Windows Analysis Report
Transferencia.exe

Overview

General Information

Sample Name:Transferencia.exe
Analysis ID:624276
MD5:fb1d131568bdd2fa951608534f83a75c
SHA1:ff02df2cb07c221b8ed3583c6dafb8c0e35684f8
SHA256:42625067621ac2dba6b95e565a48454637f46185356034da214a00a3d453c971
Tags:exe
Infos:

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • Transferencia.exe (PID: 4736 cmdline: "C:\Users\user\Desktop\Transferencia.exe" MD5: FB1D131568BDD2FA951608534F83A75C)
  • cleanup
{"Payload URL": "https://drive.google.com/uc?export=download&id=1hB?$1A"}
Source: 00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: 00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1hB?$1A"}
    Source: Transferencia.exe, ReversingLabs: Detection: 26%
    Source: Transferencia.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Transferencia.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_00406850 FindFirstFileW,FindClose,0_2_00406850
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C26
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B

    Networking

    Source: Malware configuration extractor, URLs: https://drive.google.com/uc?export=download&id=1hB?$1A
    Source: Transferencia.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056BB
    Source: Transferencia.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Transferencia.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040350A
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_732A1BFF 0_2_732A1BFF
    Source: Transferencia.exe, Static PE information: invalid certificate
    Source: C:\Users\user\Desktop\Transferencia.exe, Process Stats: CPU usage > 98%
    Source: Transferencia.exe, ReversingLabs: Detection: 26%
    Source: C:\Users\user\Desktop\Transferencia.exe, File read: C:\Users\user\Desktop\Transferencia.exe
    Source: Transferencia.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Transferencia.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Transferencia.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040350A
    Source: C:\Users\user\Desktop\Transferencia.exe, File created: C:\Users\user\AppData\Local\Temp\nsnC5D7.tmp
    Source: C:\Users\user\Desktop\Transferencia.exe, File written: C:\Users\user\AppData\Local\Temp\FJERKRFARMENES.ini
    Source: classification engine, Classification label: mal72.troj.evad.winEXE@1/3@0/0
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_004021AA CoCreateInstance,0_2_004021AA
    Source: C:\Users\user\Desktop\Transferencia.exe, File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404967
    Source: Transferencia.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

    Data Obfuscation

    Source: Yara match, File source: 00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_732A30C0 push eax; ret 0_2_732A30EE
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_732A1BFF
    Source: C:\Users\user\Desktop\Transferencia.exe, File created: C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll
    Source: C:\Users\user\Desktop\Transferencia.exe, Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\Transferencia.exe, RDTSC instruction interceptor: First address: 0000000002D6467E second address: 0000000002D6467E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F04749FF19Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_00406850 FindFirstFileW,FindClose,0_2_00406850
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C26
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
    Source: C:\Users\user\Desktop\Transferencia.exe, API call chain: ExitProcess graph end node (graph_0-4339)
    Source: C:\Users\user\Desktop\Transferencia.exe, API call chain: ExitProcess graph end node (graph_0-4495)
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_732A1BFF
    Source: C:\Users\user\Desktop\Transferencia.exe, Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040350A
    • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    • Execution: 1 Native API; Scheduled Task/Job; At (Linux)
    • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    • Privilege Escalation: 1 Access Token Manipulation; Boot or Logon Initialization Scripts; Logon Script (Windows)
    • Defense Evasion: 1 Access Token Manipulation; 1 Obfuscated Files or Information; Obfuscated Files or Information
    • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
    • Discovery: 1 Security Software Discovery; 3 File and Directory Discovery; 13 System Information Discovery
    • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    • Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive
    • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    • Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol; Steganography
    • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    • Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data
    Source: Transferencia.exe, Detection: 27%, Scanner: ReversingLabs, Label: Win32.Trojan.Generic
    Source: C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll, Detection: 0%, Scanner: Virustotal
    Source: C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll, Detection: 0%, Scanner: Metadefender
    Source: C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll, Detection: 0%, Scanner: ReversingLabs
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    Name: http://nsis.sf.net/NSIS_ErrorError, Source: Transferencia.exe, Malicious: false, Reputation: high
      No contacted IP infos
      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:624276
      Start date and time: 2022-05-11 13:17:05 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 14s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:Transferencia.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:29
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal72.troj.evad.winEXE@1/3@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 63.2% (good quality ratio 62%)
      • Quality average: 88.3%
      • Quality standard deviation: 21.7%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 38
      • Number of non-executed functions: 34
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Adjust boot time
      • Enable AMSI
      • Override analysis time to 240s for sample files taking high CPU consumption
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, time.windows.com, arc.msn.com
      • Not all processes were analyzed, report is missing behavior information
      No simulations
      No context
      No context
      No context
      No context
      Match: C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll
      Associated Sample Name / URL, Detection:
      • EPAYMENT.exe, malicious
      • EPAYMENT.exe, malicious
      • xcVh7ZmH4Y.exe, malicious
      • OR17233976_00019489_20170619154218.xlsx, malicious
      • xcVh7ZmH4Y.exe, malicious
      • 3GJ6S3Kwnb.exe, malicious
      • 3GJ6S3Kwnb.exe, malicious
      • file.exe, malicious
      • file.exe, malicious
      • Bayaran Balik Cukai Terlebih Bayar.exe, malicious
      • Bayaran Balik Cukai Terlebih Bayar.exe, malicious
      • 7RsSycKaNc.exe, malicious
      • 7RsSycKaNc.exe, malicious
      • potwierdzenie wplaty.exe, malicious
      • potwierdzenie wplaty.exe, malicious
      • Docs advice copy.exe, malicious
      • Docs advice copy.exe, malicious
      • Transferencia desde ING.exe, malicious
      • Transferencia desde ING.exe, malicious
      • shipping document.exe, malicious
                                              Process:C:\Users\user\Desktop\Transferencia.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):163440
                                              Entropy (8bit):7.327257313432124
                                              Encrypted:false
                                              SSDEEP:3072:TAJ8oRPFQ7IfdpA9PCAHmkvLl75I504TTRajaO7HlnKEmou:Mmcd2nGkvLI504TTIb7Fbmou
                                              MD5:12189C0F205D353F5492E0231A237B97
                                              SHA1:0ADAC1C37C0B1D812B77FA9466E501B068802061
                                              SHA-256:4C5C37CDD6B432A2E245CB3E4D5E31919BBA8A9A7246769A40E781EA4A407D71
                                              SHA-512:B67C7470BB1D1898A6233DF1D61034A76BC9A862A97C885CE9312A1FF318D0D1C7BBF228FB8E0846D3BAA5AC14751F562943356305569C9DF88F8449B70D7DC8
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\Transferencia.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):35
                                              Entropy (8bit):4.193429088311724
                                              Encrypted:false
                                              SSDEEP:3:Nn4y2XEIIz4Acv:t12ez4Acv
                                              MD5:459F02DD36C8D63BCDF3A4078AEBD592
                                              SHA1:C61BA4265FB1C24ED73775149BB1F9A62B688CC9
                                              SHA-256:428CF1D18B7B06811B313C57DF8D240EB44350F63336BD2822B3477525C8BC1A
                                              SHA-512:A90C2BF7B01C34C5E6E16BA0391258942EDE941424BEF83398F5FE6F8936D75AD68148787F51AE80E03F565D6533811726D8C958888DE02738F514383AA7F7F6
                                              Malicious:false
                                              Reputation:low
                                              Preview:[surucucu]..Lockram2=strandlberen..
                                              Process:C:\Users\user\Desktop\Transferencia.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):12288
                                              Entropy (8bit):5.814115788739565
                                              Encrypted:false
                                              SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                              MD5:CFF85C549D536F651D4FB8387F1976F2
                                              SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                              SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                              SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: Virustotal, Detection: 0%
                                              • Antivirus: Metadefender, Detection: 0%
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: EPAYMENT.exe, Detection: malicious
                                              • Filename: EPAYMENT.exe, Detection: malicious
                                              • Filename: xcVh7ZmH4Y.exe, Detection: malicious
                                              • Filename: OR17233976_00019489_20170619154218.xlsx, Detection: malicious
                                              • Filename: xcVh7ZmH4Y.exe, Detection: malicious
                                              • Filename: 3GJ6S3Kwnb.exe, Detection: malicious
                                              • Filename: 3GJ6S3Kwnb.exe, Detection: malicious
                                              • Filename: file.exe, Detection: malicious
                                              • Filename: file.exe, Detection: malicious
                                              • Filename: Bayaran Balik Cukai Terlebih Bayar.exe, Detection: malicious
                                              • Filename: Bayaran Balik Cukai Terlebih Bayar.exe, Detection: malicious
                                              • Filename: 7RsSycKaNc.exe, Detection: malicious
                                              • Filename: 7RsSycKaNc.exe, Detection: malicious
                                              • Filename: potwierdzenie wplaty.exe, Detection: malicious
                                              • Filename: potwierdzenie wplaty.exe, Detection: malicious
                                              • Filename: Docs advice copy.exe, Detection: malicious
                                              • Filename: Docs advice copy.exe, Detection: malicious
                                              • Filename: Transferencia desde ING.exe, Detection: malicious
                                              • Filename: Transferencia desde ING.exe, Detection: malicious
                                              • Filename: shipping document.exe, Detection: malicious
                                              Reputation:moderate, very likely benign file
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.5547497516761295
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Transferencia.exe
                                              File size:254208
                                              MD5:fb1d131568bdd2fa951608534f83a75c
                                              SHA1:ff02df2cb07c221b8ed3583c6dafb8c0e35684f8
                                              SHA256:42625067621ac2dba6b95e565a48454637f46185356034da214a00a3d453c971
                                              SHA512:ef46d1fc90b046234a2939d1cbbadeb99cca056bfba74b3b1480af1a1171698a436cc23a809c8f0ec9f2ce5ca45d91db31151311415ed38a137070924476dc10
                                              SSDEEP:6144:s3yztNlmkDzzo+3sYIEJwqq1XPo6BktVrQGs20z:s3+FvzxsPXj1/o6Aiz
                                              TLSH:2344D01E3225C4E6F88883765F3A9B0B198FAC03219105177772BBB99B39383C95F5D5
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L...h.Oa.................h....:....
                                              Icon Hash:8803969c49c2c3c0
                                              Entrypoint:0x40350a
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x614F9A68 [Sat Sep 25 21:53:44 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                                              Signature Valid:false
                                              Signature Issuer:CN="Talonen Pral NONPERFECTIBILITY Unmigrant6 ", O=ORDLYDEN, L=Bourg-Saint-Maurice, S=Auvergne-Rhône-Alpes, C=FR
                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                              Error Number:-2146762487
                                              Not Before, Not After
                                              • 5/10/2022 12:58:17 PM 5/10/2023 12:58:17 PM
                                              Subject Chain
                                              • CN="Talonen Pral NONPERFECTIBILITY Unmigrant6 ", O=ORDLYDEN, L=Bourg-Saint-Maurice, S=Auvergne-Rhône-Alpes, C=FR
                                              Version:3
                                              Thumbprint MD5:C01462F3E1A1421FC7156C98C104EC74
                                              Thumbprint SHA-1:92A7393883A3AF47A744D137119C6E6BAEA9BC27
                                              Thumbprint SHA-256:41ACF6A35BC3571C0748976A332965863E86A47C8FBBED9FE240EE0D66E8DEA9
                                              Serial:F7E6FA3055C43850
                                              Instruction
                                              push ebp
                                              mov ebp, esp
                                              sub esp, 000003F4h
                                              push ebx
                                              push esi
                                              push edi
                                              push 00000020h
                                              pop edi
                                              xor ebx, ebx
                                              push 00008001h
                                              mov dword ptr [ebp-14h], ebx
                                              mov dword ptr [ebp-04h], 0040A2E0h
                                              mov dword ptr [ebp-10h], ebx
                                              call dword ptr [004080CCh]
                                              mov esi, dword ptr [004080D0h]
                                              lea eax, dword ptr [ebp-00000140h]
                                              push eax
                                              mov dword ptr [ebp-0000012Ch], ebx
                                              mov dword ptr [ebp-2Ch], ebx
                                              mov dword ptr [ebp-28h], ebx
                                              mov dword ptr [ebp-00000140h], 0000011Ch
                                              call esi
                                              test eax, eax
                                              jne 00007F0474C9CC0Ah
                                              lea eax, dword ptr [ebp-00000140h]
                                              mov dword ptr [ebp-00000140h], 00000114h
                                              push eax
                                              call esi
                                              mov ax, word ptr [ebp-0000012Ch]
                                              mov ecx, dword ptr [ebp-00000112h]
                                              sub ax, 00000053h
                                              add ecx, FFFFFFD0h
                                              neg ax
                                              sbb eax, eax
                                              mov byte ptr [ebp-26h], 00000004h
                                              not eax
                                              and eax, ecx
                                              mov word ptr [ebp-2Ch], ax
                                              cmp dword ptr [ebp-0000013Ch], 0Ah
                                              jnc 00007F0474C9CBDAh
                                              and word ptr [ebp-00000132h], 0000h
                                              mov eax, dword ptr [ebp-00000134h]
                                              movzx ecx, byte ptr [ebp-00000138h]
                                              mov dword ptr [007A8B18h], eax
                                              xor eax, eax
                                              mov ah, byte ptr [ebp-0000013Ch]
                                              movzx eax, ax
                                              or eax, ecx
                                              xor ecx, ecx
                                              mov ch, byte ptr [ebp-2Ch]
                                              movzx ecx, cx
                                              shl eax, 10h
                                              or eax, ecx
                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3da000 | 0x139f0 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3da38 | 0x6c8 | .data
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x6670 | 0x6800 | False | 0.667931189904 | data | 6.43600264122 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.45 | data | 5.14577456407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0xa000 | 0x39eb78 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                              .ndata | 0x3a9000 | 0x31000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .rsrc | 0x3da000 | 0x139f0 | 0x13a00 | False | 0.570872312898 | data | 6.54983643379 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country
                                              RT_ICON | 0x3da358 | 0x8592 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                              RT_ICON | 0x3e28f0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 1056964863 | English | United States
                                              RT_ICON | 0x3e6b18 | 0x25a8 | data | English | United States
                                              RT_ICON | 0x3e90c0 | 0x1a68 | data | English | United States
                                              RT_ICON | 0x3eab28 | 0x10a8 | data | English | United States
                                              RT_ICON | 0x3ebbd0 | 0x988 | data | English | United States
                                              RT_ICON | 0x3ec558 | 0x6b8 | data | English | United States
                                              RT_ICON | 0x3ecc10 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                              RT_DIALOG | 0x3ed078 | 0x100 | data | English | United States
                                              RT_DIALOG | 0x3ed178 | 0x11c | data | English | United States
                                              RT_DIALOG | 0x3ed298 | 0xc4 | data | English | United States
                                              RT_DIALOG | 0x3ed360 | 0x60 | data | English | United States
                                              RT_GROUP_ICON | 0x3ed3c0 | 0x76 | data | English | United States
                                              RT_VERSION | 0x3ed438 | 0x274 | data | English | United States
                                              RT_MANIFEST | 0x3ed6b0 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                                              DLL | Import
                                              ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                              SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                              ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                              COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                              USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                              GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                              KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                              Description | Data
                                              LegalCopyright | Markedsana
                                              FileVersion | 24.8.29
                                              CompanyName | vugvalidatin
                                              LegalTrademarks | METACINNAB
                                              Comments | Spiroloculin113
                                              ProductName | Leuk
                                              FileDescription | Janfridelefrek82
                                              Translation | 0x0409 0x04b0
                                              Language of compilation system | Country where language is spoken | Map
                                              English | United States |
                                              No network behavior found

                                              Target ID:0
                                              Start time:13:18:06
                                              Start date:11/05/2022
                                              Path:C:\Users\user\Desktop\Transferencia.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\Transferencia.exe"
                                              Imagebase:0x400000
                                              File size:254208 bytes
                                              MD5 hash:FB1D131568BDD2FA951608534F83A75C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                                Execution Graph

                                                Execution Coverage:18.1%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:16%
                                                Total number of Nodes:1586
                                                Total number of Limit Nodes:35
4673 401389 2 API calls 4664->4673 4669 4044c2 SendMessageW 4665->4669 4686 4040eb 4665->4686 4666->4667 4670 403fc2 ShowWindow 4667->4670 4671 404004 4667->4671 4704 4041ad 4669->4704 4674 403fe2 GetWindowLongW 4670->4674 4675 4040dd 4670->4675 4676 404023 4671->4676 4677 40400c DestroyWindow 4671->4677 4672 40412b KiUserCallbackDispatcher 4678 40140b 2 API calls 4672->4678 4681 404173 4673->4681 4674->4675 4683 403ffb ShowWindow 4674->4683 4741 4044dd 4675->4741 4679 404028 SetWindowLongW 4676->4679 4680 404039 4676->4680 4731 4043ff 4677->4731 4678->4664 4679->4686 4680->4675 4684 404045 GetDlgItem 4680->4684 4681->4665 4685 404177 SendMessageW 4681->4685 4683->4671 4689 404073 4684->4689 4690 404056 SendMessageW IsWindowEnabled 4684->4690 4685->4686 4687 40140b 2 API calls 4687->4704 4688 404401 DestroyWindow EndDialog 4688->4731 4692 404078 4689->4692 4694 404080 4689->4694 4696 4040c7 SendMessageW 4689->4696 4697 404093 4689->4697 4690->4686 4690->4689 4691 404430 ShowWindow 4691->4686 4738 40444f 4692->4738 4693 406557 17 API calls 4693->4704 4694->4692 4694->4696 4696->4675 4699 4040b0 4697->4699 4700 40409b 4697->4700 4698 4040ae 4698->4675 4702 40140b 2 API calls 4699->4702 4703 40140b 2 API calls 4700->4703 4701 404476 18 API calls 4701->4704 4705 4040b7 4702->4705 4703->4692 4704->4686 4704->4687 4704->4688 4704->4693 4704->4701 4706 404476 18 API calls 4704->4706 4722 404341 DestroyWindow 4704->4722 4705->4675 4705->4692 4707 404228 GetDlgItem 4706->4707 4708 404245 ShowWindow KiUserCallbackDispatcher 4707->4708 4709 40423d 4707->4709 4735 404498 KiUserCallbackDispatcher 4708->4735 4709->4708 4711 40426f EnableWindow 4716 404283 4711->4716 4712 404288 GetSystemMenu EnableMenuItem SendMessageW 4713 4042b8 SendMessageW 4712->4713 4712->4716 4713->4716 4715 403f58 18 API calls 4715->4716 4716->4712 4716->4715 4736 4044ab SendMessageW 4716->4736 4737 40651a lstrcpynW 4716->4737 4718 4042e7 lstrlenW 4719 406557 17 API calls 4718->4719 4720 4042fd 
SetWindowTextW 4719->4720 4721 401389 2 API calls 4720->4721 4721->4704 4723 40435b CreateDialogParamW 4722->4723 4722->4731 4724 40438e 4723->4724 4723->4731 4725 404476 18 API calls 4724->4725 4726 404399 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4725->4726 4727 401389 2 API calls 4726->4727 4728 4043df 4727->4728 4728->4686 4729 4043e7 ShowWindow 4728->4729 4730 4044c2 SendMessageW 4729->4730 4730->4731 4731->4686 4731->4691 4733 406557 17 API calls 4732->4733 4734 404481 SetDlgItemTextW 4733->4734 4734->4672 4735->4711 4736->4716 4737->4718 4739 404456 4738->4739 4740 40445c SendMessageW 4738->4740 4739->4740 4740->4698 4742 4044f5 GetWindowLongW 4741->4742 4751 4045a0 4741->4751 4743 40450a 4742->4743 4742->4751 4744 404537 GetSysColor 4743->4744 4745 40453a 4743->4745 4743->4751 4744->4745 4746 404540 SetTextColor 4745->4746 4747 40454a SetBkMode 4745->4747 4746->4747 4748 404562 GetSysColor 4747->4748 4749 404568 4747->4749 4748->4749 4750 40456f SetBkColor 4749->4750 4752 404579 4749->4752 4750->4752 4751->4686 4752->4751 4753 404593 CreateBrushIndirect 4752->4753 4754 40458c DeleteObject 4752->4754 4753->4751 4754->4753 5433 401b77 5434 402da6 17 API calls 5433->5434 5435 401b7e 5434->5435 5436 402d84 17 API calls 5435->5436 5437 401b87 wsprintfW 5436->5437 5438 402c2a 5437->5438 5439 40167b 5440 402da6 17 API calls 5439->5440 5441 401682 5440->5441 5442 402da6 17 API calls 5441->5442 5443 40168b 5442->5443 5444 402da6 17 API calls 5443->5444 5445 401694 MoveFileW 5444->5445 5446 4016a0 5445->5446 5447 4016a7 5445->5447 5448 401423 24 API calls 5446->5448 5449 406850 2 API calls 5447->5449 5451 4022f6 5447->5451 5448->5451 5450 4016b6 5449->5450 5450->5451 5452 4062da 36 API calls 5450->5452 5452->5446 5453 4022ff 5454 402da6 17 API calls 5453->5454 5455 402305 5454->5455 5456 402da6 17 API calls 5455->5456 5457 40230e 5456->5457 5458 402da6 17 API calls 5457->5458 5459 402317 5458->5459 5460 406850 2 API calls 5459->5460 5461 402320 5460->5461 
5462 402331 lstrlenW lstrlenW 5461->5462 5466 402324 5461->5466 5464 40557c 24 API calls 5462->5464 5463 40557c 24 API calls 5467 40232c 5463->5467 5465 40236f SHFileOperationW 5464->5465 5465->5466 5465->5467 5466->5463 5466->5467 5468 4019ff 5469 402da6 17 API calls 5468->5469 5470 401a06 5469->5470 5471 402da6 17 API calls 5470->5471 5472 401a0f 5471->5472 5473 401a16 lstrcmpiW 5472->5473 5474 401a28 lstrcmpW 5472->5474 5475 401a1c 5473->5475 5474->5475 5476 401000 5477 401037 BeginPaint GetClientRect 5476->5477 5478 40100c DefWindowProcW 5476->5478 5480 4010f3 5477->5480 5481 401179 5478->5481 5482 401073 CreateBrushIndirect FillRect DeleteObject 5480->5482 5483 4010fc 5480->5483 5482->5480 5484 401102 CreateFontIndirectW 5483->5484 5485 401167 EndPaint 5483->5485 5484->5485 5486 401112 6 API calls 5484->5486 5485->5481 5486->5485 5487 401d81 5488 401d94 GetDlgItem 5487->5488 5489 401d87 5487->5489 5491 401d8e 5488->5491 5490 402d84 17 API calls 5489->5490 5490->5491 5492 401dd5 GetClientRect LoadImageW SendMessageW 5491->5492 5493 402da6 17 API calls 5491->5493 5495 401e33 5492->5495 5497 401e3f 5492->5497 5493->5492 5496 401e38 DeleteObject 5495->5496 5495->5497 5496->5497 5498 732a23e9 5499 732a2453 5498->5499 5500 732a245e GlobalAlloc 5499->5500 5501 732a247d 5499->5501 5500->5499 5502 401503 5503 40150b 5502->5503 5505 40151e 5502->5505 5504 402d84 17 API calls 5503->5504 5504->5505 5506 402383 5507 40239d 5506->5507 5508 40238a 5506->5508 5509 406557 17 API calls 5508->5509 5510 402397 5509->5510 5510->5507 5511 405b7a MessageBoxIndirectW 5510->5511 5511->5507 5512 402c05 SendMessageW 5513 402c2a 5512->5513 5514 402c1f InvalidateRect 5512->5514 5514->5513 5515 403b87 5516 403b92 5515->5516 5517 403b96 5516->5517 5518 403b99 GlobalAlloc 5516->5518 5518->5517 4291 40350a SetErrorMode GetVersionExW 4292 403594 4291->4292 4293 40355c GetVersionExW 4291->4293 4294 4035ed 4292->4294 4295 4068e7 5 API calls 4292->4295 4293->4292 4296 406877 3 API calls 
4294->4296 4295->4294 4297 403603 lstrlenA 4296->4297 4297->4294 4298 403613 4297->4298 4299 4068e7 5 API calls 4298->4299 4300 40361a 4299->4300 4301 4068e7 5 API calls 4300->4301 4302 403621 4301->4302 4303 4068e7 5 API calls 4302->4303 4304 40362d #17 OleInitialize SHGetFileInfoW 4303->4304 4382 40651a lstrcpynW 4304->4382 4307 40367a GetCommandLineW 4383 40651a lstrcpynW 4307->4383 4309 40368c 4310 405e16 CharNextW 4309->4310 4311 4036b2 CharNextW 4310->4311 4319 4036c3 4311->4319 4312 4037c1 4313 4037d5 GetTempPathW 4312->4313 4384 4034d9 4313->4384 4315 4037ed 4316 4037f1 GetWindowsDirectoryW lstrcatW 4315->4316 4317 403847 DeleteFileW 4315->4317 4320 4034d9 12 API calls 4316->4320 4394 40307d GetTickCount GetModuleFileNameW 4317->4394 4318 405e16 CharNextW 4318->4319 4319->4312 4319->4318 4326 4037c3 4319->4326 4323 40380d 4320->4323 4322 40385a 4324 40391e 4322->4324 4327 40390f 4322->4327 4331 405e16 CharNextW 4322->4331 4323->4317 4325 403811 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4323->4325 4486 403aef 4324->4486 4330 4034d9 12 API calls 4325->4330 4478 40651a lstrcpynW 4326->4478 4422 403bc9 4327->4422 4334 40383f 4330->4334 4347 40387c 4331->4347 4334->4317 4334->4324 4335 403a46 4493 405b7a 4335->4493 4336 403a5b 4338 403a63 GetCurrentProcess OpenProcessToken 4336->4338 4339 403ad9 ExitProcess 4336->4339 4344 403aa9 4338->4344 4345 403a7a LookupPrivilegeValueW AdjustTokenPrivileges 4338->4345 4341 4038e5 4349 405ef1 18 API calls 4341->4349 4342 403926 4348 405ae5 5 API calls 4342->4348 4346 4068e7 5 API calls 4344->4346 4345->4344 4350 403ab0 4346->4350 4347->4341 4347->4342 4351 40392b lstrcatW 4348->4351 4352 4038f1 4349->4352 4353 403ac5 ExitWindowsEx 4350->4353 4356 403ad2 4350->4356 4354 403947 lstrcatW lstrcmpiW 4351->4354 4355 40393c lstrcatW 4351->4355 4352->4324 4479 40651a lstrcpynW 4352->4479 4353->4339 4353->4356 4354->4324 4357 403967 4354->4357 4355->4354 4497 40140b 4356->4497 4361 403973 4357->4361 4362 
40396c 4357->4362 4359 403904 4480 40651a lstrcpynW 4359->4480 4363 405ac8 2 API calls 4361->4363 4365 405a4b 4 API calls 4362->4365 4366 403978 SetCurrentDirectoryW 4363->4366 4367 403971 4365->4367 4368 403995 4366->4368 4369 40398a 4366->4369 4367->4366 4482 40651a lstrcpynW 4368->4482 4481 40651a lstrcpynW 4369->4481 4372 406557 17 API calls 4373 4039d7 DeleteFileW 4372->4373 4374 4039e3 CopyFileW 4373->4374 4379 4039a2 4373->4379 4374->4379 4375 403a2d 4376 4062da 36 API calls 4375->4376 4376->4324 4377 4062da 36 API calls 4377->4379 4378 406557 17 API calls 4378->4379 4379->4372 4379->4375 4379->4377 4379->4378 4381 403a17 CloseHandle 4379->4381 4483 405afd CreateProcessW 4379->4483 4381->4379 4382->4307 4383->4309 4385 4067a1 5 API calls 4384->4385 4386 4034e5 4385->4386 4387 4034ef 4386->4387 4388 405de9 3 API calls 4386->4388 4387->4315 4389 4034f7 4388->4389 4390 405ac8 2 API calls 4389->4390 4391 4034fd 4390->4391 4500 406039 4391->4500 4504 40600a GetFileAttributesW CreateFileW 4394->4504 4396 4030bd 4416 4030cd 4396->4416 4505 40651a lstrcpynW 4396->4505 4398 4030e3 4399 405e35 2 API calls 4398->4399 4400 4030e9 4399->4400 4506 40651a lstrcpynW 4400->4506 4402 4030f4 GetFileSize 4403 4031ee 4402->4403 4421 40310b 4402->4421 4507 403019 4403->4507 4405 4031f7 4407 403227 GlobalAlloc 4405->4407 4405->4416 4542 4034c2 SetFilePointer 4405->4542 4518 4034c2 SetFilePointer 4407->4518 4409 40325a 4413 403019 6 API calls 4409->4413 4411 403210 4414 4034ac ReadFile 4411->4414 4412 403242 4519 4032b4 4412->4519 4413->4416 4417 40321b 4414->4417 4416->4322 4417->4407 4417->4416 4418 403019 6 API calls 4418->4421 4419 40324e 4419->4416 4419->4419 4420 40328b SetFilePointer 4419->4420 4420->4416 4421->4403 4421->4409 4421->4416 4421->4418 4539 4034ac 4421->4539 4423 4068e7 5 API calls 4422->4423 4424 403bdd 4423->4424 4425 403be3 4424->4425 4426 403bf5 4424->4426 4563 406461 wsprintfW 4425->4563 4427 4063e8 3 API calls 4426->4427 4428 403c25 4427->4428 4430 403c44 
lstrcatW 4428->4430 4431 4063e8 3 API calls 4428->4431 4432 403bf3 4430->4432 4431->4430 4548 403e9f 4432->4548 4435 405ef1 18 API calls 4436 403c76 4435->4436 4437 403d0a 4436->4437 4439 4063e8 3 API calls 4436->4439 4438 405ef1 18 API calls 4437->4438 4440 403d10 4438->4440 4441 403ca8 4439->4441 4442 403d20 LoadImageW 4440->4442 4443 406557 17 API calls 4440->4443 4441->4437 4449 403cc9 lstrlenW 4441->4449 4453 405e16 CharNextW 4441->4453 4444 403dc6 4442->4444 4445 403d47 RegisterClassW 4442->4445 4443->4442 4448 40140b 2 API calls 4444->4448 4446 403dd0 4445->4446 4447 403d7d SystemParametersInfoW CreateWindowExW 4445->4447 4446->4324 4447->4444 4452 403dcc 4448->4452 4450 403cd7 lstrcmpiW 4449->4450 4451 403cfd 4449->4451 4450->4451 4454 403ce7 GetFileAttributesW 4450->4454 4455 405de9 3 API calls 4451->4455 4452->4446 4458 403e9f 18 API calls 4452->4458 4456 403cc6 4453->4456 4457 403cf3 4454->4457 4459 403d03 4455->4459 4456->4449 4457->4451 4460 405e35 2 API calls 4457->4460 4461 403ddd 4458->4461 4564 40651a lstrcpynW 4459->4564 4460->4451 4463 403de9 ShowWindow 4461->4463 4464 403e6c 4461->4464 4466 406877 3 API calls 4463->4466 4556 40564f OleInitialize 4464->4556 4468 403e01 4466->4468 4467 403e72 4469 403e76 4467->4469 4470 403e8e 4467->4470 4471 403e0f GetClassInfoW 4468->4471 4473 406877 3 API calls 4468->4473 4469->4446 4477 40140b 2 API calls 4469->4477 4472 40140b 2 API calls 4470->4472 4474 403e23 GetClassInfoW RegisterClassW 4471->4474 4475 403e39 DialogBoxParamW 4471->4475 4472->4446 4473->4471 4474->4475 4476 40140b 2 API calls 4475->4476 4476->4446 4477->4446 4478->4313 4479->4359 4480->4327 4481->4368 4482->4379 4484 405b30 CloseHandle 4483->4484 4485 405b3c 4483->4485 4484->4485 4485->4379 4487 403b07 4486->4487 4488 403af9 CloseHandle 4486->4488 4576 403b34 4487->4576 4488->4487 4491 405c26 67 API calls 4492 403a3b OleUninitialize 4491->4492 4492->4335 4492->4336 4494 405b8f 4493->4494 4495 403a53 ExitProcess 4494->4495 4496 405ba3 
MessageBoxIndirectW 4494->4496 4496->4495 4498 401389 2 API calls 4497->4498 4499 401420 4498->4499 4499->4339 4501 406046 GetTickCount GetTempFileNameW 4500->4501 4502 403508 4501->4502 4503 40607c 4501->4503 4502->4315 4503->4501 4503->4502 4504->4396 4505->4398 4506->4402 4508 403022 4507->4508 4509 40303a 4507->4509 4510 403032 4508->4510 4511 40302b DestroyWindow 4508->4511 4512 403042 4509->4512 4513 40304a GetTickCount 4509->4513 4510->4405 4511->4510 4543 406923 4512->4543 4515 403058 CreateDialogParamW ShowWindow 4513->4515 4516 40307b 4513->4516 4515->4516 4516->4405 4518->4412 4520 4032cd 4519->4520 4521 4032fb 4520->4521 4547 4034c2 SetFilePointer 4520->4547 4523 4034ac ReadFile 4521->4523 4524 403306 4523->4524 4525 40342f 4524->4525 4526 403445 4524->4526 4527 403318 GetTickCount 4524->4527 4525->4419 4528 403487 4526->4528 4531 403449 4526->4531 4527->4525 4533 403344 4527->4533 4529 4034ac ReadFile 4528->4529 4529->4525 4530 4034ac ReadFile 4530->4533 4531->4525 4532 4034ac ReadFile 4531->4532 4534 4060bc WriteFile 4531->4534 4532->4531 4533->4525 4533->4530 4535 40339a GetTickCount 4533->4535 4536 4033bf MulDiv wsprintfW 4533->4536 4538 4060bc WriteFile 4533->4538 4534->4531 4535->4533 4537 40557c 24 API calls 4536->4537 4537->4533 4538->4533 4540 40608d ReadFile 4539->4540 4541 4034bf 4540->4541 4541->4421 4542->4411 4544 406940 PeekMessageW 4543->4544 4545 403048 4544->4545 4546 406936 DispatchMessageW 4544->4546 4545->4405 4546->4544 4547->4521 4549 403eb3 4548->4549 4565 406461 wsprintfW 4549->4565 4551 403f24 4566 403f58 4551->4566 4553 403f29 4554 403c54 4553->4554 4555 406557 17 API calls 4553->4555 4554->4435 4555->4553 4569 4044c2 4556->4569 4558 405672 4562 405699 4558->4562 4572 401389 4558->4572 4559 4044c2 SendMessageW 4560 4056ab OleUninitialize 4559->4560 4560->4467 4562->4559 4563->4432 4564->4437 4565->4551 4567 406557 17 API calls 4566->4567 4568 403f66 SetWindowTextW 4567->4568 4568->4553 4570 4044da 4569->4570 4571 4044cb 
SendMessageW 4569->4571 4570->4558 4571->4570 4574 401390 4572->4574 4573 4013fe 4573->4558 4574->4573 4575 4013cb MulDiv SendMessageW 4574->4575 4575->4574 4577 403b42 4576->4577 4578 403b0c 4577->4578 4579 403b47 FreeLibrary GlobalFree 4577->4579 4578->4491 4579->4578 4579->4579 5519 40248a 5520 402da6 17 API calls 5519->5520 5521 40249c 5520->5521 5522 402da6 17 API calls 5521->5522 5523 4024a6 5522->5523 5536 402e36 5523->5536 5526 402c2a 5527 4024de 5530 402d84 17 API calls 5527->5530 5532 4024ea 5527->5532 5528 402da6 17 API calls 5529 4024d4 lstrlenW 5528->5529 5529->5527 5530->5532 5531 402509 RegSetValueExW 5534 40251f RegCloseKey 5531->5534 5532->5531 5533 4032b4 31 API calls 5532->5533 5533->5531 5534->5526 5537 402e51 5536->5537 5540 4063b5 5537->5540 5541 4063c4 5540->5541 5542 4024b6 5541->5542 5543 4063cf RegCreateKeyExW 5541->5543 5542->5526 5542->5527 5542->5528 5543->5542 5544 40290b 5545 402da6 17 API calls 5544->5545 5546 402912 FindFirstFileW 5545->5546 5547 40293a 5546->5547 5551 402925 5546->5551 5548 402943 5547->5548 5552 406461 wsprintfW 5547->5552 5553 40651a lstrcpynW 5548->5553 5552->5548 5553->5551 5554 732a10e1 5564 732a1111 5554->5564 5555 732a12b0 GlobalFree 5556 732a1240 GlobalFree 5556->5564 5557 732a11d7 GlobalAlloc 5557->5564 5558 732a12ab 5558->5555 5559 732a135a 2 API calls 5559->5564 5560 732a129a GlobalFree 5560->5564 5561 732a1312 2 API calls 5561->5564 5562 732a116b GlobalAlloc 5562->5564 5563 732a1381 lstrcpyW 5563->5564 5564->5555 5564->5556 5564->5557 5564->5558 5564->5559 5564->5560 5564->5561 5564->5562 5564->5563 5565 40190c 5566 401943 5565->5566 5567 402da6 17 API calls 5566->5567 5568 401948 5567->5568 5569 405c26 67 API calls 5568->5569 5570 401951 5569->5570 5571 40190f 5572 402da6 17 API calls 5571->5572 5573 401916 5572->5573 5574 405b7a MessageBoxIndirectW 5573->5574 5575 40191f 5574->5575 5576 401491 5577 40557c 24 API calls 5576->5577 5578 401498 5577->5578 5579 402891 5580 402898 5579->5580 5581 402ba9 
5579->5581 5582 402d84 17 API calls 5580->5582 5583 40289f 5582->5583 5584 4028ae SetFilePointer 5583->5584 5584->5581 5585 4028be 5584->5585 5587 406461 wsprintfW 5585->5587 5587->5581 5588 401f12 5589 402da6 17 API calls 5588->5589 5590 401f18 5589->5590 5591 402da6 17 API calls 5590->5591 5592 401f21 5591->5592 5593 402da6 17 API calls 5592->5593 5594 401f2a 5593->5594 5595 402da6 17 API calls 5594->5595 5596 401f33 5595->5596 5597 401423 24 API calls 5596->5597 5598 401f3a 5597->5598 5605 405b40 ShellExecuteExW 5598->5605 5600 401f82 5602 40292e 5600->5602 5606 406992 WaitForSingleObject 5600->5606 5603 401f9f CloseHandle 5603->5602 5605->5600 5607 4069ac 5606->5607 5608 4069be GetExitCodeProcess 5607->5608 5609 406923 2 API calls 5607->5609 5608->5603 5610 4069b3 WaitForSingleObject 5609->5610 5610->5607 5611 732a1979 5612 732a199c 5611->5612 5613 732a19d1 GlobalFree 5612->5613 5614 732a19e3 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5612->5614 5613->5614 5615 732a1312 2 API calls 5614->5615 5616 732a1b6e GlobalFree GlobalFree 5615->5616 5617 402f93 5618 402fa5 SetTimer 5617->5618 5619 402fbe 5617->5619 5618->5619 5620 403013 5619->5620 5621 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5619->5621 5621->5620 4648 732a2a7f 4649 732a2acf 4648->4649 4650 732a2a8f VirtualProtect 4648->4650 4650->4649 5622 401d17 5623 402d84 17 API calls 5622->5623 5624 401d1d IsWindow 5623->5624 5625 401a20 5624->5625 4949 401b9b 4950 401bec 4949->4950 4951 401ba8 4949->4951 4953 401bf1 4950->4953 4954 401c16 GlobalAlloc 4950->4954 4952 401c31 4951->4952 4959 401bbf 4951->4959 4956 406557 17 API calls 4952->4956 4962 40239d 4952->4962 4953->4962 4970 40651a lstrcpynW 4953->4970 4955 406557 17 API calls 4954->4955 4955->4952 4958 402397 4956->4958 4958->4962 4963 405b7a MessageBoxIndirectW 4958->4963 4968 40651a lstrcpynW 4959->4968 4960 401c03 GlobalFree 4960->4962 4963->4962 4964 401bce 4969 40651a lstrcpynW 4964->4969 4966 401bdd 4971 40651a lstrcpynW 
4966->4971 4968->4964 4969->4966 4970->4960 4971->4962 5626 40261c 5627 402da6 17 API calls 5626->5627 5628 402623 5627->5628 5631 40600a GetFileAttributesW CreateFileW 5628->5631 5630 40262f 5631->5630 5632 732a1774 5633 732a17a3 5632->5633 5634 732a1bff 22 API calls 5633->5634 5635 732a17aa 5634->5635 5636 732a17bd 5635->5636 5637 732a17b1 5635->5637 5639 732a17c7 5636->5639 5640 732a17e4 5636->5640 5638 732a1312 2 API calls 5637->5638 5643 732a17bb 5638->5643 5644 732a15dd 3 API calls 5639->5644 5641 732a17ea 5640->5641 5642 732a180e 5640->5642 5646 732a1654 3 API calls 5641->5646 5647 732a15dd 3 API calls 5642->5647 5645 732a17cc 5644->5645 5648 732a1654 3 API calls 5645->5648 5649 732a17ef 5646->5649 5647->5643 5650 732a17d2 5648->5650 5651 732a1312 2 API calls 5649->5651 5652 732a1312 2 API calls 5650->5652 5653 732a17f5 GlobalFree 5651->5653 5654 732a17d8 GlobalFree 5652->5654 5653->5643 5655 732a1809 GlobalFree 5653->5655 5654->5643 5655->5643 5656 40149e 5657 4014ac PostQuitMessage 5656->5657 5658 40239d 5656->5658 5657->5658 5659 40259e 5660 402de6 17 API calls 5659->5660 5661 4025a8 5660->5661 5662 402d84 17 API calls 5661->5662 5663 4025b1 5662->5663 5664 4025d9 RegEnumValueW 5663->5664 5665 4025cd RegEnumKeyW 5663->5665 5667 40292e 5663->5667 5666 4025ee RegCloseKey 5664->5666 5665->5666 5666->5667 5669 404920 5670 404930 5669->5670 5671 404956 5669->5671 5672 404476 18 API calls 5670->5672 5673 4044dd 8 API calls 5671->5673 5674 40493d SetDlgItemTextW 5672->5674 5675 404962 5673->5675 5674->5671 4287 4015a3 4288 402da6 17 API calls 4287->4288 4289 4015aa SetFileAttributesW 4288->4289 4290 4015bc 4289->4290 5676 401fa4 5677 402da6 17 API calls 5676->5677 5678 401faa 5677->5678 5679 40557c 24 API calls 5678->5679 5680 401fb4 5679->5680 5681 405afd 2 API calls 5680->5681 5682 401fba 5681->5682 5684 406992 5 API calls 5682->5684 5685 40292e 5682->5685 5687 401fdd CloseHandle 5682->5687 5686 401fcf 5684->5686 5686->5687 5689 406461 wsprintfW 5686->5689 
5687->5685 5689->5687 5690 732a2d43 5691 732a2d5b 5690->5691 5692 732a162f 2 API calls 5691->5692 5693 732a2d76 5692->5693 4580 40252a 4591 402de6 4580->4591 4583 402da6 17 API calls 4584 40253d 4583->4584 4585 402548 RegQueryValueExW 4584->4585 4588 40292e 4584->4588 4586 40256e RegCloseKey 4585->4586 4587 402568 4585->4587 4586->4588 4587->4586 4596 406461 wsprintfW 4587->4596 4592 402da6 17 API calls 4591->4592 4593 402dfd 4592->4593 4594 406387 RegOpenKeyExW 4593->4594 4595 402534 4594->4595 4595->4583 4596->4586 5694 40202a 5695 402da6 17 API calls 5694->5695 5696 402031 5695->5696 5697 4068e7 5 API calls 5696->5697 5698 402040 5697->5698 5699 4020cc 5698->5699 5700 40205c GlobalAlloc 5698->5700 5700->5699 5701 402070 5700->5701 5702 4068e7 5 API calls 5701->5702 5703 402077 5702->5703 5704 4068e7 5 API calls 5703->5704 5705 402081 5704->5705 5705->5699 5709 406461 wsprintfW 5705->5709 5707 4020ba 5710 406461 wsprintfW 5707->5710 5709->5707 5710->5699 5711 4021aa 5712 402da6 17 API calls 5711->5712 5713 4021b1 5712->5713 5714 402da6 17 API calls 5713->5714 5715 4021bb 5714->5715 5716 402da6 17 API calls 5715->5716 5717 4021c5 5716->5717 5718 402da6 17 API calls 5717->5718 5719 4021cf 5718->5719 5720 402da6 17 API calls 5719->5720 5721 4021d9 5720->5721 5722 402218 CoCreateInstance 5721->5722 5723 402da6 17 API calls 5721->5723 5726 402237 5722->5726 5723->5722 5724 401423 24 API calls 5725 4022f6 5724->5725 5726->5724 5726->5725 5727 4045ac lstrcpynW lstrlenW 5728 401a30 5729 402da6 17 API calls 5728->5729 5730 401a39 ExpandEnvironmentStringsW 5729->5730 5731 401a4d 5730->5731 5733 401a60 5730->5733 5732 401a52 lstrcmpW 5731->5732 5731->5733 5732->5733 4638 4023b2 4639 4023c0 4638->4639 4640 4023ba 4638->4640 4642 4023ce 4639->4642 4643 402da6 17 API calls 4639->4643 4641 402da6 17 API calls 4640->4641 4641->4639 4644 4023dc 4642->4644 4645 402da6 17 API calls 4642->4645 4643->4642 4646 402da6 17 API calls 4644->4646 4645->4644 4647 4023e5 
WritePrivateProfileStringW 4646->4647 5739 732a1058 5740 732a1074 5739->5740 5741 732a10dd 5740->5741 5742 732a15b6 GlobalFree 5740->5742 5743 732a1092 5740->5743 5742->5743 5744 732a15b6 GlobalFree 5743->5744 5745 732a10a2 5744->5745 5746 732a10a9 GlobalSize 5745->5746 5747 732a10b2 5745->5747 5746->5747 5748 732a10c7 5747->5748 5749 732a10b6 GlobalAlloc 5747->5749 5751 732a10d2 GlobalFree 5748->5751 5750 732a15dd 3 API calls 5749->5750 5750->5748 5751->5741 5752 402434 5753 402467 5752->5753 5754 40243c 5752->5754 5755 402da6 17 API calls 5753->5755 5756 402de6 17 API calls 5754->5756 5757 40246e 5755->5757 5758 402443 5756->5758 5763 402e64 5757->5763 5760 402da6 17 API calls 5758->5760 5762 40247b 5758->5762 5761 402454 RegDeleteValueW RegCloseKey 5760->5761 5761->5762 5764 402e78 5763->5764 5766 402e71 5763->5766 5764->5766 5767 402ea9 5764->5767 5766->5762 5768 406387 RegOpenKeyExW 5767->5768 5769 402ed7 5768->5769 5770 402ee7 RegEnumValueW 5769->5770 5771 402f0a 5769->5771 5778 402f81 5769->5778 5770->5771 5772 402f71 RegCloseKey 5770->5772 5771->5772 5773 402f46 RegEnumKeyW 5771->5773 5774 402f4f RegCloseKey 5771->5774 5777 402ea9 6 API calls 5771->5777 5772->5778 5773->5771 5773->5774 5775 4068e7 5 API calls 5774->5775 5776 402f5f 5775->5776 5776->5778 5779 402f63 RegDeleteKeyW 5776->5779 5777->5771 5778->5766 5779->5778 5780 404635 5781 40464d 5780->5781 5785 404767 5780->5785 5786 404476 18 API calls 5781->5786 5782 4047d1 5783 40489b 5782->5783 5784 4047db GetDlgItem 5782->5784 5791 4044dd 8 API calls 5783->5791 5787 4047f5 5784->5787 5788 40485c 5784->5788 5785->5782 5785->5783 5789 4047a2 GetDlgItem SendMessageW 5785->5789 5790 4046b4 5786->5790 5787->5788 5795 40481b SendMessageW LoadCursorW SetCursor 5787->5795 5788->5783 5796 40486e 5788->5796 5813 404498 KiUserCallbackDispatcher 5789->5813 5793 404476 18 API calls 5790->5793 5794 404896 5791->5794 5798 4046c1 CheckDlgButton 5793->5798 5814 4048e4 5795->5814 5800 404884 5796->5800 5801 404874 
SendMessageW 5796->5801 5797 4047cc 5803 4048c0 SendMessageW 5797->5803 5811 404498 KiUserCallbackDispatcher 5798->5811 5800->5794 5802 40488a SendMessageW 5800->5802 5801->5800 5802->5794 5803->5782 5806 4046df GetDlgItem 5812 4044ab SendMessageW 5806->5812 5808 4046f5 SendMessageW 5809 404712 GetSysColor 5808->5809 5810 40471b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5808->5810 5809->5810 5810->5794 5811->5806 5812->5808 5813->5797 5817 405b40 ShellExecuteExW 5814->5817 5816 40484a LoadCursorW SetCursor 5816->5788 5817->5816 5818 401735 5819 402da6 17 API calls 5818->5819 5820 40173c SearchPathW 5819->5820 5821 401757 5820->5821 5822 4014b8 5823 4014be 5822->5823 5824 401389 2 API calls 5823->5824 5825 4014c6 5824->5825 5826 401d38 5827 402d84 17 API calls 5826->5827 5828 401d3f 5827->5828 5829 402d84 17 API calls 5828->5829 5830 401d4b GetDlgItem 5829->5830 5831 402638 5830->5831 4972 4056bb 4973 405865 4972->4973 4974 4056dc GetDlgItem GetDlgItem GetDlgItem 4972->4974 4976 405896 4973->4976 4977 40586e GetDlgItem CreateThread FindCloseChangeNotification 4973->4977 5018 4044ab SendMessageW 4974->5018 4979 4058c1 4976->4979 4980 4058e6 4976->4980 4981 4058ad ShowWindow ShowWindow 4976->4981 4977->4976 5021 40564f 5 API calls 4977->5021 4978 40574c 4985 405753 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4978->4985 4982 405921 4979->4982 4983 4058cd 4979->4983 4984 4044dd 8 API calls 4980->4984 5020 4044ab SendMessageW 4981->5020 4982->4980 4995 40592f SendMessageW 4982->4995 4987 4058d5 4983->4987 4988 4058fb ShowWindow 4983->4988 4990 4058f4 4984->4990 4993 4057c1 4985->4993 4994 4057a5 SendMessageW SendMessageW 4985->4994 4989 40444f SendMessageW 4987->4989 4991 40591b 4988->4991 4992 40590d 4988->4992 4989->4980 4997 40444f SendMessageW 4991->4997 4996 40557c 24 API calls 4992->4996 4998 4057d4 4993->4998 4999 4057c6 SendMessageW 4993->4999 4994->4993 4995->4990 5000 405948 CreatePopupMenu 4995->5000 4996->4991 4997->4982 5002 
404476 18 API calls 4998->5002 4999->4998 5001 406557 17 API calls 5000->5001 5003 405958 AppendMenuW 5001->5003 5004 4057e4 5002->5004 5007 405975 GetWindowRect 5003->5007 5008 405988 TrackPopupMenu 5003->5008 5005 405821 GetDlgItem SendMessageW 5004->5005 5006 4057ed ShowWindow 5004->5006 5005->4990 5011 405848 SendMessageW SendMessageW 5005->5011 5009 405803 ShowWindow 5006->5009 5012 405810 5006->5012 5007->5008 5008->4990 5010 4059a3 5008->5010 5009->5012 5013 4059bf SendMessageW 5010->5013 5011->4990 5019 4044ab SendMessageW 5012->5019 5013->5013 5014 4059dc OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 5013->5014 5016 405a01 SendMessageW 5014->5016 5016->5016 5017 405a2a GlobalUnlock SetClipboardData CloseClipboard 5016->5017 5017->4990 5018->4978 5019->5005 5020->4979 5832 404cbd 5833 404ce9 5832->5833 5834 404ccd 5832->5834 5835 404d1c 5833->5835 5836 404cef SHGetPathFromIDListW 5833->5836 5843 405b5e GetDlgItemTextW 5834->5843 5838 404d06 SendMessageW 5836->5838 5839 404cff 5836->5839 5838->5835 5841 40140b 2 API calls 5839->5841 5840 404cda SendMessageW 5840->5833 5841->5838 5843->5840 5844 40263e 5845 402652 5844->5845 5846 40266d 5844->5846 5847 402d84 17 API calls 5845->5847 5848 402672 5846->5848 5849 40269d 5846->5849 5858 402659 5847->5858 5850 402da6 17 API calls 5848->5850 5851 402da6 17 API calls 5849->5851 5853 402679 5850->5853 5852 4026a4 lstrlenW 5851->5852 5852->5858 5861 40653c WideCharToMultiByte 5853->5861 5855 40268d lstrlenA 5855->5858 5856 4026e7 5857 4026d1 5857->5856 5859 4060bc WriteFile 5857->5859 5858->5856 5858->5857 5860 4060eb 5 API calls 5858->5860 5859->5856 5860->5857 5861->5855

                                                Control-flow Graph

                                                C-Code - Quality: 79%
                                                			_entry_() {
                                                				WCHAR* _v8;
                                                				signed int _v12;
                                                				void* _v16;
                                                				signed int _v20;
                                                				int _v24;
                                                				int _v28;
                                                				struct _TOKEN_PRIVILEGES _v40;
                                                				signed char _v42;
                                                				int _v44;
                                                				signed int _v48;
                                                				intOrPtr _v278;
                                                				signed short _v310;
                                                				struct _OSVERSIONINFOW _v324;
                                                				struct _SHFILEINFOW _v1016;
                                                				intOrPtr* _t88;
                                                				WCHAR* _t92;
                                                				char* _t94;
                                                				void _t97;
                                                				void* _t116;
                                                				WCHAR* _t118;
                                                				signed int _t120;
                                                				intOrPtr* _t124;
                                                				void* _t138;
                                                				void* _t144;
                                                				void* _t149;
                                                				void* _t153;
                                                				void* _t158;
                                                				signed int _t168;
                                                				void* _t171;
                                                				void* _t176;
                                                				intOrPtr _t178;
                                                				intOrPtr _t179;
                                                				intOrPtr* _t180;
                                                				int _t189;
                                                				void* _t190;
                                                				void* _t199;
                                                				signed int _t205;
                                                				signed int _t210;
                                                				signed int _t215;
                                                				signed int _t217;
                                                				int* _t219;
                                                				signed int _t227;
                                                				signed int _t230;
                                                				CHAR* _t232;
                                                				char* _t233;
                                                				signed int _t234;
                                                				WCHAR* _t235;
                                                				void* _t251;
                                                
                                                				_t217 = 0x20;
                                                				_t189 = 0;
                                                				_v24 = 0;
                                                				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                                                				_v20 = 0;
                                                				SetErrorMode(0x8001); // executed
                                                				_v324.szCSDVersion = 0;
                                                				_v48 = 0;
                                                				_v44 = 0;
                                                				_v324.dwOSVersionInfoSize = 0x11c;
                                                				if(GetVersionExW( &_v324) == 0) {
                                                					_v324.dwOSVersionInfoSize = 0x114;
                                                					GetVersionExW( &_v324);
                                                					asm("sbb eax, eax");
                                                					_v42 = 4;
                                                					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                                                				}
                                                				if(_v324.dwMajorVersion < 0xa) {
                                                					_v310 = _v310 & 0x00000000;
                                                				}
                                                				 *0x7a8b18 = _v324.dwBuildNumber;
                                                				 *0x7a8b1c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                                                				if( *0x7a8b1e != 0x600) {
                                                					_t180 = E004068E7(_t189);
                                                					if(_t180 != _t189) {
                                                						 *_t180(0xc00);
                                                					}
                                                				}
                                                				_t232 = "UXTHEME";
                                                				do {
                                                					E00406877(_t232); // executed
                                                					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
                                                				} while ( *_t232 != 0);
                                                				E004068E7(0xb);
                                                				 *0x7a8a64 = E004068E7(9);
                                                				_t88 = E004068E7(7);
                                                				if(_t88 != _t189) {
                                                					_t88 =  *_t88(0x1e);
                                                					if(_t88 != 0) {
                                                						 *0x7a8b1c =  *0x7a8b1c | 0x00000080;
                                                					}
                                                				}
                                                				__imp__#17();
                                                				__imp__OleInitialize(_t189); // executed
                                                				 *0x7a8b20 = _t88;
                                                				SHGetFileInfoW(0x79ff08, _t189,  &_v1016, 0x2b4, _t189); // executed
                                                				E0040651A(0x7a7a60, L"NSIS Error");
                                                				_t92 = GetCommandLineW();
                                                				_t233 = L"\"C:\\Users\\jones\\Desktop\\Transferencia.exe\" ";
                                                				E0040651A(_t233, _t92);
                                                				_t94 = _t233;
                                                				_t234 = 0x22;
                                                				 *0x7a8a60 = 0x400000;
                                                				_t251 = L"\"C:\\Users\\jones\\Desktop\\Transferencia.exe\" " - _t234; // 0x22
                                                				if(_t251 == 0) {
                                                					_t217 = _t234;
                                                					_t94 =  &M007B3002;
                                                				}
                                                				_t199 = CharNextW(E00405E16(_t94, _t217));
                                                				_v16 = _t199;
                                                				while(1) {
                                                					_t97 =  *_t199;
                                                					_t252 = _t97 - _t189;
                                                					if(_t97 == _t189) {
                                                						break;
                                                					}
                                                					_t210 = 0x20;
                                                					__eflags = _t97 - _t210;
                                                					if(_t97 != _t210) {
                                                						L17:
                                                						__eflags =  *_t199 - _t234;
                                                						_v12 = _t210;
                                                						if( *_t199 == _t234) {
                                                							_v12 = _t234;
                                                							_t199 = _t199 + 2;
                                                							__eflags = _t199;
                                                						}
                                                						__eflags =  *_t199 - 0x2f;
                                                						if( *_t199 != 0x2f) {
                                                							L32:
                                                							_t199 = E00405E16(_t199, _v12);
                                                							__eflags =  *_t199 - _t234;
                                                							if(__eflags == 0) {
                                                								_t199 = _t199 + 2;
                                                								__eflags = _t199;
                                                							}
                                                							continue;
                                                						} else {
                                                							_t199 = _t199 + 2;
                                                							__eflags =  *_t199 - 0x53;
                                                							if( *_t199 != 0x53) {
                                                								L24:
                                                								asm("cdq");
                                                								asm("cdq");
                                                								_t215 = L"NCRC" & 0x0000ffff;
                                                								asm("cdq");
                                                								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
                                                								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
                                                								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
                                                									L29:
                                                									asm("cdq");
                                                									asm("cdq");
                                                									_t210 = L" /D=" & 0x0000ffff;
                                                									asm("cdq");
                                                									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
                                                									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
                                                									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
                                                										L31:
                                                										_t234 = 0x22;
                                                										goto L32;
                                                									}
                                                									__eflags =  *_t199 - _t230;
                                                									if( *_t199 == _t230) {
                                                										 *(_t199 - 4) = _t189;
                                                										__eflags = _t199;
                                                										E0040651A(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t199);
                                                										L37:
                                                										_t235 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
                                                										GetTempPathW(0x400, _t235);
                                                										_t116 = E004034D9(_t199, _t252);
                                                										_t253 = _t116;
                                                										if(_t116 != 0) {
                                                											L40:
                                                											DeleteFileW(L"1033"); // executed
                                                											_t118 = E0040307D(_t255, _v20); // executed
                                                											_v8 = _t118;
                                                											if(_t118 != _t189) {
                                                												L68:
                                                												E00403AEF();
                                                												__imp__OleUninitialize();
                                                												if(_v8 == _t189) {
                                                													if( *0x7a8af4 == _t189) {
                                                														L77:
                                                														_t120 =  *0x7a8b0c;
                                                														if(_t120 != 0xffffffff) {
                                                															_v24 = _t120;
                                                														}
                                                														ExitProcess(_v24);
                                                													}
                                                													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                                                														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
                                                														_v40.PrivilegeCount = 1;
                                                														_v28 = 2;
                                                														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
                                                													}
                                                													_t124 = E004068E7(4);
                                                													if(_t124 == _t189) {
                                                														L75:
                                                														if(ExitWindowsEx(2, 0x80040002) != 0) {
                                                															goto L77;
                                                														}
                                                														goto L76;
                                                													} else {
                                                														_push(0x80040002);
                                                														_push(0x25);
                                                														_push(_t189);
                                                														_push(_t189);
                                                														_push(_t189);
                                                														if( *_t124() == 0) {
                                                															L76:
                                                															E0040140B(9);
                                                															goto L77;
                                                														}
                                                														goto L75;
                                                													}
                                                												}
                                                												E00405B7A(_v8, 0x200010);
                                                												ExitProcess(2);
                                                											}
                                                											if( *0x7a8a7c == _t189) {
                                                												L51:
                                                												 *0x7a8b0c =  *0x7a8b0c | 0xffffffff;
                                                												_v24 = E00403BC9(_t265);
                                                												goto L68;
                                                											}
                                                											_t219 = E00405E16(L"\"C:\\Users\\jones\\Desktop\\Transferencia.exe\" ", _t189);
                                                											if(_t219 < L"\"C:\\Users\\jones\\Desktop\\Transferencia.exe\" ") {
                                                												L48:
                                                												_t264 = _t219 - L"\"C:\\Users\\jones\\Desktop\\Transferencia.exe\" ";
                                                												_v8 = L"Error launching installer";
                                                												if(_t219 < L"\"C:\\Users\\jones\\Desktop\\Transferencia.exe\" ") {
                                                													_t190 = E00405AE5(__eflags);
                                                													lstrcatW(_t235, L"~nsu");
                                                													__eflags = _t190;
                                                													if(_t190 != 0) {
                                                														lstrcatW(_t235, "A");
                                                													}
                                                													lstrcatW(_t235, L".tmp");
                                                													_t138 = lstrcmpiW(_t235, 0x7b4800);
                                                													__eflags = _t138;
                                                													if(_t138 == 0) {
                                                														L67:
                                                														_t189 = 0;
                                                														__eflags = 0;
                                                														goto L68;
                                                													} else {
                                                														__eflags = _t190;
                                                														_push(_t235);
                                                														if(_t190 == 0) {
                                                															E00405AC8();
                                                														} else {
                                                															E00405A4B();
                                                														}
                                                														SetCurrentDirectoryW(_t235);
                                                														__eflags = L"C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
                                                														if(__eflags == 0) {
                                                															E0040651A(L"C:\\Users\\jones\\AppData\\Local\\Temp", 0x7b4800);
                                                														}
                                                														E0040651A(0x7a9000, _v16);
                                                														_t202 = "A" & 0x0000ffff;
                                                														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                                														__eflags = _t144;
                                                														_v12 = 0x1a;
                                                														 *0x7a9800 = _t144;
                                                														do {
                                                															E00406557(0, 0x79f708, _t235, 0x79f708,  *((intOrPtr*)( *0x7a8a70 + 0x120)));
                                                															DeleteFileW(0x79f708);
                                                															__eflags = _v8;
                                                															if(_v8 != 0) {
                                                																_t149 = CopyFileW(L"C:\\Users\\jones\\Desktop\\Transferencia.exe", 0x79f708, 1);
                                                																__eflags = _t149;
                                                																if(_t149 != 0) {
                                                																	E004062DA(_t202, 0x79f708, 0);
                                                																	E00406557(0, 0x79f708, _t235, 0x79f708,  *((intOrPtr*)( *0x7a8a70 + 0x124)));
                                                																	_t153 = E00405AFD(0x79f708);
                                                																	__eflags = _t153;
                                                																	if(_t153 != 0) {
                                                																		CloseHandle(_t153);
                                                																		_v8 = 0;
                                                																	}
                                                																}
                                                															}
                                                															 *0x7a9800 =  *0x7a9800 + 1;
                                                															_t61 =  &_v12;
                                                															 *_t61 = _v12 - 1;
                                                															__eflags =  *_t61;
                                                														} while ( *_t61 != 0);
                                                														E004062DA(_t202, _t235, 0);
                                                														goto L67;
                                                													}
                                                												}
                                                												 *_t219 = _t189;
                                                												_t222 =  &(_t219[2]);
                                                												_t158 = E00405EF1(_t264,  &(_t219[2]));
                                                												_t265 = _t158;
                                                												if(_t158 == 0) {
                                                													goto L68;
                                                												}
                                                												E0040651A(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t222);
                                                												E0040651A(0x7b4000, _t222);
                                                												_v8 = _t189;
                                                												goto L51;
                                                											}
                                                											asm("cdq");
                                                											asm("cdq");
                                                											asm("cdq");
                                                											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                                											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                                                											while( *_t219 != _t205 || _t219[1] != _t168) {
                                                												_t219 = _t219;
                                                												if(_t219 >= L"\"C:\\Users\\jones\\Desktop\\Transferencia.exe\" ") {
                                                													continue;
                                                												}
                                                												break;
                                                											}
                                                											_t189 = 0;
                                                											goto L48;
                                                										}
                                                										GetWindowsDirectoryW(_t235, 0x3fb);
                                                										lstrcatW(_t235, L"\\Temp");
                                                										_t171 = E004034D9(_t199, _t253);
                                                										_t254 = _t171;
                                                										if(_t171 != 0) {
                                                											goto L40;
                                                										}
                                                										GetTempPathW(0x3fc, _t235);
                                                										lstrcatW(_t235, L"Low");
                                                										SetEnvironmentVariableW(L"TEMP", _t235);
                                                										SetEnvironmentVariableW(L"TMP", _t235);
                                                										_t176 = E004034D9(_t199, _t254);
                                                										_t255 = _t176;
                                                										if(_t176 == 0) {
                                                											goto L68;
                                                										}
                                                										goto L40;
                                                									}
                                                									goto L31;
                                                								}
                                                								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
                                                								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
                                                									goto L29;
                                                								}
                                                								_t178 =  *((intOrPtr*)(_t199 + 8));
                                                								__eflags = _t178 - 0x20;
                                                								if(_t178 == 0x20) {
                                                									L28:
                                                									_t36 =  &_v20;
                                                									 *_t36 = _v20 | 0x00000004;
                                                									__eflags =  *_t36;
                                                									goto L29;
                                                								}
                                                								__eflags = _t178 - _t189;
                                                								if(_t178 != _t189) {
                                                									goto L29;
                                                								}
                                                								goto L28;
                                                							}
                                                							_t179 =  *((intOrPtr*)(_t199 + 2));
                                                							__eflags = _t179 - _t210;
                                                							if(_t179 == _t210) {
                                                								L23:
                                                								 *0x7a8b00 = 1;
                                                								goto L24;
                                                							}
                                                							__eflags = _t179 - _t189;
                                                							if(_t179 != _t189) {
                                                								goto L24;
                                                							}
                                                							goto L23;
                                                						}
                                                					} else {
                                                						goto L16;
                                                					}
                                                					do {
                                                						L16:
                                                						_t199 = _t199 + 2;
                                                						__eflags =  *_t199 - _t210;
                                                					} while ( *_t199 == _t210);
                                                					goto L17;
                                                				}
                                                				goto L37;
                                                			}
                                                0x00403690
                                                0x00403691
                                                0x0040369b
                                                0x004036a2
                                                0x004036a4
                                                0x004036a6
                                                0x004036a6
                                                0x004036b9
                                                0x004036bb
                                                0x004037b5
                                                0x004037b5
                                                0x004037b8
                                                0x004037bb
                                                0x00000000
                                                0x00000000
                                                0x004036c5
                                                0x004036c6
                                                0x004036c9
                                                0x004036d2
                                                0x004036d2
                                                0x004036d5
                                                0x004036d8
                                                0x004036db
                                                0x004036de
                                                0x004036de
                                                0x004036de
                                                0x004036df
                                                0x004036e3
                                                0x004037a3
                                                0x004037ac
                                                0x004037ae
                                                0x004037b1
                                                0x004037b4
                                                0x004037b4
                                                0x004037b4
                                                0x00000000
                                                0x004036e9
                                                0x004036ea
                                                0x004036eb
                                                0x004036ef
                                                0x00403709
                                                0x00403710
                                                0x00403723
                                                0x00403724
                                                0x00403739
                                                0x0040373e
                                                0x00403740
                                                0x00403742
                                                0x0040375e
                                                0x00403765
                                                0x00403778
                                                0x00403779
                                                0x0040378e
                                                0x00403794
                                                0x00403796
                                                0x00403798
                                                0x004037a0
                                                0x004037a2
                                                0x00000000
                                                0x004037a2
                                                0x0040379c
                                                0x0040379e
                                                0x004037c3
                                                0x004037c7
                                                0x004037d0
                                                0x004037d5
                                                0x004037db
                                                0x004037e6
                                                0x004037e8
                                                0x004037ed
                                                0x004037ef
                                                0x00403847
                                                0x0040384c
                                                0x00403855
                                                0x0040385c
                                                0x0040385f
                                                0x00403a36
                                                0x00403a36
                                                0x00403a3b
                                                0x00403a44
                                                0x00403a61
                                                0x00403ad9
                                                0x00403ad9
                                                0x00403ae1
                                                0x00403ae3
                                                0x00403ae3
                                                0x00403ae9
                                                0x00403ae9
                                                0x00403a78
                                                0x00403a84
                                                0x00403a95
                                                0x00403a9c
                                                0x00403aa3
                                                0x00403aa3
                                                0x00403aab
                                                0x00403ab7
                                                0x00403ac5
                                                0x00403ad0
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403ab9
                                                0x00403ab9
                                                0x00403aba
                                                0x00403abc
                                                0x00403abd
                                                0x00403abe
                                                0x00403ac3
                                                0x00403ad2
                                                0x00403ad4
                                                0x00000000
                                                0x00403ad4
                                                0x00000000
                                                0x00403ac3
                                                0x00403ab7
                                                0x00403a4e
                                                0x00403a55
                                                0x00403a55
                                                0x0040386b
                                                0x00403912
                                                0x00403912
                                                0x0040391e
                                                0x00000000
                                                0x0040391e
                                                0x0040387c
                                                0x00403884
                                                0x004038d6
                                                0x004038d6
                                                0x004038dc
                                                0x004038e3
                                                0x00403931
                                                0x00403933
                                                0x00403938
                                                0x0040393a
                                                0x00403942
                                                0x00403942
                                                0x0040394d
                                                0x00403959
                                                0x0040395f
                                                0x00403961
                                                0x00403a34
                                                0x00403a34
                                                0x00403a34
                                                0x00000000
                                                0x00403967
                                                0x00403967
                                                0x00403969
                                                0x0040396a
                                                0x00403973
                                                0x0040396c
                                                0x0040396c
                                                0x0040396c
                                                0x00403979
                                                0x00403981
                                                0x00403988
                                                0x00403990
                                                0x00403990
                                                0x0040399d
                                                0x004039a9
                                                0x004039b3
                                                0x004039b3
                                                0x004039b5
                                                0x004039bc
                                                0x004039c6
                                                0x004039d2
                                                0x004039d8
                                                0x004039de
                                                0x004039e1
                                                0x004039eb
                                                0x004039f1
                                                0x004039f3
                                                0x004039f7
                                                0x00403a08
                                                0x00403a0e
                                                0x00403a13
                                                0x00403a15
                                                0x00403a18
                                                0x00403a1e
                                                0x00403a1e
                                                0x00403a15
                                                0x004039f3
                                                0x00403a21
                                                0x00403a28
                                                0x00403a28
                                                0x00403a28
                                                0x00403a28
                                                0x00403a2f
                                                0x00000000
                                                0x00403a2f
                                                0x00403961
                                                0x004038e5
                                                0x004038e8
                                                0x004038ec
                                                0x004038f1
                                                0x004038f3
                                                0x00000000
                                                0x00000000
                                                0x004038ff
                                                0x0040390a
                                                0x0040390f
                                                0x00000000
                                                0x0040390f
                                                0x0040388d
                                                0x004038a5
                                                0x004038b6
                                                0x004038b7
                                                0x004038bb
                                                0x004038bd
                                                0x004038cb
                                                0x004038d2
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004038d2
                                                0x004038d4
                                                0x00000000
                                                0x004038d4
                                                0x004037f7
                                                0x00403803
                                                0x00403808
                                                0x0040380d
                                                0x0040380f
                                                0x00000000
                                                0x00000000
                                                0x00403817
                                                0x0040381f
                                                0x00403830
                                                0x00403838
                                                0x0040383a
                                                0x0040383f
                                                0x00403841
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403841
                                                0x00000000
                                                0x0040379e
                                                0x00403747
                                                0x00403749
                                                0x00000000
                                                0x00000000
                                                0x0040374b
                                                0x0040374f
                                                0x00403753
                                                0x0040375a
                                                0x0040375a
                                                0x0040375a
                                                0x0040375a
                                                0x00000000
                                                0x0040375a
                                                0x00403755
                                                0x00403758
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403758
                                                0x004036f1
                                                0x004036f5
                                                0x004036f8
                                                0x004036ff
                                                0x004036ff
                                                0x00000000
                                                0x004036ff
                                                0x004036fa
                                                0x004036fd
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004036fd
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004036cb
                                                0x004036cb
                                                0x004036cc
                                                0x004036cd
                                                0x004036cd
                                                0x00000000
                                                0x004036cb
                                                0x00000000

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008001), ref: 0040352D
                                                • GetVersionExW.KERNEL32(?), ref: 00403556
                                                • GetVersionExW.KERNEL32(0000011C), ref: 0040356D
                                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403604
                                                • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403640
                                                • OleInitialize.OLE32(00000000), ref: 00403647
                                                • SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 00403665
                                                • GetCommandLineW.KERNEL32(007A7A60,NSIS Error), ref: 0040367A
                                                • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Transferencia.exe" ,00000020,"C:\Users\user\Desktop\Transferencia.exe" ,00000000), ref: 004036B3
                                                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037E6
                                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037F7
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403803
                                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403817
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381F
                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403830
                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403838
                                                • DeleteFileW.KERNELBASE(1033), ref: 0040384C
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403933
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403942
                                                  • Part of subcall function 00405AC8: CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405ACE
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040394D
                                                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B4800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Transferencia.exe" ,00000000,?), ref: 00403959
                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403979
                                                • DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,?), ref: 004039D8
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\Transferencia.exe,0079F708,00000001), ref: 004039EB
                                                • CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000), ref: 00403A18
                                                • OleUninitialize.OLE32(?), ref: 00403A3B
                                                • ExitProcess.KERNEL32 ref: 00403A55
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A69
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00403A70
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A84
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AA3
                                                • ExitWindowsEx.USER32 ref: 00403AC8
                                                • ExitProcess.KERNEL32 ref: 00403AE9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                • String ID: "C:\Users\user\Desktop\Transferencia.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\Transferencia.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                • API String ID: 3859024572-377582768
                                                • Opcode ID: 4f4eec0de79c21e215e23cc6c73292148191a8a8d39fbf5898b354216cb2abd3
                                                • Instruction ID: 53a60b58fdbd25313d51bce5ca3a2b86b24fade18f433b590921527e5da6acff
                                                • Opcode Fuzzy Hash: 4f4eec0de79c21e215e23cc6c73292148191a8a8d39fbf5898b354216cb2abd3
                                                • Instruction Fuzzy Hash: B2E1F8B0A00214ABD720AFB59D45ABF3AB8EB45705F10807EF581B62D1DB7C8B41CB6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 143 4056bb-4056d6 144 405865-40586c 143->144 145 4056dc-4057a3 GetDlgItem * 3 call 4044ab call 404e04 GetClientRect GetSystemMetrics SendMessageW * 2 143->145 147 405896-4058a3 144->147 148 40586e-405890 GetDlgItem CreateThread FindCloseChangeNotification 144->148 167 4057c1-4057c4 145->167 168 4057a5-4057bf SendMessageW * 2 145->168 150 4058c1-4058cb 147->150 151 4058a5-4058ab 147->151 148->147 155 405921-405925 150->155 156 4058cd-4058d3 150->156 153 4058e6-4058ef call 4044dd 151->153 154 4058ad-4058bc ShowWindow * 2 call 4044ab 151->154 164 4058f4-4058f8 153->164 154->150 155->153 159 405927-40592d 155->159 161 4058d5-4058e1 call 40444f 156->161 162 4058fb-40590b ShowWindow 156->162 159->153 169 40592f-405942 SendMessageW 159->169 161->153 165 40591b-40591c call 40444f 162->165 166 40590d-405916 call 40557c 162->166 165->155 166->165 172 4057d4-4057eb call 404476 167->172 173 4057c6-4057d2 SendMessageW 167->173 168->167 174 405a44-405a46 169->174 175 405948-405973 CreatePopupMenu call 406557 AppendMenuW 169->175 180 405821-405842 GetDlgItem SendMessageW 172->180 181 4057ed-405801 ShowWindow 172->181 173->172 174->164 182 405975-405985 GetWindowRect 175->182 183 405988-40599d TrackPopupMenu 175->183 180->174 187 405848-405860 SendMessageW * 2 180->187 184 405810 181->184 185 405803-40580e ShowWindow 181->185 182->183 183->174 186 4059a3-4059ba 183->186 188 405816-40581c call 4044ab 184->188 185->188 189 4059bf-4059da SendMessageW 186->189 187->174 188->180 189->189 190 4059dc-4059ff OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 189->190 192 405a01-405a28 SendMessageW 190->192 192->192 193 405a2a-405a3e GlobalUnlock SetClipboardData CloseClipboard 192->193 193->174
                                                C-Code - Quality: 95%
                                                			E004056BB(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                				struct HWND__* _v8;
                                                				long _v12;
                                                				struct tagRECT _v28;
                                                				void* _v36;
                                                				signed int _v40;
                                                				int _v44;
                                                				int _v48;
                                                				signed int _v52;
                                                				int _v56;
                                                				void* _v60;
                                                				void* _v68;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				struct HWND__* _t94;
                                                				long _t95;
                                                				int _t100;
                                                				void* _t108;
                                                				intOrPtr _t119;
                                                				void* _t127;
                                                				intOrPtr _t130;
                                                				struct HWND__* _t134;
                                                				int _t156;
                                                				int _t159;
                                                				struct HMENU__* _t164;
                                                				struct HWND__* _t168;
                                                				struct HWND__* _t169;
                                                				int _t171;
                                                				void* _t172;
                                                				short* _t173;
                                                				short* _t175;
                                                				int _t177;
                                                
                                                				_t169 =  *0x7a7a44;
                                                				_t156 = 0;
                                                				_v8 = _t169;
                                                				if(_a8 != 0x110) {
                                                					if(_a8 == 0x405) {
                                                						_t127 = CreateThread(0, 0, E0040564F, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
                                                						FindCloseChangeNotification(_t127); // executed
                                                					}
                                                					if(_a8 != 0x111) {
                                                						L17:
                                                						_t171 = 1;
                                                						if(_a8 != 0x404) {
                                                							L25:
                                                							if(_a8 != 0x7b) {
                                                								goto L20;
                                                							}
                                                							_t94 = _v8;
                                                							if(_a12 != _t94) {
                                                								goto L20;
                                                							}
                                                							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                                							_a8 = _t95;
                                                							if(_t95 <= _t156) {
                                                								L36:
                                                								return 0;
                                                							}
                                                							_t164 = CreatePopupMenu();
                                                							AppendMenuW(_t164, _t156, _t171, E00406557(_t156, _t164, _t171, _t156, 0xffffffe1));
                                                							_t100 = _a16;
                                                							_t159 = _a16 >> 0x10;
                                                							if(_a16 == 0xffffffff) {
                                                								GetWindowRect(_v8,  &_v28);
                                                								_t100 = _v28.left;
                                                								_t159 = _v28.top;
                                                							}
                                                							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                                                								_v60 = _t156;
                                                								_v48 = 0x7a1f48;
                                                								_v44 = 0x1000;
                                                								_a4 = _a8;
                                                								do {
                                                									_a4 = _a4 - 1;
                                                									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                                                								} while (_a4 != _t156);
                                                								OpenClipboard(_t156);
                                                								EmptyClipboard();
                                                								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                                								_a4 = _t108;
                                                								_t172 = GlobalLock(_t108);
                                                								do {
                                                									_v48 = _t172;
                                                									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                                									 *_t173 = 0xd;
                                                									_t175 = _t173 + 2;
                                                									 *_t175 = 0xa;
                                                									_t172 = _t175 + 2;
                                                									_t156 = _t156 + 1;
                                                								} while (_t156 < _a8);
                                                								GlobalUnlock(_a4);
                                                								SetClipboardData(0xd, _a4);
                                                								CloseClipboard();
                                                							}
                                                							goto L36;
                                                						}
                                                						if( *0x7a7a2c == _t156) {
                                                							ShowWindow( *0x7a8a68, 8);
                                                							if( *0x7a8aec == _t156) {
                                                								_t119 =  *0x7a0f20; // 0x9a9554
                                                								E0040557C( *((intOrPtr*)(_t119 + 0x34)), _t156);
                                                							}
                                                							E0040444F(_t171);
                                                							goto L25;
                                                						}
                                                						 *0x7a0718 = 2;
                                                						E0040444F(0x78);
                                                						goto L20;
                                                					} else {
                                                						if(_a12 != 0x403) {
                                                							L20:
                                                							return E004044DD(_a8, _a12, _a16);
                                                						}
                                                						ShowWindow( *0x7a7a30, _t156);
                                                						ShowWindow(_t169, 8);
                                                						E004044AB(_t169);
                                                						goto L17;
                                                					}
                                                				}
                                                				_v52 = _v52 | 0xffffffff;
                                                				_v40 = _v40 | 0xffffffff;
                                                				_t177 = 2;
                                                				_v60 = _t177;
                                                				_v56 = 0;
                                                				_v48 = 0;
                                                				_v44 = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				_t130 =  *0x7a8a70;
                                                				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                                				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                                				 *0x7a7a30 = GetDlgItem(_a4, 0x403);
                                                				 *0x7a7a28 = GetDlgItem(_a4, 0x3ee);
                                                				_t134 = GetDlgItem(_a4, 0x3f8);
                                                				 *0x7a7a44 = _t134;
                                                				_v8 = _t134;
                                                				E004044AB( *0x7a7a30);
                                                				 *0x7a7a34 = E00404E04(4);
                                                				 *0x7a7a4c = 0;
                                                				GetClientRect(_v8,  &_v28);
                                                				_v52 = _v28.right - GetSystemMetrics(_t177);
                                                				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
                                                				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
                                                				if(_a8 >= 0) {
                                                					SendMessageW(_v8, 0x1001, 0, _a8);
                                                					SendMessageW(_v8, 0x1026, 0, _a8);
                                                				}
                                                				if(_a12 >= _t156) {
                                                					SendMessageW(_v8, 0x1024, _t156, _a12);
                                                				}
                                                				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                				_push(0x1b);
                                                				E00404476(_a4);
                                                				if(( *0x7a8a78 & 0x00000003) != 0) {
                                                					ShowWindow( *0x7a7a30, _t156);
                                                					if(( *0x7a8a78 & 0x00000002) != 0) {
                                                						 *0x7a7a30 = _t156;
                                                					} else {
                                                						ShowWindow(_v8, 8);
                                                					}
                                                					E004044AB( *0x7a7a28);
                                                				}
                                                				_t168 = GetDlgItem(_a4, 0x3ec);
                                                				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                                				if(( *0x7a8a78 & 0x00000004) != 0) {
                                                					SendMessageW(_t168, 0x409, _t156, _a12);
                                                					SendMessageW(_t168, 0x2001, _t156, _a8);
                                                				}
                                                				goto L36;
                                                			}




































                                                APIs
                                                • GetDlgItem.USER32 ref: 00405719
                                                • GetDlgItem.USER32 ref: 00405728
                                                • GetClientRect.USER32 ref: 00405765
                                                • GetSystemMetrics.USER32 ref: 0040576C
                                                • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040578D
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040579E
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057B1
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057BF
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057D2
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057F4
                                                • ShowWindow.USER32(?,00000008), ref: 00405808
                                                • GetDlgItem.USER32 ref: 00405829
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405839
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405852
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040585E
                                                • GetDlgItem.USER32 ref: 00405737
                                                  • Part of subcall function 004044AB: SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                                                • GetDlgItem.USER32 ref: 0040587B
                                                • CreateThread.KERNELBASE ref: 00405889
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405890
                                                • ShowWindow.USER32(00000000), ref: 004058B4
                                                • ShowWindow.USER32(?,00000008), ref: 004058B9
                                                • ShowWindow.USER32(00000008), ref: 00405903
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405937
                                                • CreatePopupMenu.USER32 ref: 00405948
                                                • AppendMenuW.USER32 ref: 0040595C
                                                • GetWindowRect.USER32 ref: 0040597C
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405995
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059CD
                                                • OpenClipboard.USER32(00000000), ref: 004059DD
                                                • EmptyClipboard.USER32 ref: 004059E3
                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059EF
                                                • GlobalLock.KERNEL32 ref: 004059F9
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A0D
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405A2D
                                                • SetClipboardData.USER32 ref: 00405A38
                                                • CloseClipboard.USER32 ref: 00405A3E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                • String ID: {
                                                • API String ID: 4154960007-366298937
                                                • Opcode ID: 6f9b910c36771dad060a0dd0b7d94d2eb85d45aef733cfe21307c5b05fb3eeaa
                                                • Instruction ID: d7cac64708ae36737aaf404740c8a4e4a0ccfdbfd79e04772bb75515dd65aeb5
                                                • Opcode Fuzzy Hash: 6f9b910c36771dad060a0dd0b7d94d2eb85d45aef733cfe21307c5b05fb3eeaa
                                                • Instruction Fuzzy Hash: BFB14BB1900608FFDF11AF64DD89AAE7B79FB48354F00802AFA41B61A0CB795A51DF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 442 405c26-405c4c call 405ef1 445 405c65-405c6c 442->445 446 405c4e-405c60 DeleteFileW 442->446 448 405c6e-405c70 445->448 449 405c7f-405c8f call 40651a 445->449 447 405de2-405de6 446->447 450 405d90-405d95 448->450 451 405c76-405c79 448->451 455 405c91-405c9c lstrcatW 449->455 456 405c9e-405c9f call 405e35 449->456 450->447 453 405d97-405d9a 450->453 451->449 451->450 457 405da4-405dac call 406850 453->457 458 405d9c-405da2 453->458 459 405ca4-405ca8 455->459 456->459 457->447 466 405dae-405dc2 call 405de9 call 405bde 457->466 458->447 462 405cb4-405cba lstrcatW 459->462 463 405caa-405cb2 459->463 465 405cbf-405cdb lstrlenW FindFirstFileW 462->465 463->462 463->465 467 405ce1-405ce9 465->467 468 405d85-405d89 465->468 482 405dc4-405dc7 466->482 483 405dda-405ddd call 40557c 466->483 471 405d09-405d1d call 40651a 467->471 472 405ceb-405cf3 467->472 468->450 470 405d8b 468->470 470->450 484 405d34-405d3f call 405bde 471->484 485 405d1f-405d27 471->485 474 405cf5-405cfd 472->474 475 405d68-405d78 FindNextFileW 472->475 474->471 478 405cff-405d07 474->478 475->467 481 405d7e-405d7f FindClose 475->481 478->471 478->475 481->468 482->458 488 405dc9-405dd8 call 40557c call 4062da 482->488 483->447 495 405d60-405d63 call 40557c 484->495 496 405d41-405d44 484->496 485->475 489 405d29-405d32 call 405c26 485->489 488->447 489->475 495->475 498 405d46-405d56 call 40557c call 4062da 496->498 499 405d58-405d5e 496->499 498->475 499->475
                                                C-Code - Quality: 98%
                                                			E00405C26(void* __eflags, signed int _a4, signed int _a8) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				short _v556;
                                                				short _v558;
                                                				struct _WIN32_FIND_DATAW _v604;
                                                				signed int _t38;
                                                				signed int _t52;
                                                				signed int _t55;
                                                				signed int _t62;
                                                				void* _t64;
                                                				signed char _t65;
                                                				WCHAR* _t66;
                                                				void* _t67;
                                                				WCHAR* _t68;
                                                				void* _t70;
                                                
                                                				_t65 = _a8;
                                                				_t68 = _a4;
                                                				_v8 = _t65 & 0x00000004;
                                                				_t38 = E00405EF1(__eflags, _t68);
                                                				_v12 = _t38;
                                                				if((_t65 & 0x00000008) != 0) {
                                                					_t62 = DeleteFileW(_t68); // executed
                                                					asm("sbb eax, eax");
                                                					_t64 =  ~_t62 + 1;
                                                					 *0x7a8ae8 =  *0x7a8ae8 + _t64;
                                                					return _t64;
                                                				}
                                                				_a4 = _t65;
                                                				_t8 =  &_a4;
                                                				 *_t8 = _a4 & 0x00000001;
                                                				__eflags =  *_t8;
                                                				if( *_t8 == 0) {
                                                					L5:
                                                					E0040651A(0x7a3f50, _t68);
                                                					__eflags = _a4;
                                                					if(_a4 == 0) {
                                                						E00405E35(_t68);
                                                					} else {
                                                						lstrcatW(0x7a3f50, L"\\*.*");
                                                					}
                                                					__eflags =  *_t68;
                                                					if( *_t68 != 0) {
                                                						L10:
                                                						lstrcatW(_t68, 0x40a014);
                                                						L11:
                                                						_t66 =  &(_t68[lstrlenW(_t68)]);
                                                						_t38 = FindFirstFileW(0x7a3f50,  &_v604);
                                                						_t70 = _t38;
                                                						__eflags = _t70 - 0xffffffff;
                                                						if(_t70 == 0xffffffff) {
                                                							L26:
                                                							__eflags = _a4;
                                                							if(_a4 != 0) {
                                                								_t30 = _t66 - 2;
                                                								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                                								__eflags =  *_t30;
                                                							}
                                                							goto L28;
                                                						} else {
                                                							goto L12;
                                                						}
                                                						do {
                                                							L12:
                                                							__eflags = _v604.cFileName - 0x2e;
                                                							if(_v604.cFileName != 0x2e) {
                                                								L16:
                                                								E0040651A(_t66,  &(_v604.cFileName));
                                                								__eflags = _v604.dwFileAttributes & 0x00000010;
                                                								if(__eflags == 0) {
                                                									_t52 = E00405BDE(__eflags, _t68, _v8);
                                                									__eflags = _t52;
                                                									if(_t52 != 0) {
                                                										E0040557C(0xfffffff2, _t68);
                                                									} else {
                                                										__eflags = _v8 - _t52;
                                                										if(_v8 == _t52) {
                                                											 *0x7a8ae8 =  *0x7a8ae8 + 1;
                                                										} else {
                                                											E0040557C(0xfffffff1, _t68);
                                                											E004062DA(_t67, _t68, 0);
                                                										}
                                                									}
                                                								} else {
                                                									__eflags = (_a8 & 0x00000003) - 3;
                                                									if(__eflags == 0) {
                                                										E00405C26(__eflags, _t68, _a8);
                                                									}
                                                								}
                                                								goto L24;
                                                							}
                                                							__eflags = _v558;
                                                							if(_v558 == 0) {
                                                								goto L24;
                                                							}
                                                							__eflags = _v558 - 0x2e;
                                                							if(_v558 != 0x2e) {
                                                								goto L16;
                                                							}
                                                							__eflags = _v556;
                                                							if(_v556 == 0) {
                                                								goto L24;
                                                							}
                                                							goto L16;
                                                							L24:
                                                							_t55 = FindNextFileW(_t70,  &_v604);
                                                							__eflags = _t55;
                                                						} while (_t55 != 0);
                                                						_t38 = FindClose(_t70);
                                                						goto L26;
                                                					}
                                                					__eflags =  *0x7a3f50 - 0x5c;
                                                					if( *0x7a3f50 != 0x5c) {
                                                						goto L11;
                                                					}
                                                					goto L10;
                                                				} else {
                                                					__eflags = _t38;
                                                					if(_t38 == 0) {
                                                						L28:
                                                						__eflags = _a4;
                                                						if(_a4 == 0) {
                                                							L36:
                                                							return _t38;
                                                						}
                                                						__eflags = _v12;
                                                						if(_v12 != 0) {
                                                							_t38 = E00406850(_t68);
                                                							__eflags = _t38;
                                                							if(_t38 == 0) {
                                                								goto L36;
                                                							}
                                                							E00405DE9(_t68);
                                                							_t38 = E00405BDE(__eflags, _t68, _v8 | 0x00000001);
                                                							__eflags = _t38;
                                                							if(_t38 != 0) {
                                                								return E0040557C(0xffffffe5, _t68);
                                                							}
                                                							__eflags = _v8;
                                                							if(_v8 == 0) {
                                                								goto L30;
                                                							}
                                                							E0040557C(0xfffffff1, _t68);
                                                							return E004062DA(_t67, _t68, 0);
                                                						}
                                                						L30:
                                                						 *0x7a8ae8 =  *0x7a8ae8 + 1;
                                                						return _t38;
                                                					}
                                                					__eflags = _t65 & 0x00000002;
                                                					if((_t65 & 0x00000002) == 0) {
                                                						goto L28;
                                                					}
                                                					goto L5;
                                                				}
                                                			}



















                                                APIs
                                                • DeleteFileW.KERNELBASE(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C4F
                                                • lstrcatW.KERNEL32(007A3F50,\*.*), ref: 00405C97
                                                • lstrcatW.KERNEL32(?,0040A014), ref: 00405CBA
                                                • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CC0
                                                • FindFirstFileW.KERNEL32(007A3F50,?,?,?,0040A014,?,007A3F50,?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CD0
                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D70
                                                • FindClose.KERNEL32(00000000), ref: 00405D7F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: .$.$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
                                                • API String ID: 2035342205-451766063
                                                • Opcode ID: 86a9ea6cbb14b57aebf4225f9df046bf70f97581db132fea7010d611e8ef0d07
                                                • Instruction ID: 717efa72a3eb519caeee53ac910e89dbb8479b941b5c6030fce336447c755aae
                                                • Opcode Fuzzy Hash: 86a9ea6cbb14b57aebf4225f9df046bf70f97581db132fea7010d611e8ef0d07
                                                • Instruction Fuzzy Hash: C341B230800A14BADB21AB659D8DAAF7778DF85718F24813FF401751D1D77C4A82DE6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E732A1BFF() {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				WCHAR* _v24;
                                                				WCHAR* _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				WCHAR* _v48;
                                                				signed int _v52;
                                                				void* _v56;
                                                				intOrPtr _v60;
                                                				WCHAR* _t208;
                                                				signed int _t211;
                                                				void* _t213;
                                                				void* _t215;
                                                				WCHAR* _t217;
                                                				void* _t225;
                                                				struct HINSTANCE__* _t226;
                                                				struct HINSTANCE__* _t227;
                                                				struct HINSTANCE__* _t229;
                                                				signed short _t231;
                                                				struct HINSTANCE__* _t234;
                                                				struct HINSTANCE__* _t236;
                                                				void* _t237;
                                                				intOrPtr* _t238;
                                                				void* _t249;
                                                				signed char _t250;
                                                				signed int _t251;
                                                				void* _t255;
                                                				struct HINSTANCE__* _t257;
                                                				void* _t258;
                                                				signed int _t260;
                                                				signed int _t261;
                                                				signed short* _t264;
                                                				signed int _t269;
                                                				signed int _t272;
                                                				signed int _t274;
                                                				void* _t277;
                                                				void* _t281;
                                                				struct HINSTANCE__* _t283;
                                                				signed int _t286;
                                                				void _t287;
                                                				signed int _t288;
                                                				signed int _t300;
                                                				signed int _t301;
                                                				signed short _t304;
                                                				void* _t305;
                                                				signed int _t309;
                                                				signed int _t312;
                                                				signed int _t315;
                                                				signed int _t316;
                                                				signed int _t317;
                                                				signed short* _t321;
                                                				WCHAR* _t322;
                                                				WCHAR* _t324;
                                                				WCHAR* _t325;
                                                				struct HINSTANCE__* _t326;
                                                				void* _t328;
                                                				signed int _t331;
                                                				void* _t332;
                                                
                                                				_t283 = 0;
                                                				_v32 = 0;
                                                				_v36 = 0;
                                                				_v16 = 0;
                                                				_v8 = 0;
                                                				_v40 = 0;
                                                				_t332 = 0;
                                                				_v52 = 0;
                                                				_v44 = 0;
                                                				_t208 = E732A12BB();
                                                				_v24 = _t208;
                                                				_v28 = _t208;
                                                				_v48 = E732A12BB();
                                                				_t321 = E732A12E3();
                                                				_v56 = _t321;
                                                				_v12 = _t321;
                                                				while(1) {
                                                					_t211 = _v32;
                                                					_v60 = _t211;
                                                					if(_t211 != _t283 && _t332 == _t283) {
                                                						break;
                                                					}
                                                					_t286 =  *_t321 & 0x0000ffff;
                                                					_t213 = _t286 - _t283;
                                                					if(_t213 == 0) {
                                                						_t37 =  &_v32;
                                                						 *_t37 = _v32 | 0xffffffff;
                                                						__eflags =  *_t37;
                                                						L20:
                                                						_t215 = _v60 - _t283;
                                                						if(_t215 == 0) {
                                                							__eflags = _t332 - _t283;
                                                							 *_v28 = _t283;
                                                							if(_t332 == _t283) {
                                                								_t255 = GlobalAlloc(0x40, 0x1ca4); // executed
                                                								_t332 = _t255;
                                                								 *(_t332 + 0x1010) = _t283;
                                                								 *(_t332 + 0x1014) = _t283;
                                                							}
                                                							_t287 = _v36;
                                                							_t47 = _t332 + 8; // 0x8
                                                							_t217 = _t47;
                                                							_t48 = _t332 + 0x808; // 0x808
                                                							_t322 = _t48;
                                                							 *_t332 = _t287;
                                                							_t288 = _t287 - _t283;
                                                							__eflags = _t288;
                                                							 *_t217 = _t283;
                                                							 *_t322 = _t283;
                                                							 *(_t332 + 0x1008) = _t283;
                                                							 *(_t332 + 0x100c) = _t283;
                                                							 *(_t332 + 4) = _t283;
                                                							if(_t288 == 0) {
                                                								__eflags = _v28 - _v24;
                                                								if(_v28 == _v24) {
                                                									goto L42;
                                                								}
                                                								_t328 = 0;
                                                								GlobalFree(_t332);
                                                								_t332 = E732A13B1(_v24);
                                                								__eflags = _t332 - _t283;
                                                								if(_t332 == _t283) {
                                                									goto L42;
                                                								} else {
                                                									goto L35;
                                                								}
                                                								while(1) {
                                                									L35:
                                                									_t249 =  *(_t332 + 0x1ca0);
                                                									__eflags = _t249 - _t283;
                                                									if(_t249 == _t283) {
                                                										break;
                                                									}
                                                									_t328 = _t332;
                                                									_t332 = _t249;
                                                									__eflags = _t332 - _t283;
                                                									if(_t332 != _t283) {
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								__eflags = _t328 - _t283;
                                                								if(_t328 != _t283) {
                                                									 *(_t328 + 0x1ca0) = _t283;
                                                								}
                                                								_t250 =  *(_t332 + 0x1010);
                                                								__eflags = _t250 & 0x00000008;
                                                								if((_t250 & 0x00000008) == 0) {
                                                									_t251 = _t250 | 0x00000002;
                                                									__eflags = _t251;
                                                									 *(_t332 + 0x1010) = _t251;
                                                								} else {
                                                									_t332 = E732A162F(_t332);
                                                									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
                                                								}
                                                								goto L42;
                                                							} else {
                                                								_t300 = _t288 - 1;
                                                								__eflags = _t300;
                                                								if(_t300 == 0) {
                                                									L31:
                                                									lstrcpyW(_t217, _v48);
                                                									L32:
                                                									lstrcpyW(_t322, _v24);
                                                									goto L42;
                                                								}
                                                								_t301 = _t300 - 1;
                                                								__eflags = _t301;
                                                								if(_t301 == 0) {
                                                									goto L32;
                                                								}
                                                								__eflags = _t301 != 1;
                                                								if(_t301 != 1) {
                                                									goto L42;
                                                								}
                                                								goto L31;
                                                							}
                                                						} else {
                                                							if(_t215 == 1) {
                                                								_t257 = _v16;
                                                								if(_v40 == _t283) {
                                                									_t257 = _t257 - 1;
                                                								}
                                                								 *(_t332 + 0x1014) = _t257;
                                                							}
                                                							L42:
                                                							_v12 = _v12 + 2;
                                                							_v28 = _v24;
                                                							L59:
                                                							if(_v32 != 0xffffffff) {
                                                								_t321 = _v12;
                                                								continue;
                                                							}
                                                							break;
                                                						}
                                                					}
                                                					_t258 = _t213 - 0x23;
                                                					if(_t258 == 0) {
                                                						__eflags = _t321 - _v56;
                                                						if(_t321 <= _v56) {
                                                							L17:
                                                							__eflags = _v44 - _t283;
                                                							if(_v44 != _t283) {
                                                								L43:
                                                								_t260 = _v32 - _t283;
                                                								__eflags = _t260;
                                                								if(_t260 == 0) {
                                                									_t261 = _t286;
                                                									while(1) {
                                                										__eflags = _t261 - 0x22;
                                                										if(_t261 != 0x22) {
                                                											break;
                                                										}
                                                										_t321 =  &(_t321[1]);
                                                										__eflags = _v44 - _t283;
                                                										_v12 = _t321;
                                                										if(_v44 == _t283) {
                                                											_v44 = 1;
                                                											L162:
                                                											_v28 =  &(_v28[0]);
                                                											 *_v28 =  *_t321;
                                                											L58:
                                                											_t331 =  &(_t321[1]);
                                                											__eflags = _t331;
                                                											_v12 = _t331;
                                                											goto L59;
                                                										}
                                                										_t261 =  *_t321 & 0x0000ffff;
                                                										_v44 = _t283;
                                                									}
                                                									__eflags = _t261 - 0x2a;
                                                									if(_t261 == 0x2a) {
                                                										_v36 = 2;
                                                										L57:
                                                										_t321 = _v12;
                                                										_v28 = _v24;
                                                										_t283 = 0;
                                                										__eflags = 0;
                                                										goto L58;
                                                									}
                                                									__eflags = _t261 - 0x2d;
                                                									if(_t261 == 0x2d) {
                                                										L151:
                                                										_t304 =  *_t321;
                                                										__eflags = _t304 - 0x2d;
                                                										if(_t304 != 0x2d) {
                                                											L154:
                                                											_t264 =  &(_t321[1]);
                                                											__eflags =  *_t264 - 0x3a;
                                                											if( *_t264 != 0x3a) {
                                                												goto L162;
                                                											}
                                                											__eflags = _t304 - 0x2d;
                                                											if(_t304 == 0x2d) {
                                                												goto L162;
                                                											}
                                                											_v36 = 1;
                                                											L157:
                                                											_v12 = _t264;
                                                											__eflags = _v28 - _v24;
                                                											if(_v28 <= _v24) {
                                                												 *_v48 = _t283;
                                                											} else {
                                                												 *_v28 = _t283;
                                                												lstrcpyW(_v48, _v24);
                                                											}
                                                											goto L57;
                                                										}
                                                										_t264 =  &(_t321[1]);
                                                										__eflags =  *_t264 - 0x3e;
                                                										if( *_t264 != 0x3e) {
                                                											goto L154;
                                                										}
                                                										_v36 = 3;
                                                										goto L157;
                                                									}
                                                									__eflags = _t261 - 0x3a;
                                                									if(_t261 != 0x3a) {
                                                										goto L162;
                                                									}
                                                									goto L151;
                                                								}
                                                								_t269 = _t260 - 1;
                                                								__eflags = _t269;
                                                								if(_t269 == 0) {
                                                									L80:
                                                									_t305 = _t286 + 0xffffffde;
                                                									__eflags = _t305 - 0x55;
                                                									if(_t305 > 0x55) {
                                                										goto L57;
                                                									}
                                                									switch( *((intOrPtr*)(( *(_t305 + 0x732a23e8) & 0x000000ff) * 4 +  &M732A235C))) {
                                                										case 0:
                                                											__ecx = _v24;
                                                											__edi = _v12;
                                                											while(1) {
                                                												__edi = __edi + 1;
                                                												__edi = __edi + 1;
                                                												_v12 = __edi;
                                                												__ax =  *__edi;
                                                												__eflags = __ax - __dx;
                                                												if(__ax != __dx) {
                                                													goto L132;
                                                												}
                                                												L131:
                                                												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
                                                												if( *((intOrPtr*)(__edi + 2)) != __dx) {
                                                													L136:
                                                													 *__ecx =  *__ecx & 0x00000000;
                                                													__eax = E732A12CC(_v24);
                                                													__ebx = __eax;
                                                													goto L97;
                                                												}
                                                												L132:
                                                												__eflags = __ax;
                                                												if(__ax == 0) {
                                                													goto L136;
                                                												}
                                                												__eflags = __ax - __dx;
                                                												if(__ax == __dx) {
                                                													__edi = __edi + 1;
                                                													__edi = __edi + 1;
                                                													__eflags = __edi;
                                                												}
                                                												__ax =  *__edi;
                                                												 *__ecx =  *__edi;
                                                												__ecx = __ecx + 1;
                                                												__ecx = __ecx + 1;
                                                												__edi = __edi + 1;
                                                												__edi = __edi + 1;
                                                												_v12 = __edi;
                                                												__ax =  *__edi;
                                                												__eflags = __ax - __dx;
                                                												if(__ax != __dx) {
                                                													goto L132;
                                                												}
                                                												goto L131;
                                                											}
                                                										case 1:
                                                											_v8 = 1;
                                                											goto L57;
                                                										case 2:
                                                											_v8 = _v8 | 0xffffffff;
                                                											goto L57;
                                                										case 3:
                                                											_v8 = _v8 & 0x00000000;
                                                											_v20 = _v20 & 0x00000000;
                                                											_v16 = _v16 + 1;
                                                											goto L85;
                                                										case 4:
                                                											__eflags = _v20;
                                                											if(_v20 != 0) {
                                                												goto L57;
                                                											}
                                                											_v12 = _v12 - 2;
                                                											__ebx = E732A12BB();
                                                											 &_v12 = E732A1B86( &_v12);
                                                											__eax = E732A1510(__edx, __eax, __edx, __ebx);
                                                											goto L97;
                                                										case 5:
                                                											L105:
                                                											_v20 = _v20 + 1;
                                                											goto L57;
                                                										case 6:
                                                											_push(7);
                                                											goto L123;
                                                										case 7:
                                                											_push(0x19);
                                                											goto L143;
                                                										case 8:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L107;
                                                										case 9:
                                                											_push(0x15);
                                                											goto L143;
                                                										case 0xa:
                                                											_push(0x16);
                                                											goto L143;
                                                										case 0xb:
                                                											_push(0x18);
                                                											goto L143;
                                                										case 0xc:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L118;
                                                										case 0xd:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L109;
                                                										case 0xe:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L111;
                                                										case 0xf:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L122;
                                                										case 0x10:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L113;
                                                										case 0x11:
                                                											_push(3);
                                                											goto L123;
                                                										case 0x12:
                                                											_push(0x17);
                                                											L143:
                                                											_pop(__ebx);
                                                											goto L98;
                                                										case 0x13:
                                                											__eax =  &_v12;
                                                											__eax = E732A1B86( &_v12);
                                                											__ebx = __eax;
                                                											__ebx = __eax + 1;
                                                											__eflags = __ebx - 0xb;
                                                											if(__ebx < 0xb) {
                                                												__ebx = __ebx + 0xa;
                                                											}
                                                											goto L97;
                                                										case 0x14:
                                                											__ebx = 0xffffffff;
                                                											goto L98;
                                                										case 0x15:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L116;
                                                										case 0x16:
                                                											__ecx = 0;
                                                											__eflags = 0;
                                                											goto L91;
                                                										case 0x17:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L120;
                                                										case 0x18:
                                                											_t271 =  *(_t332 + 0x1014);
                                                											__eflags = _t271 - _v16;
                                                											if(_t271 > _v16) {
                                                												_v16 = _t271;
                                                											}
                                                											_v8 = _v8 & 0x00000000;
                                                											_v20 = _v20 & 0x00000000;
                                                											_v36 - 3 = _t271 - (_v36 == 3);
                                                											if(_t271 != _v36 == 3) {
                                                												L85:
                                                												_v40 = 1;
                                                											}
                                                											goto L57;
                                                										case 0x19:
                                                											L107:
                                                											__ecx = 0;
                                                											_v8 = 2;
                                                											__ecx = 1;
                                                											goto L91;
                                                										case 0x1a:
                                                											L118:
                                                											_push(5);
                                                											goto L123;
                                                										case 0x1b:
                                                											L109:
                                                											__ecx = 0;
                                                											_v8 = 3;
                                                											__ecx = 1;
                                                											goto L91;
                                                										case 0x1c:
                                                											L111:
                                                											__ecx = 0;
                                                											__ecx = 1;
                                                											goto L91;
                                                										case 0x1d:
                                                											L122:
                                                											_push(6);
                                                											goto L123;
                                                										case 0x1e:
                                                											L113:
                                                											_push(2);
                                                											goto L123;
                                                										case 0x1f:
                                                											__eax =  &_v12;
                                                											__eax = E732A1B86( &_v12);
                                                											__ebx = __eax;
                                                											__ebx = __eax + 1;
                                                											goto L97;
                                                										case 0x20:
                                                											L116:
                                                											_v52 = _v52 + 1;
                                                											_push(4);
                                                											_pop(__ecx);
                                                											goto L91;
                                                										case 0x21:
                                                											L120:
                                                											_push(4);
                                                											L123:
                                                											_pop(__ecx);
                                                											L91:
                                                											__edi = _v16;
                                                											__edx =  *(0x732a405c + __ecx * 4);
                                                											__eax =  ~__eax;
                                                											asm("sbb eax, eax");
                                                											_v40 = 1;
                                                											__edi = _v16 << 5;
                                                											__eax = __eax & 0x00008000;
                                                											__edi = (_v16 << 5) + __esi;
                                                											__eax = __eax | __ecx;
                                                											__eflags = _v8;
                                                											 *(__edi + 0x1018) = __eax;
                                                											if(_v8 < 0) {
                                                												L93:
                                                												__edx = 0;
                                                												__edx = 1;
                                                												__eflags = 1;
                                                												L94:
                                                												__eflags = _v8 - 1;
                                                												 *(__edi + 0x1028) = __edx;
                                                												if(_v8 == 1) {
                                                													__eax =  &_v12;
                                                													__eax = E732A1B86( &_v12);
                                                													__eax = __eax + 1;
                                                													__eflags = __eax;
                                                													_v8 = __eax;
                                                												}
                                                												__eax = _v8;
                                                												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
                                                												_t136 = _v16 + 0x81; // 0x81
                                                												_t136 = _t136 << 5;
                                                												__eax = 0;
                                                												__eflags = 0;
                                                												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
                                                												 *((intOrPtr*)(__edi + 0x1030)) = 0;
                                                												 *((intOrPtr*)(__edi + 0x102c)) = 0;
                                                												L97:
                                                												__eflags = __ebx;
                                                												if(__ebx == 0) {
                                                													goto L57;
                                                												}
                                                												L98:
                                                												__eflags = _v20;
                                                												_v40 = 1;
                                                												if(_v20 != 0) {
                                                													L103:
                                                													__eflags = _v20 - 1;
                                                													if(_v20 == 1) {
                                                														__eax = _v16;
                                                														__eax = _v16 << 5;
                                                														__eflags = __eax;
                                                														 *(__eax + __esi + 0x102c) = __ebx;
                                                													}
                                                													goto L105;
                                                												}
                                                												_v16 = _v16 << 5;
                                                												_t144 = __esi + 0x1030; // 0x1030
                                                												__edi = (_v16 << 5) + _t144;
                                                												__eax =  *__edi;
                                                												__eflags = __eax - 0xffffffff;
                                                												if(__eax <= 0xffffffff) {
                                                													L101:
                                                													__eax = GlobalFree(__eax);
                                                													L102:
                                                													 *__edi = __ebx;
                                                													goto L103;
                                                												}
                                                												__eflags = __eax - 0x19;
                                                												if(__eax <= 0x19) {
                                                													goto L102;
                                                												}
                                                												goto L101;
                                                											}
                                                											__eflags = __edx;
                                                											if(__edx > 0) {
                                                												goto L94;
                                                											}
                                                											goto L93;
                                                										case 0x22:
                                                											goto L57;
                                                									}
                                                								}
                                                								_t272 = _t269 - 1;
                                                								__eflags = _t272;
                                                								if(_t272 == 0) {
                                                									_v16 = _t283;
                                                									goto L80;
                                                								}
                                                								__eflags = _t272 != 1;
                                                								if(_t272 != 1) {
                                                									goto L162;
                                                								}
                                                								__eflags = _t286 - 0x6e;
                                                								if(__eflags > 0) {
                                                									_t309 = _t286 - 0x72;
                                                									__eflags = _t309;
                                                									if(_t309 == 0) {
                                                										_push(4);
                                                										L74:
                                                										_pop(_t274);
                                                										L75:
                                                										__eflags = _v8 - 1;
                                                										if(_v8 != 1) {
                                                											_t96 = _t332 + 0x1010;
                                                											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
                                                											__eflags =  *_t96;
                                                										} else {
                                                											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
                                                										}
                                                										_v8 = 1;
                                                										goto L57;
                                                									}
                                                									_t312 = _t309 - 1;
                                                									__eflags = _t312;
                                                									if(_t312 == 0) {
                                                										_push(0x10);
                                                										goto L74;
                                                									}
                                                									__eflags = _t312 != 0;
                                                									if(_t312 != 0) {
                                                										goto L57;
                                                									}
                                                									_push(0x40);
                                                									goto L74;
                                                								}
                                                								if(__eflags == 0) {
                                                									_push(8);
                                                									goto L74;
                                                								}
                                                								_t315 = _t286 - 0x21;
                                                								__eflags = _t315;
                                                								if(_t315 == 0) {
                                                									_v8 =  ~_v8;
                                                									goto L57;
                                                								}
                                                								_t316 = _t315 - 0x11;
                                                								__eflags = _t316;
                                                								if(_t316 == 0) {
                                                									_t274 = 0x100;
                                                									goto L75;
                                                								}
                                                								_t317 = _t316 - 0x31;
                                                								__eflags = _t317;
                                                								if(_t317 == 0) {
                                                									_t274 = 1;
                                                									goto L75;
                                                								}
                                                								__eflags = _t317 != 0;
                                                								if(_t317 != 0) {
                                                									goto L57;
                                                								}
                                                								_push(0x20);
                                                								goto L74;
                                                							} else {
                                                								_v32 = _t283;
                                                								_v36 = _t283;
                                                								goto L20;
                                                							}
                                                						}
                                                						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
                                                						if( *((short*)(_t321 - 2)) != 0x3a) {
                                                							goto L17;
                                                						}
                                                						__eflags = _v32 - _t283;
                                                						if(_v32 == _t283) {
                                                							goto L43;
                                                						}
                                                						goto L17;
                                                					}
                                                					_t277 = _t258 - 5;
                                                					if(_t277 == 0) {
                                                						__eflags = _v44 - _t283;
                                                						if(_v44 != _t283) {
                                                							goto L43;
                                                						} else {
                                                							__eflags = _v36 - 3;
                                                							_v32 = 1;
                                                							_v8 = _t283;
                                                							_v20 = _t283;
                                                							_v16 = (0 | _v36 == 0x00000003) + 1;
                                                							_v40 = _t283;
                                                							goto L20;
                                                						}
                                                					}
                                                					_t281 = _t277 - 1;
                                                					if(_t281 == 0) {
                                                						__eflags = _v44 - _t283;
                                                						if(_v44 != _t283) {
                                                							goto L43;
                                                						} else {
                                                							_v32 = 2;
                                                							_v8 = _t283;
                                                							_v20 = _t283;
                                                							goto L20;
                                                						}
                                                					}
                                                					if(_t281 != 0x16) {
                                                						goto L43;
                                                					} else {
                                                						_v32 = 3;
                                                						_v8 = 1;
                                                						goto L20;
                                                					}
                                                				}
                                                				GlobalFree(_v56);
                                                				GlobalFree(_v24);
                                                				GlobalFree(_v48);
                                                				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
                                                					L182:
                                                					return _t332;
                                                				} else {
                                                					_t225 =  *_t332 - 1;
                                                					if(_t225 == 0) {
                                                						_t187 = _t332 + 8; // 0x8
                                                						_t324 = _t187;
                                                						__eflags =  *_t324 - _t283;
                                                						if( *_t324 != _t283) {
                                                							_t226 = GetModuleHandleW(_t324); // executed
                                                							__eflags = _t226 - _t283;
                                                							 *(_t332 + 0x1008) = _t226;
                                                							if(_t226 != _t283) {
                                                								L171:
                                                								_t192 = _t332 + 0x808; // 0x808
                                                								_t325 = _t192;
                                                								_t227 = E732A16BD( *(_t332 + 0x1008), _t325);
                                                								__eflags = _t227 - _t283;
                                                								 *(_t332 + 0x100c) = _t227;
                                                								if(_t227 == _t283) {
                                                									__eflags =  *_t325 - 0x23;
                                                									if( *_t325 == 0x23) {
                                                										_t195 = _t332 + 0x80a; // 0x80a
                                                										_t231 = E732A13B1(_t195);
                                                										__eflags = _t231 - _t283;
                                                										if(_t231 != _t283) {
                                                											__eflags = _t231 & 0xffff0000;
                                                											if((_t231 & 0xffff0000) == 0) {
                                                												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
                                                											}
                                                										}
                                                									}
                                                								}
                                                								__eflags = _v52 - _t283;
                                                								if(_v52 != _t283) {
                                                									L178:
                                                									_t325[lstrlenW(_t325)] = 0x57;
                                                									_t229 = E732A16BD( *(_t332 + 0x1008), _t325);
                                                									__eflags = _t229 - _t283;
                                                									if(_t229 != _t283) {
                                                										L166:
                                                										 *(_t332 + 0x100c) = _t229;
                                                										goto L182;
                                                									}
                                                									__eflags =  *(_t332 + 0x100c) - _t283;
                                                									L180:
                                                									if(__eflags != 0) {
                                                										goto L182;
                                                									}
                                                									L181:
                                                									_t206 = _t332 + 4;
                                                									 *_t206 =  *(_t332 + 4) | 0xffffffff;
                                                									__eflags =  *_t206;
                                                									goto L182;
                                                								} else {
                                                									__eflags =  *(_t332 + 0x100c) - _t283;
                                                									if( *(_t332 + 0x100c) != _t283) {
                                                										goto L182;
                                                									}
                                                									goto L178;
                                                								}
                                                							}
                                                							_t234 = LoadLibraryW(_t324); // executed
                                                							__eflags = _t234 - _t283;
                                                							 *(_t332 + 0x1008) = _t234;
                                                							if(_t234 == _t283) {
                                                								goto L181;
                                                							}
                                                							goto L171;
                                                						}
                                                						_t188 = _t332 + 0x808; // 0x808
                                                						_t236 = E732A13B1(_t188);
                                                						 *(_t332 + 0x100c) = _t236;
                                                						__eflags = _t236 - _t283;
                                                						goto L180;
                                                					}
                                                					_t237 = _t225 - 1;
                                                					if(_t237 == 0) {
                                                						_t185 = _t332 + 0x808; // 0x808
                                                						_t238 = _t185;
                                                						__eflags =  *_t238 - _t283;
                                                						if( *_t238 == _t283) {
                                                							goto L182;
                                                						}
                                                						_t229 = E732A13B1(_t238);
                                                						L165:
                                                						goto L166;
                                                					}
                                                					if(_t237 != 1) {
                                                						goto L182;
                                                					}
                                                					_t81 = _t332 + 8; // 0x8
                                                					_t284 = _t81;
                                                					_t326 = E732A13B1(_t81);
                                                					 *(_t332 + 0x1008) = _t326;
                                                					if(_t326 == 0) {
                                                						goto L181;
                                                					}
                                                					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
                                                					 *((intOrPtr*)(_t332 + 0x1050)) = E732A12CC(_t284);
                                                					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
                                                					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
                                                					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
                                                					_t90 = _t332 + 0x808; // 0x808
                                                					_t229 =  *(_t326->i + E732A13B1(_t90) * 4);
                                                					goto L165;
                                                				}
                                                			}


































































                                                0x732a20e1
                                                0x732a20e3
                                                0x732a20e3
                                                0x00000000
                                                0x00000000
                                                0x732a20ba
                                                0x732a20bc
                                                0x732a20bc
                                                0x00000000
                                                0x00000000
                                                0x732a20c1
                                                0x00000000
                                                0x00000000
                                                0x732a219e
                                                0x732a21a8
                                                0x732a21a8
                                                0x00000000
                                                0x00000000
                                                0x732a20ec
                                                0x732a20f0
                                                0x732a20f5
                                                0x732a20f8
                                                0x732a20f9
                                                0x732a20fc
                                                0x732a2102
                                                0x732a2102
                                                0x00000000
                                                0x00000000
                                                0x732a218e
                                                0x00000000
                                                0x00000000
                                                0x732a20c5
                                                0x732a20c7
                                                0x732a20c7
                                                0x00000000
                                                0x00000000
                                                0x732a1fc3
                                                0x732a1fc3
                                                0x00000000
                                                0x00000000
                                                0x732a20da
                                                0x732a20dc
                                                0x732a20dc
                                                0x00000000
                                                0x00000000
                                                0x732a1f67
                                                0x732a1f6d
                                                0x732a1f70
                                                0x732a1f72
                                                0x732a1f72
                                                0x732a1f75
                                                0x732a1f79
                                                0x732a1f86
                                                0x732a1f88
                                                0x732a1f8e
                                                0x732a1f8e
                                                0x732a1f8e
                                                0x00000000
                                                0x00000000
                                                0x732a208e
                                                0x732a208e
                                                0x732a2090
                                                0x732a2097
                                                0x00000000
                                                0x00000000
                                                0x732a20d6
                                                0x732a20d6
                                                0x00000000
                                                0x00000000
                                                0x732a20a0
                                                0x732a20a0
                                                0x732a20a2
                                                0x732a20a9
                                                0x00000000
                                                0x00000000
                                                0x732a20b2
                                                0x732a20b2
                                                0x732a20b4
                                                0x00000000
                                                0x00000000
                                                0x732a20e4
                                                0x732a20e4
                                                0x00000000
                                                0x00000000
                                                0x732a20bd
                                                0x732a20bd
                                                0x00000000
                                                0x00000000
                                                0x732a210a
                                                0x732a210e
                                                0x732a2113
                                                0x732a2116
                                                0x00000000
                                                0x00000000
                                                0x732a20c8
                                                0x732a20c8
                                                0x732a20cb
                                                0x732a20cd
                                                0x00000000
                                                0x00000000
                                                0x732a20dd
                                                0x732a20dd
                                                0x732a20e6
                                                0x732a20e6
                                                0x732a1fc5
                                                0x732a1fc5
                                                0x732a1fc8
                                                0x732a1fcf
                                                0x732a1fd1
                                                0x732a1fd3
                                                0x732a1fda
                                                0x732a1fdd
                                                0x732a1fe2
                                                0x732a1fe4
                                                0x732a1fe6
                                                0x732a1fea
                                                0x732a1ff0
                                                0x732a1ff6
                                                0x732a1ff6
                                                0x732a1ff8
                                                0x732a1ff8
                                                0x732a1ff9
                                                0x732a1ff9
                                                0x732a1ffd
                                                0x732a2003
                                                0x732a2005
                                                0x732a2009
                                                0x732a200e
                                                0x732a200e
                                                0x732a2010
                                                0x732a2010
                                                0x732a2013
                                                0x732a2016
                                                0x732a201f
                                                0x732a2025
                                                0x732a2028
                                                0x732a2028
                                                0x732a202a
                                                0x732a202d
                                                0x732a2033
                                                0x732a2039
                                                0x732a2039
                                                0x732a203b
                                                0x00000000
                                                0x00000000
                                                0x732a2041
                                                0x732a2041
                                                0x732a2045
                                                0x732a204c
                                                0x732a2070
                                                0x732a2070
                                                0x732a2074
                                                0x732a2076
                                                0x732a2079
                                                0x732a2079
                                                0x732a207c
                                                0x732a207c
                                                0x00000000
                                                0x732a2074
                                                0x732a2051
                                                0x732a2054
                                                0x732a2054
                                                0x732a205b
                                                0x732a205d
                                                0x732a2060
                                                0x732a2067
                                                0x732a2068
                                                0x732a206e
                                                0x732a206e
                                                0x00000000
                                                0x732a206e
                                                0x732a2062
                                                0x732a2065
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x732a2065
                                                0x732a1ff2
                                                0x732a1ff4
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x732a1f60
                                                0x732a1e05
                                                0x732a1e05
                                                0x732a1e06
                                                0x732a1f46
                                                0x00000000
                                                0x732a1f46
                                                0x732a1e0c
                                                0x732a1e0d
                                                0x00000000
                                                0x00000000
                                                0x732a1e13
                                                0x732a1e16
                                                0x732a1f0b
                                                0x732a1f0b
                                                0x732a1f0e
                                                0x732a1f23
                                                0x732a1f25
                                                0x732a1f25
                                                0x732a1f26
                                                0x732a1f29
                                                0x732a1f2c
                                                0x732a1f38
                                                0x732a1f38
                                                0x732a1f38
                                                0x732a1f2e
                                                0x732a1f2e
                                                0x732a1f2e
                                                0x732a1f3e
                                                0x00000000
                                                0x732a1f3e
                                                0x732a1f10
                                                0x732a1f10
                                                0x732a1f11
                                                0x732a1f1f
                                                0x00000000
                                                0x732a1f1f
                                                0x732a1f14
                                                0x732a1f15
                                                0x00000000
                                                0x00000000
                                                0x732a1f1b
                                                0x00000000
                                                0x732a1f1b
                                                0x732a1e1c
                                                0x732a1f07
                                                0x00000000
                                                0x732a1f07
                                                0x732a1e22
                                                0x732a1e22
                                                0x732a1e25
                                                0x732a1e4e
                                                0x00000000
                                                0x732a1e4e
                                                0x732a1e27
                                                0x732a1e27
                                                0x732a1e2a
                                                0x732a1e44
                                                0x00000000
                                                0x732a1e44
                                                0x732a1e2c
                                                0x732a1e2c
                                                0x732a1e2f
                                                0x732a1e3e
                                                0x00000000
                                                0x732a1e3e
                                                0x732a1e32
                                                0x732a1e33
                                                0x00000000
                                                0x00000000
                                                0x732a1e35
                                                0x00000000
                                                0x732a1cec
                                                0x732a1cec
                                                0x732a1cef
                                                0x00000000
                                                0x732a1cef
                                                0x732a1ce6
                                                0x732a1cd3
                                                0x732a1cd8
                                                0x00000000
                                                0x00000000
                                                0x732a1cda
                                                0x732a1cdd
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x732a1cdd
                                                0x732a1c6d
                                                0x732a1c70
                                                0x732a1ca6
                                                0x732a1ca9
                                                0x00000000
                                                0x732a1caf
                                                0x732a1cb1
                                                0x732a1cb5
                                                0x732a1cbc
                                                0x732a1cc3
                                                0x732a1cc6
                                                0x732a1cc9
                                                0x00000000
                                                0x732a1cc9
                                                0x732a1ca9
                                                0x732a1c72
                                                0x732a1c73
                                                0x732a1c8e
                                                0x732a1c91
                                                0x00000000
                                                0x732a1c97
                                                0x732a1c97
                                                0x732a1c9e
                                                0x732a1ca1
                                                0x00000000
                                                0x732a1ca1
                                                0x732a1c91
                                                0x732a1c78
                                                0x00000000
                                                0x732a1c7e
                                                0x732a1c7e
                                                0x732a1c85
                                                0x00000000
                                                0x732a1c85
                                                0x732a1c78
                                                0x732a1e74
                                                0x732a1e79
                                                0x732a1e7e
                                                0x732a1e82
                                                0x732a2355
                                                0x732a235b
                                                0x732a1e94
                                                0x732a1e96
                                                0x732a1e97
                                                0x732a227e
                                                0x732a227e
                                                0x732a2281
                                                0x732a2284
                                                0x732a22a1
                                                0x732a22a7
                                                0x732a22a9
                                                0x732a22af
                                                0x732a22c6
                                                0x732a22c6
                                                0x732a22c6
                                                0x732a22d3
                                                0x732a22d9
                                                0x732a22dc
                                                0x732a22e2
                                                0x732a22e4
                                                0x732a22e8
                                                0x732a22ea
                                                0x732a22f1
                                                0x732a22f6
                                                0x732a22f9
                                                0x732a22fb
                                                0x732a2300
                                                0x732a2312
                                                0x732a2312
                                                0x732a2300
                                                0x732a22f9
                                                0x732a22e8
                                                0x732a2318
                                                0x732a231b
                                                0x732a2325
                                                0x732a232d
                                                0x732a233a
                                                0x732a2340
                                                0x732a2343
                                                0x732a2273
                                                0x732a2273
                                                0x00000000
                                                0x732a2273
                                                0x732a2349
                                                0x732a234f
                                                0x732a234f
                                                0x00000000
                                                0x00000000
                                                0x732a2351
                                                0x732a2351
                                                0x732a2351
                                                0x732a2351
                                                0x00000000
                                                0x732a231d
                                                0x732a231d
                                                0x732a2323
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x732a2323
                                                0x732a231b
                                                0x732a22b2
                                                0x732a22b8
                                                0x732a22ba
                                                0x732a22c0
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x732a22c0
                                                0x732a2286
                                                0x732a228d
                                                0x732a2293
                                                0x732a2299
                                                0x00000000
                                                0x732a2299
                                                0x732a1e9d
                                                0x732a1e9e
                                                0x732a225d
                                                0x732a225d
                                                0x732a2263
                                                0x732a2266
                                                0x00000000
                                                0x00000000
                                                0x732a226d
                                                0x732a2272
                                                0x00000000
                                                0x732a2272
                                                0x732a1ea5
                                                0x00000000
                                                0x00000000
                                                0x732a1eab
                                                0x732a1eab
                                                0x732a1eb4
                                                0x732a1eb9
                                                0x732a1ebf
                                                0x00000000
                                                0x00000000
                                                0x732a1ec5
                                                0x732a1ed2
                                                0x732a1ed8
                                                0x732a1ee2
                                                0x732a1ee8
                                                0x732a1ef0
                                                0x732a1f00
                                                0x00000000
                                                0x732a1f00

                                                APIs
                                                  • Part of subcall function 732A12BB: GlobalAlloc.KERNELBASE(00000040,?,732A12DB,?,732A137F,00000019,732A11CA,-000000A0), ref: 732A12C5
                                                • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 732A1D2D
                                                • lstrcpyW.KERNEL32 ref: 732A1D75
                                                • lstrcpyW.KERNEL32 ref: 732A1D7F
                                                • GlobalFree.KERNEL32 ref: 732A1D92
                                                • GlobalFree.KERNEL32 ref: 732A1E74
                                                • GlobalFree.KERNEL32 ref: 732A1E79
                                                • GlobalFree.KERNEL32 ref: 732A1E7E
                                                • GlobalFree.KERNEL32 ref: 732A2068
                                                • lstrcpyW.KERNEL32 ref: 732A2222
                                                • GetModuleHandleW.KERNELBASE(00000008), ref: 732A22A1
                                                • LoadLibraryW.KERNELBASE(00000008), ref: 732A22B2
                                                • GetProcAddress.KERNEL32(?,?), ref: 732A230C
                                                • lstrlenW.KERNEL32(00000808), ref: 732A2326
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                • Associated: 00000000.00000002.756311352.00000000732A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756329828.00000000732A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756338430.00000000732A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_732a0000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                • String ID:
                                                • API String ID: 245916457-0
                                                • Opcode ID: a4e56608a653b16637cd12bd345ac8cc080309714812bc51578028341db27d54
                                                • Instruction ID: f05800736010d3b862c39305a2e702713afb90cddc242cf9fffdf7d69a145a14
                                                • Opcode Fuzzy Hash: a4e56608a653b16637cd12bd345ac8cc080309714812bc51578028341db27d54
                                                • Instruction Fuzzy Hash: 5122AB71E1470ADFDB158FACC9803EEB7B5FB08325F14452AD9A6E2280D7B4A6C1DB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 946 406850-406864 FindFirstFileW 947 406871 946->947 948 406866-40686f FindClose 946->948 949 406873-406874 947->949 948->949
                                                C-Code - Quality: 100%
                                                			E00406850(WCHAR* _a4) {
                                                				void* _t2;
                                                
                                                				_t2 = FindFirstFileW(_a4, 0x7a4f98); // executed
                                                				if(_t2 == 0xffffffff) {
                                                					return 0;
                                                				}
                                                				FindClose(_t2);
                                                				return 0x7a4f98;
                                                			}





                                                APIs
                                                • FindFirstFileW.KERNELBASE(76CDFAA0,007A4F98,C:\Users\user\AppData\Local\Temp\nstC730.tmp,00405F3A,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,00000000,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\), ref: 0040685B
                                                • FindClose.KERNEL32(00000000), ref: 00406867
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nstC730.tmp, xrefs: 00406850
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: C:\Users\user\AppData\Local\Temp\nstC730.tmp
                                                • API String ID: 2295610775-469808752
                                                • Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                                                • Instruction ID: 4aa2ce40dd0fdaaf15299f79bbf0ddad0ee07bd1ec444a92f9406ee76b8f93c8
                                                • Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                                                • Instruction Fuzzy Hash: 3CD012365592205FC7402779AE0CC4B7A689F563313268B36B0EAF11F0CA74CC3296ED
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • control_flow_graph 194, entry block 403f77-403f89 (rendered graph and edge list not preserved)
                                                C-Code - Quality: 86%
                                                			E00403F77(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                                                				struct HWND__* _v28;
                                                				void* _v80;
                                                				void* _v84;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t34;
                                                				signed int _t36;
                                                				signed int _t38;
                                                				struct HWND__* _t48;
                                                				signed int _t67;
                                                				struct HWND__* _t73;
                                                				signed int _t86;
                                                				struct HWND__* _t91;
                                                				signed int _t99;
                                                				int _t103;
                                                				signed int _t117;
                                                				int _t118;
                                                				int _t122;
                                                				signed int _t124;
                                                				struct HWND__* _t127;
                                                				struct HWND__* _t128;
                                                				int _t129;
                                                				intOrPtr _t130;
                                                				long _t133;
                                                				int _t135;
                                                				int _t136;
                                                				void* _t137;
                                                
                                                				_t130 = _a8;
                                                				if(_t130 == 0x110 || _t130 == 0x408) {
                                                					_t34 = _a12;
                                                					_t127 = _a4;
                                                					__eflags = _t130 - 0x110;
                                                					 *0x7a1f30 = _t34;
                                                					if(_t130 == 0x110) {
                                                						 *0x7a8a68 = _t127;
                                                						 *0x7a1f44 = GetDlgItem(_t127, 1);
                                                						_t91 = GetDlgItem(_t127, 2);
                                                						_push(0xffffffff);
                                                						_push(0x1c);
                                                						 *0x79ff10 = _t91;
                                                						E00404476(_t127);
                                                						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a48); // executed
                                                						 *0x7a7a2c = E0040140B(4);
                                                						_t34 = 1;
                                                						__eflags = 1;
                                                						 *0x7a1f30 = 1;
                                                					}
                                                					_t124 =  *0x40a368; // 0x0
                                                					_t136 = 0;
                                                					_t133 = (_t124 << 6) +  *0x7a8a80;
                                                					__eflags = _t124;
                                                					if(_t124 < 0) {
                                                						L36:
                                                						E004044C2(0x40b);
                                                						while(1) {
                                                							_t36 =  *0x7a1f30;
                                                							 *0x40a368 =  *0x40a368 + _t36;
                                                							_t133 = _t133 + (_t36 << 6);
                                                							_t38 =  *0x40a368; // 0x0
                                                							__eflags = _t38 -  *0x7a8a84;
                                                							if(_t38 ==  *0x7a8a84) {
                                                								E0040140B(1);
                                                							}
                                                							__eflags =  *0x7a7a2c - _t136;
                                                							if( *0x7a7a2c != _t136) {
                                                								break;
                                                							}
                                                							__eflags =  *0x40a368 -  *0x7a8a84; // 0x0
                                                							if(__eflags >= 0) {
                                                								break;
                                                							}
                                                							_t117 =  *(_t133 + 0x14);
                                                							E00406557(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
                                                							_push( *((intOrPtr*)(_t133 + 0x20)));
                                                							_push(0xfffffc19);
                                                							E00404476(_t127);
                                                							_push( *((intOrPtr*)(_t133 + 0x1c)));
                                                							_push(0xfffffc1b);
                                                							E00404476(_t127);
                                                							_push( *((intOrPtr*)(_t133 + 0x28)));
                                                							_push(0xfffffc1a);
                                                							E00404476(_t127);
                                                							_t48 = GetDlgItem(_t127, 3);
                                                							__eflags =  *0x7a8aec - _t136;
                                                							_v28 = _t48;
                                                							if( *0x7a8aec != _t136) {
                                                								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                								__eflags = _t117;
                                                							}
                                                							ShowWindow(_t48, _t117 & 0x00000008); // executed
                                                							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
                                                							E00404498(_t117 & 0x00000002);
                                                							_t118 = _t117 & 0x00000004;
                                                							EnableWindow( *0x79ff10, _t118);
                                                							__eflags = _t118 - _t136;
                                                							if(_t118 == _t136) {
                                                								_push(1);
                                                							} else {
                                                								_push(_t136);
                                                							}
                                                							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                                                							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                                                							__eflags =  *0x7a8aec - _t136;
                                                							if( *0x7a8aec == _t136) {
                                                								_push( *0x7a1f44);
                                                							} else {
                                                								SendMessageW(_t127, 0x401, 2, _t136);
                                                								_push( *0x79ff10);
                                                							}
                                                							E004044AB();
                                                							E0040651A(0x7a1f48, E00403F58());
                                                							E00406557(0x7a1f48, _t127, _t133,  &(0x7a1f48[lstrlenW(0x7a1f48)]),  *((intOrPtr*)(_t133 + 0x18)));
                                                							SetWindowTextW(_t127, 0x7a1f48); // executed
                                                							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
                                                							__eflags = _t67;
                                                							if(_t67 != 0) {
                                                								continue;
                                                							} else {
                                                								__eflags =  *_t133 - _t136;
                                                								if( *_t133 == _t136) {
                                                									continue;
                                                								}
                                                								__eflags =  *(_t133 + 4) - 5;
                                                								if( *(_t133 + 4) != 5) {
                                                									DestroyWindow( *0x7a7a38); // executed
                                                									 *0x7a0f20 = _t133;
                                                									__eflags =  *_t133 - _t136;
                                                									if( *_t133 <= _t136) {
                                                										goto L60;
                                                									}
                                                									_t73 = CreateDialogParamW( *0x7a8a60,  *_t133 +  *0x7a7a40 & 0x0000ffff, _t127,  *( *(_t133 + 4) * 4 + "5F@"), _t133); // executed
                                                									__eflags = _t73 - _t136;
                                                									 *0x7a7a38 = _t73;
                                                									if(_t73 == _t136) {
                                                										goto L60;
                                                									}
                                                									_push( *((intOrPtr*)(_t133 + 0x2c)));
                                                									_push(6);
                                                									E00404476(_t73);
                                                									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                                                									ScreenToClient(_t127, _t137 + 0x10);
                                                									SetWindowPos( *0x7a7a38, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                                                									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
                                                									__eflags =  *0x7a7a2c - _t136;
                                                									if( *0x7a7a2c != _t136) {
                                                										goto L63;
                                                									}
                                                									ShowWindow( *0x7a7a38, 8); // executed
                                                									E004044C2(0x405);
                                                									goto L60;
                                                								}
                                                								__eflags =  *0x7a8aec - _t136;
                                                								if( *0x7a8aec != _t136) {
                                                									goto L63;
                                                								}
                                                								__eflags =  *0x7a8ae0 - _t136;
                                                								if( *0x7a8ae0 != _t136) {
                                                									continue;
                                                								}
                                                								goto L63;
                                                							}
                                                						}
                                                						DestroyWindow( *0x7a7a38);
                                                						 *0x7a8a68 = _t136;
                                                						EndDialog(_t127,  *0x7a0718);
                                                						goto L60;
                                                					} else {
                                                						__eflags = _t34 - 1;
                                                						if(_t34 != 1) {
                                                							L35:
                                                							__eflags =  *_t133 - _t136;
                                                							if( *_t133 == _t136) {
                                                								goto L63;
                                                							}
                                                							goto L36;
                                                						}
                                                						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
                                                						__eflags = _t86;
                                                						if(_t86 == 0) {
                                                							goto L35;
                                                						}
                                                						SendMessageW( *0x7a7a38, 0x40f, 0, 1);
                                                						__eflags =  *0x7a7a2c;
                                                						return 0 |  *0x7a7a2c == 0x00000000;
                                                					}
                                                				} else {
                                                					_t127 = _a4;
                                                					_t136 = 0;
                                                					if(_t130 == 0x47) {
                                                						SetWindowPos( *0x7a1f28, _t127, 0, 0, 0, 0, 0x13);
                                                					}
                                                					_t122 = _a12;
                                                					if(_t130 != 5) {
                                                						L8:
                                                						if(_t130 != 0x40d) {
                                                							__eflags = _t130 - 0x11;
                                                							if(_t130 != 0x11) {
                                                								__eflags = _t130 - 0x111;
                                                								if(_t130 != 0x111) {
                                                									goto L28;
                                                								}
                                                								_t135 = _t122 & 0x0000ffff;
                                                								_t128 = GetDlgItem(_t127, _t135);
                                                								__eflags = _t128 - _t136;
                                                								if(_t128 == _t136) {
                                                									L15:
                                                									__eflags = _t135 - 1;
                                                									if(_t135 != 1) {
                                                										__eflags = _t135 - 3;
                                                										if(_t135 != 3) {
                                                											_t129 = 2;
                                                											__eflags = _t135 - _t129;
                                                											if(_t135 != _t129) {
                                                												L27:
                                                												SendMessageW( *0x7a7a38, 0x111, _t122, _a16);
                                                												goto L28;
                                                											}
                                                											__eflags =  *0x7a8aec - _t136;
                                                											if( *0x7a8aec == _t136) {
                                                												_t99 = E0040140B(3);
                                                												__eflags = _t99;
                                                												if(_t99 != 0) {
                                                													goto L28;
                                                												}
                                                												 *0x7a0718 = 1;
                                                												L23:
                                                												_push(0x78);
                                                												L24:
                                                												E0040444F();
                                                												goto L28;
                                                											}
                                                											E0040140B(_t129);
                                                											 *0x7a0718 = _t129;
                                                											goto L23;
                                                										}
                                                										__eflags =  *0x40a368 - _t136; // 0x0
                                                										if(__eflags <= 0) {
                                                											goto L27;
                                                										}
                                                										_push(0xffffffff);
                                                										goto L24;
                                                									}
                                                									_push(_t135);
                                                									goto L24;
                                                								}
                                                								SendMessageW(_t128, 0xf3, _t136, _t136);
                                                								_t103 = IsWindowEnabled(_t128);
                                                								__eflags = _t103;
                                                								if(_t103 == 0) {
                                                									L63:
                                                									return 0;
                                                								}
                                                								goto L15;
                                                							}
                                                							SetWindowLongW(_t127, _t136, _t136);
                                                							return 1;
                                                						}
                                                						DestroyWindow( *0x7a7a38);
                                                						 *0x7a7a38 = _t122;
                                                						L60:
                                                						if( *0x7a3f48 == _t136 &&  *0x7a7a38 != _t136) {
                                                							ShowWindow(_t127, 0xa); // executed
                                                							 *0x7a3f48 = 1;
                                                						}
                                                						goto L63;
                                                					} else {
                                                						asm("sbb eax, eax");
                                                						ShowWindow( *0x7a1f28,  ~(_t122 - 1) & 0x00000005);
                                                						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                                                							L28:
                                                							return E004044DD(_a8, _t122, _a16);
                                                						} else {
                                                							ShowWindow(_t127, 4);
                                                							goto L8;
                                                						}
                                                					}
                                                				}
                                                			}































                                                0x0040437b
                                                0x00404381
                                                0x00404383
                                                0x00404388
                                                0x00000000
                                                0x00000000
                                                0x0040438e
                                                0x00404391
                                                0x00404394
                                                0x004043ab
                                                0x004043b7
                                                0x004043d0
                                                0x004043da
                                                0x004043df
                                                0x004043e5
                                                0x00000000
                                                0x00000000
                                                0x004043ef
                                                0x004043fa
                                                0x00000000
                                                0x004043fa
                                                0x00404324
                                                0x0040432a
                                                0x00000000
                                                0x00000000
                                                0x00404330
                                                0x00404336
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040433c
                                                0x00404310
                                                0x00404407
                                                0x00404413
                                                0x0040441a
                                                0x00000000
                                                0x00404165
                                                0x00404165
                                                0x00404168
                                                0x0040419b
                                                0x0040419b
                                                0x0040419d
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0040419d
                                                0x0040416e
                                                0x00404173
                                                0x00404175
                                                0x00000000
                                                0x00000000
                                                0x00404185
                                                0x0040418d
                                                0x00000000
                                                0x00404193
                                                0x00403f9b
                                                0x00403f9b
                                                0x00403f9f
                                                0x00403fa4
                                                0x00403fb3
                                                0x00403fb3
                                                0x00403fb9
                                                0x00403fc0
                                                0x00404004
                                                0x0040400a
                                                0x00404023
                                                0x00404026
                                                0x00404039
                                                0x0040403f
                                                0x00000000
                                                0x00000000
                                                0x00404045
                                                0x00404050
                                                0x00404052
                                                0x00404054
                                                0x00404073
                                                0x00404073
                                                0x00404076
                                                0x0040407b
                                                0x0040407e
                                                0x0040408e
                                                0x0040408f
                                                0x00404091
                                                0x004040c7
                                                0x004040d7
                                                0x00000000
                                                0x004040d7
                                                0x00404093
                                                0x00404099
                                                0x004040b2
                                                0x004040b7
                                                0x004040b9
                                                0x00000000
                                                0x00000000
                                                0x004040bb
                                                0x004040a7
                                                0x004040a7
                                                0x004040a9
                                                0x004040a9
                                                0x00000000
                                                0x004040a9
                                                0x0040409c
                                                0x004040a1
                                                0x00000000
                                                0x004040a1
                                                0x00404080
                                                0x00404086
                                                0x00000000
                                                0x00000000
                                                0x00404088
                                                0x00000000
                                                0x00404088
                                                0x00404078
                                                0x00000000
                                                0x00404078
                                                0x0040405e
                                                0x00404065
                                                0x0040406b
                                                0x0040406d
                                                0x00404443
                                                0x00000000
                                                0x00404443
                                                0x00000000
                                                0x0040406d
                                                0x0040402b
                                                0x00000000
                                                0x00404033
                                                0x00404012
                                                0x00404018
                                                0x00404420
                                                0x00404426
                                                0x00404433
                                                0x00404439
                                                0x00404439
                                                0x00000000
                                                0x00403fc2
                                                0x00403fc7
                                                0x00403fd3
                                                0x00403fdc
                                                0x004040dd
                                                0x00000000
                                                0x00403ffb
                                                0x00403ffe
                                                0x00000000
                                                0x00403ffe
                                                0x00403fdc
                                                0x00403fc0

                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FB3
                                                • ShowWindow.USER32(?), ref: 00403FD3
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00403FE5
                                                • ShowWindow.USER32(?,00000004), ref: 00403FFE
                                                • DestroyWindow.USER32 ref: 00404012
                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040402B
                                                • GetDlgItem.USER32 ref: 0040404A
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040405E
                                                • IsWindowEnabled.USER32(00000000), ref: 00404065
                                                • GetDlgItem.USER32 ref: 00404110
                                                • GetDlgItem.USER32 ref: 0040411A
                                                • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404134
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404185
                                                • GetDlgItem.USER32 ref: 0040422B
                                                • ShowWindow.USER32(00000000,?), ref: 0040424C
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040425E
                                                • EnableWindow.USER32(?,?), ref: 00404279
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040428F
                                                • EnableMenuItem.USER32 ref: 00404296
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042AE
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042C1
                                                • lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004042EB
                                                • SetWindowTextW.USER32(?,007A1F48), ref: 004042FF
                                                • ShowWindow.USER32(?,0000000A), ref: 00404433
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuUser$DestroyEnabledSystemTextlstrlen
                                                • String ID:
                                                • API String ID: 3618520773-0
                                                • Opcode ID: 0031e1bd5cfe270ad991aee2cec6f31fffa44afcca6ec19933d696454b5d3b77
                                                • Instruction ID: a523085d0bb4d20675d087507fe11aed99bae63dd77e7307ea40df4209393f8b
                                                • Opcode Fuzzy Hash: 0031e1bd5cfe270ad991aee2cec6f31fffa44afcca6ec19933d696454b5d3b77
                                                • Instruction Fuzzy Hash: 7FC1CEB1500604ABDB206F21ED85E2A3A69FBC6709F00853EF791B25E0CB3D5851DB6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 301 403bc9-403be1 call 4068e7 304 403be3-403bf3 call 406461 301->304 305 403bf5-403c2c call 4063e8 301->305 313 403c4f-403c78 call 403e9f call 405ef1 304->313 310 403c44-403c4a lstrcatW 305->310 311 403c2e-403c3f call 4063e8 305->311 310->313 311->310 319 403d0a-403d12 call 405ef1 313->319 320 403c7e-403c83 313->320 326 403d20-403d45 LoadImageW 319->326 327 403d14-403d1b call 406557 319->327 320->319 321 403c89-403cb1 call 4063e8 320->321 321->319 328 403cb3-403cb7 321->328 330 403dc6-403dce call 40140b 326->330 331 403d47-403d77 RegisterClassW 326->331 327->326 335 403cc9-403cd5 lstrlenW 328->335 336 403cb9-403cc6 call 405e16 328->336 343 403dd0-403dd3 330->343 344 403dd8-403de3 call 403e9f 330->344 332 403e95 331->332 333 403d7d-403dc1 SystemParametersInfoW CreateWindowExW 331->333 341 403e97-403e9e 332->341 333->330 337 403cd7-403ce5 lstrcmpiW 335->337 338 403cfd-403d05 call 405de9 call 40651a 335->338 336->335 337->338 342 403ce7-403cf1 GetFileAttributesW 337->342 338->319 347 403cf3-403cf5 342->347 348 403cf7-403cf8 call 405e35 342->348 343->341 354 403de9-403e03 ShowWindow call 406877 344->354 355 403e6c-403e6d call 40564f 344->355 347->338 347->348 348->338 362 403e05-403e0a call 406877 354->362 363 403e0f-403e21 GetClassInfoW 354->363 358 403e72-403e74 355->358 360 403e76-403e7c 358->360 361 403e8e-403e90 call 40140b 358->361 360->343 364 403e82-403e89 call 40140b 360->364 361->332 362->363 367 403e23-403e33 GetClassInfoW RegisterClassW 363->367 368 403e39-403e5c DialogBoxParamW call 40140b 363->368 364->343 367->368 371 403e61-403e6a call 403b19 368->371 371->341
                                                C-Code - Quality: 96%
                                                			E00403BC9(void* __eflags) {
                                                				intOrPtr _v4;
                                                				intOrPtr _v8;
                                                				int _v12;
                                                				void _v16;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t22;
                                                				void* _t30;
                                                				void* _t32;
                                                				int _t33;
                                                				void* _t36;
                                                				int _t39;
                                                				int _t40;
                                                				int _t44;
                                                				short _t63;
                                                				WCHAR* _t65;
                                                				signed char _t69;
                                                				WCHAR* _t76;
                                                				intOrPtr _t82;
                                                				WCHAR* _t87;
                                                
                                                				_t82 =  *0x7a8a70;
                                                				_t22 = E004068E7(2);
                                                				_t90 = _t22;
                                                				if(_t22 == 0) {
                                                					_t76 = 0x7a1f48;
                                                					L"1033" = 0x30;
                                                					 *0x7b5002 = 0x78;
                                                					 *0x7b5004 = 0;
                                                					E004063E8(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f48, 0);
                                                					__eflags =  *0x7a1f48;
                                                					if(__eflags == 0) {
                                                						E004063E8(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f48, 0);
                                                					}
                                                					lstrcatW(L"1033", _t76);
                                                				} else {
                                                					E00406461(L"1033",  *_t22() & 0x0000ffff);
                                                				}
                                                				E00403E9F(_t78, _t90);
                                                				_t86 = L"C:\\Users\\jones\\AppData\\Local\\Temp";
                                                				 *0x7a8ae0 =  *0x7a8a78 & 0x00000020;
                                                				 *0x7a8afc = 0x10000;
                                                				if(E00405EF1(_t90, L"C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
                                                					L16:
                                                					if(E00405EF1(_t98, _t86) == 0) {
                                                						E00406557(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
                                                					}
                                                					_t30 = LoadImageW( *0x7a8a60, 0x67, 1, 0, 0, 0x8040); // executed
                                                					 *0x7a7a48 = _t30;
                                                					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                                						L21:
                                                						if(E0040140B(0) == 0) {
                                                							_t32 = E00403E9F(_t78, __eflags);
                                                							__eflags =  *0x7a8b00;
                                                							if( *0x7a8b00 != 0) {
                                                								_t33 = E0040564F(_t32, 0);
                                                								__eflags = _t33;
                                                								if(_t33 == 0) {
                                                									E0040140B(1);
                                                									goto L33;
                                                								}
                                                								__eflags =  *0x7a7a2c;
                                                								if( *0x7a7a2c == 0) {
                                                									E0040140B(2);
                                                								}
                                                								goto L22;
                                                							}
                                                							ShowWindow( *0x7a1f28, 5); // executed
                                                							_t39 = E00406877("RichEd20"); // executed
                                                							__eflags = _t39;
                                                							if(_t39 == 0) {
                                                								E00406877("RichEd32");
                                                							}
                                                							_t87 = L"RichEdit20W";
                                                							_t40 = GetClassInfoW(0, _t87, 0x7a7a00);
                                                							__eflags = _t40;
                                                							if(_t40 == 0) {
                                                								GetClassInfoW(0, L"RichEdit", 0x7a7a00);
                                                								 *0x7a7a24 = _t87;
                                                								RegisterClassW(0x7a7a00);
                                                							}
                                                							_t44 = DialogBoxParamW( *0x7a8a60,  *0x7a7a40 + 0x00000069 & 0x0000ffff, 0, E00403F77, 0); // executed
                                                							E00403B19(E0040140B(5), 1);
                                                							return _t44;
                                                						}
                                                						L22:
                                                						_t36 = 2;
                                                						return _t36;
                                                					} else {
                                                						_t78 =  *0x7a8a60;
                                                						 *0x7a7a04 = E00401000;
                                                						 *0x7a7a10 =  *0x7a8a60;
                                                						 *0x7a7a14 = _t30;
                                                						 *0x7a7a24 = 0x40a380;
                                                						if(RegisterClassW(0x7a7a00) == 0) {
                                                							L33:
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                						 *0x7a1f28 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8a60, 0);
                                                						goto L21;
                                                					}
                                                				} else {
                                                					_t78 =  *(_t82 + 0x48);
                                                					_t92 = _t78;
                                                					if(_t78 == 0) {
                                                						goto L16;
                                                					}
                                                					_t76 = 0x7a6a00;
                                                					E004063E8(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8a98 + _t78 * 2,  *0x7a8a98 +  *(_t82 + 0x4c) * 2, 0x7a6a00, 0);
                                                					_t63 =  *0x7a6a00; // 0x43
                                                					if(_t63 == 0) {
                                                						goto L16;
                                                					}
                                                					if(_t63 == 0x22) {
                                                						_t76 = 0x7a6a02;
                                                						 *((short*)(E00405E16(0x7a6a02, 0x22))) = 0;
                                                					}
                                                					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                                					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                                						L15:
                                                						E0040651A(_t86, E00405DE9(_t76));
                                                						goto L16;
                                                					} else {
                                                						_t69 = GetFileAttributesW(_t76);
                                                						if(_t69 == 0xffffffff) {
                                                							L14:
                                                							E00405E35(_t76);
                                                							goto L15;
                                                						}
                                                						_t98 = _t69 & 0x00000010;
                                                						if((_t69 & 0x00000010) != 0) {
                                                							goto L15;
                                                						}
                                                						goto L14;
                                                					}
                                                				}
                                                			}

                                                0x00403c83
                                                0x00000000
                                                0x00000000
                                                0x00403c91
                                                0x00403ca3
                                                0x00403ca8
                                                0x00403cb1
                                                0x00000000
                                                0x00000000
                                                0x00403cb7
                                                0x00403cb9
                                                0x00403cc6
                                                0x00403cc6
                                                0x00403ccf
                                                0x00403cd5
                                                0x00403cfd
                                                0x00403d05
                                                0x00000000
                                                0x00403ce7
                                                0x00403ce8
                                                0x00403cf1
                                                0x00403cf7
                                                0x00403cf8
                                                0x00000000
                                                0x00403cf8
                                                0x00403cf3
                                                0x00403cf5
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00403cf5
                                                0x00403cd5

                                                APIs
                                                  • Part of subcall function 004068E7: GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
                                                  • Part of subcall function 004068E7: GetProcAddress.KERNEL32(00000000,?), ref: 00406914
                                                • lstrcatW.KERNEL32(1033,007A1F48), ref: 00403C4A
                                                • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,76CDFAA0), ref: 00403CCA
                                                • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403CDD
                                                • GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403CE8
                                                • LoadImageW.USER32 ref: 00403D31
                                                  • Part of subcall function 00406461: wsprintfW.USER32 ref: 0040646E
                                                • RegisterClassW.USER32 ref: 00403D6E
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D86
                                                • CreateWindowExW.USER32 ref: 00403DBB
                                                • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DF1
                                                • GetClassInfoW.USER32 ref: 00403E1D
                                                • GetClassInfoW.USER32 ref: 00403E2A
                                                • RegisterClassW.USER32 ref: 00403E33
                                                • DialogBoxParamW.USER32 ref: 00403E52
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                • API String ID: 1975747703-2935473529
                                                • Opcode ID: 1166395d184842cca1f9c9dbf690e44f16c4877d7fe222633aad620317193a3c
                                                • Instruction ID: 5e1ff83f83eb9308ce16c84110d2fcc5f4f6a1078aae304d5a5647478e66a4f2
                                                • Opcode Fuzzy Hash: 1166395d184842cca1f9c9dbf690e44f16c4877d7fe222633aad620317193a3c
                                                • Instruction Fuzzy Hash: 0661A270240700BAD320AB669D45F2B3A6CEBC5B49F40853FF942B26E1DB7D9901CB6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [Control-flow graph for function 0040307D; legend: Executed / Not Executed]
                                                C-Code - Quality: 80%
                                                			E0040307D(void* __eflags, signed int _a4) {
                                                				DWORD* _v8;
                                                				DWORD* _v12;
                                                				void* _v16;
                                                				intOrPtr _v20;
                                                				char _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				signed int _v44;
                                                				long _t43;
                                                				signed int _t50;
                                                				void* _t53;
                                                				void* _t57;
                                                				intOrPtr* _t59;
                                                				long _t60;
                                                				signed int _t65;
                                                				signed int _t70;
                                                				signed int _t71;
                                                				signed int _t77;
                                                				intOrPtr _t80;
                                                				long _t82;
                                                				signed int _t85;
                                                				signed int _t87;
                                                				void* _t89;
                                                				signed int _t90;
                                                				signed int _t93;
                                                				void* _t94;
                                                
                                                				_t82 = 0;
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_t43 = GetTickCount();
                                                				_t91 = L"C:\\Users\\jones\\Desktop\\Transferencia.exe";
                                                				 *0x7a8a6c = _t43 + 0x3e8;
                                                				GetModuleFileNameW(0, L"C:\\Users\\jones\\Desktop\\Transferencia.exe", 0x400);
                                                				_t89 = E0040600A(_t91, 0x80000000, 3);
                                                				_v16 = _t89;
                                                				 *0x40a018 = _t89;
                                                				if(_t89 == 0xffffffff) {
                                                					return L"Error launching installer";
                                                				}
                                                				E0040651A(0x7b4800, _t91);
                                                				E0040651A(0x7b7000, E00405E35(0x7b4800));
                                                				_t50 = GetFileSize(_t89, 0);
                                                				__eflags = _t50;
                                                				 *0x79f704 = _t50;
                                                				_t93 = _t50;
                                                				if(_t50 <= 0) {
                                                					L24:
                                                					E00403019(1);
                                                					__eflags =  *0x7a8a74 - _t82;
                                                					if( *0x7a8a74 == _t82) {
                                                						goto L29;
                                                					}
                                                					__eflags = _v8 - _t82;
                                                					if(_v8 == _t82) {
                                                						L28:
                                                						_t34 =  &_v24; // 0x40385a
                                                						_t53 = GlobalAlloc(0x40,  *_t34); // executed
                                                						_t94 = _t53;
                                                						E004034C2( *0x7a8a74 + 0x1c);
                                                						_t35 =  &_v24; // 0x40385a
                                                						_push( *_t35);
                                                						_push(_t94);
                                                						_push(_t82);
                                                						_push(0xffffffff); // executed
                                                						_t57 = E004032B4(); // executed
                                                						__eflags = _t57 - _v24;
                                                						if(_t57 == _v24) {
                                                							__eflags = _v44 & 0x00000001;
                                                							 *0x7a8a70 = _t94;
                                                							 *0x7a8a78 =  *_t94;
                                                							if((_v44 & 0x00000001) != 0) {
                                                								 *0x7a8a7c =  *0x7a8a7c + 1;
                                                								__eflags =  *0x7a8a7c;
                                                							}
                                                							_t40 = _t94 + 0x44; // 0x44
                                                							_t59 = _t40;
                                                							_t85 = 8;
                                                							do {
                                                								_t59 = _t59 - 8;
                                                								 *_t59 =  *_t59 + _t94;
                                                								_t85 = _t85 - 1;
                                                								__eflags = _t85;
                                                							} while (_t85 != 0);
                                                							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                							 *(_t94 + 0x3c) = _t60;
                                                							E00405FC5(0x7a8a80, _t94 + 4, 0x40);
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						goto L29;
                                                					}
                                                					E004034C2( *0x7936f8);
                                                					_t65 = E004034AC( &_a4, 4);
                                                					__eflags = _t65;
                                                					if(_t65 == 0) {
                                                						goto L29;
                                                					}
                                                					__eflags = _v12 - _a4;
                                                					if(_v12 != _a4) {
                                                						goto L29;
                                                					}
                                                					goto L28;
                                                				} else {
                                                					do {
                                                						_t90 = _t93;
                                                						asm("sbb eax, eax");
                                                						_t70 = ( ~( *0x7a8a74) & 0x00007e00) + 0x200;
                                                						__eflags = _t93 - _t70;
                                                						if(_t93 >= _t70) {
                                                							_t90 = _t70;
                                                						}
                                                						_t71 = E004034AC(0x78b6f8, _t90);
                                                						__eflags = _t71;
                                                						if(_t71 == 0) {
                                                							E00403019(1);
                                                							L29:
                                                							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                						}
                                                						__eflags =  *0x7a8a74;
                                                						if( *0x7a8a74 != 0) {
                                                							__eflags = _a4 & 0x00000002;
                                                							if((_a4 & 0x00000002) == 0) {
                                                								E00403019(0);
                                                							}
                                                							goto L20;
                                                						}
                                                						E00405FC5( &_v44, 0x78b6f8, 0x1c);
                                                						_t77 = _v44;
                                                						__eflags = _t77 & 0xfffffff0;
                                                						if((_t77 & 0xfffffff0) != 0) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v40 - 0xdeadbeef;
                                                						if(_v40 != 0xdeadbeef) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v28 - 0x74736e49;
                                                						if(_v28 != 0x74736e49) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v32 - 0x74666f73;
                                                						if(_v32 != 0x74666f73) {
                                                							goto L20;
                                                						}
                                                						__eflags = _v36 - 0x6c6c754e;
                                                						if(_v36 != 0x6c6c754e) {
                                                							goto L20;
                                                						}
                                                						_a4 = _a4 | _t77;
                                                						_t87 =  *0x7936f8; // 0x3da2f
                                                						 *0x7a8b00 =  *0x7a8b00 | _a4 & 0x00000002;
                                                						_t80 = _v20;
                                                						__eflags = _t80 - _t93;
                                                						 *0x7a8a74 = _t87;
                                                						if(_t80 > _t93) {
                                                							goto L29;
                                                						}
                                                						__eflags = _a4 & 0x00000008;
                                                						if((_a4 & 0x00000008) != 0) {
                                                							L16:
                                                							_v8 = _v8 + 1;
                                                							_t93 = _t80 - 4;
                                                							__eflags = _t90 - _t93;
                                                							if(_t90 > _t93) {
                                                								_t90 = _t93;
                                                							}
                                                							goto L20;
                                                						}
                                                						__eflags = _a4 & 0x00000004;
                                                						if((_a4 & 0x00000004) != 0) {
                                                							break;
                                                						}
                                                						goto L16;
                                                						L20:
                                                						__eflags = _t93 -  *0x79f704; // 0x3e100
                                                						if(__eflags < 0) {
                                                							_v12 = E004069D4(_v12, 0x78b6f8, _t90);
                                                						}
                                                						 *0x7936f8 =  *0x7936f8 + _t90;
                                                						_t93 = _t93 - _t90;
                                                						__eflags = _t93;
                                                					} while (_t93 != 0);
                                                					_t82 = 0;
                                                					__eflags = 0;
                                                					goto L24;
                                                				}
                                                			}
                                                0x004031d1
                                                0x004031dd
                                                0x004031dd
                                                0x004031e0
                                                0x004031e6
                                                0x004031e6
                                                0x004031e6
                                                0x004031ee
                                                0x004031ee
                                                0x00000000
                                                0x004031ee

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 0040308E
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Transferencia.exe,00000400,?,?,?,?,?,0040385A,?), ref: 004030AA
                                                  • Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Transferencia.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
                                                  • Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040385A,?), ref: 00406030
                                                • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,007B4800,007B4800,C:\Users\user\Desktop\Transferencia.exe,C:\Users\user\Desktop\Transferencia.exe,80000000,00000003,?,?,?,?,?,0040385A), ref: 004030F6
                                                • GlobalAlloc.KERNELBASE(00000040,Z8@,?,?,?,?,?,0040385A,?), ref: 0040322C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\Transferencia.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$Z8@$soft
                                                • API String ID: 2803837635-1956847086
                                                • Opcode ID: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
                                                • Instruction ID: 1f061f0c38a4f693c331b34270bc70c7c89456ffd71d5a2abe04866b7cb55e0c
                                                • Opcode Fuzzy Hash: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
                                                • Instruction Fuzzy Hash: 9551D071901204ABDB10AF65DD82B9E7FA8EB44756F10853BE501FA2C1CB7C8F418B5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 727 40176f-401794 call 402da6 call 405e60 732 401796-40179c call 40651a 727->732 733 40179e-4017b0 call 40651a call 405de9 lstrcatW 727->733 738 4017b5-4017b6 call 4067a1 732->738 733->738 742 4017bb-4017bf 738->742 743 4017c1-4017cb call 406850 742->743 744 4017f2-4017f5 742->744 752 4017dd-4017ef 743->752 753 4017cd-4017db CompareFileTime 743->753 745 4017f7-4017f8 call 405fe5 744->745 746 4017fd-401819 call 40600a 744->746 745->746 754 40181b-40181e 746->754 755 40188d-4018b6 call 40557c call 4032b4 746->755 752->744 753->752 756 401820-40185e call 40651a * 2 call 406557 call 40651a call 405b7a 754->756 757 40186f-401879 call 40557c 754->757 769 4018b8-4018bc 755->769 770 4018be-4018ca SetFileTime 755->770 756->742 789 401864-401865 756->789 767 401882-401888 757->767 772 402c33 767->772 769->770 771 4018d0-4018db FindCloseChangeNotification 769->771 770->771 774 4018e1-4018e4 771->774 775 402c2a-402c2d 771->775 776 402c35-402c39 772->776 778 4018e6-4018f7 call 406557 lstrcatW 774->778 779 4018f9-4018fc call 406557 774->779 775->772 785 401901-402398 778->785 779->785 790 40239d-4023a2 785->790 791 402398 call 405b7a 785->791 789->767 792 401867-401868 789->792 790->776 791->790 792->757
                                                C-Code - Quality: 61%
                                                			E0040176F(FILETIME* __ebx, void* __eflags) {
                                                				void* __esi;
                                                				void* _t35;
                                                				void* _t43;
                                                				void* _t45;
                                                				FILETIME* _t51;
                                                				FILETIME* _t64;
                                                				void* _t66;
                                                				signed int _t72;
                                                				FILETIME* _t73;
                                                				FILETIME* _t77;
                                                				signed int _t79;
                                                				WCHAR* _t81;
                                                				void* _t83;
                                                				void* _t84;
                                                				void* _t86;
                                                
                                                				_t77 = __ebx;
                                                				 *(_t86 - 8) = E00402DA6(0x31);
                                                				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                                                				_t35 = E00405E60( *(_t86 - 8));
                                                				_push( *(_t86 - 8));
                                                				_t81 = L"Call";
                                                				if(_t35 == 0) {
                                                					lstrcatW(E00405DE9(E0040651A(_t81, 0x7b4000)), ??);
                                                				} else {
                                                					E0040651A();
                                                				}
                                                				E004067A1(_t81);
                                                				while(1) {
                                                					__eflags =  *(_t86 + 8) - 3;
                                                					if( *(_t86 + 8) >= 3) {
                                                						_t66 = E00406850(_t81);
                                                						_t79 = 0;
                                                						__eflags = _t66 - _t77;
                                                						if(_t66 != _t77) {
                                                							_t73 = _t66 + 0x14;
                                                							__eflags = _t73;
                                                							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                                                						}
                                                						asm("sbb eax, eax");
                                                						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                						__eflags = _t72;
                                                						 *(_t86 + 8) = _t72;
                                                					}
                                                					__eflags =  *(_t86 + 8) - _t77;
                                                					if( *(_t86 + 8) == _t77) {
                                                						E00405FE5(_t81);
                                                					}
                                                					__eflags =  *(_t86 + 8) - 1;
                                                					_t43 = E0040600A(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                                					__eflags = _t43 - 0xffffffff;
                                                					 *(_t86 - 0x38) = _t43;
                                                					if(_t43 != 0xffffffff) {
                                                						break;
                                                					}
                                                					__eflags =  *(_t86 + 8) - _t77;
                                                					if( *(_t86 + 8) != _t77) {
                                                						E0040557C(0xffffffe2,  *(_t86 - 8));
                                                						__eflags =  *(_t86 + 8) - 2;
                                                						if(__eflags == 0) {
                                                							 *((intOrPtr*)(_t86 - 4)) = 1;
                                                						}
                                                						L31:
                                                						 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t86 - 4));
                                                						__eflags =  *0x7a8ae8;
                                                						goto L32;
                                                					} else {
                                                						E0040651A("C:\Users\jones\AppData\Local\Temp\nstC730.tmp", _t83);
                                                						E0040651A(_t83, _t81);
                                                						E00406557(_t77, _t81, _t83, "C:\Users\jones\AppData\Local\Temp\nstC730.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
                                                						E0040651A(_t83, "C:\Users\jones\AppData\Local\Temp\nstC730.tmp");
                                                						_t64 = E00405B7A("C:\Users\jones\AppData\Local\Temp\nstC730.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
                                                						__eflags = _t64;
                                                						if(_t64 == 0) {
                                                							continue;
                                                						} else {
                                                							__eflags = _t64 == 1;
                                                							if(_t64 == 1) {
                                                								 *0x7a8ae8 =  &( *0x7a8ae8->dwLowDateTime);
                                                								L32:
                                                								_t51 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_push(_t81);
                                                								_push(0xfffffffa);
                                                								E0040557C();
                                                								L29:
                                                								_t51 = 0x7fffffff;
                                                							}
                                                						}
                                                					}
                                                					L33:
                                                					return _t51;
                                                				}
                                                				E0040557C(0xffffffea,  *(_t86 - 8)); // executed
                                                				 *0x7a8b14 =  *0x7a8b14 + 1;
                                                				_push(_t77);
                                                				_push(_t77);
                                                				_push( *(_t86 - 0x38));
                                                				_push( *((intOrPtr*)(_t86 - 0x28)));
                                                				_t45 = E004032B4(); // executed
                                                				 *0x7a8b14 =  *0x7a8b14 - 1;
                                                				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                                                				_t84 = _t45;
                                                				if( *(_t86 - 0x24) != 0xffffffff) {
                                                					L22:
                                                					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                                                				} else {
                                                					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                                                					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                                                						goto L22;
                                                					}
                                                				}
                                                				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                                                				__eflags = _t84 - _t77;
                                                				if(_t84 >= _t77) {
                                                					goto L31;
                                                				} else {
                                                					__eflags = _t84 - 0xfffffffe;
                                                					if(_t84 != 0xfffffffe) {
                                                						E00406557(_t77, _t81, _t84, _t81, 0xffffffee);
                                                					} else {
                                                						E00406557(_t77, _t81, _t84, _t81, 0xffffffe9);
                                                						lstrcatW(_t81,  *(_t86 - 8));
                                                					}
                                                					_push(0x200010);
                                                					_push(_t81);
                                                					E00405B7A();
                                                					goto L29;
                                                				}
                                                				goto L33;
                                                			}



















                                                APIs
                                                • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,007B4000,?,?,00000031), ref: 004017D5
                                                  • Part of subcall function 0040651A: lstrcpynW.KERNEL32(?,?,00000400,0040367A,007A7A60,NSIS Error), ref: 00406527
                                                  • Part of subcall function 0040557C: lstrlenW.KERNEL32(007A0F28,00000000,0079F570,76CDEA30,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
                                                  • Part of subcall function 0040557C: lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079F570,76CDEA30,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
                                                  • Part of subcall function 0040557C: lstrcatW.KERNEL32(007A0F28,004033F5), ref: 004055D7
                                                  • Part of subcall function 0040557C: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004055E9
                                                  • Part of subcall function 0040557C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                                                  • Part of subcall function 0040557C: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
                                                  • Part of subcall function 0040557C: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Temp\nstC730.tmp$C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll$Call
                                                • API String ID: 1941528284-3308602675
                                                • Opcode ID: 7858d456fb03ccf9a4fc02aecf834b9d02d21675ab431890d9fa7e4538b0b482
                                                • Instruction ID: 5ac910c5439316a1e26e23cc6d9244c071f0fb36d70bd55283583498c2888f83
                                                • Opcode Fuzzy Hash: 7858d456fb03ccf9a4fc02aecf834b9d02d21675ab431890d9fa7e4538b0b482
                                                • Instruction Fuzzy Hash: 9841A271900108BACF11BBB5DD85DAE3A79EF4536CB20423FF412B50E1DA3C8A519A6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 793 4032b4-4032cb 794 4032d4-4032dd 793->794 795 4032cd 793->795 796 4032e6-4032eb 794->796 797 4032df 794->797 795->794 798 4032fb-403308 call 4034ac 796->798 799 4032ed-4032f6 call 4034c2 796->799 797->796 803 40349a 798->803 804 40330e-403312 798->804 799->798 805 40349c-40349d 803->805 806 403445-403447 804->806 807 403318-40333e GetTickCount 804->807 810 4034a5-4034a9 805->810 808 403487-40348a 806->808 809 403449-40344c 806->809 811 4034a2 807->811 812 403344-40334c 807->812 813 40348c 808->813 814 40348f-403498 call 4034ac 808->814 809->811 815 40344e 809->815 811->810 816 403351-40335f call 4034ac 812->816 817 40334e 812->817 813->814 814->803 825 40349f 814->825 819 403451-403457 815->819 816->803 827 403365-40336e 816->827 817->816 822 403459 819->822 823 40345b-403469 call 4034ac 819->823 822->823 823->803 831 40346b-403477 call 4060bc 823->831 825->811 829 403374-403394 call 406a42 827->829 834 40339a-4033ad GetTickCount 829->834 835 40343d-40343f 829->835 837 403441-403443 831->837 838 403479-403483 831->838 839 4033f8-4033fa 834->839 840 4033af-4033b7 834->840 835->805 837->805 838->819 841 403485 838->841 844 403431-403435 839->844 845 4033fc-403400 839->845 842 4033b9-4033bd 840->842 843 4033bf-4033f0 MulDiv wsprintfW call 40557c 840->843 841->811 842->839 842->843 850 4033f5 843->850 844->812 846 40343b 844->846 848 403402-403409 call 4060bc 845->848 849 403417-403422 845->849 846->811 854 40340e-403410 848->854 852 403425-403429 849->852 850->839 852->829 853 40342f 852->853 853->811 854->837 855 403412-403415 854->855 855->852
                                                C-Code - Quality: 95%
                                                			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                				signed int _v8;
                                                				int _v12;
                                                				intOrPtr _v16;
                                                				long _v20;
                                                				intOrPtr _v24;
                                                				short _v152;
                                                				void* _t65;
                                                				long _t70;
                                                				intOrPtr _t74;
                                                				long _t75;
                                                				intOrPtr _t76;
                                                				void* _t77;
                                                				int _t87;
                                                				intOrPtr _t91;
                                                				intOrPtr _t94;
                                                				long _t95;
                                                				signed int _t96;
                                                				int _t97;
                                                				int _t98;
                                                				intOrPtr _t99;
                                                				void* _t100;
                                                				void* _t101;
                                                
                                                				_t96 = _a16;
                                                				_t91 = _a12;
                                                				_v12 = _t96;
                                                				if(_t91 == 0) {
                                                					_v12 = 0x8000;
                                                				}
                                                				_v8 = _v8 & 0x00000000;
                                                				_v16 = _t91;
                                                				if(_t91 == 0) {
                                                					_v16 = 0x797700;
                                                				}
                                                				_t62 = _a4;
                                                				if(_a4 >= 0) {
                                                					E004034C2( *0x7a8ab8 + _t62);
                                                				}
                                                				if(E004034AC( &_a16, 4) == 0) {
                                                					L41:
                                                					_push(0xfffffffd);
                                                					goto L42;
                                                				} else {
                                                					if((_a19 & 0x00000080) == 0) {
                                                						if(_t91 != 0) {
                                                							if(_a16 < _t96) {
                                                								_t96 = _a16;
                                                							}
                                                							if(E004034AC(_t91, _t96) != 0) {
                                                								_v8 = _t96;
                                                								L44:
                                                								return _v8;
                                                							} else {
                                                								goto L41;
                                                							}
                                                						}
                                                						if(_a16 <= _t91) {
                                                							goto L44;
                                                						}
                                                						_t87 = _v12;
                                                						while(1) {
                                                							_t97 = _a16;
                                                							if(_a16 >= _t87) {
                                                								_t97 = _t87;
                                                							}
                                                							if(E004034AC(0x793700, _t97) == 0) {
                                                								goto L41;
                                                							}
                                                							if(E004060BC(_a8, 0x793700, _t97) == 0) {
                                                								L28:
                                                								_push(0xfffffffe);
                                                								L42:
                                                								_pop(_t65);
                                                								return _t65;
                                                							}
                                                							_v8 = _v8 + _t97;
                                                							_a16 = _a16 - _t97;
                                                							if(_a16 > 0) {
                                                								continue;
                                                							}
                                                							goto L44;
                                                						}
                                                						goto L41;
                                                					}
                                                					_t70 = GetTickCount();
                                                					 *0x40ce58 =  *0x40ce58 & 0x00000000;
                                                					_t14 =  &_a16;
                                                					 *_t14 = _a16 & 0x7fffffff;
                                                					_v20 = _t70;
                                                					 *0x40ce40 = 0xb;
                                                					_a4 = _a16;
                                                					if( *_t14 <= 0) {
                                                						goto L44;
                                                					} else {
                                                						goto L9;
                                                					}
                                                					while(1) {
                                                						L9:
                                                						_t98 = 0x4000;
                                                						if(_a16 < 0x4000) {
                                                							_t98 = _a16;
                                                						}
                                                						if(E004034AC(0x793700, _t98) == 0) {
                                                							goto L41;
                                                						}
                                                						_a16 = _a16 - _t98;
                                                						 *0x40ce30 = 0x793700;
                                                						 *0x40ce34 = _t98;
                                                						while(1) {
                                                							_t94 = _v16;
                                                							 *0x40ce38 = _t94;
                                                							 *0x40ce3c = _v12;
                                                							_t74 = E00406A42("Vly");
                                                							_v24 = _t74;
                                                							if(_t74 < 0) {
                                                								break;
                                                							}
                                                							_t99 =  *0x40ce38; // 0x79f570
                                                							_t100 = _t99 - _t94;
                                                							_t75 = GetTickCount();
                                                							_t95 = _t75;
                                                							if(( *0x7a8b14 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
                                                								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                								_t101 = _t101 + 0xc;
                                                								E0040557C(0,  &_v152); // executed
                                                								_v20 = _t95;
                                                							}
                                                							if(_t100 == 0) {
                                                								if(_a16 > 0) {
                                                									goto L9;
                                                								}
                                                								goto L44;
                                                							} else {
                                                								if(_a12 != 0) {
                                                									_t76 =  *0x40ce38; // 0x79f570
                                                									_v8 = _v8 + _t100;
                                                									_v12 = _v12 - _t100;
                                                									_v16 = _t76;
                                                									L23:
                                                									if(_v24 != 4) {
                                                										continue;
                                                									}
                                                									goto L44;
                                                								}
                                                								_t77 = E004060BC(_a8, _v16, _t100); // executed
                                                								if(_t77 == 0) {
                                                									goto L28;
                                                								}
                                                								_v8 = _v8 + _t100;
                                                								goto L23;
                                                							}
                                                						}
                                                						_push(0xfffffffc);
                                                						goto L42;
                                                					}
                                                					goto L41;
                                                				}
                                                			}


























                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CountTick$wsprintf
                                                • String ID: ... %d%%$Vly$Z8@
                                                • API String ID: 551687249-2471056181
                                                • Opcode ID: 67e296ff4565807106035eaab5f2577f851fd332784b09125895019d099d7f68
                                                • Instruction ID: 2eef5f2140e491494c2db8857c7661a7403dfcbdcc622e4f150acafc5917097d
                                                • Opcode Fuzzy Hash: 67e296ff4565807106035eaab5f2577f851fd332784b09125895019d099d7f68
                                                • Instruction Fuzzy Hash: 59516C71800219EBDB11DF55DA84B9E7FB8AF40326F14417BE814BA2C1D7789F408BAA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                C-Code - Quality: 100%
                                                			E0040557C(signed int _a4, WCHAR* _a8) {
                                                				struct HWND__* _v8;
                                                				signed int _v12;
                                                				WCHAR* _v32;
                                                				long _v44;
                                                				int _v48;
                                                				void* _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				WCHAR* _t27;
                                                				signed int _t28;
                                                				long _t29;
                                                				signed int _t37;
                                                				signed int _t38;
                                                
                                                				_t27 =  *0x7a7a44;
                                                				_v8 = _t27;
                                                				if(_t27 != 0) {
                                                					_t37 =  *0x7a8b14;
                                                					_v12 = _t37;
                                                					_t38 = _t37 & 0x00000001;
                                                					if(_t38 == 0) {
                                                						E00406557(_t38, 0, 0x7a0f28, 0x7a0f28, _a4);
                                                					}
                                                					_t27 = lstrlenW(0x7a0f28);
                                                					_a4 = _t27;
                                                					if(_a8 == 0) {
                                                						L6:
                                                						if((_v12 & 0x00000004) == 0) {
                                                							_t27 = SetWindowTextW( *0x7a7a28, 0x7a0f28); // executed
                                                						}
                                                						if((_v12 & 0x00000002) == 0) {
                                                							_v32 = 0x7a0f28;
                                                							_v52 = 1;
                                                							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
                                                							_v44 = 0;
                                                							_v48 = _t29 - _t38;
                                                							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
                                                							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
                                                						}
                                                						if(_t38 != 0) {
                                                							_t28 = _a4;
                                                							0x7a0f28[_t28] = 0;
                                                							return _t28;
                                                						}
                                                					} else {
                                                						_t27 = lstrlenW(_a8) + _a4;
                                                						if(_t27 < 0x1000) {
                                                							_t27 = lstrcatW(0x7a0f28, _a8);
                                                							goto L6;
                                                						}
                                                					}
                                                				}
                                                				return _t27;
                                                			}


















                                                APIs
                                                • lstrlenW.KERNEL32(007A0F28,00000000,0079F570,76CDEA30,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
                                                • lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079F570,76CDEA30,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
                                                • lstrcatW.KERNEL32(007A0F28,004033F5), ref: 004055D7
                                                • SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004055E9
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                                                  • Part of subcall function 00406557: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
                                                  • Part of subcall function 00406557: lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                • String ID:
                                                • API String ID: 1495540970-0
                                                • Opcode ID: 4220885725f682886bacb0d0991f91d3f85cd1758724983fd30707fe453943de
                                                • Instruction ID: aa9a416d1108715588902b7fd38edda494bf3b6dcc64e7638c7e5b3a5377cb21
                                                • Opcode Fuzzy Hash: 4220885725f682886bacb0d0991f91d3f85cd1758724983fd30707fe453943de
                                                • Instruction Fuzzy Hash: F7218071900518BACF119F69ED449CFBF79EF49750F10803AF944B62A0C7794A40CFA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 870 406877-406897 GetSystemDirectoryW 871 406899 870->871 872 40689b-40689d 870->872 871->872 873 4068ae-4068b0 872->873 874 40689f-4068a8 872->874 876 4068b1-4068e4 wsprintfW LoadLibraryExW 873->876 874->873 875 4068aa-4068ac 874->875 875->876
                                                C-Code - Quality: 100%
                                                			E00406877(intOrPtr _a4) {
                                                				short _v576;
                                                				signed int _t13;
                                                				struct HINSTANCE__* _t17;
                                                				signed int _t19;
                                                				void* _t24;
                                                
                                                				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                                				if(_t13 > 0x104) {
                                                					_t13 = 0;
                                                				}
                                                				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                                					_t19 = 1;
                                                				} else {
                                                					_t19 = 0;
                                                				}
                                                				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                                				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                                                				return _t17;
                                                			}









                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
                                                • wsprintfW.USER32 ref: 004068C9
                                                • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                • String ID: %s%S.dll$UXTHEME$\
                                                • API String ID: 2200240437-1946221925
                                                • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                • Instruction ID: cdb972a85fe13f574061c7118b8c5d4b466341d866a79bb5796beb4354b5a6e3
                                                • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                • Instruction Fuzzy Hash: E9F0F671511119A7DF10BB64DD0DF9B376CAF00305F11447AAA46F10E0EB7CDA68CBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 877 405a4b-405a96 CreateDirectoryW 878 405a98-405a9a 877->878 879 405a9c-405aa9 GetLastError 877->879 880 405ac3-405ac5 878->880 879->880 881 405aab-405abf SetFileSecurityW 879->881 881->878 882 405ac1 GetLastError 881->882 882->880
                                                C-Code - Quality: 100%
                                                			E00405A4B(WCHAR* _a4) {
                                                				struct _SECURITY_ATTRIBUTES _v16;
                                                				struct _SECURITY_DESCRIPTOR _v36;
                                                				int _t22;
                                                				long _t23;
                                                
                                                				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                				_v36.Owner = 0x4083f8;
                                                				_v36.Group = 0x4083f8;
                                                				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                				_v16.lpSecurityDescriptor =  &_v36;
                                                				_v36.Revision = 1;
                                                				_v36.Control = 4;
                                                				_v36.Dacl = 0x4083e8;
                                                				_v16.nLength = 0xc;
                                                				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                                                				if(_t22 != 0) {
                                                					L1:
                                                					return 0;
                                                				}
                                                				_t23 = GetLastError();
                                                				if(_t23 == 0xb7) {
                                                					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                                						goto L1;
                                                					}
                                                					return GetLastError();
                                                				}
                                                				return _t23;
                                                			}








                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A8E
                                                • GetLastError.KERNEL32 ref: 00405AA2
                                                • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AB7
                                                • GetLastError.KERNEL32 ref: 00405AC1
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A71
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 3449924974-3081826266
                                                • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                • Instruction ID: 6b4cde1861b350949670c47dbaa51c368922036badf300449d23a0f4a4187d7a
                                                • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                • Instruction Fuzzy Hash: D0010871D10219EADF109BA0C984BEFBFB4EB04314F04853AD545B6180D77896488FA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 883 732a1817-732a1856 call 732a1bff 887 732a185c-732a1860 883->887 888 732a1976-732a1978 883->888 889 732a1869-732a1876 call 732a2480 887->889 890 732a1862-732a1868 call 732a243e 887->890 895 732a1878-732a187d 889->895 896 732a18a6-732a18ad 889->896 890->889 899 732a1898-732a189b 895->899 900 732a187f-732a1880 895->900 897 732a18af-732a18cb call 732a2655 call 732a1654 call 732a1312 GlobalFree 896->897 898 732a18cd-732a18d1 896->898 921 732a1925-732a1929 897->921 904 732a191e-732a1924 call 732a2655 898->904 905 732a18d3-732a191c call 732a1666 call 732a2655 898->905 899->896 906 732a189d-732a189e call 732a2e23 899->906 902 732a1888-732a1889 call 732a2b98 900->902 903 732a1882-732a1883 900->903 917 732a188e 902->917 909 732a1890-732a1896 call 732a2810 903->909 910 732a1885-732a1886 903->910 904->921 905->921 914 732a18a3 906->914 920 732a18a5 909->920 910->896 910->902 914->920 917->914 920->896 925 732a192b-732a1939 call 732a2618 921->925 926 732a1966-732a196d 921->926 933 732a193b-732a193e 925->933 934 732a1951-732a1958 925->934 926->888 931 732a196f-732a1970 GlobalFree 926->931 931->888 933->934 935 732a1940-732a1948 933->935 934->926 936 732a195a-732a1965 call 732a15dd 934->936 935->934 937 732a194a-732a194b FreeLibrary 935->937 936->926 937->934
                                                C-Code - Quality: 88%
                                                			E732A1817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                				void _v36;
                                                				char _v136;
                                                				struct HINSTANCE__* _t37;
                                                				void* _t39;
                                                				intOrPtr _t42;
                                                				void* _t48;
                                                				void* _t49;
                                                				void* _t50;
                                                				void* _t54;
                                                				intOrPtr _t57;
                                                				signed int _t61;
                                                				signed int _t63;
                                                				void* _t67;
                                                				void* _t68;
                                                				void* _t72;
                                                				void* _t76;
                                                
                                                				_t76 = __esi;
                                                				_t68 = __edi;
                                                				_t67 = __edx;
                                                				 *0x732a506c = _a8;
                                                				 *0x732a5070 = _a16;
                                                				 *0x732a5074 = _a12;
                                                				 *((intOrPtr*)(_a20 + 0xc))( *0x732a5048, E732A1651);
                                                				_push(1); // executed
                                                				_t37 = E732A1BFF(); // executed
                                                				_t54 = _t37;
                                                				if(_t54 == 0) {
                                                					L28:
                                                					return _t37;
                                                				} else {
                                                					if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                						E732A243E(_t54);
                                                					}
                                                					_push(_t54);
                                                					E732A2480(_t67);
                                                					_t57 =  *((intOrPtr*)(_t54 + 4));
                                                					if(_t57 == 0xffffffff) {
                                                						L14:
                                                						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
                                                							if( *((intOrPtr*)(_t54 + 4)) == 0) {
                                                								_push(_t54);
                                                								_t37 = E732A2655();
                                                							} else {
                                                								_push(_t76);
                                                								_push(_t68);
                                                								_t61 = 8;
                                                								_t13 = _t54 + 0x1018; // 0x1018
                                                								memcpy( &_v36, _t13, _t61 << 2);
                                                								_t42 = E732A1666(_t54,  &_v136);
                                                								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
                                                								_t18 = _t54 + 0x1018; // 0x1018
                                                								_t72 = _t18;
                                                								_push(_t54);
                                                								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
                                                								 *_t72 = 4;
                                                								E732A2655();
                                                								_t63 = 8;
                                                								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
                                                							}
                                                						} else {
                                                							_push(_t54);
                                                							E732A2655();
                                                							_t37 = GlobalFree(E732A1312(E732A1654(_t54)));
                                                						}
                                                						if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                							_t37 = E732A2618(_t54);
                                                							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
                                                								_t37 =  *(_t54 + 0x1008);
                                                								if(_t37 != 0) {
                                                									_t37 = FreeLibrary(_t37);
                                                								}
                                                							}
                                                							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
                                                								_t37 = E732A15DD( *0x732a5068);
                                                							}
                                                						}
                                                						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
                                                							goto L28;
                                                						} else {
                                                							_t39 = GlobalFree(_t54); // executed
                                                							return _t39;
                                                						}
                                                					}
                                                					_t48 =  *_t54;
                                                					if(_t48 == 0) {
                                                						if(_t57 != 1) {
                                                							goto L14;
                                                						}
                                                						E732A2E23(_t54);
                                                						L12:
                                                						_t54 = _t48;
                                                						L13:
                                                						goto L14;
                                                					}
                                                					_t49 = _t48 - 1;
                                                					if(_t49 == 0) {
                                                						L8:
                                                						_t48 = E732A2B98(_t57, _t54); // executed
                                                						goto L12;
                                                					}
                                                					_t50 = _t49 - 1;
                                                					if(_t50 == 0) {
                                                						E732A2810(_t54);
                                                						goto L13;
                                                					}
                                                					if(_t50 != 1) {
                                                						goto L14;
                                                					}
                                                					goto L8;
                                                				}
                                                			}




















                                                APIs
                                                  • Part of subcall function 732A1BFF: GlobalFree.KERNEL32 ref: 732A1E74
                                                  • Part of subcall function 732A1BFF: GlobalFree.KERNEL32 ref: 732A1E79
                                                  • Part of subcall function 732A1BFF: GlobalFree.KERNEL32 ref: 732A1E7E
                                                • GlobalFree.KERNEL32 ref: 732A18C5
                                                • FreeLibrary.KERNEL32(?), ref: 732A194B
                                                • GlobalFree.KERNEL32 ref: 732A1970
                                                  • Part of subcall function 732A243E: GlobalAlloc.KERNEL32(00000040,?), ref: 732A246F
                                                  • Part of subcall function 732A2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,732A1896,00000000), ref: 732A28E0
                                                  • Part of subcall function 732A1666: wsprintfW.USER32 ref: 732A1694
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                • Associated: 00000000.00000002.756311352.00000000732A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756329828.00000000732A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756338430.00000000732A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_732a0000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc$Librarywsprintf
                                                • String ID:
                                                • API String ID: 3962662361-3916222277
                                                • Opcode ID: 325b81e355114694e649d33d76a76816ecc7dd48f82e2e1925eb52604c4b1e31
                                                • Instruction ID: 925aacf5b1ab6826760b64d2e0f415da110e79ba4a2762eec26522e9e52d84c4
                                                • Opcode Fuzzy Hash: 325b81e355114694e649d33d76a76816ecc7dd48f82e2e1925eb52604c4b1e31
                                                • Instruction Fuzzy Hash: D341A771A043469BEB019F6CD988B9537ACAF04370F188465ED4BAA1C6DBB8E0C4D760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 940 406039-406045 941 406046-40607a GetTickCount GetTempFileNameW 940->941 942 406089-40608b 941->942 943 40607c-40607e 941->943 945 406083-406086 942->945 943->941 944 406080 943->944 944->945
                                                C-Code - Quality: 100%
                                                			E00406039(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                				intOrPtr _v8;
                                                				short _v12;
                                                				short _t12;
                                                				intOrPtr _t13;
                                                				signed int _t14;
                                                				WCHAR* _t17;
                                                				signed int _t19;
                                                				signed short _t23;
                                                				WCHAR* _t26;
                                                
                                                				_t26 = _a4;
                                                				_t23 = 0x64;
                                                				while(1) {
                                                					_t12 =  *L"nsa"; // 0x73006e
                                                					_t23 = _t23 - 1;
                                                					_v12 = _t12;
                                                					_t13 =  *0x40a57c; // 0x61
                                                					_v8 = _t13;
                                                					_t14 = GetTickCount();
                                                					_t19 = 0x1a;
                                                					_v8 = _v8 + _t14 % _t19;
                                                					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                                					if(_t17 != 0) {
                                                						break;
                                                					}
                                                					if(_t23 != 0) {
                                                						continue;
                                                					} else {
                                                						 *_t26 =  *_t26 & _t23;
                                                					}
                                                					L4:
                                                					return _t17;
                                                				}
                                                				_t17 = _t26;
                                                				goto L4;
                                                			}












                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00406057
                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403508,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406072
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-678247507
                                                • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                • Instruction ID: d9a4429216a2c16f2b1e0ff0632edab8c7003fcac11a898ec3991e0c35e2d836
                                                • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                • Instruction Fuzzy Hash: 84F0F076B40204BFEB00CF59ED05E9EB7ACEB95750F01803AEE45F3140E6B099648768
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 950 4020d8-4020e4 951 4021a3-4021a5 950->951 952 4020ea-402100 call 402da6 * 2 950->952 953 4022f1-4022f6 call 401423 951->953 963 402110-40211f LoadLibraryExW 952->963 964 402102-40210e GetModuleHandleW 952->964 960 402c2a-402c39 953->960 961 40292e-402935 953->961 961->960 966 402121-402130 call 406956 963->966 967 40219c-40219e 963->967 964->963 964->966 970 402132-402138 966->970 971 40216b-402170 call 40557c 966->971 967->953 973 402151-402164 call 732a1817 970->973 974 40213a-402146 call 401423 970->974 975 402175-402178 971->975 977 402166-402169 973->977 974->975 984 402148-40214f 974->984 975->960 978 40217e-402188 call 403b69 975->978 977->975 978->960 983 40218e-402197 FreeLibrary 978->983 983->960 984->975
                                                C-Code - Quality: 60%
                                                			E004020D8(void* __ebx, void* __eflags) {
                                                				struct HINSTANCE__* _t23;
                                                				struct HINSTANCE__* _t31;
                                                				void* _t32;
                                                				WCHAR* _t35;
                                                				intOrPtr* _t36;
                                                				void* _t37;
                                                				void* _t39;
                                                
                                                				_t32 = __ebx;
                                                				asm("sbb eax, 0x7a8b20");
                                                				 *(_t39 - 4) = 1;
                                                				if(__eflags < 0) {
                                                					_push(0xffffffe7);
                                                					L15:
                                                					E00401423();
                                                					L16:
                                                					 *0x7a8ae8 =  *0x7a8ae8 +  *(_t39 - 4);
                                                					return 0;
                                                				}
                                                				_t35 = E00402DA6(0xfffffff0);
                                                				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
                                                				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
                                                					L3:
                                                					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
                                                					_t47 = _t23 - _t32;
                                                					 *(_t39 + 8) = _t23;
                                                					if(_t23 == _t32) {
                                                						_push(0xfffffff6);
                                                						goto L15;
                                                					}
                                                					L4:
                                                					_t36 = E00406956(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
                                                					if(_t36 == _t32) {
                                                						E0040557C(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
                                                					} else {
                                                						 *(_t39 - 4) = _t32;
                                                						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
                                                							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce28, 0x40a000); // executed
                                                						} else {
                                                							E00401423( *((intOrPtr*)(_t39 - 0x28)));
                                                							if( *_t36() != 0) {
                                                								 *(_t39 - 4) = 1;
                                                							}
                                                						}
                                                					}
                                                					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B69( *(_t39 + 8)) != 0) {
                                                						FreeLibrary( *(_t39 + 8));
                                                					}
                                                					goto L16;
                                                				}
                                                				_t31 = GetModuleHandleW(_t35); // executed
                                                				 *(_t39 + 8) = _t31;
                                                				if(_t31 != __ebx) {
                                                					goto L4;
                                                				}
                                                				goto L3;
                                                			}










                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                                                  • Part of subcall function 0040557C: lstrlenW.KERNEL32(007A0F28,00000000,0079F570,76CDEA30,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
                                                  • Part of subcall function 0040557C: lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079F570,76CDEA30,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
                                                  • Part of subcall function 0040557C: lstrcatW.KERNEL32(007A0F28,004033F5), ref: 004055D7
                                                  • Part of subcall function 0040557C: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004055E9
                                                  • Part of subcall function 0040557C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                                                  • Part of subcall function 0040557C: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
                                                  • Part of subcall function 0040557C: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                                                • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
                                                • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 334405425-0
                                                • Opcode ID: d3289adf4ebaccc714292094f0131b2a55a31b2be69c8ba73e82ed6e367305b0
                                                • Instruction ID: 444e3b163f15bd358be0b4800c507c2147bc3560cfb58e26f6c7225f93e15a3b
                                                • Opcode Fuzzy Hash: d3289adf4ebaccc714292094f0131b2a55a31b2be69c8ba73e82ed6e367305b0
                                                • Instruction Fuzzy Hash: D621D471904104FACF11AFA5CF48E9E7A71BF48354F20413BF505B91E1DBBD8A929A1D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 59%
                                                			E00401B9B(void* __ebx) {
                                                				intOrPtr _t8;
                                                				void* _t9;
                                                				void _t12;
                                                				void* _t14;
                                                				void* _t22;
                                                				void* _t25;
                                                				void* _t30;
                                                				char* _t32;
                                                				void* _t33;
                                                				void* _t34;
                                                				void* _t37;
                                                
                                                				_t28 = __ebx;
                                                				_t8 =  *((intOrPtr*)(_t37 - 0x28));
                                                				_t33 =  *0x40ce28; // 0x0
                                                				if(_t8 == __ebx) {
                                                					if( *((intOrPtr*)(_t37 - 0x2c)) == __ebx) {
                                                						_t9 = GlobalAlloc(0x40, 0x804); // executed
                                                						_t34 = _t9;
                                                						_t5 = _t34 + 4; // 0x4
                                                						E00406557(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x30)));
                                                						_t12 =  *0x40ce28; // 0x0
                                                						 *_t34 = _t12;
                                                						 *0x40ce28 = _t34;
                                                					} else {
                                                						if(_t33 == __ebx) {
                                                							 *((intOrPtr*)(_t37 - 4)) = 1;
                                                						} else {
                                                							_t3 = _t33 + 4; // 0x4
                                                							E0040651A(_t30, _t3);
                                                							_push(_t33);
                                                							 *0x40ce28 =  *_t33;
                                                							GlobalFree();
                                                						}
                                                					}
                                                					goto L15;
                                                				} else {
                                                					while(1) {
                                                						_t8 = _t8 - 1;
                                                						if(_t33 == _t28) {
                                                							break;
                                                						}
                                                						_t33 =  *_t33;
                                                						if(_t8 != _t28) {
                                                							continue;
                                                						} else {
                                                							if(_t33 == _t28) {
                                                								break;
                                                							} else {
                                                								_t36 = _t33 + 4;
                                                								_t32 = L"Call";
                                                								E0040651A(_t32, _t33 + 4);
                                                								_t22 =  *0x40ce28; // 0x0
                                                								E0040651A(_t36, _t22 + 4);
                                                								_t25 =  *0x40ce28; // 0x0
                                                								_push(_t32);
                                                								_push(_t25 + 4);
                                                								E0040651A();
                                                								L15:
                                                								 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t37 - 4));
                                                								_t14 = 0;
                                                							}
                                                						}
                                                						goto L17;
                                                					}
                                                					_push(0x200010);
                                                					_push(E00406557(_t28, _t30, _t33, _t28, 0xffffffe8));
                                                					E00405B7A();
                                                					_t14 = 0x7fffffff;
                                                				}
                                                				L17:
                                                				return _t14;
                                                			}














                                                APIs
                                                • GlobalFree.KERNEL32 ref: 00401C0B
                                                • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                                                  • Part of subcall function 00406557: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
                                                  • Part of subcall function 00406557: lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Global$AllocFreelstrcatlstrlen
                                                • String ID: Call
                                                • API String ID: 3292104215-1824292864
                                                • Opcode ID: b890c972c8bf46be985b92796f08af71a41c27e005c5bd4be6b96cad305d66d6
                                                • Instruction ID: 26dbd5a77eb58e605bfe28f9d4715249581a5b1b61a00b50ad00dbbd18183bd9
                                                • Opcode Fuzzy Hash: b890c972c8bf46be985b92796f08af71a41c27e005c5bd4be6b96cad305d66d6
                                                • Instruction Fuzzy Hash: CE219373904210EBD721AFA4DEC4A9E73A4EB08328715453BF542F72D0D6BCA8418B5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E004015C1(short __ebx, void* __eflags) {
                                                				void* _t17;
                                                				int _t23;
                                                				void* _t25;
                                                				signed char _t26;
                                                				short _t28;
                                                				short _t31;
                                                				short* _t34;
                                                				void* _t36;
                                                
                                                				_t28 = __ebx;
                                                				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                                                				_t17 = E00405E94(_t16);
                                                				_t32 = _t17;
                                                				if(_t17 != __ebx) {
                                                					do {
                                                						_t34 = E00405E16(_t32, 0x5c);
                                                						_t31 =  *_t34;
                                                						 *_t34 = _t28;
                                                						if(_t31 != _t28) {
                                                							L5:
                                                							_t25 = E00405AC8( *(_t36 + 8));
                                                						} else {
                                                							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                                                							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405AE5(_t42) == 0) {
                                                								goto L5;
                                                							} else {
                                                								_t25 = E00405A4B( *(_t36 + 8)); // executed
                                                							}
                                                						}
                                                						if(_t25 != _t28) {
                                                							if(_t25 != 0xb7) {
                                                								L9:
                                                								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                							} else {
                                                								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                                								if((_t26 & 0x00000010) == 0) {
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                						 *_t34 = _t31;
                                                						_t32 = _t34 + 2;
                                                					} while (_t31 != _t28);
                                                				}
                                                				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                                                					_push(0xfffffff5);
                                                					E00401423();
                                                				} else {
                                                					E00401423(0xffffffe6);
                                                					E0040651A(0x7b4000,  *(_t36 + 8));
                                                					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                                					if(_t23 == 0) {
                                                						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                					}
                                                				}
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t36 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                  • Part of subcall function 00405E94: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nstC730.tmp,?,00405F08,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EA2
                                                  • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EA7
                                                  • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EBF
                                                • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                  • Part of subcall function 00405A4B: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A8E
                                                • SetCurrentDirectoryW.KERNELBASE(?,007B4000,?,00000000,000000F0), ref: 0040164D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                • String ID:
                                                • API String ID: 1892508949-0
                                                • Opcode ID: ea366b61ea7e0f954f802211c46f95b4e790a63d7230a0a8c72c366b88b3d3fb
                                                • Instruction ID: b26d59bbbb8bd31aa62bfaa3988508fb5429084e49f4d8f394da2dab55023cb6
                                                • Opcode Fuzzy Hash: ea366b61ea7e0f954f802211c46f95b4e790a63d7230a0a8c72c366b88b3d3fb
                                                • Instruction Fuzzy Hash: E611E631504115EBCF216FA5CD40A9F36A0EF15369B28493BF541B52F1DA3E4A819F4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E0040252A(int* __ebx, char* __edi) {
                                                				void* _t17;
                                                				short* _t18;
                                                				void* _t35;
                                                				void* _t37;
                                                				void* _t40;
                                                
                                                				_t33 = __edi;
                                                				_t27 = __ebx;
                                                				_t17 = E00402DE6(_t40, 0x20019); // executed
                                                				_t35 = _t17;
                                                				_t18 = E00402DA6(0x33);
                                                				 *__edi = __ebx;
                                                				if(_t35 == __ebx) {
                                                					 *(_t37 - 4) = 1;
                                                				} else {
                                                					 *(_t37 - 0x10) = 0x800;
                                                					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
                                                						L7:
                                                						 *_t33 = _t27;
                                                						 *(_t37 - 4) = 1;
                                                					} else {
                                                						if( *(_t37 + 8) == 4) {
                                                							__eflags =  *(_t37 - 0x20) - __ebx;
                                                							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
                                                							E00406461(__edi,  *__edi);
                                                						} else {
                                                							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
                                                								 *(_t37 - 4) =  *(_t37 - 0x20);
                                                								_t33[0x7fe] = _t27;
                                                							} else {
                                                								goto L7;
                                                							}
                                                						}
                                                					}
                                                					_push(_t35);
                                                					RegCloseKey();
                                                				}
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *(_t37 - 4);
                                                				return 0;
                                                			}









                                                APIs
                                                • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nstC730.tmp,00000000,00000011,00000002), ref: 004025FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue
                                                • String ID:
                                                • API String ID: 3356406503-0
                                                • Opcode ID: 0694351e98cd469bae9d726cc189f6ef90d59886634df9e537887f839f6a2698
                                                • Instruction ID: 571b9b924b31111faeddb2e20a0922d1bec3187f76108aa99b1997940c0dfa40
                                                • Opcode Fuzzy Hash: 0694351e98cd469bae9d726cc189f6ef90d59886634df9e537887f839f6a2698
                                                • Instruction Fuzzy Hash: D5116D71904219EADF14DFA4DA589AE7774FF04345B20843BE001B62C0E7B88A45EB5E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E00401389(signed int _a4, struct HWND__* _a10) {
                                                				intOrPtr* _t6;
                                                				void* _t8;
                                                				void* _t10;
                                                				signed int _t11;
                                                				void* _t12;
                                                				signed int _t16;
                                                				signed int _t17;
                                                
                                                				_t17 = _a4;
                                                				while(_t17 >= 0) {
                                                					_t6 = _t17 * 0x1c +  *0x7a8a90;
                                                					if( *_t6 == 1) {
                                                						break;
                                                					}
                                                					_push(_t6); // executed
                                                					_t8 = E00401434(); // executed
                                                					if(_t8 == 0x7fffffff) {
                                                						return 0x7fffffff;
                                                					}
                                                					_t10 = E0040136D(_t8);
                                                					if(_t10 != 0) {
                                                						_t11 = _t10 - 1;
                                                						_t16 = _t17;
                                                						_t17 = _t11;
                                                						_t12 = _t11 - _t16;
                                                					} else {
                                                						_t12 = _t10 + 1;
                                                						_t17 = _t17 + 1;
                                                					}
                                                					if(_a10 != 0) {
                                                						 *0x7a7a4c =  *0x7a7a4c + _t12;
                                                						SendMessageW(_a10, 0x402, MulDiv( *0x7a7a4c, 0x7530,  *0x7a7a34), 0); // executed
                                                					}
                                                				}
                                                				return 0;
                                                			}











                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
                                                • Instruction ID: 637f0bbede897030ab690e2e99e2181d797c58f7d0d2aab6e1f53bdf2be6ce4b
                                                • Opcode Fuzzy Hash: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
                                                • Instruction Fuzzy Hash: 9501F432624220ABE7195B389D05B2A3698E751314F10C13FF955F69F1EA78CC02DB4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                                                • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Window$EnableShow
                                                • String ID:
                                                • API String ID: 1136574915-0
                                                • Opcode ID: 393b5c21bb7cc3de8bedbfe4bad105ee39a9eabd1884b7fb5bcfa8057cf0f7ce
                                                • Instruction ID: 6c41119d880c6e907524726e204bf21ac727531236896e2a35a455d3971ed6d0
                                                • Opcode Fuzzy Hash: 393b5c21bb7cc3de8bedbfe4bad105ee39a9eabd1884b7fb5bcfa8057cf0f7ce
                                                • Instruction Fuzzy Hash: 62E01272908211CFE705EBA4EE495AE77B4EB40315710497FE501F11D1DBB94D00865D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004068E7(signed int _a4) {
                                                				struct HINSTANCE__* _t5;
                                                				signed int _t10;
                                                
                                                				_t10 = _a4 << 3;
                                                				_t8 =  *(_t10 + 0x40a3e0);
                                                				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                                                				if(_t5 != 0) {
                                                					L2:
                                                					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                                                				}
                                                				_t5 = E00406877(_t8); // executed
                                                				if(_t5 == 0) {
                                                					return 0;
                                                				}
                                                				goto L2;
                                                			}






                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406914
                                                  • Part of subcall function 00406877: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
                                                  • Part of subcall function 00406877: wsprintfW.USER32 ref: 004068C9
                                                  • Part of subcall function 00406877: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                • String ID:
                                                • API String ID: 2547128583-0
                                                • Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                • Instruction ID: 6423a29397ed7bff7b22ace80297d9bc35d616ea5f013efbaa2f78a15a639a79
                                                • Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                • Instruction Fuzzy Hash: CEE08673504210AAE21196716E44C7773A89F89740316443FF946F2080D738DC359AAD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E0040600A(WCHAR* _a4, long _a8, long _a12) {
                                                				signed int _t5;
                                                				void* _t6;
                                                
                                                				_t5 = GetFileAttributesW(_a4); // executed
                                                				asm("sbb ecx, ecx");
                                                				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                				return _t6;
                                                			}






                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Transferencia.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040385A,?), ref: 00406030
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                                                • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405FE5(WCHAR* _a4) {
                                                				signed char _t3;
                                                				signed char _t7;
                                                
                                                				_t3 = GetFileAttributesW(_a4); // executed
                                                				_t7 = _t3;
                                                				if(_t7 != 0xffffffff) {
                                                					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                                                				}
                                                				return _t7;
                                                			}






                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,?,00405BEA,?,?,00000000,00405DC0,?,?,?,?), ref: 00405FEA
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FFE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                • Instruction ID: e4d3e829c0d5e7da9196b8d45c2199d6a51b20c6ab53065100e3d1aec4738abc
                                                • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                • Instruction Fuzzy Hash: 4CD01272504130BFC2102728EF0C89BBF95EF64375B024B35FAA5A22F0CB304C638A98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405AC8(WCHAR* _a4) {
                                                				int _t2;
                                                
                                                				_t2 = CreateDirectoryW(_a4, 0); // executed
                                                				if(_t2 == 0) {
                                                					return GetLastError();
                                                				}
                                                				return 0;
                                                			}





                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405ACE
                                                • GetLastError.KERNEL32 ref: 00405ADC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryErrorLast
                                                • String ID:
                                                • API String ID: 1375471231-0
                                                • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                • Instruction ID: 96bb703f3db892353912e36940962cdd7e9d34b0f70b6f3c067145efd4a10b7e
                                                • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                • Instruction Fuzzy Hash: 95C04C30344601AEDA105B219E48B1B7AD4DB50741F26853D6146F41A0EA788455DD3D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 28%
                                                			E732A2B98(void* __ecx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				void* _t28;
                                                				void* _t29;
                                                				int _t33;
                                                				void* _t37;
                                                				void* _t40;
                                                				void* _t45;
                                                				void* _t49;
                                                				signed int _t56;
                                                				void* _t61;
                                                				void* _t70;
                                                				intOrPtr _t72;
                                                				signed int _t77;
                                                				intOrPtr _t79;
                                                				intOrPtr _t80;
                                                				void* _t81;
                                                				void* _t87;
                                                				void* _t88;
                                                				void* _t89;
                                                				void* _t90;
                                                				intOrPtr _t93;
                                                				intOrPtr _t94;
                                                
                                                				if( *0x732a5050 != 0 && E732A2ADB(_a4) == 0) {
                                                					 *0x732a5054 = _t93;
                                                					if( *0x732a504c != 0) {
                                                						_t93 =  *0x732a504c;
                                                					} else {
                                                						E732A30C0(E732A2AD5(), __ecx);
                                                						 *0x732a504c = _t93;
                                                					}
                                                				}
                                                				_t28 = E732A2B09(_a4);
                                                				_t94 = _t93 + 4;
                                                				if(_t28 <= 0) {
                                                					L9:
                                                					_t29 = E732A2AFD();
                                                					_t72 = _a4;
                                                					_t79 =  *0x732a5058;
                                                					 *((intOrPtr*)(_t29 + _t72)) = _t79;
                                                					 *0x732a5058 = _t72;
                                                					E732A2AF7();
                                                					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
                                                					 *0x732a5034 = _t33;
                                                					 *0x732a5038 = _t79;
                                                					if( *0x732a5050 != 0 && E732A2ADB( *0x732a5058) == 0) {
                                                						 *0x732a504c = _t94;
                                                						_t94 =  *0x732a5054;
                                                					}
                                                					_t80 =  *0x732a5058;
                                                					_a4 = _t80;
                                                					 *0x732a5058 =  *((intOrPtr*)(E732A2AFD() + _t80));
                                                					_t37 = E732A2AE9(_t80);
                                                					_pop(_t81);
                                                					if(_t37 != 0) {
                                                						_t40 = E732A2B09(_t81);
                                                						if(_t40 > 0) {
                                                							_push(_t40);
                                                							_push(E732A2B14() + _a4 + _v8);
                                                							_push(E732A2B1E());
                                                							if( *0x732a5050 <= 0 || E732A2ADB(_a4) != 0) {
                                                								_pop(_t88);
                                                								_pop(_t45);
                                                								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
                                                								if(__eflags == 0) {
                                                								}
                                                								asm("loop 0xfffffff5");
                                                							} else {
                                                								_pop(_t89);
                                                								_pop(_t49);
                                                								 *0x732a504c =  *0x732a504c +  *(_t89 + _t49) * 4;
                                                								asm("loop 0xffffffeb");
                                                							}
                                                						}
                                                					}
                                                					_t107 =  *0x732a5058;
                                                					if( *0x732a5058 == 0) {
                                                						 *0x732a504c = 0;
                                                					}
                                                					E732A2B42(_t107, _a4,  *0x732a5034,  *0x732a5038);
                                                					return _a4;
                                                				}
                                                				_push(E732A2B14() + _a4);
                                                				_t56 = E732A2B1A();
                                                				_v8 = _t56;
                                                				_t77 = _t28;
                                                				_push(_t68 + _t56 * _t77);
                                                				_t70 = E732A2B26();
                                                				_t87 = E732A2B22();
                                                				_t90 = E732A2B1E();
                                                				_t61 = _t77;
                                                				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
                                                					_push( *((intOrPtr*)(_t70 + _t61)));
                                                				}
                                                				_push( *((intOrPtr*)(_t87 + _t61)));
                                                				asm("loop 0xfffffff1");
                                                				goto L9;
                                                			}


























                                                APIs
                                                • ReadFile.KERNELBASE(00000000), ref: 732A2C57
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                • Associated: 00000000.00000002.756311352.00000000732A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756329828.00000000732A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756338430.00000000732A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_732a0000_Transferencia.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: c20f5053eb2bc463d40a08126a21abfcc9030f75c2cc04265b23dd5b9f9a9867
                                                • Instruction ID: 728647bf0c09a74b9912f5dcd9889500b1b8fbffccdebe6de0ee69a9c2250274
                                                • Opcode Fuzzy Hash: c20f5053eb2bc463d40a08126a21abfcc9030f75c2cc04265b23dd5b9f9a9867
                                                • Instruction Fuzzy Hash: DC418DB2504309EFEB11AF69D988B5A77B9EB48310F30C826EC49E6141D67994C4FB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004023B2(int __eax, WCHAR* __ebx) {
                                                				WCHAR* _t11;
                                                				WCHAR* _t13;
                                                				void* _t17;
                                                				int _t21;
                                                
                                                				_t11 = __ebx;
                                                				_t5 = __eax;
                                                				_t13 = 0;
                                                				if(__eax != __ebx) {
                                                					__eax = E00402DA6(__ebx);
                                                				}
                                                				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
                                                					_t13 = E00402DA6(0x11);
                                                				}
                                                				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
                                                					_t11 = E00402DA6(0x22);
                                                				}
                                                				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402DA6(0xffffffcd)); // executed
                                                				_t21 = _t5;
                                                				if(_t21 == 0) {
                                                					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                				}
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t17 - 4));
                                                				return 0;
                                                			}








                                                APIs
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringWrite
                                                • String ID:
                                                • API String ID: 390214022-0
                                                • Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
                                                • Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
                                                • Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
                                                • Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040608D(void* _a4, void* _a8, long _a12) {
                                                				int _t7;
                                                				long _t11;
                                                
                                                				_t11 = _a12;
                                                				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                				if(_t7 == 0 || _t11 != _a12) {
                                                					return 0;
                                                				} else {
                                                					return 1;
                                                				}
                                                			}






                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034BF,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                • Instruction ID: 9ce5220da9ed3c49ab8c05536da5923326b58a2142fda2ae973167115508ceb5
                                                • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                • Instruction Fuzzy Hash: 2DE08632140259ABCF119E518C00AEB376CFB05350F018472F911E2240D630E82187A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004060BC(void* _a4, void* _a8, long _a12) {
                                                				int _t7;
                                                				long _t11;
                                                
                                                				_t11 = _a12;
                                                				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                				if(_t7 == 0 || _t11 != _a12) {
                                                					return 0;
                                                				} else {
                                                					return 1;
                                                				}
                                                			}






                                                APIs
                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403475,00000000,00793700,000000FF,00793700,000000FF,000000FF,00000004,00000000), ref: 004060D0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                • Instruction ID: ff7f98053b8daf8dc00d9e724bd7773b369301681fd057c4f0a19a08aea0fefc
                                                • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                • Instruction Fuzzy Hash: AEE0EC3225426AABDF10AF659C00AEB7BACFB15360F018437FA56E3190D631E83197A4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                
                                                				 *0x732a5048 = _a4;
                                                				if(_a8 == 1) {
                                                					VirtualProtect(0x732a505c, 4, 0x40, 0x732a504c); // executed
                                                					 *0x732a505c = 0xc2;
                                                					 *0x732a504c = 0;
                                                					 *0x732a5054 = 0;
                                                					 *0x732a5068 = 0;
                                                					 *0x732a5058 = 0;
                                                					 *0x732a5050 = 0;
                                                					 *0x732a5060 = 0;
                                                					 *0x732a505e = 0;
                                                				}
                                                				return 1;
                                                			}




                                                APIs
                                                • VirtualProtect.KERNELBASE(732A505C,00000004,00000040,732A504C), ref: 732A2A9D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                • Associated: 00000000.00000002.756311352.00000000732A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756329828.00000000732A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756338430.00000000732A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_732a0000_Transferencia.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: f388b27ae6b77a6d037abefca9117611716b68adb514808f8b5aa1478913797a
                                                • Instruction ID: f7a2c913a0801d69f80a1fa79d884a2cf0adacc6f02f0b90e774a171a504f9c5
                                                • Opcode Fuzzy Hash: f388b27ae6b77a6d037abefca9117611716b68adb514808f8b5aa1478913797a
                                                • Instruction Fuzzy Hash: B4F07FF2544280EFC350EB2A844870B3BE0A70C308B35C56AA9DCD6642E3744084BB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00406387(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                				void* _t7;
                                                				long _t8;
                                                				void* _t9;
                                                
                                                				_t7 = E00406306(_a4,  &_a12);
                                                				if(_t7 != 0) {
                                                					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
                                                					return _t8;
                                                				}
                                                				_t9 = 6;
                                                				return _t9;
                                                			}







                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,00406415,007A0F28,00000000,?,?,Call,?), ref: 004063AB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                • Instruction ID: 951ca2c494bd41099ddae5d9c01dd02c2d656467939f39d3ba1b92e1fa2b8fa2
                                                • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                • Instruction Fuzzy Hash: 68D0123200020DBBDF115F919D11FAB371DAB08310F014426FE06E40A1D775D530AB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004015A3() {
                                                				int _t5;
                                                				void* _t11;
                                                				int _t14;
                                                
                                                				_t5 = SetFileAttributesW(E00402DA6(0xfffffff0),  *(_t11 - 0x2c)); // executed
                                                				_t14 = _t5;
                                                				if(_t14 == 0) {
                                                					 *((intOrPtr*)(_t11 - 4)) = 1;
                                                				}
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t11 - 4));
                                                				return 0;
                                                			}







                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004044C2(int _a4) {
                                                				struct HWND__* _t2;
                                                				long _t3;
                                                
                                                				_t2 =  *0x7a7a38;
                                                				if(_t2 != 0) {
                                                					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
                                                					return _t3;
                                                				}
                                                				return _t2;
                                                			}






                                                APIs
                                                • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004034C2(long _a4) {
                                                				long _t2;
                                                
                                                				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                				return _t2;
                                                			}





                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040385A,?), ref: 004034D0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004044AB(int _a4) {
                                                				long _t2;
                                                
                                                				_t2 = SendMessageW( *0x7a8a68, 0x28, _a4, 1); // executed
                                                				return _t2;
                                                			}





                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404498(int _a4) {
                                                				int _t2;
                                                
                                                				_t2 = EnableWindow( *0x7a1f44, _a4); // executed
                                                				return _t2;
                                                			}





                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,0040426F), ref: 004044A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004014D7(intOrPtr __edx) {
                                                				long _t3;
                                                				void* _t7;
                                                				intOrPtr _t10;
                                                				void* _t13;
                                                
                                                				_t10 = __edx;
                                                				_t3 = E00402D84(_t7);
                                                				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
                                                				if(_t3 <= 1) {
                                                					_t3 = 1;
                                                				}
                                                				Sleep(_t3); // executed
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t13 - 4));
                                                				return 0;
                                                			}








                                                APIs
                                                • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E732A12BB() {
                                                				void* _t3;
                                                
                                                				_t3 = GlobalAlloc(0x40,  *0x732a506c +  *0x732a506c); // executed
                                                				return _t3;
                                                			}





                                                APIs
                                                • GlobalAlloc.KERNELBASE(00000040,?,732A12DB,?,732A137F,00000019,732A11CA,-000000A0), ref: 732A12C5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                Similarity
                                                • API ID: AllocGlobal
                                                • String ID:
                                                • API String ID: 3761449716-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E00404967(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				long _v16;
                                                				long _v20;
                                                				long _v24;
                                                				char _v28;
                                                				intOrPtr _v32;
                                                				long _v36;
                                                				char _v40;
                                                				unsigned int _v44;
                                                				signed int _v48;
                                                				WCHAR* _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				intOrPtr _v68;
                                                				WCHAR* _v72;
                                                				void _v76;
                                                				struct HWND__* _v80;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t82;
                                                				long _t87;
                                                				short* _t89;
                                                				void* _t95;
                                                				signed int _t96;
                                                				int _t109;
                                                				signed short _t114;
                                                				signed int _t118;
                                                				struct HWND__** _t122;
                                                				intOrPtr* _t138;
                                                				WCHAR* _t146;
                                                				unsigned int _t150;
                                                				signed int _t152;
                                                				unsigned int _t156;
                                                				signed int _t158;
                                                				signed int* _t159;
                                                				signed int* _t160;
                                                				struct HWND__* _t166;
                                                				struct HWND__* _t167;
                                                				int _t169;
                                                				unsigned int _t197;
                                                
                                                				_t156 = __edx;
                                                				_t82 =  *0x7a0f20; // 0x9a9554
                                                				_v32 = _t82;
                                                				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
                                                				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                				if(_a8 == 0x40b) {
                                                					E00405B5E(0x3fb, _t146);
                                                					E004067A1(_t146);
                                                				}
                                                				_t167 = _a4;
                                                				if(_a8 != 0x110) {
                                                					L8:
                                                					if(_a8 != 0x111) {
                                                						L20:
                                                						if(_a8 == 0x40f) {
                                                							L22:
                                                							_v8 = _v8 & 0x00000000;
                                                							_v12 = _v12 & 0x00000000;
                                                							E00405B5E(0x3fb, _t146);
                                                							if(E00405EF1(_t186, _t146) == 0) {
                                                								_v8 = 1;
                                                							}
                                                							E0040651A(0x79ff18, _t146);
                                                							_t87 = E004068E7(1);
                                                							_v16 = _t87;
                                                							if(_t87 == 0) {
                                                								L30:
                                                								E0040651A(0x79ff18, _t146);
                                                								_t89 = E00405E94(0x79ff18);
                                                								_t158 = 0;
                                                								if(_t89 != 0) {
                                                									 *_t89 = 0;
                                                								}
                                                								if(GetDiskFreeSpaceW(0x79ff18,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                									goto L35;
                                                								} else {
                                                									_t169 = 0x400;
                                                									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                									asm("cdq");
                                                									_v48 = _t109;
                                                									_v44 = _t156;
                                                									_v12 = 1;
                                                									goto L36;
                                                								}
                                                							} else {
                                                								_t159 = 0;
                                                								if(0 == 0x79ff18) {
                                                									goto L30;
                                                								} else {
                                                									goto L26;
                                                								}
                                                								while(1) {
                                                									L26:
                                                									_t114 = _v16(0x79ff18,  &_v48,  &_v28,  &_v40);
                                                									if(_t114 != 0) {
                                                										break;
                                                									}
                                                									if(_t159 != 0) {
                                                										 *_t159 =  *_t159 & _t114;
                                                									}
                                                									_t160 = E00405E35(0x79ff18);
                                                									 *_t160 =  *_t160 & 0x00000000;
                                                									_t159 = _t160;
                                                									 *_t159 = 0x5c;
                                                									if(_t159 != 0x79ff18) {
                                                										continue;
                                                									} else {
                                                										goto L30;
                                                									}
                                                								}
                                                								_t150 = _v44;
                                                								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                								_v44 = _t150 >> 0xa;
                                                								_v12 = 1;
                                                								_t158 = 0;
                                                								__eflags = 0;
                                                								L35:
                                                								_t169 = 0x400;
                                                								L36:
                                                								_t95 = E00404E04(5);
                                                								if(_v12 != _t158) {
                                                									_t197 = _v44;
                                                									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                										_v8 = 2;
                                                									}
                                                								}
                                                								if( *((intOrPtr*)( *0x7a7a3c + 0x10)) != _t158) {
                                                									E00404DEC(0x3ff, 0xfffffffb, _t95);
                                                									if(_v12 == _t158) {
                                                										SetDlgItemTextW(_a4, _t169, 0x79ff08);
                                                									} else {
                                                										E00404D23(_t169, 0xfffffffc, _v48, _v44);
                                                									}
                                                								}
                                                								_t96 = _v8;
                                                								 *0x7a8b04 = _t96;
                                                								if(_t96 == _t158) {
                                                									_v8 = E0040140B(7);
                                                								}
                                                								if(( *(_v32 + 0x14) & _t169) != 0) {
                                                									_v8 = _t158;
                                                								}
                                                								E00404498(0 | _v8 == _t158);
                                                								if(_v8 == _t158 &&  *0x7a1f38 == _t158) {
                                                									E004048C0();
                                                								}
                                                								 *0x7a1f38 = _t158;
                                                								goto L53;
                                                							}
                                                						}
                                                						_t186 = _a8 - 0x405;
                                                						if(_a8 != 0x405) {
                                                							goto L53;
                                                						}
                                                						goto L22;
                                                					}
                                                					_t118 = _a12 & 0x0000ffff;
                                                					if(_t118 != 0x3fb) {
                                                						L12:
                                                						if(_t118 == 0x3e9) {
                                                							_t152 = 7;
                                                							memset( &_v76, 0, _t152 << 2);
                                                							_v80 = _t167;
                                                							_v72 = 0x7a1f48;
                                                							_v60 = E00404CBD;
                                                							_v56 = _t146;
                                                							_v68 = E00406557(_t146, 0x7a1f48, _t167, 0x7a0720, _v12);
                                                							_t122 =  &_v80;
                                                							_v64 = 0x41;
                                                							__imp__SHBrowseForFolderW(_t122);
                                                							if(_t122 == 0) {
                                                								_a8 = 0x40f;
                                                							} else {
                                                								__imp__CoTaskMemFree(_t122);
                                                								E00405DE9(_t146);
                                                								_t125 =  *((intOrPtr*)( *0x7a8a70 + 0x11c));
                                                								if( *((intOrPtr*)( *0x7a8a70 + 0x11c)) != 0 && _t146 == L"C:\\Users\\jones\\AppData\\Local\\Temp") {
                                                									E00406557(_t146, 0x7a1f48, _t167, 0, _t125);
                                                									if(lstrcmpiW(0x7a6a00, 0x7a1f48) != 0) {
                                                										lstrcatW(_t146, 0x7a6a00);
                                                									}
                                                								}
                                                								 *0x7a1f38 =  *0x7a1f38 + 1;
                                                								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                                							}
                                                						}
                                                						goto L20;
                                                					}
                                                					if(_a12 >> 0x10 != 0x300) {
                                                						goto L53;
                                                					}
                                                					_a8 = 0x40f;
                                                					goto L12;
                                                				} else {
                                                					_t166 = GetDlgItem(_t167, 0x3fb);
                                                					if(E00405E60(_t146) != 0 && E00405E94(_t146) == 0) {
                                                						E00405DE9(_t146);
                                                					}
                                                					 *0x7a7a38 = _t167;
                                                					SetWindowTextW(_t166, _t146);
                                                					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                					_push(1);
                                                					E00404476(_t167);
                                                					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                					_push(0x14);
                                                					E00404476(_t167);
                                                					E004044AB(_t166);
                                                					_t138 = E004068E7(8);
                                                					if(_t138 == 0) {
                                                						L53:
                                                						return E004044DD(_a8, _a12, _a16);
                                                					} else {
                                                						 *_t138(_t166, 1);
                                                						goto L8;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 004049B6
                                                • SetWindowTextW.USER32(00000000,?), ref: 004049E0
                                                • SHBrowseForFolderW.SHELL32(?), ref: 00404A91
                                                • CoTaskMemFree.OLE32(00000000), ref: 00404A9C
                                                • lstrcmpiW.KERNEL32(Call,007A1F48,00000000,?,?), ref: 00404ACE
                                                • lstrcatW.KERNEL32(?,Call), ref: 00404ADA
                                                • SetDlgItemTextW.USER32 ref: 00404AEC
                                                  • Part of subcall function 00405B5E: GetDlgItemTextW.USER32(?,?,00000400,00404B23), ref: 00405B71
                                                  • Part of subcall function 004067A1: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406804
                                                  • Part of subcall function 004067A1: CharNextW.USER32(?,?,?,00000000,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406813
                                                  • Part of subcall function 004067A1: CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406818
                                                  • Part of subcall function 004067A1: CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 0040682B
                                                • GetDiskFreeSpaceW.KERNEL32(0079FF18,?,?,0000040F,?,0079FF18,0079FF18,?,00000001,0079FF18,?,?,000003FB,?), ref: 00404BAF
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BCA
                                                  • Part of subcall function 00404D23: lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DC4
                                                  • Part of subcall function 00404D23: wsprintfW.USER32 ref: 00404DCD
                                                  • Part of subcall function 00404D23: SetDlgItemTextW.USER32 ref: 00404DE0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: A$C:\Users\user\AppData\Local\Temp$Call
                                                • API String ID: 2624150263-3265145871
                                                • Opcode ID: 18688f4ff942e0cd0688df8116ebccbb4873b9e7479cc5ca6d046e93a4f243ee
                                                • Instruction ID: 86dd0b9b094f85dab2cef093751cf510b28304c980c81074e8bd76ad65710a38
                                                • Opcode Fuzzy Hash: 18688f4ff942e0cd0688df8116ebccbb4873b9e7479cc5ca6d046e93a4f243ee
                                                • Instruction Fuzzy Hash: 4DA190B1901208ABDB11EFA5CD45AEF77B8EF84314F11803BF601B62D1DB7C9A418B69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 67%
                                                			E004021AA(void* __eflags) {
                                                				signed int _t52;
                                                				void* _t56;
                                                				intOrPtr* _t60;
                                                				intOrPtr _t61;
                                                				intOrPtr* _t62;
                                                				intOrPtr* _t64;
                                                				intOrPtr* _t66;
                                                				intOrPtr* _t68;
                                                				intOrPtr* _t70;
                                                				intOrPtr* _t72;
                                                				intOrPtr* _t74;
                                                				intOrPtr* _t76;
                                                				intOrPtr* _t78;
                                                				intOrPtr* _t80;
                                                				void* _t83;
                                                				intOrPtr* _t91;
                                                				signed int _t101;
                                                				signed int _t105;
                                                				void* _t107;
                                                
                                                				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                                                				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                                                				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                                                				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                                                				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                                                				_t52 =  *(_t107 - 0x20);
                                                				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                                                				_t101 = _t52 & 0x00008000;
                                                				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                                				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                                                				if(E00405E60( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                                                					E00402DA6(0x21);
                                                				}
                                                				_t56 = _t107 + 8;
                                                				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                                                				if(_t56 < _t83) {
                                                					L14:
                                                					 *((intOrPtr*)(_t107 - 4)) = 1;
                                                					_push(0xfffffff0);
                                                				} else {
                                                					_t60 =  *((intOrPtr*)(_t107 + 8));
                                                					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                                                					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                                                					if(_t61 >= _t83) {
                                                						_t64 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                                                						if(_t101 == _t83) {
                                                							_t80 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x7b4000);
                                                						}
                                                						if(_t105 != _t83) {
                                                							_t78 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                                						}
                                                						_t66 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                                                						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                                                						if( *_t91 != _t83) {
                                                							_t76 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                                                						}
                                                						_t68 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                                                						_t70 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                                                						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                                                							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                                                						}
                                                						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                                                						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                					}
                                                					_t62 =  *((intOrPtr*)(_t107 + 8));
                                                					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                						_push(0xfffffff4);
                                                					} else {
                                                						goto L14;
                                                					}
                                                				}
                                                				E00401423();
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t107 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID:
                                                • API String ID: 542301482-0
                                                • Opcode ID: 170ec6e86a9220940142559721d639d0d56cd3ceb1b5832377203a0a19f0ade3
                                                • Instruction ID: 703d758d197f09623ff28e3c758b152e072eb06d6e5445e6f92684eec68365f7
                                                • Opcode Fuzzy Hash: 170ec6e86a9220940142559721d639d0d56cd3ceb1b5832377203a0a19f0ade3
                                                • Instruction Fuzzy Hash: 47412571A00209EFCF40DFE4C989E9D7BB5BF49344B2045AAF505EB2D1DB799981CB84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 39%
                                                			E0040290B(short __ebx, short* __edi) {
                                                				void* _t21;
                                                
                                                				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                                                					E00406461( *((intOrPtr*)(_t21 - 0xc)), _t8);
                                                					_push(_t21 - 0x2b0);
                                                					_push(__edi);
                                                					E0040651A();
                                                				} else {
                                                					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                                                					 *__edi = __ebx;
                                                					 *((intOrPtr*)(_t21 - 4)) = 1;
                                                				}
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t21 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: 916bc7ecc775c30468185263b2e38d8e788801032425324021ee9d0e1a06674e
                                                • Instruction ID: 12288428410ef0014967daf25a5ca188ca533e908051b72e28feae2455f0dfde
                                                • Opcode Fuzzy Hash: 916bc7ecc775c30468185263b2e38d8e788801032425324021ee9d0e1a06674e
                                                • Instruction Fuzzy Hash: A6F05E71904114EED701DBA4D949AAEB378EF55318F20857BE101F21D0EBB88E119B2A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E00404EE3(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                				struct HWND__* _v8;
                                                				struct HWND__* _v12;
                                                				long _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				intOrPtr _v28;
                                                				signed char* _v32;
                                                				int _v36;
                                                				signed int _v44;
                                                				int _v48;
                                                				signed int* _v60;
                                                				signed char* _v64;
                                                				signed int _v68;
                                                				long _v72;
                                                				void* _v76;
                                                				intOrPtr _v80;
                                                				intOrPtr _v84;
                                                				void* _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t198;
                                                				intOrPtr _t201;
                                                				long _t207;
                                                				signed int _t211;
                                                				signed int _t222;
                                                				void* _t225;
                                                				void* _t226;
                                                				int _t232;
                                                				long _t237;
                                                				long _t238;
                                                				signed int _t239;
                                                				signed int _t245;
                                                				signed int _t247;
                                                				signed char _t248;
                                                				signed char _t254;
                                                				void* _t258;
                                                				void* _t260;
                                                				signed char* _t278;
                                                				signed char _t279;
                                                				long _t284;
                                                				struct HWND__* _t291;
                                                				signed int* _t292;
                                                				int _t293;
                                                				long _t294;
                                                				signed int _t295;
                                                				void* _t297;
                                                				long _t298;
                                                				int _t299;
                                                				signed int _t300;
                                                				signed int _t303;
                                                				signed int _t311;
                                                				signed char* _t319;
                                                				int _t324;
                                                				void* _t326;
                                                
                                                				_t291 = _a4;
                                                				_v12 = GetDlgItem(_t291, 0x3f9);
                                                				_v8 = GetDlgItem(_t291, 0x408);
                                                				_t326 = SendMessageW;
                                                				_v24 =  *0x7a8a88;
                                                				_v28 =  *0x7a8a70 + 0x94;
                                                				if(_a8 != 0x110) {
                                                					L23:
                                                					if(_a8 != 0x405) {
                                                						_t301 = _a16;
                                                					} else {
                                                						_a12 = 0;
                                                						_t301 = 1;
                                                						_a8 = 0x40f;
                                                						_a16 = 1;
                                                					}
                                                					if(_a8 == 0x4e || _a8 == 0x413) {
                                                						_v16 = _t301;
                                                						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                                                							if(( *0x7a8a79 & 0x00000002) != 0) {
                                                								L41:
                                                								if(_v16 != 0) {
                                                									_t237 = _v16;
                                                									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                                                										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                                                									}
                                                									_t238 = _v16;
                                                									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                                                										_t301 = _v24;
                                                										_t239 =  *(_t238 + 0x5c);
                                                										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                                                											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                                                										} else {
                                                											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                                                										}
                                                									}
                                                								}
                                                								goto L48;
                                                							}
                                                							if(_a8 == 0x413) {
                                                								L33:
                                                								_t301 = 0 | _a8 != 0x00000413;
                                                								_t245 = E00404E31(_v8, _a8 != 0x413);
                                                								_t295 = _t245;
                                                								if(_t295 >= 0) {
                                                									_t94 = _v24 + 8; // 0x8
                                                									_t301 = _t245 * 0x818 + _t94;
                                                									_t247 =  *_t301;
                                                									if((_t247 & 0x00000010) == 0) {
                                                										if((_t247 & 0x00000040) == 0) {
                                                											_t248 = _t247 ^ 0x00000001;
                                                										} else {
                                                											_t254 = _t247 ^ 0x00000080;
                                                											if(_t254 >= 0) {
                                                												_t248 = _t254 & 0x000000fe;
                                                											} else {
                                                												_t248 = _t254 | 0x00000001;
                                                											}
                                                										}
                                                										 *_t301 = _t248;
                                                										E0040117D(_t295);
                                                										_a12 = _t295 + 1;
                                                										_a16 =  !( *0x7a8a78) >> 0x00000008 & 0x00000001;
                                                										_a8 = 0x40f;
                                                									}
                                                								}
                                                								goto L41;
                                                							}
                                                							_t301 = _a16;
                                                							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                								goto L41;
                                                							}
                                                							goto L33;
                                                						} else {
                                                							goto L48;
                                                						}
                                                					} else {
                                                						L48:
                                                						if(_a8 != 0x111) {
                                                							L56:
                                                							if(_a8 == 0x200) {
                                                								SendMessageW(_v8, 0x200, 0, 0);
                                                							}
                                                							if(_a8 == 0x40b) {
                                                								_t225 =  *0x7a1f2c;
                                                								if(_t225 != 0) {
                                                									ImageList_Destroy(_t225);
                                                								}
                                                								_t226 =  *0x7a1f40;
                                                								if(_t226 != 0) {
                                                									GlobalFree(_t226);
                                                								}
                                                								 *0x7a1f2c = 0;
                                                								 *0x7a1f40 = 0;
                                                								 *0x7a8ac0 = 0;
                                                							}
                                                							if(_a8 != 0x40f) {
                                                								L90:
                                                								if(_a8 == 0x420 && ( *0x7a8a79 & 0x00000001) != 0) {
                                                									_t324 = (0 | _a16 == 0x00000020) << 3;
                                                									ShowWindow(_v8, _t324);
                                                									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                                                								}
                                                								goto L93;
                                                							} else {
                                                								E004011EF(_t301, 0, 0);
                                                								_t198 = _a12;
                                                								if(_t198 != 0) {
                                                									if(_t198 != 0xffffffff) {
                                                										_t198 = _t198 - 1;
                                                									}
                                                									_push(_t198);
                                                									_push(8);
                                                									E00404EB1();
                                                								}
                                                								if(_a16 == 0) {
                                                									L75:
                                                									E004011EF(_t301, 0, 0);
                                                									_v36 =  *0x7a1f40;
                                                									_t201 =  *0x7a8a88;
                                                									_v64 = 0xf030;
                                                									_v24 = 0;
                                                									if( *0x7a8a8c <= 0) {
                                                										L86:
                                                										if( *0x7a8b1e == 0x400) {
                                                											InvalidateRect(_v8, 0, 1);
                                                										}
                                                										if( *((intOrPtr*)( *0x7a7a3c + 0x10)) != 0) {
                                                											E00404DEC(0x3ff, 0xfffffffb, E00404E04(5));
                                                										}
                                                										goto L90;
                                                									}
                                                									_t292 = _t201 + 8;
                                                									do {
                                                										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                										if(_t207 != 0) {
                                                											_t303 =  *_t292;
                                                											_v72 = _t207;
                                                											_v76 = 8;
                                                											if((_t303 & 0x00000001) != 0) {
                                                												_v76 = 9;
                                                												_v60 =  &(_t292[4]);
                                                												_t292[0] = _t292[0] & 0x000000fe;
                                                											}
                                                											if((_t303 & 0x00000040) == 0) {
                                                												_t211 = (_t303 & 0x00000001) + 1;
                                                												if((_t303 & 0x00000010) != 0) {
                                                													_t211 = _t211 + 3;
                                                												}
                                                											} else {
                                                												_t211 = 3;
                                                											}
                                                											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                                                											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                											SendMessageW(_v8, 0x113f, 0,  &_v76);
                                                										}
                                                										_v24 = _v24 + 1;
                                                										_t292 =  &(_t292[0x206]);
                                                									} while (_v24 <  *0x7a8a8c);
                                                									goto L86;
                                                								} else {
                                                									_t293 = E004012E2( *0x7a1f40);
                                                									E00401299(_t293);
                                                									_t222 = 0;
                                                									_t301 = 0;
                                                									if(_t293 <= 0) {
                                                										L74:
                                                										SendMessageW(_v12, 0x14e, _t301, 0);
                                                										_a16 = _t293;
                                                										_a8 = 0x420;
                                                										goto L75;
                                                									} else {
                                                										goto L71;
                                                									}
                                                									do {
                                                										L71:
                                                										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                                                											_t301 = _t301 + 1;
                                                										}
                                                										_t222 = _t222 + 1;
                                                									} while (_t222 < _t293);
                                                									goto L74;
                                                								}
                                                							}
                                                						}
                                                						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                							goto L93;
                                                						} else {
                                                							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                                                							if(_t232 == 0xffffffff) {
                                                								goto L93;
                                                							}
                                                							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                                                							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                                                								_t294 = 0x20;
                                                							}
                                                							E00401299(_t294);
                                                							SendMessageW(_a4, 0x420, 0, _t294);
                                                							_a12 = _a12 | 0xffffffff;
                                                							_a16 = 0;
                                                							_a8 = 0x40f;
                                                							goto L56;
                                                						}
                                                					}
                                                				} else {
                                                					_v36 = 0;
                                                					_v20 = 2;
                                                					 *0x7a8ac0 = _t291;
                                                					 *0x7a1f40 = GlobalAlloc(0x40,  *0x7a8a8c << 2);
                                                					_t258 = LoadImageW( *0x7a8a60, 0x6e, 0, 0, 0, 0);
                                                					 *0x7a1f34 =  *0x7a1f34 | 0xffffffff;
                                                					_t297 = _t258;
                                                					 *0x7a1f3c = SetWindowLongW(_v8, 0xfffffffc, E004054F0);
                                                					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                					 *0x7a1f2c = _t260;
                                                					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                                                					SendMessageW(_v8, 0x1109, 2,  *0x7a1f2c);
                                                					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                                						SendMessageW(_v8, 0x111b, 0x10, 0);
                                                					}
                                                					DeleteObject(_t297);
                                                					_t298 = 0;
                                                					do {
                                                						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                                                						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                                                							if(_t298 != 0x20) {
                                                								_v20 = 0;
                                                							}
                                                							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E00406557(_t298, 0, _t326, 0, _t266)), _t298);
                                                						}
                                                						_t298 = _t298 + 1;
                                                					} while (_t298 < 0x21);
                                                					_t299 = _a16;
                                                					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                                                					_push(0x15);
                                                					E00404476(_a4);
                                                					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                                                					_push(0x16);
                                                					E00404476(_a4);
                                                					_t300 = 0;
                                                					_v16 = 0;
                                                					if( *0x7a8a8c <= 0) {
                                                						L19:
                                                						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                                						goto L20;
                                                					} else {
                                                						_t319 = _v24 + 8;
                                                						_v32 = _t319;
                                                						do {
                                                							_t278 =  &(_t319[0x10]);
                                                							if( *_t278 != 0) {
                                                								_v64 = _t278;
                                                								_t279 =  *_t319;
                                                								_v88 = _v16;
                                                								_t311 = 0x20;
                                                								_v84 = 0xffff0002;
                                                								_v80 = 0xd;
                                                								_v68 = _t311;
                                                								_v44 = _t300;
                                                								_v72 = _t279 & _t311;
                                                								if((_t279 & 0x00000002) == 0) {
                                                									if((_t279 & 0x00000004) == 0) {
                                                										 *( *0x7a1f40 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                                									} else {
                                                										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                                                									}
                                                								} else {
                                                									_v80 = 0x4d;
                                                									_v48 = 1;
                                                									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                                									_v36 = 1;
                                                									 *( *0x7a1f40 + _t300 * 4) = _t284;
                                                									_v16 =  *( *0x7a1f40 + _t300 * 4);
                                                								}
                                                							}
                                                							_t300 = _t300 + 1;
                                                							_t319 =  &(_v32[0x818]);
                                                							_v32 = _t319;
                                                						} while (_t300 <  *0x7a8a8c);
                                                						if(_v36 != 0) {
                                                							L20:
                                                							if(_v20 != 0) {
                                                								E004044AB(_v8);
                                                								goto L23;
                                                							} else {
                                                								ShowWindow(_v12, 5);
                                                								E004044AB(_v12);
                                                								L93:
                                                								return E004044DD(_a8, _a12, _a16);
                                                							}
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 00404EFB
                                                • GetDlgItem.USER32 ref: 00404F06
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F50
                                                • LoadImageW.USER32 ref: 00404F67
                                                • SetWindowLongW.USER32(?,000000FC,004054F0), ref: 00404F80
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F94
                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FA6
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404FBC
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FC8
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FDA
                                                • DeleteObject.GDI32(00000000), ref: 00404FDD
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405008
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405014
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050AF
                                                • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050DF
                                                  • Part of subcall function 004044AB: SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F3
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00405121
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040512F
                                                • ShowWindow.USER32(?,00000005), ref: 0040513F
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040523A
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040529F
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052B4
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052D8
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052F8
                                                • ImageList_Destroy.COMCTL32(?), ref: 0040530D
                                                • GlobalFree.KERNEL32 ref: 0040531D
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405396
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 0040543F
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040544E
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00405479
                                                • ShowWindow.USER32(?,00000000), ref: 004054C7
                                                • GetDlgItem.USER32 ref: 004054D2
                                                • ShowWindow.USER32(00000000), ref: 004054D9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 2564846305-813528018
                                                • Opcode ID: 175cf0479e418895b067fb807809c06ca34509b835de2015ac728b6654376382
                                                • Instruction ID: cd3a3d13ac431be8b4ce3887d4b4ed089ddf64e85d32bcda767c16d05f8e906a
                                                • Opcode Fuzzy Hash: 175cf0479e418895b067fb807809c06ca34509b835de2015ac728b6654376382
                                                • Instruction Fuzzy Hash: 8D028B70900609AFDB20DFA5CC45EAF7BB5FB85314F10817AE610BA2E1DB798941DF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E00404635(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                                				intOrPtr _v8;
                                                				int _v12;
                                                				void* _v16;
                                                				struct HWND__* _t56;
                                                				intOrPtr _t69;
                                                				signed int _t75;
                                                				signed short* _t76;
                                                				signed short* _t78;
                                                				long _t92;
                                                				int _t103;
                                                				signed int _t108;
                                                				signed int _t110;
                                                				intOrPtr _t113;
                                                				WCHAR* _t114;
                                                				signed int* _t116;
                                                				WCHAR* _t117;
                                                				struct HWND__* _t118;
                                                
                                                				if(_a8 != 0x110) {
                                                					__eflags = _a8 - 0x111;
                                                					if(_a8 != 0x111) {
                                                						L13:
                                                						__eflags = _a8 - 0x4e;
                                                						if(_a8 != 0x4e) {
                                                							__eflags = _a8 - 0x40b;
                                                							if(_a8 == 0x40b) {
                                                								 *0x79ff14 =  *0x79ff14 + 1;
                                                								__eflags =  *0x79ff14;
                                                							}
                                                							L27:
                                                							_t114 = _a16;
                                                							L28:
                                                							return E004044DD(_a8, _a12, _t114);
                                                						}
                                                						_t56 = GetDlgItem(_a4, 0x3e8);
                                                						_t114 = _a16;
                                                						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x70b;
                                                						if( *((intOrPtr*)(_t114 + 8)) == 0x70b) {
                                                							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x201;
                                                							if( *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                                								_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                                								_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                                								_v12 = _t103;
                                                								__eflags = _t103 - _t113 - 0x800;
                                                								_v16 = _t113;
                                                								_v8 = 0x7a6a00;
                                                								if(_t103 - _t113 < 0x800) {
                                                									SendMessageW(_t56, 0x44b, 0,  &_v16);
                                                									SetCursor(LoadCursorW(0, 0x7f02));
                                                									_push(1);
                                                									E004048E4(_a4, _v8);
                                                									SetCursor(LoadCursorW(0, 0x7f00));
                                                									_t114 = _a16;
                                                								}
                                                							}
                                                						}
                                                						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x700;
                                                						if( *((intOrPtr*)(_t114 + 8)) != 0x700) {
                                                							goto L28;
                                                						} else {
                                                							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x100;
                                                							if( *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                                								goto L28;
                                                							}
                                                							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0xd;
                                                							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                                								SendMessageW( *0x7a8a68, 0x111, 1, 0);
                                                							}
                                                							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0x1b;
                                                							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                                								SendMessageW( *0x7a8a68, 0x10, 0, 0);
                                                							}
                                                							return 1;
                                                						}
                                                					}
                                                					__eflags = _a12 >> 0x10;
                                                					if(_a12 >> 0x10 != 0) {
                                                						goto L27;
                                                					}
                                                					__eflags =  *0x79ff14; // 0x0
                                                					if(__eflags != 0) {
                                                						goto L27;
                                                					}
                                                					_t69 =  *0x7a0f20; // 0x9a9554
                                                					_t29 = _t69 + 0x14; // 0x9a9568
                                                					_t116 = _t29;
                                                					__eflags =  *_t116 & 0x00000020;
                                                					if(( *_t116 & 0x00000020) == 0) {
                                                						goto L27;
                                                					}
                                                					_t108 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                					__eflags = _t108;
                                                					 *_t116 = _t108;
                                                					E00404498(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                					E004048C0();
                                                					goto L13;
                                                				} else {
                                                					_t117 = _a16;
                                                					_t75 =  *(_t117 + 0x30);
                                                					if(_t75 < 0) {
                                                						_t75 =  *( *0x7a7a3c - 4 + _t75 * 4);
                                                					}
                                                					_t76 =  *0x7a8a98 + _t75 * 2;
                                                					_t110 =  *_t76 & 0x0000ffff;
                                                					_a8 = _t110;
                                                					_t78 =  &(_t76[1]);
                                                					_a16 = _t78;
                                                					_v16 = _t78;
                                                					_v12 = 0;
                                                					_v8 = E004045E6;
                                                					if(_t110 != 2) {
                                                						_v8 = E004045AC;
                                                					}
                                                					_push( *((intOrPtr*)(_t117 + 0x34)));
                                                					_push(0x22);
                                                					E00404476(_a4);
                                                					_push( *((intOrPtr*)(_t117 + 0x38)));
                                                					_push(0x23);
                                                					E00404476(_a4);
                                                					CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                					E00404498( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                                					_t118 = GetDlgItem(_a4, 0x3e8);
                                                					E004044AB(_t118);
                                                					SendMessageW(_t118, 0x45b, 1, 0);
                                                					_t92 =  *( *0x7a8a70 + 0x68);
                                                					if(_t92 < 0) {
                                                						_t92 = GetSysColor( ~_t92);
                                                					}
                                                					SendMessageW(_t118, 0x443, 0, _t92);
                                                					SendMessageW(_t118, 0x445, 0, 0x4010000);
                                                					SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                                					 *0x79ff14 = 0;
                                                					SendMessageW(_t118, 0x449, _a8,  &_v16);
                                                					 *0x79ff14 = 0;
                                                					return 0;
                                                				}
                                                			}





















                                                APIs
                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046D3
                                                • GetDlgItem.USER32 ref: 004046E7
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404704
                                                • GetSysColor.USER32(?), ref: 00404715
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404723
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404731
                                                • lstrlenW.KERNEL32(?), ref: 00404736
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404743
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404758
                                                • GetDlgItem.USER32 ref: 004047B1
                                                • SendMessageW.USER32(00000000), ref: 004047B8
                                                • GetDlgItem.USER32 ref: 004047E3
                                                • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404826
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00404834
                                                • SetCursor.USER32(00000000), ref: 00404837
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00404850
                                                • SetCursor.USER32(00000000), ref: 00404853
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404882
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404894
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                • String ID: Call$N
                                                • API String ID: 3103080414-3438112850
                                                • Opcode ID: 733b5ee76d40f44ee13d94ce5730b27edf6232bbb6d7c3eda73f746bb046eca6
                                                • Instruction ID: dae4caa8b62e847b2ebc6bc8f7d7cc953444b28573a7dbce8249495b0b2e45c9
                                                • Opcode Fuzzy Hash: 733b5ee76d40f44ee13d94ce5730b27edf6232bbb6d7c3eda73f746bb046eca6
                                                • Instruction Fuzzy Hash: 5361A0B6900609BFDB10AF60DD85E6A7B69FB85314F00C43AF605B62D0C77CA961CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00406160(void* __ecx) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				long _t12;
                                                				long _t24;
                                                				char* _t31;
                                                				int _t37;
                                                				void* _t38;
                                                				intOrPtr* _t39;
                                                				long _t42;
                                                				WCHAR* _t44;
                                                				void* _t46;
                                                				void* _t48;
                                                				void* _t49;
                                                				void* _t52;
                                                				void* _t53;
                                                
                                                				_t38 = __ecx;
                                                				_t44 =  *(_t52 + 0x14);
                                                				 *0x7a55e8 = 0x55004e;
                                                				 *0x7a55ec = 0x4c;
                                                				if(_t44 == 0) {
                                                					L3:
                                                					_t2 = _t52 + 0x1c; // 0x7a5de8
                                                					_t12 = GetShortPathNameW( *_t2, 0x7a5de8, 0x400);
                                                					if(_t12 != 0 && _t12 <= 0x400) {
                                                						_t37 = wsprintfA(0x7a51e8, "%ls=%ls\r\n", 0x7a55e8, 0x7a5de8);
                                                						_t53 = _t52 + 0x10;
                                                						E00406557(_t37, 0x400, 0x7a5de8, 0x7a5de8,  *((intOrPtr*)( *0x7a8a70 + 0x128)));
                                                						_t12 = E0040600A(0x7a5de8, 0xc0000000, 4);
                                                						_t48 = _t12;
                                                						 *(_t53 + 0x18) = _t48;
                                                						if(_t48 != 0xffffffff) {
                                                							_t42 = GetFileSize(_t48, 0);
                                                							_t6 = _t37 + 0xa; // 0xa
                                                							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                							if(_t46 == 0 || E0040608D(_t48, _t46, _t42) == 0) {
                                                								L18:
                                                								return CloseHandle(_t48);
                                                							} else {
                                                								if(E00405F6F(_t38, _t46, "[Rename]\r\n") != 0) {
                                                									_t49 = E00405F6F(_t38, _t21 + 0xa, "\n[");
                                                									if(_t49 == 0) {
                                                										_t48 =  *(_t53 + 0x18);
                                                										L16:
                                                										_t24 = _t42;
                                                										L17:
                                                										E00405FC5(_t24 + _t46, 0x7a51e8, _t37);
                                                										SetFilePointer(_t48, 0, 0, 0);
                                                										E004060BC(_t48, _t46, _t42 + _t37);
                                                										GlobalFree(_t46);
                                                										goto L18;
                                                									}
                                                									_t39 = _t46 + _t42;
                                                									_t31 = _t39 + _t37;
                                                									while(_t39 > _t49) {
                                                										 *_t31 =  *_t39;
                                                										_t31 = _t31 - 1;
                                                										_t39 = _t39 - 1;
                                                									}
                                                									_t24 = _t49 - _t46 + 1;
                                                									_t48 =  *(_t53 + 0x18);
                                                									goto L17;
                                                								}
                                                								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                								_t42 = _t42 + 0xa;
                                                								goto L16;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					CloseHandle(E0040600A(_t44, 0, 1));
                                                					_t12 = GetShortPathNameW(_t44, 0x7a55e8, 0x400);
                                                					if(_t12 != 0 && _t12 <= 0x400) {
                                                						goto L3;
                                                					}
                                                				}
                                                				return _t12;
                                                			}




















                                                APIs
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062FB,?,?), ref: 0040619B
                                                • GetShortPathNameW.KERNEL32 ref: 004061A4
                                                  • Part of subcall function 00405F6F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F7F
                                                  • Part of subcall function 00405F6F: lstrlenA.KERNEL32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB1
                                                • GetShortPathNameW.KERNEL32 ref: 004061C1
                                                • wsprintfA.USER32 ref: 004061DF
                                                • GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?,?,?,?,?), ref: 0040621A
                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406229
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406261
                                                • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062B7
                                                • GlobalFree.KERNEL32 ref: 004062C8
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062CF
                                                  • Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Transferencia.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
                                                  • Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040385A,?), ref: 00406030
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                • String ID: %ls=%ls$[Rename]$Uz$]z$]z
                                                • API String ID: 2171350718-2304911260
                                                • Opcode ID: 0fc318522e14f799396e5140a163aeba190b6da409f6537590e24aabf338351a
                                                • Instruction ID: 21e35848ad9e0a4f6d0f4344ae9360a4b2933efdadd7627ed2dc2072c6695f7b
                                                • Opcode Fuzzy Hash: 0fc318522e14f799396e5140a163aeba190b6da409f6537590e24aabf338351a
                                                • Instruction Fuzzy Hash: 2D313771600715BBD220BB659D48F2B3A5CDF86764F16003EFD42F62C2EA7C9821867D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                				struct tagLOGBRUSH _v16;
                                                				struct tagRECT _v32;
                                                				struct tagPAINTSTRUCT _v96;
                                                				struct HDC__* _t70;
                                                				struct HBRUSH__* _t87;
                                                				struct HFONT__* _t94;
                                                				long _t102;
                                                				signed int _t126;
                                                				struct HDC__* _t128;
                                                				intOrPtr _t130;
                                                
                                                				if(_a8 == 0xf) {
                                                					_t130 =  *0x7a8a70;
                                                					_t70 = BeginPaint(_a4,  &_v96);
                                                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                					_a8 = _t70;
                                                					GetClientRect(_a4,  &_v32);
                                                					_t126 = _v32.bottom;
                                                					_v32.bottom = _v32.bottom & 0x00000000;
                                                					while(_v32.top < _t126) {
                                                						_a12 = _t126 - _v32.top;
                                                						asm("cdq");
                                                						asm("cdq");
                                                						asm("cdq");
                                                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                						_t87 = CreateBrushIndirect( &_v16);
                                                						_v32.bottom = _v32.bottom + 4;
                                                						_a16 = _t87;
                                                						FillRect(_a8,  &_v32, _t87);
                                                						DeleteObject(_a16);
                                                						_v32.top = _v32.top + 4;
                                                					}
                                                					if( *(_t130 + 0x58) != 0xffffffff) {
                                                						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                                						_a16 = _t94;
                                                						if(_t94 != 0) {
                                                							_t128 = _a8;
                                                							_v32.left = 0x10;
                                                							_v32.top = 8;
                                                							SetBkMode(_t128, 1);
                                                							SetTextColor(_t128,  *(_t130 + 0x58));
                                                							_a8 = SelectObject(_t128, _a16);
                                                							DrawTextW(_t128, 0x7a7a60, 0xffffffff,  &_v32, 0x820);
                                                							SelectObject(_t128, _a8);
                                                							DeleteObject(_a16);
                                                						}
                                                					}
                                                					EndPaint(_a4,  &_v96);
                                                					return 0;
                                                				}
                                                				_t102 = _a16;
                                                				if(_a8 == 0x46) {
                                                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8a68;
                                                				}
                                                				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                                			}














                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32 ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32 ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextW.USER32(00000000,007A7A60,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                • API String ID: 941294808-1304234792
                                                • Opcode ID: 8a25a35e32ca6dce8bd23cc7af0fa44a7ac16e68086679f93291a7c2c2804fa7
                                                • Instruction ID: 94ee33a561faf14046f005448635b33146be7beb2ca28ebab25df4912e6f605d
                                                • Opcode Fuzzy Hash: 8a25a35e32ca6dce8bd23cc7af0fa44a7ac16e68086679f93291a7c2c2804fa7
                                                • Instruction Fuzzy Hash: 9E417C71800209AFCF058FA5DE459AF7BB9FF45315F00802AF991AA1A0CB789A55DFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E00406557(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                                                				struct _ITEMIDLIST* _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _t44;
                                                				WCHAR* _t45;
                                                				signed char _t47;
                                                				signed int _t48;
                                                				short _t59;
                                                				short _t61;
                                                				short _t63;
                                                				void* _t71;
                                                				signed int _t77;
                                                				signed int _t78;
                                                				short _t81;
                                                				short _t82;
                                                				signed char _t84;
                                                				signed int _t85;
                                                				void* _t98;
                                                				void* _t104;
                                                				intOrPtr* _t105;
                                                				void* _t107;
                                                				WCHAR* _t108;
                                                				void* _t110;
                                                
                                                				_t107 = __esi;
                                                				_t104 = __edi;
                                                				_t71 = __ebx;
                                                				_t44 = _a8;
                                                				if(_t44 < 0) {
                                                					_t44 =  *( *0x7a7a3c - 4 + _t44 * 4);
                                                				}
                                                				_push(_t71);
                                                				_push(_t107);
                                                				_push(_t104);
                                                				_t105 =  *0x7a8a98 + _t44 * 2;
                                                				_t45 = 0x7a6a00;
                                                				_t108 = 0x7a6a00;
                                                				if(_a4 >= 0x7a6a00 && _a4 - 0x7a6a00 >> 1 < 0x800) {
                                                					_t108 = _a4;
                                                					_a4 = _a4 & 0x00000000;
                                                				}
                                                				_t81 =  *_t105;
                                                				_a8 = _t81;
                                                				if(_t81 == 0) {
                                                					L43:
                                                					 *_t108 =  *_t108 & 0x00000000;
                                                					if(_a4 == 0) {
                                                						return _t45;
                                                					}
                                                					return E0040651A(_a4, _t45);
                                                				} else {
                                                					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                                                						_t98 = 2;
                                                						_t105 = _t105 + _t98;
                                                						if(_t81 >= 4) {
                                                							if(__eflags != 0) {
                                                								 *_t108 = _t81;
                                                								_t108 = _t108 + _t98;
                                                								__eflags = _t108;
                                                							} else {
                                                								 *_t108 =  *_t105;
                                                								_t108 = _t108 + _t98;
                                                								_t105 = _t105 + _t98;
                                                							}
                                                							L42:
                                                							_t82 =  *_t105;
                                                							_a8 = _t82;
                                                							if(_t82 != 0) {
                                                								_t81 = _a8;
                                                								continue;
                                                							}
                                                							goto L43;
                                                						}
                                                						_t84 =  *((intOrPtr*)(_t105 + 1));
                                                						_t47 =  *_t105;
                                                						_t48 = _t47 & 0x000000ff;
                                                						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                                                						_t85 = _t84 & 0x000000ff;
                                                						_v28 = _t48 | 0x00008000;
                                                						_t77 = 2;
                                                						_v16 = _t85;
                                                						_t105 = _t105 + _t77;
                                                						_v24 = _t48;
                                                						_v20 = _t85 | 0x00008000;
                                                						if(_a8 != _t77) {
                                                							__eflags = _a8 - 3;
                                                							if(_a8 != 3) {
                                                								__eflags = _a8 - 1;
                                                								if(__eflags == 0) {
                                                									__eflags = (_t48 | 0xffffffff) - _v12;
                                                									E00406557(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                                                								}
                                                								L38:
                                                								_t108 =  &(_t108[lstrlenW(_t108)]);
                                                								_t45 = 0x7a6a00;
                                                								goto L42;
                                                							}
                                                							_t78 = _v12;
                                                							__eflags = _t78 - 0x1d;
                                                							if(_t78 != 0x1d) {
                                                								__eflags = (_t78 << 0xb) + 0x7a9000;
                                                								E0040651A(_t108, (_t78 << 0xb) + 0x7a9000);
                                                							} else {
                                                								E00406461(_t108,  *0x7a8a68);
                                                							}
                                                							__eflags = _t78 + 0xffffffeb - 7;
                                                							if(__eflags < 0) {
                                                								L29:
                                                								E004067A1(_t108);
                                                							}
                                                							goto L38;
                                                						}
                                                						if( *0x7a8ae4 != 0) {
                                                							_t77 = 4;
                                                						}
                                                						_t121 = _t48;
                                                						if(_t48 >= 0) {
                                                							__eflags = _t48 - 0x25;
                                                							if(_t48 != 0x25) {
                                                								__eflags = _t48 - 0x24;
                                                								if(_t48 == 0x24) {
                                                									GetWindowsDirectoryW(_t108, 0x400);
                                                									_t77 = 0;
                                                								}
                                                								while(1) {
                                                									__eflags = _t77;
                                                									if(_t77 == 0) {
                                                										goto L26;
                                                									}
                                                									_t59 =  *0x7a8a64;
                                                									_t77 = _t77 - 1;
                                                									__eflags = _t59;
                                                									if(_t59 == 0) {
                                                										L22:
                                                										_t61 = SHGetSpecialFolderLocation( *0x7a8a68,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                                                										__eflags = _t61;
                                                										if(_t61 != 0) {
                                                											L24:
                                                											 *_t108 =  *_t108 & 0x00000000;
                                                											__eflags =  *_t108;
                                                											continue;
                                                										}
                                                										__imp__SHGetPathFromIDListW(_v8, _t108);
                                                										_a8 = _t61;
                                                										__imp__CoTaskMemFree(_v8);
                                                										__eflags = _a8;
                                                										if(_a8 != 0) {
                                                											goto L26;
                                                										}
                                                										goto L24;
                                                									}
                                                									_t63 =  *_t59( *0x7a8a68,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                                                									__eflags = _t63;
                                                									if(_t63 == 0) {
                                                										goto L26;
                                                									}
                                                									goto L22;
                                                								}
                                                								goto L26;
                                                							}
                                                							GetSystemDirectoryW(_t108, 0x400);
                                                							goto L26;
                                                						} else {
                                                							E004063E8( *0x7a8a98, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8a98 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                                                							if( *_t108 != 0) {
                                                								L27:
                                                								if(_v16 == 0x1a) {
                                                									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                								}
                                                								goto L29;
                                                							}
                                                							E00406557(_t77, _t105, _t108, _t108, _v16);
                                                							L26:
                                                							if( *_t108 == 0) {
                                                								goto L29;
                                                							}
                                                							goto L27;
                                                						}
                                                					}
                                                					goto L43;
                                                				}
                                                 			}

                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406672
                                                • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,004055B3,007A0F28,00000000,00000000,0079F570,76CDEA30), ref: 00406685
                                                • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
                                                • lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Directory$SystemWindowslstrcatlstrlen
                                                • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 4260037668-1230650788
                                                • Opcode ID: da38963e672fb73e568923eb237ce0014ee8c8129af21826515d3029acbe5ea3
                                                • Instruction ID: 9e459ffa4d797bbc81f49b8710fc234ac44c95668d32beb4df18aeb57a87e6f9
                                                • Opcode Fuzzy Hash: da38963e672fb73e568923eb237ce0014ee8c8129af21826515d3029acbe5ea3
                                                • Instruction Fuzzy Hash: E061D271900206AADF109F64DC40BAE37A5AF55318F22C13BE917B72D0DB7D8AA1CB5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004044DD(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                				struct tagLOGBRUSH _v16;
                                                				long _t39;
                                                				long _t41;
                                                				void* _t44;
                                                				signed char _t50;
                                                				long* _t54;
                                                
                                                				if(_a4 + 0xfffffecd > 5) {
                                                					L18:
                                                					return 0;
                                                				}
                                                				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                                                				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                					goto L18;
                                                				} else {
                                                					_t50 = _t54[5];
                                                					if((_t50 & 0xffffffe0) != 0) {
                                                						goto L18;
                                                					}
                                                					_t39 =  *_t54;
                                                					if((_t50 & 0x00000002) != 0) {
                                                						_t39 = GetSysColor(_t39);
                                                					}
                                                					if((_t54[5] & 0x00000001) != 0) {
                                                						SetTextColor(_a8, _t39);
                                                					}
                                                					SetBkMode(_a8, _t54[4]);
                                                					_t41 = _t54[1];
                                                					_v16.lbColor = _t41;
                                                					if((_t54[5] & 0x00000008) != 0) {
                                                						_t41 = GetSysColor(_t41);
                                                						_v16.lbColor = _t41;
                                                					}
                                                					if((_t54[5] & 0x00000004) != 0) {
                                                						SetBkColor(_a8, _t41);
                                                					}
                                                					if((_t54[5] & 0x00000010) != 0) {
                                                						_v16.lbStyle = _t54[2];
                                                						_t44 = _t54[3];
                                                						if(_t44 != 0) {
                                                							DeleteObject(_t44);
                                                						}
                                                						_t54[3] = CreateBrushIndirect( &_v16);
                                                					}
                                                					return _t54[3];
                                                				}
                                                 			}

                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 004044FA
                                                • GetSysColor.USER32(00000000), ref: 00404538
                                                • SetTextColor.GDI32(?,00000000), ref: 00404544
                                                • SetBkMode.GDI32(?,?), ref: 00404550
                                                • GetSysColor.USER32(?), ref: 00404563
                                                • SetBkColor.GDI32(?,?), ref: 00404573
                                                • DeleteObject.GDI32(?), ref: 0040458D
                                                • CreateBrushIndirect.GDI32(?), ref: 00404597
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                                • Instruction ID: 307f0adb03de418db05ce456a6e98ecd908ab5abab62206e0655cd74099b0a55
                                                • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                                • Instruction Fuzzy Hash: 702197B1501708BFD7309F28DD08B5BBBF8AF80714B00852EEA92A22E1D738D914CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 87%
                                                			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                                                				intOrPtr _t65;
                                                				intOrPtr _t66;
                                                				intOrPtr _t72;
                                                				void* _t76;
                                                				void* _t79;
                                                
                                                				_t72 = __edx;
                                                				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                                                				_t65 = 2;
                                                				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                                                				_t66 = E00402D84(_t65);
                                                				_t79 = _t66 - 1;
                                                				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                                                				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                                                				if(_t79 < 0) {
                                                					L36:
                                                					 *0x7a8ae8 =  *0x7a8ae8 +  *(_t76 - 4);
                                                				} else {
                                                					__ecx = 0x3ff;
                                                					if(__eax > 0x3ff) {
                                                						 *(__ebp - 0x44) = 0x3ff;
                                                					}
                                                					if( *__edi == __bx) {
                                                						L34:
                                                						__ecx =  *(__ebp - 0xc);
                                                						__eax =  *(__ebp - 8);
                                                						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                                                						if(_t79 == 0) {
                                                							 *(_t76 - 4) = 1;
                                                						}
                                                						goto L36;
                                                					} else {
                                                						 *(__ebp - 0x38) = __ebx;
                                                						 *(__ebp - 0x18) = E0040647A(__ecx, __edi);
                                                						if( *(__ebp - 0x44) > __ebx) {
                                                							do {
                                                								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                                                									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E004060EB( *(__ebp - 0x18), __ebx) >= 0) {
                                                										__eax = __ebp - 0x50;
                                                										if(E0040608D( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                                                											goto L34;
                                                										} else {
                                                											goto L21;
                                                										}
                                                									} else {
                                                										goto L34;
                                                									}
                                                								} else {
                                                									__eax = __ebp - 0x40;
                                                									_push(__ebx);
                                                									_push(__ebp - 0x40);
                                                									__eax = 2;
                                                									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                                                									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                                                									if(__eax == 0) {
                                                										goto L34;
                                                									} else {
                                                										__ecx =  *(__ebp - 0x40);
                                                										if(__ecx == __ebx) {
                                                											goto L34;
                                                										} else {
                                                											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                                											 *(__ebp - 0x4c) = __ecx;
                                                											 *(__ebp - 0x50) = __eax;
                                                											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                												L28:
                                                												__ax & 0x0000ffff = E00406461( *(__ebp - 0xc), __ax & 0x0000ffff);
                                                											} else {
                                                												__ebp - 0x50 = __ebp + 0xa;
                                                												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                                                													L21:
                                                													__eax =  *(__ebp - 0x50);
                                                												} else {
                                                													__edi =  *(__ebp - 0x4c);
                                                													__edi =  ~( *(__ebp - 0x4c));
                                                													while(1) {
                                                														_t22 = __ebp - 0x40;
                                                														 *_t22 =  *(__ebp - 0x40) - 1;
                                                														__eax = 0xfffd;
                                                														 *(__ebp - 0x50) = 0xfffd;
                                                														if( *_t22 == 0) {
                                                															goto L22;
                                                														}
                                                														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                                                														__edi = __edi + 1;
                                                														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                                                														__eax = __ebp + 0xa;
                                                														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                                                															continue;
                                                														} else {
                                                															goto L21;
                                                														}
                                                														goto L22;
                                                													}
                                                												}
                                                												L22:
                                                												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                													goto L28;
                                                												} else {
                                                													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                                                														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                                                															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                                                															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                                                														} else {
                                                															__ecx =  *(__ebp - 0xc);
                                                															__edx =  *(__ebp - 8);
                                                															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                														}
                                                														goto L34;
                                                													} else {
                                                														__ecx =  *(__ebp - 0xc);
                                                														__edx =  *(__ebp - 8);
                                                														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                														 *(__ebp - 0x38) = __eax;
                                                														if(__ax == __bx) {
                                                															goto L34;
                                                														} else {
                                                															goto L26;
                                                														}
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L37;
                                                								L26:
                                                								__eax =  *(__ebp - 8);
                                                							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                                                						}
                                                						goto L34;
                                                					}
                                                				}
                                                				L37:
                                                				return 0;
                                                			}









                                                APIs
                                                • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                                  • Part of subcall function 004060EB: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406101
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: File$Pointer$ByteCharMultiWide$Read
                                                • String ID: 9
                                                • API String ID: 163830602-2366072709
                                                • Opcode ID: 588ede5e84484d8860c92fb66ffae47e610f47b9ca95ac382e9d1b4b4742ae18
                                                • Instruction ID: be08228a48e351455db253d3f5410474da148bca98ac48c4339161726040cff4
                                                • Opcode Fuzzy Hash: 588ede5e84484d8860c92fb66ffae47e610f47b9ca95ac382e9d1b4b4742ae18
                                                • Instruction Fuzzy Hash: 89510A75D00219AADF20EFD5CA88AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E004067A1(WCHAR* _a4) {
                                                				short _t5;
                                                				short _t7;
                                                				WCHAR* _t19;
                                                				WCHAR* _t20;
                                                				WCHAR* _t21;
                                                
                                                				_t20 = _a4;
                                                				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                                					_t20 =  &(_t20[4]);
                                                				}
                                                				if( *_t20 != 0 && E00405E60(_t20) != 0) {
                                                					_t20 =  &(_t20[2]);
                                                				}
                                                				_t5 =  *_t20;
                                                				_t21 = _t20;
                                                				_t19 = _t20;
                                                				if(_t5 != 0) {
                                                					do {
                                                						if(_t5 > 0x1f &&  *((short*)(E00405E16(L"*?|<>/\":", _t5))) == 0) {
                                                							E00405FC5(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                                							_t19 = CharNextW(_t19);
                                                						}
                                                						_t20 = CharNextW(_t20);
                                                						_t5 =  *_t20;
                                                					} while (_t5 != 0);
                                                				}
                                                				 *_t19 =  *_t19 & 0x00000000;
                                                				while(1) {
                                                					_push(_t19);
                                                					_push(_t21);
                                                					_t19 = CharPrevW();
                                                					_t7 =  *_t19;
                                                					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                						break;
                                                					}
                                                					 *_t19 =  *_t19 & 0x00000000;
                                                					if(_t21 < _t19) {
                                                						continue;
                                                					}
                                                					break;
                                                				}
                                                				return _t7;
                                                			}









                                                APIs
                                                • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406804
                                                • CharNextW.USER32(?,?,?,00000000,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406813
                                                • CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406818
                                                • CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 0040682B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-4010320282
                                                • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                • Instruction ID: df5be6298df38fe53a3c1647d4a953459580f705d81a6df7816dadf9acb4bb56
                                                • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                • Instruction Fuzzy Hash: C0110D2680161295DB3037149D84A7766F8EF58BA4F56803FED86732C0F77C4C9286BD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404E31(struct HWND__* _a4, intOrPtr _a8) {
                                                				long _v8;
                                                				signed char _v12;
                                                				unsigned int _v16;
                                                				void* _v20;
                                                				intOrPtr _v24;
                                                				long _v56;
                                                				void* _v60;
                                                				long _t15;
                                                				unsigned int _t19;
                                                				signed int _t25;
                                                				struct HWND__* _t28;
                                                
                                                				_t28 = _a4;
                                                				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                                                				if(_a8 == 0) {
                                                					L4:
                                                					_v56 = _t15;
                                                					_v60 = 4;
                                                					SendMessageW(_t28, 0x113e, 0,  &_v60);
                                                					return _v24;
                                                				}
                                                				_t19 = GetMessagePos();
                                                				_v16 = _t19 >> 0x10;
                                                				_v20 = _t19;
                                                				ScreenToClient(_t28,  &_v20);
                                                				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                                                				if((_v12 & 0x00000066) != 0) {
                                                					_t15 = _v8;
                                                					goto L4;
                                                				}
                                                				return _t25 | 0xffffffff;
                                                			}















                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E4C
                                                • GetMessagePos.USER32 ref: 00404E54
                                                • ScreenToClient.USER32 ref: 00404E6E
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E80
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EA6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                • Instruction ID: da5f2d6a974e9c572a85d9e94ff0a86548add23bfd296e24df18a92b611d7590
                                                • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                • Instruction Fuzzy Hash: 2F018C71900219BADB00DBA4DD81BFEBBBCAB94710F10002BBB10B61C0C7B4AA018BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                                                				short _v132;
                                                				int _t11;
                                                				int _t20;
                                                
                                                				if(_a8 == 0x110) {
                                                					SetTimer(_a4, 1, 0xfa, 0);
                                                					_a8 = 0x113;
                                                				}
                                                				if(_a8 == 0x113) {
                                                					_t20 =  *0x7936f8; // 0x3da2f
                                                					_t11 =  *0x79f704; // 0x3e100
                                                					if(_t20 >= _t11) {
                                                						_t20 = _t11;
                                                					}
                                                					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                					SetWindowTextW(_a4,  &_v132);
                                                					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                                				}
                                                				return 0;
                                                			}







                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                                • MulDiv.KERNEL32(0003DA2F,00000064,0003E100), ref: 00402FDC
                                                • wsprintfW.USER32 ref: 00402FEC
                                                • SetWindowTextW.USER32(?,?), ref: 00402FFC
                                                • SetDlgItemTextW.USER32 ref: 0040300E
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402FE6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
                                                • Instruction ID: 93fc8baa8d380bd3002b945ae1bdcf8604075b20dc3457daa0419b6feabf18a2
                                                • Opcode Fuzzy Hash: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
                                                • Instruction Fuzzy Hash: EC014F7064020DBBEF209F60DE4ABEA3B79EB00345F108039FA06B51D0DBB99A559B58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E732A2655() {
                                                				intOrPtr _t24;
                                                				void* _t26;
                                                				intOrPtr _t27;
                                                				signed int _t39;
                                                				void* _t40;
                                                				void* _t43;
                                                				intOrPtr _t44;
                                                				void* _t45;
                                                
                                                				_t40 = E732A12BB();
                                                				_t24 =  *((intOrPtr*)(_t45 + 0x18));
                                                				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
                                                				_t43 = (_t44 + 0x81 << 5) + _t24;
                                                				do {
                                                					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
                                                					}
                                                					_t39 =  *(_t43 - 8) & 0x000000ff;
                                                					if(_t39 <= 7) {
                                                						switch( *((intOrPtr*)(_t39 * 4 +  &M732A2784))) {
                                                							case 0:
                                                								 *_t40 = 0;
                                                								goto L17;
                                                							case 1:
                                                								__eax =  *__eax;
                                                								if(__ecx > __ebx) {
                                                									 *(__esp + 0x10) = __ecx;
                                                									__ecx =  *(0x732a407c + __edx * 4);
                                                									__edx =  *(__esp + 0x10);
                                                									__ecx = __ecx * __edx;
                                                									asm("sbb edx, edx");
                                                									__edx = __edx & __ecx;
                                                									__eax = __eax &  *(0x732a409c + __edx * 4);
                                                								}
                                                								_push(__eax);
                                                								goto L15;
                                                							case 2:
                                                								__eax = E732A1510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                								goto L16;
                                                							case 3:
                                                								__ecx =  *0x732a506c;
                                                								__edx = __ecx - 1;
                                                								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
                                                								__eax =  *0x732a506c;
                                                								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
                                                								goto L17;
                                                							case 4:
                                                								__eax = lstrcpynW(__edi,  *__eax,  *0x732a506c);
                                                								goto L17;
                                                							case 5:
                                                								_push( *0x732a506c);
                                                								_push(__edi);
                                                								_push( *__eax);
                                                								__imp__StringFromGUID2();
                                                								goto L17;
                                                							case 6:
                                                								_push( *__esi);
                                                								L15:
                                                								__eax = wsprintfW(__edi, 0x732a5000);
                                                								L16:
                                                								__esp = __esp + 0xc;
                                                								goto L17;
                                                						}
                                                					}
                                                					L17:
                                                					_t26 =  *(_t43 + 0x14);
                                                					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
                                                						GlobalFree(_t26);
                                                					}
                                                					_t27 =  *((intOrPtr*)(_t43 + 0xc));
                                                					if(_t27 != 0) {
                                                						if(_t27 != 0xffffffff) {
                                                							if(_t27 > 0) {
                                                								E732A1381(_t27 - 1, _t40);
                                                								goto L26;
                                                							}
                                                						} else {
                                                							E732A1312(_t40);
                                                							L26:
                                                						}
                                                					}
                                                					_t44 = _t44 - 1;
                                                					_t43 = _t43 - 0x20;
                                                				} while (_t44 >= 0);
                                                				return GlobalFree(_t40);
                                                			}












                                                APIs
                                                  • Part of subcall function 732A12BB: GlobalAlloc.KERNELBASE(00000040,?,732A12DB,?,732A137F,00000019,732A11CA,-000000A0), ref: 732A12C5
                                                • GlobalFree.KERNEL32 ref: 732A2743
                                                • GlobalFree.KERNEL32 ref: 732A2778
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                • Associated: 00000000.00000002.756311352.00000000732A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756329828.00000000732A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756338430.00000000732A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_732a0000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: c47758b99de272a6a7ad1900b8cbd731f58b7046005690be48cc569210ce6703
                                                • Instruction ID: 59602891232afbfe880e5d71695c9e42c3869f0cbbf6bc67d49cc9cf467cb167
                                                • Opcode Fuzzy Hash: c47758b99de272a6a7ad1900b8cbd731f58b7046005690be48cc569210ce6703
                                                • Instruction Fuzzy Hash: B731067260431ADFD71A9F59CD88F2A77BAFB853013248128FD45A3250C774A984FB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E00402950(int __ebx, void* __eflags) {
                                                				WCHAR* _t26;
                                                				void* _t29;
                                                				long _t37;
                                                				int _t49;
                                                				void* _t52;
                                                				void* _t54;
                                                				void* _t56;
                                                				void* _t59;
                                                				void* _t60;
                                                				void* _t61;
                                                
                                                				_t49 = __ebx;
                                                				_t52 = 0xfffffd66;
                                                				_t26 = E00402DA6(0xfffffff0);
                                                				_t55 = _t26;
                                                				 *(_t61 - 0x40) = _t26;
                                                				if(E00405E60(_t26) == 0) {
                                                					E00402DA6(0xffffffed);
                                                				}
                                                				E00405FE5(_t55);
                                                				_t29 = E0040600A(_t55, 0x40000000, 2);
                                                				 *(_t61 + 8) = _t29;
                                                				if(_t29 != 0xffffffff) {
                                                					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                                                					if( *(_t61 - 0x28) != _t49) {
                                                						_t37 =  *0x7a8a74;
                                                						 *(_t61 - 0x44) = _t37;
                                                						_t54 = GlobalAlloc(0x40, _t37);
                                                						if(_t54 != _t49) {
                                                							E004034C2(_t49);
                                                							E004034AC(_t54,  *(_t61 - 0x44));
                                                							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                                                							 *(_t61 - 0x10) = _t59;
                                                							if(_t59 != _t49) {
                                                								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                                                								while( *_t59 != _t49) {
                                                									_t60 = _t59 + 8;
                                                									 *(_t61 - 0x3c) =  *_t59;
                                                									E00405FC5( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                                                									_t59 = _t60 +  *(_t61 - 0x3c);
                                                								}
                                                								GlobalFree( *(_t61 - 0x10));
                                                							}
                                                							E004060BC( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                                                							GlobalFree(_t54);
                                                							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                                                						}
                                                					}
                                                					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                                                					CloseHandle( *(_t61 + 8));
                                                				}
                                                				_t56 = 0xfffffff3;
                                                				if(_t52 < _t49) {
                                                					_t56 = 0xffffffef;
                                                					DeleteFileW( *(_t61 - 0x40));
                                                					 *((intOrPtr*)(_t61 - 4)) = 1;
                                                				}
                                                				_push(_t56);
                                                				E00401423();
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t61 - 4));
                                                				return 0;
                                                			}














                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                                • GlobalFree.KERNEL32 ref: 00402A06
                                                • GlobalFree.KERNEL32 ref: 00402A19
                                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                • String ID:
                                                • API String ID: 2667972263-0
                                                • Opcode ID: aebb5c15b31ebc5aa49e3490bdf2bd0c4f89cf94e3d7c186155ff6a3853049af
                                                • Instruction ID: ce13e03cd45963b48540e15e7c975c75beca6294bacda27d7b2280c3fc44a057
                                                • Opcode Fuzzy Hash: aebb5c15b31ebc5aa49e3490bdf2bd0c4f89cf94e3d7c186155ff6a3853049af
                                                • Instruction Fuzzy Hash: CA31B171D00124BBCF216FA5CE89D9EBE79EF49364F14423AF450762E1CB794C429B98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E732A1979(signed int __edx, void* __eflags, void* _a8, void* _a16) {
                                                				void* _v8;
                                                				signed int _v12;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				char _v76;
                                                				void _t45;
                                                				signed int _t46;
                                                				signed int _t47;
                                                				signed int _t48;
                                                				signed int _t57;
                                                				signed int _t58;
                                                				signed int _t59;
                                                				signed int _t60;
                                                				signed int _t61;
                                                				void* _t67;
                                                				void* _t68;
                                                				void* _t69;
                                                				void* _t70;
                                                				void* _t71;
                                                				signed int _t77;
                                                				void* _t81;
                                                				signed int _t83;
                                                				signed int _t85;
                                                				signed int _t87;
                                                				signed int _t90;
                                                				void* _t101;
                                                
                                                				_t85 = __edx;
                                                				 *0x732a506c = _a8;
                                                				_t77 = 0;
                                                				 *0x732a5070 = _a16;
                                                				_v12 = 0;
                                                				_v8 = E732A12E3();
                                                				_t90 = E732A13B1(_t42);
                                                				_t87 = _t85;
                                                				_t81 = E732A12E3();
                                                				_a8 = _t81;
                                                				_t45 =  *_t81;
                                                				if(_t45 != 0x7e && _t45 != 0x21) {
                                                					_a16 = E732A12E3();
                                                					_t77 = E732A13B1(_t74);
                                                					_v12 = _t85;
                                                					GlobalFree(_a16);
                                                					_t81 = _a8;
                                                				}
                                                				_t46 =  *_t81 & 0x0000ffff;
                                                				_t101 = _t46 - 0x2f;
                                                				if(_t101 > 0) {
                                                					_t47 = _t46 - 0x3c;
                                                					__eflags = _t47;
                                                					if(_t47 == 0) {
                                                						__eflags =  *((short*)(_t81 + 2)) - 0x3c;
                                                						if( *((short*)(_t81 + 2)) != 0x3c) {
                                                							__eflags = _t87 - _v12;
                                                							if(__eflags > 0) {
                                                								L56:
                                                								_t48 = 0;
                                                								__eflags = 0;
                                                								L57:
                                                								asm("cdq");
                                                								L58:
                                                								_t90 = _t48;
                                                								_t87 = _t85;
                                                								L59:
                                                								E732A1510(_t85, _t90, _t87,  &_v76);
                                                								E732A1312( &_v76);
                                                								GlobalFree(_v8);
                                                								return GlobalFree(_a8);
                                                							}
                                                							if(__eflags < 0) {
                                                								L49:
                                                								__eflags = 0;
                                                								L50:
                                                								_t48 = 1;
                                                								goto L57;
                                                							}
                                                							__eflags = _t90 - _t77;
                                                							if(_t90 < _t77) {
                                                								goto L49;
                                                							}
                                                							goto L56;
                                                						}
                                                						_t85 = _t87;
                                                						_t48 = E732A3050(_t90, _t77, _t85);
                                                						goto L58;
                                                					}
                                                					_t57 = _t47 - 1;
                                                					__eflags = _t57;
                                                					if(_t57 == 0) {
                                                						__eflags = _t90 - _t77;
                                                						if(_t90 != _t77) {
                                                							goto L56;
                                                						}
                                                						__eflags = _t87 - _v12;
                                                						if(_t87 != _v12) {
                                                							goto L56;
                                                						}
                                                						goto L49;
                                                					}
                                                					_t58 = _t57 - 1;
                                                					__eflags = _t58;
                                                					if(_t58 == 0) {
                                                						__eflags =  *((short*)(_t81 + 2)) - 0x3e;
                                                						if( *((short*)(_t81 + 2)) != 0x3e) {
                                                							__eflags = _t87 - _v12;
                                                							if(__eflags < 0) {
                                                								goto L56;
                                                							}
                                                							if(__eflags > 0) {
                                                								goto L49;
                                                							}
                                                							__eflags = _t90 - _t77;
                                                							if(_t90 <= _t77) {
                                                								goto L56;
                                                							}
                                                							goto L49;
                                                						}
                                                						__eflags =  *((short*)(_t81 + 4)) - 0x3e;
                                                						_t85 = _t87;
                                                						_t59 = _t90;
                                                						_t83 = _t77;
                                                						if( *((short*)(_t81 + 4)) != 0x3e) {
                                                							_t48 = E732A3070(_t59, _t83, _t85);
                                                						} else {
                                                							_t48 = E732A30A0(_t59, _t83, _t85);
                                                						}
                                                						goto L58;
                                                					}
                                                					_t60 = _t58 - 0x20;
                                                					__eflags = _t60;
                                                					if(_t60 == 0) {
                                                						_t90 = _t90 ^ _t77;
                                                						_t87 = _t87 ^ _v12;
                                                						goto L59;
                                                					}
                                                					_t61 = _t60 - 0x1e;
                                                					__eflags = _t61;
                                                					if(_t61 == 0) {
                                                						__eflags =  *((short*)(_t81 + 2)) - 0x7c;
                                                						if( *((short*)(_t81 + 2)) != 0x7c) {
                                                							_t90 = _t90 | _t77;
                                                							_t87 = _t87 | _v12;
                                                							goto L59;
                                                						}
                                                						__eflags = _t90 | _t87;
                                                						if((_t90 | _t87) != 0) {
                                                							goto L49;
                                                						}
                                                						__eflags = _t77 | _v12;
                                                						if((_t77 | _v12) != 0) {
                                                							goto L49;
                                                						}
                                                						goto L56;
                                                					}
                                                					__eflags = _t61 == 0;
                                                					if(_t61 == 0) {
                                                						_t90 =  !_t90;
                                                						_t87 =  !_t87;
                                                					}
                                                					goto L59;
                                                				}
                                                				if(_t101 == 0) {
                                                					L21:
                                                					__eflags = _t77 | _v12;
                                                					if((_t77 | _v12) != 0) {
                                                						_v24 = E732A2EE0(_t90, _t87, _t77, _v12);
                                                						_v20 = _t85;
                                                						_t48 = E732A2F90(_t90, _t87, _t77, _v12);
                                                						_t81 = _a8;
                                                					} else {
                                                						_v24 = _v24 & 0x00000000;
                                                						_v20 = _v20 & 0x00000000;
                                                						_t48 = _t90;
                                                						_t85 = _t87;
                                                					}
                                                					__eflags =  *_t81 - 0x2f;
                                                					if( *_t81 != 0x2f) {
                                                						goto L58;
                                                					} else {
                                                						_t90 = _v24;
                                                						_t87 = _v20;
                                                						goto L59;
                                                					}
                                                				}
                                                				_t67 = _t46 - 0x21;
                                                				if(_t67 == 0) {
                                                					_t48 = 0;
                                                					__eflags = _t90 | _t87;
                                                					if((_t90 | _t87) != 0) {
                                                						goto L57;
                                                					}
                                                					goto L50;
                                                				}
                                                				_t68 = _t67 - 4;
                                                				if(_t68 == 0) {
                                                					goto L21;
                                                				}
                                                				_t69 = _t68 - 1;
                                                				if(_t69 == 0) {
                                                					__eflags =  *((short*)(_t81 + 2)) - 0x26;
                                                					if( *((short*)(_t81 + 2)) != 0x26) {
                                                						_t90 = _t90 & _t77;
                                                						_t87 = _t87 & _v12;
                                                						goto L59;
                                                					}
                                                					__eflags = _t90 | _t87;
                                                					if((_t90 | _t87) == 0) {
                                                						goto L56;
                                                					}
                                                					__eflags = _t77 | _v12;
                                                					if((_t77 | _v12) == 0) {
                                                						goto L56;
                                                					}
                                                					goto L49;
                                                				}
                                                				_t70 = _t69 - 4;
                                                				if(_t70 == 0) {
                                                					_t48 = E732A2EA0(_t90, _t87, _t77, _v12);
                                                					goto L58;
                                                				} else {
                                                					_t71 = _t70 - 1;
                                                					if(_t71 == 0) {
                                                						_t90 = _t90 + _t77;
                                                						asm("adc edi, [ebp-0x8]");
                                                					} else {
                                                						if(_t71 == 0) {
                                                							_t90 = _t90 - _t77;
                                                							asm("sbb edi, [ebp-0x8]");
                                                						}
                                                					}
                                                					goto L59;
                                                				}
                                                 			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                 • Associated: 00000000.00000002.756311352.00000000732A0000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.756329828.00000000732A4000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.756338430.00000000732A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_732a0000_Transferencia.jbxd
                                                Similarity
                                                • API ID: FreeGlobal
                                                • String ID:
                                                • API String ID: 2979337801-0
                                                • Opcode ID: 7be8471919947167827806dc5bbf3bc21910229860bae31ff55c89f5c584ba52
                                                • Instruction ID: 940487da9a29201697f582f44575af32409bd623b01b4f41d6b63f1bd0728d04
                                                • Opcode Fuzzy Hash: 7be8471919947167827806dc5bbf3bc21910229860bae31ff55c89f5c584ba52
                                                • Instruction Fuzzy Hash: 1F51F732F1011AABDB029FAC844079DBBFAEB44330F188959DC07B3294E6B5B9C5C795
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E732A2480(void* __edx) {
                                                				void* _t37;
                                                				signed int _t38;
                                                				void* _t39;
                                                				void* _t41;
                                                				signed char* _t42;
                                                				signed char* _t51;
                                                				void* _t52;
                                                				void* _t54;
                                                
                                                				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
                                                				while(1) {
                                                					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
                                                					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
                                                					_t52 = _t51[0x18];
                                                					if(_t52 == 0) {
                                                						goto L9;
                                                					}
                                                					_t41 = 0x1a;
                                                					if(_t52 == _t41) {
                                                						goto L9;
                                                					}
                                                					if(_t52 != 0xffffffff) {
                                                						if(_t52 <= 0 || _t52 > 0x19) {
                                                							_t51[0x18] = _t41;
                                                							goto L12;
                                                						} else {
                                                							_t37 = E732A135A(_t52 - 1);
                                                							L10:
                                                							goto L11;
                                                						}
                                                					} else {
                                                						_t37 = E732A12E3();
                                                						L11:
                                                						_t52 = _t37;
                                                						L12:
                                                						_t13 =  &(_t51[8]); // 0x1020
                                                						_t42 = _t13;
                                                						if(_t51[4] >= 0) {
                                                						}
                                                						_t38 =  *_t51 & 0x000000ff;
                                                						_t51[0x1c] = 0;
                                                						if(_t38 > 7) {
                                                							L27:
                                                							_t39 = GlobalFree(_t52);
                                                							if( *(_t54 + 0x10) == 0) {
                                                								return _t39;
                                                							}
                                                							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
                                                								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
                                                							} else {
                                                								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
                                                							}
                                                							continue;
                                                						} else {
                                                							switch( *((intOrPtr*)(_t38 * 4 +  &M732A25F8))) {
                                                								case 0:
                                                									 *_t42 = 0;
                                                									goto L27;
                                                								case 1:
                                                									__eax = E732A13B1(__ebp);
                                                									goto L21;
                                                								case 2:
                                                									 *__edi = E732A13B1(__ebp);
                                                									__edi[1] = __edx;
                                                									goto L27;
                                                								case 3:
                                                									__eax = GlobalAlloc(0x40,  *0x732a506c);
                                                									 *(__esi + 0x1c) = __eax;
                                                									__edx = 0;
                                                									 *__edi = __eax;
                                                									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x732a506c, __eax,  *0x732a506c, 0, 0);
                                                									goto L27;
                                                								case 4:
                                                									__eax = E732A12CC(__ebp);
                                                									 *(__esi + 0x1c) = __eax;
                                                									L21:
                                                									 *__edi = __eax;
                                                									goto L27;
                                                								case 5:
                                                									__eax = GlobalAlloc(0x40, 0x10);
                                                									_push(__eax);
                                                									 *(__esi + 0x1c) = __eax;
                                                									_push(__ebp);
                                                									 *__edi = __eax;
                                                									__imp__CLSIDFromString();
                                                									goto L27;
                                                								case 6:
                                                									if( *__ebp != __cx) {
                                                										__eax = E732A13B1(__ebp);
                                                										 *__ebx = __eax;
                                                									}
                                                									goto L27;
                                                								case 7:
                                                									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
                                                									( *(__esi + 0x18) - 1) *  *0x732a506c =  *0x732a5074 + ( *(__esi + 0x18) - 1) *  *0x732a506c * 2 + 0x18;
                                                									 *__ebx =  *0x732a5074 + ( *(__esi + 0x18) - 1) *  *0x732a506c * 2 + 0x18;
                                                									asm("cdq");
                                                									__eax = E732A1510(__edx,  *0x732a5074 + ( *(__esi + 0x18) - 1) *  *0x732a506c * 2 + 0x18, __edx,  *0x732a5074 + ( *(__esi + 0x18) - 1) *  *0x732a506c * 2);
                                                									goto L27;
                                                							}
                                                						}
                                                					}
                                                					L9:
                                                					_t37 = E732A12CC(0x732a5044);
                                                					goto L10;
                                                				}
                                                			}












                                                APIs
                                                • GlobalFree.KERNEL32 ref: 732A25C2
                                                  • Part of subcall function 732A12CC: lstrcpynW.KERNEL32(00000000,?,732A137F,00000019,732A11CA,-000000A0), ref: 732A12DC
                                                • GlobalAlloc.KERNEL32(00000040), ref: 732A2548
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 732A2563
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                • Associated: 00000000.00000002.756311352.00000000732A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756329828.00000000732A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756338430.00000000732A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_732a0000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                • String ID:
                                                • API String ID: 4216380887-0
                                                • Opcode ID: 77fe7c19931b911eaab5b9973028d0907544ed165bb3ff304df25d876d33a27e
                                                • Instruction ID: b109dc66d3bacb06cd4265da878fad3ad8bcfd644ee1591b1ef0f41c4790d98c
                                                • Opcode Fuzzy Hash: 77fe7c19931b911eaab5b9973028d0907544ed165bb3ff304df25d876d33a27e
                                                • Instruction Fuzzy Hash: C541B1B1508309DFE719EF2DD844B2677F8FB88310F10891EED4AA6681E774A5C4EB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 48%
                                                			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                                				void* _v8;
                                                				int _v12;
                                                				short _v536;
                                                				void* _t27;
                                                				signed int _t33;
                                                				intOrPtr* _t35;
                                                				signed int _t45;
                                                				signed int _t46;
                                                				signed int _t47;
                                                
                                                				_t46 = _a12;
                                                				_t47 = _t46 & 0x00000300;
                                                				_t45 = _t46 & 0x00000001;
                                                				_t27 = E00406387(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                				if(_t27 == 0) {
                                                					if((_a12 & 0x00000002) == 0) {
                                                						L3:
                                                						_push(0x105);
                                                						_push( &_v536);
                                                						_push(0);
                                                						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                                                							__eflags = _t45;
                                                							if(__eflags != 0) {
                                                								L10:
                                                								RegCloseKey(_v8);
                                                								return 0x3eb;
                                                							}
                                                							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                                                							__eflags = _t33;
                                                							if(_t33 != 0) {
                                                								break;
                                                							}
                                                							_push(0x105);
                                                							_push( &_v536);
                                                							_push(_t45);
                                                						}
                                                						RegCloseKey(_v8);
                                                						_t35 = E004068E7(3);
                                                						if(_t35 != 0) {
                                                							return  *_t35(_a4, _a8, _t47, 0);
                                                						}
                                                						return RegDeleteKeyW(_a4, _a8);
                                                					}
                                                					_v12 = 0;
                                                					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                						goto L10;
                                                					}
                                                					goto L3;
                                                				}
                                                				return _t27;
                                                			}













                                                APIs
                                                • RegEnumValueW.ADVAPI32 ref: 00402EFD
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CloseEnum$DeleteValue
                                                • String ID:
                                                • API String ID: 1354259210-0
                                                • Opcode ID: e3874647b70fc3bb13da35da8902fd1ce062095075b440694413d8eb29dad5c0
                                                • Instruction ID: c11aca49d0effc85046ccc9aadc56b913b01f210672418aaa5aa9f4d8e4c938e
                                                • Opcode Fuzzy Hash: e3874647b70fc3bb13da35da8902fd1ce062095075b440694413d8eb29dad5c0
                                                • Instruction Fuzzy Hash: 8C212A7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21A0D7B59E54AA68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E00401D81(void* __ebx, void* __edx) {
                                                				struct HWND__* _t30;
                                                				WCHAR* _t38;
                                                				void* _t48;
                                                				void* _t53;
                                                				signed int _t55;
                                                				signed int _t60;
                                                				long _t63;
                                                				void* _t65;
                                                
                                                				_t53 = __ebx;
                                                				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                                                					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                                                				} else {
                                                					E00402D84(2);
                                                					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                                                				}
                                                				_t55 =  *(_t65 - 0x24);
                                                				 *(_t65 + 8) = _t30;
                                                				_t60 = _t55 & 0x00000004;
                                                				 *(_t65 - 0x38) = _t55 & 0x00000003;
                                                				 *(_t65 - 0x18) = _t55 >> 0x1f;
                                                				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                                                				if((_t55 & 0x00010000) == 0) {
                                                					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                                                				} else {
                                                					_t38 = E00402DA6(0x11);
                                                				}
                                                				 *(_t65 - 0x44) = _t38;
                                                				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                                                				asm("sbb esi, esi");
                                                				_t63 = LoadImageW( ~_t60 &  *0x7a8a60,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                                                				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                                                				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                                                					DeleteObject(_t48);
                                                				}
                                                				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                                                					_push(_t63);
                                                					E00406461();
                                                				}
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t65 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: a6aad87a710fcdef47f5999398108e389655c35983e9ac7c8f9262d328879ae0
                                                • Instruction ID: 28669104e63112c2688ec1bf4ccd66a2dfd92d91aff3cd1988410ea650e2814b
                                                • Opcode Fuzzy Hash: a6aad87a710fcdef47f5999398108e389655c35983e9ac7c8f9262d328879ae0
                                                • Instruction Fuzzy Hash: 1721F672D04119AFCB05DBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 73%
                                                			E00401E4E(intOrPtr __edx) {
                                                				void* __edi;
                                                				int _t9;
                                                				signed char _t15;
                                                				struct HFONT__* _t18;
                                                				intOrPtr _t30;
                                                				void* _t31;
                                                				struct HDC__* _t33;
                                                				void* _t35;
                                                
                                                				_t30 = __edx;
                                                				_t33 = GetDC( *(_t35 - 8));
                                                				_t9 = E00402D84(2);
                                                				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                				0x40cdc8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                                                				ReleaseDC( *(_t35 - 8), _t33);
                                                				 *0x40cdd8 = E00402D84(3);
                                                				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                                                				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                				 *0x40cddf = 1;
                                                				 *0x40cddc = _t15 & 0x00000001;
                                                				 *0x40cddd = _t15 & 0x00000002;
                                                				 *0x40cdde = _t15 & 0x00000004;
                                                				E00406557(_t9, _t31, _t33, 0x40cde4,  *((intOrPtr*)(_t35 - 0x2c)));
                                                				_t18 = CreateFontIndirectW(0x40cdc8);
                                                				_push(_t18);
                                                				_push(_t31);
                                                				E00406461();
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t35 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                • GetDC.USER32(?), ref: 00401E51
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                • ReleaseDC.USER32 ref: 00401E84
                                                  • Part of subcall function 00406557: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
                                                  • Part of subcall function 00406557: lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                                                • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                • String ID:
                                                • API String ID: 2584051700-0
                                                • Opcode ID: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
                                                • Instruction ID: 0d45dbb9e622ade016cb62109ac663f1c9afcfae21dbc147df73c93619ae97e2
                                                • Opcode Fuzzy Hash: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
                                                • Instruction Fuzzy Hash: 6401D871940641EFEB006BB4AE89BDA3FB0AF15301F10493AF141B61D2C6B90404DB2C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E732A16BD(struct HINSTANCE__* _a4, short* _a8) {
                                                				_Unknown_base(*)()* _t7;
                                                				void* _t10;
                                                				int _t14;
                                                
                                                				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                                                				_t10 = GlobalAlloc(0x40, _t14);
                                                				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
                                                				_t7 = GetProcAddress(_a4, _t10);
                                                				GlobalFree(_t10);
                                                				return _t7;
                                                			}







                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,732A22D8,?,00000808), ref: 732A16D5
                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,732A22D8,?,00000808), ref: 732A16DC
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,732A22D8,?,00000808), ref: 732A16F0
                                                • GetProcAddress.KERNEL32(732A22D8,00000000), ref: 732A16F7
                                                • GlobalFree.KERNEL32 ref: 732A1700
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                • Associated: 00000000.00000002.756311352.00000000732A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756329828.00000000732A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756338430.00000000732A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_732a0000_Transferencia.jbxd
                                                Similarity
                                                • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                • String ID:
                                                • API String ID: 1148316912-0
                                                • Opcode ID: 647614b5df40037765a31dd91ffe66da210ae7f25890bce9ebf49d01578439e5
                                                • Instruction ID: b3d3dcf6b03ca8afd07075352b00a3b5b5cd20e1b561db90ad5274cce6d85dba
                                                • Opcode Fuzzy Hash: 647614b5df40037765a31dd91ffe66da210ae7f25890bce9ebf49d01578439e5
                                                • Instruction Fuzzy Hash: 9DF0A2731061387BD62126AB8C4CD9BBE9CDF8B2F5B214215FB1C9129085619D05F7F1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 59%
                                                			E00401C43(intOrPtr __edx) {
                                                				int _t29;
                                                				long _t30;
                                                				signed int _t32;
                                                				WCHAR* _t35;
                                                				long _t36;
                                                				int _t41;
                                                				signed int _t42;
                                                				int _t46;
                                                				int _t56;
                                                				intOrPtr _t57;
                                                				struct HWND__* _t63;
                                                				void* _t64;
                                                
                                                				_t57 = __edx;
                                                				_t29 = E00402D84(3);
                                                				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                				 *(_t64 - 0x18) = _t29;
                                                				_t30 = E00402D84(4);
                                                				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                				 *(_t64 + 8) = _t30;
                                                				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                                                					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                                                				}
                                                				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                                                				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                                                					 *(_t64 + 8) = E00402DA6(0x44);
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                                                				_push(1);
                                                				if(__eflags != 0) {
                                                					_t61 = E00402DA6();
                                                					_t32 = E00402DA6();
                                                					asm("sbb ecx, ecx");
                                                					asm("sbb eax, eax");
                                                					_t35 =  ~( *_t31) & _t61;
                                                					__eflags = _t35;
                                                					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                					goto L10;
                                                				} else {
                                                					_t63 = E00402D84();
                                                					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                					_t41 = E00402D84(2);
                                                					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                					_t56 =  *(_t64 - 0x1c) >> 2;
                                                					if(__eflags == 0) {
                                                						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                                                						L10:
                                                						 *(_t64 - 0x38) = _t36;
                                                					} else {
                                                						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                                                						asm("sbb eax, eax");
                                                						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                					}
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                                                				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                                                					_push( *(_t64 - 0x38));
                                                					E00406461();
                                                				}
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t64 - 4));
                                                				return 0;
                                                			}
















                                                APIs
                                                • SendMessageTimeoutW.USER32 ref: 00401CB3
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: 443c3db962ab0709f794cef0dd75cfbbc40298e4b9bc43596e0072424d6b1197
                                                • Instruction ID: f7a68e929e996113dc281fa05a4685e5ce16b579df1de56e4cd617e501a9a943
                                                • Opcode Fuzzy Hash: 443c3db962ab0709f794cef0dd75cfbbc40298e4b9bc43596e0072424d6b1197
                                                • Instruction Fuzzy Hash: 90219C7190421AEFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E00404D23(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                				char _v68;
                                                				char _v132;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t23;
                                                				signed int _t24;
                                                				void* _t31;
                                                				void* _t33;
                                                				void* _t34;
                                                				void* _t44;
                                                				signed int _t46;
                                                				signed int _t50;
                                                				signed int _t52;
                                                				signed int _t53;
                                                				signed int _t55;
                                                
                                                				_t23 = _a16;
                                                				_t53 = _a12;
                                                				_t44 = 0xffffffdc;
                                                				if(_t23 == 0) {
                                                					_push(0x14);
                                                					_pop(0);
                                                					_t24 = _t53;
                                                					if(_t53 < 0x100000) {
                                                						_push(0xa);
                                                						_pop(0);
                                                						_t44 = 0xffffffdd;
                                                					}
                                                					if(_t53 < 0x400) {
                                                						_t44 = 0xffffffde;
                                                					}
                                                					if(_t53 < 0xffff3333) {
                                                						_t52 = 0x14;
                                                						asm("cdq");
                                                						_t24 = 1 / _t52 + _t53;
                                                					}
                                                					_t25 = _t24 & 0x00ffffff;
                                                					_t55 = _t24 >> 0;
                                                					_t46 = 0xa;
                                                					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                                				} else {
                                                					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                                					_t50 = 0;
                                                				}
                                                				_t31 = E00406557(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                                				_t33 = E00406557(_t44, _t50, _t55,  &_v132, _t44);
                                                				_t34 = E00406557(_t44, _t50, 0x7a1f48, 0x7a1f48, _a8);
                                                				wsprintfW(_t34 + lstrlenW(0x7a1f48) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                                				return SetDlgItemTextW( *0x7a7a38, _a4, 0x7a1f48);
                                                			}




















                                                APIs
                                                • lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DC4
                                                • wsprintfW.USER32 ref: 00404DCD
                                                • SetDlgItemTextW.USER32 ref: 00404DE0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
                                                				void* _t20;
                                                				void* _t21;
                                                				int _t24;
                                                				int _t30;
                                                				intOrPtr _t33;
                                                				void* _t34;
                                                				intOrPtr _t37;
                                                				void* _t39;
                                                				void* _t42;
                                                
                                                				_t42 = __eflags;
                                                				_t33 = __edx;
                                                				_t30 = __ebx;
                                                				_t37 =  *((intOrPtr*)(_t39 - 0x20));
                                                				_t34 = __eax;
                                                				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
                                                				 *(_t39 - 0x44) = E00402DA6(2);
                                                				_t20 = E00402DA6(0x11);
                                                				 *(_t39 - 4) = 1;
                                                				_t21 = E00402E36(_t42, _t34, _t20, 2);
                                                				 *(_t39 + 8) = _t21;
                                                				if(_t21 != __ebx) {
                                                					_t24 = 0;
                                                					if(_t37 == 1) {
                                                						E00402DA6(0x23);
                                                						_t24 = lstrlenW(0x40b5c8) + _t29 + 2;
                                                					}
                                                					if(_t37 == 4) {
                                                						 *0x40b5c8 = E00402D84(3);
                                                						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
                                                						_t24 = _t37;
                                                					}
                                                					if(_t37 == 3) {
                                                						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5c8, 0x1800);
                                                					}
                                                					if(RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5c8, _t24) == 0) {
                                                						 *(_t39 - 4) = _t30;
                                                					}
                                                					_push( *(_t39 + 8));
                                                					RegCloseKey();
                                                				}
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *(_t39 - 4);
                                                				return 0;
                                                			}













                                                APIs
                                                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstC730.tmp,00000023,00000011,00000002), ref: 004024D5
                                                • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nstC730.tmp,00000000,00000011,00000002), ref: 00402515
                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nstC730.tmp,00000000,00000011,00000002), ref: 004025FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CloseValuelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nstC730.tmp
                                                • API String ID: 2655323295-469808752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 53%
                                                			E00405EF1(void* __eflags, intOrPtr _a4) {
                                                				int _t11;
                                                				signed char* _t12;
                                                				intOrPtr _t18;
                                                				intOrPtr* _t21;
                                                				signed int _t23;
                                                
                                                				E0040651A(0x7a4750, _a4);
                                                				_t21 = E00405E94(0x7a4750);
                                                				if(_t21 != 0) {
                                                					E004067A1(_t21);
                                                					if(( *0x7a8a78 & 0x00000080) == 0) {
                                                						L5:
                                                						_t23 = _t21 - 0x7a4750 >> 1;
                                                						while(1) {
                                                							_t11 = lstrlenW(0x7a4750);
                                                							_push(0x7a4750);
                                                							if(_t11 <= _t23) {
                                                								break;
                                                							}
                                                							_t12 = E00406850();
                                                							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                								E00405E35(0x7a4750);
                                                								continue;
                                                							} else {
                                                								goto L1;
                                                							}
                                                						}
                                                						E00405DE9();
                                                						return 0 | GetFileAttributesW(??) != 0xffffffff;
                                                					}
                                                					_t18 =  *_t21;
                                                					if(_t18 == 0 || _t18 == 0x5c) {
                                                						goto L1;
                                                					} else {
                                                						goto L5;
                                                					}
                                                				}
                                                				L1:
                                                				return 0;
                                                			}









                                                APIs
                                                  • Part of subcall function 0040651A: lstrcpynW.KERNEL32(?,?,00000400,0040367A,007A7A60,NSIS Error), ref: 00406527
                                                  • Part of subcall function 00405E94: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nstC730.tmp,?,00405F08,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EA2
                                                  • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EA7
                                                  • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EBF
                                                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstC730.tmp,00000000,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F4A
                                                • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,00000000,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\), ref: 00405F5A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nstC730.tmp
                                                • API String ID: 3248276644-633924231
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405E94(WCHAR* _a4) {
                                                				WCHAR* _t5;
                                                				short* _t7;
                                                				WCHAR* _t10;
                                                				short _t11;
                                                				WCHAR* _t12;
                                                				void* _t14;
                                                
                                                				_t12 = _a4;
                                                				_t10 = CharNextW(_t12);
                                                				_t5 = CharNextW(_t10);
                                                				_t11 =  *_t12;
                                                				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
                                                					if(_t11 != 0x5c || _t12[1] != _t11) {
                                                						L10:
                                                						return 0;
                                                					} else {
                                                						_t14 = 2;
                                                						while(1) {
                                                							_t14 = _t14 - 1;
                                                							_t7 = E00405E16(_t5, 0x5c);
                                                							if( *_t7 == 0) {
                                                								goto L10;
                                                							}
                                                							_t5 = _t7 + 2;
                                                							if(_t14 != 0) {
                                                								continue;
                                                							}
                                                							return _t5;
                                                						}
                                                						goto L10;
                                                					}
                                                				} else {
                                                					return CharNextW(_t5);
                                                				}
                                                			}










                                                APIs
                                                • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nstC730.tmp,?,00405F08,C:\Users\user\AppData\Local\Temp\nstC730.tmp,C:\Users\user\AppData\Local\Temp\nstC730.tmp,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EA2
                                                • CharNextW.USER32(00000000), ref: 00405EA7
                                                • CharNextW.USER32(00000000), ref: 00405EBF
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\nstC730.tmp, xrefs: 00405E95
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CharNext
                                                • String ID: C:\Users\user\AppData\Local\Temp\nstC730.tmp
                                                • API String ID: 3213498283-469808752
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E00405DE9(WCHAR* _a4) {
                                                				WCHAR* _t9;
                                                
                                                				_t9 = _a4;
                                                				_push( &(_t9[lstrlenW(_t9)]));
                                                				_push(_t9);
                                                				if( *(CharPrevW()) != 0x5c) {
                                                					lstrcatW(_t9, 0x40a014);
                                                				}
                                                				return _t9;
                                                			}





                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405DEF
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405DF9
                                                • lstrcatW.KERNEL32(?,0040A014), ref: 00405E0B
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-3081826266
                                                • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                • Instruction ID: 5df85f57ea55352fd9405ca64aeca33b709f52697b2ce94ac79c97851b919939
                                                • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                • Instruction Fuzzy Hash: 0BD05E31111A307BC1116B48AD04DDB629CAE85700381042AF141B20A5D778596286FD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E732A10E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
                                                				void* _v0;
                                                				void* _t27;
                                                				signed int _t29;
                                                				void* _t30;
                                                				void* _t34;
                                                				void* _t36;
                                                				void* _t38;
                                                				void* _t40;
                                                				void* _t48;
                                                				void* _t54;
                                                				void* _t63;
                                                				void* _t64;
                                                				signed int _t66;
                                                				void* _t67;
                                                				void* _t73;
                                                				void* _t74;
                                                				void* _t77;
                                                				void* _t80;
                                                				void _t81;
                                                				void _t82;
                                                				intOrPtr _t84;
                                                				void* _t86;
                                                				void* _t88;
                                                
                                                				 *0x732a506c = _a8;
                                                				 *0x732a5070 = _a16;
                                                				 *0x732a5074 = _a12;
                                                				_a12( *0x732a5048, E732A1651, _t73);
                                                				_t66 =  *0x732a506c +  *0x732a506c * 4 << 3;
                                                				_t27 = E732A12E3();
                                                				_v0 = _t27;
                                                				_t74 = _t27;
                                                				if( *_t27 == 0) {
                                                					L28:
                                                					return GlobalFree(_t27);
                                                				}
                                                				do {
                                                					_t29 =  *_t74 & 0x0000ffff;
                                                					_t67 = 2;
                                                					_t74 = _t74 + _t67;
                                                					_t88 = _t29 - 0x66;
                                                					if(_t88 > 0) {
                                                						_t30 = _t29 - 0x6c;
                                                						if(_t30 == 0) {
                                                							L23:
                                                							_t31 =  *0x732a5040;
                                                							if( *0x732a5040 == 0) {
                                                								goto L26;
                                                							}
                                                							E732A1603( *0x732a5074, _t31 + 4, _t66);
                                                							_t34 =  *0x732a5040;
                                                							_t86 = _t86 + 0xc;
                                                							 *0x732a5040 =  *_t34;
                                                							L25:
                                                							GlobalFree(_t34);
                                                							goto L26;
                                                						}
                                                						_t36 = _t30 - 4;
                                                						if(_t36 == 0) {
                                                							L13:
                                                							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
                                                							_t74 = _t74 + _t67;
                                                							_t34 = E732A1312(E732A135A(_t38));
                                                							L14:
                                                							goto L25;
                                                						}
                                                						_t40 = _t36 - _t67;
                                                						if(_t40 == 0) {
                                                							L11:
                                                							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
                                                							_t74 = _t74 + _t67;
                                                							_t34 = E732A1381(_t80, E732A12E3());
                                                							goto L14;
                                                						}
                                                						L8:
                                                						if(_t40 == 1) {
                                                							_t81 = GlobalAlloc(0x40, _t66 + 4);
                                                							_t10 = _t81 + 4; // 0x4
                                                							E732A1603(_t10,  *0x732a5074, _t66);
                                                							_t86 = _t86 + 0xc;
                                                							 *_t81 =  *0x732a5040;
                                                							 *0x732a5040 = _t81;
                                                						}
                                                						goto L26;
                                                					}
                                                					if(_t88 == 0) {
                                                						_t48 =  *0x732a5070;
                                                						_t77 =  *_t48;
                                                						 *_t48 =  *_t77;
                                                						_t49 = _v0;
                                                						_t84 =  *((intOrPtr*)(_v0 + 0xc));
                                                						if( *((short*)(_t77 + 4)) == 0x2691) {
                                                							E732A1603(_t49, _t77 + 8, 0x38);
                                                							_t86 = _t86 + 0xc;
                                                						}
                                                						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
                                                						GlobalFree(_t77);
                                                						goto L26;
                                                					}
                                                					_t54 = _t29 - 0x46;
                                                					if(_t54 == 0) {
                                                						_t82 = GlobalAlloc(0x40,  *0x732a506c +  *0x732a506c + 8);
                                                						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
                                                						_t14 = _t82 + 8; // 0x8
                                                						E732A1603(_t14, _v0, 0x38);
                                                						_t86 = _t86 + 0xc;
                                                						 *_t82 =  *( *0x732a5070);
                                                						 *( *0x732a5070) = _t82;
                                                						goto L26;
                                                					}
                                                					_t63 = _t54 - 6;
                                                					if(_t63 == 0) {
                                                						goto L23;
                                                					}
                                                					_t64 = _t63 - 4;
                                                					if(_t64 == 0) {
                                                						 *_t74 =  *_t74 + 0xa;
                                                						goto L13;
                                                					}
                                                					_t40 = _t64 - _t67;
                                                					if(_t40 == 0) {
                                                						 *_t74 =  *_t74 + 0xa;
                                                						goto L11;
                                                					}
                                                					goto L8;
                                                					L26:
                                                				} while ( *_t74 != 0);
                                                				_t27 = _v0;
                                                				goto L28;
                                                			}



























                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.756317960.00000000732A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 732A0000, based on PE: true
                                                • Associated: 00000000.00000002.756311352.00000000732A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756329828.00000000732A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.756338430.00000000732A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_732a0000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: 6c7bbb6fdd7a2e9b3281f76a47ee4f6d0dd0a2cd8301e01a3ea0b82dc5ce420e
                                                • Instruction ID: c0e6cbffaf54b06527bd807da0706749f69bd17f2f5ce7b5c685dda1691163ed
                                                • Opcode Fuzzy Hash: 6c7bbb6fdd7a2e9b3281f76a47ee4f6d0dd0a2cd8301e01a3ea0b82dc5ce420e
                                                • Instruction Fuzzy Hash: 64515EB6600212DFE7009F6DC848B5677F8EB09725B248129ED4ADB290E774F980EB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
                                                				signed int _t14;
                                                				int _t17;
                                                				void* _t24;
                                                				intOrPtr* _t29;
                                                				void* _t31;
                                                				signed int _t32;
                                                				void* _t35;
                                                				void* _t40;
                                                				signed int _t42;
                                                
                                                				_t29 = __edi;
                                                				_t24 = __ebx;
                                                				_t14 =  *(_t35 - 0x28);
                                                				_t40 = __edx - 0x38;
                                                				 *(_t35 - 0x10) = _t14;
                                                				_t27 = 0 | _t40 == 0x00000000;
                                                				_t32 = _t40 == 0;
                                                				if(_t14 == __ebx) {
                                                					if(__edx != 0x38) {
                                                						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
                                                					} else {
                                                						E00402DA6(0x21);
                                                						E0040653C("C:\Users\jones\AppData\Local\Temp\nstC730.tmp", "C:\Users\jones\AppData\Local\Temp\nstC730.tmp\System.dll", 0x400);
                                                						_t17 = lstrlenA("C:\Users\jones\AppData\Local\Temp\nstC730.tmp\System.dll");
                                                					}
                                                				} else {
                                                					E00402D84(1);
                                                					 *0x40adc8 = __ax;
                                                					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
                                                				}
                                                				 *(_t35 + 8) = _t17;
                                                				if( *_t29 == _t24) {
                                                					L13:
                                                					 *((intOrPtr*)(_t35 - 4)) = 1;
                                                				} else {
                                                					_t31 = E0040647A(_t27, _t29);
                                                					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E004060EB(_t31, _t31) >= 0) {
                                                						_t14 = E004060BC(_t31, "C:\Users\jones\AppData\Local\Temp\nstC730.tmp\System.dll",  *(_t35 + 8));
                                                						_t42 = _t14;
                                                						if(_t42 == 0) {
                                                							goto L13;
                                                						}
                                                					} else {
                                                						goto L13;
                                                					}
                                                				}
                                                				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t35 - 4));
                                                				return 0;
                                                			}













                                                APIs
                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll), ref: 00402695
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: lstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nstC730.tmp$C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll
                                                • API String ID: 1659193697-710139636
                                                • Opcode ID: 94b5b71aa4e8bab5ab4092e73ec8dd6b07f14be24c3351a2e68bf7ce1f7f5cb1
                                                • Instruction ID: fdcd3470e26f59c64840f8c249bec33fde4ddddd182ca34a55142dcc3fd3dd5a
                                                • Opcode Fuzzy Hash: 94b5b71aa4e8bab5ab4092e73ec8dd6b07f14be24c3351a2e68bf7ce1f7f5cb1
                                                • Instruction Fuzzy Hash: 6211E772A10315FACB10BBB19F4AE9E7670AF40748F21443FE002B21C1D6FD8891565E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403019(intOrPtr _a4) {
                                                				long _t2;
                                                				struct HWND__* _t3;
                                                				struct HWND__* _t6;
                                                
                                                				if(_a4 == 0) {
                                                					__eflags =  *0x79f700; // 0x0
                                                					if(__eflags == 0) {
                                                						_t2 = GetTickCount();
                                                						__eflags = _t2 -  *0x7a8a6c;
                                                						if(_t2 >  *0x7a8a6c) {
                                                							_t3 = CreateDialogParamW( *0x7a8a60, 0x6f, 0, E00402F93, 0);
                                                							 *0x79f700 = _t3;
                                                							return ShowWindow(_t3, 5);
                                                						}
                                                						return _t2;
                                                					} else {
                                                						return E00406923(0);
                                                					}
                                                				} else {
                                                					_t6 =  *0x79f700; // 0x0
                                                					if(_t6 != 0) {
                                                						_t6 = DestroyWindow(_t6);
                                                					}
                                                					 *0x79f700 = 0;
                                                					return _t6;
                                                				}
                                                			}







                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040385A,?), ref: 0040302C
                                                • GetTickCount.KERNEL32 ref: 0040304A
                                                • CreateDialogParamW.USER32 ref: 00403067
                                                • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040385A,?), ref: 00403075
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
                                                • Instruction ID: 88099082ea7d1cc716486b810d419c96650c49a7fc0f2dc261fb7bb284c478c3
                                                • Opcode Fuzzy Hash: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
                                                • Instruction Fuzzy Hash: AEF08230502620AFC2216F50FD0898B7F78FB40B52745C47BF145F15A8CB3C09828B9D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 89%
                                                			E004054F0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                				int _t15;
                                                				long _t16;
                                                
                                                				_t15 = _a8;
                                                				if(_t15 != 0x102) {
                                                					if(_t15 != 0x200) {
                                                						_t16 = _a16;
                                                						L7:
                                                						if(_t15 == 0x419 &&  *0x7a1f34 != _t16) {
                                                							_push(_t16);
                                                							_push(6);
                                                							 *0x7a1f34 = _t16;
                                                							E00404EB1();
                                                						}
                                                						L11:
                                                						return CallWindowProcW( *0x7a1f3c, _a4, _t15, _a12, _t16);
                                                					}
                                                					if(IsWindowVisible(_a4) == 0) {
                                                						L10:
                                                						_t16 = _a16;
                                                						goto L11;
                                                					}
                                                					_t16 = E00404E31(_a4, 1);
                                                					_t15 = 0x419;
                                                					goto L7;
                                                				}
                                                				if(_a12 != 0x20) {
                                                					goto L10;
                                                				}
                                                				E004044C2(0x413);
                                                				return 0;
                                                			}






                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 0040551F
                                                • CallWindowProcW.USER32(?,?,?,?), ref: 00405570
                                                  • Part of subcall function 004044C2: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044D4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: 12bfab27e4c440399339c76943a3ce3238f45f096417f1c9bebb63cc2fec6fed
                                                • Instruction ID: 9d4fd90c1d1287ad01f41678c6dcc1ca6f3bae65868fe0495ea0105890a895ad
                                                • Opcode Fuzzy Hash: 12bfab27e4c440399339c76943a3ce3238f45f096417f1c9bebb63cc2fec6fed
                                                • Instruction Fuzzy Hash: CC01BC71100648BFEF209F11ED80A9B3B27FB84390F548037FA057A2E5C77A8D529A69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E004063E8(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                                                				int _v8;
                                                				long _t21;
                                                				long _t24;
                                                				char* _t30;
                                                
                                                				asm("sbb eax, eax");
                                                				_v8 = 0x800;
                                                				_t21 = E00406387(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                				_t30 = _a16;
                                                				if(_t21 != 0) {
                                                					L4:
                                                					 *_t30 =  *_t30 & 0x00000000;
                                                				} else {
                                                					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                					_t21 = RegCloseKey(_a20);
                                                					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                                                					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                						goto L4;
                                                					}
                                                				}
                                                				return _t21;
                                                			}








                                                APIs
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,007A0F28,00000000,?,?,Call,?,?,0040664F,80000002), ref: 0040642E
                                                • RegCloseKey.ADVAPI32(?,?,0040664F,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 00406439
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue
                                                • String ID: Call
                                                • API String ID: 3356406503-1824292864
                                                • Opcode ID: c8e7ab71330f2791f483a460aa46ee3ca29019eaf6ff50790d5d7e2e81223b20
                                                • Instruction ID: 998e79ef7726f2f5777b90a8cc8b3066c283ada07cb0ab9722e08f3c700fe3cb
                                                • Opcode Fuzzy Hash: c8e7ab71330f2791f483a460aa46ee3ca29019eaf6ff50790d5d7e2e81223b20
                                                • Instruction Fuzzy Hash: D1017C72500209AEDF219F51CC09EDB3BB9EB54364F11803AFD1AA2191D738D968DBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403B34() {
                                                				void* _t2;
                                                				void* _t3;
                                                				void* _t6;
                                                				void* _t8;
                                                
                                                				_t8 =  *0x79ff0c; // 0x9b9af0
                                                				_t3 = E00403B19(_t2, 0);
                                                				if(_t8 != 0) {
                                                					do {
                                                						_t6 = _t8;
                                                						_t8 =  *_t8;
                                                						FreeLibrary( *(_t6 + 8));
                                                						_t3 = GlobalFree(_t6);
                                                					} while (_t8 != 0);
                                                				}
                                                				 *0x79ff0c =  *0x79ff0c & 0x00000000;
                                                				return _t3;
                                                			}








                                                APIs
                                                • FreeLibrary.KERNEL32(?,76CDFAA0,00000000,C:\Users\user\AppData\Local\Temp\,00403B0C,00403A3B,?), ref: 00403B4E
                                                • GlobalFree.KERNEL32 ref: 00403B55
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B34
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 1100898210-3081826266
                                                • Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                                                • Instruction ID: 695255c2ecde24bf448a41ac97d2e3a141eb08f66f7233a7170c0cf0b0d44fd9
                                                • Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                                                • Instruction Fuzzy Hash: A0E0123390112057C6215F55FE04B5AB77D6F45B26F05403BE980BB2618B786C428BDC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405F6F(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                				int _v8;
                                                				int _t12;
                                                				int _t14;
                                                				int _t15;
                                                				CHAR* _t17;
                                                				CHAR* _t27;
                                                
                                                				_t12 = lstrlenA(_a8);
                                                				_t27 = _a4;
                                                				_v8 = _t12;
                                                				while(lstrlenA(_t27) >= _v8) {
                                                					_t14 = _v8;
                                                					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                					_t15 = lstrcmpiA(_t27, _a8);
                                                					_t27[_v8] =  *(_t14 + _t27);
                                                					if(_t15 == 0) {
                                                						_t17 = _t27;
                                                					} else {
                                                						_t27 = CharNextA(_t27);
                                                						continue;
                                                					}
                                                					L5:
                                                					return _t17;
                                                				}
                                                				_t17 = 0;
                                                				goto L5;
                                                			}










                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F7F
                                                • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F97
                                                • CharNextA.USER32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA8
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.755415149.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.755408358.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755428109.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755438602.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755693232.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755731847.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755772036.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755817113.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755939181.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.755971847.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756009900.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756022297.00000000007B5000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.756029667.00000000007DA000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Transferencia.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                • Instruction ID: d1bddae3a0f18f97ac1aa465d67762edc6f3aabfb23b395e61e0e19fb30ac715
                                                • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                • Instruction Fuzzy Hash: 50F0C231205414FFD7029FA5DE049AFBBA8EF06250B2140BAE840F7310DA78DE019BA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%