Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
6culQoI97a.exe

Overview

General Information

Sample Name:	6culQoI97a.exe
Analysis ID:	755473
MD5:	d9aa122b8c39444799e60eabbab69502
SHA1:	0175baf7a240c2050571a6df273a892e8b192d81
SHA256:	317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Contains functionality to dynamically determine API calls

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

×

Process Tree

System is w10x64

6culQoI97a.exe (PID: 5172 cmdline: C:\Users\user\Desktop\6culQoI97a.exe MD5: D9AA122B8C39444799E60EABBAB69502)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6culQoI97a.exe	ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe	Virustotal: Detection: 58%			Perma Link

Source: 6culQoI97a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 6culQoI97a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_00406448 FindFirstFileA,FindClose,		0_2_00406448
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_0040589C
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_004027A1 FindFirstFileA,		0_2_004027A1

Source: 6culQoI97a.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 6culQoI97a.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: 6culQoI97a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\6culQoI97a.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_73541A98

Source: C:\Users\user\Desktop\6culQoI97a.exe

Process Stats: CPU usage > 98%

Source: 6culQoI97a.exe	ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\6culQoI97a.exe

File read: C:\Users\user\Desktop\6culQoI97a.exe

Jump to behavior

Source: 6culQoI97a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6culQoI97a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\6culQoI97a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\6culQoI97a.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker

Jump to behavior

Source: C:\Users\user\Desktop\6culQoI97a.exe

File created: C:\Users\user\AppData\Local\Temp\nskAD76.tmp

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winEXE@1/4@0/0

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\6culQoI97a.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: 6culQoI97a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_73542F60 push eax; ret

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_73541A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\6culQoI97a.exe

File created: C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\6culQoI97a.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\6culQoI97a.exe

RDTSC instruction interceptor: First address: 0000000002C434D3 second address: 0000000002C434D3 instructions: 0x00000000 rdtsc 0x00000002 cmp bh, ah 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F1108CE4DA5h 0x00000008 cmp dh, 00000028h 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc

Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_00406448 FindFirstFileA,FindClose,		0_2_00406448
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_0040589C
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 0_2_004027A1 FindFirstFileA,		0_2_004027A1

Source: C:\Users\user\Desktop\6culQoI97a.exe	API call chain: ExitProcess graph end node			graph_0-4415
Source: C:\Users\user\Desktop\6culQoI97a.exe	API call chain: ExitProcess graph end node			graph_0-4249

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_73541A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\6culQoI97a.exe

Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6culQoI97a.exe	73%	ReversingLabs	Win32.Trojan.Woreflint
6culQoI97a.exe	58%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll	0%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.6culQoI97a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File
0.0.6culQoI97a.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	6culQoI97a.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	6culQoI97a.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755473
Start date and time:	2022-11-28 18:32:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	6culQoI97a.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.evad.winEXE@1/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 85.2% (good quality ratio 83.7%) Quality average: 87.2% Quality standard deviation: 22%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll	documentos DHL.Pdf.exe	Get hash	malicious	Browse
	documentos DHL.Pdf.exe	Get hash	malicious	Browse
	9gZFIWeV47.exe	Get hash	malicious	Browse
	9gZFIWeV47.exe	Get hash	malicious	Browse
	Orden de compra #F045678.exe	Get hash	malicious	Browse
	documentos DHL.exe	Get hash	malicious	Browse
	documentos DHL.Pdf.exe	Get hash	malicious	Browse
	Orden de compra #F045678.exe	Get hash	malicious	Browse
	documentos DHL.exe	Get hash	malicious	Browse
	documentos DHL.Pdf.exe	Get hash	malicious	Browse
	documentos DHL.exe	Get hash	malicious	Browse
	documentos DHL.exe	Get hash	malicious	Browse
	BUNKER_INQUIRY_964394771-20221107.exe	Get hash	malicious	Browse
	BUNKER_INQUIRY_964394771-20221107.exe	Get hash	malicious	Browse
	58IGmGvH5X.exe	Get hash	malicious	Browse
	58IGmGvH5X.exe	Get hash	malicious	Browse
	58IGmGvH5X.exe	Get hash	malicious	Browse
	Quote #U2116 106 - Supply of Flex Connector for Diesel Engine Exhaust.exe	Get hash	malicious	Browse
	Quote #U2116 106 - Supply of Flex Connector for Diesel user Exhaust.exe	Get hash	malicious	Browse
	PO 251102022-UNI-TREND.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Lavkonjunkturen.pro

Process:	C:\Users\user\Desktop\6culQoI97a.exe
File Type:	data
Category:	dropped
Size (bytes):	151484
Entropy (8bit):	6.722739524237379
Encrypted:	false
SSDEEP:	3072:i/XcPN2AMaEryngg6xwigaQTpHJVoBMQ/fV:ikUUhnfJrZzcMQ/fV
MD5:	7D35914613D5AE2EE21358270112B5F2
SHA1:	ED7CBBBBC35EBCA9F221B1E22927BF2845B54807
SHA-256:	DF9AA833D7E0B7455D5112DF644234B735D4F8C4E2A1527148E655DE16DA4BA3
SHA-512:	29F422C4B45EE72141D040EA7682A6D4C90858EA42F2FF461A6301B90195F5DF6F79B5F364B55D61A327EE1E5BAAE26F317E42B3965EDBD1ED42EF7F4FCB7793
Malicious:	false
Reputation:	low
Preview:	..zx'il...Y........W.7...HF..$K..B.+.z.$i.z.M6.O..0wG;~Fm.....!gJn..M;&..-Lm.S<......B..Q.N.).C....x.h`.[o.......IL@..^..e(...H....F<U...,.M8m>.l..F...o...W......4....l<h..f....yK...a..n.....LM..U..S7]..b..V..;.W-..pL.k..........w...U...9F..;y.....H..jc......u....\.V...%.O..r.a3=&.mE9.........G..c..Y.&.....\|.....X.~.`...=...e6..W.........w..7..B.U.".m....Q;T..D..A[...E.{...[..f..".....D#a...........sd...l,..t....)tU.[ .u\.M...{3UP...~c_u.......dK..=.1.?..}8.TP.+P.z.H{.>'..2%a...}.f.e\|3C.....R(...Q.`F~..N}Q]H.!.....+.....Y.G...d.\U."......Z....../c..%.t.....@8...D.1.S....N........q.......Kq..........................................................................f.................l.d)f................................................................................................................f.e....f.b..i.LZ.....................................................................................................f!............H...6qqqqqqqqqqqqqqqqqqqqqqq

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice\Grabbers145.Scu187

Process:	C:\Users\user\Desktop\6culQoI97a.exe
File Type:	ASCII text, with very long lines (42820), with no line terminators
Category:	dropped
Size (bytes):	42820
Entropy (8bit):	3.999720795205128
Encrypted:	false
SSDEEP:	768:Y8gLgZjz0mqZY9XVZ3z0Aqa2ogrBpnu2L9l6+EfD5u6IZ46hj0HJPn1W4:LgLgNuYBrA75oIpu2Rl6+20v46QF17
MD5:	63EE366B70BC4507D462A94DD9C637BA
SHA1:	E0E3D34620C83C47F0590BD059AE2066D7F26FE7
SHA-256:	D032E1E9FA29373C0D811D0ED484D69F64DF02C0353DC2B7B4F2D08C44094F8A
SHA-512:	096C8D578842BE10D2B5D88DF5B130EE3D352190158CBF893DC2AC106D2DF6A91BFA17A92F5F48D3EC952A83DB785A05076AC340015832E5EF4D08D5E584EF00
Malicious:	false
Reputation:	low
Preview:	FEE6A8669E78D118DC67A5CFBFFEC42B41EA106FBB6439C877770204CA485EF518706580B268717463D5CB797335A0A4350DCD796FC17224C6434BF095F7CA6B1DB91696C2ADB472E0F9E1E2D5D9262D956F3DB187372096F1F921757D6CF3BF2C192545E4EC2E0119B230B5AE2A35C6F37BA1074F96373F828DDB9E588D13955D1AB94FE615E94016E252B8B38104F562E874B8886AF764B43D98BB66EA7A4F47209579E550F48880977DB1721FBE84477DACD88B7A9715F0DB819F886D56CCEFBB7CF44E40BEFCFF574D5E029E1762B75A84AEB88BC477AD0C2EEA118D4BEE4BCF2EB8DDD0207D78B0EC8551401E1F79E9FB8B2FBE5C4F4026E771F2713CF19CDF0CB33B72276EC057B36A339D1B55FF594867C79F91E160A4306CB89DC803C9D2A891E3B0250832C9561D97669476859BD0FA173F47CCE4052D59DB63C8DA7F75B11332DBC582649E24CAD546663CE0C14FBBE1C832071D322EA51419FF51CF67B56DC3A1EC75B588F2C7B20CAE80771F166C55894E635141CFA69FAE881544C83F0F60B59833A61A433C6F47427621250CE45F35855E28554832210A2F46F0BBC2640B9A2CD045EC3AEF8BDAD8D15D0B80E2F82BA296742D4481221961F2BB57D4461407EAB6FEB6DC9E558BE2DB318A22CDEB0E26889BCA6482843DEB5C73A1C673197F30B4DA15D73000C3C08C5F8CDCD8

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Urationelt\call-missed-symbolic.svg

Process:	C:\Users\user\Desktop\6culQoI97a.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1626
Entropy (8bit):	5.039495966615547
Encrypted:	false
SSDEEP:	24:t42w+Fdw6OyKbRAecFxVrGMalOY3bYnfS/YH6AAHD1gyKbRAecFxVrGMaFC:fONtAecFmMiScmNtAecFmMmC
MD5:	CCC1083D634E112EBE2FAD8D1809FEB7
SHA1:	AFBBB71D1B029B7FBE45E09C7217945A2668D262
SHA-256:	3D961823A04BAC2FF8748D7624AF7D06B10B3D2566AA93540ADB1FC46F6FA6CF
SHA-512:	3962F71527D2B662D5B9EACA2AF12AE414F01497871F3E818D86A9DF03DC9C08F1A9873265F70745857D65ADA87E623E523BEB80B51CCA99E820C459757B96D2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16.006" height="16.013"><path d="M12.98 0a1 1 0 00-.11.01H8v.832A1 1 0 009 2.01h1.586L8 4.596 5.707 2.303a1 1 0 10-1.414 1.414l3 3a1 1 0 001.414 0L12 3.424V5.01a1 1 0 001.158 1H14V1.137a1 1 0 000-.275V.01h-.854A1 1 0 0012.98 0z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal;marker:none" color="#000" font-weight="400" font-family="sans-serif" overflow="visible" fill="#2e3436"/><path class="error" d="M14.242 15.725a.979.979 0 01-1.387 0l-1.04-1.04-1.041-1.04a.979.979 0 010-1.387l.493-.493a6.838 6.838 0 00-6.534 0l.493.493a.979.979 0 010 1.387l-1.04 1.04-1.04 1.04a.979.979 0 01-1.388 0l-1.

C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll

Process:	C:\Users\user\Desktop\6culQoI97a.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.854450882766351
Encrypted:	false
SSDEEP:	192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4
MD5:	34442E1E0C2870341DF55E1B7B3CCCDC
SHA1:	99B2FA21AEAD4B6CCD8FF2F6D3D3453A51D9C70C
SHA-256:	269D232712C86983336BADB40B9E55E80052D8389ED095EBF9214964D43B6BB1
SHA-512:	4A8C57FB12997438B488B862F3FC9DC0F236E07BB47B2BCE6053DCB03AC7AD171842F02AC749F02DDA4719C681D186330524CD2953D33CB50854844E74B33D51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: documentos DHL.Pdf.exe, Detection: malicious, Browse Filename: documentos DHL.Pdf.exe, Detection: malicious, Browse Filename: 9gZFIWeV47.exe, Detection: malicious, Browse Filename: 9gZFIWeV47.exe, Detection: malicious, Browse Filename: Orden de compra #F045678.exe, Detection: malicious, Browse Filename: documentos DHL.exe, Detection: malicious, Browse Filename: documentos DHL.Pdf.exe, Detection: malicious, Browse Filename: Orden de compra #F045678.exe, Detection: malicious, Browse Filename: documentos DHL.exe, Detection: malicious, Browse Filename: documentos DHL.Pdf.exe, Detection: malicious, Browse Filename: documentos DHL.exe, Detection: malicious, Browse Filename: documentos DHL.exe, Detection: malicious, Browse Filename: BUNKER_INQUIRY_964394771-20221107.exe, Detection: malicious, Browse Filename: BUNKER_INQUIRY_964394771-20221107.exe, Detection: malicious, Browse Filename: 58IGmGvH5X.exe, Detection: malicious, Browse Filename: 58IGmGvH5X.exe, Detection: malicious, Browse Filename: 58IGmGvH5X.exe, Detection: malicious, Browse Filename: Quote #U2116 106 - Supply of Flex Connector for Diesel Engine Exhaust.exe, Detection: malicious, Browse Filename: Quote #U2116 106 - Supply of Flex Connector for Diesel user Exhaust.exe, Detection: malicious, Browse Filename: PO 251102022-UNI-TREND.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....`...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.777623756268328
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6culQoI97a.exe
File size:	334430
MD5:	d9aa122b8c39444799e60eabbab69502
SHA1:	0175baf7a240c2050571a6df273a892e8b192d81
SHA256:	317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143
SHA512:	4ba7e997ffad2ce396faa08d8be8cd6b7073e37828b347fad1ca3f1112d257ecd235c7df9d3d6c78e6b9f96ce878c5fbe2d2a70f7428648f1d2aa14aba7f5d38
SSDEEP:	6144:0x/MQs/IvHdjSzIH1qrb+WECj3wc0ibE0+Ix:wxAIVu8VWb+WEY3LbEt6
TLSH:	7964F1253F64DC27C2A906708EF3D329D6F9D9406E634717BB8177ACBD31780B91A18A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L......`.................d....9.....%3............@

File Icon


Icon Hash:	6070dee2bab2c43c

Static PE Info

General

Entrypoint:	0x403325
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC909C [Sat Jul 24 22:13:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A2F6Ch], eax
je 00007F11089BBEB3h
push ebx
call 00007F11089BF016h
cmp eax, ebx
je 00007F11089BBEA9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F11089BEF92h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F11089BBE8Dh
push 0000000Bh
call 00007F11089BEFEAh
push 00000009h
call 00007F11089BEFE3h
push 00000007h
mov dword ptr [007A2F64h], eax
call 00007F11089BEFD7h
cmp eax, ebx
je 00007F11089BBEB1h
push 0000001Eh
call eax
test eax, eax
je 00007F11089BBEA9h
or byte ptr [007A2F6Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [007A3038h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E528h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c7000	0x28868	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6230	0x6400	False	0.6699609375	data	6.441889952551939	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1274	0x1400	False	0.4337890625	data	5.061067348371254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x399078	0x600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a4000	0x23000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c7000	0x28868	0x28a00	False	0.5296875	data	5.194338163153121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x3c73b8	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States
RT_ICON	0x3c7720	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States
RT_ICON	0x3d7f48	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States
RT_ICON	0x3e13f0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States
RT_ICON	0x3e6878	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States
RT_ICON	0x3eaaa0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x3ed048	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x3ee0f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x3eea78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x3eeee0	0x144	data	English	United States
RT_DIALOG	0x3ef028	0x13c	data	English	United States
RT_DIALOG	0x3ef168	0x100	data	English	United States
RT_DIALOG	0x3ef268	0x11c	data	English	United States
RT_DIALOG	0x3ef388	0xc4	data	English	United States
RT_DIALOG	0x3ef450	0x60	data	English	United States
RT_GROUP_ICON	0x3ef4b0	0x76	data	English	United States
RT_MANIFEST	0x3ef528	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 6culQoI97a.exePID: 5172, Parent PID: 3452

General

Target ID:	0
Start time:	18:33:04
Start date:	28/11/2022
Path:	C:\Users\user\Desktop\6culQoI97a.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\6culQoI97a.exe
Imagebase:	0x400000
File size:	334430 bytes
MD5 hash:	D9AA122B8C39444799E60EABBAB69502
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 6culQoI97a.exePID: 5172, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	21.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.5%
Total number of Nodes:	1560
Total number of Limit Nodes:	44

Executed Functions

Function 00403325 Relevance: 94.9, APIs: 32, Strings: 22, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t63;
				int _t66;
				signed int _t67;
				int _t68;
				signed int _t70;
				intOrPtr _t86;
				intOrPtr _t92;
				void* _t94;
				signed int _t110;
				void* _t113;
				void* _t118;
				intOrPtr* _t119;
				char _t122;
				signed int _t141;
				signed int _t142;
				int _t150;
				void* _t151;
				intOrPtr* _t153;
				CHAR* _t156;
				CHAR* _t157;
				void* _t159;
				char* _t160;
				void* _t163;
				void* _t164;
				intOrPtr _t177;
				char _t189;

				 *(_t164 + 0x18) = 0;
				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t164 + 0x20) = 0;
				 *(_t164 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x7a2f6c = _t42;
				if(_t42 != 6) {
					_t119 = E004064DD(0);
					if(_t119 != 0) {
						 *_t119(0xc00);
					}
				}
				_t156 = "UXTHEME";
				do {
					E0040646F(_t156); // executed
					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
				} while ( *_t156 != 0);
				E004064DD(0xb);
				 *0x7a2f64 = E004064DD(9);
				_t47 = E004064DD(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x7a2f6f =  *0x7a2f6f | 0x00000040;
					}
				}
				__imp__#17(_t159);
				__imp__OleInitialize(0); // executed
				 *0x7a3038 = _t47;
				SHGetFileInfoA(0x79e528, 0, _t164 + 0x38, 0x160, 0); // executed
				E004060D4("Resultatlst", "NSIS Error");
				_t51 = GetCommandLineA();
				_t160 = "\"C:\\Users\\hardz\\Desktop\\6culQoI97a.exe\"";
				E004060D4(_t160, _t51);
				 *0x7a2f60 = 0x400000;
				_t53 = _t160;
				if("\"C:\\Users\\hardz\\Desktop\\6culQoI97a.exe\"" == 0x22) {
					 *(_t164 + 0x14) = 0x22;
					_t53 =  &M007A9001;
				}
				_t55 = CharNextA(E00405A97(_t53,  *(_t164 + 0x14)));
				 *(_t164 + 0x1c) = _t55;
				while(1) {
					_t122 =  *_t55;
					_t172 = _t122;
					if(_t122 == 0) {
						break;
					}
					__eflags = _t122 - 0x20;
					if(_t122 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t164 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t164 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405A97(_t55,  *(_t164 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E004060D4("C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten",  &(_t55[2]));
										L30:
										_t157 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t157); // executed
										_t59 = E004032F4(_t172);
										_t173 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EA1(_t175,  *(_t164 + 0x20)); // executed
											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												E0040380D();
												__imp__OleUninitialize();
												_t185 =  *((intOrPtr*)(_t164 + 0x10));
												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
													__eflags =  *0x7a3014;
													if( *0x7a3014 == 0) {
														L67:
														_t63 =  *0x7a302c;
														__eflags = _t63 - 0xffffffff;
														if(_t63 != 0xffffffff) {
															 *(_t164 + 0x14) = _t63;
														}
														ExitProcess( *(_t164 + 0x14));
													}
													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
													__eflags = _t66;
													_t150 = 2;
													if(_t66 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
														 *(_t164 + 0x38) = 1;
														 *(_t164 + 0x44) = _t150;
														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
													}
													_t67 = E004064DD(4);
													__eflags = _t67;
													if(_t67 == 0) {
														L65:
														_t68 = ExitWindowsEx(_t150, 0x80040002);
														__eflags = _t68;
														if(_t68 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t70;
														if(_t70 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E004057F0( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											_t177 =  *0x7a2f80; // 0x0
											if(_t177 == 0) {
												L42:
												 *0x7a302c =  *0x7a302c | 0xffffffff;
												 *(_t164 + 0x18) = E004038E7( *0x7a302c);
												goto L43;
											}
											_t153 = E00405A97(_t160, 0);
											if(_t153 < _t160) {
												L39:
												_t182 = _t153 - _t160;
												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
												if(_t153 < _t160) {
													_t151 = E0040575B(_t185);
													lstrcatA(_t157, "~nsu");
													if(_t151 != 0) {
														lstrcatA(_t157, "A");
													}
													lstrcatA(_t157, ".tmp");
													_t162 = "C:\\Users\\hardz\\Desktop";
													if(lstrcmpiA(_t157, "C:\\Users\\hardz\\Desktop") != 0) {
														_push(_t157);
														if(_t151 == 0) {
															E0040573E();
														} else {
															E004056C1();
														}
														SetCurrentDirectoryA(_t157);
														_t189 = "C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten"; // 0x43
														if(_t189 == 0) {
															E004060D4("C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten", _t162);
														}
														E004060D4("540027183",  *(_t164 + 0x1c));
														_t137 = "A";
														_t163 = 0x1a;
														do {
															_t86 =  *0x7a2f74; // 0x94d040
															E00406167(0, 0x79e128, _t157, 0x79e128,  *((intOrPtr*)(_t86 + 0x120)));
															DeleteFileA(0x79e128);
															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\6culQoI97a.exe", 0x79e128, 1) != 0) {
																E00405EB3(_t137, 0x79e128, 0);
																_t92 =  *0x7a2f74; // 0x94d040
																E00406167(0, 0x79e128, _t157, 0x79e128,  *((intOrPtr*)(_t92 + 0x124)));
																_t94 = E00405773(0x79e128);
																if(_t94 != 0) {
																	CloseHandle(_t94);
																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
																}
															}
															"46399488" =  &("46399488"[1]);
															_t163 = _t163 - 1;
														} while (_t163 != 0);
														E00405EB3(_t137, _t157, 0);
													}
													goto L43;
												}
												 *_t153 = 0;
												_t154 = _t153 + 4;
												if(E00405B5A(_t182, _t153 + 4) == 0) {
													goto L43;
												}
												E004060D4("C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten", _t154);
												E004060D4("C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten\\Pollen47\\Disvoice", _t154);
												 *((intOrPtr*)(_t164 + 0x10)) = 0;
												goto L42;
											}
											_t110 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
											while( *_t153 != _t110) {
												_t153 = _t153 - 1;
												if(_t153 >= _t160) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t157, 0x3fb);
										lstrcatA(_t157, "\\Temp");
										_t113 = E004032F4(_t173);
										_t174 = _t113;
										if(_t113 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t157);
										lstrcatA(_t157, "Low");
										SetEnvironmentVariableA("TEMP", _t157);
										SetEnvironmentVariableA("TMP", _t157);
										_t118 = E004032F4(_t174);
										_t175 = _t118;
										if(_t118 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t141 = _t55[4];
								__eflags = _t141 - 0x20;
								if(_t141 == 0x20) {
									L23:
									_t15 = _t164 + 0x20;
									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t141;
								if(_t141 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t142 = _t55[1];
							__eflags = _t142 - 0x20;
							if(_t142 == 0x20) {
								L19:
								 *0x7a3020 = 1;
								goto L20;
							}
							__eflags = _t142;
							if(_t142 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x00403335
0x00403339
0x00403341
0x00403345
0x0040334a
0x00403356
0x0040335f
0x00403364
0x00403367
0x0040336e
0x00403375
0x00403375
0x0040336e
0x00403377
0x0040337c
0x0040337d
0x00403389
0x0040338d
0x00403393
0x004033a1
0x004033a6
0x004033ad
0x004033b1
0x004033b5
0x004033b7
0x004033b7
0x004033b5
0x004033bf
0x004033c6
0x004033cc
0x004033e2
0x004033f2
0x004033f7
0x004033fd
0x00403404
0x00403410
0x0040341a
0x0040341c
0x0040341e
0x00403423
0x00403423
0x00403433
0x00403439
0x00403502
0x00403502
0x00403504
0x00403506
0x00000000
0x00000000
0x00403442
0x00403445
0x0040344d
0x0040344d
0x00403450
0x00403455
0x00403457
0x00403457
0x00403458
0x00403458
0x0040345d
0x00403460
0x004034f2
0x004034f7
0x004034fc
0x004034ff
0x00403501
0x00403501
0x00403501
0x00000000
0x00403466
0x00403466
0x00403467
0x0040346a
0x00403482
0x004034ad
0x004034af
0x004034c2
0x004034ed
0x004034f0
0x0040350e
0x00403511
0x0040351a
0x0040351f
0x00403525
0x00403530
0x00403532
0x00403537
0x00403539
0x00403591
0x00403596
0x004035a0
0x004035a7
0x004035ab
0x0040363f
0x0040363f
0x00403644
0x0040364a
0x0040364f
0x00403773
0x00403779
0x004037f5
0x004037f5
0x004037fa
0x004037fd
0x004037ff
0x004037ff
0x00403807
0x00403807
0x00403789
0x00403791
0x00403793
0x00403794
0x004037a1
0x004037b4
0x004037bc
0x004037c0
0x004037c0
0x004037c8
0x004037cd
0x004037d4
0x004037e2
0x004037e4
0x004037ea
0x004037ec
0x00000000
0x00000000
0x00000000
0x004037d6
0x004037dc
0x004037de
0x004037e0
0x004037ee
0x004037f0
0x00000000
0x004037f0
0x00000000
0x004037e0
0x004037d4
0x0040365e
0x00403665
0x00403665
0x004035b1
0x004035b7
0x0040362f
0x0040362f
0x0040363b
0x00000000
0x0040363b
0x004035c0
0x004035c4
0x004035fa
0x004035fa
0x004035fc
0x00403604
0x00403676
0x00403678
0x0040367f
0x00403687
0x00403687
0x00403692
0x00403697
0x004036a6
0x004036aa
0x004036ab
0x004036b4
0x004036ad
0x004036ad
0x004036ad
0x004036ba
0x004036c0
0x004036c6
0x004036ce
0x004036ce
0x004036dc
0x004036e1
0x004036f3
0x00403701
0x00403701
0x0040370d
0x00403713
0x0040371d
0x00403733
0x00403738
0x00403744
0x0040374a
0x00403751
0x00403754
0x0040375a
0x0040375a
0x00403751
0x0040375e
0x00403764
0x00403764
0x00403769
0x00403769
0x00000000
0x004036a6
0x00403606
0x00403608
0x00403613
0x00000000
0x00000000
0x0040361b
0x00403626
0x0040362b
0x00000000
0x0040362b
0x004035ef
0x004035f1
0x004035f5
0x004035f8
0x00000000
0x00000000
0x00000000
0x004035f8
0x00000000
0x004035f1
0x00403541
0x0040354d
0x00403552
0x00403557
0x00403559
0x00000000
0x00000000
0x00403561
0x00403569
0x0040357a
0x00403582
0x00403584
0x00403589
0x0040358b
0x00000000
0x00000000
0x00000000
0x0040358b
0x00000000
0x004034f0
0x004034b1
0x004034b4
0x004034b7
0x004034bd
0x004034bd
0x004034bd
0x004034bd
0x00000000
0x004034bd
0x004034b9
0x004034bb
0x00000000
0x00000000
0x00000000
0x004034bb
0x0040346c
0x0040346f
0x00403472
0x00403478
0x00403478
0x00000000
0x00403478
0x00403474
0x00403476
0x00000000
0x00000000
0x00000000
0x00403476
0x00000000
0x00000000
0x00000000
0x00403447
0x00403447
0x00403447
0x00403448
0x00403448
0x00000000
0x00403447
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 0040334A
GetVersion.KERNEL32 ref: 00403350
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403383
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033BF
OleInitialize.OLE32(00000000), ref: 004033C6
SHGetFileInfoA.SHELL32(0079E528,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 004033E2
GetCommandLineA.KERNEL32(Resultatlst,NSIS Error,?,00000007,00000009,0000000B), ref: 004033F7
CharNextA.USER32(00000000,"C:\Users\user\Desktop\6culQoI97a.exe",00000020,"C:\Users\user\Desktop\6culQoI97a.exe",00000000,?,00000007,00000009,0000000B), ref: 00403433
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403530
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403541
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040354D
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403561
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403569
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040357A
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403582
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403596

Part of subcall function 004064DD: GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
Part of subcall function 004064DD: GetProcAddress.KERNEL32(00000000,?), ref: 0040650A

Part of subcall function 004038E7: GetUserDefaultUILanguage.KERNELBASE(00000002,74D0FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\6culQoI97a.exe",00000000), ref: 00403901
Part of subcall function 004038E7: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,74D0FA90), ref: 004039D7
Part of subcall function 004038E7: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000), ref: 004039EA
Part of subcall function 004038E7: GetFileAttributesA.KERNEL32(Call), ref: 004039F5
Part of subcall function 004038E7: LoadImageA.USER32 ref: 00403A3E
Part of subcall function 004038E7: RegisterClassA.USER32 ref: 00403A7B

Part of subcall function 0040380D: CloseHandle.KERNEL32(00000280,00403644,?,?,00000007,00000009,0000000B), ref: 00403818

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403644
ExitProcess.KERNEL32 ref: 00403665
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 00403782
OpenProcessToken.ADVAPI32(00000000), ref: 00403789
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037A1
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037C0
ExitWindowsEx.USER32 ref: 004037E4
ExitProcess.KERNEL32 ref: 00403807

Part of subcall function 004057F0: MessageBoxIndirectA.USER32 ref: 0040584B

Strings

UXTHEME, xrefs: 00403377, 0040337C, 00403382
~nsu, xrefs: 00403670
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten, xrefs: 00403515, 00403616, 004036C0, 004036C9
SeShutdownPrivilege, xrefs: 0040379B
", xrefs: 00403458
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice, xrefs: 00403621
1033, xrefs: 00403591
TMP, xrefs: 0040357D
C:\Users\user\Desktop\6culQoI97a.exe, xrefs: 00403722
.tmp, xrefs: 0040368C
TEMP, xrefs: 00403575
\Temp, xrefs: 00403547
C:\Users\user\AppData\Local\Temp\, xrefs: 00403525, 0040352A, 00403540, 0040354C, 0040355B, 00403568, 00403574, 0040357C, 00403675, 00403686, 00403691, 0040369D, 004036AA, 004036B9, 00403768
Low, xrefs: 00403563
540027183, xrefs: 004036D7
(y, xrefs: 004036F6
Resultatlst, xrefs: 004033ED
"C:\Users\user\Desktop\6culQoI97a.exe", xrefs: 004033FD, 00403403, 004035BA
NSIS Error, xrefs: 004033E8
Error launching installer, xrefs: 004035FC
C:\Users\user\Desktop, xrefs: 00403697, 0040369C, 004036C8
46399488, xrefs: 004036FB, 0040375E

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\6culQoI97a.exe"$(y$.tmp$1033$46399488$540027183$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\6culQoI97a.exe$Error launching installer$Low$NSIS Error$Resultatlst$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1314998376-2393349186
Opcode ID: 1195337d90c26c4f7dc82a4c41dbf044501a9304385343c07f335edd965a58af
Instruction ID: 97d63beb8df843ca38620017436ed0801945ee3064957e10bbaedf14490df2b6
Opcode Fuzzy Hash: 1195337d90c26c4f7dc82a4c41dbf044501a9304385343c07f335edd965a58af
Instruction Fuzzy Hash: B6C1F7705047816ED7216F759D89A2F3EACAB86306F05453EF182B61D2CB7C8A15CB2F

Uniqueness

Uniqueness Score: -1.00%

Function 73541A98 Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E73541A98() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				CHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				CHAR* _t207;
				signed int _t210;
				void* _t212;
				void* _t214;
				CHAR* _t216;
				void* _t224;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t228;
				signed short _t230;
				struct HINSTANCE__* _t233;
				struct HINSTANCE__* _t235;
				void* _t236;
				char* _t237;
				void* _t248;
				signed char _t249;
				signed int _t250;
				void* _t254;
				struct HINSTANCE__* _t256;
				void* _t257;
				signed int _t259;
				intOrPtr _t260;
				char* _t263;
				signed int _t268;
				signed int _t271;
				signed int _t273;
				void* _t276;
				void* _t280;
				struct HINSTANCE__* _t282;
				intOrPtr _t285;
				void _t286;
				signed int _t287;
				signed int _t299;
				signed int _t300;
				intOrPtr _t303;
				void* _t304;
				signed int _t308;
				signed int _t311;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				intOrPtr _t319;
				intOrPtr* _t320;
				CHAR* _t321;
				CHAR* _t323;
				CHAR* _t324;
				struct HINSTANCE__* _t325;
				void* _t327;
				signed int _t328;
				void* _t329;

				_t282 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t329 = 0;
				_v52 = 0;
				_v44 = 0;
				_t207 = E73541215();
				_v24 = _t207;
				_v28 = _t207;
				_v48 = E73541215();
				_t320 = E7354123B();
				_v56 = _t320;
				_v12 = _t320;
				while(1) {
					_t210 = _v32;
					_v60 = _t210;
					if(_t210 != _t282 && _t329 == _t282) {
						break;
					}
					_t319 =  *_t320;
					_t285 = _t319;
					_t212 = _t285 - _t282;
					if(_t212 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t214 = _v60 - _t282;
						if(_t214 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t329 - _t282;
							if(_t329 == _t282) {
								_t254 = GlobalAlloc(0x40, 0x14a4); // executed
								_t329 = _t254;
								 *(_t329 + 0x810) = _t282;
								 *(_t329 + 0x814) = _t282;
							}
							_t286 = _v36;
							_t47 = _t329 + 8; // 0x8
							_t216 = _t47;
							_t48 = _t329 + 0x408; // 0x408
							_t321 = _t48;
							 *_t329 = _t286;
							 *_t216 =  *_t216 & 0x00000000;
							 *(_t329 + 0x808) = _t282;
							 *_t321 =  *_t321 & 0x00000000;
							_t287 = _t286 - _t282;
							__eflags = _t287;
							 *(_t329 + 0x80c) = _t282;
							 *(_t329 + 4) = _t282;
							if(_t287 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t327 = 0;
								GlobalFree(_t329);
								_t329 = E735412FE(_v24);
								__eflags = _t329 - _t282;
								if(_t329 == _t282) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t248 =  *(_t329 + 0x14a0);
									__eflags = _t248 - _t282;
									if(_t248 == _t282) {
										break;
									}
									_t327 = _t329;
									_t329 = _t248;
									__eflags = _t329 - _t282;
									if(_t329 != _t282) {
										continue;
									}
									break;
								}
								__eflags = _t327 - _t282;
								if(_t327 != _t282) {
									 *(_t327 + 0x14a0) = _t282;
								}
								_t249 =  *(_t329 + 0x810);
								__eflags = _t249 & 0x00000008;
								if((_t249 & 0x00000008) == 0) {
									_t250 = _t249 | 0x00000002;
									__eflags = _t250;
									 *(_t329 + 0x810) = _t250;
								} else {
									_t329 = E73541534(_t329);
									 *(_t329 + 0x810) =  *(_t329 + 0x810) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t299 = _t287 - 1;
								__eflags = _t299;
								if(_t299 == 0) {
									L31:
									lstrcpyA(_t216, _v48);
									L32:
									lstrcpyA(_t321, _v24);
									goto L42;
								}
								_t300 = _t299 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									goto L32;
								}
								__eflags = _t300 != 1;
								if(_t300 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t214 == 1) {
								_t256 = _v16;
								if(_v40 == _t282) {
									_t256 = _t256 - 1;
								}
								 *(_t329 + 0x814) = _t256;
							}
							L42:
							_v12 = _v12 + 1;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t320 = _v12;
								continue;
							}
							break;
						}
					}
					_t257 = _t212 - 0x23;
					if(_t257 == 0) {
						__eflags = _t320 - _v56;
						if(_t320 <= _v56) {
							L17:
							__eflags = _v44 - _t282;
							if(_v44 != _t282) {
								L43:
								_t259 = _v32 - _t282;
								__eflags = _t259;
								if(_t259 == 0) {
									_t260 = _t319;
									while(1) {
										__eflags = _t260 - 0x22;
										if(_t260 != 0x22) {
											break;
										}
										_t320 = _t320 + 1;
										__eflags = _v44 - _t282;
										_v12 = _t320;
										if(_v44 == _t282) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[1]);
											 *_v28 =  *_t320;
											L58:
											_t328 = _t320 + 1;
											__eflags = _t328;
											_v12 = _t328;
											goto L59;
										}
										_t260 =  *_t320;
										_v44 = _t282;
									}
									__eflags = _t260 - 0x2a;
									if(_t260 == 0x2a) {
										_v36 = 2;
										L57:
										_t320 = _v12;
										_v28 = _v24;
										_t282 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t260 - 0x2d;
									if(_t260 == 0x2d) {
										L151:
										_t303 =  *_t320;
										__eflags = _t303 - 0x2d;
										if(_t303 != 0x2d) {
											L154:
											_t263 = _t320 + 1;
											__eflags =  *_t263 - 0x3a;
											if( *_t263 != 0x3a) {
												goto L162;
											}
											__eflags = _t303 - 0x2d;
											if(_t303 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t263;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 =  *_v48 & 0x00000000;
											} else {
												 *_v28 =  *_v28 & 0x00000000;
												lstrcpyA(_v48, _v24);
											}
											goto L57;
										}
										_t263 = _t320 + 1;
										__eflags =  *_t263 - 0x3e;
										if( *_t263 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t260 - 0x3a;
									if(_t260 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t268 = _t259 - 1;
								__eflags = _t268;
								if(_t268 == 0) {
									L80:
									_t304 = _t285 + 0xffffffde;
									__eflags = _t304 - 0x55;
									if(_t304 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t304 + 0x73542259) & 0x000000ff) * 4 +  &M735421CD))) {
										case 0:
											__eax = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												L131:
												__eflags =  *(__edi + 1) - __dl;
												if( *(__edi + 1) != __dl) {
													L136:
													 *__eax =  *__eax & 0x00000000;
													__eax = E73541224(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __cl;
												if(__cl == 0) {
													goto L136;
												}
												__eflags = __cl - __dl;
												if(__cl == __dl) {
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__cl =  *__edi;
												 *__eax =  *__edi;
												__eax = __eax + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 1;
											__ebx = E73541215();
											 &_v12 = E73541A36( &_v12);
											__eax = E73541429(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E73541A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t270 =  *(_t329 + 0x814);
											__eflags = _t270 - _v16;
											if(_t270 > _v16) {
												_v16 = _t270;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t270 - (_v36 == 3);
											if(_t270 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E73541A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(3);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x7354305c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x818) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x828) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E73541A36( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x81c)) = _v8;
												_t136 = _v16 + 0x41; // 0x41
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x830)) = 0;
												 *((intOrPtr*)(__edi + 0x82c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x82c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x830; // 0x830
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t271 = _t268 - 1;
								__eflags = _t271;
								if(_t271 == 0) {
									_v16 = _t282;
									goto L80;
								}
								__eflags = _t271 != 1;
								if(_t271 != 1) {
									goto L162;
								}
								__eflags = _t285 - 0x6e;
								if(__eflags > 0) {
									_t308 = _t285 - 0x72;
									__eflags = _t308;
									if(_t308 == 0) {
										_push(4);
										L74:
										_pop(_t273);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t329 + 0x810;
											 *_t96 =  *(_t329 + 0x810) &  !_t273;
											__eflags =  *_t96;
										} else {
											 *(_t329 + 0x810) =  *(_t329 + 0x810) | _t273;
										}
										_v8 = 1;
										goto L57;
									}
									_t311 = _t308 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t311 != 0;
									if(_t311 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t314 = _t285 - 0x21;
								__eflags = _t314;
								if(_t314 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t315 = _t314 - 0x11;
								__eflags = _t315;
								if(_t315 == 0) {
									_t273 = 0x100;
									goto L75;
								}
								_t316 = _t315 - 0x31;
								__eflags = _t316;
								if(_t316 == 0) {
									_t273 = 1;
									goto L75;
								}
								__eflags = _t316 != 0;
								if(_t316 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t282;
								_v36 = _t282;
								goto L20;
							}
						}
						__eflags =  *((char*)(_t320 - 1)) - 0x3a;
						if( *((char*)(_t320 - 1)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t282;
						if(_v32 == _t282) {
							goto L43;
						}
						goto L17;
					}
					_t276 = _t257 - 5;
					if(_t276 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t282;
							_v20 = _t282;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t282;
							goto L20;
						}
					}
					_t280 = _t276 - 1;
					if(_t280 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t282;
							_v20 = _t282;
							goto L20;
						}
					}
					if(_t280 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t329 == _t282 ||  *(_t329 + 0x80c) != _t282) {
					L182:
					return _t329;
				} else {
					_t224 =  *_t329 - 1;
					if(_t224 == 0) {
						_t187 = _t329 + 8; // 0x8
						_t323 = _t187;
						__eflags =  *_t323;
						if( *_t323 != 0) {
							_t225 = GetModuleHandleA(_t323);
							__eflags = _t225 - _t282;
							 *(_t329 + 0x808) = _t225;
							if(_t225 != _t282) {
								L171:
								_t192 = _t329 + 0x408; // 0x408
								_t324 = _t192;
								_t226 = E735415C2( *(_t329 + 0x808), _t324);
								__eflags = _t226 - _t282;
								 *(_t329 + 0x80c) = _t226;
								if(_t226 == _t282) {
									__eflags =  *_t324 - 0x23;
									if( *_t324 == 0x23) {
										_t195 = _t329 + 0x409; // 0x409
										_t230 = E735412FE(_t195);
										__eflags = _t230 - _t282;
										if(_t230 != _t282) {
											__eflags = _t230 & 0xffff0000;
											if((_t230 & 0xffff0000) == 0) {
												 *(_t329 + 0x80c) = GetProcAddress( *(_t329 + 0x808), _t230 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t282;
								if(_v52 != _t282) {
									L178:
									_t324[lstrlenA(_t324)] = 0x41;
									_t228 = E735415C2( *(_t329 + 0x808), _t324);
									__eflags = _t228 - _t282;
									if(_t228 != _t282) {
										L166:
										 *(_t329 + 0x80c) = _t228;
										goto L182;
									}
									__eflags =  *(_t329 + 0x80c) - _t282;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t205 = _t329 + 4;
									 *_t205 =  *(_t329 + 4) | 0xffffffff;
									__eflags =  *_t205;
									goto L182;
								} else {
									__eflags =  *(_t329 + 0x80c) - _t282;
									if( *(_t329 + 0x80c) != _t282) {
										goto L182;
									}
									goto L178;
								}
							}
							_t233 = LoadLibraryA(_t323);
							__eflags = _t233 - _t282;
							 *(_t329 + 0x808) = _t233;
							if(_t233 == _t282) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t329 + 0x408; // 0x408
						_t235 = E735412FE(_t188);
						 *(_t329 + 0x80c) = _t235;
						__eflags = _t235 - _t282;
						goto L180;
					}
					_t236 = _t224 - 1;
					if(_t236 == 0) {
						_t185 = _t329 + 0x408; // 0x408
						_t237 = _t185;
						__eflags =  *_t237;
						if( *_t237 == 0) {
							goto L182;
						}
						_t228 = E735412FE(_t237);
						L165:
						goto L166;
					}
					if(_t236 != 1) {
						goto L182;
					}
					_t81 = _t329 + 8; // 0x8
					_t283 = _t81;
					_t325 = E735412FE(_t81);
					 *(_t329 + 0x808) = _t325;
					if(_t325 == 0) {
						goto L181;
					}
					 *(_t329 + 0x84c) =  *(_t329 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x850)) = E73541224(_t283);
					 *(_t329 + 0x83c) =  *(_t329 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x848)) = 1;
					 *((intOrPtr*)(_t329 + 0x838)) = 1;
					_t90 = _t329 + 0x408; // 0x408
					_t228 =  *(_t325->i + E735412FE(_t90) * 4);
					goto L165;
				}
			}

0x73541aa0
0x73541aa3
0x73541aa6
0x73541aa9
0x73541aac
0x73541aaf
0x73541ab2
0x73541ab4
0x73541ab7
0x73541aba
0x73541abf
0x73541ac2
0x73541aca
0x73541ad2
0x73541ad4
0x73541ad7
0x73541adf
0x73541adf
0x73541ae4
0x73541ae7
0x00000000
0x00000000
0x73541af1
0x73541af3
0x73541af8
0x73541afa
0x73541b8b
0x73541b8b
0x73541b8b
0x73541b8f
0x73541b92
0x73541b94
0x73541bb6
0x73541bb9
0x73541bbb
0x73541bc4
0x73541bca
0x73541bcc
0x73541bd2
0x73541bd2
0x73541bd8
0x73541bdb
0x73541bdb
0x73541bde
0x73541bde
0x73541be4
0x73541be6
0x73541be9
0x73541bef
0x73541bf2
0x73541bf2
0x73541bf4
0x73541bfa
0x73541bfd
0x73541c21
0x73541c24
0x00000000
0x00000000
0x73541c27
0x73541c29
0x73541c37
0x73541c3a
0x73541c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x73541c3e
0x73541c3e
0x73541c3e
0x73541c44
0x73541c46
0x00000000
0x00000000
0x73541c48
0x73541c4a
0x73541c4c
0x73541c4e
0x00000000
0x00000000
0x00000000
0x73541c4e
0x73541c50
0x73541c52
0x73541c54
0x73541c54
0x73541c5a
0x73541c60
0x73541c62
0x73541c76
0x73541c76
0x73541c78
0x73541c64
0x73541c6a
0x73541c6d
0x73541c6d
0x00000000
0x73541bff
0x73541bff
0x73541bff
0x73541c00
0x73541c08
0x73541c0c
0x73541c12
0x73541c16
0x00000000
0x73541c16
0x73541c02
0x73541c02
0x73541c03
0x00000000
0x00000000
0x73541c05
0x73541c06
0x00000000
0x00000000
0x00000000
0x73541c06
0x73541b96
0x73541b97
0x73541ba0
0x73541ba3
0x73541bb0
0x73541bb0
0x73541ba5
0x73541ba5
0x73541c7e
0x73541c81
0x73541c84
0x73541cf6
0x73541cfa
0x73541adc
0x00000000
0x73541adc
0x00000000
0x73541cfa
0x73541b94
0x73541b00
0x73541b03
0x73541b66
0x73541b69
0x73541b7a
0x73541b7a
0x73541b7d
0x73541c89
0x73541c8c
0x73541c8c
0x73541c8e
0x73542033
0x73542045
0x73542045
0x73542047
0x00000000
0x00000000
0x73542037
0x73542038
0x7354203b
0x7354203e
0x735420ba
0x735420c1
0x735420c6
0x735420c9
0x73541cf2
0x73541cf2
0x73541cf2
0x73541cf3
0x00000000
0x73541cf3
0x73542040
0x73542042
0x73542042
0x73542049
0x7354204b
0x735420ae
0x73541ce7
0x73541cea
0x73541ced
0x73541cf0
0x73541cf0
0x00000000
0x73541cf0
0x7354204d
0x7354204f
0x73542055
0x73542055
0x73542057
0x7354205a
0x7354206d
0x7354206d
0x73542070
0x73542073
0x00000000
0x00000000
0x73542075
0x73542078
0x00000000
0x00000000
0x7354207a
0x73542081
0x73542081
0x73542087
0x7354208a
0x735420a6
0x7354208c
0x73542095
0x73542098
0x73542098
0x00000000
0x7354208a
0x7354205c
0x7354205f
0x73542062
0x00000000
0x00000000
0x73542064
0x00000000
0x73542064
0x73542051
0x73542053
0x00000000
0x00000000
0x00000000
0x73542053
0x73541c94
0x73541c94
0x73541c95
0x73541dde
0x73541dde
0x73541de5
0x73541de8
0x00000000
0x00000000
0x73541df5
0x00000000
0x73541fdb
0x73541fde
0x73541fe1
0x73541fe1
0x73541fe2
0x73541fe5
0x73541fe7
0x73541fe9
0x00000000
0x00000000
0x73541feb
0x73541feb
0x73541fee
0x73542000
0x73542003
0x73542006
0x7354200c
0x00000000
0x7354200c
0x73541ff0
0x73541ff0
0x73541ff2
0x00000000
0x00000000
0x73541ff4
0x73541ff6
0x73541ff8
0x73541ff8
0x73541ff8
0x73541ff9
0x73541ffb
0x73541ffd
0x73541fe1
0x73541fe2
0x73541fe5
0x73541fe7
0x73541fe9
0x00000000
0x00000000
0x00000000
0x73541fe9
0x00000000
0x73541e3c
0x00000000
0x00000000
0x73541e48
0x00000000
0x00000000
0x73541e2f
0x73541e33
0x73541e37
0x00000000
0x00000000
0x73541fad
0x73541fb1
0x00000000
0x00000000
0x73541fb7
0x73541fbf
0x73541fc6
0x73541fce
0x00000000
0x00000000
0x73541f15
0x73541f15
0x00000000
0x00000000
0x73541e51
0x00000000
0x00000000
0x7354202b
0x00000000
0x00000000
0x73541f1d
0x73541f1f
0x73541f1f
0x00000000
0x00000000
0x7354201b
0x00000000
0x00000000
0x7354201f
0x00000000
0x00000000
0x73542027
0x00000000
0x00000000
0x73541f64
0x73541f66
0x73541f66
0x00000000
0x00000000
0x73541f2f
0x73541f31
0x73541f31
0x00000000
0x00000000
0x73541f41
0x73541f43
0x73541f43
0x00000000
0x00000000
0x73541f72
0x73541f74
0x73541f74
0x00000000
0x00000000
0x73541f4c
0x73541f4e
0x73541f4e
0x00000000
0x00000000
0x73541f53
0x00000000
0x00000000
0x73542023
0x7354202d
0x7354202d
0x00000000
0x00000000
0x73541f7d
0x73541f81
0x73541f86
0x73541f89
0x73541f8a
0x73541f8d
0x73541f93
0x73541f93
0x00000000
0x00000000
0x73542013
0x00000000
0x00000000
0x73541f57
0x73541f57
0x00000000
0x00000000
0x73541e58
0x73541e58
0x00000000
0x00000000
0x73541f6b
0x73541f6d
0x73541f6d
0x00000000
0x00000000
0x73541dfc
0x73541e02
0x73541e05
0x73541e07
0x73541e07
0x73541e0a
0x73541e0e
0x73541e1b
0x73541e1d
0x73541e23
0x73541e23
0x73541e23
0x00000000
0x00000000
0x73541f20
0x73541f20
0x73541f22
0x73541f29
0x00000000
0x00000000
0x73541f67
0x73541f67
0x00000000
0x00000000
0x73541f32
0x73541f32
0x73541f34
0x73541f3b
0x00000000
0x00000000
0x73541f44
0x73541f44
0x73541f46
0x00000000
0x00000000
0x73541f75
0x73541f75
0x00000000
0x00000000
0x73541f4f
0x73541f4f
0x00000000
0x00000000
0x73541f9b
0x73541f9f
0x73541fa4
0x73541fa7
0x00000000
0x00000000
0x73541f59
0x73541f59
0x73541f5c
0x73541f5e
0x00000000
0x00000000
0x73541f6e
0x73541f6e
0x73541f77
0x73541f77
0x73541e5a
0x73541e5a
0x73541e5d
0x73541e64
0x73541e66
0x73541e68
0x73541e6f
0x73541e72
0x73541e77
0x73541e79
0x73541e7b
0x73541e7f
0x73541e85
0x73541e8b
0x73541e8b
0x73541e8d
0x73541e8d
0x73541e8e
0x73541e8e
0x73541e92
0x73541e98
0x73541e9a
0x73541e9e
0x73541ea3
0x73541ea3
0x73541ea5
0x73541ea5
0x73541ea8
0x73541eab
0x73541eb4
0x73541eb7
0x73541eba
0x73541eba
0x73541ebc
0x73541ebf
0x73541ec5
0x73541ecb
0x73541ecb
0x73541ecd
0x00000000
0x00000000
0x73541ed3
0x73541ed3
0x73541ed7
0x73541ede
0x73541f02
0x73541f02
0x73541f06
0x73541f08
0x73541f0b
0x73541f0b
0x73541f0e
0x73541f0e
0x00000000
0x73541f06
0x73541ee3
0x73541ee6
0x73541ee6
0x73541eed
0x73541eef
0x73541ef2
0x73541ef9
0x73541efa
0x73541f00
0x73541f00
0x00000000
0x73541f00
0x73541ef4
0x73541ef7
0x00000000
0x00000000
0x00000000
0x73541ef7
0x73541e87
0x73541e89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73541df5
0x73541c9b
0x73541c9b
0x73541c9c
0x73541ddb
0x00000000
0x73541ddb
0x73541ca2
0x73541ca3
0x00000000
0x00000000
0x73541ca9
0x73541cac
0x73541da0
0x73541da0
0x73541da3
0x73541db8
0x73541dba
0x73541dba
0x73541dbb
0x73541dbe
0x73541dc1
0x73541dcd
0x73541dcd
0x73541dcd
0x73541dc3
0x73541dc3
0x73541dc3
0x73541dd3
0x00000000
0x73541dd3
0x73541da5
0x73541da5
0x73541da6
0x73541db4
0x00000000
0x73541db4
0x73541da9
0x73541daa
0x00000000
0x00000000
0x73541db0
0x00000000
0x73541db0
0x73541cb2
0x73541d9c
0x00000000
0x73541d9c
0x73541cb8
0x73541cb8
0x73541cbb
0x73541ce4
0x00000000
0x73541ce4
0x73541cbd
0x73541cbd
0x73541cc0
0x73541cda
0x00000000
0x73541cda
0x73541cc2
0x73541cc2
0x73541cc5
0x73541cd4
0x00000000
0x73541cd4
0x73541cc8
0x73541cc9
0x00000000
0x00000000
0x73541ccb
0x00000000
0x73541b83
0x73541b83
0x73541b86
0x00000000
0x73541b86
0x73541b7d
0x73541b6b
0x73541b6f
0x00000000
0x00000000
0x73541b71
0x73541b74
0x00000000
0x00000000
0x00000000
0x73541b74
0x73541b05
0x73541b08
0x73541b3e
0x73541b41
0x00000000
0x73541b47
0x73541b49
0x73541b4d
0x73541b54
0x73541b5b
0x73541b5e
0x73541b61
0x00000000
0x73541b61
0x73541b41
0x73541b0a
0x73541b0b
0x73541b26
0x73541b29
0x00000000
0x73541b2f
0x73541b2f
0x73541b36
0x73541b39
0x00000000
0x73541b39
0x73541b29
0x73541b10
0x00000000
0x73541b16
0x73541b16
0x73541b1d
0x00000000
0x73541b1d
0x73541b10
0x73541d09
0x73541d0e
0x73541d13
0x73541d17
0x735421c6
0x735421cc
0x73541d29
0x73541d2b
0x73541d2c
0x735420f1
0x735420f1
0x735420f4
0x735420f7
0x73542114
0x7354211a
0x7354211c
0x73542122
0x73542139
0x73542139
0x73542139
0x73542146
0x7354214c
0x7354214f
0x73542155
0x73542157
0x7354215a
0x7354215c
0x73542163
0x73542168
0x7354216b
0x7354216d
0x73542172
0x73542184
0x73542184
0x73542172
0x7354216b
0x7354215a
0x7354218a
0x7354218d
0x73542197
0x7354219f
0x735421ab
0x735421b1
0x735421b4
0x735420e6
0x735420e6
0x00000000
0x735420e6
0x735421ba
0x735421c0
0x735421c0
0x00000000
0x00000000
0x735421c2
0x735421c2
0x735421c2
0x735421c2
0x00000000
0x7354218f
0x7354218f
0x73542195
0x00000000
0x00000000
0x00000000
0x73542195
0x7354218d
0x73542125
0x7354212b
0x7354212d
0x73542133
0x00000000
0x00000000
0x00000000
0x73542133
0x735420f9
0x73542100
0x73542106
0x7354210c
0x00000000
0x7354210c
0x73541d32
0x73541d33
0x735420d0
0x735420d0
0x735420d6
0x735420d9
0x00000000
0x00000000
0x735420e0
0x735420e5
0x00000000
0x735420e5
0x73541d3a
0x00000000
0x00000000
0x73541d40
0x73541d40
0x73541d49
0x73541d4e
0x73541d54
0x00000000
0x00000000
0x73541d5a
0x73541d67
0x73541d6d
0x73541d77
0x73541d7d
0x73541d85
0x73541d95
0x00000000
0x73541d95

APIs

Part of subcall function 73541215: GlobalAlloc.KERNELBASE(00000040,73541233,?,735412CF,-7354404B,735411AB,-000000A0), ref: 7354121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 73541BC4
lstrcpyA.KERNEL32(00000008,?), ref: 73541C0C
lstrcpyA.KERNEL32(00000408,?), ref: 73541C16
GlobalFree.KERNEL32 ref: 73541C29
GlobalFree.KERNEL32 ref: 73541D09
GlobalFree.KERNEL32 ref: 73541D0E
GlobalFree.KERNEL32 ref: 73541D13
GlobalFree.KERNEL32 ref: 73541EFA
lstrcpyA.KERNEL32(?,?), ref: 73542098
GetModuleHandleA.KERNEL32(00000008), ref: 73542114
LoadLibraryA.KERNEL32(00000008), ref: 73542125
GetProcAddress.KERNEL32(?,?), ref: 7354217E
lstrlenA.KERNEL32(00000408), ref: 73542198

Memory Dump Source

Source File: 00000000.00000002.775640570.0000000073541000.00000020.00000001.01000000.00000005.sdmp, Offset: 73540000, based on PE: true

Associated: 00000000.00000002.775623192.0000000073540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775656382.0000000073543000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775675016.0000000073545000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73540000_6culQoI97a.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: aa091359d969265ab3e27629b1cab694a76ce032ec12679bae450da7df067c25
Instruction ID: 726f56ba6bacf4753d1ca4fd3458a438c3f92a7beb3ccbdf257c4a45662ace59
Opcode Fuzzy Hash: aa091359d969265ab3e27629b1cab694a76ce032ec12679bae450da7df067c25
Instruction Fuzzy Hash: 6322CC71D0434ADFDB19DFA5E9807ADBBF5FB04304F24A92ED1AAE2280DB745681CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040589C Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040589C(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405B5A(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x7a3008 =  *0x7a3008 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E004060D4(0x7a0570, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405AB3(_t73);
					} else {
						lstrcatA(0x7a0570, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x7a0570,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405A97( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E004060D4(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E00405854(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E004051FB(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x7a3008 =  *0x7a3008 + 1;
										} else {
											E004051FB(0xfffffff1, _t73);
											E00405EB3(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040589C(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x7a0570 - 0x5c;
					if( *0x7a0570 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E00406448(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405A6C(_t73);
							_t40 = E00405854(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E004051FB(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E004051FB(0xfffffff1, _t73);
							return E00405EB3(_t72, _t73, 0);
						}
						L33:
						 *0x7a3008 =  *0x7a3008 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004058a6
0x004058ab
0x004058b4
0x004058b7
0x004058bf
0x004058c2
0x004058c5
0x004058cd
0x004058cf
0x004058d0
0x00000000
0x004058d0
0x004058db
0x004058de
0x004058de
0x004058de
0x004058e2
0x004058f5
0x004058fc
0x00405901
0x00405905
0x00405915
0x00405907
0x0040590d
0x0040590d
0x0040591a
0x0040591d
0x00405928
0x0040592e
0x00405933
0x00405943
0x00405945
0x0040594b
0x0040594e
0x00405951
0x00405a09
0x00405a09
0x00405a0d
0x00405a0f
0x00405a0f
0x00405a0f
0x00405a0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00405957
0x00405957
0x00405960
0x00405966
0x0040596b
0x0040596e
0x00405970
0x00405974
0x00405976
0x00405976
0x00405974
0x00405979
0x0040597c
0x0040598f
0x00405991
0x00405996
0x0040599d
0x004059b8
0x004059bd
0x004059bf
0x004059e3
0x004059c1
0x004059c1
0x004059c4
0x004059d8
0x004059c6
0x004059c9
0x004059d1
0x004059d1
0x004059c4
0x0040599f
0x004059a5
0x004059a7
0x004059ad
0x004059ad
0x004059a7
0x00000000
0x0040599d
0x0040597e
0x00405981
0x00405983
0x00000000
0x00000000
0x00405985
0x00405987
0x00000000
0x00000000
0x00405989
0x0040598d
0x00000000
0x00000000
0x00000000
0x004059e8
0x004059f2
0x004059f8
0x004059f8
0x00405a03
0x00000000
0x00405a03
0x0040591f
0x00405926
0x00000000
0x00000000
0x00000000
0x004058e4
0x004058e4
0x004058e6
0x00405a13
0x00405a15
0x00405a18
0x00405a69
0x00405a69
0x00405a69
0x00405a1a
0x00405a1d
0x00405a28
0x00405a2d
0x00405a2f
0x00000000
0x00000000
0x00405a32
0x00405a3e
0x00405a43
0x00405a45
0x00000000
0x00405a60
0x00405a47
0x00405a4a
0x00000000
0x00000000
0x00405a4f
0x00000000
0x00405a56
0x00405a1f
0x00405a1f
0x00000000
0x00405a1f
0x004058ec
0x004058ef
0x00000000
0x00000000
0x00000000
0x004058ef

APIs

DeleteFileA.KERNELBASE(?,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058C5
lstrcatA.KERNEL32(007A0570,\*.*,007A0570,?,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040590D
lstrcatA.KERNEL32(?,0040A014,?,007A0570,?,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040592E
lstrlenA.KERNEL32(?,?,0040A014,?,007A0570,?,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405934
FindFirstFileA.KERNEL32(007A0570,?,?,?,0040A014,?,007A0570,?,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405945
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059F2
FindClose.KERNEL32(00000000), ref: 00405A03

Strings

"C:\Users\user\Desktop\6culQoI97a.exe", xrefs: 0040589C
\*.*, xrefs: 00405907
C:\Users\user\AppData\Local\Temp\, xrefs: 004058A9

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\6culQoI97a.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-34974162
Opcode ID: 01fb9e0cb0f04803ffd17b8b81141bc26167464e8ccb864bcb1501931c73c8a8
Instruction ID: ff286dc4e0ddd5c67b21a0dc49aadedac0e09a5b28e8edd6ac2018649726c89b
Opcode Fuzzy Hash: 01fb9e0cb0f04803ffd17b8b81141bc26167464e8ccb864bcb1501931c73c8a8
Instruction Fuzzy Hash: 9C51B071900A04AADF21AB65CC86BBF7B68DF46724F14823BF441B51D2C73C4A82DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00406448 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406448(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x7a0db8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7a0db8;
			}

0x00406453
0x0040645c
0x00000000
0x00406469
0x0040645f
0x00000000

APIs

FindFirstFileA.KERNELBASE(74D0FA90,007A0DB8,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,00405B9D,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,00000000,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,74D0FA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74D0FA90,C:\Users\user\AppData\Local\Temp\), ref: 00406453
FindClose.KERNEL32(00000000), ref: 0040645F

Strings

C:\Users\user\AppData\Local\Temp\nskAE13.tmp, xrefs: 00406448

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nskAE13.tmp
API String ID: 2295610775-3340837358
Opcode ID: e2f3e8573fc2909bb7a973f29d8235fa37fadc60103d57d1e27243d25dce126e
Instruction ID: 7d3207d9493d68405b9bf293567bde81a359e03289c7d5d361232287f2b34f21
Opcode Fuzzy Hash: e2f3e8573fc2909bb7a973f29d8235fa37fadc60103d57d1e27243d25dce126e
Instruction Fuzzy Hash: B7D01235504620ABC3405B78AD0C88B7A589F563313218F36F46AF12E0C6748C638ADD

Uniqueness

Uniqueness Score: -1.00%

Function 00404B5D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00404B5D(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t190;
				intOrPtr _t191;
				int _t198;
				signed int _t203;
				intOrPtr _t206;
				intOrPtr _t207;
				signed int _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				intOrPtr _t241;
				long _t242;
				long _t243;
				signed int _t244;
				signed int* _t246;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed int _t255;
				signed int _t258;
				signed char _t259;
				signed int _t261;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t287;
				long _t290;
				int _t294;
				signed int _t300;
				int _t303;
				signed int _t308;
				intOrPtr _t315;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				signed int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;
				signed int _t339;
				void* _t342;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t190 =  *0x7a2fa8; // 0x94d26c
				_t331 = SendMessageA;
				_v24 = _t190;
				_t191 =  *0x7a2f74; // 0x94d040
				_v28 = _t191 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t298;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x7a2f7d & 0x00000002;
							if(( *0x7a2f7d & 0x00000002) != 0) {
								L41:
								__eflags = _v16;
								if(_v16 != 0) {
									_t242 = _v16;
									__eflags =  *((intOrPtr*)(_t242 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c)); // executed
									}
									_t243 = _v16;
									__eflags =  *((intOrPtr*)(_t243 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t243 + 0xc)) - 2;
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											_t246 = _t244 * 0x418 + _t298 + 8;
											 *_t246 =  *_t246 & 0xffffffdf;
											__eflags =  *_t246;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404AAB(_v8, _a8 != 0x413);
								_t325 = _t250;
								__eflags = _t325;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									__eflags = _t252 & 0x00000010;
									if((_t252 & 0x00000010) == 0) {
										__eflags = _t252 & 0x00000040;
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
											__eflags = _t253;
										} else {
											_t259 = _t252 ^ 0x00000080;
											__eflags = _t259;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_t255 =  *0x7a2f7c; // 0x80
										_t258 =  !_t255 >> 0x00000008 & 0x00000001;
										__eflags = _t258;
										_a12 = _t325 + 1;
										_a16 = _t258;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							__eflags =  *((intOrPtr*)(_t298 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t298 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t298 + 4)) - 0x408;
						if( *((intOrPtr*)(_t298 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, 0, 0);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t230 =  *0x79f54c;
									__eflags = _t230;
									if(_t230 != 0) {
										ImageList_Destroy(_t230);
									}
									_t231 =  *0x79f560;
									__eflags = _t231;
									if(_t231 != 0) {
										GlobalFree(_t231);
									}
									 *0x79f54c = 0;
									 *0x79f560 = 0;
									 *0x7a2fe0 = 0;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L90:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x7a2f7d & 0x00000001;
										if(( *0x7a2f7d & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t198 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t198;
											_t321 = _t198;
											ShowWindow(_v8, _t321);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
										}
									}
									goto L93;
								} else {
									E004011EF(_t298, 0, 0);
									_t203 = _a12;
									__eflags = _t203;
									if(_t203 != 0) {
										__eflags = _t203 - 0xffffffff;
										if(_t203 != 0xffffffff) {
											_t203 = _t203 - 1;
											__eflags = _t203;
										}
										_push(_t203);
										_push(8);
										E00404B2B();
									}
									__eflags = _a16;
									if(_a16 == 0) {
										L75:
										E004011EF(_t298, 0, 0);
										__eflags =  *0x7a2fac; // 0x7
										_v36 =  *0x79f560;
										_t206 =  *0x7a2fa8; // 0x94d26c
										_v64 = 0xf030;
										_v24 = 0;
										if(__eflags <= 0) {
											L86:
											__eflags =  *0x7a2f6c - 4;
											if( *0x7a2f6c == 4) {
												InvalidateRect(_v8, 0, 1);
											}
											_t207 =  *0x7a273c; // 0x952563
											__eflags =  *(_t207 + 0x10);
											if( *(_t207 + 0x10) != 0) {
												E00404A66(0x3ff, 0xfffffffb, E00404A7E(5));
											}
											goto L90;
										} else {
											_t149 = _t206 + 8; // 0x94d274
											_t322 = _t149;
											do {
												_t212 =  *(_v36 + _v24 * 4);
												__eflags = _t212;
												if(_t212 != 0) {
													_t300 =  *_t322;
													_v72 = _t212;
													__eflags = _t300 & 0x00000001;
													_v76 = 8;
													if((_t300 & 0x00000001) != 0) {
														_t158 =  &(_t322[4]); // 0x94d284
														_v76 = 9;
														_v60 = _t158;
														_t161 =  &(_t322[0]);
														 *_t161 = _t322[0] & 0x000000fe;
														__eflags =  *_t161;
													}
													__eflags = _t300 & 0x00000040;
													if((_t300 & 0x00000040) == 0) {
														_t216 = (_t300 & 0x00000001) + 1;
														__eflags = _t300 & 0x00000010;
														if((_t300 & 0x00000010) != 0) {
															_t216 = _t216 + 3;
															__eflags = _t216;
														}
													} else {
														_t216 = 3;
													}
													_t303 = (_t300 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t303;
													_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t303, _v72);
													SendMessageA(_v8, 0x110d, 0,  &_v76);
												}
												_v24 = _v24 + 1;
												_t322 =  &(_t322[0x106]);
												__eflags = _v24 -  *0x7a2fac; // 0x7
											} while (__eflags < 0);
											goto L86;
										}
									} else {
										_t323 = E004012E2( *0x79f560);
										E00401299(_t323);
										_t227 = 0;
										_t298 = 0;
										__eflags = _t323;
										if(_t323 <= 0) {
											L74:
											SendMessageA(_v12, 0x14e, _t298, 0);
											_a16 = _t323;
											_a8 = 0x420;
											goto L75;
										} else {
											goto L71;
										}
										do {
											L71:
											_t315 = _v28;
											__eflags =  *(_t315 + _t227 * 4);
											if( *(_t315 + _t227 * 4) != 0) {
												_t298 = _t298 + 1;
												__eflags = _t298;
											}
											_t227 = _t227 + 1;
											__eflags = _t227 - _t323;
										} while (_t227 < _t323);
										goto L74;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L93;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L93;
							}
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							__eflags = _t237 - 0xffffffff;
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							__eflags = _t324 - 0xffffffff;
							if(_t324 == 0xffffffff) {
								L54:
								_t324 = 0x20;
								L55:
								E00401299(_t324);
								SendMessageA(_a4, 0x420, 0, _t324);
								_t130 =  &_a12;
								 *_t130 = _a12 | 0xffffffff;
								__eflags =  *_t130;
								_a16 = 0;
								_a8 = 0x40f;
								goto L56;
							}
							_t241 = _v28;
							__eflags =  *(_t241 + _t324 * 4);
							if( *(_t241 + _t324 * 4) != 0) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					_v36 = 0;
					 *0x7a2fe0 = _a4;
					_t261 =  *0x7a2fac; // 0x7
					_v20 = 2;
					 *0x79f560 = GlobalAlloc(0x40, _t261 << 2);
					_t264 = LoadImageA( *0x7a2f60, 0x6e, 0, 0, 0, 0);
					 *0x79f554 =  *0x79f554 | 0xffffffff;
					_v16 = _t264;
					 *0x79f55c = SetWindowLongA(_v8, 0xfffffffc, E0040516F);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x79f54c = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x79f54c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							_t294 = SendMessageA(_v12, 0x143, 0, E00406167(0, _t327, _t331, 0, _t272)); // executed
							SendMessageA(_v12, 0x151, _t294, _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404158(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404158(_a4);
					_t329 = 0;
					_t339 =  *0x7a2fac; // 0x7
					_v16 = 0;
					if(_t339 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									__eflags = _t285 & 0x00000004;
									if((_t285 & 0x00000004) == 0) {
										_t287 = SendMessageA(_v8, 0x1100, 0,  &_v88); // executed
										 *( *0x79f560 + _t329 * 4) = _t287;
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_v36 = 1;
									 *( *0x79f560 + _t329 * 4) = _t290;
									_v16 =  *( *0x79f560 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_t342 = _t329 -  *0x7a2fac; // 0x7
							_v32 = _t316;
						} while (_t342 < 0);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E0040418D(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040418D(_v12);
								L93:
								return E004041BF(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404b7b
0x00404b83
0x00404b86
0x00404b8b
0x00404b91
0x00404b94
0x00404ba9
0x00404bac
0x00404bad
0x00404dda
0x00404dda
0x00404de1
0x00404df5
0x00404de3
0x00404de5
0x00404de8
0x00404de9
0x00404df0
0x00404df0
0x00404df8
0x00404e01
0x00404e0c
0x00404e0c
0x00404e0f
0x00404e12
0x00404e21
0x00404e21
0x00404e28
0x00404e9d
0x00404e9d
0x00404ea0
0x00404ea2
0x00404ea5
0x00404eac
0x00404eba
0x00404eba
0x00404ebc
0x00404ebf
0x00404ec6
0x00404ec8
0x00404ecc
0x00404ecf
0x00404ed2
0x00404ee9
0x00404eed
0x00404eed
0x00404ed4
0x00404ede
0x00404ede
0x00404ed2
0x00404ec6
0x00000000
0x00404ea0
0x00404e2a
0x00404e2d
0x00404e38
0x00404e3a
0x00404e3d
0x00404e44
0x00404e49
0x00404e4b
0x00404e4d
0x00404e58
0x00404e58
0x00404e5c
0x00404e5e
0x00404e60
0x00404e62
0x00404e64
0x00404e77
0x00404e77
0x00404e66
0x00404e66
0x00404e6b
0x00404e6d
0x00404e73
0x00404e6f
0x00404e6f
0x00404e6f
0x00404e6d
0x00404e7b
0x00404e7d
0x00404e82
0x00404e8d
0x00404e8d
0x00404e90
0x00404e93
0x00404e96
0x00404e96
0x00404e60
0x00000000
0x00404e4d
0x00404e2f
0x00404e32
0x00404e36
0x00000000
0x00000000
0x00000000
0x00404e36
0x00404e14
0x00404e1b
0x00000000
0x00000000
0x00000000
0x00404e03
0x00404e03
0x00404e06
0x00404ef0
0x00404ef0
0x00404ef7
0x00404f68
0x00404f6d
0x00404f70
0x00404f78
0x00404f78
0x00404f7a
0x00404f81
0x00404f83
0x00404f88
0x00404f8a
0x00404f8d
0x00404f8d
0x00404f93
0x00404f98
0x00404f9a
0x00404f9d
0x00404f9d
0x00404fa3
0x00404fa9
0x00404faf
0x00404faf
0x00404fb5
0x00404fbc
0x0040511c
0x0040511c
0x00405123
0x00405125
0x0040512c
0x00405130
0x0040513d
0x0040513d
0x00405140
0x00405146
0x00405158
0x00405158
0x0040512c
0x00000000
0x00404fc2
0x00404fc4
0x00404fc9
0x00404fcc
0x00404fce
0x00404fd0
0x00404fd3
0x00404fd5
0x00404fd5
0x00404fd5
0x00404fd6
0x00404fd7
0x00404fd9
0x00404fd9
0x00404fde
0x00404fe1
0x00405022
0x00405024
0x0040502e
0x00405034
0x00405037
0x0040503c
0x00405043
0x00405046
0x004050e8
0x004050e8
0x004050f0
0x004050f8
0x004050f8
0x004050fe
0x00405103
0x00405106
0x00405117
0x00405117
0x00000000
0x0040504c
0x0040504c
0x0040504c
0x0040504f
0x00405055
0x00405058
0x0040505a
0x0040505c
0x0040505e
0x00405061
0x00405064
0x0040506b
0x0040506d
0x00405070
0x00405077
0x0040507a
0x0040507a
0x0040507a
0x0040507a
0x0040507e
0x00405081
0x0040508d
0x0040508e
0x00405091
0x00405093
0x00405093
0x00405093
0x00405083
0x00405085
0x00405085
0x004050b2
0x004050b2
0x004050b3
0x004050bf
0x004050ce
0x004050ce
0x004050d0
0x004050d3
0x004050dc
0x004050dc
0x00000000
0x0040504f
0x00404fe3
0x00404fee
0x00404ff1
0x00404ff6
0x00404ff8
0x00404ffa
0x00404ffc
0x0040500c
0x00405016
0x00405018
0x0040501b
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ffe
0x00404ffe
0x00404ffe
0x00405001
0x00405004
0x00405006
0x00405006
0x00405006
0x00405007
0x00405008
0x00405008
0x00000000
0x00404ffe
0x00404fe1
0x00404fbc
0x00404ef9
0x00404eff
0x00000000
0x00000000
0x00404f0b
0x00404f0f
0x00000000
0x00000000
0x00404f1f
0x00404f21
0x00404f24
0x00000000
0x00000000
0x00404f36
0x00404f38
0x00404f3b
0x00404f45
0x00404f47
0x00404f48
0x00404f49
0x00404f58
0x00404f5a
0x00404f5a
0x00404f5a
0x00404f5e
0x00404f61
0x00000000
0x00404f61
0x00404f3d
0x00404f40
0x00404f43
0x00000000
0x00000000
0x00000000
0x00404f43
0x00000000
0x00404e06
0x00404bb3
0x00404bb6
0x00404bb9
0x00404bbe
0x00404bc9
0x00404bdc
0x00404be7
0x00404bed
0x00404bfb
0x00404c0e
0x00404c13
0x00404c1e
0x00404c27
0x00404c3d
0x00404c4d
0x00404c59
0x00404c59
0x00404c5e
0x00404c64
0x00404c66
0x00404c69
0x00404c6e
0x00404c73
0x00404c75
0x00404c75
0x00404c89
0x00404c95
0x00404c95
0x00404c97
0x00404c98
0x00404c9d
0x00404ca3
0x00404ca7
0x00404cac
0x00404cb4
0x00404cb8
0x00404cbd
0x00404cc2
0x00404cc4
0x00404cca
0x00404ccd
0x00404d9c
0x00404daf
0x00000000
0x00404cd3
0x00404cd6
0x00404cd9
0x00404cdc
0x00404cdc
0x00404ce1
0x00404cea
0x00404ced
0x00404cf1
0x00404cf4
0x00404cf7
0x00404d00
0x00404d09
0x00404d0c
0x00404d0f
0x00404d12
0x00404d4e
0x00404d50
0x00404d73
0x00404d7b
0x00404d52
0x00404d61
0x00404d61
0x00404d14
0x00404d17
0x00404d25
0x00404d2f
0x00404d37
0x00404d3e
0x00404d49
0x00404d49
0x00404d12
0x00404d81
0x00404d82
0x00404d88
0x00404d8e
0x00404d8e
0x00404d9a
0x00404db5
0x00404db8
0x00404dd5
0x00000000
0x00404dba
0x00404dbf
0x00404dc8
0x0040515a
0x0040516c
0x0040516c
0x00404db8
0x00000000
0x00404d9a
0x00404ccd

APIs

GetDlgItem.USER32 ref: 00404B74
GetDlgItem.USER32 ref: 00404B81
GlobalAlloc.KERNEL32(00000040,00000007), ref: 00404BD0
LoadImageA.USER32 ref: 00404BE7
SetWindowLongA.USER32 ref: 00404C01
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C13
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C27
SendMessageA.USER32(?,00001109,00000002), ref: 00404C3D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C49
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C59
DeleteObject.GDI32(00000110), ref: 00404C5E
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C89
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C95
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D2F
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D5F

Part of subcall function 0040418D: SendMessageA.USER32(00000028,?,00000001,00403FBD), ref: 0040419B

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D73
GetWindowLongA.USER32 ref: 00404DA1
SetWindowLongA.USER32 ref: 00404DAF
ShowWindow.USER32(?,00000005), ref: 00404DBF
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EBA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F1F
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F34
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F58
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F78
ImageList_Destroy.COMCTL32(?), ref: 00404F8D
GlobalFree.KERNEL32 ref: 00404F9D
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405016
SendMessageA.USER32(?,00001102,?,?), ref: 004050BF
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050CE
InvalidateRect.USER32(?,00000000,00000001), ref: 004050F8
ShowWindow.USER32(?,00000000), ref: 00405146
GetDlgItem.USER32 ref: 00405151
ShowWindow.USER32(00000000), ref: 00405158

Strings

, xrefs: 00405130
N, xrefs: 00404DF8
M, xrefs: 00404D17

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 4d121559fe05f84de95b4a0219e608994aaae28832c28ac134bb19e234486368
Instruction ID: 01e3f0ac69fe039d53c66122a0ee2819e5ae0f579c243cd3ce02c20529578500
Opcode Fuzzy Hash: 4d121559fe05f84de95b4a0219e608994aaae28832c28ac134bb19e234486368
Instruction Fuzzy Hash: AC025BB0900209AFDB10DFA8DD45AAE7BB5FB84354F10813AF610BA2E1D7799D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403C84 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403C84(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t142;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x79f550 = _t35;
					if(_t116 == 0x110) {
						 *0x7a2f68 = _t126;
						 *0x79f564 = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79e530 = _t92;
						E00404158(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x7a2748); // executed
						 *0x7a272c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x79f550 = 1;
					}
					_t123 =  *0x40a1dc; // 0x0
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x7a2fa0;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E004041A4(0x40b);
						while(1) {
							_t37 =  *0x79f550;
							 *0x40a1dc =  *0x40a1dc + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1dc; // 0x0
							__eflags = _t39 -  *0x7a2fa4; // 0x4
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x7a272c - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x7a2fa4; // 0x4
							__eflags =  *0x40a1dc - _t44; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E00406167(_t117, _t126, _t131, 0x7ab800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E00404158(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E00404158(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E00404158(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x7a300c - _t134;
							_v32 = _t49;
							if( *0x7a300c != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
							E0040417A(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x79e530, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x7a300c - _t134;
							if( *0x7a300c == _t134) {
								_push( *0x79f564);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x79e530);
							}
							E0040418D();
							E004060D4(0x79f568, E00403C65());
							E00406167(0x79f568, _t126, _t131,  &(0x79f568[lstrlenA(0x79f568)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x79f568); // executed
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)), _t134);
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x7a2738); // executed
									 *0x79ed40 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x7a2f60,  *_t131 +  *0x7a2740 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131); // executed
									__eflags = _t74 - _t134;
									 *0x7a2738 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E00404158(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x7a2738, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									E00401389( *((intOrPtr*)(_t131 + 0xc)), _t134);
									__eflags =  *0x7a272c - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x7a2738, 8);
									E004041A4(0x405);
									goto L58;
								}
								__eflags =  *0x7a300c - _t134;
								if( *0x7a300c != _t134) {
									goto L61;
								}
								__eflags =  *0x7a3000 - _t134;
								if( *0x7a3000 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7a2738);
						 *0x7a2f68 = _t134;
						EndDialog(_t126,  *0x79e938);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)), 0);
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x7a2738, 0x40f, 0, 1);
						__eflags =  *0x7a272c - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x79f548, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x79f548,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E004041BF(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x7a2738, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7a300c - _t134;
										if( *0x7a300c == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x79e938 = 1;
											L21:
											_push(0x78);
											L22:
											E00404131();
											goto L26;
										}
										E0040140B(_t128);
										 *0x79e938 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1dc - _t134; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x7a2738);
						 *0x7a2738 = _a12;
						L58:
						_t142 =  *0x7a0568 - _t134; // 0x0
						if(_t142 == 0) {
							_t143 =  *0x7a2738 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x7a0568 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403c8d
0x00403c96
0x00403dd7
0x00403ddb
0x00403ddf
0x00403de1
0x00403de6
0x00403df1
0x00403dfc
0x00403e01
0x00403e03
0x00403e05
0x00403e08
0x00403e0d
0x00403e1b
0x00403e28
0x00403e2f
0x00403e2f
0x00403e30
0x00403e30
0x00403e35
0x00403e3b
0x00403e42
0x00403e48
0x00403e4a
0x00403e8a
0x00403e8f
0x00403e94
0x00403e94
0x00403e99
0x00403ea2
0x00403ea4
0x00403ea9
0x00403eaf
0x00403eb3
0x00403eb3
0x00403eb8
0x00403ebe
0x00000000
0x00000000
0x00403ec4
0x00403ec9
0x00403ecf
0x00000000
0x00000000
0x00403ed8
0x00403ee0
0x00403ee5
0x00403ee8
0x00403eee
0x00403ef3
0x00403ef6
0x00403efc
0x00403f01
0x00403f04
0x00403f0a
0x00403f12
0x00403f18
0x00403f1e
0x00403f22
0x00403f29
0x00403f29
0x00403f29
0x00403f33
0x00403f45
0x00403f51
0x00403f56
0x00403f60
0x00403f66
0x00403f68
0x00403f6d
0x00403f6a
0x00403f6a
0x00403f6a
0x00403f7d
0x00403f95
0x00403f97
0x00403f9d
0x00403fb2
0x00403f9f
0x00403fa8
0x00403faa
0x00403faa
0x00403fb8
0x00403fc9
0x00403fda
0x00403fe1
0x00403feb
0x00403ff0
0x00403ff2
0x00000000
0x00403ff8
0x00403ff8
0x00403ffa
0x00000000
0x00000000
0x00404000
0x00404004
0x00404029
0x0040402f
0x00404035
0x00404037
0x00000000
0x00000000
0x0040405d
0x00404063
0x00404065
0x0040406a
0x00000000
0x00000000
0x00404070
0x00404073
0x00404076
0x0040408d
0x00404099
0x004040b2
0x004040bc
0x004040c1
0x004040c7
0x00000000
0x00000000
0x004040d1
0x004040dc
0x00000000
0x004040dc
0x00404006
0x0040400c
0x00000000
0x00000000
0x00404012
0x00404018
0x00000000
0x00000000
0x00000000
0x0040401e
0x00403ff2
0x004040e9
0x004040f5
0x004040fc
0x00000000
0x00403e4c
0x00403e4c
0x00403e4f
0x00403e82
0x00403e82
0x00403e84
0x00000000
0x00000000
0x00000000
0x00403e84
0x00403e55
0x00403e5a
0x00403e5c
0x00000000
0x00000000
0x00403e6c
0x00403e74
0x00000000
0x00403e7a
0x00403ca8
0x00403ca8
0x00403cac
0x00403cb1
0x00403cc0
0x00403cc0
0x00403cc9
0x00403cd2
0x00403cdd
0x00403cdd
0x00403ce9
0x00403d05
0x00403d08
0x00403d1b
0x00403d21
0x00403dc4
0x00000000
0x00403dcd
0x00403d27
0x00403d34
0x00403d36
0x00403d38
0x00403d57
0x00403d57
0x00403d5a
0x00403d5f
0x00403d62
0x00403d72
0x00403d73
0x00403d75
0x00403dab
0x00403dbe
0x00000000
0x00403dbe
0x00403d77
0x00403d7d
0x00403d96
0x00403d9b
0x00403d9d
0x00000000
0x00000000
0x00403d9f
0x00403d8b
0x00403d8b
0x00403d8d
0x00403d8d
0x00000000
0x00403d8d
0x00403d80
0x00403d85
0x00000000
0x00403d85
0x00403d64
0x00403d6a
0x00000000
0x00000000
0x00403d6c
0x00000000
0x00403d6c
0x00403d5c
0x00000000
0x00403d5c
0x00403d42
0x00403d49
0x00403d4f
0x00403d51
0x00000000
0x00000000
0x00000000
0x00403d51
0x00403d0d
0x00000000
0x00403ceb
0x00403cf1
0x00403cfb
0x00404102
0x00404102
0x00404108
0x0040410a
0x00404110
0x00404115
0x0040411b
0x0040411b
0x00404110
0x00404125
0x00000000
0x00404125
0x00403ce9

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC0
ShowWindow.USER32(?), ref: 00403CDD
DestroyWindow.USER32 ref: 00403CF1
SetWindowLongA.USER32 ref: 00403D0D
GetDlgItem.USER32 ref: 00403D2E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D42
IsWindowEnabled.USER32(00000000), ref: 00403D49
GetDlgItem.USER32 ref: 00403DF7
GetDlgItem.USER32 ref: 00403E01
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403E1B
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6C
GetDlgItem.USER32 ref: 00403F12
ShowWindow.USER32(00000000,?), ref: 00403F33
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F45
EnableWindow.USER32(?,?), ref: 00403F60
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F76
EnableMenuItem.USER32 ref: 00403F7D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F95
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FA8
lstrlenA.KERNEL32(0079F568,?,0079F568,00000000), ref: 00403FD2
SetWindowTextA.USER32(?,0079F568), ref: 00403FE1
ShowWindow.USER32(?,0000000A), ref: 00404115

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID:
API String ID: 3906175533-0
Opcode ID: ec739e9d96bc32f6baab2395f713d9bda4e2b377654e9d8e1af96a71d6295b9f
Instruction ID: 3358382e01a0dfa2f7aaf81ce727bcb664174c2c7b1baf79b3eefcfdc57a0ccd
Opcode Fuzzy Hash: ec739e9d96bc32f6baab2395f713d9bda4e2b377654e9d8e1af96a71d6295b9f
Instruction Fuzzy Hash: 6EC1D171500200AFDB21AF25EE89D2B3AB9EB96706F00453EF641B51F1CB3D9992DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 004038E7 Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004038E7(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				signed int _t21;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				intOrPtr _t55;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				signed short _t67;
				struct HINSTANCE__* _t71;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x7a2f74; // 0x94d040
				_t17 = E004064DD(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x79f568;
					"1033" = 0x30;
					 *0x7aa001 = 0x78;
					 *0x7aa002 = 0;
					E00405FBB(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f568, 0);
					__eflags =  *0x79f568;
					if(__eflags == 0) {
						E00405FBB(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x79f568, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					_t67 =  *_t17(); // executed
					E00406032("1033", _t67 & 0x0000ffff);
				}
				E00403BAC(_t71, _t84);
				_t21 =  *0x7a2f7c; // 0x80
				_t80 = "C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten";
				 *0x7a3000 = _t21 & 0x00000020;
				 *0x7a301c = 0x10000;
				if(E00405B5A(_t84, "C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten") != 0) {
					L16:
					if(E00405B5A(_t92, _t80) == 0) {
						E00406167(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x7a2f60, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7a2748 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403BAC(_t71, __eflags);
							__eflags =  *0x7a3020;
							if( *0x7a3020 != 0) {
								_t28 = E004052CD(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7a272c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x79f548, 5); // executed
							_t34 = E0040646F("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E0040646F("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x7a2700);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x7a2700);
								 *0x7a2724 = _t81;
								RegisterClassA(0x7a2700);
							}
							_t36 =  *0x7a2740; // 0x0
							_t39 = DialogBoxParamA( *0x7a2f60, _t36 + 0x00000069 & 0x0000ffff, 0, E00403C84, 0); // executed
							E00403837(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x7a2f60; // 0x400000
						 *0x7a2704 = E00401000;
						 *0x7a2710 = _t71;
						 *0x7a2714 = _t25;
						 *0x7a2724 = 0x40a1f4;
						if(RegisterClassA(0x7a2700) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x79f548 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f60, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t55 =  *0x7a2fb8; // 0x9510e0
					_t74 = 0x7a1f00;
					E00405FBB(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) + _t55, 0x7a1f00, 0);
					_t57 =  *0x7a1f00; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x7a1f01;
						 *((char*)(E00405A97(0x7a1f01, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E004060D4(_t80, E00405A6C(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405AB3(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004038ed
0x004038f6
0x004038fd
0x004038ff
0x00403913
0x00403925
0x0040392c
0x00403933
0x00403939
0x0040393e
0x00403944
0x00403957
0x00403957
0x00403962
0x00403901
0x00403901
0x0040390c
0x0040390c
0x00403967
0x0040396c
0x00403971
0x0040397a
0x0040397f
0x00403990
0x00403a17
0x00403a1f
0x00403a28
0x00403a28
0x00403a3e
0x00403a44
0x00403a52
0x00403ad3
0x00403adb
0x00403ae5
0x00403aea
0x00403af0
0x00403b7a
0x00403b7f
0x00403b81
0x00403b9d
0x00000000
0x00403b9d
0x00403b83
0x00403b89
0x00403b91
0x00403b91
0x00000000
0x00403b89
0x00403afe
0x00403b09
0x00403b0e
0x00403b10
0x00403b17
0x00403b17
0x00403b22
0x00403b2a
0x00403b2c
0x00403b2e
0x00403b37
0x00403b3a
0x00403b40
0x00403b40
0x00403b46
0x00403b5f
0x00403b70
0x00000000
0x00403b75
0x00403add
0x00403adf
0x00000000
0x00403a54
0x00403a54
0x00403a60
0x00403a6a
0x00403a70
0x00403a75
0x00403a84
0x00403ba2
0x00403ba2
0x00000000
0x00403ba2
0x00403a93
0x00403ace
0x00000000
0x00403ace
0x00403996
0x00403996
0x00403999
0x0040399b
0x00000000
0x00000000
0x004039a0
0x004039a5
0x004039b5
0x004039ba
0x004039c1
0x00000000
0x00000000
0x004039c5
0x004039c7
0x004039d4
0x004039d4
0x004039dc
0x004039e2
0x00403a0a
0x00403a12
0x00000000
0x004039f4
0x004039f5
0x004039fe
0x00403a04
0x00403a05
0x00000000
0x00403a05
0x00403a00
0x00403a02
0x00000000
0x00000000
0x00000000
0x00403a02
0x004039e2

APIs

Part of subcall function 004064DD: GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
Part of subcall function 004064DD: GetProcAddress.KERNEL32(00000000,?), ref: 0040650A

GetUserDefaultUILanguage.KERNELBASE(00000002,74D0FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\6culQoI97a.exe",00000000), ref: 00403901

Part of subcall function 00406032: wsprintfA.USER32 ref: 0040603F

lstrcatA.KERNEL32(1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,74D0FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\6culQoI97a.exe",00000000), ref: 00403962
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,74D0FA90), ref: 004039D7
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000), ref: 004039EA
GetFileAttributesA.KERNEL32(Call), ref: 004039F5
LoadImageA.USER32 ref: 00403A3E
RegisterClassA.USER32 ref: 00403A7B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A93
CreateWindowExA.USER32 ref: 00403AC8
ShowWindow.USER32(00000005,00000000), ref: 00403AFE
GetClassInfoA.USER32 ref: 00403B2A
GetClassInfoA.USER32 ref: 00403B37
RegisterClassA.USER32 ref: 00403B40
DialogBoxParamA.USER32 ref: 00403B5F

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten, xrefs: 00403971, 00403979, 00403A11, 00403A17, 00403A27
1033, xrefs: 00403907, 0040395D
RichEd32, xrefs: 00403B12
Call, xrefs: 004039A5, 004039AD, 004039BA, 00403A04, 00403A0A
.exe, xrefs: 004039E4
C:\Users\user\AppData\Local\Temp\, xrefs: 004038EC
RichEdit20A, xrefs: 00403B22, 00403B28
RichEd20, xrefs: 00403B04
RichEdit, xrefs: 00403B31
"C:\Users\user\Desktop\6culQoI97a.exe", xrefs: 004038EB
Control Panel\Desktop\ResourceLocale, xrefs: 0040391B
_Nb, xrefs: 00403A5A, 00403AC2
.DEFAULT\Control Panel\International, xrefs: 0040394D

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\6culQoI97a.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 606308-1114785763
Opcode ID: 33a654ab319a5143a78b8400df8df2a17f9037dc0bafbe0e038c6009d0731ac5
Instruction ID: f7990f1d18b0f5a23d57c8cfe7c70d4d4c73fa70df7bf6ac8ad2bf3217d0cd4d
Opcode Fuzzy Hash: 33a654ab319a5143a78b8400df8df2a17f9037dc0bafbe0e038c6009d0731ac5
Instruction Fuzzy Hash: 29619570640640AEE610AF659D45F3B3E6CEB8574AF10413EF981B62E3DB7D9D028B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402EA1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				signed int _t54;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\hardz\\Desktop\\6culQoI97a.exe";
				 *0x7a2f70 = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\6culQoI97a.exe", 0x400);
				_t89 = E00405C6D(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\hardz\\Desktop";
				E004060D4("C:\\Users\\hardz\\Desktop", _t91);
				E004060D4(0x7ab000, E00405AB3(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x79e124 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E3D(1);
					__eflags =  *0x7a2f78 - _t82; // 0x30c00
					if(__eflags == 0) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						_t54 =  *0x7a2f78; // 0x30c00
						E004032DD(_t54 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004030D8(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7a2f74 = _t94;
							 *0x7a2f7c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7a2f80 =  *0x7a2f80 + 1;
								__eflags =  *0x7a2f80;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405C28(0x7a2fa0, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004032DD( *0x792118);
					_t65 = E004032C7( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t67 =  *0x7a2f78; // 0x30c00
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004032C7(0x78a118, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402E3D(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7a2f78;
						if( *0x7a2f78 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E3D(0);
							}
							goto L20;
						}
						E00405C28( &_v44, 0x78a118, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x792118; // 0x51a5a
						 *0x7a3020 =  *0x7a3020 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7a2f78 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a194
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x79e124; // 0x51a5e
						if(__eflags < 0) {
							_v12 = E00406594(_v12, 0x78a118, _t90);
						}
						 *0x792118 =  *0x792118 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402ea9
0x00402eac
0x00402eaf
0x00402eb2
0x00402eb8
0x00402ec9
0x00402ece
0x00402ee1
0x00402ee6
0x00402ee9
0x00402eef
0x00000000
0x00402ef1
0x00402efc
0x00402f02
0x00402f13
0x00402f1a
0x00402f20
0x00402f22
0x00402f27
0x00402f29
0x00403014
0x00403016
0x0040301b
0x00403022
0x00000000
0x00000000
0x00403024
0x00403027
0x0040304b
0x00403050
0x00403056
0x00403058
0x00403061
0x00403066
0x00403069
0x0040306a
0x0040306b
0x0040306d
0x00403072
0x00403075
0x00403088
0x0040308c
0x00403094
0x00403099
0x0040309b
0x0040309b
0x0040309b
0x004030a3
0x004030a3
0x004030a6
0x004030a7
0x004030a7
0x004030aa
0x004030ac
0x004030ac
0x004030ac
0x004030b6
0x004030bc
0x004030ca
0x004030cf
0x00000000
0x004030cf
0x00000000
0x00403075
0x0040302f
0x0040303a
0x0040303f
0x00403041
0x00000000
0x00000000
0x00403046
0x00403049
0x00000000
0x00000000
0x00000000
0x00402f2f
0x00402f34
0x00402f34
0x00402f39
0x00402f3d
0x00402f44
0x00402f49
0x00402f4b
0x00402f4d
0x00402f4d
0x00402f51
0x00402f56
0x00402f58
0x00403080
0x00403077
0x00000000
0x00403077
0x00402f5e
0x00402f65
0x00402fe1
0x00402fe5
0x00402fe9
0x00402fee
0x00000000
0x00402fe5
0x00402f6e
0x00402f73
0x00402f76
0x00402f7b
0x00000000
0x00000000
0x00402f7d
0x00402f84
0x00000000
0x00000000
0x00402f86
0x00402f8d
0x00000000
0x00000000
0x00402f8f
0x00402f96
0x00000000
0x00000000
0x00402f98
0x00402f9f
0x00000000
0x00000000
0x00402fa1
0x00402fa7
0x00402fb0
0x00402fb6
0x00402fb9
0x00402fbb
0x00402fc1
0x00000000
0x00000000
0x00402fc7
0x00402fcb
0x00402fd3
0x00402fd3
0x00402fd6
0x00402fd6
0x00402fd9
0x00402fdb
0x00402fdd
0x00402fdd
0x00000000
0x00402fdb
0x00402fcd
0x00402fd1
0x00000000
0x00000000
0x00000000
0x00402fef
0x00402fef
0x00402ff5
0x00403001
0x00403001
0x00403004
0x0040300a
0x0040300a
0x0040300a
0x00403012
0x00403012
0x00000000
0x00403012

APIs

GetTickCount.KERNEL32 ref: 00402EB2
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\6culQoI97a.exe,00000400), ref: 00402ECE

Part of subcall function 00405C6D: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\6culQoI97a.exe,80000000,00000003), ref: 00405C71
Part of subcall function 00405C6D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93

GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\6culQoI97a.exe,C:\Users\user\Desktop\6culQoI97a.exe,80000000,00000003), ref: 00402F1A
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00403050

Strings

"C:\Users\user\Desktop\6culQoI97a.exe", xrefs: 00402EA1
Null, xrefs: 00402F98
soft, xrefs: 00402F8F
C:\Users\user\Desktop\6culQoI97a.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
Error launching installer, xrefs: 00402EF1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
Inst, xrefs: 00402F86
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\6culQoI97a.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\6culQoI97a.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1649669562
Opcode ID: 757e6f753a61218cc68c4c3168c4f0314001b502d62b2c7f1e7b3a9d0f58f82d
Instruction ID: e6d4fb369877e8ee952de7074d12315c12307524423d8dbd5c49f4dc18488fa3
Opcode Fuzzy Hash: 757e6f753a61218cc68c4c3168c4f0314001b502d62b2c7f1e7b3a9d0f58f82d
Instruction Fuzzy Hash: 3151D271901208AFDF20AF65DD85B6E7AB8EB04755F10813BF500B22D6D77C9E818B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406167 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00406167(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				intOrPtr _t76;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x7a273c; // 0x952563
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_t76 =  *0x7a2fb8; // 0x9510e0
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 + _t76;
				_t39 = 0x7a1f00;
				_t90 = 0x7a1f00;
				if(_a4 >= 0x7a1f00 && _a4 - 0x7a1f00 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E00406167(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x7a1f00;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = "540027183" + (_t97 << 0xa);
							E004060D4(_t90, "540027183" + (_t97 << 0xa));
						} else {
							E00406032(_t90,  *0x7a2f68);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E004063AF(_t90);
						}
						goto L42;
					}
					_t52 =  *0x7a2f6c; // 0x42ee000a
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x7a3004;
						if( *0x7a3004 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x7a2f64; // 0x74101340
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x7a2f68,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x7a2f68,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405FBB((_t80 & 0x0000003f) +  *0x7a2fb8, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x7a2fb8, _t90, _t80 & 0x00000040); // executed
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00406167(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E004060D4(_a4, _t39);
			}

0x00406167
0x00406167
0x00406167
0x0040616d
0x00406172
0x00406174
0x00406183
0x00406183
0x00406185
0x0040618b
0x0040618c
0x0040618d
0x0040618e
0x00406191
0x00406199
0x0040619b
0x004061b2
0x004061b5
0x004061b5
0x0040638c
0x0040638c
0x00406390
0x00000000
0x00000000
0x004061c2
0x004061c8
0x00000000
0x00000000
0x004061ce
0x004061cf
0x004061d2
0x004061d5
0x0040637f
0x00406389
0x0040638b
0x0040638b
0x00406381
0x00406383
0x00406385
0x00406386
0x00406386
0x00000000
0x0040637f
0x004061db
0x004061df
0x004061ef
0x004061f6
0x004061f9
0x00406201
0x00406204
0x0040620b
0x0040620c
0x0040620f
0x0040632c
0x0040632f
0x0040635f
0x00406362
0x00406367
0x0040636b
0x0040636b
0x00406370
0x00406376
0x00406378
0x00000000
0x00406378
0x00406331
0x00406334
0x00406349
0x00406350
0x00406336
0x0040633d
0x0040633d
0x00406358
0x0040635b
0x00406324
0x00406325
0x00406325
0x00000000
0x0040635b
0x00406215
0x0040621c
0x0040621e
0x0040621f
0x00406239
0x00406239
0x00406240
0x00406240
0x00406247
0x0040624b
0x0040624b
0x0040624c
0x0040624e
0x00406287
0x0040628a
0x0040629a
0x0040629d
0x004062a5
0x004062ab
0x004062ab
0x0040630a
0x0040630a
0x0040630c
0x00000000
0x00000000
0x004062af
0x004062b6
0x004062b7
0x004062b9
0x004062d3
0x004062e1
0x004062e7
0x004062e9
0x00406307
0x00406307
0x00406307
0x00000000
0x00406307
0x004062ef
0x004062f8
0x004062fb
0x00406301
0x00406305
0x00000000
0x00000000
0x00000000
0x00406305
0x004062bb
0x004062be
0x00000000
0x00000000
0x004062cd
0x004062cf
0x004062d1
0x00000000
0x00000000
0x00000000
0x004062d1
0x00000000
0x0040630a
0x00406292
0x00000000
0x00406250
0x0040626b
0x00406270
0x00406273
0x00406313
0x00406313
0x00406317
0x0040631f
0x0040631f
0x00000000
0x00406317
0x0040627d
0x0040630e
0x0040630e
0x00406311
0x00000000
0x00000000
0x00000000
0x00406311
0x0040624e
0x00406221
0x00406225
0x00000000
0x00000000
0x00406227
0x0040622b
0x00000000
0x00000000
0x0040622d
0x00406231
0x00000000
0x00406233
0x00406233
0x00000000
0x00406233
0x00406231
0x00406396
0x004063a0
0x004063ac
0x004063ac
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 00406292
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,0079ED48,00000000,00405233,0079ED48,00000000), ref: 004062A5
SHGetSpecialFolderLocation.SHELL32(00405233,74D0EA30,?,0079ED48,00000000,00405233,0079ED48,00000000), ref: 004062E1
SHGetPathFromIDListA.SHELL32(74D0EA30,Call), ref: 004062EF
CoTaskMemFree.OLE32(74D0EA30), ref: 004062FB
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040631F
lstrlenA.KERNEL32(Call,?,0079ED48,00000000,00405233,0079ED48,00000000,00000000,00798F20,74D0EA30), ref: 00406371

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406319
Call, xrefs: 00406191, 0040625E, 0040625F, 00406260, 0040627C, 00406291, 004062A4, 004062C0, 004062EB, 0040631E, 00406324, 0040633C, 0040634F, 0040636A, 00406370, 00406378, 004063A2
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406261
540027183, xrefs: 00406349

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: 540027183$Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1892903659
Opcode ID: e6c4a9fbb4c321ecebe7d36b76985c5b159c9a2176219b4b87ef98d85bb8a455
Instruction ID: 6e1ed981659f24e818377f3a16580b7a42bd992c39e8c3c65ac9697aa82fb6a7
Opcode Fuzzy Hash: e6c4a9fbb4c321ecebe7d36b76985c5b159c9a2176219b4b87ef98d85bb8a455
Instruction Fuzzy Hash: C861E571900210AEEB149F28DC94BBE7BA49B46314F12413FED43B62D1D73C4961CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405AD9(_t82);
				_push(_t82);
				_t83 = "Call";
				if(_t33 == 0) {
					lstrcatA(E00405A6C(E004060D4(_t83, "C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten\\Pollen47\\Disvoice")), ??);
				} else {
					E004060D4();
				}
				E004063AF(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00406448(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405C48(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405C6D(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E004051FB(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x7a3008;
						goto L32;
					} else {
						E004060D4(0x40ac08, "540027183");
						E004060D4("540027183", _t83);
						E00406167(_t75, 0x40ac08, _t83, "C:\Users\hardz\AppData\Local\Temp\nskAE13.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E004060D4("540027183", 0x40ac08);
						_t62 = E004057F0("C:\Users\hardz\AppData\Local\Temp\nskAE13.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x7a3008 =  &( *0x7a3008->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E004051FB();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E004051FB(0xffffffea,  *(_t85 - 8));
				 *0x7a3034 =  *0x7a3034 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0xc));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E004030D8(); // executed
				 *0x7a3034 =  *0x7a3034 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00406167(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E00406167(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E004057F0();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x004027bf
0x004027bf
0x00402a5a
0x00402a5d
0x00402a5d
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402a63
0x00402a63
0x00402a63
0x00401858
0x00401858
0x00401859
0x00401492
0x00402387
0x00402387
0x00402387
0x00401856
0x0040184f
0x00402a65
0x00402a69
0x00402a69
0x00401883
0x00401888
0x0040188e
0x0040188f
0x00401890
0x00401893
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x00402382
0x00000000
0x00402382
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004060D4: lstrcpynA.KERNEL32(?,?,00000400,004033F7,Resultatlst,NSIS Error,?,00000007,00000009,0000000B), ref: 004060E1

Part of subcall function 004051FB: lstrlenA.KERNEL32(0079ED48,00000000,00798F20,74D0EA30,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,0079ED48,00000000,00798F20,74D0EA30,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
Part of subcall function 004051FB: lstrcatA.KERNEL32(0079ED48,00403210,00403210,0079ED48,00000000,00798F20,74D0EA30), ref: 00405257
Part of subcall function 004051FB: SetWindowTextA.USER32(0079ED48,0079ED48), ref: 00405269
Part of subcall function 004051FB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
Part of subcall function 004051FB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
Part of subcall function 004051FB: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7

Strings

C:\Users\user\AppData\Local\Temp\nskAE13.tmp, xrefs: 004017A3, 00401812, 00401830
C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice, xrefs: 00401786
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
540027183, xrefs: 0040180D, 00401819, 00401831

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: 540027183$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice$C:\Users\user\AppData\Local\Temp\nskAE13.tmp$C:\Users\user\AppData\Local\Temp\nskAE13.tmp\System.dll$Call
API String ID: 1941528284-3165503059
Opcode ID: 1bd0c0f9eb5db5d60fca7822dcde0a7a20bb861fe8cd4b3143028ee231146c6f
Instruction ID: fd3b8c6ffda923ee712ccabd95e062e364f7e6d0f101aa5c62542bd457b9e8d3
Opcode Fuzzy Hash: 1bd0c0f9eb5db5d60fca7822dcde0a7a20bb861fe8cd4b3143028ee231146c6f
Instruction Fuzzy Hash: F841B571900114BACF10BFB5CC45DAF36A9EF45368B20833BF522B50E2CA7C8A519B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D8 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				long _t70;
				intOrPtr _t74;
				long _t75;
				intOrPtr _t76;
				void* _t77;
				int _t87;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr _t94;
				long _t95;
				signed int _t96;
				int _t97;
				int _t98;
				intOrPtr _t99;
				void* _t100;
				void* _t101;

				_t96 = _a16;
				_t91 = _a12;
				_v12 = _t96;
				if(_t91 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t91;
				if(_t91 == 0) {
					_v16 = 0x796120;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					_t89 =  *0x7a2fd8; // 0x32126
					E004032DD(_t89 + _t62);
				}
				if(E004032C7( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t91 != 0) {
							if(_a16 < _t96) {
								_t96 = _a16;
							}
							if(E004032C7(_t91, _t96) != 0) {
								_v8 = _t96;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t91) {
							goto L44;
						}
						_t87 = _v12;
						while(1) {
							_t97 = _a16;
							if(_a16 >= _t87) {
								_t97 = _t87;
							}
							if(E004032C7(0x792120, _t97) == 0) {
								goto L41;
							}
							if(E00405D14(_a8, 0x792120, _t97) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t97;
							_a16 = _a16 - _t97;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40b878 =  *0x40b878 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40b860 = 0xb;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t98 = 0x4000;
						if(_a16 < 0x4000) {
							_t98 = _a16;
						}
						if(E004032C7(0x792120, _t98) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t98;
						 *0x40b850 = 0x792120;
						 *0x40b854 = _t98;
						while(1) {
							_t94 = _v16;
							 *0x40b858 = _t94;
							 *0x40b85c = _v12;
							_t74 = E00406602(0x40b850);
							_v24 = _t74;
							if(_t74 < 0) {
								break;
							}
							_t99 =  *0x40b858; // 0x798f20
							_t100 = _t99 - _t94;
							_t75 = GetTickCount();
							_t95 = _t75;
							if(( *0x7a3034 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t101 = _t101 + 0xc;
								E004051FB(0,  &_v88);
								_v20 = _t95;
							}
							if(_t100 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t76 =  *0x40b858; // 0x798f20
									_v8 = _v8 + _t100;
									_v12 = _v12 - _t100;
									_v16 = _t76;
									L23:
									if(_v24 != 4) {
										continue;
									}
									goto L44;
								}
								_t77 = E00405D14(_a8, _v16, _t100); // executed
								if(_t77 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t100;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x004030e0
0x004030e4
0x004030e7
0x004030ec
0x004030ee
0x004030ee
0x004030f5
0x004030f9
0x004030fe
0x00403100
0x00403100
0x00403107
0x0040310c
0x0040310e
0x00403117
0x00403117
0x00403129
0x004032b5
0x004032b5
0x00000000
0x0040312f
0x00403133
0x00403262
0x004032a5
0x004032a7
0x004032a7
0x004032b3
0x004032ba
0x004032bd
0x00000000
0x00000000
0x00000000
0x00000000
0x004032b3
0x00403267
0x00000000
0x00000000
0x00403269
0x0040326c
0x0040326f
0x00403272
0x00403274
0x00403274
0x00403284
0x00000000
0x00000000
0x00403292
0x0040325c
0x0040325c
0x004032b7
0x004032b7
0x00000000
0x004032b7
0x00403294
0x00403297
0x0040329e
0x00000000
0x00000000
0x00000000
0x004032a0
0x00000000
0x0040326c
0x0040313f
0x00403141
0x00403148
0x00403148
0x0040314f
0x00403155
0x0040315c
0x0040315f
0x00000000
0x00000000
0x00000000
0x00000000
0x00403165
0x00403165
0x00403165
0x0040316d
0x0040316f
0x0040316f
0x00403180
0x00000000
0x00000000
0x00403186
0x00403189
0x0040318f
0x00403195
0x00403195
0x004031a0
0x004031a6
0x004031ab
0x004031b2
0x004031b5
0x00000000
0x00000000
0x004031bb
0x004031c1
0x004031c3
0x004031cc
0x004031ce
0x004031fc
0x00403202
0x0040320b
0x00403210
0x00403210
0x00403215
0x00403250
0x00000000
0x00000000
0x00000000
0x00403217
0x0040321b
0x00403232
0x00403237
0x0040323a
0x0040323d
0x00403240
0x00403244
0x00000000
0x00000000
0x00000000
0x0040324a
0x00403224
0x0040322b
0x00000000
0x00000000
0x0040322d
0x00000000
0x0040322d
0x00403215
0x00403258
0x00000000
0x00403258
0x00000000
0x00403165

APIs

GetTickCount.KERNEL32 ref: 0040313F
GetTickCount.KERNEL32 ref: 004031C3
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004031EC
wsprintfA.USER32 ref: 004031FC

Strings

!y, xrefs: 00403276
!y, xrefs: 00403172
... %d%%, xrefs: 004031F6
ay, xrefs: 00403100

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: !y$ !y$ ay$... %d%%
API String ID: 551687249-830929277
Opcode ID: fb80ba013608f3c098533986785ac97089a2e466ddceb92ce4d814dff21de19d
Instruction ID: a0ed304c84634e1a182b4cedd43d653909124c4238878ead4aa9bd0ee2fb7366
Opcode Fuzzy Hash: fb80ba013608f3c098533986785ac97089a2e466ddceb92ce4d814dff21de19d
Instruction Fuzzy Hash: CE516E31800219ABCB10DFA5DA44A9F7BB8EF44756F1481BFE800B72D0C7389F448BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004056C1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056C1(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004056cc
0x004056d0
0x004056d3
0x004056d9
0x004056dd
0x004056e1
0x004056e9
0x004056f0
0x004056f6
0x004056fd
0x00405704
0x0040570c
0x0040570e
0x00000000
0x0040570e
0x00405718
0x0040571f
0x00405735
0x00000000
0x00000000
0x00000000
0x00405737
0x0040573b

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405704
GetLastError.KERNEL32 ref: 00405718
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040572D
GetLastError.KERNEL32 ref: 00405737

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056E7
C:\Users\user\Desktop, xrefs: 004056C1

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-3254906087
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 68da7140adab9ac89dc439175e59da9b3464284d57dce40cdacedd7e8d7715c7
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: E2011671C00219EADF00DFA1C944BEFBBB8EF04354F00403AD944B6290E7B89648DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040646F Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040646F(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x00406486
0x0040648f
0x00406491
0x00406491
0x00406495
0x004064a7
0x004064a1
0x004064a1
0x004064a1
0x004064ab
0x004064bf
0x004064d3
0x004064da

APIs

GetSystemDirectoryA.KERNEL32 ref: 00406486
wsprintfA.USER32 ref: 004064BF
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064D3

Strings

UXTHEME, xrefs: 00406478
%s%s.dll, xrefs: 004064B9
\, xrefs: 00406497

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: e4af93c3cdb1388bd8c61da79080aae0fca49bc102c632b45afecef183fab820
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: D3F0F63055020AABEF159B64DD0DFEB375CEB08344F1400BAA986E10C1EA78D9258BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040209D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E0040209D(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x7a3038");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x7a3008 =  *0x7a3008 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E004051FB(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, "540027183", 0x40b848, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403887(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040209d
0x0040209d
0x004020a2
0x004020a9
0x00402164
0x004022dd
0x004022dd
0x00402a5a
0x00402a5d
0x00402a69
0x00402a69
0x004020b8
0x004020c2
0x004020c5
0x004020d4
0x004020d8
0x004020de
0x004020e2
0x0040215d
0x00000000
0x0040215d
0x004020e4
0x004020ed
0x004020f1
0x00402135
0x004020f3
0x004020f6
0x004020f9
0x00402129
0x004020fb
0x004020fe
0x00402107
0x00402109
0x00402109
0x00402107
0x004020f9
0x0040213d
0x00402152
0x00402152
0x00000000
0x0040213d
0x004020c8
0x004020ce
0x004020d2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 004051FB: lstrlenA.KERNEL32(0079ED48,00000000,00798F20,74D0EA30,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,0079ED48,00000000,00798F20,74D0EA30,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
Part of subcall function 004051FB: lstrcatA.KERNEL32(0079ED48,00403210,00403210,0079ED48,00000000,00798F20,74D0EA30), ref: 00405257
Part of subcall function 004051FB: SetWindowTextA.USER32(0079ED48,0079ED48), ref: 00405269
Part of subcall function 004051FB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
Part of subcall function 004051FB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
Part of subcall function 004051FB: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Strings

540027183, xrefs: 0040211C

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: 540027183
API String ID: 2987980305-348788735
Opcode ID: e31bbca7845924857a2458c4529ee67341cf0da622ce0a781d3c3ebb18b34366
Instruction ID: b82e27a23205e400b7882a9dda540b85adfac7e99319b749728402aba69a9ded
Opcode Fuzzy Hash: e31bbca7845924857a2458c4529ee67341cf0da622ce0a781d3c3ebb18b34366
Instruction Fuzzy Hash: 55213B32500110EBCF207F608F48A5F36B0AF51358F20423BF601B51D0CBBC49829A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C9C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405C9C(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3d4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405ca0
0x00405ca6
0x00405ca7
0x00405ca7
0x00405cac
0x00405cad
0x00405cb0
0x00405cba
0x00405cc7
0x00405cca
0x00405cd2
0x00000000
0x00000000
0x00405cd6
0x00000000
0x00000000
0x00405cd8
0x00000000
0x00405cd8
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405CB0
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CCA

Strings

nsa, xrefs: 00405CA7
"C:\Users\user\Desktop\6culQoI97a.exe", xrefs: 00405C9C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C9F

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\6culQoI97a.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3718587181
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: 300c2e40aa17b99eb6a72bfbf7bdfcd49c284ecfca22a4765a13b30c42836751
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: B7F08236308308ABEB108F56ED04B9B7B98EF91750F14803BF944DA280D6B599549B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E00405F5A(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8); // executed
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E004064DD(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402cdb
0x00402ce4
0x00402ced
0x00402cf9
0x00402d02
0x00402d0c
0x00402d31
0x00402d37
0x00402d3c
0x00402d3d
0x00402d6d
0x00402d46
0x00402d48
0x00402d98
0x00402d9b
0x00000000
0x00402da1
0x00402d57
0x00402d5c
0x00402d5e
0x00000000
0x00000000
0x00402d66
0x00402d6b
0x00402d6c
0x00402d6c
0x00402d79
0x00402d81
0x00402d88
0x00000000
0x00402db1
0x00000000
0x00402d90
0x00402d1c
0x00402d2f
0x00000000
0x00000000
0x00000000
0x00402d2f
0x00402db7

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 61b01d759961c4e40bf2e960662e07dc36c2227ae484429a43adcb02bb257662
Instruction ID: 148915660003aa48eae5eddbcc28bbe782376451a520f9e519856868b1d6a9df
Opcode Fuzzy Hash: 61b01d759961c4e40bf2e960662e07dc36c2227ae484429a43adcb02bb257662
Instruction Fuzzy Hash: 8D215771900109BBEF129F90CE89EEE7A7DEF44344F100076FA55B11A0E7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 735416DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E735416DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v88;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x7354405c = _a8;
				 *0x73544060 = _a16;
				 *0x73544064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73544038, E73541556);
				_push(1); // executed
				_t37 = E73541A98(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E735422AF(_t54);
					}
					E735422F1(_t67, _t54);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_t37 = E735424D8(_t54);
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x818; // 0x818
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E7354156B(_t54,  &_v88);
								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
								_t18 = _t54 + 0x818; // 0x818
								_t72 = _t18;
								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
								 *_t72 = 3;
								E735424D8(_t54);
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							E735424D8(_t54);
							_t37 = GlobalFree(E73541266(E73541559(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E7354249E(_t54);
							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x808);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
								_t37 = E735414E2( *0x73544058);
							}
						}
						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73542CC3(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73542A38(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E735426B2(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x735416db
0x735416db
0x735416db
0x735416e5
0x735416ed
0x735416fa
0x73541708
0x7354170b
0x7354170d
0x73541712
0x73541717
0x73541836
0x73541836
0x7354171d
0x73541721
0x73541724
0x73541729
0x7354172b
0x73541731
0x73541737
0x73541767
0x7354176e
0x73541792
0x735417dd
0x73541794
0x73541794
0x73541795
0x7354179b
0x7354179c
0x735417a6
0x735417a9
0x735417ae
0x735417b5
0x735417b5
0x735417bc
0x735417c2
0x735417c8
0x735417d5
0x735417d6
0x735417d9
0x73541770
0x73541771
0x73541786
0x73541786
0x735417e7
0x735417ea
0x735417f7
0x735417fe
0x73541806
0x73541809
0x73541809
0x73541806
0x73541816
0x7354181e
0x73541823
0x73541816
0x7354182b
0x00000000
0x7354182d
0x00000000
0x7354182e
0x7354182b
0x7354173b
0x7354173e
0x7354175c
0x00000000
0x00000000
0x7354175f
0x73541764
0x73541764
0x73541766
0x00000000
0x73541766
0x73541740
0x73541741
0x73541749
0x7354174a
0x00000000
0x7354174a
0x73541743
0x73541744
0x73541752
0x00000000
0x73541752
0x73541747
0x00000000
0x00000000
0x00000000
0x73541747

APIs

Part of subcall function 73541A98: GlobalFree.KERNEL32 ref: 73541D09
Part of subcall function 73541A98: GlobalFree.KERNEL32 ref: 73541D0E
Part of subcall function 73541A98: GlobalFree.KERNEL32 ref: 73541D13

GlobalFree.KERNEL32 ref: 73541786
FreeLibrary.KERNEL32(?), ref: 73541809
GlobalFree.KERNEL32 ref: 7354182E

Part of subcall function 735422AF: GlobalAlloc.KERNEL32(00000040,?), ref: 735422E0

Part of subcall function 735426B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73541757,00000000), ref: 73542782

Part of subcall function 7354156B: wsprintfA.USER32 ref: 73541599

Strings

, xrefs: 7354180F

Memory Dump Source

Source File: 00000000.00000002.775640570.0000000073541000.00000020.00000001.01000000.00000005.sdmp, Offset: 73540000, based on PE: true

Associated: 00000000.00000002.775623192.0000000073540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775656382.0000000073543000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775675016.0000000073545000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73540000_6culQoI97a.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: b7ae5d7ba76d62b0060aac0c9c8485cc312a23cceacd320d4def01c804bc82ae
Instruction ID: 09d551e833f22aa0a07ae6bedd00ac68e2a64f14dc9552278c3acbe908276b5b
Opcode Fuzzy Hash: b7ae5d7ba76d62b0060aac0c9c8485cc312a23cceacd320d4def01c804bc82ae
Instruction Fuzzy Hash: D44173721003189BDB0DAF75FA84B9537BCBF44224F28A466E94B9E1C6DB749245CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402476 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00402476(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t18;
				void* _t19;
				int _t22;
				long _t23;
				int _t28;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t35;
				void* _t37;
				void* _t40;

				_t40 = __eflags;
				_t31 = __edx;
				_t28 = __ebx;
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				_t32 = __eax;
				 *(_t37 - 0x38) =  *(_t37 - 0x14);
				 *(_t37 - 0x78) = E00402BCE(2);
				_t18 = E00402BCE(0x11);
				 *(_t37 - 4) = 1;
				_t19 = E00402C5E(_t40, _t32, _t18, 2); // executed
				 *(_t37 + 8) = _t19;
				if(_t19 != __ebx) {
					_t22 = 0;
					if(_t35 == 1) {
						E00402BCE(0x23);
						_t22 = lstrlenA(0x40ac08) + 1;
					}
					if(_t35 == 4) {
						 *0x40ac08 = E00402BAC(3);
						 *((intOrPtr*)(_t37 - 0x88)) = _t31;
						_t22 = _t35;
					}
					if(_t35 == 3) {
						_t22 = E004030D8( *((intOrPtr*)(_t37 - 0x1c)), _t28, 0x40ac08, 0xc00); // executed
					}
					_t23 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x78), _t28,  *(_t37 - 0x38), 0x40ac08, _t22); // executed
					if(_t23 == 0) {
						 *(_t37 - 4) = _t28;
					}
					_push( *(_t37 + 8));
					RegCloseKey(); // executed
				}
				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4);
				return 0;
			}

0x00402476
0x00402476
0x00402476
0x00402476
0x00402479
0x00402480
0x0040248a
0x0040248d
0x00402496
0x0040249d
0x004024a4
0x004024a7
0x004024ad
0x004024b7
0x004024bb
0x004024c6
0x004024c6
0x004024ca
0x004024d4
0x004024da
0x004024e0
0x004024e0
0x004024e4
0x004024f0
0x004024f0
0x00402501
0x00402509
0x0040250b
0x0040250b
0x0040250e
0x004025e5
0x004025e5
0x00402a5d
0x00402a69

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nskAE13.tmp,00000023,00000011,00000002), ref: 004024C1
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,00000000,00000011,00000002), ref: 00402501
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,00000000,00000011,00000002), ref: 004025E5

Strings

C:\Users\user\AppData\Local\Temp\nskAE13.tmp, xrefs: 004024B2, 004024D4, 004024EB, 004024F6

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nskAE13.tmp
API String ID: 2655323295-3340837358
Opcode ID: 0de24952f0d24d99859b8d0a5fd9ad0301599ff203bfff235046f9e1218ab5e4
Instruction ID: 621c84a53dcaf2a3225fca01673abe6cb58a25da7017df2cdf0d3381b538cbef
Opcode Fuzzy Hash: 0de24952f0d24d99859b8d0a5fd9ad0301599ff203bfff235046f9e1218ab5e4
Instruction Fuzzy Hash: A1118171E00214BFEF10AFA5DE49EAE7A74EB44314F20843AF505F71D1D6B99D419B28

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405B05(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405A97(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E0040573E(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040575B(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E004056C1(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E004060D4("C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten\\Pollen47\\Disvoice", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x004022dd
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402a5d
0x00402a69

APIs

Part of subcall function 00405B05: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,?,00405B71,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,74D0FA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B18
Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B2C

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004056C1: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405704

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice
API String ID: 1892508949-1299319120
Opcode ID: 88146135321c1cd0d38d76d739be7b0afe4dc7015577e79ca40491864a132507
Instruction ID: 50be7771e3672f66fe07c9109d7a0934d5fb35c2f40f106ce03ebb8fd80801ba
Opcode Fuzzy Hash: 88146135321c1cd0d38d76d739be7b0afe4dc7015577e79ca40491864a132507
Instruction Fuzzy Hash: F2110831104151EBCB307FA54D409BF37B09A92324B28463FE592B22E3DA3D4942AA2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040516F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040516F(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t9;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x79f554 != _t16) {
							_push(_t16);
							_push(6);
							 *0x79f554 = _t16;
							E00404B2B();
						}
						L11:
						_t9 = CallWindowProcA( *0x79f55c, _a4, _t15, _a12, _t16); // executed
						return _t9;
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404AAB(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004041A4(0x413);
				return 0;
			}

0x00405173
0x0040517d
0x00405199
0x004051bb
0x004051be
0x004051c4
0x004051ce
0x004051cf
0x004051d1
0x004051d7
0x004051d7
0x004051e1
0x004051ef
0x00000000
0x004051ef
0x004051a6
0x004051de
0x004051de
0x00000000
0x004051de
0x004051b2
0x004051b4
0x00000000
0x004051b4
0x00405183
0x00000000
0x00000000
0x0040518a
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040519E
CallWindowProcA.USER32 ref: 004051EF

Part of subcall function 004041A4: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004041B6

Strings

, xrefs: 0040517F

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 34aba529733e3b32ef5863def0a598af0a9d68f7816d72c254ac1b8fca419f55
Instruction ID: a815c8626c5111ac64f0cf4f46d81bc36f874ce80d1ab61a55fc5c00676d5aef
Opcode Fuzzy Hash: 34aba529733e3b32ef5863def0a598af0a9d68f7816d72c254ac1b8fca419f55
Instruction Fuzzy Hash: 1A015E31600608ABEF205F11DD84B9B376AEB84315F244137FA00791D0C7799D62DA69

Uniqueness

Uniqueness Score: -1.00%

Function 00405FBB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405FBB(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405F5A(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20); // executed
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405fc9
0x00405fcb
0x00405fe3
0x00405fe8
0x00405fed
0x0040602a
0x0040602a
0x00405fef
0x00406001
0x0040600c
0x00406012
0x0040601c
0x00000000
0x00000000
0x0040601c
0x0040602f

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,0079ED48,?,?,?,00000002,Call,?,00406270,80000002), ref: 00406001
RegCloseKey.KERNELBASE(?,?,00406270,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,0079ED48), ref: 0040600C

Strings

Call, xrefs: 00405FBE, 00405FF2

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 02b0ca06b85e7c04b5820a528fa41c7769f17ba5f8155b904997ba725fa221fb
Instruction ID: d626b699d45c1b84179135bbe24e0f50758a75bbb6c39e90c48a844674782db3
Opcode Fuzzy Hash: 02b0ca06b85e7c04b5820a528fa41c7769f17ba5f8155b904997ba725fa221fb
Instruction Fuzzy Hash: BB017C7254020AABDF22CF61CC09FDB3FA8EF55364F01803AF959A2190D678D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405773 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405773(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7a0d70->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a0d70,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040577c
0x0040579c
0x004057a4
0x004057a9
0x00000000
0x004057af
0x004057b3

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D70,Error launching installer), ref: 0040579C
CloseHandle.KERNEL32(?), ref: 004057A9

Strings

Error launching installer, xrefs: 00405786

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: cdb3d12e93955e9b982c1d5c04e4c9d7882df22fc18f803694ab679cdbae7595
Instruction ID: 33f777635f039691b801aef677aa15ec1976f60057d2e453273d56c3b7e761be
Opcode Fuzzy Hash: cdb3d12e93955e9b982c1d5c04e4c9d7882df22fc18f803694ab679cdbae7595
Instruction Fuzzy Hash: 58E04FF5600209BFEB009BA0DD09F7B7BACEB04304F008520BD40F2190D774A8148E78

Uniqueness

Uniqueness Score: -1.00%

Function 00402588 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402588(int* __ebx, intOrPtr __edx, char* __esi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				char* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402C0E(_t29, 0x20019); // executed
				_t22 = _t9;
				_t10 = E00402BAC(3);
				 *((intOrPtr*)(_t26 - 0x38)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueA(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyA(_t22, _t10, __esi, 0x3ff);
					}
					_t24[0x3ff] = _t16;
					_push(_t22); // executed
					RegCloseKey(); // executed
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x00402588
0x00402588
0x00402588
0x0040258d
0x00402594
0x00402596
0x0040259e
0x004025a1
0x004025a3
0x004027bf
0x004025a9
0x004025b1
0x004025b4
0x004025cd
0x004025d3
0x004025d5
0x004025d7
0x004025d7
0x004025b6
0x004025ba
0x004025ba
0x004025de
0x004025e4
0x004025e5
0x004025e5
0x00402a5d
0x00402a69

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025BA
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025CD
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,00000000,00000011,00000002), ref: 004025E5

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: cf9cb235eaceda232b8d5cb85930a824aab3df6c76033e8d5e6dfae408f9178a
Instruction ID: 773a7303ee78c1acb854ba03901dd4e05cd3950a579afad538e8a0ffc4c9b84d
Opcode Fuzzy Hash: cf9cb235eaceda232b8d5cb85930a824aab3df6c76033e8d5e6dfae408f9178a
Instruction Fuzzy Hash: 5A018F71604204FFE7219F54DE99ABF7ABCEF41358F20803EF505B61C0DAB84E459629

Uniqueness

Uniqueness Score: -1.00%

Function 00402516 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402516(int* __ebx, char* __esi) {
				void* _t17;
				char* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402C0E(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402BCE(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x38) = 0x400;
					if(RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x38) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E00406032(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x3ff] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4);
				return 0;
			}

0x00402516
0x00402516
0x0040251b
0x00402522
0x00402524
0x0040252b
0x0040252d
0x004027bf
0x00402533
0x00402536
0x00402551
0x00402581
0x00402581
0x00402583
0x00402553
0x00402557
0x00402570
0x00402577
0x0040257a
0x00402559
0x0040255c
0x00402567
0x004025de
0x00000000
0x00000000
0x00000000
0x0040255c
0x00402557
0x004025e4
0x004025e5
0x004025e5
0x00402a5d
0x00402a69

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402546
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,00000000,00000011,00000002), ref: 004025E5

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 3b9348bb8a9111bac0e2cc5a321a2019a7d0bedee63fc4786f56487d85f53e47
Instruction ID: a38d896beb00bd6b96c1afca0a4d37843b6a01bbd6b744c8c042ddc4311e4418
Opcode Fuzzy Hash: 3b9348bb8a9111bac0e2cc5a321a2019a7d0bedee63fc4786f56487d85f53e47
Instruction Fuzzy Hash: E911BF71901205EFDF24CF64CA985AE7AB4EF01355F20843FE446B72C0D6B88A85DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401389(signed int _a4, struct HWND__* _a11) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x7a2fb0; // 0x94ef14
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a11 != 0) {
						 *0x7a274c =  *0x7a274c + _t12;
						SendMessageA(_a11, 0x402, MulDiv( *0x7a274c, 0x7530,  *0x7a2734), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x00401392
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e0cd62ee3040700a295e5b46d32f75e08d2db3f93dbac9e55f4e6f2709676977
Instruction ID: 845b7e25721e970e15b242f5633496821e9acd9660688f654d55c439198c0cfc
Opcode Fuzzy Hash: e0cd62ee3040700a295e5b46d32f75e08d2db3f93dbac9e55f4e6f2709676977
Instruction Fuzzy Hash: 0701F4316242209FE7195B389D04B2A3698E751314F10813FF951F65F2D678CC129B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00402421 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402421(void* __ebx, void* __edx) {
				long _t6;
				void* _t9;
				void* _t13;
				long _t18;
				void* _t20;
				void* _t22;
				void* _t23;

				_t13 = __ebx;
				_t26 =  *(_t23 - 0x18) - __ebx;
				_t20 = __edx;
				if( *(_t23 - 0x18) != __ebx) {
					_t6 = E00402C8C(_t20, E00402BCE(0x22),  *(_t23 - 0x18) >> 1); // executed
					_t18 = _t6;
					goto L4;
				} else {
					_t9 = E00402C0E(_t26, 2); // executed
					_t22 = _t9;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueA(_t22, E00402BCE(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t13) {
							goto L6;
						}
					}
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402421
0x00402421
0x00402424
0x00402426
0x00402462
0x00402467
0x00000000
0x00402428
0x0040242a
0x0040242f
0x00402433
0x004027bf
0x004027bf
0x00402439
0x00402449
0x0040244b
0x00402469
0x0040246b
0x00000000
0x00402471
0x0040246b
0x00402433
0x00402a5d
0x00402a69

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402442
RegCloseKey.ADVAPI32(00000000), ref: 0040244B

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: f536f3262d18be2c6f7a6d3884124582493bd4da2c41e4e8920fbd88c56e0979
Instruction ID: 46fd4e9b359f40bb4978f14a9f4b8ff9846529a3f504122c01e888531eb5d2ac
Opcode Fuzzy Hash: f536f3262d18be2c6f7a6d3884124582493bd4da2c41e4e8920fbd88c56e0979
Instruction Fuzzy Hash: A4F09632600121EBE710BFA49B8EAAE72A59B40314F25443FF602B71C1D9F84E4246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EE3
EnableWindow.USER32(00000000,00000000), ref: 00401EEE

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 7b718858ea627c1e477ef1a2caf7c7d5619c5910c58fb60c1957f9bb67eb09d5
Instruction ID: 0d648207ff9f6deaa2b416c319ca4d02dfd5ede2de2ab3ccb6edf8448476ab2e
Opcode Fuzzy Hash: 7b718858ea627c1e477ef1a2caf7c7d5619c5910c58fb60c1957f9bb67eb09d5
Instruction Fuzzy Hash: 3AE09232A04200EFD714EFA5EA8856F7BB0EB40325B20403FF001F10C1CA7848418A59

Uniqueness

Uniqueness Score: -1.00%

Function 004064DD Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064DD(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a240);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
				}
				_t5 = E0040646F(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x004064e5
0x004064e8
0x004064ef
0x004064f7
0x00406503
0x00000000
0x0040650a
0x004064fa
0x00406501
0x00000000
0x00406512
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
GetProcAddress.KERNEL32(00000000,?), ref: 0040650A

Part of subcall function 0040646F: GetSystemDirectoryA.KERNEL32 ref: 00406486
Part of subcall function 0040646F: wsprintfA.USER32 ref: 004064BF
Part of subcall function 0040646F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064D3

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction ID: 042920e8a29c9b7d047f9b8d679db2b98f9cdac4fa712678353772f8bdeb7375
Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction Fuzzy Hash: 6EE0863260421167D6105B70BE0493B72A89E84700302043EF546F6144DB38DC769A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6D Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405C6D(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405c71
0x00405c7e
0x00405c93
0x00405c99

APIs

GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\6culQoI97a.exe,80000000,00000003), ref: 00405C71
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405C48 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C48(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405c4d
0x00405c53
0x00405c58
0x00405c61
0x00405c61
0x00405c6a

APIs

GetFileAttributesA.KERNELBASE(?,?,00405860,?,?,00000000,00405A43,?,?,?,?), ref: 00405C4D
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C61

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 7e700ee3acf44982365c3fbd0e808c401ff2a4825d9ccd2943b1641dd8ae7ae4
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: ABD0A932004022ABC2002728AE0C88BBB90DB00270702CA35FCA4A22B1DB300C529A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040573E Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040573E(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405744
0x0040574c
0x00000000
0x00405752
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403318,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405744
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405752

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: 5acf7b5c2778cbfdcbae9b0437cf869adc97d3df665aa26c8b081b4f29c10bb0
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 53C04C30204501EFDA106B209E08B177AD0AB50741F2548396146E10A0DA789455F92E

Uniqueness

Uniqueness Score: -1.00%

Function 73542A38 Relevance: 1.6, APIs: 1, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E73542A38(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x73544040 != 0 && E7354297D(_a4) == 0) {
					 *0x73544044 = _t93;
					if( *0x7354403c != 0) {
						_t93 =  *0x7354403c;
					} else {
						E73542F60(E73542977(), __ecx);
						 *0x7354403c = _t93;
					}
				}
				_t28 = E735429AB(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E7354299F();
					_t72 = _a4;
					_t79 =  *0x73544048;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x73544048 = _t72;
					E73542999();
					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
					 *0x7354401c = _t33;
					 *0x73544020 = _t79;
					if( *0x73544040 != 0 && E7354297D( *0x73544048) == 0) {
						 *0x7354403c = _t94;
						_t94 =  *0x73544044;
					}
					_t80 =  *0x73544048;
					_a4 = _t80;
					 *0x73544048 =  *((intOrPtr*)(E7354299F() + _t80));
					_t37 = E7354298B(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E735429AB(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E735429B6() + _a4 + _v8);
							_push(E735429C0());
							if( *0x73544040 <= 0 || E7354297D(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x7354403c =  *0x7354403c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x73544048;
					if( *0x73544048 == 0) {
						 *0x7354403c = 0;
					}
					E735429E4(_t107, _a4,  *0x7354401c,  *0x73544020);
					return _a4;
				}
				_push(E735429B6() + _a4);
				_t56 = E735429BC();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E735429C8();
				_t87 = E735429C4();
				_t90 = E735429C0();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x73542a48
0x73542a59
0x73542a66
0x73542a7a
0x73542a68
0x73542a6d
0x73542a72
0x73542a72
0x73542a66
0x73542a83
0x73542a88
0x73542a8e
0x73542ad2
0x73542ad2
0x73542ad7
0x73542adc
0x73542ae2
0x73542ae4
0x73542aea
0x73542af7
0x73542af9
0x73542afe
0x73542b0b
0x73542b1e
0x73542b24
0x73542b2a
0x73542b2b
0x73542b31
0x73542b3d
0x73542b43
0x73542b4b
0x73542b4c
0x73542b4f
0x73542b5a
0x73542b5c
0x73542b68
0x73542b6e
0x73542b76
0x73542ba2
0x73542ba3
0x73542ba5
0x73542ba9
0x73542ba9
0x73542bb0
0x73542b86
0x73542b86
0x73542b87
0x73542b95
0x73542b9e
0x73542b9e
0x73542b76
0x73542b5a
0x73542bb2
0x73542bb9
0x73542bbb
0x73542bbb
0x73542bd4
0x73542be2
0x73542be2
0x73542a99
0x73542a9a
0x73542a9f
0x73542aa3
0x73542aa8
0x73542abc
0x73542abd
0x73542abe
0x73542ac0
0x73542ac5
0x73542ac7
0x73542ac7
0x73542aca
0x73542ad0
0x00000000

APIs

ReadFile.KERNELBASE(00000000), ref: 73542AF7

Memory Dump Source

Source File: 00000000.00000002.775640570.0000000073541000.00000020.00000001.01000000.00000005.sdmp, Offset: 73540000, based on PE: true

Associated: 00000000.00000002.775623192.0000000073540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775656382.0000000073543000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775675016.0000000073545000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73540000_6culQoI97a.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: cd7320c3c49f22467fe9113b4893badc21420bed9c15ca278b4ca2467069e8b5
Instruction ID: a34613d13619a300ac68c517ea9dc475ce01c3d327c3083fabf2822a4d0d6604
Opcode Fuzzy Hash: cd7320c3c49f22467fe9113b4893badc21420bed9c15ca278b4ca2467069e8b5
Instruction Fuzzy Hash: 224150B3540328DFEB2DEF66F885B593B75EB84354F249426D80DCA240C734D4A2DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0040266D Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040266D(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _t27;
				intOrPtr _t33;
				void* _t38;
				void* _t41;

				_t33 = __edx;
				 *((intOrPtr*)(_t38 - 8)) = __ebx;
				_t27 = E00402BAC(2);
				_t41 = _t27 - 1;
				 *((intOrPtr*)(_t38 - 0x38)) = _t33;
				 *((intOrPtr*)(_t38 - 0xc)) = _t27;
				if(_t41 < 0) {
					L24:
					 *0x7a3008 =  *0x7a3008 +  *(_t38 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *((intOrPtr*)(__ebp - 0xc)) = 0x3ff;
					}
					if( *__esi == __bl) {
						L21:
						__esi =  *((intOrPtr*)(__ebp - 8));
						goto L22;
					} else {
						 *((char*)(__ebp + 0xb)) = __bl;
						 *(__ebp - 0x30) = E0040604B(__ecx, __esi);
						if( *((intOrPtr*)(__ebp - 0xc)) <= __ebx) {
							goto L21;
						} else {
							__esi =  *((intOrPtr*)(__ebp - 8));
							while(1) {
								__eax = __ebp - 0xd;
								__eax = E00405CE5( *(__ebp - 0x30), __ebp - 0xd, 1); // executed
								if(__eax == 0) {
									break;
								}
								if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
									 *(__ebp - 0xd) & 0x000000ff = E00406032(__edi,  *(__ebp - 0xd) & 0x000000ff);
								} else {
									if( *((char*)(__ebp + 0xb)) == 0xd ||  *((char*)(__ebp + 0xb)) == 0xa) {
										__al =  *(__ebp - 0xd);
										if( *((intOrPtr*)(__ebp + 0xb)) == __al || __al != 0xd && __al != 0xa) {
											__eax = SetFilePointer( *(__ebp - 0x30), 0xffffffff, __ebx, 1);
										} else {
											 *((char*)(__esi + __edi)) = __al;
											__esi = __esi + 1;
										}
										break;
									} else {
										__al =  *(__ebp - 0xd);
										 *((char*)(__esi + __edi)) = __al;
										__esi = __esi + 1;
										 *((char*)(__ebp + 0xb)) = __al;
										if(__al == __bl) {
											break;
										} else {
											if(__esi <  *((intOrPtr*)(__ebp - 0xc))) {
												continue;
											} else {
												break;
											}
										}
									}
								}
								goto L25;
							}
							L22:
							 *((char*)(__esi + __edi)) = __bl;
							if(_t41 == 0) {
								 *(_t38 - 4) = 1;
							}
							goto L24;
						}
					}
				}
				L25:
				return 0;
			}

0x0040266d
0x0040266f
0x00402672
0x00402677
0x0040267b
0x0040267e
0x00402681
0x00402a5a
0x00402a5d
0x00402687
0x00402687
0x0040268e
0x00402690
0x00402690
0x00402695
0x0040271d
0x0040271d
0x00000000
0x0040269b
0x0040269c
0x004026a7
0x004026aa
0x00000000
0x004026ac
0x004026ac
0x004026af
0x004026af
0x004026b8
0x004026bf
0x00000000
0x00000000
0x004026c4
0x004026ed
0x004026c6
0x004026ca
0x004026f7
0x004026fd
0x00402715
0x00402707
0x00402707
0x0040270a
0x0040270a
0x00000000
0x004026d2
0x004026d2
0x004026d5
0x004026d8
0x004026db
0x004026de
0x00000000
0x004026e0
0x004026e3
0x00000000
0x004026e5
0x00000000
0x004026e5
0x004026e3
0x004026de
0x004026ca
0x00000000
0x004026c4
0x00402720
0x00402720
0x004015b0
0x004027bf
0x004027bf
0x00000000
0x004015b0
0x004026aa
0x00402695
0x00402a63
0x00402a69

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 1fff1c024f0da74a38f67832438442dfe69e2d67dfdc3f60895da878d3f3862f
Instruction ID: fd9bc14af938dda3ba6ee14a28b1b596e7393f89127f163b83c4ac721f41f027
Opcode Fuzzy Hash: 1fff1c024f0da74a38f67832438442dfe69e2d67dfdc3f60895da878d3f3862f
Instruction Fuzzy Hash: 5621B730C04299FADF328B9885886AEBF759F01314F1440BBE491B73D1C2BD8A85CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040272B Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040272B(intOrPtr __edx, void* __eflags) {
				long _t7;
				long _t9;
				LONG* _t11;
				void* _t13;
				intOrPtr _t14;
				void* _t17;
				void* _t19;

				_t14 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t7 = E00402BAC(2);
					_pop(_t13);
					 *((intOrPtr*)(_t19 - 0x38)) = _t14;
					_t9 = SetFilePointer(E0040604B(_t13, _t17), _t7, _t11,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t11) {
						_push(_t9);
						E00406032();
					}
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x0040272b
0x0040272b
0x0040272c
0x00402734
0x00402739
0x0040273a
0x00402749
0x00402752
0x004029a3
0x004029a5
0x004029a5
0x00402752
0x00402a5d
0x00402a69

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402749

Part of subcall function 00406032: wsprintfA.USER32 ref: 0040603F

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 3a86cb04035c0cb5dda10b044d6ebe2fb462ac2f461410f51185e628d17b0ec2
Instruction ID: bd15af3dcc237b5343033b16e4fa6085095d10168d64e0165304c7e5f2e27a94
Opcode Fuzzy Hash: 3a86cb04035c0cb5dda10b044d6ebe2fb462ac2f461410f51185e628d17b0ec2
Instruction Fuzzy Hash: 40E09271B00110FED710EF94AA499BF77A8EB40315B10843BF102F10C2CA7C49028A2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040171F Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040171F() {
				long _t5;
				CHAR* _t8;
				CHAR* _t12;
				void* _t14;
				long _t17;

				_t5 = SearchPathA(_t8, E00402BCE(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t12 = _t8;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401733
0x00401739
0x0040173b
0x00402793
0x0040279a
0x0040279a
0x00402a5d
0x00402a69

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: ed9dccc4f8e199fa8770a3267bdab13559cb47985dffab646a44fea6aae1914a
Instruction ID: eb17f69382d89759ebdee5c9dd5d6a4f0c1420afe9db4a8697d1259c8666677d
Opcode Fuzzy Hash: ed9dccc4f8e199fa8770a3267bdab13559cb47985dffab646a44fea6aae1914a
Instruction Fuzzy Hash: 80E0D871304110EFD710DF649E49BAB3758DB01368B20817AF111A60C1D5B89905872D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F88 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F88(void* __eflags, char _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405EDF(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExA(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405f92
0x00405f9b
0x00405fb1
0x00000000
0x00405fb1
0x00405f9f
0x00000000

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402C7F,00000000,?,?), ref: 00405FB1

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction ID: 0f1f398a2e861ffee82e275805f4c84720ea89191264ee960a0e3bcb1bee2725
Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction Fuzzy Hash: DAE0ECB211450ABEEF099F90DC0ADBB371DEB04300F10492EF956E5090E6B9AE30AE75

Uniqueness

Uniqueness Score: -1.00%

Function 00405D14 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D14(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405d18
0x00405d28
0x00405d30
0x00000000
0x00405d37
0x00000000
0x00405d39

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403290,00000000,00792120,000000FF,00792120,000000FF,000000FF,00000004,00000000), ref: 00405D28

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 77bff2a1fb4a149192ffadfb645e09873699659932145b723af6e3d7aa9a80e5
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 35E0EC3222065AABDF109E659C04AEB7B6CEF05360F008837FE55F3190D635E9219BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE5 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CE5(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405ce9
0x00405cf9
0x00405d01
0x00000000
0x00405d08
0x00000000
0x00405d0a

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032DA,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405CF9

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: 359c21f91a3bba3ce6496bf321611394009143f850dd69016ead32bb33babeaa
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: 08E0863210011EABCF106E909C08FEB775CEF00350F048433FD15E2040E230E8209BA4

Uniqueness

Uniqueness Score: -1.00%

Function 73542921 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73544038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x7354404c, 4, 0x40, 0x7354403c); // executed
					 *0x7354404c = 0xc2;
					 *0x7354403c = 0;
					 *0x73544044 = 0;
					 *0x73544058 = 0;
					 *0x73544048 = 0;
					 *0x73544040 = 0;
					 *0x73544050 = 0;
					 *0x7354404e = 0;
				}
				return 1;
			}

0x7354292a
0x7354292f
0x7354293f
0x73542947
0x7354294e
0x73542953
0x73542958
0x7354295d
0x73542962
0x73542967
0x7354296c
0x7354296c
0x73542974

APIs

VirtualProtect.KERNELBASE(7354404C,00000004,00000040,7354403C), ref: 7354293F

Memory Dump Source

Source File: 00000000.00000002.775640570.0000000073541000.00000020.00000001.01000000.00000005.sdmp, Offset: 73540000, based on PE: true

Associated: 00000000.00000002.775623192.0000000073540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775656382.0000000073543000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775675016.0000000073545000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73540000_6culQoI97a.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d06b59ed235357c892704c902f530fa8deb15b24e084c4a731b1dc3c33e4bcc3
Instruction ID: 58e09bbdec6be3aaca5c6aabbc186216ab39682c693c9eba909b437e8dbd07d1
Opcode Fuzzy Hash: d06b59ed235357c892704c902f530fa8deb15b24e084c4a731b1dc3c33e4bcc3
Instruction Fuzzy Hash: 3FF0A5F35882A0DEC368EF7A9444F053FF0A718354B21462AE59CDF241E3344076AF11

Uniqueness

Uniqueness Score: -1.00%

Function 004023E0 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023E0(char __ebx) {
				char _t7;
				CHAR* _t8;
				CHAR* _t19;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 0xa) = _t7;
				_t8 = E00402BCE(1);
				 *(_t21 - 0x38) = E00402BCE(0x12);
				GetPrivateProfileStringA(_t8,  *(_t21 - 0x38), _t21 + 0xa, _t19, 0x3ff, E00402BCE(0xffffffdd)); // executed
				_t24 =  *_t19 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t19 = __ebx;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x004023e0
0x004023e8
0x004023ec
0x004023fc
0x00402413
0x00402419
0x0040173b
0x00402793
0x0040279a
0x0040279a
0x00402a5d
0x00402a69

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402413

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: b20ff68c1f91e8945650ad06eb6636fe2efcf37a6f72d7170e5f25b2e3b7c808
Instruction ID: ec2b9ed2aa8753cc56e49b6d1f5b0ead50a941972cde74363bc07da0fbfd84e4
Opcode Fuzzy Hash: b20ff68c1f91e8945650ad06eb6636fe2efcf37a6f72d7170e5f25b2e3b7c808
Instruction Fuzzy Hash: 40E04630904208BAEB006FA08E09EAD3A79EF01710F20003AF9617B0D1E6B89482D72E

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5A Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F5A(void* __eflags, char _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405EDF(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExA(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405f64
0x00405f6b
0x00405f7e
0x00000000
0x00405f7e
0x00405f6f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,0079ED48,?,?,00405FE8,0079ED48,?,?,?,00000002,Call), ref: 00405F7E

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: f6689eb4189efde595c0db3434e8a658027b475c8950a5948bd102936423b03e
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: A4D0123210420EBBDF119F90DD05FAB371DEB08314F108426FE16A4091D775D930AB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040159D() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesA(E00402BCE(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a8
0x004015ae
0x004015b0
0x004027bf
0x004027bf
0x00402a5d
0x00402a69

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0bf5c4dde7e69dee31f37b62e5a1206c67b14805358631fa520c04025f4106d9
Instruction ID: 91fe89217483e075e92c8728b5a4931aee7e8ed68981fb3eb44f78270fd31ef9
Opcode Fuzzy Hash: 0bf5c4dde7e69dee31f37b62e5a1206c67b14805358631fa520c04025f4106d9
Instruction Fuzzy Hash: 25D0C232704114DBCB00EFA49B0868E73A1EB00324B30C137E011F21C1D6B8CA059A2D

Uniqueness

Uniqueness Score: -1.00%

Function 004032DD Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032DD(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004032eb
0x004032f1

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,00030BE4), ref: 004032EB

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040418D Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040418D(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x7a2f68, 0x28, _a4, 1); // executed
				return _t2;
			}

0x0040419b
0x004041a1

APIs

SendMessageA.USER32(00000028,?,00000001,00403FBD), ref: 0040419B

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8afc8e775a4383b0d9481be42871f9dd90f51651ac4b72857f61fbe09a3a2cc3
Instruction ID: 18e6939d06ef43c2e98f2159044487ea81de3fce7c02a663ceb4602929a6bce1
Opcode Fuzzy Hash: 8afc8e775a4383b0d9481be42871f9dd90f51651ac4b72857f61fbe09a3a2cc3
Instruction Fuzzy Hash: A2B09235184A00AFDA114B10DE09F457A62E7A4701F008028B240240F0CAB200A5EB09

Uniqueness

Uniqueness Score: -1.00%

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F7B(void* __ecx) {
				void* _t8;
				char _t12;
				void* _t14;
				void* _t16;
				CHAR* _t17;
				void* _t20;
				void* _t22;

				_t16 = __ecx;
				_t19 = E00402BCE(_t14);
				E004051FB(0xffffffeb, _t6);
				_t8 = E00405773(_t19); // executed
				_t20 = _t8;
				if(_t20 == _t14) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t14) {
						_t12 = E00406552(_t16, _t20);
						if( *((intOrPtr*)(_t22 - 0x24)) < _t14) {
							if(_t12 != _t14) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406032(_t17, _t12);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f7b
0x00401f81
0x00401f86
0x00401f8c
0x00401f91
0x00401f95
0x004027bf
0x00401f9b
0x00401f9e
0x00401fa1
0x00401fa9
0x00401fb6
0x00401fb8
0x00401fb8
0x00401fab
0x00401fad
0x00401fad
0x00401fa9
0x00401fbf
0x00401fc0
0x00401fc0
0x00402a5d
0x00402a69

APIs

Part of subcall function 004051FB: lstrlenA.KERNEL32(0079ED48,00000000,00798F20,74D0EA30,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,0079ED48,00000000,00798F20,74D0EA30,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
Part of subcall function 004051FB: lstrcatA.KERNEL32(0079ED48,00403210,00403210,0079ED48,00000000,00798F20,74D0EA30), ref: 00405257
Part of subcall function 004051FB: SetWindowTextA.USER32(0079ED48,0079ED48), ref: 00405269
Part of subcall function 004051FB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
Part of subcall function 004051FB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
Part of subcall function 004051FB: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7

Part of subcall function 00405773: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D70,Error launching installer), ref: 0040579C
Part of subcall function 00405773: CloseHandle.KERNEL32(?), ref: 004057A9

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406552: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406563
Part of subcall function 00406552: GetExitCodeProcess.KERNEL32 ref: 00406585

Part of subcall function 00406032: wsprintfA.USER32 ref: 0040603F

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 0b474e91ea94c30c82c56e492e8a8d82271c7f004b7a703b469e2680d7d9a326
Instruction ID: 38ff014a8e4085178bb50f003d2faa90d0cc15d8516b8928bc727fcbc0eca729
Opcode Fuzzy Hash: 0b474e91ea94c30c82c56e492e8a8d82271c7f004b7a703b469e2680d7d9a326
Instruction Fuzzy Hash: 20F0B432905021EBCB20BFA59D84AEFB2A5DF01319B24463FF102B61D1CB7C4E425A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D6(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402BAC(_t7);
				 *((intOrPtr*)(_t13 - 0x38)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d6
0x004014d7
0x004014e0
0x004014e3
0x004014e7
0x004014e7
0x004014e9
0x00402a5d
0x00402a69

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6961300aa8bc7fcb8fb7a9f8cdd8332caf209d0fa462235ae900cb187dd187be
Instruction ID: 907d7b6cbf85ab310719ae830fce415652943428c1aa0430d8039b98afce2a90
Opcode Fuzzy Hash: 6961300aa8bc7fcb8fb7a9f8cdd8332caf209d0fa462235ae900cb187dd187be
Instruction Fuzzy Hash: DCD05E73B10100DBD710EFB8BAC445F77A8EB413253308837E402E2091E579C9424628

Uniqueness

Uniqueness Score: -1.00%

Function 73541215 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73541215() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x7354405c); // executed
				return _t1;
			}

0x7354121d
0x73541223

APIs

GlobalAlloc.KERNELBASE(00000040,73541233,?,735412CF,-7354404B,735411AB,-000000A0), ref: 7354121D

Memory Dump Source

Source File: 00000000.00000002.775640570.0000000073541000.00000020.00000001.01000000.00000005.sdmp, Offset: 73540000, based on PE: true

Associated: 00000000.00000002.775623192.0000000073540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775656382.0000000073543000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775675016.0000000073545000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73540000_6culQoI97a.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 0a7457122412f34a343181694090598f26ad0f4e65e7c5e395f36c6cf0f38ac1
Instruction ID: fae2c22734ec59d6037a025ba28a2a6d8bdd1d5aea88d5297c0492f4f597d60f
Opcode Fuzzy Hash: 0a7457122412f34a343181694090598f26ad0f4e65e7c5e395f36c6cf0f38ac1
Instruction Fuzzy Hash: E8A002B7984150DBDE4DFBE2890AF143B61E748741F208140E35D581A4C7765432DB35

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405339 Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405339(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t113;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x7a2744; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E004052CD, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E00406167(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x79f568;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x7a272c - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x7a2f68, 8);
							__eflags =  *0x7a300c - _t150;
							if( *0x7a300c == _t150) {
								_t113 =  *0x79ed40; // 0x94d16c
								E004051FB( *((intOrPtr*)(_t113 + 0x34)), _t150);
							}
							E00404131(1);
							goto L25;
						}
						 *0x79e938 = 2;
						E00404131(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E004041BF(_t157, _a12, _a16);
						}
						ShowWindow( *0x7a2730, _t150);
						ShowWindow(_v8, 8);
						E0040418D(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x7a2f74; // 0x94d040
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x7a2730 = GetDlgItem(_a4, 0x403);
				 *0x7a2728 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x7a2744 = _t128;
				_v8 = _t128;
				E0040418D( *0x7a2730);
				 *0x7a2734 = E00404A7E(4);
				 *0x7a274c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404158(_a4);
				if(( *0x7a2f7c & 0x00000003) != 0) {
					ShowWindow( *0x7a2730, _t150);
					if(( *0x7a2f7c & 0x00000002) != 0) {
						 *0x7a2730 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040418D( *0x7a2728);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x7a2f7c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x0040533f
0x00405347
0x0040534a
0x00405352
0x00405355
0x004054e4
0x004054ea
0x0040550e
0x0040550e
0x0040551a
0x00405520
0x00405542
0x00405542
0x00405548
0x0040559d
0x0040559d
0x004055a0
0x00000000
0x00000000
0x004055a2
0x004055a5
0x004055a8
0x00000000
0x00000000
0x004055b2
0x004055b8
0x004055ba
0x004055bd
0x004056ba
0x00000000
0x004056ba
0x004055cc
0x004055d8
0x004055e1
0x004055e8
0x004055ec
0x004055ef
0x004055f8
0x004055fe
0x00405601
0x00405601
0x00405611
0x00405617
0x0040561a
0x00405625
0x00405625
0x00405626
0x00405629
0x00405630
0x00405637
0x0040563f
0x0040563f
0x0040564d
0x00405653
0x00405656
0x00405656
0x0040565d
0x00405663
0x0040566c
0x00405673
0x0040567c
0x0040567e
0x00405681
0x00405690
0x00405692
0x00405695
0x00405696
0x00405699
0x0040569a
0x0040569b
0x0040569b
0x004056a3
0x004056ae
0x004056b4
0x004056b4
0x00000000
0x0040561a
0x0040554a
0x00405550
0x0040557e
0x00405580
0x00405586
0x00405588
0x00405591
0x00405591
0x00405598
0x00000000
0x00405598
0x00405554
0x0040555e
0x00000000
0x00405522
0x00405522
0x00405528
0x00405563
0x00000000
0x0040556a
0x00405531
0x00405538
0x0040553d
0x00000000
0x0040553d
0x00405520
0x0040535b
0x0040535f
0x00405367
0x0040536b
0x0040536e
0x00405371
0x00405374
0x00405377
0x00405378
0x00405379
0x00405392
0x00405395
0x0040539f
0x004053ae
0x004053b6
0x004053be
0x004053c3
0x004053c6
0x004053d2
0x004053db
0x004053e4
0x00405406
0x0040540c
0x0040541d
0x00405422
0x00405430
0x0040543e
0x0040543e
0x00405443
0x00405451
0x00405451
0x00405456
0x00405459
0x0040545e
0x0040546a
0x00405473
0x00405480
0x0040548f
0x00405482
0x00405487
0x00405487
0x0040549b
0x0040549b
0x004054af
0x004054b8
0x004054c1
0x004054d1
0x004054dd
0x004054dd
0x00000000

APIs

GetDlgItem.USER32 ref: 00405398
GetDlgItem.USER32 ref: 004053A7
GetClientRect.USER32 ref: 004053E4
GetSystemMetrics.USER32 ref: 004053EB
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040540C
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040541D
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405430
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040543E
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405451
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405473
ShowWindow.USER32(?,00000008), ref: 00405487
GetDlgItem.USER32 ref: 004054A8
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054B8
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054D1
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054DD
GetDlgItem.USER32 ref: 004053B6

Part of subcall function 0040418D: SendMessageA.USER32(00000028,?,00000001,00403FBD), ref: 0040419B

GetDlgItem.USER32 ref: 004054F9
CreateThread.KERNEL32 ref: 00405507
CloseHandle.KERNEL32(00000000), ref: 0040550E
ShowWindow.USER32(00000000), ref: 00405531
ShowWindow.USER32(?,00000008), ref: 00405538
ShowWindow.USER32(00000008), ref: 0040557E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055B2
CreatePopupMenu.USER32 ref: 004055C3
AppendMenuA.USER32 ref: 004055D8
GetWindowRect.USER32 ref: 004055F8
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405611
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564D
OpenClipboard.USER32(00000000), ref: 0040565D
EmptyClipboard.USER32 ref: 00405663
GlobalAlloc.KERNEL32(00000042,?), ref: 0040566C
GlobalLock.KERNEL32 ref: 00405676
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040568A
GlobalUnlock.KERNEL32(00000000), ref: 004056A3
SetClipboardData.USER32 ref: 004056AE
CloseClipboard.USER32 ref: 004056B4

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: dee1dd70bc3dae44c318a2559c0bf59ef3862208e7b388c7693d8967826c8269
Instruction ID: 684cfb1aaa76551445c09ef43b39d8f4d2da16edc43e4b0a600a882252a292b3
Opcode Fuzzy Hash: dee1dd70bc3dae44c318a2559c0bf59ef3862208e7b388c7693d8967826c8269
Instruction Fuzzy Hash: 4AA16C70900608BFDF119FA4DD89EAE7B79FB48354F00802AFA45BA1A1C7794E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004045EA Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004045EA(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x79ed40; // 0x94d16c
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + "540027183";
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004057D4(0x3fb, _t146);
					E004063AF(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004057D4(0x3fb, _t146);
							if(E00405B5A(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E004060D4(0x79e538, _t146);
							_t87 = E004064DD(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E004060D4(0x79e538, _t146);
								_t89 = E00405B05(0x79e538);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x79e538,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x79e538) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x79e538,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405AB3(0x79e538);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x79e538) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404A7E(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x7a273c; // 0x952563
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404A66(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x79e528);
									} else {
										E004049A1(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x7a3024 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E0040417A(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x79f558 == _t158) {
									E00404543();
								}
								 *0x79f558 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x79f568;
							_v60 = E0040493B;
							_v56 = _t146;
							_v68 = E00406167(_t146, 0x79f568, _t166, 0x79e940, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405A6C(_t146);
								_t124 =  *0x7a2f74; // 0x94d040
								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t146 == "C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten") {
									E00406167(_t146, 0x79f568, _t166, 0, _t125);
									if(lstrcmpiA(0x7a1f00, 0x79f568) != 0) {
										lstrcatA(_t146, 0x7a1f00);
									}
								}
								 *0x79f558 =  *0x79f558 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405AD9(_t146) != 0 && E00405B05(_t146) == 0) {
						E00405A6C(_t146);
					}
					 *0x7a2738 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404158(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404158(_t166);
					E0040418D(_t165);
					_t138 = E004064DD(8);
					if(_t138 == 0) {
						L53:
						return E004041BF(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x004045ea
0x004045f0
0x004045f6
0x00404603
0x00404611
0x00404614
0x0040461c
0x00404622
0x00404622
0x0040462e
0x00404631
0x0040469f
0x004046a6
0x0040477d
0x00404784
0x00404793
0x00404793
0x00404797
0x004047a1
0x004047ae
0x004047b0
0x004047b0
0x004047be
0x004047c5
0x004047cc
0x004047cf
0x00404806
0x00404808
0x0040480e
0x00404813
0x00404817
0x00404819
0x00404819
0x00404835
0x00000000
0x00404837
0x0040483a
0x00404848
0x0040484e
0x0040484f
0x00404852
0x00404855
0x00000000
0x00404855
0x004047d1
0x004047d3
0x004047d7
0x00000000
0x00000000
0x00000000
0x00000000
0x004047d9
0x004047d9
0x004047e6
0x004047eb
0x00000000
0x00000000
0x004047ef
0x004047f1
0x004047f1
0x004047f9
0x004047fb
0x004047fe
0x00404801
0x00404804
0x00000000
0x00000000
0x00000000
0x00000000
0x00404804
0x00404861
0x0040486b
0x0040486e
0x00404871
0x00404878
0x00404878
0x0040487a
0x0040487a
0x0040487f
0x00404881
0x00404889
0x00404890
0x00404892
0x0040489d
0x0040489d
0x00404892
0x004048a4
0x004048ad
0x004048b7
0x004048bf
0x004048da
0x004048c1
0x004048ca
0x004048ca
0x004048bf
0x004048df
0x004048e4
0x004048e9
0x004048f2
0x004048f2
0x004048fb
0x004048fd
0x004048fd
0x00404909
0x00404911
0x0040491b
0x0040491b
0x00404920
0x00000000
0x00404920
0x004047cf
0x00404786
0x0040478d
0x00000000
0x00000000
0x00000000
0x0040478d
0x004046ac
0x004046b5
0x004046cf
0x004046d4
0x004046de
0x004046e5
0x004046f1
0x004046f4
0x004046f7
0x004046fe
0x00404706
0x00404709
0x0040470d
0x00404714
0x0040471c
0x00404776
0x0040471e
0x0040471f
0x00404726
0x0040472b
0x00404730
0x00404738
0x00404745
0x00404759
0x0040475d
0x0040475d
0x00404759
0x00404762
0x0040476f
0x0040476f
0x0040471c
0x00000000
0x004046d4
0x004046c2
0x00000000
0x00000000
0x004046c8
0x00000000
0x00404633
0x00404640
0x00404649
0x00404656
0x00404656
0x0040465d
0x00404663
0x0040466c
0x0040466f
0x00404672
0x0040467a
0x0040467d
0x00404680
0x00404686
0x0040468d
0x00404694
0x00404926
0x00404938
0x0040469a
0x0040469d
0x00000000
0x0040469d
0x00404694

APIs

GetDlgItem.USER32 ref: 00404639
SetWindowTextA.USER32(00000000,?), ref: 00404663
SHBrowseForFolderA.SHELL32(?,0079E940,?), ref: 00404714
CoTaskMemFree.OLE32(00000000), ref: 0040471F
lstrcmpiA.KERNEL32(Call,0079F568,00000000,?,?), ref: 00404751
lstrcatA.KERNEL32(?,Call), ref: 0040475D
SetDlgItemTextA.USER32 ref: 0040476F

Part of subcall function 004057D4: GetDlgItemTextA.USER32 ref: 004057E7

Part of subcall function 004063AF: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\6culQoI97a.exe",74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406407
Part of subcall function 004063AF: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406414
Part of subcall function 004063AF: CharNextA.USER32(?,"C:\Users\user\Desktop\6culQoI97a.exe",74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406419
Part of subcall function 004063AF: CharPrevA.USER32(?,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406429

GetDiskFreeSpaceA.KERNEL32(0079E538,?,?,0000040F,?,0079E538,0079E538,?,00000001,0079E538,?,?,000003FB,?), ref: 0040482D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404848

Part of subcall function 004049A1: lstrlenA.KERNEL32(0079F568,0079F568,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048BC,000000DF,00000000,00000400,?), ref: 00404A3F
Part of subcall function 004049A1: wsprintfA.USER32 ref: 00404A47
Part of subcall function 004049A1: SetDlgItemTextA.USER32 ref: 00404A5A

Strings

8y, xrefs: 004047B7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten, xrefs: 0040473A
Call, xrefs: 0040474B, 00404750, 0040475B
A, xrefs: 0040470D
540027183, xrefs: 00404603

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: 540027183$8y$A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten$Call
API String ID: 2624150263-989304122
Opcode ID: a4aefe8a33941754a38210bdfdb67fad9402d671bf1433dcbf252a6a4ee896ac
Instruction ID: 0969ed353920fe7c0c653b0854d10b45f8508fdea16f9d8b9f06e94c3a270cc6
Opcode Fuzzy Hash: a4aefe8a33941754a38210bdfdb67fad9402d671bf1433dcbf252a6a4ee896ac
Instruction Fuzzy Hash: 80A17FB1900208ABDB11EFA5CD85AAF77B8EF85314F14843BF701B62D1D77C8A518B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040216B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040216B(void* __eflags) {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405AD9( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408418, _t87, 1, 0x408408, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408428, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\hardz\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Bracker\\Feberkosten\\Pollen47\\Disvoice");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x00402174
0x0040217e
0x00402188
0x00402195
0x004021a0
0x004021a3
0x004021bd
0x004021c3
0x004021c9
0x004021cc
0x004021d6
0x004021da
0x004021da
0x004021df
0x004021f0
0x004021f8
0x004022d4
0x004022d4
0x004022db
0x004021fe
0x004021fe
0x0040220d
0x00402211
0x00402214
0x0040221a
0x00402228
0x0040222b
0x0040222d
0x00402238
0x00402238
0x0040223d
0x0040223f
0x00402246
0x00402246
0x00402249
0x00402252
0x00402255
0x0040225a
0x0040225c
0x00402269
0x00402269
0x0040226c
0x00402278
0x0040227b
0x00402284
0x0040228a
0x00402291
0x004022aa
0x004022ac
0x004022ba
0x004022ba
0x004022aa
0x004022bd
0x004022c3
0x004022c3
0x004022c6
0x004022cc
0x004022d2
0x004022e7
0x00000000
0x00000000
0x00000000
0x004022d2
0x004022dd
0x00402a5d
0x00402a69

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice, xrefs: 00402230

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bracker\Feberkosten\Pollen47\Disvoice
API String ID: 123533781-1299319120
Opcode ID: aad1dd5d420970f0b73939c8816bf56431865aa6b60deac465dd8b32fd3c342b
Instruction ID: 66478de832771c1020eecb70c9dea3013e0956f30c68bb444eb5f27a96bb8e2b
Opcode Fuzzy Hash: aad1dd5d420970f0b73939c8816bf56431865aa6b60deac465dd8b32fd3c342b
Instruction Fuzzy Hash: DC511671A00208AFCB00DFE4C988E9D7BB6FF48314F2041BAF515EB2D1DA799981CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004027A1 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027A1(char __ebx, CHAR* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
					E00406032(__edi, _t6);
					_push(_t19 - 0x1a4);
					_push(__esi);
					E004060D4();
				} else {
					 *((char*)(__edi)) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027b9
0x004027cd
0x004027d8
0x004027d9
0x00402918
0x004027bb
0x004027bb
0x004027bd
0x004027bf
0x004027bf
0x00402a5d
0x00402a69

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7305d2227633278d199499a668a8e017edd66f9d38e283653f665cc5fa18cc54
Instruction ID: 501d16c749f80da14ed264ffe4d7962c3458ff385ba500142fb475b890c78c7d
Opcode Fuzzy Hash: 7305d2227633278d199499a668a8e017edd66f9d38e283653f665cc5fa18cc54
Instruction Fuzzy Hash: E5F0A771644110DED700EB649A49AEE77689F51314F20457BF102B20C1D6B84A46972A

Uniqueness

Uniqueness Score: -1.00%

Function 004042C3 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004042C3(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x79e534 =  *0x79e534 + 1;
								__eflags =  *0x79e534;
							}
							L25:
							_t110 = _a16;
							L26:
							return E004041BF(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x7a1f00;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									_push(1);
									E00404567(_a4, _v8);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x7a2f68, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x7a2f68, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x79e534; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t103 =  *0x79ed40; // 0x94d16c
					_t25 = _t103 + 0x14; // 0x94d180
					_t112 = _t25;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E0040417A(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E00404543();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x7a273c; // 0x952563
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_t71 =  *0x7a2fb8; // 0x9510e0
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 + _t71;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E0040428E;
					E00404158(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E00404158(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E0040417A( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E0040418D(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t85 =  *0x7a2f74; // 0x94d040
					_t86 =  *(_t85 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x79e534 = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x79e534 = 0;
					return 0;
				}
			}

0x004042d3
0x004043e5
0x004043f8
0x00404454
0x00404454
0x00404458
0x0040451e
0x00404525
0x00404527
0x00404527
0x00404527
0x0040452d
0x0040452d
0x00404530
0x00000000
0x00404537
0x00404466
0x00404468
0x0040446b
0x00404472
0x00404474
0x0040447b
0x0040447d
0x00404480
0x00404483
0x00404488
0x0040448e
0x00404491
0x00404498
0x004044a6
0x004044be
0x004044c0
0x004044c8
0x004044d7
0x004044d9
0x004044d9
0x00404498
0x0040447b
0x004044dc
0x004044e3
0x00000000
0x004044e5
0x004044e5
0x004044ec
0x00000000
0x00000000
0x004044ee
0x004044f2
0x00404503
0x00404503
0x00404505
0x00404509
0x00404517
0x00404517
0x00000000
0x0040451b
0x004044e3
0x00404400
0x00404403
0x00000000
0x00000000
0x0040440b
0x00404411
0x00000000
0x00000000
0x00404417
0x0040441d
0x0040441d
0x00404420
0x00404423
0x00000000
0x00000000
0x00404446
0x00404446
0x00404448
0x0040444a
0x0040444f
0x00000000
0x004042d9
0x004042d9
0x004042dc
0x004042e1
0x004042e3
0x004042f2
0x004042f2
0x004042f4
0x004042f9
0x004042fc
0x004042fe
0x00404303
0x0040430c
0x00404312
0x0040431e
0x00404321
0x0040432a
0x0040432f
0x00404332
0x00404337
0x0040434e
0x00404355
0x00404368
0x0040436b
0x00404380
0x00404382
0x00404387
0x0040438c
0x00404391
0x00404391
0x004043a0
0x004043af
0x004043c1
0x004043c6
0x004043d6
0x004043d8
0x00000000
0x004043de

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040434E
GetDlgItem.USER32 ref: 00404362
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404380
GetSysColor.USER32(?), ref: 00404391
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043A0
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043AF
lstrlenA.KERNEL32(?), ref: 004043B2
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043C1
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043D6
GetDlgItem.USER32 ref: 00404438
SendMessageA.USER32(00000000), ref: 0040443B
GetDlgItem.USER32 ref: 00404466
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044A6
LoadCursorA.USER32 ref: 004044B5
SetCursor.USER32(00000000), ref: 004044BE
LoadCursorA.USER32 ref: 004044D4
SetCursor.USER32(00000000), ref: 004044D7
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404503
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404517

Strings

Call, xrefs: 00404491
N, xrefs: 00404454

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 89bfaba4aad14bbdc3ef2aca23760d41403bea85feb245a06943091ca1e46a07
Instruction ID: 9df2d5718f770f504e0a3d1761d641f71338e4c23cddda8a7d5dd424fc5a0579
Opcode Fuzzy Hash: 89bfaba4aad14bbdc3ef2aca23760d41403bea85feb245a06943091ca1e46a07
Instruction Fuzzy Hash: 2A61B1B1A40208BFDF109F60DD45F6A3B69FB84715F10802AFB05BA2D1D7B8A951CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x7a2f74; // 0x94d040
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Resultatlst", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x7a2f68; // 0x20438
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x00401019
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Resultatlst,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Resultatlst, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Resultatlst
API String ID: 941294808-3182726754
Opcode ID: 2b80ecd39af3c7aade96203546a39d5d88e703590141695a35fb255926c22a0b
Instruction ID: 8cb536a74e8a95367a30f9a40e648d77c0c0257b52f8be6e86691cf172308c2f
Opcode Fuzzy Hash: 2b80ecd39af3c7aade96203546a39d5d88e703590141695a35fb255926c22a0b
Instruction Fuzzy Hash: 1D417B71800249AFCF058FA5DE459AF7BB9FF45314F00802AF991AA1A0C7789A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D43 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D43(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				intOrPtr _t14;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x7a12f8 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x7a16f8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x7a0ef8, "%s=%s\r\n", 0x7a12f8, 0x7a16f8);
						_t14 =  *0x7a2f74; // 0x94d040
						_t53 = _t52 + 0x10;
						E00406167(_t37, 0x400, 0x7a16f8, 0x7a16f8,  *((intOrPtr*)(_t14 + 0x128)));
						_t12 = E00405C6D(0x7a16f8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405CE5(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405BD2(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405BD2(_t38, _t21 + 0xa, 0x40a3d8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405C28(_t24 + _t46, 0x7a0ef8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405D14(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405C6D(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x7a12f8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405d43
0x00405d4c
0x00405d53
0x00405d67
0x00405d8f
0x00405d9a
0x00405d9e
0x00405dbe
0x00405dc0
0x00405dc5
0x00405dcf
0x00405ddc
0x00405de1
0x00405de6
0x00405dea
0x00405df9
0x00405dfb
0x00405e08
0x00405e0c
0x00405ea7
0x00000000
0x00405e22
0x00405e2f
0x00405e53
0x00405e57
0x00405e76
0x00405e7a
0x00405e7a
0x00405e7c
0x00405e85
0x00405e90
0x00405e9b
0x00405ea1
0x00000000
0x00405ea1
0x00405e59
0x00405e5c
0x00405e67
0x00405e63
0x00405e65
0x00405e66
0x00405e66
0x00405e6e
0x00405e70
0x00000000
0x00405e70
0x00405e3a
0x00405e40
0x00000000
0x00405e40
0x00405e0c
0x00405dea
0x00405d69
0x00405d74
0x00405d7d
0x00405d81
0x00000000
0x00000000
0x00405d81
0x00405eb2

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405ED4,?,?), ref: 00405D74
GetShortPathNameA.KERNEL32 ref: 00405D7D

Part of subcall function 00405BD2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
Part of subcall function 00405BD2: lstrlenA.KERNEL32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C14

GetShortPathNameA.KERNEL32 ref: 00405D9A
wsprintfA.USER32 ref: 00405DB8
GetFileSize.KERNEL32(00000000,00000000,007A16F8,C0000000,00000004,007A16F8,?,?,?,?,?), ref: 00405DF3
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E02
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E3A
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,007A0EF8,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405E90
GlobalFree.KERNEL32 ref: 00405EA1
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EA8

Part of subcall function 00405C6D: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\6culQoI97a.exe,80000000,00000003), ref: 00405C71
Part of subcall function 00405C6D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93

Strings

[Rename], xrefs: 00405E22, 00405E34
%s=%s, xrefs: 00405DAE

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 0b1fe35b626d56e42c997f45168692cc3ef83c098e0f1d716f4da02acec9d6b8
Instruction ID: 3bd9902b6e4cfcbbd8c27daddc785bf5092739fd3612ff4c635abc71f9dbf801
Opcode Fuzzy Hash: 0b1fe35b626d56e42c997f45168692cc3ef83c098e0f1d716f4da02acec9d6b8
Instruction Fuzzy Hash: 30312531200B156FD3206B75DD48F2B3A5CDF85754F14043AB981F62D2DB7CE9018AAD

Uniqueness

Uniqueness Score: -1.00%

Function 735424D8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E735424D8(intOrPtr* _a4) {
				char _v80;
				int _v84;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t43;
				void* _t44;
				intOrPtr _t45;
				void* _t48;

				_t44 = E73541215();
				_t28 = _a4;
				_t45 =  *((intOrPtr*)(_t28 + 0x814));
				_v88 = _t45;
				_t48 = (_t45 + 0x41 << 5) + _t28;
				do {
					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
					}
					_t43 =  *(_t48 - 8) & 0x000000ff;
					if(_t43 <= 7) {
						switch( *((intOrPtr*)(_t43 * 4 +  &M73542626))) {
							case 0:
								 *_t44 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									_v84 = __ecx;
									__ecx =  *(0x7354307c + __edx * 4);
									__edx = _v84;
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x7354309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73541429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x7354405c);
								goto L17;
							case 4:
								__ecx =  *0x7354405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x7354405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L17;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push(__ecx);
								_push( *__eax);
								" {xv@uxv"();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x7354405c, __ebx, __ebx);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x73544000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t30 =  *(_t48 + 0x14);
					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
						GlobalFree(_t30);
					}
					_t31 =  *((intOrPtr*)(_t48 + 0xc));
					if(_t31 != 0) {
						if(_t31 != 0xffffffff) {
							if(_t31 > 0) {
								E735412D1(_t31 - 1, _t44);
								goto L26;
							}
						} else {
							E73541266(_t44);
							L26:
						}
					}
					_v88 = _v88 - 1;
					_t48 = _t48 - 0x20;
				} while (_v88 >= 0);
				return GlobalFree(_t44);
			}

0x735424e4
0x735424e6
0x735424f0
0x735424f6
0x73542500
0x73542504
0x73542509
0x73542509
0x73542511
0x73542518
0x7354251e
0x00000000
0x73542525
0x00000000
0x00000000
0x7354252c
0x73542530
0x73542533
0x73542537
0x7354253e
0x73542542
0x73542548
0x7354254a
0x7354254c
0x7354254c
0x73542553
0x00000000
0x00000000
0x7354255c
0x00000000
0x00000000
0x7354256c
0x00000000
0x00000000
0x73542598
0x735425a0
0x735425aa
0x735425ac
0x735425b1
0x00000000
0x00000000
0x73542574
0x73542578
0x7354257a
0x7354257b
0x7354257d
0x7354258d
0x73542594
0x00000000
0x00000000
0x735425b7
0x735425b9
0x735425bf
0x735425c5
0x735425c5
0x00000000
0x00000000
0x7354251e
0x735425c8
0x735425c8
0x735425cd
0x735425de
0x735425de
0x735425e4
0x735425e9
0x735425ee
0x735425fa
0x735425ff
0x00000000
0x73542604
0x735425f0
0x735425f1
0x73542605
0x73542605
0x735425ee
0x73542606
0x7354260a
0x7354260d
0x73542625

APIs

Part of subcall function 73541215: GlobalAlloc.KERNELBASE(00000040,73541233,?,735412CF,-7354404B,735411AB,-000000A0), ref: 7354121D

GlobalFree.KERNEL32 ref: 735425DE
GlobalFree.KERNEL32 ref: 73542618

Strings

{xv@uxv, xrefs: 7354257D

Memory Dump Source

Source File: 00000000.00000002.775640570.0000000073541000.00000020.00000001.01000000.00000005.sdmp, Offset: 73540000, based on PE: true

Associated: 00000000.00000002.775623192.0000000073540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775656382.0000000073543000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775675016.0000000073545000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73540000_6culQoI97a.jbxd

Similarity

API ID: Global$Free$Alloc
String ID: {xv@uxv
API String ID: 1780285237-1953920604
Opcode ID: c9b5e8b1feef3ead8b02b228c305a1ff6f85168f1ddcdbd47f02e53599d07f58
Instruction ID: 4a6e9e00d77dc4b44293217db93e1dae225c169001575bd9cb88fe36b0b272a2
Opcode Fuzzy Hash: c9b5e8b1feef3ead8b02b228c305a1ff6f85168f1ddcdbd47f02e53599d07f58
Instruction Fuzzy Hash: 3C414572108228EFD30EEF51EC94E6A7BFAEB85340B24492DF5498B150DB319915CB62

Uniqueness

Uniqueness Score: -1.00%

Function 004051FB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004051FB(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7a2744; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x7a3034;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00406167(0, _t39, 0x79ed48, 0x79ed48, _a4);
					}
					_t26 = lstrlenA(0x79ed48);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x7a2728, 0x79ed48);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x79ed48;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x79ed48)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x79ed48, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00405201
0x0040520d
0x00405210
0x00405216
0x00405222
0x00405225
0x00405228
0x0040522e
0x0040522e
0x00405234
0x0040523c
0x0040523f
0x0040525c
0x00405260
0x00405269
0x00405269
0x00405273
0x0040527c
0x00405288
0x0040528f
0x00405293
0x00405296
0x004052a9
0x004052b7
0x004052b7
0x004052bb
0x004052bd
0x004052c0
0x00000000
0x004052c0
0x00405241
0x00405249
0x00405251
0x00405257
0x00000000
0x00405257
0x00405251
0x0040523f
0x004052ca

APIs

lstrlenA.KERNEL32(0079ED48,00000000,00798F20,74D0EA30,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
lstrlenA.KERNEL32(00403210,0079ED48,00000000,00798F20,74D0EA30,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
lstrcatA.KERNEL32(0079ED48,00403210,00403210,0079ED48,00000000,00798F20,74D0EA30), ref: 00405257
SetWindowTextA.USER32(0079ED48,0079ED48), ref: 00405269
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7

Strings

Hy, xrefs: 0040521B

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Hy
API String ID: 2531174081-2517439931
Opcode ID: 84dc479b8b7881d3249495fb7370a8664623c8244ac58232fd13fde5de382175
Instruction ID: 95508abd931072ea88f050004e9a273e6bd30dde68a0f7ca5354031f7b80a04f
Opcode Fuzzy Hash: 84dc479b8b7881d3249495fb7370a8664623c8244ac58232fd13fde5de382175
Instruction Fuzzy Hash: A521A175900118BBDF119FA9DD809DFBFB9EF09354F1480BAF544B6291C6388E408F98

Uniqueness

Uniqueness Score: -1.00%

Function 735422F1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E735422F1(void* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				signed int* _t50;
				signed char* _t51;

				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t51 = (_v8 << 5) + _t9;
					_t38 = _t51[0x18];
					if(_t38 == 0) {
						goto L9;
					}
					_t48 = 0x1a;
					if(_t38 == _t48) {
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						if(_t38 <= 0 || _t38 > 0x19) {
							_t51[0x18] = _t48;
						} else {
							_t38 = E735412AD(_t38 - 1);
							L10:
						}
						goto L11;
					} else {
						_t38 = E7354123B();
						L11:
						_t43 = _t38;
						_t13 =  &(_t51[8]); // 0x820
						_t50 = _t13;
						if(_t51[4] >= 0) {
						}
						_t39 =  *_t51 & 0x000000ff;
						_t51[0x1c] = _t51[0x1c] & 0x00000000;
						_v4 = _t39;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t43);
							if(_v8 == 0) {
								return _t40;
							}
							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v8 = _v8 + 1;
							} else {
								_v8 = _v8 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M7354247E))) {
								case 0:
									 *_t50 =  *_t50 & 0x00000000;
									goto L27;
								case 1:
									__eax = E735412FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E735412FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E73541224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x7354405c =  *0x7354405c +  *0x7354405c;
									__edi = GlobalAlloc(0x40,  *0x7354405c +  *0x7354405c);
									 *0x7354405c = MultiByteToWideChar(0, 0, __ebx,  *0x7354405c, __edi,  *0x7354405c);
									if(_v4 != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E735412FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x7354405c;
									__esi = __esi +  *0x73544064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E73541429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E73541224(0x73544034);
					goto L10;
				}
			}

0x73542306
0x7354230a
0x73542315
0x73542315
0x7354231c
0x73542321
0x00000000
0x00000000
0x73542325
0x73542328
0x00000000
0x00000000
0x7354232d
0x73542338
0x73542348
0x7354233f
0x73542341
0x73542357
0x73542357
0x00000000
0x7354232f
0x7354232f
0x73542358
0x7354235c
0x7354235e
0x7354235e
0x73542361
0x73542361
0x73542369
0x7354236c
0x73542373
0x73542377
0x73542446
0x73542447
0x73542452
0x7354247d
0x7354247d
0x73542462
0x7354246e
0x73542464
0x73542464
0x73542464
0x00000000
0x7354237d
0x7354237d
0x00000000
0x73542384
0x00000000
0x00000000
0x7354238d
0x00000000
0x00000000
0x7354239b
0x7354239e
0x00000000
0x00000000
0x735423a7
0x735423ac
0x735423af
0x735423b0
0x00000000
0x00000000
0x735423bd
0x735423c8
0x735423d7
0x735423e2
0x73542405
0x73542408
0x735423e4
0x735423e8
0x735423ee
0x735423ef
0x735423f2
0x735423f3
0x735423f6
0x735423fd
0x735423fd
0x00000000
0x00000000
0x73542410
0x73542413
0x7354241f
0x73542421
0x00000000
0x00000000
0x73542424
0x73542427
0x73542428
0x7354242f
0x73542436
0x73542439
0x7354243b
0x7354243e
0x00000000
0x00000000
0x7354237d
0x73542377
0x7354234d
0x73542352
0x00000000
0x73542352

APIs

GlobalFree.KERNEL32 ref: 73542447

Part of subcall function 73541224: lstrcpynA.KERNEL32(00000000,?,735412CF,-7354404B,735411AB,-000000A0), ref: 73541234

GlobalAlloc.KERNEL32(00000040,?), ref: 735423C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 735423D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 735423E8
CLSIDFromString.OLE32(00000000,00000000), ref: 735423F6
GlobalFree.KERNEL32 ref: 735423FD

Strings

@uxv, xrefs: 735423F6

Memory Dump Source

Source File: 00000000.00000002.775640570.0000000073541000.00000020.00000001.01000000.00000005.sdmp, Offset: 73540000, based on PE: true

Associated: 00000000.00000002.775623192.0000000073540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775656382.0000000073543000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775675016.0000000073545000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73540000_6culQoI97a.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @uxv
API String ID: 3730416702-3068791405
Opcode ID: 609b8af03dc23be1604733e231b79c10395c02f0b1d4554e8cebdb562905079f
Instruction ID: 90207bcba72fa4ff4bafa255e5f2c19193ae6eb333e20490f03ec69dd3385252
Opcode Fuzzy Hash: 609b8af03dc23be1604733e231b79c10395c02f0b1d4554e8cebdb562905079f
Instruction Fuzzy Hash: 974180B1508369DFE31DEF65B844B2AB7F8FB80311F24691AF54ACA190E7309545CF61

Uniqueness

Uniqueness Score: -1.00%

Function 004063AF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063AF(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405AD9(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405A97("*?|<>/\":", _t5))) == 0) {
							E00405C28(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004063b1
0x004063b9
0x004063cd
0x004063cd
0x004063d3
0x004063e0
0x004063e0
0x004063e1
0x004063e3
0x004063e7
0x004063e9
0x004063f2
0x004063f4
0x0040640e
0x00406416
0x00406416
0x0040641b
0x0040641d
0x0040641f
0x00406423
0x00406424
0x00406427
0x0040642f
0x00406431
0x00406435
0x00000000
0x00000000
0x0040643b
0x00406440
0x00000000
0x00000000
0x00000000
0x00406440
0x00406445

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\6culQoI97a.exe",74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406407
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406414
CharNextA.USER32(?,"C:\Users\user\Desktop\6culQoI97a.exe",74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406419
CharPrevA.USER32(?,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406429

Strings

"C:\Users\user\Desktop\6culQoI97a.exe", xrefs: 004063EB
*?|<>/":, xrefs: 004063F7
C:\Users\user\AppData\Local\Temp\, xrefs: 004063B0

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\6culQoI97a.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-534690895
Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction ID: 4c47756038ac22285ba0d5cec53aa64a9461198f7a7023556037c09898c6efe2
Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction Fuzzy Hash: 5B11B6514047A129EB3216285C40B77BF888B97760F19407BE8D2722C2D77C5C5297BD

Uniqueness

Uniqueness Score: -1.00%

Function 004041BF Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041BF(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004041d1
0x00404287
0x00000000
0x00404287
0x004041e2
0x004041e6
0x00000000
0x00404200
0x00404200
0x00404209
0x00000000
0x00000000
0x0040420b
0x00404217
0x0040421a
0x0040421a
0x00404220
0x00404226
0x00404226
0x00404232
0x00404238
0x0040423f
0x00404242
0x00404245
0x00404247
0x00404247
0x0040424f
0x00404255
0x00404255
0x0040425f
0x00404264
0x00404267
0x0040426c
0x0040426f
0x0040426f
0x0040427f
0x0040427f
0x00000000
0x00404282

APIs

GetWindowLongA.USER32 ref: 004041DC
GetSysColor.USER32(00000000), ref: 0040421A
SetTextColor.GDI32(?,00000000), ref: 00404226
SetBkMode.GDI32(?,?), ref: 00404232
GetSysColor.USER32(?), ref: 00404245
SetBkColor.GDI32(?,?), ref: 00404255
DeleteObject.GDI32(?), ref: 0040426F
CreateBrushIndirect.GDI32(?), ref: 00404279

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 0c29b1994579108119522ba9b7e42ccb12df1f79812dc60d22c4570354a7e24a
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: 6021A4B16007049BCB309F78DD08B5BBBF8AF81754B14896EFD92A26E0C734E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404AAB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404AAB(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404ab9
0x00404ac6
0x00404acc
0x00404b0a
0x00404b0a
0x00404b19
0x00404b20
0x00000000
0x00404b22
0x00404ace
0x00404add
0x00404ae5
0x00404ae8
0x00404afa
0x00404b00
0x00404b07
0x00000000
0x00404b07
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AC6
GetMessagePos.USER32 ref: 00404ACE
ScreenToClient.USER32 ref: 00404AE8
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404AFA
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B20

Strings

f, xrefs: 00404AFC

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: 246458a00becd8bf3e45cced134e1bc678ff0f74541da5adfbd61824d77d36c3
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: BC015E71900219BADB00DBA4DD85BFFBBBCAF55B11F10012BBB40B61D0C7B4A941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b808->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b818 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b81f = 1;
				 *0x40b81c = _t15 & 0x00000001;
				 *0x40b81d = _t15 & 0x00000002;
				 *0x40b81e = _t15 & 0x00000004;
				E00406167(_t9, _t31, _t33, "Tahoma",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b808);
				_push(_t18);
				_push(_t33);
				E00406032();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e35
0x00401e40
0x00401e42
0x00401e4f
0x00401e66
0x00401e6b
0x00401e78
0x00401e7d
0x00401e81
0x00401e8c
0x00401e93
0x00401ea5
0x00401eab
0x00401eb0
0x00401eba
0x00402620
0x00401569
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32 ref: 00401E6B
CreateFontIndirectA.GDI32(0040B808), ref: 00401EBA

Strings

Tahoma, xrefs: 00401EA0

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: fc9f16b01a24cae65528eb59c91fd2b9324a8e2726ec0d721fc5ceb8334f1a1e
Instruction ID: 57ae00d383071d6c5df03c611de82deed4414851ba4a5b5ac7ac255a7617b9b1
Opcode Fuzzy Hash: fc9f16b01a24cae65528eb59c91fd2b9324a8e2726ec0d721fc5ceb8334f1a1e
Instruction Fuzzy Hash: 0E019672500240AFD7006BB0AE4A79A3FF8D755301F108839F241B62F2C67804458BAC

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x792118; // 0x51a5a
					_t11 =  *0x79e124; // 0x51a5e
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402dc7
0x00402dd5
0x00402ddb
0x00402ddb
0x00402de9
0x00402deb
0x00402df1
0x00402df8
0x00402dfa
0x00402dfa
0x00402e10
0x00402e20
0x00402e32
0x00402e32
0x00402e3a

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
MulDiv.KERNEL32(00051A5A,00000064,00051A5E), ref: 00402E00
wsprintfA.USER32 ref: 00402E10
SetWindowTextA.USER32(?,?), ref: 00402E20
SetDlgItemTextA.USER32 ref: 00402E32

Strings

verifying installer: %d%%, xrefs: 00402E0A

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 0d8e9bd33d69446e06833ca67107590e0434e761be11da362e4462339046e7f4
Instruction ID: 5b578c44cce9eb850d5b1a327d08a3d6af9bf3f213875045bca18d45615f3dab
Opcode Fuzzy Hash: 0d8e9bd33d69446e06833ca67107590e0434e761be11da362e4462339046e7f4
Instruction Fuzzy Hash: 6601447064020DFBEF109F60DE09EAE3769AB04304F00803AFA06A51D0DBB899519B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004027DF(int __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				int _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405AD9(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405C48(_t50);
				_t26 = E00405C6D(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x7a2f78; // 0x30c00
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E004032DD(_t45);
						E004032C7(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							E004030D8( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405C28( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405D14( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8(0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004027df
0x004027e1
0x004027ed
0x004027f0
0x004027fa
0x004027fe
0x004027fe
0x00402804
0x00402811
0x00402819
0x0040281c
0x00402822
0x00402830
0x00402835
0x00402839
0x0040283c
0x00402845
0x00402851
0x00402855
0x00402858
0x00402862
0x00402887
0x00402869
0x0040286e
0x00402876
0x0040287c
0x00402881
0x00402881
0x0040288e
0x0040288e
0x0040289b
0x004028a1
0x004028b3
0x004028b3
0x004028b9
0x004028b9
0x004028c4
0x004028c5
0x004028c9
0x004028cd
0x004028d3
0x004028d3
0x004028da
0x004022dd
0x00402a5d
0x00402a69

APIs

GlobalAlloc.KERNEL32(00000040,00030C00,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32 ref: 0040288E
GlobalFree.KERNEL32 ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 5755665d5a07ff276816291a20f7fda962d058b8d5726ef8cf218c2b9027c82a
Instruction ID: 541bef3258e2720658000fa94f276f2b73ea2b938264a1111491e3e624c892cf
Opcode Fuzzy Hash: 5755665d5a07ff276816291a20f7fda962d058b8d5726ef8cf218c2b9027c82a
Instruction Fuzzy Hash: BA21A072800128BBDF217FA5CE48DAE7E79EF05324F20423EF551762D1C67949418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 73541837 Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E73541837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void _t45;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x7354405c = _a8;
				_t77 = 0;
				 *0x73544060 = _a16;
				_v12 = 0;
				_v8 = E7354123B();
				_t90 = E735412FE(_t42);
				_t87 = _t85;
				_t81 = E7354123B();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E7354123B();
					_t77 = E735412FE(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
						if( *((char*)(_t81 + 1)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E73541429(_t85, _t90, _t87,  &_v52);
								E73541266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E73542EF0(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
						if( *((char*)(_t81 + 1)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((char*)(_t81 + 2)) != 0x3e) {
							_t48 = E73542F10(_t59, _t83, _t85);
						} else {
							_t48 = E73542F40(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
						if( *((char*)(_t81 + 1)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E73542D80(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E73542E30(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((char*)(_t81 + 1)) - 0x26;
					if( *((char*)(_t81 + 1)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E73542D40(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x73541837
0x73541841
0x7354184a
0x7354184d
0x73541852
0x7354185b
0x73541864
0x73541866
0x7354186d
0x7354186f
0x73541872
0x73541876
0x73541882
0x7354188b
0x73541890
0x73541893
0x73541899
0x73541899
0x7354189c
0x7354189f
0x735418a2
0x73541968
0x73541968
0x7354196b
0x735419e5
0x735419e9
0x735419f8
0x735419fb
0x73541a03
0x73541a03
0x73541a03
0x73541a05
0x73541a05
0x73541a06
0x73541a06
0x73541a08
0x73541a0a
0x73541a10
0x73541a19
0x73541a2a
0x73541a35
0x73541a35
0x735419fd
0x735419e0
0x735419e0
0x735419e2
0x735419e2
0x00000000
0x735419e2
0x735419ff
0x73541a01
0x00000000
0x00000000
0x00000000
0x73541a01
0x735419ed
0x735419f1
0x00000000
0x735419f1
0x7354196d
0x7354196d
0x7354196e
0x735419d7
0x735419d9
0x00000000
0x00000000
0x735419db
0x735419de
0x00000000
0x00000000
0x00000000
0x735419de
0x73541970
0x73541970
0x73541971
0x735419aa
0x735419ae
0x735419ca
0x735419cd
0x00000000
0x00000000
0x735419cf
0x00000000
0x00000000
0x735419d1
0x735419d3
0x00000000
0x00000000
0x00000000
0x735419d5
0x735419b0
0x735419b4
0x735419b6
0x735419b8
0x735419ba
0x735419c3
0x735419bc
0x735419bc
0x735419bc
0x00000000
0x735419ba
0x73541973
0x73541973
0x73541976
0x735419a3
0x735419a5
0x00000000
0x735419a5
0x73541978
0x73541978
0x7354197b
0x7354198b
0x7354198f
0x7354199c
0x7354199e
0x00000000
0x7354199e
0x73541991
0x73541993
0x00000000
0x00000000
0x73541995
0x73541998
0x00000000
0x00000000
0x00000000
0x7354199a
0x7354197e
0x7354197f
0x73541985
0x73541987
0x73541987
0x00000000
0x7354197f
0x735418a8
0x73541920
0x73541922
0x73541925
0x73541943
0x73541946
0x7354194c
0x73541951
0x73541927
0x73541927
0x7354192b
0x7354192f
0x73541931
0x73541931
0x73541954
0x73541957
0x00000000
0x7354195d
0x7354195d
0x73541960
0x00000000
0x73541960
0x73541957
0x735418aa
0x735418ad
0x73541911
0x73541913
0x73541915
0x00000000
0x00000000
0x00000000
0x7354191b
0x735418af
0x735418b2
0x00000000
0x00000000
0x735418b4
0x735418b5
0x735418eb
0x735418ef
0x73541907
0x73541909
0x00000000
0x73541909
0x735418f1
0x735418f3
0x00000000
0x00000000
0x735418f9
0x735418fc
0x00000000
0x00000000
0x00000000
0x73541902
0x735418b7
0x735418ba
0x735418e1
0x00000000
0x735418bc
0x735418bc
0x735418bd
0x735418d1
0x735418d3
0x735418bf
0x735418c1
0x735418c7
0x735418c9
0x735418c9
0x735418c1
0x00000000
0x735418bd

APIs

GlobalFree.KERNEL32 ref: 73541893
GlobalFree.KERNEL32 ref: 73541A2A
GlobalFree.KERNEL32 ref: 73541A2F

Memory Dump Source

Source File: 00000000.00000002.775640570.0000000073541000.00000020.00000001.01000000.00000005.sdmp, Offset: 73540000, based on PE: true

Associated: 00000000.00000002.775623192.0000000073540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775656382.0000000073543000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775675016.0000000073545000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73540000_6culQoI97a.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: b4acb627143ba0b08e6c4ce3334a952fb1a8f49eb5d6fd36cd2dc1912172b258
Instruction ID: 6c4e27b760572300152a7511353de029dd3e6ed3ace13cd9359678da8d0e16b0
Opcode Fuzzy Hash: b4acb627143ba0b08e6c4ce3334a952fb1a8f49eb5d6fd36cd2dc1912172b258
Instruction Fuzzy Hash: 91513C72D04258AFDB0E9FB6F54076DBFB9AB84245F3C245AD807E3184C631DB418791

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x7a2f60,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E00406032();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d65
0x00401d69
0x00401d7e
0x00401d6b
0x00401d6d
0x00401d73
0x00401d73
0x00401d84
0x00401d87
0x00401d91
0x00401d94
0x00401d9c
0x00401dad
0x00401db0
0x00401dbb
0x00401db2
0x00401db4
0x00401db4
0x00401dbf
0x00401dcc
0x00401df3
0x00401e02
0x00401e10
0x00401e18
0x00401e20
0x00401e20
0x00401e29
0x00401e2f
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDlgItem.USER32 ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32 ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 40392f1eb7072ab94e38a578d4c48b342906e8e096f6e8c8612fbb26fff2dacf
Instruction ID: ebfb82876bdf2138dcddadba10df032a250d68975ffa4ffa2b6a0506bdc7ea5a
Opcode Fuzzy Hash: 40392f1eb7072ab94e38a578d4c48b342906e8e096f6e8c8612fbb26fff2dacf
Instruction Fuzzy Hash: 7F212872A00109AFCB05DFA4DD85AAEBBB5FB48300F24407EF905F62A1CB389941DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00406032();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c2e
0x00401c30
0x00401c37
0x00401c3a
0x00401c3d
0x00401c47
0x00401c4b
0x00401c4e
0x00401c57
0x00401c57
0x00401c5a
0x00401c5e
0x00401c67
0x00401c67
0x00401c6a
0x00401c6e
0x00401c70
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd8
0x00401cdb
0x00401cdb
0x00401ce4
0x00000000
0x00401c72
0x00401c79
0x00401c7b
0x00401c7e
0x00401c84
0x00401c8b
0x00401c8e
0x00401cb6
0x00401cea
0x00401cea
0x00401c90
0x00401c9e
0x00401ca6
0x00401ca9
0x00401ca9
0x00401c8e
0x00401ced
0x00401cf0
0x00401cf6
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: f0dd942a178f56fd373b290941ab0376cb77fac67056b85627442068a5db435e
Instruction ID: 5277f65d77addf964e4e112e3ca2bdcdb488fad455084b9b29b5161e7124752c
Opcode Fuzzy Hash: f0dd942a178f56fd373b290941ab0376cb77fac67056b85627442068a5db435e
Instruction Fuzzy Hash: 4C216071944208BEEB059FB5D98AAAE7FB5EF44304F20847FF502B61D1D6B88540DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004049A1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004049A1(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00406167(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00406167(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00406167(_t41, _t47, 0x79f568, 0x79f568, _a8);
				wsprintfA(_t32 + lstrlenA(0x79f568), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x7a2738, _a4, 0x79f568);
			}

0x004049a7
0x004049ac
0x004049b4
0x004049b5
0x004049c2
0x004049ca
0x004049cb
0x004049cd
0x004049cf
0x004049d1
0x004049d4
0x004049d4
0x004049db
0x004049e1
0x004049e1
0x004049e8
0x004049ef
0x004049f2
0x004049f5
0x004049f5
0x004049f9
0x00404a09
0x00404a0b
0x00404a0e
0x004049b7
0x004049b7
0x004049be
0x004049be
0x00404a16
0x00404a21
0x00404a37
0x00404a47
0x00404a63

APIs

lstrlenA.KERNEL32(0079F568,0079F568,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048BC,000000DF,00000000,00000400,?), ref: 00404A3F
wsprintfA.USER32 ref: 00404A47
SetDlgItemTextA.USER32 ref: 00404A5A

Strings

%u.%u%s%s, xrefs: 00404A29

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: ed987abf90c6e27c05c654f7c34a033b58f0c9b6cb29f4e6cc8d7c7430104512
Instruction ID: 2d600006130e1353e9717e04d579c0b21937dc8f48943746337f7f8a87e4f386
Opcode Fuzzy Hash: ed987abf90c6e27c05c654f7c34a033b58f0c9b6cb29f4e6cc8d7c7430104512
Instruction Fuzzy Hash: 5711B7B760412427DB00667D9C45EAF3298DB85378F250237FA66F71D2E978CC2242A9

Uniqueness

Uniqueness Score: -1.00%

Function 00405B5A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405B5A(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E004060D4(0x7a0970, _a4);
				_t21 = E00405B05(0x7a0970);
				if(_t21 != 0) {
					E004063AF(_t21);
					if(( *0x7a2f7c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x7a0970;
						while(1) {
							_t11 = lstrlenA(0x7a0970);
							_push(0x7a0970);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E00406448();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405AB3(0x7a0970);
								continue;
							} else {
								goto L1;
							}
						}
						E00405A6C();
						return 0 | GetFileAttributesA(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405b66
0x00405b71
0x00405b75
0x00405b7c
0x00405b88
0x00405b94
0x00405b94
0x00405bac
0x00405bad
0x00405bb4
0x00405bb5
0x00000000
0x00000000
0x00405b98
0x00405b9f
0x00405ba7
0x00000000
0x00000000
0x00000000
0x00000000
0x00405b9f
0x00405bb7
0x00000000
0x00405bcb
0x00405b8a
0x00405b8e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405b8e
0x00405b77
0x00000000

APIs

Part of subcall function 004060D4: lstrcpynA.KERNEL32(?,?,00000400,004033F7,Resultatlst,NSIS Error,?,00000007,00000009,0000000B), ref: 004060E1

Part of subcall function 00405B05: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,?,00405B71,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,74D0FA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B18
Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B2C

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nskAE13.tmp,00000000,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,74D0FA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BAD
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,00000000,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,74D0FA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74D0FA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BBD

Strings

C:\Users\user\AppData\Local\Temp\nskAE13.tmp, xrefs: 00405B60, 00405B65, 00405B6B, 00405BA6, 00405BAC, 00405BB4, 00405BBC
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B5A

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nskAE13.tmp
API String ID: 3248276644-2741840777
Opcode ID: 4efc29256ecc737a82cedd05a7c6237be84f99c24c6a7e1b03480747464f6d67
Instruction ID: 7cbc09aec6071699a8b6d0bfe618f446c080df756954f9e0a70e7bdf69c0a73f
Opcode Fuzzy Hash: 4efc29256ecc737a82cedd05a7c6237be84f99c24c6a7e1b03480747464f6d67
Instruction Fuzzy Hash: A6F0C825105D5516C622623A0C05E9F3A64CE8732871A063FF8A1B12D3DF3CB9439D6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405A6C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A6C(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405a6d
0x00405a84
0x00405a8c
0x00405a8c
0x00405a94

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403312,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405A72
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403312,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405A7B
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405A8C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A6C

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 34bed66953ae9f6d257ce18580ddfb03ef3f992d07e6ea95338c5d753b7bd418
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: 47D0A7622456307BD20167154C05ECB19088F063047054036F541B2192C73C4C1187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00405B05 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B05(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E00405A97(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x00405b0e
0x00405b15
0x00405b18
0x00405b1a
0x00405b1e
0x00405b33
0x00405b52
0x00000000
0x00405b3a
0x00405b3c
0x00405b3d
0x00405b40
0x00405b41
0x00405b49
0x00000000
0x00000000
0x00405b4b
0x00405b4e
0x00000000
0x00000000
0x00000000
0x00405b4e
0x00000000
0x00405b3d
0x00405b2b
0x00000000
0x00405b2c

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,?,00405B71,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,C:\Users\user\AppData\Local\Temp\nskAE13.tmp,74D0FA90,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74D0FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
CharNextA.USER32(00000000), ref: 00405B18
CharNextA.USER32(00000000), ref: 00405B2C

Strings

C:\Users\user\AppData\Local\Temp\nskAE13.tmp, xrefs: 00405B06

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nskAE13.tmp
API String ID: 3213498283-3340837358
Opcode ID: 1e979eba324918ca677e02d4c6d61fe282ba8a8b0f982e42ab73b577f73820d9
Instruction ID: 64857a031f8c29d5ad2cb6748f8602f3023039c2fddfbd8d295625c88611b6e1
Opcode Fuzzy Hash: 1e979eba324918ca677e02d4c6d61fe282ba8a8b0f982e42ab73b577f73820d9
Instruction Fuzzy Hash: 90F0C251905F646AFF2266640C54B67ABA8CF56350F18407BD280B72C2C27878448FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402E3D Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E3D(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x79e120; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7a2f70;
						if(_t2 >  *0x7a2f70) {
							_t3 = CreateDialogParamA( *0x7a2f60, 0x6f, 0, E00402DBA, 0);
							 *0x79e120 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406519(0);
					}
				} else {
					_t6 =  *0x79e120; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x79e120 = 0;
					return _t6;
				}
			}

0x00402e44
0x00402e5e
0x00402e64
0x00402e6e
0x00402e74
0x00402e7a
0x00402e8b
0x00402e94
0x00000000
0x00402e99
0x00402ea0
0x00402e66
0x00402e6d
0x00402e6d
0x00402e46
0x00402e46
0x00402e4d
0x00402e50
0x00402e50
0x00402e56
0x00402e5d
0x00402e5d

APIs

DestroyWindow.USER32(00000000,00000000,0040301B,00000001), ref: 00402E50
GetTickCount.KERNEL32 ref: 00402E6E
CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
ShowWindow.USER32(00000000,00000005), ref: 00402E99

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 2c4addb43d5c00204abaef2ddcbdcde683c8282d51b9ea1b9effed1c6012b8ed
Instruction ID: 07a7c2fcb6e55b04e3e3d34d53389a9772e5beadce82dbb6bf9e24f56b5acc78
Opcode Fuzzy Hash: 2c4addb43d5c00204abaef2ddcbdcde683c8282d51b9ea1b9effed1c6012b8ed
Instruction Fuzzy Hash: 91F05E30481624EFC621AB64FE0CA9B7B64BB44B41711893FF085B12F8C77808828BDC

Uniqueness

Uniqueness Score: -1.00%

Function 00403852 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403852() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x79e52c; // 0x964d10
				_t3 = E00403837(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x79e52c =  *0x79e52c & 0x00000000;
				return _t3;
			}

0x00403853
0x0040385b
0x00403862
0x00403865
0x00403865
0x00403867
0x0040386c
0x00403873
0x00403879
0x0040387d
0x0040387e
0x00403886

APIs

FreeLibrary.KERNEL32(?,74D0FA90,00000000,C:\Users\user\AppData\Local\Temp\,0040382A,00403644,?,?,00000007,00000009,0000000B), ref: 0040386C
GlobalFree.KERNEL32 ref: 00403873

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403852

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3916508600
Opcode ID: bdac3d50bedc405d14197a73e0b52ba201dc392026dc5281ea4620f547822cc0
Instruction ID: a47bf4f3c2a96a327e4b4819c0cefa3b0cf6e53b08830cce55d404a8342abc97
Opcode Fuzzy Hash: bdac3d50bedc405d14197a73e0b52ba201dc392026dc5281ea4620f547822cc0
Instruction Fuzzy Hash: 22E01D3350112057C6616F55EE0475977AD5F49B26F06806BF880773514774AC534FDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405AB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AB3(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405ab4
0x00405abe
0x00405ac0
0x00405ac7
0x00405acf
0x00000000
0x00000000
0x00000000
0x00405acf
0x00405ad1
0x00405ad6

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\6culQoI97a.exe,C:\Users\user\Desktop\6culQoI97a.exe,80000000,00000003), ref: 00405AB9
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\6culQoI97a.exe,C:\Users\user\Desktop\6culQoI97a.exe,80000000,00000003), ref: 00405AC7

Strings

C:\Users\user\Desktop, xrefs: 00405AB3

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1669384263
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: b470c799eb173815a0b66f2a5ec0288490d136ddbfbfb3d8272f9cf217b16711
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: C5D0A7635089706FE303A2108C44B9F6A48DF17300F1D4462F081A2191C6784C428BFD

Uniqueness

Uniqueness Score: -1.00%

Function 735410E0 Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E735410E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x7354405c = _a8;
				 *0x73544060 = _a16;
				 *0x73544064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73544038, E73541556, _t52);
				_t43 =  *0x7354405c +  *0x7354405c * 4 << 2;
				_t17 = E7354123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E73541266(E735412AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E735412D1( *_t55 - 0x30, E7354123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x73544030;
								 *0x73544030 = _t31;
								E73541508(_t31 + 4,  *0x73544064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x73544030;
							if( *0x73544030 != 0) {
								E73541508( *0x73544064, _t34 + 4, _t43);
								_t37 =  *0x73544030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x73544030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x735410e7
0x735410ef
0x73541103
0x7354110b
0x73541116
0x73541119
0x73541121
0x73541124
0x73541126
0x735411c4
0x735411d0
0x7354112c
0x7354112d
0x7354112d
0x73541130
0x73541131
0x73541134
0x73541203
0x73541206
0x7354119e
0x735411a4
0x735411ac
0x735411b1
0x735411b4
0x00000000
0x735411b4
0x73541209
0x7354120a
0x73541186
0x7354118c
0x73541194
0x00000000
0x73541194
0x73541152
0x73541153
0x7354115b
0x73541168
0x73541170
0x73541179
0x7354117e
0x7354117e
0x00000000
0x73541153
0x7354113a
0x735411d1
0x735411d1
0x735411d8
0x735411e5
0x735411ea
0x735411ef
0x735411f5
0x735411fb
0x735411fb
0x00000000
0x735411d8
0x73541140
0x73541143
0x00000000
0x00000000
0x73541149
0x7354114c
0x7354119b
0x00000000
0x7354119b
0x7354114f
0x73541150
0x73541183
0x00000000
0x73541183
0x00000000
0x735411ba
0x735411ba
0x00000000
0x735411c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7354115B
GlobalFree.KERNEL32 ref: 735411B4
GlobalFree.KERNEL32 ref: 735411C7
GlobalFree.KERNEL32 ref: 735411F5

Memory Dump Source

Source File: 00000000.00000002.775640570.0000000073541000.00000020.00000001.01000000.00000005.sdmp, Offset: 73540000, based on PE: true

Associated: 00000000.00000002.775623192.0000000073540000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775656382.0000000073543000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.775675016.0000000073545000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73540000_6culQoI97a.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ed5670f70205725c6300bc8a819ae8fdc4c16feac8f69468403e5b758e072ca
Instruction ID: 31349e0ab69c7bf2129c03307d3ae7dbddde5fe79b2ed49006f3dc8650cc85a6
Opcode Fuzzy Hash: 6ed5670f70205725c6300bc8a819ae8fdc4c16feac8f69468403e5b758e072ca
Instruction Fuzzy Hash: 863192B25042949FE70DEF66F948F657FF8EB45280B382516E84ECB254D7349A12CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00405BD2 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BD2(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405be2
0x00405be4
0x00405be7
0x00405c13
0x00405bec
0x00405bf5
0x00405bfa
0x00405c05
0x00405c08
0x00405c24
0x00405c0a
0x00405c11
0x00000000
0x00405c11
0x00405c1d
0x00405c21
0x00405c21
0x00405c1b
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BFA
CharNextA.USER32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C0B
lstrlenA.KERNEL32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C14

Memory Dump Source

Source File: 00000000.00000002.773433801.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.773416624.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773455110.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773469871.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.773986017.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774044065.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774054402.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774061186.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774350022.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774390139.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774440818.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774458694.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.774505685.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_6culQoI97a.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: c18a7a17a862b3ccaab34bb7c38a9d703f10cc619688c1102a12456a902c3210
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: 65F0F631208914FFDB12DFA4DD40D9EBBB8EF56354B2540B9E840FB210D674EE019BA8

Uniqueness

Uniqueness Score: -1.00%