Windows Analysis Report
invoice.exe

Overview

General Information

Sample Name: invoice.exe
Analysis ID: 828743
MD5: f111934675c34cca18d9d76fc34a2e40
SHA1: 6c54e0fbae03df56fee84195f3deb4d2ebd8d8c1
SHA256: c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2
Tags: exe, signed
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Initial sample is a PE file and has a suspicious name
Found potential ransomware demand text
Uses 32bit PE files
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops certificate files (DER)
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • invoice.exe (PID: 2144 cmdline: C:\Users\user\Desktop\invoice.exe MD5: F111934675C34CCA18D9D76FC34A2E40)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: invoice.exeReversingLabs: Detection: 35%
Source: invoice.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: invoice.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: f:\apps8.0.0.270\sw\src\coexagent\mini-agent\release\Ath_CoexAgent.pdb source: Ath_CoexAgent.exe.0.dr
Source: Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr
Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_00406268 FindFirstFileA,FindClose,0_2_00406268
Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040572D
Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_004026F8 FindFirstFileA,0_2_004026F8
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\invoice.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: invoice.exeString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: invoice.exeString found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: invoice.exeString found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: NMDllHost.exe.0.dr, Mss32.dll.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: invoice.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: invoice.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.drString found in binary or memory: http://ocsp.digicert.com0N
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.drString found in binary or memory: http://ocsp.digicert.com0O
Source: NMDllHost.exe.0.dr, Mss32.dll.0.drString found in binary or memory: http://ocsp.thawte.com0
Source: invoice.exeString found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: invoice.exeString found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: invoice.exeString found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: NMDllHost.exe.0.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: NMDllHost.exe.0.drString found in binary or memory: http://s2.symcb.com0
Source: SourceCodePro-ExtraLight.otf.0.drString found in binary or memory: http://scripts.sil.org/OFLSource
Source: invoice.exeString found in binary or memory: http://subca.ocsp-certum.com01
Source: invoice.exeString found in binary or memory: http://subca.ocsp-certum.com02
Source: invoice.exeString found in binary or memory: http://subca.ocsp-certum.com05
Source: NMDllHost.exe.0.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: NMDllHost.exe.0.drString found in binary or memory: http://sv.symcb.com/sv.crt0
Source: NMDllHost.exe.0.drString found in binary or memory: http://sv.symcd.com0&
Source: NMDllHost.exe.0.dr, Mss32.dll.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NMDllHost.exe.0.dr, Mss32.dll.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NMDllHost.exe.0.dr, Mss32.dll.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.drString found in binary or memory: http://www.avast.com0/
Source: invoice.exeString found in binary or memory: http://www.certum.pl/CPS0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: NMDllHost.exe.0.drString found in binary or memory: http://www.nero.com
Source: NMDllHost.exe.0.drString found in binary or memory: http://www.symauth.com/cps0(
Source: NMDllHost.exe.0.drString found in binary or memory: http://www.symauth.com/rpa00
Source: NMDllHost.exe.0.drString found in binary or memory: https://d.symcb.com/cps0%
Source: NMDllHost.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0
Source: invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Mss32.dll.0.dr, lang-1059.dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_004051CA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004051CA
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship\vmusbmouse.cat

Spam, unwanted Advertisements and Ransom Demands

Source: NMDllHost.exe.0.drString found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ
Source: NMDllHost.exe.0.drString found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ6
Source: Mss32.dll.0.drString found in binary or memory: _AIL_unlock@0

System Summary

Source: initial sampleStatic PE information: Filename: invoice.exe
Source: lang-1059.dll.0.drStatic PE information: No import functions for PE file found
Source: invoice.exe, 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamepaaklders Nonblameful.exe` vs invoice.exe
Source: invoice.exeBinary or memory string: OriginalFilenamepaaklders Nonblameful.exe` vs invoice.exe
Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004031F1
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00406742 0_2_00406742
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00404A09 0_2_00404A09
Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00406F19 0_2_00406F19
Source: invoice.exeStatic PE information: invalid certificate
Source: C:\Users\user\Desktop\invoice.exeProcess Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\invoice.exe File read: C:\Users\user\Desktop\invoice.exe
Source: invoice.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\invoice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Temp\nsfE50D.tmp
Source: classification engineClassification label: mal56.rans.winEXE@1/12@0/0
Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar,0_2_004020CB
Source: C:\Users\user\Desktop\invoice.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_00404496 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404496
Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_10002D20 push eax; ret 0_2_10002D4E
Source: Mss32.dll.0.drStatic PE information: section name: MSSMIXER
Source: NMDllHost.exe.0.drStatic PE information: section name: .shared
Source: C:\Users\user\Desktop\invoice.exeCode function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_10001A5D
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\AdvSplash.dll
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe
Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll
Source: C:\Users\user\Desktop\invoice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll
Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe
Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe
Source: C:\Users\user\Desktop\invoice.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll
Source: C:\Users\user\Desktop\invoice.exeAPI call chain: ExitProcess graph end nodegraph_0-4240
Source: C:\Users\user\Desktop\invoice.exeAPI call chain: ExitProcess graph end nodegraph_0-4063
Source: vmusbmouse.cat.0.drBinary or memory string: VMware, Inc.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Native API | Path Interception | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 3 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Source | Detection | Scanner | Label
invoice.exe | 36% | ReversingLabs | Win32.Trojan.Tnega

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Ath_CoexAgent.exe | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\Mss32.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Inkshed\NMDllHost.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\AdvSplash.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll | 0% | ReversingLabs |

Source | Detection | Scanner | Label
0.2.invoice.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
0.0.invoice.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491

No Antivirus matches

Source | Detection | Scanner | Label
http://subca.ocsp-certum.com05 | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://subca.ocsp-certum.com02 | 0% | URL Reputation | safe
http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe
http://www.avast.com0/ | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.certum.pl/ctsca2021.crl0o | invoice.exe | false | | high
http://nsis.sf.net/NSIS_Error | invoice.exe | false | | high
http://repository.certum.pl/ctnca.cer09 | invoice.exe | false | | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | NMDllHost.exe.0.dr, Mss32.dll.0.dr | false | | high
http://repository.certum.pl/ctsca2021.cer0 | invoice.exe | false | | high
http://crl.certum.pl/ctnca.crl0k | invoice.exe | false | | high
http://subca.ocsp-certum.com05 | invoice.exe | false | URL Reputation: safe | unknown
http://www.symauth.com/rpa00 | NMDllHost.exe.0.dr | false | | high
http://ocsp.thawte.com0 | NMDllHost.exe.0.dr, Mss32.dll.0.dr | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com02 | invoice.exe | false | URL Reputation: safe | unknown
http://www.nero.com | NMDllHost.exe.0.dr | false | | high
http://subca.ocsp-certum.com01 | invoice.exe | false | URL Reputation: safe | unknown
http://crl.certum.pl/ctnca2.crl0l | invoice.exe | false | | high
http://repository.certum.pl/ctnca2.cer09 | invoice.exe | false | | high
http://www.avast.com0/ | invoice.exe, 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1059.dll.0.dr | false | URL Reputation: safe | unknown
http://scripts.sil.org/OFLSource | SourceCodePro-ExtraLight.otf.0.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | invoice.exe | false | | high
http://www.symauth.com/cps0( | NMDllHost.exe.0.dr | false | | high
http://www.certum.pl/CPS0 | invoice.exe | false | | high
No contacted IP infos

Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 828743
Start date and time: 2023-03-17 14:20:40 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: invoice.exe
Detection: MAL
Classification: mal56.rans.winEXE@1/12@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 85.7% (good quality ratio 84.2%)
  • Quality average: 87.3%
  • Quality standard deviation: 21.3%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 44
  • Number of non-executed functions: 30
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for sample files taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: invoice.exe

No simulations
No context

Match: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Antimodernly\trever\Hovedinteressers\lang-1059.dll
Associated Sample Name / URL | Detection | Threat Name
Justificante de pago.exe | malicious | GuLoader
Justificante de pago.exe | malicious | GuLoader
Ticari Hesap #U00d6zetiniz.exe | malicious | AgentTesla, GuLoader
Ticari Hesap #U00d6zetiniz.exe | malicious | GuLoader
Justificante de pago.exe | malicious | GuLoader
Justificante de Transferencia.exe | malicious | AgentTesla, GuLoader
BBVA-Confirming Facturas Pagadas al Vencimiento.exe | malicious | AgentTesla, GuLoader
Justificante de pago.exe | malicious | GuLoader
Justificante de Transferencia.exe | malicious | GuLoader
BBVA-Confirming Facturas Pagadas al Vencimiento.exe | malicious | Unknown

Process: C:\Users\user\Desktop\invoice.exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1245
Entropy (8bit): 5.462849750105637
Encrypted: false
SSDEEP: 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
MD5: 5343C1A8B203C162A3BF3870D9F50FD4
SHA1: 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
SHA-256: DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
SHA-512: E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
Malicious: false
Reputation: moderate, very likely benign file

Process: C:\Users\user\Desktop\invoice.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 160264
Entropy (8bit): 4.358279117234243
Encrypted: false
SSDEEP: 768:EVS3TP/nITMkSXnOLeecEKVdPGeGlo1ciX9NtfoxOpGHXGHmeVDj3bRQ9pY/ycVa:EVsPQBRodPDW4zMctML/
MD5: B47C741673A92A16B48140FCBDA04030
SHA1: AA7A003DA656320A274F276EE4BF8C27203D1B4C
SHA-256: E6E775E7A5AC1BFA01B5A5CB9A7532171817408E67E346E33CA3CB091BDEA478
SHA-512: 464BFC63FD715E07C02ED78F9603A1C890F3848C0D46BB7B58D352B3FF1E76612E8D772903C9954159586735567DD493A023BCFADA5E15407725F7267567DC60
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
  • Filename: Justificante de pago.exe, Detection: malicious
  • Filename: Justificante de pago.exe, Detection: malicious
  • Filename: Ticari Hesap #U00d6zetiniz.exe, Detection: malicious
  • Filename: Ticari Hesap #U00d6zetiniz.exe, Detection: malicious
  • Filename: Justificante de pago.exe, Detection: malicious
  • Filename: Justificante de Transferencia.exe, Detection: malicious
  • Filename: BBVA-Confirming Facturas Pagadas al Vencimiento.exe, Detection: malicious
  • Filename: Justificante de pago.exe, Detection: malicious
  • Filename: Justificante de Transferencia.exe, Detection: malicious
  • Filename: BBVA-Confirming Facturas Pagadas al Vencimiento.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):323584
                                                  Entropy (8bit):6.212800759462987
                                                  Encrypted:false
                                                  SSDEEP:3072:KW+Rs18sEZQEwgD+odVKFKLuFv1kJV0YVJL/vFU/lmJ03Hk7OJ3/b7FG66sN4IqF:j7SdPKZ1kJLLH+lmJgHeOVb7o663L
                                                  MD5:86B8B1F5C1189D68B07666784BE882FE
                                                  SHA1:B023E9442CFC9C9652E1C8990F06DEF08BDC5B01
                                                  SHA-256:0DD8C627F3DDBDB61B1910540C465C0D62C9F8D84C7CBB6C80782DB02D535AF0
                                                  SHA-512:E471BEBDD441756CD840420C862CD84EF18A03144DDCAA20D783399D0736BD012D3984E38BDDB9DF16837B205D0A6ECA4C6FEE1D41553B5002A4B1E1B753E139
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 2%
                                                  Reputation:low
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):10376
                                                  Entropy (8bit):7.080841609849737
                                                  Encrypted:false
                                                  SSDEEP:192:pL/2EJC+EhGRmwBYyKaWFWQFV5NB0884LfqnajnWc:11PCFRVJlLWc
                                                  MD5:DBE99D951395F37E5C3F4164D8A22245
                                                  SHA1:238EF179549F6AEB2E3C6F4188365814A965312B
                                                  SHA-256:671CB26C75AC0256B07835AE00E7018AF6126FAE7400BF21E57707E0CC9164B5
                                                  SHA-512:3A931015C1038965028AD70E439F75BA210B1113BBCD8A7C5063DA376DBB577F250BE6141B93F1CB100084A930DAD4B2205864F19F3A5E3911CD6CC0B6D0D0D8
                                                  Malicious:false
                                                  Reputation:low
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):353768
                                                  Entropy (8bit):6.836018886719178
                                                  Encrypted:false
                                                  SSDEEP:6144:EpcTapyHuUcl0PUpFawtMR6gP4aHrmtcWR3uA9:MIaQ+l0PoRtW6aHrmtcWRt9
                                                  MD5:B75A8E0DDEEB4330C1DBA37105244B0F
                                                  SHA1:E5302CA8517AC2826B5D56E3395D41C34B5B3DF7
                                                  SHA-256:CC142B9D8B5223E2720C6440CB7A124C0A80D2FB04ECF59AD7331DFD6E3CB51F
                                                  SHA-512:120F91A144B5B6CC9E33B232AE4466AF2E6C5F702F4C04E9A03DD4F239DE752770E4DE2C6BE2CAF3BEE9775C8887EAB9E08A896D7F2EBA1AD8CF928555CC99A3
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):116720
                                                  Entropy (8bit):5.889271571414613
                                                  Encrypted:false
                                                  SSDEEP:3072:g3nqpX2I6OhctR+lCTD01Lcy4J93TnCx86:L2W1oy4J93TCT
                                                  MD5:DBF787BD6E5CE77FB34FF281A144EB96
                                                  SHA1:50B7799ECCA566BE35429828245D44CB04AD8885
                                                  SHA-256:CCBACEEA04837229C95C08274C747ABE069279AFB990DDD89EC743C42ADC0AD9
                                                  SHA-512:07949EC3882D9CB6E2341CE60C6E911F24463B01F484C037E65A2A8F3495543A096B632E01F8480D03FF388D1E811ECF760155F97F1D5329785C506603BB18A7
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:ASCII text, with very long lines (52812), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):52812
                                                  Entropy (8bit):2.691443133069214
                                                  Encrypted:false
                                                  SSDEEP:768:w3MHvSSEEEE422O9Py2Ve76uBu+O3+xpnY/A8o9kxErpEEEbYRx+KmGSBAM07byk:bvS53XH/Y/A8opMr07bnr
                                                  MD5:4C6FAD70762561B0D38AA152C52796A8
                                                  SHA1:9FAFD1E9CF41E5482AC7960F7F0C20AB5B703D30
                                                  SHA-256:C7CC1E08C3B0850EF02E7F4371D71918B55686581FDE5D124149884EE56C8F4F
                                                  SHA-512:721DC72FF2153615343BCEC4B408337E8BD5012C234237F2005C43C48D1179DEDC1606014DE6659F5A22BC9116C2348C1AD5B05BF128D60572EEAE9346E06EE0
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:OpenType font data
                                                  Category:dropped
                                                  Size (bytes):127080
                                                  Entropy (8bit):7.036042013030407
                                                  Encrypted:false
                                                  SSDEEP:3072:Tz0LOC7z/0cS/Uz0+Gp+dtsVaHGg0IADoQg4RAxL2+p:s7z/0jUz0+GsdBHGg9cg4mvp
                                                  MD5:9ECC8DF598E9EDDE1072942D344CC0CF
                                                  SHA1:9FF240AB48EB7E97237E25D8C6F8CD738BA97CAA
                                                  SHA-256:D945E1C81A59A434E36EEDEF21E64B61CC6901A9E43936AF79C20BDBF57592B1
                                                  SHA-512:09978B7AF39B541C13F5E628BAF789E9FD1635258C74379351612451022D53B38B9F78DA7A74C19BA0FFB7B0C93B63C69EFCFC36285EFBCAF3678ADE7D423AD0
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):9204
                                                  Entropy (8bit):5.371514089173945
                                                  Encrypted:false
                                                  SSDEEP:192:iRJ98lWxEb5BvGIrd+mc1OTno+SXhbSIm1JjSvcQpK/w:ijK0GeIrQmEOTno+SXox1JjmpKo
                                                  MD5:641B90F9AEDFC68486D0D20B40F7ECA6
                                                  SHA1:0A683DD844534905336784FADD80498AFE26F6FA
                                                  SHA-256:87A4B9369FD51D76C9032C0E65C3C6221659E086798829072785BE589E55B839
                                                  SHA-512:567CB9F6C31D196A171E5A9C2726A39A9B3D351AC92D4ACF8624213A68C9033ACC31AFAAAD82AA9F5359F32D3A0CA40522E151B8370D553A41ABEB6A6E097078
                                                  Malicious:false
                                                  Preview:.;!@Lang2@!UTF-8!..; 4.30 : Milan Hrub...; 4.33 : Michal Molhanec..; 9.07 : Ji.. Mal.k..; 15.00 : Kry.tof .ern...;..;..;..;..;..;..;..0..7-Zip..Czech...e.tina..401..OK..Storno........&Ano..&Ne..Zav..&t..N.pov.da....Po&kra.ovat..440..Ano na &v.echno..N&e na v.echno..Zastavit..Spustit znovu..&Pozad...P&op.ed...Po&zastavit..Pozastaveno..Jste si jist., .e to chcete stornovat?..500..&Soubor...pr&avy..&Zobrazen...&Obl.ben...&N.stroje..N.po&v.da..540..&Otev..t..Otev..t u&vnit...Otev..t &mimo..&Zobrazit..&Upravit..&P.ejmenovat..Kop.rovat &do.....P.&esunout do.....Vymaza&t..&Rozd.lit soubor.....&Slou.it soubory.....Vlast&nosti..Pozn.mk&a..Vypo..tat kontroln. sou.et..Porovnat soubory..Vytvo.it slo.ku..Vytvo.it soubor..&Konec..Odk.zat..&Alternate Streams..600..Vybrat &v.e..Zru.it v.b.r v.e..&Invertovat v.b.r..Vybrat.....Zru.it v.b.r.....Vybrat podle typu..Zru.it v.b.r podle typu..700..&Velk. ikony..&Mal. ikony..&Seznam..&Podrobn
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):218305
                                                  Entropy (8bit):7.337101777894853
                                                  Encrypted:false
                                                  SSDEEP:3072:PdqWTzg/gzZ9xRpRmib28JUBTE+vAsGolsJAsJ7Z/aKespGgyfZrl:HOaZ1nv9J2I+veZiKe2i
                                                  MD5:DF0C864AD6FE636F3AD391B04A408AC7
                                                  SHA1:B0072D5406BA66EDD9F6A1A443D56378BDA688C5
                                                  SHA-256:A802EB02B9345615A947C6B8B57441D7DEBD4300FFEAFC16623CE18F68CABBF2
                                                  SHA-512:2AA97CC2724CA1309B3594F552BAF227CCB7B6F73B29E612A9779D987E9FBE0E41F7CE765083AE16CD3CEC84B826A401279D69200D1AE3A0722B4E3CC731079C
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):5632
                                                  Entropy (8bit):4.76010720109437
                                                  Encrypted:false
                                                  SSDEEP:96:HqNXqwK188CgAtXvZBkjDf0yf9ysrtWp2wol:HAqrg1XvZB6kYtWp2
                                                  MD5:88C3BA1802AEF228541820767453E058
                                                  SHA1:4F3AEFB9E4EC27CB49973CB19BD968E54A2BA676
                                                  SHA-256:2722555EC1F72523774B64D25FD4C2B460000BFE82140876D6100DC4FB1F62B1
                                                  SHA-512:718790339E13B53553AFDE6968AE10CDA7B47CBDBFC82599116C8B5B1E8FBBA259F0CE6781908BE027360132A0ABE057DF2FFA7072212ACDA96BFF535E241582
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Users\user\Desktop\invoice.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11264
                                                  Entropy (8bit):5.767999234165119
                                                  Encrypted:false
                                                  SSDEEP:192:cPtkumJX7zBE2kGwfy9S9VkPsFQ1MZ1c:N7O2k5q9wA1MZa
                                                  MD5:C9473CB90D79A374B2BA6040CA16E45C
                                                  SHA1:AB95B54F12796DCE57210D65F05124A6ED81234A
                                                  SHA-256:B80A5CBA69D1853ED5979B0CA0352437BF368A5CFB86CB4528EDADD410E11352
                                                  SHA-512:EAFE7D5894622BC21F663BCA4DD594392EE0F5B29270B6B56B0187093D6A3A103545464FF6398AD32D2CF15DAB79B1F133218BA9BA337DDC01330B5ADA804D7B
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Entropy (8bit):7.953363965326294
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:invoice.exe
                                                  File size:861416
                                                  MD5:f111934675c34cca18d9d76fc34a2e40
                                                  SHA1:6c54e0fbae03df56fee84195f3deb4d2ebd8d8c1
                                                  SHA256:c627b8bb6c4ea0cf03aa2d209d0ecc53ff9784283328dabd44c1675aef0939c2
                                                  SHA512:48b825550b320ebfcccc4260e359ffedad7675913ee7e7a62bd62a3839fd20c8f7cafb9a6e6bb8d7d8a2164674019b696c8851362c0a6b69f4dde8b1da3dc84c
                                                  SSDEEP:12288:cJAEzBf4FZZmubGJ6vVZgj9Zp4RVkdXALai8ZpP7MxhGmeLJfRriFm4gCb5vr:cJBf4guba6voj9mOdXALN8bP7MxhVP5
                                                  TLSH:090523919D24D01ACFCB1A32C6E0AAF51FA93D1DF546350FAB103DDE7AB3016992E1D8
                                                  Icon Hash:185d7c3f1d094720
                                                  Entrypoint:0x4031f1
                                                  Entrypoint Section:.text
                                                  Digitally signed:true
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x59759532 [Mon Jul 24 06:35:30 2017 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:3abe302b6d9a1256e6a915429af4ffd2
                                                  Signature Valid:false
                                                  Signature Issuer:E=Levnendes@Printstnings.Gum, OU="Berlinsk Absorptively Uncatholicise ", O=Toffy, L=Parbrook, S=England, C=GB
                                                  Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                  Error Number:-2146762487
                                                  Not Before, Not After
                                                  • 5/4/2022 1:03:57 AM 5/3/2025 1:03:57 AM
                                                  Subject Chain
                                                  • E=Levnendes@Printstnings.Gum, OU="Berlinsk Absorptively Uncatholicise ", O=Toffy, L=Parbrook, S=England, C=GB
                                                  Version:3
                                                  Thumbprint MD5:56C9BA7DFEC92471D18B65DEBADFD264
                                                  Thumbprint SHA-1:791103B8F445F30749CC09454489D8932043151F
                                                  Thumbprint SHA-256:12660D9C667AA56EF5F4D3C7A46C00BBF32786E1EDB7C6D1BB2EFDC10DDE5337
                                                  Serial:292387F23D7D31A4C4A61C828EB508755809B6A4
                                                  Instruction
                                                  sub esp, 00000184h
                                                  push ebx
                                                  push esi
                                                  push edi
                                                  xor ebx, ebx
                                                  push 00008001h
                                                  mov dword ptr [esp+18h], ebx
                                                  mov dword ptr [esp+10h], 0040A198h
                                                  mov dword ptr [esp+20h], ebx
                                                  mov byte ptr [esp+14h], 00000020h
                                                  call dword ptr [004080A0h]
                                                  call dword ptr [0040809Ch]
                                                  and eax, BFFFFFFFh
                                                  cmp ax, 00000006h
                                                  mov dword ptr [0042F40Ch], eax
                                                  je 00007F8F7CA0DE63h
                                                  push ebx
                                                  call 00007F8F7CA10F1Ah
                                                  cmp eax, ebx
                                                  je 00007F8F7CA0DE59h
                                                  push 00000C00h
                                                  call eax
                                                  mov esi, 00408298h
                                                  push esi
                                                  call 00007F8F7CA10E96h
                                                  push esi
                                                  call dword ptr [00408098h]
                                                  lea esi, dword ptr [esi+eax+01h]
                                                  cmp byte ptr [esi], bl
                                                  jne 00007F8F7CA0DE3Dh
                                                  push 0000000Ah
                                                  call 00007F8F7CA10EEEh
                                                  push 00000008h
                                                  call 00007F8F7CA10EE7h
                                                  push 00000006h
                                                  mov dword ptr [0042F404h], eax
                                                  call 00007F8F7CA10EDBh
                                                  cmp eax, ebx
                                                  je 00007F8F7CA0DE61h
                                                  push 0000001Eh
                                                  call eax
                                                  test eax, eax
                                                  je 00007F8F7CA0DE59h
                                                  or byte ptr [0042F40Fh], 00000040h
                                                  push ebp
                                                  call dword ptr [00408044h]
                                                  push ebx
                                                  call dword ptr [00408288h]
                                                  mov dword ptr [0042F4D8h], eax
                                                  push ebx
                                                  lea eax, dword ptr [esp+38h]
                                                  push 00000160h
                                                  push eax
                                                  push ebx
                                                  push 00429830h
                                                  call dword ptr [00408178h]
                                                  push 0040A188h
                                                  Programming Language:
                                                  • [EXP] VC++ 6.0 SP5 build 8804

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8534 | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x41000 | 0x219c8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd02c0 | 0x2228 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |


| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6254 | 0x6400 | False | 0.6676171875 | data | 6.4338643172916266 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1354 | 0x1400 | False | 0.4599609375 | data | 5.236269898436511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x25518 | 0x600 | False | 0.4557291666666667 | data | 4.044625496015545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x30000 | 0x11000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x41000 | 0x219c8 | 0x21a00 | False | 0.8901312732342007 | data | 7.609648735329348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |


| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0x41418 | 0x1224f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_ICON | 0x53668 | 0x6259 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States |
| RT_ICON | 0x598c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States |
| RT_ICON | 0x5be70 | 0x2466 | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States |
| RT_ICON | 0x5e2d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States |
| RT_ICON | 0x5f380 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States |
| RT_ICON | 0x60228 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States |
| RT_ICON | 0x60ad0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States |
| RT_ICON | 0x61138 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States |
| RT_ICON | 0x616a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States |
| RT_ICON | 0x61b08 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States |
| RT_ICON | 0x61df0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States |
| RT_DIALOG | 0x61f18 | 0x120 | data | English | United States |
| RT_DIALOG | 0x62038 | 0x11c | data | English | United States |
| RT_DIALOG | 0x62158 | 0xc4 | data | English | United States |
| RT_DIALOG | 0x62220 | 0x60 | data | English | United States |
| RT_GROUP_ICON | 0x62280 | 0xae | data | English | United States |
| RT_VERSION | 0x62330 | 0x354 | data | English | United States |
| RT_MANIFEST | 0x62688 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |


| DLL | Import |
|---|---|
| KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
| USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |


| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

                                                  Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.


Target ID: 0
Start time: 14:21:38
Start date: 17/03/2023
Path: C:\Users\user\Desktop\invoice.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\invoice.exe
Imagebase: 0x400000
File size: 861416 bytes
MD5 hash: F111934675C34CCA18D9D76FC34A2E40
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low


                                                    Execution Graph

Execution Coverage: 23.2%
Dynamic/Decrypted Code Coverage: 13.6%
Signature Coverage: 19.9%
Total number of Nodes: 1470
Total number of Limit Nodes: 45
4319->4319 4321 4059eb 18 API calls 4320->4321 4322 40574d 4321->4322 4323 405755 DeleteFileA 4322->4323 4324 40576c 4322->4324 4325 403512 OleUninitialize 4323->4325 4326 4058a4 4324->4326 4360 405f65 lstrcpynA 4324->4360 4325->4060 4325->4061 4326->4325 4331 406268 2 API calls 4326->4331 4328 405792 4329 4057a5 4328->4329 4330 405798 lstrcatA 4328->4330 4333 405944 2 API calls 4329->4333 4332 4057ab 4330->4332 4334 4058be 4331->4334 4335 4057b9 lstrcatA 4332->4335 4336 4057c4 lstrlenA FindFirstFileA 4332->4336 4333->4332 4334->4325 4337 4058c2 4334->4337 4335->4336 4338 40589a 4336->4338 4358 4057e8 4336->4358 4339 4058fd 3 API calls 4337->4339 4338->4326 4341 4058c8 4339->4341 4340 405928 CharNextA 4340->4358 4342 4056e5 5 API calls 4341->4342 4343 4058d4 4342->4343 4344 4058d8 4343->4344 4345 4058ee 4343->4345 4344->4325 4350 40508c 24 API calls 4344->4350 4346 40508c 24 API calls 4345->4346 4346->4325 4347 405879 FindNextFileA 4349 405891 FindClose 4347->4349 4347->4358 4349->4338 4351 4058e5 4350->4351 4352 405d44 36 API calls 4351->4352 4354 4058ec 4352->4354 4354->4325 4355 40572d 60 API calls 4355->4358 4356 40508c 24 API calls 4356->4347 4357 40508c 24 API calls 4357->4358 4358->4340 4358->4347 4358->4355 4358->4356 4358->4357 4359 405d44 36 API calls 4358->4359 4361 405f65 lstrcpynA 4358->4361 4362 4056e5 4358->4362 4359->4358 4360->4328 4361->4358 4370 405ad9 GetFileAttributesA 4362->4370 4365 405700 RemoveDirectoryA 4367 40570e 4365->4367 4366 405708 DeleteFileA 4366->4367 4368 405712 4367->4368 4369 40571e SetFileAttributesA 4367->4369 4368->4358 4369->4368 4371 4056f1 4370->4371 4372 405aeb SetFileAttributesA 4370->4372 4371->4365 4371->4366 4371->4368 4372->4371 4374 405c20 GetShortPathNameA 4373->4374 4375 405bfa 4373->4375 4377 405c35 4374->4377 4378 405d3f 4374->4378 4400 405afe GetFileAttributesA CreateFileA 4375->4400 4377->4378 4380 405c3d wsprintfA 4377->4380 4378->4256 4379 405c04 CloseHandle GetShortPathNameA 4379->4378 4381 405c18 
4379->4381 4382 405f87 17 API calls 4380->4382 4381->4374 4381->4378 4383 405c65 4382->4383 4401 405afe GetFileAttributesA CreateFileA 4383->4401 4385 405c72 4385->4378 4386 405c81 GetFileSize GlobalAlloc 4385->4386 4387 405ca3 4386->4387 4388 405d38 CloseHandle 4386->4388 4389 405b76 ReadFile 4387->4389 4388->4378 4390 405cab 4389->4390 4390->4388 4402 405a63 lstrlenA 4390->4402 4393 405cc2 lstrcpyA 4395 405ce4 4393->4395 4394 405cd6 4396 405a63 4 API calls 4394->4396 4397 405d1b SetFilePointer 4395->4397 4396->4395 4398 405ba5 WriteFile 4397->4398 4399 405d31 GlobalFree 4398->4399 4399->4388 4400->4379 4401->4385 4403 405aa4 lstrlenA 4402->4403 4404 405aac 4403->4404 4405 405a7d lstrcmpiA 4403->4405 4404->4393 4404->4394 4405->4404 4406 405a9b CharNextA 4405->4406 4406->4403 4929 406372 WaitForSingleObject 4930 40638c 4929->4930 4931 40639e GetExitCodeProcess 4930->4931 4932 406339 2 API calls 4930->4932 4933 406393 WaitForSingleObject 4932->4933 4933->4930 4934 403773 4935 40377e 4934->4935 4936 403782 4935->4936 4937 403785 GlobalAlloc 4935->4937 4937->4936 4938 100015b3 4939 100014bb GlobalFree 4938->4939 4941 100015cb 4939->4941 4940 10001611 GlobalFree 4941->4940 4942 100015e6 4941->4942 4943 100015fd VirtualFree 4941->4943 4942->4940 4943->4940 4944 4014f4 SetForegroundWindow 4945 402951 4944->4945 4946 401cf5 4947 402a9f 17 API calls 4946->4947 4948 401cfc 4947->4948 4949 402a9f 17 API calls 4948->4949 4950 401d08 GetDlgItem 4949->4950 4951 402577 4950->4951 4952 4022f6 4953 402304 4952->4953 4954 4022fe 4952->4954 4956 402314 4953->4956 4957 402ac1 17 API calls 4953->4957 4955 402ac1 17 API calls 4954->4955 4955->4953 4959 402ac1 17 API calls 4956->4959 4960 402322 4956->4960 4957->4956 4958 402ac1 17 API calls 4961 40232b WritePrivateProfileStringA 4958->4961 4959->4960 4960->4958 4962 4026f8 4963 402ac1 17 API calls 4962->4963 4964 4026ff FindFirstFileA 4963->4964 4965 402722 4964->4965 4966 402712 4964->4966 4967 402729 4965->4967 4970 405ec3 wsprintfA 
4965->4970 4971 405f65 lstrcpynA 4967->4971 4970->4967 4971->4966 4972 40237b 4973 402382 4972->4973 4974 4023ad 4972->4974 4975 402b01 17 API calls 4973->4975 4976 402ac1 17 API calls 4974->4976 4977 402389 4975->4977 4978 4023b4 4976->4978 4980 402ac1 17 API calls 4977->4980 4981 4023c1 4977->4981 4983 402b7f 4978->4983 4982 40239a RegDeleteValueA RegCloseKey 4980->4982 4982->4981 4984 402b95 4983->4984 4985 402bab 4984->4985 4987 402bb4 4984->4987 4985->4981 4988 405deb RegOpenKeyExA 4987->4988 4992 402be2 4988->4992 4989 402c08 RegEnumKeyA 4990 402c1f RegCloseKey 4989->4990 4989->4992 4993 4062fd 5 API calls 4990->4993 4991 402c40 RegCloseKey 4996 402c33 4991->4996 4992->4989 4992->4990 4992->4991 4995 402bb4 6 API calls 4992->4995 4992->4996 4994 402c2f 4993->4994 4994->4996 4997 402c4e RegDeleteKeyA 4994->4997 4995->4992 4996->4985 4997->4996 4548 401ffd 4549 4020bd 4548->4549 4550 40200f 4548->4550 4552 401423 24 API calls 4549->4552 4551 402ac1 17 API calls 4550->4551 4553 402016 4551->4553 4559 40223c 4552->4559 4554 402ac1 17 API calls 4553->4554 4555 40201f 4554->4555 4556 402034 LoadLibraryExA 4555->4556 4557 402027 GetModuleHandleA 4555->4557 4556->4549 4558 402044 GetProcAddress 4556->4558 4557->4556 4557->4558 4560 402090 4558->4560 4561 402053 4558->4561 4564 40508c 24 API calls 4560->4564 4562 402072 4561->4562 4563 40205b 4561->4563 4569 100016bd 4562->4569 4565 401423 24 API calls 4563->4565 4566 402063 4564->4566 4565->4566 4566->4559 4567 4020b1 FreeLibrary 4566->4567 4567->4559 4570 100016ed 4569->4570 4611 10001a5d 4570->4611 4572 100016f4 4573 1000180a 4572->4573 4574 10001705 4572->4574 4575 1000170c 4572->4575 4573->4566 4652 100021b0 4574->4652 4638 100021fa 4575->4638 4580 10001770 4586 100017b2 4580->4586 4587 10001776 4580->4587 4581 10001752 4665 100023d8 4581->4665 4582 10001722 4585 10001728 4582->4585 4589 10001733 4582->4589 4583 1000173b 4601 10001731 4583->4601 4662 10002a9f 4583->4662 4585->4601 4648 100027e4 4585->4648 4593 
100023d8 11 API calls 4586->4593 4591 10001559 3 API calls 4587->4591 4588 10001758 4676 10001559 4588->4676 4656 10002587 4589->4656 4596 1000178c 4591->4596 4597 100017a4 4593->4597 4600 100023d8 11 API calls 4596->4600 4602 100017f9 4597->4602 4687 1000239e 4597->4687 4599 10001739 4599->4601 4600->4597 4601->4580 4601->4581 4602->4573 4606 10001803 GlobalFree 4602->4606 4606->4573 4608 100017e5 4608->4602 4691 100014e2 wsprintfA 4608->4691 4609 100017de FreeLibrary 4609->4608 4694 10001215 GlobalAlloc 4611->4694 4613 10001a81 4695 10001215 GlobalAlloc 4613->4695 4615 10001cbb GlobalFree GlobalFree GlobalFree 4616 10001cd8 4615->4616 4625 10001d22 4615->4625 4617 1000201a 4616->4617 4616->4625 4626 10001ced 4616->4626 4620 1000203c GetModuleHandleA 4617->4620 4617->4625 4618 10001b60 GlobalAlloc 4619 10001a8c 4618->4619 4619->4615 4619->4618 4621 10001bab lstrcpyA 4619->4621 4622 10001bc9 GlobalFree 4619->4622 4619->4625 4627 10001bb5 lstrcpyA 4619->4627 4628 10001f7a 4619->4628 4633 10001c07 4619->4633 4634 10001e75 GlobalFree 4619->4634 4637 10001224 2 API calls 4619->4637 4701 10001215 GlobalAlloc 4619->4701 4623 10002062 4620->4623 4624 1000204d LoadLibraryA 4620->4624 4621->4627 4622->4619 4623->4625 4629 100020c0 lstrlenA 4623->4629 4624->4623 4624->4625 4625->4572 4626->4625 4698 10001224 4626->4698 4627->4619 4628->4625 4632 10001fbe lstrcpyA 4628->4632 4635 100020d9 4629->4635 4632->4625 4633->4619 4696 10001534 GlobalSize GlobalAlloc 4633->4696 4634->4619 4635->4625 4637->4619 4646 10002212 4638->4646 4639 10001224 GlobalAlloc lstrcpynA 4639->4646 4641 10002347 GlobalFree 4643 10001712 4641->4643 4641->4646 4642 100022bb GlobalAlloc MultiByteToWideChar 4644 100022e5 GlobalAlloc CLSIDFromString GlobalFree 4642->4644 4645 10002306 4642->4645 4643->4582 4643->4583 4643->4601 4644->4641 4645->4641 4707 1000251b 4645->4707 4646->4639 4646->4641 4646->4642 4646->4645 4703 100012ad 4646->4703 4649 100027f6 4648->4649 4650 1000289b CreateFileA 4649->4650 4651 
100028b9 4650->4651 4651->4601 4653 100021c0 4652->4653 4654 1000170b 4652->4654 4653->4654 4655 100021d2 GlobalAlloc 4653->4655 4654->4575 4655->4653 4660 100025a3 4656->4660 4657 100025f4 GlobalAlloc 4661 10002616 4657->4661 4658 10002607 4659 1000260c GlobalSize 4658->4659 4658->4661 4659->4661 4660->4657 4660->4658 4661->4599 4664 10002aaa 4662->4664 4663 10002aea GlobalFree 4664->4663 4710 10001215 GlobalAlloc 4665->4710 4667 10002438 lstrcpynA 4674 100023e4 4667->4674 4668 10002449 StringFromGUID2 WideCharToMultiByte 4668->4674 4669 1000246d WideCharToMultiByte 4669->4674 4670 1000248e wsprintfA 4670->4674 4671 100024b2 GlobalFree 4671->4674 4672 100024ec GlobalFree 4672->4588 4673 10001266 2 API calls 4673->4674 4674->4667 4674->4668 4674->4669 4674->4670 4674->4671 4674->4672 4674->4673 4711 100012d1 4674->4711 4715 10001215 GlobalAlloc 4676->4715 4678 1000155f 4679 1000156c lstrcpyA 4678->4679 4681 10001586 4678->4681 4682 100015a0 4679->4682 4681->4682 4683 1000158b wsprintfA 4681->4683 4684 10001266 4682->4684 4683->4682 4685 100012a8 GlobalFree 4684->4685 4686 1000126f GlobalAlloc lstrcpynA 4684->4686 4685->4597 4686->4685 4688 100017c5 4687->4688 4689 100023ac 4687->4689 4688->4608 4688->4609 4689->4688 4690 100023c5 GlobalFree 4689->4690 4690->4689 4692 10001266 2 API calls 4691->4692 4693 10001503 4692->4693 4693->4602 4694->4613 4695->4619 4697 10001552 4696->4697 4697->4633 4702 10001215 GlobalAlloc 4698->4702 4700 10001233 lstrcpynA 4700->4625 4701->4619 4702->4700 4704 100012b4 4703->4704 4705 10001224 2 API calls 4704->4705 4706 100012cf 4705->4706 4706->4646 4708 10002529 VirtualAlloc 4707->4708 4709 1000257f 4707->4709 4708->4709 4709->4645 4710->4674 4712 100012f9 4711->4712 4713 100012da 4711->4713 4712->4674 4713->4712 4714 100012e0 lstrcpyA 4713->4714 4714->4712 4715->4678 4998 1000103d 4999 1000101b 5 API calls 4998->4999 5000 10001056 4999->5000 5001 4018fd 5002 401934 5001->5002 5003 402ac1 17 API calls 5002->5003 5004 401939 5003->5004 
5005 40572d 67 API calls 5004->5005 5006 401942 5005->5006 5007 40257d 5008 402582 5007->5008 5009 402596 5007->5009 5011 402a9f 17 API calls 5008->5011 5010 402ac1 17 API calls 5009->5010 5012 40259d lstrlenA 5010->5012 5013 40258b 5011->5013 5012->5013 5014 405ba5 WriteFile 5013->5014 5015 4025bf 5013->5015 5014->5015 5016 100029bf 5017 100029d7 5016->5017 5018 10001534 2 API calls 5017->5018 5019 100029f2 5018->5019 5020 401000 5021 401037 BeginPaint GetClientRect 5020->5021 5022 40100c DefWindowProcA 5020->5022 5024 4010f3 5021->5024 5025 401179 5022->5025 5026 401073 CreateBrushIndirect FillRect DeleteObject 5024->5026 5027 4010fc 5024->5027 5026->5024 5028 401102 CreateFontIndirectA 5027->5028 5029 401167 EndPaint 5027->5029 5028->5029 5030 401112 6 API calls 5028->5030 5029->5025 5030->5029 5031 405000 5032 405010 5031->5032 5033 405024 5031->5033 5034 405016 5032->5034 5043 40506d 5032->5043 5035 40502c IsWindowVisible 5033->5035 5039 405043 5033->5039 5037 404072 SendMessageA 5034->5037 5038 405039 5035->5038 5035->5043 5036 405072 CallWindowProcA 5040 405020 5036->5040 5037->5040 5044 404957 SendMessageA 5038->5044 5039->5036 5049 4049d7 5039->5049 5043->5036 5045 4049b6 SendMessageA 5044->5045 5046 40497a GetMessagePos ScreenToClient SendMessageA 5044->5046 5047 4049ae 5045->5047 5046->5047 5048 4049b3 5046->5048 5047->5039 5048->5045 5058 405f65 lstrcpynA 5049->5058 5051 4049ea 5059 405ec3 wsprintfA 5051->5059 5053 4049f4 5054 40140b 2 API calls 5053->5054 5055 4049fd 5054->5055 5060 405f65 lstrcpynA 5055->5060 5057 404a04 5057->5043 5058->5051 5059->5053 5060->5057 5061 401900 5062 402ac1 17 API calls 5061->5062 5063 401907 5062->5063 5064 405681 MessageBoxIndirectA 5063->5064 5065 401910 5064->5065 3703 402682 3704 402689 3703->3704 3710 4028fe 3703->3710 3711 402a9f 3704->3711 3706 402690 3707 40269f SetFilePointer 3706->3707 3708 4026af 3707->3708 3707->3710 3714 405ec3 wsprintfA 3708->3714 3715 405f87 3711->3715 3713 402ab4 3713->3706 3714->3710 
3727 405f94 3715->3727 3716 4061b6 3717 4061cb 3716->3717 3748 405f65 lstrcpynA 3716->3748 3717->3713 3719 406190 lstrlenA 3719->3727 3722 405f87 10 API calls 3722->3719 3723 4060ac GetSystemDirectoryA 3723->3727 3725 4060bf GetWindowsDirectoryA 3725->3727 3727->3716 3727->3719 3727->3722 3727->3723 3727->3725 3728 4060f3 SHGetSpecialFolderLocation 3727->3728 3729 405f87 10 API calls 3727->3729 3730 406139 lstrcatA 3727->3730 3732 405e4c 3727->3732 3737 4061cf 3727->3737 3746 405ec3 wsprintfA 3727->3746 3747 405f65 lstrcpynA 3727->3747 3728->3727 3731 40610b SHGetPathFromIDListA CoTaskMemFree 3728->3731 3729->3727 3730->3727 3731->3727 3749 405deb 3732->3749 3735 405e80 RegQueryValueExA RegCloseKey 3736 405eaf 3735->3736 3736->3727 3743 4061db 3737->3743 3738 406243 3739 406247 CharPrevA 3738->3739 3741 406262 3738->3741 3739->3738 3740 406238 CharNextA 3740->3738 3740->3743 3741->3727 3743->3738 3743->3740 3744 406226 CharNextA 3743->3744 3745 406233 CharNextA 3743->3745 3753 405928 3743->3753 3744->3743 3745->3740 3746->3727 3747->3727 3748->3717 3750 405dfa 3749->3750 3751 405e03 RegOpenKeyExA 3750->3751 3752 405dfe 3750->3752 3751->3752 3752->3735 3752->3736 3754 40592e 3753->3754 3755 405941 3754->3755 3756 405934 CharNextA 3754->3756 3755->3743 3756->3754 5066 401502 5067 40150a 5066->5067 5069 40151d 5066->5069 5068 402a9f 17 API calls 5067->5068 5068->5069 5070 401c04 5071 402a9f 17 API calls 5070->5071 5072 401c0b 5071->5072 5073 402a9f 17 API calls 5072->5073 5074 401c18 5073->5074 5075 401c2d 5074->5075 5076 402ac1 17 API calls 5074->5076 5077 401c3d 5075->5077 5078 402ac1 17 API calls 5075->5078 5076->5075 5079 401c94 5077->5079 5080 401c48 5077->5080 5078->5077 5082 402ac1 17 API calls 5079->5082 5081 402a9f 17 API calls 5080->5081 5083 401c4d 5081->5083 5084 401c99 5082->5084 5085 402a9f 17 API calls 5083->5085 5086 402ac1 17 API calls 5084->5086 5087 401c59 5085->5087 5088 401ca2 FindWindowExA 5086->5088 5089 401c84 SendMessageA 5087->5089 5090 
401c66 SendMessageTimeoutA 5087->5090 5091 401cc0 5088->5091 5089->5091 5090->5091 5092 404a09 GetDlgItem GetDlgItem 5093 404a5b 7 API calls 5092->5093 5100 404c73 5092->5100 5094 404af1 SendMessageA 5093->5094 5095 404afe DeleteObject 5093->5095 5094->5095 5096 404b07 5095->5096 5097 404b3e 5096->5097 5099 405f87 17 API calls 5096->5099 5101 404026 18 API calls 5097->5101 5098 404e03 5104 404e15 5098->5104 5105 404e0d SendMessageA 5098->5105 5106 404b20 SendMessageA SendMessageA 5099->5106 5103 404d57 5100->5103 5111 404957 5 API calls 5100->5111 5125 404ce4 5100->5125 5102 404b52 5101->5102 5107 404026 18 API calls 5102->5107 5103->5098 5108 404db0 SendMessageA 5103->5108 5132 404c66 5103->5132 5114 404e27 ImageList_Destroy 5104->5114 5115 404e2e 5104->5115 5128 404e3e 5104->5128 5105->5104 5106->5096 5126 404b60 5107->5126 5112 404dc5 SendMessageA 5108->5112 5108->5132 5109 40408d 8 API calls 5113 404ff9 5109->5113 5110 404d49 SendMessageA 5110->5103 5111->5125 5118 404dd8 5112->5118 5114->5115 5116 404e37 GlobalFree 5115->5116 5115->5128 5116->5128 5117 404c34 GetWindowLongA SetWindowLongA 5121 404c4d 5117->5121 5129 404de9 SendMessageA 5118->5129 5119 404fad 5120 404fbf ShowWindow GetDlgItem ShowWindow 5119->5120 5119->5132 5120->5132 5122 404c53 ShowWindow 5121->5122 5123 404c6b 5121->5123 5143 40405b SendMessageA 5122->5143 5144 40405b SendMessageA 5123->5144 5125->5103 5125->5110 5126->5117 5127 404baf SendMessageA 5126->5127 5130 404c2e 5126->5130 5133 404beb SendMessageA 5126->5133 5134 404bfc SendMessageA 5126->5134 5127->5126 5128->5119 5135 4049d7 4 API calls 5128->5135 5139 404e79 5128->5139 5129->5098 5130->5117 5130->5121 5132->5109 5133->5126 5134->5126 5135->5139 5136 404f83 InvalidateRect 5136->5119 5137 404f99 5136->5137 5145 404912 5137->5145 5138 404ea7 SendMessageA 5142 404ebd 5138->5142 5139->5138 5139->5142 5141 404f31 SendMessageA SendMessageA 5141->5142 5142->5136 5142->5141 5143->5132 5144->5100 5148 40484d 5145->5148 5147 404927 
5147->5119 5149 404863 5148->5149 5150 405f87 17 API calls 5149->5150 5151 4048c7 5150->5151 5152 405f87 17 API calls 5151->5152 5153 4048d2 5152->5153 5154 405f87 17 API calls 5153->5154 5155 4048e8 lstrlenA wsprintfA SetDlgItemTextA 5154->5155 5155->5147 5156 401490 5157 40508c 24 API calls 5156->5157 5158 401497 5157->5158 5159 401d95 GetDC 5160 402a9f 17 API calls 5159->5160 5161 401da7 GetDeviceCaps MulDiv ReleaseDC 5160->5161 5162 402a9f 17 API calls 5161->5162 5163 401dd8 5162->5163 5164 405f87 17 API calls 5163->5164 5165 401e15 CreateFontIndirectA 5164->5165 5166 402577 5165->5166 5166->5166 5167 404496 5168 4044c2 5167->5168 5169 4044d3 5167->5169 5228 405665 GetDlgItemTextA 5168->5228 5171 4044df GetDlgItem 5169->5171 5177 40453e 5169->5177 5173 4044f3 5171->5173 5172 4044cd 5175 4061cf 5 API calls 5172->5175 5176 404507 SetWindowTextA 5173->5176 5180 405996 4 API calls 5173->5180 5174 404622 5225 4047cc 5174->5225 5230 405665 GetDlgItemTextA 5174->5230 5175->5169 5181 404026 18 API calls 5176->5181 5177->5174 5182 405f87 17 API calls 5177->5182 5177->5225 5179 40408d 8 API calls 5184 4047e0 5179->5184 5185 4044fd 5180->5185 5186 404523 5181->5186 5187 4045b2 SHBrowseForFolderA 5182->5187 5183 404652 5188 4059eb 18 API calls 5183->5188 5185->5176 5194 4058fd 3 API calls 5185->5194 5189 404026 18 API calls 5186->5189 5187->5174 5190 4045ca CoTaskMemFree 5187->5190 5191 404658 5188->5191 5192 404531 5189->5192 5193 4058fd 3 API calls 5190->5193 5231 405f65 lstrcpynA 5191->5231 5229 40405b SendMessageA 5192->5229 5196 4045d7 5193->5196 5194->5176 5199 40460e SetDlgItemTextA 5196->5199 5203 405f87 17 API calls 5196->5203 5198 404537 5201 4062fd 5 API calls 5198->5201 5199->5174 5200 40466f 5202 4062fd 5 API calls 5200->5202 5201->5177 5210 404676 5202->5210 5204 4045f6 lstrcmpiA 5203->5204 5204->5199 5207 404607 lstrcatA 5204->5207 5205 4046b2 5232 405f65 lstrcpynA 5205->5232 5207->5199 5208 4046b9 5209 405996 4 API calls 5208->5209 5211 4046bf 
GetDiskFreeSpaceA 5209->5211 5210->5205 5214 405944 2 API calls 5210->5214 5215 40470a 5210->5215 5213 4046e3 MulDiv 5211->5213 5211->5215 5213->5215 5214->5210 5216 404912 20 API calls 5215->5216 5226 40477b 5215->5226 5218 404768 5216->5218 5217 40479e 5233 404048 KiUserCallbackDispatcher 5217->5233 5221 40477d SetDlgItemTextA 5218->5221 5222 40476d 5218->5222 5219 40140b 2 API calls 5219->5217 5221->5226 5224 40484d 20 API calls 5222->5224 5223 4047ba 5223->5225 5227 4043ef SendMessageA 5223->5227 5224->5226 5225->5179 5226->5217 5226->5219 5227->5225 5228->5172 5229->5198 5230->5183 5231->5200 5232->5208 5233->5223 5234 10001058 5236 10001074 5234->5236 5235 100010dc 5236->5235 5237 100014bb GlobalFree 5236->5237 5238 10001091 5236->5238 5237->5238 5239 100014bb GlobalFree 5238->5239 5240 100010a1 5239->5240 5241 100010b1 5240->5241 5242 100010a8 GlobalSize 5240->5242 5243 100010b5 GlobalAlloc 5241->5243 5244 100010c6 5241->5244 5242->5241 5245 100014e2 3 API calls 5243->5245 5246 100010d1 GlobalFree 5244->5246 5245->5244 5246->5235 5247 401d1a 5248 402a9f 17 API calls 5247->5248 5249 401d28 SetWindowLongA 5248->5249 5250 402951 5249->5250 4716 40159d 4717 402ac1 17 API calls 4716->4717 4718 4015a4 SetFileAttributesA 4717->4718 4719 4015b6 4718->4719 5256 40149d 5257 4022e1 5256->5257 5258 4014ab PostQuitMessage 5256->5258 5258->5257 5259 401a1e 5260 402ac1 17 API calls 5259->5260 5261 401a27 ExpandEnvironmentStringsA 5260->5261 5262 401a3b 5261->5262 5264 401a4e 5261->5264 5263 401a40 lstrcmpA 5262->5263 5262->5264 5263->5264 5265 40171f 5266 402ac1 17 API calls 5265->5266 5267 401726 SearchPathA 5266->5267 5268 401741 5267->5268 5269 100010e0 5270 1000110e 5269->5270 5271 100011c4 GlobalFree 5270->5271 5272 100012ad 2 API calls 5270->5272 5273 100011c3 5270->5273 5274 10001266 2 API calls 5270->5274 5275 10001155 GlobalAlloc 5270->5275 5276 100011ea GlobalFree 5270->5276 5277 100011b1 GlobalFree 5270->5277 5278 100012d1 lstrcpyA 5270->5278 5272->5270 
5273->5271 5274->5277 5275->5270 5276->5270 5277->5270 5278->5270 5279 10002162 5280 100021c0 5279->5280 5281 100021f6 5279->5281 5280->5281 5282 100021d2 GlobalAlloc 5280->5282 5282->5280 3769 401e25 3770 402a9f 17 API calls 3769->3770 3771 401e2b 3770->3771 3772 402a9f 17 API calls 3771->3772 3773 401e37 3772->3773 3774 401e43 ShowWindow 3773->3774 3775 401e4e EnableWindow 3773->3775 3776 402951 3774->3776 3775->3776 5283 401f2b 5284 402ac1 17 API calls 5283->5284 5285 401f32 5284->5285 5286 406268 2 API calls 5285->5286 5287 401f38 5286->5287 5289 401f4a 5287->5289 5290 405ec3 wsprintfA 5287->5290 5290->5289 5291 40292c SendMessageA 5292 402951 5291->5292 5293 402946 InvalidateRect 5291->5293 5293->5292 5294 4026b4 5295 4026ba 5294->5295 5296 402951 5295->5296 5297 4026c2 FindClose 5295->5297 5297->5296 5298 402736 5299 402ac1 17 API calls 5298->5299 5300 402744 5299->5300 5301 40275a 5300->5301 5303 402ac1 17 API calls 5300->5303 5302 405ad9 2 API calls 5301->5302 5304 402760 5302->5304 5303->5301 5326 405afe GetFileAttributesA CreateFileA 5304->5326 5306 40276d 5307 402816 5306->5307 5308 402779 GlobalAlloc 5306->5308 5311 402831 5307->5311 5312 40281e DeleteFileA 5307->5312 5309 402792 5308->5309 5310 40280d CloseHandle 5308->5310 5327 4031a9 SetFilePointer 5309->5327 5310->5307 5312->5311 5314 402798 5315 403193 ReadFile 5314->5315 5316 4027a1 GlobalAlloc 5315->5316 5317 4027b1 5316->5317 5318 4027eb 5316->5318 5320 402f81 31 API calls 5317->5320 5319 405ba5 WriteFile 5318->5319 5321 4027f7 GlobalFree 5319->5321 5325 4027be 5320->5325 5322 402f81 31 API calls 5321->5322 5324 40280a 5322->5324 5323 4027e2 GlobalFree 5323->5318 5324->5310 5325->5323 5326->5306 5327->5314 5328 402837 5329 402a9f 17 API calls 5328->5329 5330 40283d 5329->5330 5331 402865 5330->5331 5332 40287c 5330->5332 5337 402716 5330->5337 5333 402879 5331->5333 5334 40286a 5331->5334 5335 402896 5332->5335 5336 402886 5332->5336 5343 405ec3 wsprintfA 5333->5343 5342 405f65 lstrcpynA 
5334->5342 5339 405f87 17 API calls 5335->5339 5338 402a9f 17 API calls 5336->5338 5338->5337 5339->5337 5342->5337 5343->5337 5344 4014b7 5345 4014bd 5344->5345 5346 401389 2 API calls 5345->5346 5347 4014c5 5346->5347 5348 401b39 5349 402ac1 17 API calls 5348->5349 5350 401b40 5349->5350 5351 402a9f 17 API calls 5350->5351 5352 401b49 wsprintfA 5351->5352 5353 402951 5352->5353 5354 40413a lstrcpynA lstrlenA 5355 40233a 5356 402ac1 17 API calls 5355->5356 5357 40234b 5356->5357 5358 402ac1 17 API calls 5357->5358 5359 402354 5358->5359 5360 402ac1 17 API calls 5359->5360 5361 40235e GetPrivateProfileStringA 5360->5361 4528 4015bb 4529 402ac1 17 API calls 4528->4529 4530 4015c2 4529->4530 4531 405996 4 API calls 4530->4531 4541 4015ca 4531->4541 4532 401624 4534 401652 4532->4534 4535 401629 4532->4535 4533 405928 CharNextA 4533->4541 4537 401423 24 API calls 4534->4537 4536 401423 24 API calls 4535->4536 4538 401630 4536->4538 4544 40164a 4537->4544 4547 405f65 lstrcpynA 4538->4547 4539 4055cf 2 API calls 4539->4541 4541->4532 4541->4533 4541->4539 4542 4055ec 5 API calls 4541->4542 4545 40160c GetFileAttributesA 4541->4545 4546 405552 4 API calls 4541->4546 4542->4541 4543 40163b SetCurrentDirectoryA 4543->4544 4545->4541 4546->4541 4547->4543 5362 4016bb 5363 402ac1 17 API calls 5362->5363 5364 4016c1 GetFullPathNameA 5363->5364 5365 4016d8 5364->5365 5371 4016f9 5364->5371 5368 406268 2 API calls 5365->5368 5365->5371 5366 402951 5367 40170d GetShortPathNameA 5367->5366 5369 4016e9 5368->5369 5369->5371 5372 405f65 lstrcpynA 5369->5372 5371->5366 5371->5367 5372->5371 5373 401d3b GetDlgItem GetClientRect 5374 402ac1 17 API calls 5373->5374 5375 401d6b LoadImageA SendMessageA 5374->5375 5376 402951 5375->5376 5377 401d89 DeleteObject 5375->5377 5377->5376

Control-flow Graph (legend: Executed / Not Executed)
                                                    C-Code - Quality: 86%
                                                    			_entry_() {
                                                    				signed int _t42;
                                                    				intOrPtr* _t47;
                                                    				CHAR* _t51;
                                                    				char* _t54;
                                                    				CHAR* _t56;
                                                    				void* _t60;
                                                    				intOrPtr _t62;
                                                    				int _t64;
                                                    				int _t67;
                                                    				signed int _t68;
                                                    				int _t69;
                                                    				signed int _t71;
                                                    				void* _t95;
                                                    				signed int _t111;
                                                    				void* _t114;
                                                    				void* _t119;
                                                    				intOrPtr* _t120;
                                                    				char _t123;
                                                    				signed int _t142;
                                                    				signed int _t143;
                                                    				int _t151;
                                                    				void* _t152;
                                                    				intOrPtr* _t154;
                                                    				CHAR* _t157;
                                                    				CHAR* _t158;
                                                    				void* _t160;
                                                    				char* _t161;
                                                    				void* _t164;
                                                    				void* _t165;
                                                    				char _t190;
                                                    
                                                    				 *(_t165 + 0x18) = 0;
                                                    				 *((intOrPtr*)(_t165 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                                    				 *(_t165 + 0x20) = 0;
                                                    				 *(_t165 + 0x14) = 0x20;
                                                    				SetErrorMode(0x8001); // executed
                                                    				_t42 = GetVersion() & 0xbfffffff;
                                                    				 *0x42f40c = _t42;
                                                    				if(_t42 != 6) {
                                                    					_t120 = E004062FD(0);
                                                    					if(_t120 != 0) {
                                                    						 *_t120(0xc00);
                                                    					}
                                                    				}
                                                    				_t157 = "UXTHEME";
                                                    				do {
                                                    					E0040628F(_t157); // executed
                                                    					_t157 =  &(_t157[lstrlenA(_t157) + 1]);
                                                    				} while ( *_t157 != 0);
                                                    				E004062FD(0xa);
                                                    				 *0x42f404 = E004062FD(8);
                                                    				_t47 = E004062FD(6);
                                                    				if(_t47 != 0) {
                                                    					_t47 =  *_t47(0x1e);
                                                    					if(_t47 != 0) {
                                                    						 *0x42f40f =  *0x42f40f | 0x00000040;
                                                    					}
                                                    				}
                                                    				__imp__#17(_t160);
                                                    				__imp__OleInitialize(0); // executed
                                                    				 *0x42f4d8 = _t47;
                                                    				SHGetFileInfoA(0x429830, 0, _t165 + 0x38, 0x160, 0); // executed
                                                    				E00405F65("Yllerion Setup", "NSIS Error");
                                                    				_t51 = GetCommandLineA();
                                                    				_t161 = "\"C:\\Users\\jones\\Desktop\\invoice.exe\"";
                                                    				E00405F65(_t161, _t51);
                                                    				 *0x42f400 = GetModuleHandleA(0);
                                                    				_t54 = _t161;
                                                    				if("\"C:\\Users\\jones\\Desktop\\invoice.exe\"" == 0x22) {
                                                    					 *(_t165 + 0x14) = 0x22;
                                                    					_t54 =  &M00435001;
                                                    				}
                                                    				_t56 = CharNextA(E00405928(_t54,  *(_t165 + 0x14)));
                                                    				 *(_t165 + 0x1c) = _t56;
                                                    				while(1) {
                                                    					_t123 =  *_t56;
                                                    					_t173 = _t123;
                                                    					if(_t123 == 0) {
                                                    						break;
                                                    					}
                                                    					__eflags = _t123 - 0x20;
                                                    					if(_t123 != 0x20) {
                                                    						L13:
                                                    						__eflags =  *_t56 - 0x22;
                                                    						 *(_t165 + 0x14) = 0x20;
                                                    						if( *_t56 == 0x22) {
                                                    							_t56 =  &(_t56[1]);
                                                    							__eflags = _t56;
                                                    							 *(_t165 + 0x14) = 0x22;
                                                    						}
                                                    						__eflags =  *_t56 - 0x2f;
                                                    						if( *_t56 != 0x2f) {
                                                    							L25:
                                                    							_t56 = E00405928(_t56,  *(_t165 + 0x14));
                                                    							__eflags =  *_t56 - 0x22;
                                                    							if(__eflags == 0) {
                                                    								_t56 =  &(_t56[1]);
                                                    								__eflags = _t56;
                                                    							}
                                                    							continue;
                                                    						} else {
                                                    							_t56 =  &(_t56[1]);
                                                    							__eflags =  *_t56 - 0x53;
                                                    							if( *_t56 != 0x53) {
                                                    								L20:
                                                    								__eflags =  *_t56 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                                                    								if( *_t56 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                                                    									L24:
                                                    									__eflags =  *((intOrPtr*)(_t56 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                                                    									if( *((intOrPtr*)(_t56 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                                                    										 *((char*)(_t56 - 2)) = 0;
                                                    										__eflags =  &(_t56[2]);
                                                    										E00405F65("C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository",  &(_t56[2]));
                                                    										L30:
                                                    										_t158 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
                                                    										GetTempPathA(0x400, _t158);
                                                    										_t60 = E004031C0(_t173);
                                                    										_t174 = _t60;
                                                    										if(_t60 != 0) {
                                                    											L33:
                                                    											DeleteFileA("1033"); // executed
                                                    											_t62 = E00402D48(_t176,  *(_t165 + 0x20)); // executed
                                                    											 *((intOrPtr*)(_t165 + 0x10)) = _t62;
                                                    											if(_t62 != 0) {
                                                    												L43:
                                                    												E004036DB();
                                                    												__imp__OleUninitialize();
                                                    												_t186 =  *((intOrPtr*)(_t165 + 0x10));
                                                    												if( *((intOrPtr*)(_t165 + 0x10)) == 0) {
                                                    													__eflags =  *0x42f4b4;
                                                    													if( *0x42f4b4 == 0) {
                                                    														L67:
                                                    														_t64 =  *0x42f4cc;
                                                    														__eflags = _t64 - 0xffffffff;
                                                    														if(_t64 != 0xffffffff) {
                                                    															 *(_t165 + 0x14) = _t64;
                                                    														}
                                                    														ExitProcess( *(_t165 + 0x14));
                                                    													}
                                                    													_t67 = OpenProcessToken(GetCurrentProcess(), 0x28, _t165 + 0x18);
                                                    													__eflags = _t67;
                                                    													_t151 = 2;
                                                    													if(_t67 != 0) {
                                                    														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t165 + 0x24);
                                                    														 *(_t165 + 0x38) = 1;
                                                    														 *(_t165 + 0x44) = _t151;
                                                    														AdjustTokenPrivileges( *(_t165 + 0x2c), 0, _t165 + 0x28, 0, 0, 0);
                                                    													}
                                                    													_t68 = E004062FD(4);
                                                    													__eflags = _t68;
                                                    													if(_t68 == 0) {
                                                    														L65:
                                                    														_t69 = ExitWindowsEx(_t151, 0x80040002);
                                                    														__eflags = _t69;
                                                    														if(_t69 != 0) {
                                                    															goto L67;
                                                    														}
                                                    														goto L66;
                                                    													} else {
                                                    														_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
                                                    														__eflags = _t71;
                                                    														if(_t71 == 0) {
                                                    															L66:
                                                    															E0040140B(9);
                                                    															goto L67;
                                                    														}
                                                    														goto L65;
                                                    													}
                                                    												}
                                                    												E00405681( *((intOrPtr*)(_t165 + 0x10)), 0x200010);
                                                    												ExitProcess(2);
                                                    											}
                                                    											if( *0x42f420 == 0) {
                                                    												L42:
                                                    												 *0x42f4cc =  *0x42f4cc | 0xffffffff;
                                                    												 *(_t165 + 0x18) = E004037B5( *0x42f4cc);
                                                    												goto L43;
                                                    											}
                                                    											_t154 = E00405928(_t161, 0);
                                                    											if(_t154 < _t161) {
                                                    												L39:
                                                    												_t183 = _t154 - _t161;
                                                    												 *((intOrPtr*)(_t165 + 0x10)) = "Error launching installer";
                                                    												if(_t154 < _t161) {
                                                    													_t152 = E004055EC(_t186);
                                                    													lstrcatA(_t158, "~nsu");
                                                    													if(_t152 != 0) {
                                                    														lstrcatA(_t158, "A");
                                                    													}
                                                    													lstrcatA(_t158, ".tmp");
                                                    													_t163 = "C:\\Users\\jones\\Desktop";
                                                    													if(lstrcmpiA(_t158, "C:\\Users\\jones\\Desktop") != 0) {
                                                    														_push(_t158);
                                                    														if(_t152 == 0) {
                                                    															E004055CF();
                                                    														} else {
                                                    															E00405552();
                                                    														}
                                                    														SetCurrentDirectoryA(_t158);
                                                    														_t190 = "C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository"; // 0x43
                                                    														if(_t190 == 0) {
                                                    															E00405F65("C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository", _t163);
                                                    														}
                                                    														E00405F65(0x430000,  *(_t165 + 0x1c));
                                                    														_t138 = "A";
                                                    														_t164 = 0x1a;
                                                    														 *0x430400 = "A";
                                                    														do {
                                                    															E00405F87(0, 0x429430, _t158, 0x429430,  *((intOrPtr*)( *0x42f414 + 0x120)));
                                                    															DeleteFileA(0x429430);
                                                    															if( *((intOrPtr*)(_t165 + 0x10)) != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\invoice.exe", 0x429430, 1) != 0) {
                                                    																E00405D44(_t138, 0x429430, 0);
                                                    																E00405F87(0, 0x429430, _t158, 0x429430,  *((intOrPtr*)( *0x42f414 + 0x124)));
                                                    																_t95 = E00405604(0x429430);
                                                    																if(_t95 != 0) {
                                                    																	CloseHandle(_t95);
                                                    																	 *((intOrPtr*)(_t165 + 0x10)) = 0;
                                                    																}
                                                    															}
                                                    															 *0x430400 =  *0x430400 + 1;
                                                    															_t164 = _t164 - 1;
                                                    														} while (_t164 != 0);
                                                    														E00405D44(_t138, _t158, 0);
                                                    													}
                                                    													goto L43;
                                                    												}
                                                    												 *_t154 = 0;
                                                    												_t155 = _t154 + 4;
                                                    												if(E004059EB(_t183, _t154 + 4) == 0) {
                                                    													goto L43;
                                                    												}
                                                    												E00405F65("C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository", _t155);
                                                    												E00405F65("C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository\\Diskofils\\Justiciaryship", _t155);
                                                    												 *((intOrPtr*)(_t165 + 0x10)) = 0;
                                                    												goto L42;
                                                    											}
                                                    											_t111 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                                                    											while( *_t154 != _t111) {
                                                    												_t154 = _t154 - 1;
                                                    												if(_t154 >= _t161) {
                                                    													continue;
                                                    												}
                                                    												goto L39;
                                                    											}
                                                    											goto L39;
                                                    										}
                                                    										GetWindowsDirectoryA(_t158, 0x3fb);
                                                    										lstrcatA(_t158, "\\Temp");
                                                    										_t114 = E004031C0(_t174);
                                                    										_t175 = _t114;
                                                    										if(_t114 != 0) {
                                                    											goto L33;
                                                    										}
                                                    										GetTempPathA(0x3fc, _t158);
                                                    										lstrcatA(_t158, "Low");
                                                    										SetEnvironmentVariableA("TEMP", _t158);
                                                    										SetEnvironmentVariableA("TMP", _t158);
                                                    										_t119 = E004031C0(_t175);
                                                    										_t176 = _t119;
                                                    										if(_t119 == 0) {
                                                    											goto L43;
                                                    										}
                                                    										goto L33;
                                                    									}
                                                    									goto L25;
                                                    								}
                                                    								_t142 = _t56[4];
                                                    								__eflags = _t142 - 0x20;
                                                    								if(_t142 == 0x20) {
                                                    									L23:
                                                    									_t15 = _t165 + 0x20;
                                                    									 *_t15 =  *(_t165 + 0x20) | 0x00000004;
                                                    									__eflags =  *_t15;
                                                    									goto L24;
                                                    								}
                                                    								__eflags = _t142;
                                                    								if(_t142 != 0) {
                                                    									goto L24;
                                                    								}
                                                    								goto L23;
                                                    							}
                                                    							_t143 = _t56[1];
                                                    							__eflags = _t143 - 0x20;
                                                    							if(_t143 == 0x20) {
                                                    								L19:
                                                    								 *0x42f4c0 = 1;
                                                    								goto L20;
                                                    							}
                                                    							__eflags = _t143;
                                                    							if(_t143 != 0) {
                                                    								goto L20;
                                                    							}
                                                    							goto L19;
                                                    						}
                                                    					} else {
                                                    						goto L12;
                                                    					}
                                                    					do {
                                                    						L12:
                                                    						_t56 =  &(_t56[1]);
                                                    						__eflags =  *_t56 - 0x20;
                                                    					} while ( *_t56 == 0x20);
                                                    					goto L13;
                                                    				}
                                                    				goto L30;
                                                    			}

































                                                    0x00403544
                                                    0x00403546
                                                    0x0040354d
                                                    0x00403555
                                                    0x00403555
                                                    0x00403560
                                                    0x00403565
                                                    0x00403574
                                                    0x00403578
                                                    0x00403579
                                                    0x00403582
                                                    0x0040357b
                                                    0x0040357b
                                                    0x0040357b
                                                    0x00403588
                                                    0x0040358e
                                                    0x00403594
                                                    0x0040359c
                                                    0x0040359c
                                                    0x004035aa
                                                    0x004035af
                                                    0x004035c1
                                                    0x004035c9
                                                    0x004035cf
                                                    0x004035db
                                                    0x004035e1
                                                    0x004035eb
                                                    0x00403601
                                                    0x00403612
                                                    0x00403618
                                                    0x0040361f
                                                    0x00403622
                                                    0x00403628
                                                    0x00403628
                                                    0x0040361f
                                                    0x0040362c
                                                    0x00403632
                                                    0x00403632
                                                    0x00403637
                                                    0x00403637
                                                    0x00000000
                                                    0x00403574
                                                    0x004034d4
                                                    0x004034d6
                                                    0x004034e1
                                                    0x00000000
                                                    0x00000000
                                                    0x004034e9
                                                    0x004034f4
                                                    0x004034f9
                                                    0x00000000
                                                    0x004034f9
                                                    0x004034bd
                                                    0x004034bf
                                                    0x004034c3
                                                    0x004034c6
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x004034c6
                                                    0x00000000
                                                    0x004034bf
                                                    0x0040340f
                                                    0x0040341b
                                                    0x00403420
                                                    0x00403425
                                                    0x00403427
                                                    0x00000000
                                                    0x00000000
                                                    0x0040342f
                                                    0x00403437
                                                    0x00403448
                                                    0x00403450
                                                    0x00403452
                                                    0x00403457
                                                    0x00403459
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00403459
                                                    0x00000000
                                                    0x004033be
                                                    0x0040337f
                                                    0x00403382
                                                    0x00403385
                                                    0x0040338b
                                                    0x0040338b
                                                    0x0040338b
                                                    0x0040338b
                                                    0x00000000
                                                    0x0040338b
                                                    0x00403387
                                                    0x00403389
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00403389
                                                    0x0040333a
                                                    0x0040333d
                                                    0x00403340
                                                    0x00403346
                                                    0x00403346
                                                    0x00000000
                                                    0x00403346
                                                    0x00403342
                                                    0x00403344
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00403344
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00403315
                                                    0x00403315
                                                    0x00403315
                                                    0x00403316
                                                    0x00403316
                                                    0x00000000
                                                    0x00403315
                                                    0x00000000

                                                    APIs
                                                    • SetErrorMode.KERNELBASE ref: 00403216
                                                    • GetVersion.KERNEL32 ref: 0040321C
                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040324F
                                                    • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040328B
                                                    • OleInitialize.OLE32(00000000), ref: 00403292
                                                    • SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032AE
                                                    • GetCommandLineA.KERNEL32(Yllerion Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032C3
                                                    • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\invoice.exe",00000000,?,00000006,00000008,0000000A), ref: 004032D6
                                                    • CharNextA.USER32(00000000,"C:\Users\user\Desktop\invoice.exe",00000020,?,00000006,00000008,0000000A), ref: 00403301
                                                    • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033FE
                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 0040340F
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040341B
                                                    • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040342F
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403437
                                                    • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403448
                                                    • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403450
                                                    • DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403464
                                                      • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                                                      • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                                                      • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,Yllerion Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                                                      • Part of subcall function 004037B5: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository,1033,Yllerion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Yllerion Setup: Installing,00000000,00000002,7476FA90), ref: 004038A5
                                                      • Part of subcall function 004037B5: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository,1033,Yllerion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Yllerion Setup: Installing,00000000), ref: 004038B8
                                                      • Part of subcall function 004037B5: GetFileAttributesA.KERNEL32(Call), ref: 004038C3
                                                      • Part of subcall function 004037B5: LoadImageA.USER32 ref: 0040390C
                                                      • Part of subcall function 004037B5: RegisterClassA.USER32 ref: 00403949
                                                      • Part of subcall function 004036DB: CloseHandle.KERNEL32(00000294,00403512,?,?,00000006,00000008,0000000A), ref: 004036E6
                                                    • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403512
                                                    • ExitProcess.KERNEL32 ref: 00403533
                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403650
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403657
                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040366F
                                                    • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040368E
                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 004036B2
                                                    • ExitProcess.KERNEL32 ref: 004036D5
                                                      • Part of subcall function 00405681: MessageBoxIndirectA.USER32(0040A218), ref: 004056DC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Process$ExitFileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
                                                    • String ID: "$"C:\Users\user\Desktop\invoice.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\invoice.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$Yllerion Setup$\Temp$~nsu
                                                    • API String ID: 3855923921-298697228
                                                    • Opcode ID: b823c1f3407b5428210c909c51c2acc25d2a7094c9d0c145c1e4b304f3d6dece
                                                    • Instruction ID: 41c275c355797b12fd9b138c60a2ad170ddd3a1f93bd6a9867a2704463122372
                                                    • Opcode Fuzzy Hash: b823c1f3407b5428210c909c51c2acc25d2a7094c9d0c145c1e4b304f3d6dece
                                                    • Instruction Fuzzy Hash: 0DC1E470604741AAD7216F759E49B2F3EACAF45706F44053FF581B61E2CB7C8A098B2E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 134 4051ca-4051e6 135 405375-40537b 134->135 136 4051ec-4052b3 GetDlgItem * 3 call 40405b call 40492a GetClientRect GetSystemMetrics SendMessageA * 2 134->136 138 4053a5-4053b1 135->138 139 40537d-40539f GetDlgItem CreateThread FindCloseChangeNotification 135->139 154 4052d1-4052d4 136->154 155 4052b5-4052cf SendMessageA * 2 136->155 140 4053d3-4053d9 138->140 141 4053b3-4053b9 138->141 139->138 145 4053db-4053e1 140->145 146 40542e-405431 140->146 143 4053f4-4053fb call 40408d 141->143 144 4053bb-4053ce ShowWindow * 2 call 40405b 141->144 158 405400-405404 143->158 144->140 150 4053e3-4053ef call 403fff 145->150 151 405407-405417 ShowWindow 145->151 146->143 148 405433-405439 146->148 148->143 156 40543b-40544e SendMessageA 148->156 150->143 159 405427-405429 call 403fff 151->159 160 405419-405422 call 40508c 151->160 161 4052e4-4052fb call 404026 154->161 162 4052d6-4052e2 SendMessageA 154->162 155->154 163 405454-405480 CreatePopupMenu call 405f87 AppendMenuA 156->163 164 40554b-40554d 156->164 159->146 160->159 173 405331-405352 GetDlgItem SendMessageA 161->173 174 4052fd-405311 ShowWindow 161->174 162->161 171 405482-405492 GetWindowRect 163->171 172 405495-4054ab TrackPopupMenu 163->172 164->158 171->172 172->164 175 4054b1-4054cb 172->175 173->164 178 405358-405370 SendMessageA * 2 173->178 176 405320 174->176 177 405313-40531e ShowWindow 174->177 179 4054d0-4054eb SendMessageA 175->179 180 405326-40532c call 40405b 176->180 177->180 178->164 179->179 181 4054ed-40550d OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 179->181 180->173 183 40550f-40552f SendMessageA 181->183 183->183 184 405531-405545 GlobalUnlock SetClipboardData CloseClipboard 183->184 184->164
                                                    C-Code - Quality: 96%
                                                    			E004051CA(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                    				struct HWND__* _v8;
                                                    				struct tagRECT _v24;
                                                    				void* _v32;
                                                    				signed int _v36;
                                                    				int _v40;
                                                    				int _v44;
                                                    				signed int _v48;
                                                    				int _v52;
                                                    				void* _v56;
                                                    				void* _v64;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				struct HWND__* _t87;
                                                    				struct HWND__* _t89;
                                                    				long _t90;
                                                    				int _t95;
                                                    				int _t96;
                                                    				long _t99;
                                                    				void* _t102;
                                                    				intOrPtr _t113;
                                                    				void* _t121;
                                                    				intOrPtr _t124;
                                                    				struct HWND__* _t128;
                                                    				int _t150;
                                                    				int _t153;
                                                    				long _t157;
                                                    				struct HWND__* _t161;
                                                    				struct HMENU__* _t163;
                                                    				long _t165;
                                                    				void* _t166;
                                                    				char* _t167;
                                                    				char* _t168;
                                                    				int _t169;
                                                    
                                                    				_t87 =  *0x42ebe4; // 0x10432
                                                    				_t157 = _a8;
                                                    				_t150 = 0;
                                                    				_v8 = _t87;
                                                    				if(_t157 != 0x110) {
                                                    					__eflags = _t157 - 0x405;
                                                    					if(_t157 == 0x405) {
                                                    						_t121 = CreateThread(0, 0, E0040515E, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
                                                    						FindCloseChangeNotification(_t121);
                                                    					}
                                                    					__eflags = _t157 - 0x111;
                                                    					if(_t157 != 0x111) {
                                                    						L17:
                                                    						__eflags = _t157 - 0x404;
                                                    						if(_t157 != 0x404) {
                                                    							L25:
                                                    							__eflags = _t157 - 0x7b;
                                                    							if(_t157 != 0x7b) {
                                                    								goto L20;
                                                    							}
                                                    							_t89 = _v8;
                                                    							__eflags = _a12 - _t89;
                                                    							if(_a12 != _t89) {
                                                    								goto L20;
                                                    							}
                                                    							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                                                    							__eflags = _t90 - _t150;
                                                    							_a12 = _t90;
                                                    							if(_t90 <= _t150) {
                                                    								L36:
                                                    								return 0;
                                                    							}
                                                    							_t163 = CreatePopupMenu();
                                                    							AppendMenuA(_t163, _t150, 1, E00405F87(_t150, _t157, _t163, _t150, 0xffffffe1));
                                                    							_t95 = _a16;
                                                    							__eflags = _a16 - 0xffffffff;
                                                    							_t153 = _a16 >> 0x10;
                                                    							if(_a16 == 0xffffffff) {
                                                    								GetWindowRect(_v8,  &_v24);
                                                    								_t95 = _v24.left;
                                                    								_t153 = _v24.top;
                                                    							}
                                                    							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
                                                    							__eflags = _t96 - 1;
                                                    							if(_t96 == 1) {
                                                    								_t165 = 1;
                                                    								__eflags = 1;
                                                    								_v56 = _t150;
                                                    								_v44 = 0x42a870;
                                                    								_v40 = 0x1000;
                                                    								_a4 = _a12;
                                                    								do {
                                                    									_a4 = _a4 - 1;
                                                    									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
                                                    									__eflags = _a4 - _t150;
                                                    									_t165 = _t165 + _t99 + 2;
                                                    								} while (_a4 != _t150);
                                                    								OpenClipboard(_t150);
                                                    								EmptyClipboard();
                                                    								_t102 = GlobalAlloc(0x42, _t165);
                                                    								_a4 = _t102;
                                                    								_t166 = GlobalLock(_t102);
                                                    								do {
                                                    									_v44 = _t166;
                                                    									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                                                    									 *_t167 = 0xd;
                                                    									_t168 = _t167 + 1;
                                                    									 *_t168 = 0xa;
                                                    									_t166 = _t168 + 1;
                                                    									_t150 = _t150 + 1;
                                                    									__eflags = _t150 - _a12;
                                                    								} while (_t150 < _a12);
                                                    								GlobalUnlock(_a4);
                                                    								SetClipboardData(1, _a4);
                                                    								CloseClipboard();
                                                    							}
                                                    							goto L36;
                                                    						}
                                                    						__eflags =  *0x42ebcc - _t150; // 0x0
                                                    						if(__eflags == 0) {
                                                    							ShowWindow( *0x42f408, 8);
                                                    							__eflags =  *0x42f4ac - _t150;
                                                    							if( *0x42f4ac == _t150) {
                                                    								_t113 =  *0x42a048; // 0x49a02c
                                                    								E0040508C( *((intOrPtr*)(_t113 + 0x34)), _t150);
                                                    							}
                                                    							E00403FFF(1);
                                                    							goto L25;
                                                    						}
                                                    						 *0x429c40 = 2;
                                                    						E00403FFF(0x78);
                                                    						goto L20;
                                                    					} else {
                                                    						__eflags = _a12 - 0x403;
                                                    						if(_a12 != 0x403) {
                                                    							L20:
                                                    							return E0040408D(_t157, _a12, _a16);
                                                    						}
                                                    						ShowWindow( *0x42ebd0, _t150);
                                                    						ShowWindow(_v8, 8);
                                                    						E0040405B(_v8);
                                                    						goto L17;
                                                    					}
                                                    				}
                                                    				_v48 = _v48 | 0xffffffff;
                                                    				_v36 = _v36 | 0xffffffff;
                                                    				_t169 = 2;
                                                    				_v56 = _t169;
                                                    				_v52 = 0;
                                                    				_v44 = 0;
                                                    				_v40 = 0;
                                                    				asm("stosd");
                                                    				asm("stosd");
                                                    				_t124 =  *0x42f414;
                                                    				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                                    				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                                    				 *0x42ebd0 = GetDlgItem(_a4, 0x403);
                                                    				 *0x42ebc8 = GetDlgItem(_a4, 0x3ee);
                                                    				_t128 = GetDlgItem(_a4, 0x3f8);
                                                    				 *0x42ebe4 = _t128;
                                                    				_v8 = _t128;
                                                    				E0040405B( *0x42ebd0);
                                                    				 *0x42ebd4 = E0040492A(4);
                                                    				 *0x42ebec = 0;
                                                    				GetClientRect(_v8,  &_v24);
                                                    				_v48 = _v24.right - GetSystemMetrics(_t169);
                                                    				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
                                                    				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
                                                    				if(_a12 >= 0) {
                                                    					SendMessageA(_v8, 0x1001, 0, _a12);
                                                    					SendMessageA(_v8, 0x1026, 0, _a12);
                                                    				}
                                                    				if(_a8 >= _t150) {
                                                    					SendMessageA(_v8, 0x1024, _t150, _a8);
                                                    				}
                                                    				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                    				_push(0x1b);
                                                    				E00404026(_a4);
                                                    				if(( *0x42f41c & 0x00000003) != 0) {
                                                    					ShowWindow( *0x42ebd0, _t150);
                                                    					if(( *0x42f41c & 0x00000002) != 0) {
                                                    						 *0x42ebd0 = _t150;
                                                    					} else {
                                                    						ShowWindow(_v8, 8);
                                                    					}
                                                    					E0040405B( *0x42ebc8);
                                                    				}
                                                    				_t161 = GetDlgItem(_a4, 0x3ec);
                                                    				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                                    				if(( *0x42f41c & 0x00000004) != 0) {
                                                    					SendMessageA(_t161, 0x409, _t150, _a8);
                                                    					SendMessageA(_t161, 0x2001, _t150, _a12);
                                                    				}
                                                    				goto L36;
                                                    			}






































                                                    APIs
                                                    • GetDlgItem.USER32 ref: 00405229
                                                    • GetDlgItem.USER32 ref: 00405238
                                                    • GetClientRect.USER32 ref: 00405275
                                                    • GetSystemMetrics.USER32 ref: 0040527C
                                                    • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040529D
                                                    • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052AE
                                                    • SendMessageA.USER32(?,00001001,00000000,?), ref: 004052C1
                                                    • SendMessageA.USER32(?,00001026,00000000,?), ref: 004052CF
                                                    • SendMessageA.USER32(?,00001024,00000000,?), ref: 004052E2
                                                    • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405304
                                                    • ShowWindow.USER32(?,00000008), ref: 00405318
                                                    • GetDlgItem.USER32 ref: 00405339
                                                    • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405349
                                                    • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405362
                                                    • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040536E
                                                    • GetDlgItem.USER32 ref: 00405247
                                                      • Part of subcall function 0040405B: SendMessageA.USER32(00000028,?,00000001,00403E8B), ref: 00404069
                                                    • GetDlgItem.USER32 ref: 0040538A
                                                    • CreateThread.KERNELBASE ref: 00405398
                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040539F
                                                    • ShowWindow.USER32(00000000), ref: 004053C2
                                                    • ShowWindow.USER32(?,00000008), ref: 004053C9
                                                    • ShowWindow.USER32(00000008), ref: 0040540F
                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405443
                                                    • CreatePopupMenu.USER32 ref: 00405454
                                                    • AppendMenuA.USER32 ref: 00405469
                                                    • GetWindowRect.USER32 ref: 00405489
                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A2
                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054DE
                                                    • OpenClipboard.USER32(00000000), ref: 004054EE
                                                    • EmptyClipboard.USER32 ref: 004054F4
                                                    • GlobalAlloc.KERNEL32(00000042,?), ref: 004054FD
                                                    • GlobalLock.KERNEL32 ref: 00405507
                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040551B
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405534
                                                    • SetClipboardData.USER32 ref: 0040553F
                                                    • CloseClipboard.USER32 ref: 00405545
                                                    Strings
                                                    • Yllerion Setup: Installing, xrefs: 004054BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                    • String ID: Yllerion Setup: Installing
                                                    • API String ID: 4154960007-2322757991
                                                    • Opcode ID: e9cc725ee0651f9e3bb7bb627a473a378111f32a2011408fb0017e783986cbfa
                                                    • Instruction ID: ba98567820032f63b871bd6861c5d6e43a3521a54ecc658c1b1e5281d96d67ec
                                                    • Opcode Fuzzy Hash: e9cc725ee0651f9e3bb7bb627a473a378111f32a2011408fb0017e783986cbfa
                                                    • Instruction Fuzzy Hash: D6A14971900608BFDF11AF61DE89AAF7F79EB04354F40403AFA41B61A0CB755E519F68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 95%
                                                    			E10001A5D() {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				CHAR* _v24;
                                                    				CHAR* _v28;
                                                    				signed int _v32;
                                                    				signed int _v36;
                                                    				signed int _v40;
                                                    				CHAR* _v44;
                                                    				signed int _v48;
                                                    				void* _v52;
                                                    				intOrPtr _v56;
                                                    				CHAR* _t198;
                                                    				signed int _t201;
                                                    				void* _t203;
                                                    				void* _t205;
                                                    				CHAR* _t207;
                                                    				void* _t215;
                                                    				struct HINSTANCE__* _t216;
                                                    				struct HINSTANCE__* _t217;
                                                    				struct HINSTANCE__* _t219;
                                                    				signed short _t221;
                                                    				struct HINSTANCE__* _t224;
                                                    				struct HINSTANCE__* _t226;
                                                    				void* _t227;
                                                    				char* _t228;
                                                    				void* _t239;
                                                    				signed char _t240;
                                                    				signed int _t241;
                                                    				void* _t245;
                                                    				struct HINSTANCE__* _t247;
                                                    				void* _t248;
                                                    				signed int _t250;
                                                    				signed int _t252;
                                                    				signed int _t258;
                                                    				void* _t259;
                                                    				signed int _t262;
                                                    				signed int _t265;
                                                    				signed int _t266;
                                                    				signed int _t271;
                                                    				signed int _t272;
                                                    				signed int _t273;
                                                    				signed int _t274;
                                                    				void* _t277;
                                                    				void* _t281;
                                                    				struct HINSTANCE__* _t283;
                                                    				signed char _t286;
                                                    				void _t287;
                                                    				signed int _t288;
                                                    				signed int _t300;
                                                    				signed int _t301;
                                                    				signed char _t307;
                                                    				signed int _t308;
                                                    				CHAR* _t309;
                                                    				CHAR* _t311;
                                                    				CHAR* _t312;
                                                    				struct HINSTANCE__* _t313;
                                                    				void* _t315;
                                                    				signed int _t316;
                                                    				void* _t317;
                                                    
                                                    				_t283 = 0;
                                                    				_v32 = 0;
                                                    				_v36 = 0;
                                                    				_v16 = 0;
                                                    				_v8 = 0;
                                                    				_v40 = 0;
                                                    				_t317 = 0;
                                                    				_v48 = 0;
                                                    				_t198 = E10001215();
                                                    				_v24 = _t198;
                                                    				_v28 = _t198;
                                                    				_v44 = E10001215();
                                                    				_t308 = E1000123B();
                                                    				_v52 = _t308;
                                                    				_v12 = _t308;
                                                    				while(1) {
                                                    					_t201 = _v32;
                                                    					_v56 = _t201;
                                                    					if(_t201 != _t283 && _t317 == _t283) {
                                                    						break;
                                                    					}
                                                    					_t307 =  *_t308;
                                                    					_t286 = _t307;
                                                    					_t203 = _t286 - _t283;
                                                    					if(_t203 == 0) {
                                                    						_t33 =  &_v32;
                                                    						 *_t33 = _v32 | 0xffffffff;
                                                    						__eflags =  *_t33;
                                                    						L17:
                                                    						_t205 = _v56 - _t283;
                                                    						if(_t205 == 0) {
                                                    							 *_v28 =  *_v28 & 0x00000000;
                                                    							__eflags = _t317 - _t283;
                                                    							if(_t317 == _t283) {
                                                    								_t245 = GlobalAlloc(0x40, 0x14a4); // executed
                                                    								_t317 = _t245;
                                                    								 *(_t317 + 0x810) = _t283;
                                                    								 *(_t317 + 0x814) = _t283;
                                                    							}
                                                    							_t287 = _v36;
                                                    							_t43 = _t317 + 8; // 0x8
                                                    							_t207 = _t43;
                                                    							_t44 = _t317 + 0x408; // 0x408
                                                    							_t309 = _t44;
                                                    							 *_t317 = _t287;
                                                    							 *_t207 =  *_t207 & 0x00000000;
                                                    							 *(_t317 + 0x808) = _t283;
                                                    							 *_t309 =  *_t309 & 0x00000000;
                                                    							_t288 = _t287 - _t283;
                                                    							__eflags = _t288;
                                                    							 *(_t317 + 0x80c) = _t283;
                                                    							 *(_t317 + 4) = _t283;
                                                    							if(_t288 == 0) {
                                                    								__eflags = _v28 - _v24;
                                                    								if(_v28 == _v24) {
                                                    									goto L39;
                                                    								}
                                                    								_t315 = 0;
                                                    								GlobalFree(_t317);
                                                    								_t317 = E100012FE(_v24);
                                                    								__eflags = _t317 - _t283;
                                                    								if(_t317 == _t283) {
                                                    									goto L39;
                                                    								} else {
                                                    									goto L32;
                                                    								}
                                                    								while(1) {
                                                    									L32:
                                                    									_t239 =  *(_t317 + 0x14a0);
                                                    									__eflags = _t239 - _t283;
                                                    									if(_t239 == _t283) {
                                                    										break;
                                                    									}
                                                    									_t315 = _t317;
                                                    									_t317 = _t239;
                                                    									__eflags = _t317 - _t283;
                                                    									if(_t317 != _t283) {
                                                    										continue;
                                                    									}
                                                    									break;
                                                    								}
                                                    								__eflags = _t315 - _t283;
                                                    								if(_t315 != _t283) {
                                                    									 *(_t315 + 0x14a0) = _t283;
                                                    								}
                                                    								_t240 =  *(_t317 + 0x810);
                                                    								__eflags = _t240 & 0x00000008;
                                                    								if((_t240 & 0x00000008) == 0) {
                                                    									_t241 = _t240 | 0x00000002;
                                                    									__eflags = _t241;
                                                    									 *(_t317 + 0x810) = _t241;
                                                    								} else {
                                                    									_t317 = E10001534(_t317);
                                                    									 *(_t317 + 0x810) =  *(_t317 + 0x810) & 0xfffffff5;
                                                    								}
                                                    								goto L39;
                                                    							} else {
                                                    								_t300 = _t288 - 1;
                                                    								__eflags = _t300;
                                                    								if(_t300 == 0) {
                                                    									L28:
                                                    									lstrcpyA(_t207, _v44);
                                                    									L29:
                                                    									lstrcpyA(_t309, _v24);
                                                    									L39:
                                                    									_v12 = _v12 + 1;
                                                    									_v28 = _v24;
                                                    									L63:
                                                    									if(_v32 != 0xffffffff) {
                                                    										_t308 = _v12;
                                                    										continue;
                                                    									}
                                                    									break;
                                                    								}
                                                    								_t301 = _t300 - 1;
                                                    								__eflags = _t301;
                                                    								if(_t301 == 0) {
                                                    									goto L29;
                                                    								}
                                                    								__eflags = _t301 != 1;
                                                    								if(_t301 != 1) {
                                                    									goto L39;
                                                    								}
                                                    								goto L28;
                                                    							}
                                                    						}
                                                    						if(_t205 != 1) {
                                                    							goto L39;
                                                    						}
                                                    						_t247 = _v16;
                                                    						if(_v40 == _t283) {
                                                    							_t247 = _t247 - 1;
                                                    						}
                                                    						 *(_t317 + 0x814) = _t247;
                                                    						goto L39;
                                                    					}
                                                    					_t248 = _t203 - 0x23;
                                                    					if(_t248 == 0) {
                                                    						__eflags = _t308 - _v52;
                                                    						if(_t308 <= _v52) {
                                                    							L15:
                                                    							_v32 = _t283;
                                                    							_v36 = _t283;
                                                    							goto L17;
                                                    						}
                                                    						__eflags =  *((char*)(_t308 - 1)) - 0x3a;
                                                    						if( *((char*)(_t308 - 1)) != 0x3a) {
                                                    							goto L15;
                                                    						}
                                                    						__eflags = _v32 - _t283;
                                                    						if(_v32 == _t283) {
                                                    							L40:
                                                    							_t250 = _v32 - _t283;
                                                    							__eflags = _t250;
                                                    							if(_t250 == 0) {
                                                    								__eflags = _t307 - 0x2a;
                                                    								if(_t307 == 0x2a) {
                                                    									_v36 = 2;
                                                    									L61:
                                                    									_t308 = _v12;
                                                    									_v28 = _v24;
                                                    									_t283 = 0;
                                                    									__eflags = 0;
                                                    									L62:
                                                    									_t316 = _t308 + 1;
                                                    									__eflags = _t316;
                                                    									_v12 = _t316;
                                                    									goto L63;
                                                    								}
                                                    								__eflags = _t307 - 0x2d;
                                                    								if(_t307 == 0x2d) {
                                                    									L132:
                                                    									_t252 = _t308 + 1;
                                                    									__eflags =  *_t252 - 0x3e;
                                                    									if( *_t252 != 0x3e) {
                                                    										L134:
                                                    										_t252 = _t308 + 1;
                                                    										__eflags =  *_t252 - 0x3a;
                                                    										if( *_t252 != 0x3a) {
                                                    											L141:
                                                    											_v28 =  &(_v28[1]);
                                                    											 *_v28 = _t307;
                                                    											goto L62;
                                                    										}
                                                    										__eflags = _t307 - 0x2d;
                                                    										if(_t307 == 0x2d) {
                                                    											goto L141;
                                                    										}
                                                    										_v36 = 1;
                                                    										L137:
                                                    										_v12 = _t252;
                                                    										__eflags = _v28 - _v24;
                                                    										if(_v28 <= _v24) {
                                                    											 *_v44 =  *_v44 & 0x00000000;
                                                    										} else {
                                                    											 *_v28 =  *_v28 & 0x00000000;
                                                    											lstrcpyA(_v44, _v24);
                                                    										}
                                                    										goto L61;
                                                    									}
                                                    									_v36 = 3;
                                                    									goto L137;
                                                    								}
                                                    								__eflags = _t307 - 0x3a;
                                                    								if(_t307 != 0x3a) {
                                                    									goto L141;
                                                    								}
                                                    								__eflags = _t307 - 0x2d;
                                                    								if(_t307 != 0x2d) {
                                                    									goto L134;
                                                    								}
                                                    								goto L132;
                                                    							}
                                                    							_t258 = _t250 - 1;
                                                    							__eflags = _t258;
                                                    							if(_t258 == 0) {
                                                    								L74:
                                                    								_t259 = _t286 - 0x22;
                                                    								__eflags = _t259 - 0x55;
                                                    								if(_t259 > 0x55) {
                                                    									goto L61;
                                                    								}
                                                    								switch( *((intOrPtr*)(( *(_t259 + 0x1000215a) & 0x000000ff) * 4 +  &M100020F6))) {
                                                    									case 0:
                                                    										__eax = _v24;
                                                    										__edi = _v12;
                                                    										while(1) {
                                                    											__edi = __edi + 1;
                                                    											_v12 = __edi;
                                                    											__cl =  *__edi;
                                                    											__eflags = __cl - __dl;
                                                    											if(__cl != __dl) {
                                                    												goto L116;
                                                    											}
                                                    											L115:
                                                    											__eflags =  *(__edi + 1) - __dl;
                                                    											if( *(__edi + 1) != __dl) {
                                                    												L120:
                                                    												 *__eax =  *__eax & 0x00000000;
                                                    												__ebx = E10001224(_v24);
                                                    												goto L91;
                                                    											}
                                                    											L116:
                                                    											__eflags = __cl;
                                                    											if(__cl == 0) {
                                                    												goto L120;
                                                    											}
                                                    											__eflags = __cl - __dl;
                                                    											if(__cl == __dl) {
                                                    												__edi = __edi + 1;
                                                    												__eflags = __edi;
                                                    											}
                                                    											__cl =  *__edi;
                                                    											 *__eax =  *__edi;
                                                    											__eax = __eax + 1;
                                                    											__edi = __edi + 1;
                                                    											_v12 = __edi;
                                                    											__cl =  *__edi;
                                                    											__eflags = __cl - __dl;
                                                    											if(__cl != __dl) {
                                                    												goto L116;
                                                    											}
                                                    											goto L115;
                                                    										}
                                                    									case 1:
                                                    										_v8 = 1;
                                                    										goto L61;
                                                    									case 2:
                                                    										_v8 = _v8 | 0xffffffff;
                                                    										goto L61;
                                                    									case 3:
                                                    										_v8 = _v8 & 0x00000000;
                                                    										_v20 = _v20 & 0x00000000;
                                                    										_v16 = _v16 + 1;
                                                    										goto L79;
                                                    									case 4:
                                                    										__eflags = _v20;
                                                    										if(_v20 != 0) {
                                                    											goto L61;
                                                    										}
                                                    										_v12 = _v12 - 1;
                                                    										__ebx = E10001215();
                                                    										 &_v12 = E100019FB( &_v12);
                                                    										__eax = E10001429(__edx, __eax, __edx, __ebx);
                                                    										goto L91;
                                                    									case 5:
                                                    										L99:
                                                    										_v20 = _v20 + 1;
                                                    										goto L61;
                                                    									case 6:
                                                    										_push(7);
                                                    										goto L107;
                                                    									case 7:
                                                    										_push(0x19);
                                                    										goto L127;
                                                    									case 8:
                                                    										_push(0x15);
                                                    										goto L127;
                                                    									case 9:
                                                    										_push(0x16);
                                                    										goto L127;
                                                    									case 0xa:
                                                    										_push(0x18);
                                                    										goto L127;
                                                    									case 0xb:
                                                    										_push(5);
                                                    										goto L107;
                                                    									case 0xc:
                                                    										__eax = 0;
                                                    										__eax = 1;
                                                    										goto L85;
                                                    									case 0xd:
                                                    										_push(6);
                                                    										goto L107;
                                                    									case 0xe:
                                                    										_push(2);
                                                    										goto L107;
                                                    									case 0xf:
                                                    										_push(3);
                                                    										goto L107;
                                                    									case 0x10:
                                                    										_push(0x17);
                                                    										L127:
                                                    										_pop(__ebx);
                                                    										goto L92;
                                                    									case 0x11:
                                                    										__eax =  &_v12;
                                                    										__eax = E100019FB( &_v12);
                                                    										__ebx = __eax;
                                                    										__ebx = __eax + 1;
                                                    										__eflags = __ebx - 0xb;
                                                    										if(__ebx < 0xb) {
                                                    											__ebx = __ebx + 0xa;
                                                    										}
                                                    										goto L91;
                                                    									case 0x12:
                                                    										__ebx = 0xffffffff;
                                                    										goto L92;
                                                    									case 0x13:
                                                    										_v48 = _v48 + 1;
                                                    										_push(3);
                                                    										_pop(__eax);
                                                    										goto L85;
                                                    									case 0x14:
                                                    										__eax = 0;
                                                    										__eflags = 0;
                                                    										goto L85;
                                                    									case 0x15:
                                                    										_push(4);
                                                    										L107:
                                                    										_pop(__eax);
                                                    										L85:
                                                    										__edi = _v16;
                                                    										__ecx =  *(0x1000305c + __eax * 4);
                                                    										__edi = _v16 << 5;
                                                    										__edx = 0;
                                                    										__edi = (_v16 << 5) + __esi;
                                                    										__edx = 1;
                                                    										__eflags = _v8 - 0xffffffff;
                                                    										_v40 = 1;
                                                    										 *(__edi + 0x818) = __eax;
                                                    										if(_v8 == 0xffffffff) {
                                                    											L87:
                                                    											__ecx = __edx;
                                                    											L88:
                                                    											__eflags = _v8 - __edx;
                                                    											 *(__edi + 0x828) = __ecx;
                                                    											if(_v8 == __edx) {
                                                    												__eax =  &_v12;
                                                    												__eax = E100019FB( &_v12);
                                                    												__eax = __eax + 1;
                                                    												__eflags = __eax;
                                                    												_v8 = __eax;
                                                    											}
                                                    											__eax = _v8;
                                                    											 *((intOrPtr*)(__edi + 0x81c)) = _v8;
                                                    											_t133 = _v16 + 0x41; // 0x41
                                                    											_t133 = _t133 << 5;
                                                    											__eax = 0;
                                                    											__eflags = 0;
                                                    											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
                                                    											 *((intOrPtr*)(__edi + 0x830)) = 0;
                                                    											 *((intOrPtr*)(__edi + 0x82c)) = 0;
                                                    											goto L91;
                                                    										}
                                                    										__eflags = __ecx;
                                                    										if(__ecx > 0) {
                                                    											goto L88;
                                                    										}
                                                    										goto L87;
                                                    									case 0x16:
                                                    										_t261 =  *(_t317 + 0x814);
                                                    										__eflags = _t261 - _v16;
                                                    										if(_t261 > _v16) {
                                                    											_v16 = _t261;
                                                    										}
                                                    										_v8 = _v8 & 0x00000000;
                                                    										_v20 = _v20 & 0x00000000;
                                                    										_v36 - 3 = _t261 - (_v36 == 3);
                                                    										if(_t261 != _v36 == 3) {
                                                    											L79:
                                                    											_v40 = 1;
                                                    										}
                                                    										goto L61;
                                                    									case 0x17:
                                                    										__eax =  &_v12;
                                                    										__eax = E100019FB( &_v12);
                                                    										__ebx = __eax;
                                                    										__ebx = __eax + 1;
                                                    										L91:
                                                    										__eflags = __ebx;
                                                    										if(__ebx == 0) {
                                                    											goto L61;
                                                    										}
                                                    										L92:
                                                    										__eflags = _v20;
                                                    										_v40 = 1;
                                                    										if(_v20 != 0) {
                                                    											L97:
                                                    											__eflags = _v20 - 1;
                                                    											if(_v20 == 1) {
                                                    												__eax = _v16;
                                                    												__eax = _v16 << 5;
                                                    												__eflags = __eax;
                                                    												 *(__eax + __esi + 0x82c) = __ebx;
                                                    											}
                                                    											goto L99;
                                                    										}
                                                    										_v16 = _v16 << 5;
                                                    										_t141 = __esi + 0x830; // 0x830
                                                    										__edi = (_v16 << 5) + _t141;
                                                    										__eax =  *__edi;
                                                    										__eflags = __eax - 0xffffffff;
                                                    										if(__eax <= 0xffffffff) {
                                                    											L95:
                                                    											__eax = GlobalFree(__eax);
                                                    											L96:
                                                    											 *__edi = __ebx;
                                                    											goto L97;
                                                    										}
                                                    										__eflags = __eax - 0x19;
                                                    										if(__eax <= 0x19) {
                                                    											goto L96;
                                                    										}
                                                    										goto L95;
                                                    									case 0x18:
                                                    										goto L61;
                                                    								}
                                                    							}
                                                    							_t262 = _t258 - 1;
                                                    							__eflags = _t262;
                                                    							if(_t262 == 0) {
                                                    								_v16 = _t283;
                                                    								goto L74;
                                                    							}
                                                    							__eflags = _t262 != 1;
                                                    							if(_t262 != 1) {
                                                    								goto L141;
                                                    							}
                                                    							_t265 = _t286 - 0x21;
                                                    							__eflags = _t265;
                                                    							if(_t265 == 0) {
                                                    								_v8 =  ~_v8;
                                                    								goto L61;
                                                    							}
                                                    							_t266 = _t265 - 0x42;
                                                    							__eflags = _t266;
                                                    							if(_t266 == 0) {
                                                    								L57:
                                                    								__eflags = _v8 - 1;
                                                    								if(_v8 != 1) {
                                                    									_t92 = _t317 + 0x810;
                                                    									 *_t92 =  *(_t317 + 0x810) &  !0x00000001;
                                                    									__eflags =  *_t92;
                                                    								} else {
                                                    									 *(_t317 + 0x810) =  *(_t317 + 0x810) | 1;
                                                    								}
                                                    								_v8 = 1;
                                                    								goto L61;
                                                    							}
                                                    							_t271 = _t266;
                                                    							__eflags = _t271;
                                                    							if(_t271 == 0) {
                                                    								_push(0x20);
                                                    								L56:
                                                    								_pop(1);
                                                    								goto L57;
                                                    							}
                                                    							_t272 = _t271 - 9;
                                                    							__eflags = _t272;
                                                    							if(_t272 == 0) {
                                                    								_push(8);
                                                    								goto L56;
                                                    							}
                                                    							_t273 = _t272 - 4;
                                                    							__eflags = _t273;
                                                    							if(_t273 == 0) {
                                                    								_push(4);
                                                    								goto L56;
                                                    							}
                                                    							_t274 = _t273 - 1;
                                                    							__eflags = _t274;
                                                    							if(_t274 == 0) {
                                                    								_push(0x10);
                                                    								goto L56;
                                                    							}
                                                    							__eflags = _t274 != 0;
                                                    							if(_t274 != 0) {
                                                    								goto L61;
                                                    							}
                                                    							_push(0x40);
                                                    							goto L56;
                                                    						}
                                                    						goto L15;
                                                    					}
                                                    					_t277 = _t248 - 5;
                                                    					if(_t277 == 0) {
                                                    						__eflags = _v36 - 3;
                                                    						_v32 = 1;
                                                    						_v8 = _t283;
                                                    						_v20 = _t283;
                                                    						_v16 = (0 | _v36 == 0x00000003) + 1;
                                                    						_v40 = _t283;
                                                    						goto L17;
                                                    					}
                                                    					_t281 = _t277 - 1;
                                                    					if(_t281 == 0) {
                                                    						_v32 = 2;
                                                    						_v8 = _t283;
                                                    						_v20 = _t283;
                                                    						goto L17;
                                                    					}
                                                    					if(_t281 != 0x16) {
                                                    						goto L40;
                                                    					} else {
                                                    						_v32 = 3;
                                                    						_v8 = 1;
                                                    						goto L17;
                                                    					}
                                                    				}
                                                    				GlobalFree(_v52);
                                                    				GlobalFree(_v24);
                                                    				GlobalFree(_v44);
                                                    				if(_t317 == _t283 ||  *(_t317 + 0x80c) != _t283) {
                                                    					L161:
                                                    					return _t317;
                                                    				} else {
                                                    					_t215 =  *_t317 - 1;
                                                    					if(_t215 == 0) {
                                                    						_t178 = _t317 + 8; // 0x8
                                                    						_t311 = _t178;
                                                    						__eflags =  *_t311;
                                                    						if( *_t311 != 0) {
                                                    							_t216 = GetModuleHandleA(_t311);
                                                    							__eflags = _t216 - _t283;
                                                    							 *(_t317 + 0x808) = _t216;
                                                    							if(_t216 != _t283) {
                                                    								L150:
                                                    								_t183 = _t317 + 0x408; // 0x408
                                                    								_t312 = _t183;
                                                    								_t217 = E100015A4( *(_t317 + 0x808), _t312);
                                                    								__eflags = _t217 - _t283;
                                                    								 *(_t317 + 0x80c) = _t217;
                                                    								if(_t217 == _t283) {
                                                    									__eflags =  *_t312 - 0x23;
                                                    									if( *_t312 == 0x23) {
                                                    										_t186 = _t317 + 0x409; // 0x409
                                                    										_t221 = E100012FE(_t186);
                                                    										__eflags = _t221 - _t283;
                                                    										if(_t221 != _t283) {
                                                    											__eflags = _t221 & 0xffff0000;
                                                    											if((_t221 & 0xffff0000) == 0) {
                                                    												 *(_t317 + 0x80c) = GetProcAddress( *(_t317 + 0x808), _t221 & 0x0000ffff);
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    								__eflags = _v48 - _t283;
                                                    								if(_v48 != _t283) {
                                                    									L157:
                                                    									_t312[lstrlenA(_t312)] = 0x41;
                                                    									_t219 = E100015A4( *(_t317 + 0x808), _t312);
                                                    									__eflags = _t219 - _t283;
                                                    									if(_t219 != _t283) {
                                                    										L145:
                                                    										 *(_t317 + 0x80c) = _t219;
                                                    										goto L161;
                                                    									}
                                                    									__eflags =  *(_t317 + 0x80c) - _t283;
                                                    									L159:
                                                    									if(__eflags != 0) {
                                                    										goto L161;
                                                    									}
                                                    									L160:
                                                    									_t196 = _t317 + 4;
                                                    									 *_t196 =  *(_t317 + 4) | 0xffffffff;
                                                    									__eflags =  *_t196;
                                                    									goto L161;
                                                    								} else {
                                                    									__eflags =  *(_t317 + 0x80c) - _t283;
                                                    									if( *(_t317 + 0x80c) != _t283) {
                                                    										goto L161;
                                                    									}
                                                    									goto L157;
                                                    								}
                                                    							}
                                                    							_t224 = LoadLibraryA(_t311);
                                                    							__eflags = _t224 - _t283;
                                                    							 *(_t317 + 0x808) = _t224;
                                                    							if(_t224 == _t283) {
                                                    								goto L160;
                                                    							}
                                                    							goto L150;
                                                    						}
                                                    						_t179 = _t317 + 0x408; // 0x408
                                                    						_t226 = E100012FE(_t179);
                                                    						 *(_t317 + 0x80c) = _t226;
                                                    						__eflags = _t226 - _t283;
                                                    						goto L159;
                                                    					}
                                                    					_t227 = _t215 - 1;
                                                    					if(_t227 == 0) {
                                                    						_t176 = _t317 + 0x408; // 0x408
                                                    						_t228 = _t176;
                                                    						__eflags =  *_t228;
                                                    						if( *_t228 == 0) {
                                                    							goto L161;
                                                    						}
                                                    						_t219 = E100012FE(_t228);
                                                    						L144:
                                                    						goto L145;
                                                    					}
                                                    					if(_t227 != 1) {
                                                    						goto L161;
                                                    					}
                                                    					_t80 = _t317 + 8; // 0x8
                                                    					_t284 = _t80;
                                                    					_t313 = E100012FE(_t80);
                                                    					 *(_t317 + 0x808) = _t313;
                                                    					if(_t313 == 0) {
                                                    						goto L160;
                                                    					}
                                                    					 *(_t317 + 0x84c) =  *(_t317 + 0x84c) & 0x00000000;
                                                    					 *((intOrPtr*)(_t317 + 0x850)) = E10001224(_t284);
                                                    					 *(_t317 + 0x83c) =  *(_t317 + 0x83c) & 0x00000000;
                                                    					 *((intOrPtr*)(_t317 + 0x848)) = 1;
                                                    					 *((intOrPtr*)(_t317 + 0x838)) = 1;
                                                    					_t89 = _t317 + 0x408; // 0x408
                                                    					_t219 =  *(_t313->i + E100012FE(_t89) * 4);
                                                    					goto L144;
                                                    				}
                                                    			}
                                                    0x10001e1f
                                                    0x10001e1f
                                                    0x10001e21
                                                    0x10001e21
                                                    0x10001e24
                                                    0x10001e27
                                                    0x10001e30
                                                    0x10001e33
                                                    0x10001e36
                                                    0x10001e36
                                                    0x10001e38
                                                    0x10001e3b
                                                    0x10001e41
                                                    0x00000000
                                                    0x10001e41
                                                    0x10001e05
                                                    0x10001e07
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x10001d86
                                                    0x10001d8c
                                                    0x10001d8f
                                                    0x10001d91
                                                    0x10001d91
                                                    0x10001d94
                                                    0x10001d98
                                                    0x10001da5
                                                    0x10001da7
                                                    0x10001dad
                                                    0x10001dad
                                                    0x10001dad
                                                    0x00000000
                                                    0x00000000
                                                    0x10001ee2
                                                    0x10001ee6
                                                    0x10001eeb
                                                    0x10001eee
                                                    0x10001e47
                                                    0x10001e47
                                                    0x10001e49
                                                    0x00000000
                                                    0x00000000
                                                    0x10001e4f
                                                    0x10001e4f
                                                    0x10001e53
                                                    0x10001e5a
                                                    0x10001e7e
                                                    0x10001e7e
                                                    0x10001e82
                                                    0x10001e84
                                                    0x10001e87
                                                    0x10001e87
                                                    0x10001e8a
                                                    0x10001e8a
                                                    0x00000000
                                                    0x10001e82
                                                    0x10001e5f
                                                    0x10001e62
                                                    0x10001e62
                                                    0x10001e69
                                                    0x10001e6b
                                                    0x10001e6e
                                                    0x10001e75
                                                    0x10001e76
                                                    0x10001e7c
                                                    0x10001e7c
                                                    0x00000000
                                                    0x10001e7c
                                                    0x10001e70
                                                    0x10001e73
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x10001d7f
                                                    0x10001c41
                                                    0x10001c41
                                                    0x10001c42
                                                    0x10001d67
                                                    0x00000000
                                                    0x10001d67
                                                    0x10001c48
                                                    0x10001c49
                                                    0x00000000
                                                    0x00000000
                                                    0x10001c51
                                                    0x10001c51
                                                    0x10001c54
                                                    0x10001c9f
                                                    0x00000000
                                                    0x10001c9f
                                                    0x10001c56
                                                    0x10001c56
                                                    0x10001c59
                                                    0x10001c83
                                                    0x10001c86
                                                    0x10001c89
                                                    0x10001d59
                                                    0x10001d59
                                                    0x10001d59
                                                    0x10001c8f
                                                    0x10001c8f
                                                    0x10001c8f
                                                    0x10001d5f
                                                    0x00000000
                                                    0x10001d5f
                                                    0x10001c5c
                                                    0x10001c5c
                                                    0x10001c5d
                                                    0x10001c80
                                                    0x10001c82
                                                    0x10001c82
                                                    0x00000000
                                                    0x10001c82
                                                    0x10001c5f
                                                    0x10001c5f
                                                    0x10001c62
                                                    0x10001c7c
                                                    0x00000000
                                                    0x10001c7c
                                                    0x10001c64
                                                    0x10001c64
                                                    0x10001c67
                                                    0x10001c78
                                                    0x00000000
                                                    0x10001c78
                                                    0x10001c69
                                                    0x10001c69
                                                    0x10001c6a
                                                    0x10001c74
                                                    0x00000000
                                                    0x10001c74
                                                    0x10001c6d
                                                    0x10001c6e
                                                    0x00000000
                                                    0x00000000
                                                    0x10001c70
                                                    0x00000000
                                                    0x10001c70
                                                    0x00000000
                                                    0x10001b20
                                                    0x10001ac3
                                                    0x10001ac6
                                                    0x10001af5
                                                    0x10001af9
                                                    0x10001b00
                                                    0x10001b07
                                                    0x10001b0a
                                                    0x10001b0d
                                                    0x00000000
                                                    0x10001b0d
                                                    0x10001ac8
                                                    0x10001ac9
                                                    0x10001ae4
                                                    0x10001aeb
                                                    0x10001aee
                                                    0x00000000
                                                    0x10001aee
                                                    0x10001ace
                                                    0x00000000
                                                    0x10001ad4
                                                    0x10001ad4
                                                    0x10001adb
                                                    0x00000000
                                                    0x10001adb
                                                    0x10001ace
                                                    0x10001cc4
                                                    0x10001cc9
                                                    0x10001cce
                                                    0x10001cd2
                                                    0x100020ef
                                                    0x100020f5
                                                    0x10001ce4
                                                    0x10001ce6
                                                    0x10001ce7
                                                    0x1000201a
                                                    0x1000201a
                                                    0x1000201d
                                                    0x10002020
                                                    0x1000203d
                                                    0x10002043
                                                    0x10002045
                                                    0x1000204b
                                                    0x10002062
                                                    0x10002062
                                                    0x10002062
                                                    0x1000206f
                                                    0x10002075
                                                    0x10002078
                                                    0x1000207e
                                                    0x10002080
                                                    0x10002083
                                                    0x10002085
                                                    0x1000208c
                                                    0x10002091
                                                    0x10002094
                                                    0x10002096
                                                    0x1000209b
                                                    0x100020ad
                                                    0x100020ad
                                                    0x1000209b
                                                    0x10002094
                                                    0x10002083
                                                    0x100020b3
                                                    0x100020b6
                                                    0x100020c0
                                                    0x100020c8
                                                    0x100020d4
                                                    0x100020da
                                                    0x100020dd
                                                    0x1000200f
                                                    0x1000200f
                                                    0x00000000
                                                    0x1000200f
                                                    0x100020e3
                                                    0x100020e9
                                                    0x100020e9
                                                    0x00000000
                                                    0x00000000
                                                    0x100020eb
                                                    0x100020eb
                                                    0x100020eb
                                                    0x100020eb
                                                    0x00000000
                                                    0x100020b8
                                                    0x100020b8
                                                    0x100020be
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x100020be
                                                    0x100020b6
                                                    0x1000204e
                                                    0x10002054
                                                    0x10002056
                                                    0x1000205c
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x1000205c
                                                    0x10002022
                                                    0x10002029
                                                    0x1000202f
                                                    0x10002035
                                                    0x00000000
                                                    0x10002035
                                                    0x10001ced
                                                    0x10001cee
                                                    0x10001ff9
                                                    0x10001ff9
                                                    0x10001fff
                                                    0x10002002
                                                    0x00000000
                                                    0x00000000
                                                    0x10002009
                                                    0x1000200e
                                                    0x00000000
                                                    0x1000200e
                                                    0x10001cf5
                                                    0x00000000
                                                    0x00000000
                                                    0x10001cfb
                                                    0x10001cfb
                                                    0x10001d04
                                                    0x10001d09
                                                    0x10001d0f
                                                    0x00000000
                                                    0x00000000
                                                    0x10001d15
                                                    0x10001d22
                                                    0x10001d28
                                                    0x10001d32
                                                    0x10001d38
                                                    0x10001d40
                                                    0x10001d50
                                                    0x00000000
                                                    0x10001d50

                                                    APIs
                                                      • Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                    • GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 10001B67
                                                    • lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
                                                    • lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
                                                    • GlobalFree.KERNEL32 ref: 10001BCC
                                                    • GlobalFree.KERNEL32 ref: 10001CC4
                                                    • GlobalFree.KERNEL32 ref: 10001CC9
                                                    • GlobalFree.KERNEL32 ref: 10001CCE
                                                    • GlobalFree.KERNEL32 ref: 10001E76
                                                    • lstrcpyA.KERNEL32(?,?), ref: 10001FCA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.856054297.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.856040694.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856067293.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856081841.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$lstrcpy$Alloc
                                                    • String ID: Nqt
                                                    • API String ID: 4227406936-806837294
                                                    • Opcode ID: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
                                                    • Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
                                                    • Opcode Fuzzy Hash: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
                                                    • Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    [Control-flow graph of function 0040572D (image not preserved); legend: executed / not executed nodes]
                                                    C-Code - Quality: 98%
                                                    			E0040572D(void* __eflags, signed int _a4, signed int _a8) {
                                                    				signed int _v8;
                                                    				void* _v12;
                                                    				signed int _v16;
                                                    				struct _WIN32_FIND_DATAA _v336;
                                                    				signed int _t40;
                                                    				char* _t53;
                                                    				signed int _t55;
                                                    				signed int _t58;
                                                    				signed int _t64;
                                                    				signed int _t66;
                                                    				void* _t68;
                                                    				signed char _t69;
                                                    				CHAR* _t71;
                                                    				void* _t72;
                                                    				CHAR* _t73;
                                                    				char* _t76;
                                                    
                                                    				_t69 = _a8;
                                                    				_t73 = _a4;
                                                    				_v8 = _t69 & 0x00000004;
                                                    				_t40 = E004059EB(__eflags, _t73);
                                                    				_v16 = _t40;
                                                    				if((_t69 & 0x00000008) != 0) {
                                                    					_t66 = DeleteFileA(_t73); // executed
                                                    					asm("sbb eax, eax");
                                                    					_t68 =  ~_t66 + 1;
                                                    					 *0x42f4a8 =  *0x42f4a8 + _t68;
                                                    					return _t68;
                                                    				}
                                                    				_a4 = _t69;
                                                    				_t8 =  &_a4;
                                                    				 *_t8 = _a4 & 0x00000001;
                                                    				__eflags =  *_t8;
                                                    				if( *_t8 == 0) {
                                                    					L5:
                                                    					E00405F65(0x42b878, _t73);
                                                    					__eflags = _a4;
                                                    					if(_a4 == 0) {
                                                    						E00405944(_t73);
                                                    					} else {
                                                    						lstrcatA(0x42b878, "\*.*");
                                                    					}
                                                    					__eflags =  *_t73;
                                                    					if( *_t73 != 0) {
                                                    						L10:
                                                    						lstrcatA(_t73, 0x40a014);
                                                    						L11:
                                                    						_t71 =  &(_t73[lstrlenA(_t73)]);
                                                    						_t40 = FindFirstFileA(0x42b878,  &_v336);
                                                    						__eflags = _t40 - 0xffffffff;
                                                    						_v12 = _t40;
                                                    						if(_t40 == 0xffffffff) {
                                                    							L29:
                                                    							__eflags = _a4;
                                                    							if(_a4 != 0) {
                                                    								_t32 = _t71 - 1;
                                                    								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                    								__eflags =  *_t32;
                                                    							}
                                                    							goto L31;
                                                    						} else {
                                                    							goto L12;
                                                    						}
                                                    						do {
                                                    							L12:
                                                    							_t76 =  &(_v336.cFileName);
                                                    							_t53 = E00405928( &(_v336.cFileName), 0x3f);
                                                    							__eflags =  *_t53;
                                                    							if( *_t53 != 0) {
                                                    								__eflags = _v336.cAlternateFileName;
                                                    								if(_v336.cAlternateFileName != 0) {
                                                    									_t76 =  &(_v336.cAlternateFileName);
                                                    								}
                                                    							}
                                                    							__eflags =  *_t76 - 0x2e;
                                                    							if( *_t76 != 0x2e) {
                                                    								L19:
                                                    								E00405F65(_t71, _t76);
                                                    								__eflags = _v336.dwFileAttributes & 0x00000010;
                                                    								if(__eflags == 0) {
                                                    									_t55 = E004056E5(__eflags, _t73, _v8);
                                                    									__eflags = _t55;
                                                    									if(_t55 != 0) {
                                                    										E0040508C(0xfffffff2, _t73);
                                                    									} else {
                                                    										__eflags = _v8 - _t55;
                                                    										if(_v8 == _t55) {
                                                    											 *0x42f4a8 =  *0x42f4a8 + 1;
                                                    										} else {
                                                    											E0040508C(0xfffffff1, _t73);
                                                    											E00405D44(_t72, _t73, 0);
                                                    										}
                                                    									}
                                                    								} else {
                                                    									__eflags = (_a8 & 0x00000003) - 3;
                                                    									if(__eflags == 0) {
                                                    										E0040572D(__eflags, _t73, _a8);
                                                    									}
                                                    								}
                                                    								goto L27;
                                                    							}
                                                    							_t64 =  *((intOrPtr*)(_t76 + 1));
                                                    							__eflags = _t64;
                                                    							if(_t64 == 0) {
                                                    								goto L27;
                                                    							}
                                                    							__eflags = _t64 - 0x2e;
                                                    							if(_t64 != 0x2e) {
                                                    								goto L19;
                                                    							}
                                                    							__eflags =  *((char*)(_t76 + 2));
                                                    							if( *((char*)(_t76 + 2)) == 0) {
                                                    								goto L27;
                                                    							}
                                                    							goto L19;
                                                    							L27:
                                                    							_t58 = FindNextFileA(_v12,  &_v336);
                                                    							__eflags = _t58;
                                                    						} while (_t58 != 0);
                                                    						_t40 = FindClose(_v12);
                                                    						goto L29;
                                                    					}
                                                    					__eflags =  *0x42b878 - 0x5c;
                                                    					if( *0x42b878 != 0x5c) {
                                                    						goto L11;
                                                    					}
                                                    					goto L10;
                                                    				} else {
                                                    					__eflags = _t40;
                                                    					if(_t40 == 0) {
                                                    						L31:
                                                    						__eflags = _a4;
                                                    						if(_a4 == 0) {
                                                    							L39:
                                                    							return _t40;
                                                    						}
                                                    						__eflags = _v16;
                                                    						if(_v16 != 0) {
                                                    							_t40 = E00406268(_t73);
                                                    							__eflags = _t40;
                                                    							if(_t40 == 0) {
                                                    								goto L39;
                                                    							}
                                                    							E004058FD(_t73);
                                                    							_t40 = E004056E5(__eflags, _t73, _v8 | 0x00000001);
                                                    							__eflags = _t40;
                                                    							if(_t40 != 0) {
                                                    								return E0040508C(0xffffffe5, _t73);
                                                    							}
                                                    							__eflags = _v8;
                                                    							if(_v8 == 0) {
                                                    								goto L33;
                                                    							}
                                                    							E0040508C(0xfffffff1, _t73);
                                                    							return E00405D44(_t72, _t73, 0);
                                                    						}
                                                    						L33:
                                                    						 *0x42f4a8 =  *0x42f4a8 + 1;
                                                    						return _t40;
                                                    					}
                                                    					__eflags = _t69 & 0x00000002;
                                                    					if((_t69 & 0x00000002) == 0) {
                                                    						goto L31;
                                                    					}
                                                    					goto L5;
                                                    				}
                                                    			}


                                                    APIs
                                                    • DeleteFileA.KERNELBASE(?,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405756
                                                    • lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040579E
                                                    • lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057BF
                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057C5
                                                    • FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D6
                                                    • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405883
                                                    • FindClose.KERNEL32(00000000), ref: 00405894
                                                    Strings
                                                    • \*.*, xrefs: 00405798
                                                    • "C:\Users\user\Desktop\invoice.exe", xrefs: 0040572D
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040573A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                    • String ID: "C:\Users\user\Desktop\invoice.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                    • API String ID: 2035342205-2808117937
                                                    • Opcode ID: f7f96faad53d03e1b16e49c91bcd31d62ded0bd436c9b9e205275b97677bab50
                                                    • Instruction ID: 2a0351abb2716448ee460da7bfccfa5d3c7c3698b554042fcfc8e424752a7a40
                                                    • Opcode Fuzzy Hash: f7f96faad53d03e1b16e49c91bcd31d62ded0bd436c9b9e205275b97677bab50
                                                    • Instruction Fuzzy Hash: 2551B132900A04AAEF217B268C45FBF7A78DF42754F14817BF841B61D1D73C8952DEA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 74%
                                                    			E004020CB() {
                                                    				signed int _t55;
                                                    				void* _t59;
                                                    				intOrPtr* _t63;
                                                    				intOrPtr _t64;
                                                    				intOrPtr* _t65;
                                                    				intOrPtr* _t67;
                                                    				intOrPtr* _t69;
                                                    				intOrPtr* _t71;
                                                    				intOrPtr* _t73;
                                                    				intOrPtr* _t75;
                                                    				intOrPtr* _t78;
                                                    				intOrPtr* _t80;
                                                    				intOrPtr* _t82;
                                                    				intOrPtr* _t84;
                                                    				int _t87;
                                                    				intOrPtr* _t95;
                                                    				signed int _t105;
                                                    				signed int _t109;
                                                    				void* _t111;
                                                    
                                                    				 *(_t111 - 0x3c) = E00402AC1(0xfffffff0);
                                                    				 *(_t111 - 0xc) = E00402AC1(0xffffffdf);
                                                    				 *((intOrPtr*)(_t111 - 0x80)) = E00402AC1(2);
                                                    				 *((intOrPtr*)(_t111 - 0x7c)) = E00402AC1(0xffffffcd);
                                                    				 *((intOrPtr*)(_t111 - 0x34)) = E00402AC1(0x45);
                                                    				_t55 =  *(_t111 - 0x18);
                                                    				 *(_t111 - 0x88) = _t55 & 0x00000fff;
                                                    				_t105 = _t55 & 0x00008000;
                                                    				_t109 = _t55 >> 0x0000000c & 0x00000007;
                                                    				 *(_t111 - 0x78) = _t55 >> 0x00000010 & 0x0000ffff;
                                                    				if(E0040596A( *(_t111 - 0xc)) == 0) {
                                                    					E00402AC1(0x21);
                                                    				}
                                                    				_t59 = _t111 + 8;
                                                    				__imp__CoCreateInstance(0x408514, _t87, 1, 0x408504, _t59); // executed
                                                    				if(_t59 < _t87) {
                                                    					L15:
                                                    					 *((intOrPtr*)(_t111 - 4)) = 1;
                                                    					_push(0xfffffff0);
                                                    				} else {
                                                    					_t63 =  *((intOrPtr*)(_t111 + 8));
                                                    					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408524, _t111 - 0x30);
                                                    					 *((intOrPtr*)(_t111 - 8)) = _t64;
                                                    					if(_t64 >= _t87) {
                                                    						_t67 =  *((intOrPtr*)(_t111 + 8));
                                                    						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                                                    						if(_t105 == _t87) {
                                                    							_t84 =  *((intOrPtr*)(_t111 + 8));
                                                    							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository\\Diskofils\\Justiciaryship");
                                                    						}
                                                    						if(_t109 != _t87) {
                                                    							_t82 =  *((intOrPtr*)(_t111 + 8));
                                                    							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                                                    						}
                                                    						_t69 =  *((intOrPtr*)(_t111 + 8));
                                                    						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x78));
                                                    						_t95 =  *((intOrPtr*)(_t111 - 0x7c));
                                                    						if( *_t95 != _t87) {
                                                    							_t80 =  *((intOrPtr*)(_t111 + 8));
                                                    							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x88));
                                                    						}
                                                    						_t71 =  *((intOrPtr*)(_t111 + 8));
                                                    						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x80)));
                                                    						_t73 =  *((intOrPtr*)(_t111 + 8));
                                                    						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x34)));
                                                    						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                    							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                                                    							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x3c), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                                                    								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                                                    								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                                                    							}
                                                    						}
                                                    						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                                                    						 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                    					}
                                                    					_t65 =  *((intOrPtr*)(_t111 + 8));
                                                    					 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                    					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                    						_push(0xfffffff4);
                                                    					} else {
                                                    						goto L15;
                                                    					}
                                                    				}
                                                    				E00401423();
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t111 - 4));
                                                    				return 0;
                                                    			}



                                                    APIs
                                                    • CoCreateInstance.OLE32(00408514,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship, xrefs: 0040218D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                    • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship
                                                    • API String ID: 123533781-2002056710
                                                    • Opcode ID: 3ab9ca111cfd16ea316d8908730db186f13cf70328ad1dfde5033f2efd3f2ba1
                                                    • Instruction ID: 70e90dd273e36d6cf470b0c6c9ff695bb876e65ea6d8ae05c01ad1deac9bcbee
                                                    • Opcode Fuzzy Hash: 3ab9ca111cfd16ea316d8908730db186f13cf70328ad1dfde5033f2efd3f2ba1
                                                    • Instruction Fuzzy Hash: D9512775A00208BFCF10DFE4C988A9DBBB5EF48318F2045AAF915EB2D1DA799941CF14
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00406268(CHAR* _a4) {
                                                    				void* _t2;
                                                    
                                                    				_t2 = FindFirstFileA(_a4, 0x42c0c0); // executed
                                                    				if(_t2 == 0xffffffff) {
                                                    					return 0;
                                                    				}
                                                    				FindClose(_t2);
                                                    				return 0x42c0c0;
                                                    			}





                                                    APIs
                                                    • FindFirstFileA.KERNELBASE(7476FA90,0042C0C0,0042BC78,00405A2E,0042BC78,0042BC78,00000000,0042BC78,0042BC78,7476FA90,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,7476FA90,C:\Users\user\AppData\Local\Temp\), ref: 00406273
                                                    • FindClose.KERNEL32(00000000), ref: 0040627F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                                    • Instruction ID: e0279db6a2f9a876ecb4b02bc738002a428a13ad585e0dc9357aaf1afb57e826
                                                    • Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                                    • Instruction Fuzzy Hash: 9DD012365060209FC25027786D0C85B7A589F053317118B7FF8AAF21E0C7348CA386DC
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 84%
                                                    			E00403B52(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                    				struct HWND__* _v32;
                                                    				void* _v84;
                                                    				void* _v88;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t35;
                                                    				signed int _t37;
                                                    				signed int _t39;
                                                    				struct HWND__* _t49;
                                                    				signed int _t68;
                                                    				struct HWND__* _t74;
                                                    				signed int _t87;
                                                    				struct HWND__* _t92;
                                                    				signed int _t100;
                                                    				int _t104;
                                                    				signed int _t116;
                                                    				signed int _t117;
                                                    				int _t118;
                                                    				signed int _t123;
                                                    				struct HWND__* _t126;
                                                    				struct HWND__* _t127;
                                                    				int _t128;
                                                    				long _t131;
                                                    				int _t133;
                                                    				int _t134;
                                                    				void* _t135;
                                                    				void* _t143;
                                                    
                                                    				_t116 = _a8;
                                                    				if(_t116 == 0x110 || _t116 == 0x408) {
                                                    					_t35 = _a12;
                                                    					_t126 = _a4;
                                                    					__eflags = _t116 - 0x110;
                                                    					 *0x42a858 = _t35;
                                                    					if(_t116 == 0x110) {
                                                    						 *0x42f408 = _t126;
                                                    						 *0x42a86c = GetDlgItem(_t126, 1);
                                                    						_t92 = GetDlgItem(_t126, 2);
                                                    						_push(0xffffffff);
                                                    						_push(0x1c);
                                                    						 *0x429838 = _t92;
                                                    						E00404026(_t126);
                                                    						SetClassLongA(_t126, 0xfffffff2,  *0x42ebe8); // executed
                                                    						 *0x42ebcc = E0040140B(4);
                                                    						_t35 = 1;
                                                    						__eflags = 1;
                                                    						 *0x42a858 = 1;
                                                    					}
                                                    					_t123 =  *0x40a1dc; // 0x0
                                                    					_t134 = 0;
                                                    					_t131 = (_t123 << 6) +  *0x42f440;
                                                    					__eflags = _t123;
                                                    					if(_t123 < 0) {
                                                    						L34:
                                                    						E00404072(0x40b);
                                                    						while(1) {
                                                    							_t37 =  *0x42a858; // 0x1
                                                    							 *0x40a1dc =  *0x40a1dc + _t37;
                                                    							_t131 = _t131 + (_t37 << 6);
                                                    							_t39 =  *0x40a1dc; // 0x0
                                                    							__eflags = _t39 -  *0x42f444;
                                                    							if(_t39 ==  *0x42f444) {
                                                    								E0040140B(1);
                                                    							}
                                                    							__eflags =  *0x42ebcc - _t134; // 0x0
                                                    							if(__eflags != 0) {
                                                    								break;
                                                    							}
                                                    							__eflags =  *0x40a1dc -  *0x42f444; // 0x0
                                                    							if(__eflags >= 0) {
                                                    								break;
                                                    							}
                                                    							_t117 =  *(_t131 + 0x14);
                                                    							E00405F87(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
                                                    							_push( *((intOrPtr*)(_t131 + 0x20)));
                                                    							_push(0xfffffc19);
                                                    							E00404026(_t126);
                                                    							_push( *((intOrPtr*)(_t131 + 0x1c)));
                                                    							_push(0xfffffc1b);
                                                    							E00404026(_t126);
                                                    							_push( *((intOrPtr*)(_t131 + 0x28)));
                                                    							_push(0xfffffc1a);
                                                    							E00404026(_t126);
                                                    							_t49 = GetDlgItem(_t126, 3);
                                                    							__eflags =  *0x42f4ac - _t134;
                                                    							_v32 = _t49;
                                                    							if( *0x42f4ac != _t134) {
                                                    								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                    								__eflags = _t117;
                                                    							}
                                                    							ShowWindow(_t49, _t117 & 0x00000008); // executed
                                                    							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
                                                    							E00404048(_t117 & 0x00000002);
                                                    							_t118 = _t117 & 0x00000004;
                                                    							EnableWindow( *0x429838, _t118);
                                                    							__eflags = _t118 - _t134;
                                                    							if(_t118 == _t134) {
                                                    								_push(1);
                                                    							} else {
                                                    								_push(_t134);
                                                    							}
                                                    							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                                                    							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
                                                    							__eflags =  *0x42f4ac - _t134;
                                                    							if( *0x42f4ac == _t134) {
                                                    								_push( *0x42a86c);
                                                    							} else {
                                                    								SendMessageA(_t126, 0x401, 2, _t134);
                                                    								_push( *0x429838);
                                                    							}
                                                    							E0040405B();
                                                    							E00405F65(0x42a870, E00403B33());
                                                    							E00405F87(0x42a870, _t126, _t131,  &(0x42a870[lstrlenA(0x42a870)]),  *((intOrPtr*)(_t131 + 0x18)));
                                                    							SetWindowTextA(_t126, 0x42a870); // executed
                                                    							_push(_t134);
                                                    							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
                                                    							__eflags = _t68;
                                                    							if(_t68 != 0) {
                                                    								continue;
                                                    							} else {
                                                    								__eflags =  *_t131 - _t134;
                                                    								if( *_t131 == _t134) {
                                                    									continue;
                                                    								}
                                                    								__eflags =  *(_t131 + 4) - 5;
                                                    								if( *(_t131 + 4) != 5) {
                                                    									DestroyWindow( *0x42ebd8); // executed
                                                    									 *0x42a048 = _t131;
                                                    									__eflags =  *_t131 - _t134;
                                                    									if( *_t131 <= _t134) {
                                                    										goto L58;
                                                    									}
                                                    									_t74 = CreateDialogParamA( *0x42f400,  *_t131 +  *0x42ebe0 & 0x0000ffff, _t126,  *( *(_t131 + 4) * 4 + "oA@"), _t131); // executed
                                                    									__eflags = _t74 - _t134;
                                                    									 *0x42ebd8 = _t74;
                                                    									if(_t74 == _t134) {
                                                    										goto L58;
                                                    									}
                                                    									_push( *((intOrPtr*)(_t131 + 0x2c)));
                                                    									_push(6);
                                                    									E00404026(_t74);
                                                    									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                                                    									ScreenToClient(_t126, _t135 + 0x10);
                                                    									SetWindowPos( *0x42ebd8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                                                    									_push(_t134);
                                                    									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                                                    									__eflags =  *0x42ebcc - _t134; // 0x0
                                                    									if(__eflags != 0) {
                                                    										goto L61;
                                                    									}
                                                    									ShowWindow( *0x42ebd8, 8); // executed
                                                    									E00404072(0x405);
                                                    									goto L58;
                                                    								}
                                                    								__eflags =  *0x42f4ac - _t134;
                                                    								if( *0x42f4ac != _t134) {
                                                    									goto L61;
                                                    								}
                                                    								__eflags =  *0x42f4a0 - _t134;
                                                    								if( *0x42f4a0 != _t134) {
                                                    									continue;
                                                    								}
                                                    								goto L61;
                                                    							}
                                                    						}
                                                    						DestroyWindow( *0x42ebd8);
                                                    						 *0x42f408 = _t134;
                                                    						EndDialog(_t126,  *0x429c40);
                                                    						goto L58;
                                                    					} else {
                                                    						__eflags = _t35 - 1;
                                                    						if(_t35 != 1) {
                                                    							L33:
                                                    							__eflags =  *_t131 - _t134;
                                                    							if( *_t131 == _t134) {
                                                    								goto L61;
                                                    							}
                                                    							goto L34;
                                                    						}
                                                    						_push(0);
                                                    						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                                                    						__eflags = _t87;
                                                    						if(_t87 == 0) {
                                                    							goto L33;
                                                    						}
                                                    						SendMessageA( *0x42ebd8, 0x40f, 0, 1);
                                                    						__eflags =  *0x42ebcc - _t134; // 0x0
                                                    						return 0 | __eflags == 0x00000000;
                                                    					}
                                                    				} else {
                                                    					_t126 = _a4;
                                                    					_t134 = 0;
                                                    					if(_t116 == 0x47) {
                                                    						SetWindowPos( *0x42a850, _t126, 0, 0, 0, 0, 0x13);
                                                    					}
                                                    					if(_t116 == 5) {
                                                    						asm("sbb eax, eax");
                                                    						ShowWindow( *0x42a850,  ~(_a12 - 1) & _t116);
                                                    					}
                                                    					if(_t116 != 0x40d) {
                                                    						__eflags = _t116 - 0x11;
                                                    						if(_t116 != 0x11) {
                                                    							__eflags = _t116 - 0x111;
                                                    							if(_t116 != 0x111) {
                                                    								L26:
                                                    								return E0040408D(_t116, _a12, _a16);
                                                    							}
                                                    							_t133 = _a12 & 0x0000ffff;
                                                    							_t127 = GetDlgItem(_t126, _t133);
                                                    							__eflags = _t127 - _t134;
                                                    							if(_t127 == _t134) {
                                                    								L13:
                                                    								__eflags = _t133 - 1;
                                                    								if(_t133 != 1) {
                                                    									__eflags = _t133 - 3;
                                                    									if(_t133 != 3) {
                                                    										_t128 = 2;
                                                    										__eflags = _t133 - _t128;
                                                    										if(_t133 != _t128) {
                                                    											L25:
                                                    											SendMessageA( *0x42ebd8, 0x111, _a12, _a16);
                                                    											goto L26;
                                                    										}
                                                    										__eflags =  *0x42f4ac - _t134;
                                                    										if( *0x42f4ac == _t134) {
                                                    											_t100 = E0040140B(3);
                                                    											__eflags = _t100;
                                                    											if(_t100 != 0) {
                                                    												goto L26;
                                                    											}
                                                    											 *0x429c40 = 1;
                                                    											L21:
                                                    											_push(0x78);
                                                    											L22:
                                                    											E00403FFF();
                                                    											goto L26;
                                                    										}
                                                    										E0040140B(_t128);
                                                    										 *0x429c40 = _t128;
                                                    										goto L21;
                                                    									}
                                                    									__eflags =  *0x40a1dc - _t134; // 0x0
                                                    									if(__eflags <= 0) {
                                                    										goto L25;
                                                    									}
                                                    									_push(0xffffffff);
                                                    									goto L22;
                                                    								}
                                                    								_push(_t133);
                                                    								goto L22;
                                                    							}
                                                    							SendMessageA(_t127, 0xf3, _t134, _t134);
                                                    							_t104 = IsWindowEnabled(_t127);
                                                    							__eflags = _t104;
                                                    							if(_t104 == 0) {
                                                    								goto L61;
                                                    							}
                                                    							goto L13;
                                                    						}
                                                    						SetWindowLongA(_t126, _t134, _t134);
                                                    						return 1;
                                                    					} else {
                                                    						DestroyWindow( *0x42ebd8);
                                                    						 *0x42ebd8 = _a12;
                                                    						L58:
                                                    						if( *0x42b870 == _t134) {
                                                    							_t143 =  *0x42ebd8 - _t134; // 0x1042c
                                                    							if(_t143 != 0) {
                                                    								ShowWindow(_t126, 0xa); // executed
                                                    								 *0x42b870 = 1;
                                                    							}
                                                    						}
                                                    						L61:
                                                    						return 0;
                                                    					}
                                                    				}
                                                    			}
































                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B8E
                                                    • ShowWindow.USER32(?), ref: 00403BAB
                                                    • DestroyWindow.USER32 ref: 00403BBF
                                                    • SetWindowLongA.USER32 ref: 00403BDB
                                                    • GetDlgItem.USER32 ref: 00403BFC
                                                    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C10
                                                    • IsWindowEnabled.USER32(00000000), ref: 00403C17
                                                    • GetDlgItem.USER32 ref: 00403CC5
                                                    • GetDlgItem.USER32 ref: 00403CCF
                                                    • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403CE9
                                                    • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D3A
                                                    • GetDlgItem.USER32 ref: 00403DE0
                                                    • ShowWindow.USER32(00000000,?), ref: 00403E01
                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E13
                                                    • EnableWindow.USER32(?,?), ref: 00403E2E
                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E44
                                                    • EnableMenuItem.USER32 ref: 00403E4B
                                                    • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E63
                                                    • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E76
                                                    • lstrlenA.KERNEL32(Yllerion Setup: Installing,?,Yllerion Setup: Installing,00000000), ref: 00403EA0
                                                    • SetWindowTextA.USER32(?,Yllerion Setup: Installing), ref: 00403EAF
                                                    • ShowWindow.USER32(?,0000000A), ref: 00403FE3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
                                                    • String ID: Yllerion Setup: Installing
                                                    • API String ID: 3906175533-2322757991
                                                    • Opcode ID: a610b2fa877343fbf3bdc554c55ad236ee119dc4ae72ad2b999ac5e47659cd96
                                                    • Instruction ID: 825bbfaa6b66e15a56cde4951677423d70b10f791e0768be12abaf391e468a8e
                                                    • Opcode Fuzzy Hash: a610b2fa877343fbf3bdc554c55ad236ee119dc4ae72ad2b999ac5e47659cd96
                                                    • Instruction Fuzzy Hash: 80C19F71604205AFDB206F22EE45E2B3EBCFB4570AF40053EFA42B11E1CB7999429B1D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    [Figure: control-flow graph of function 004037B5; legend: Executed / Not Executed]
                                                    C-Code - Quality: 96%
                                                    			E004037B5(void* __eflags) {
                                                    				intOrPtr _v4;
                                                    				intOrPtr _v8;
                                                    				int _v12;
                                                    				void _v16;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				intOrPtr* _t17;
                                                    				void* _t25;
                                                    				void* _t27;
                                                    				int _t28;
                                                    				void* _t31;
                                                    				int _t34;
                                                    				int _t35;
                                                    				intOrPtr _t36;
                                                    				int _t39;
                                                    				char _t57;
                                                    				CHAR* _t59;
                                                    				signed char _t63;
                                                    				CHAR* _t74;
                                                    				intOrPtr _t76;
                                                    				CHAR* _t81;
                                                    
                                                    				_t76 =  *0x42f414;
                                                    				_t17 = E004062FD(2);
                                                    				_t84 = _t17;
                                                    				if(_t17 == 0) {
                                                    					_t74 = 0x42a870;
                                                    					"1033" = 0x30;
                                                    					 *0x436001 = 0x78;
                                                    					 *0x436002 = 0;
                                                    					E00405E4C(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a870, 0);
                                                    					__eflags =  *0x42a870; // 0x59
                                                    					if(__eflags == 0) {
                                                    						E00405E4C(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040835A, 0x42a870, 0);
                                                    					}
                                                    					lstrcatA("1033", _t74);
                                                    				} else {
                                                    					E00405EC3("1033",  *_t17() & 0x0000ffff);
                                                    				}
                                                    				E00403A7A(_t71, _t84);
                                                    				_t80 = "C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository";
                                                    				 *0x42f4a0 =  *0x42f41c & 0x00000020;
                                                    				 *0x42f4bc = 0x10000;
                                                    				if(E004059EB(_t84, "C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository") != 0) {
                                                    					L16:
                                                    					if(E004059EB(_t92, _t80) == 0) {
                                                    						E00405F87(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
                                                    					}
                                                    					_t25 = LoadImageA( *0x42f400, 0x67, 1, 0, 0, 0x8040); // executed
                                                    					 *0x42ebe8 = _t25;
                                                    					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                                                    						L21:
                                                    						if(E0040140B(0) == 0) {
                                                    							_t27 = E00403A7A(_t71, __eflags);
                                                    							__eflags =  *0x42f4c0;
                                                    							if( *0x42f4c0 != 0) {
                                                    								_t28 = E0040515E(_t27, 0);
                                                    								__eflags = _t28;
                                                    								if(_t28 == 0) {
                                                    									E0040140B(1);
                                                    									goto L33;
                                                    								}
                                                    								__eflags =  *0x42ebcc; // 0x0
                                                    								if(__eflags == 0) {
                                                    									E0040140B(2);
                                                    								}
                                                    								goto L22;
                                                    							}
                                                    							ShowWindow( *0x42a850, 5); // executed
                                                    							_t34 = E0040628F("RichEd20"); // executed
                                                    							__eflags = _t34;
                                                    							if(_t34 == 0) {
                                                    								E0040628F("RichEd32");
                                                    							}
                                                    							_t81 = "RichEdit20A";
                                                    							_t35 = GetClassInfoA(0, _t81, 0x42eba0);
                                                    							__eflags = _t35;
                                                    							if(_t35 == 0) {
                                                    								GetClassInfoA(0, "RichEdit", 0x42eba0);
                                                    								 *0x42ebc4 = _t81;
                                                    								RegisterClassA(0x42eba0);
                                                    							}
                                                    							_t36 =  *0x42ebe0; // 0x0
                                                    							_t39 = DialogBoxParamA( *0x42f400, _t36 + 0x00000069 & 0x0000ffff, 0, E00403B52, 0); // executed
                                                    							E00403705(E0040140B(5), 1);
                                                    							return _t39;
                                                    						}
                                                    						L22:
                                                    						_t31 = 2;
                                                    						return _t31;
                                                    					} else {
                                                    						_t71 =  *0x42f400;
                                                    						 *0x42eba4 = E00401000;
                                                    						 *0x42ebb0 =  *0x42f400;
                                                    						 *0x42ebb4 = _t25;
                                                    						 *0x42ebc4 = 0x40a1f4;
                                                    						if(RegisterClassA(0x42eba0) == 0) {
                                                    							L33:
                                                    							__eflags = 0;
                                                    							return 0;
                                                    						}
                                                    						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                                                    						 *0x42a850 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f400, 0);
                                                    						goto L21;
                                                    					}
                                                    				} else {
                                                    					_t71 =  *(_t76 + 0x48);
                                                    					_t86 = _t71;
                                                    					if(_t71 == 0) {
                                                    						goto L16;
                                                    					}
                                                    					_t74 = 0x42e3a0;
                                                    					E00405E4C(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f458, 0x42e3a0, 0);
                                                    					_t57 =  *0x42e3a0; // 0x43
                                                    					if(_t57 == 0) {
                                                    						goto L16;
                                                    					}
                                                    					if(_t57 == 0x22) {
                                                    						_t74 = 0x42e3a1;
                                                    						 *((char*)(E00405928(0x42e3a1, 0x22))) = 0;
                                                    					}
                                                    					_t59 = lstrlenA(_t74) + _t74 - 4;
                                                    					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                                                    						L15:
                                                    						E00405F65(_t80, E004058FD(_t74));
                                                    						goto L16;
                                                    					} else {
                                                    						_t63 = GetFileAttributesA(_t74);
                                                    						if(_t63 == 0xffffffff) {
                                                    							L14:
                                                    							E00405944(_t74);
                                                    							goto L15;
                                                    						}
                                                    						_t92 = _t63 & 0x00000010;
                                                    						if((_t63 & 0x00000010) != 0) {
                                                    							goto L15;
                                                    						}
                                                    						goto L14;
                                                    					}
                                                    				}
                                                    			}


























                                                    APIs
                                                      • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                                                      • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                                                    • lstrcatA.KERNEL32(1033,Yllerion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Yllerion Setup: Installing,00000000,00000002,7476FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\invoice.exe",00000000), ref: 00403830
                                                    • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository,1033,Yllerion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Yllerion Setup: Installing,00000000,00000002,7476FA90), ref: 004038A5
                                                    • lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository,1033,Yllerion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Yllerion Setup: Installing,00000000), ref: 004038B8
                                                    • GetFileAttributesA.KERNEL32(Call), ref: 004038C3
                                                    • LoadImageA.USER32 ref: 0040390C
                                                      • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
                                                    • RegisterClassA.USER32 ref: 00403949
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403961
                                                    • CreateWindowExA.USER32 ref: 00403996
                                                    • ShowWindow.USER32(00000005,00000000), ref: 004039CC
                                                    • GetClassInfoA.USER32 ref: 004039F8
                                                    • GetClassInfoA.USER32 ref: 00403A05
                                                    • RegisterClassA.USER32 ref: 00403A0E
                                                    • DialogBoxParamA.USER32 ref: 00403A2D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: "C:\Users\user\Desktop\invoice.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Yllerion Setup: Installing$_Nb
                                                    • API String ID: 1975747703-657451802
                                                    • Opcode ID: 0f9bd367d977802c11df8505ea4cdc09ad3fea20ebf391e442548ca576291c4a
                                                    • Instruction ID: cf57693f3f88dc886a5042f17341946b18930627488d4c28d640959b633c26bb
                                                    • Opcode Fuzzy Hash: 0f9bd367d977802c11df8505ea4cdc09ad3fea20ebf391e442548ca576291c4a
                                                    • Instruction Fuzzy Hash: 3E61D770240600AED620BB669D45F373EACEB44749F40447EF985B22E2DB7C9D029A2D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    [Control-flow graph of the function starting at 00402D48; legend: executed / not executed blocks]
                                                    C-Code - Quality: 80%
                                                    			E00402D48(void* __eflags, signed int _a4) {
                                                    				DWORD* _v8;
                                                    				DWORD* _v12;
                                                    				void* _v16;
                                                    				intOrPtr _v20;
                                                    				long _v24;
                                                    				intOrPtr _v28;
                                                    				intOrPtr _v32;
                                                    				intOrPtr _v36;
                                                    				intOrPtr _v40;
                                                    				signed int _v44;
                                                    				long _t43;
                                                    				signed int _t50;
                                                    				void* _t53;
                                                    				void* _t57;
                                                    				intOrPtr* _t59;
                                                    				long _t60;
                                                    				signed int _t65;
                                                    				signed int _t70;
                                                    				signed int _t71;
                                                    				signed int _t77;
                                                    				intOrPtr _t80;
                                                    				long _t82;
                                                    				signed int _t85;
                                                    				signed int _t87;
                                                    				void* _t89;
                                                    				signed int _t90;
                                                    				signed int _t93;
                                                    				void* _t94;
                                                    
                                                    				_t82 = 0;
                                                    				_v12 = 0;
                                                    				_v8 = 0;
                                                    				_t43 = GetTickCount();
                                                    				_t91 = "C:\\Users\\jones\\Desktop\\invoice.exe";
                                                    				 *0x42f410 = _t43 + 0x3e8;
                                                    				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\invoice.exe", 0x400);
                                                    				_t89 = E00405AFE(_t91, 0x80000000, 3);
                                                    				_v16 = _t89;
                                                    				 *0x40a018 = _t89;
                                                    				if(_t89 == 0xffffffff) {
                                                    					return "Error launching installer";
                                                    				}
                                                    				_t92 = "C:\\Users\\jones\\Desktop";
                                                    				E00405F65("C:\\Users\\jones\\Desktop", _t91);
                                                    				E00405F65(0x437000, E00405944(_t92));
                                                    				_t50 = GetFileSize(_t89, 0);
                                                    				__eflags = _t50;
                                                    				 *0x42142c = _t50;
                                                    				_t93 = _t50;
                                                    				if(_t50 <= 0) {
                                                    					L24:
                                                    					E00402CE4(1);
                                                    					__eflags =  *0x42f418 - _t82;
                                                    					if( *0x42f418 == _t82) {
                                                    						goto L29;
                                                    					}
                                                    					__eflags = _v8 - _t82;
                                                    					if(_v8 == _t82) {
                                                    						L28:
                                                    						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                    						_t94 = _t53;
                                                    						E004031A9( *0x42f418 + 0x1c);
                                                    						_push(_v24);
                                                    						_push(_t94);
                                                    						_push(_t82);
                                                    						_push(0xffffffff); // executed
                                                    						_t57 = E00402F81(); // executed
                                                    						__eflags = _t57 - _v24;
                                                    						if(_t57 == _v24) {
                                                    							__eflags = _v44 & 0x00000001;
                                                    							 *0x42f414 = _t94;
                                                    							 *0x42f41c =  *_t94;
                                                    							if((_v44 & 0x00000001) != 0) {
                                                    								 *0x42f420 =  *0x42f420 + 1;
                                                    								__eflags =  *0x42f420;
                                                    							}
                                                    							_t40 = _t94 + 0x44; // 0x44
                                                    							_t59 = _t40;
                                                    							_t85 = 8;
                                                    							do {
                                                    								_t59 = _t59 - 8;
                                                    								 *_t59 =  *_t59 + _t94;
                                                    								_t85 = _t85 - 1;
                                                    								__eflags = _t85;
                                                    							} while (_t85 != 0);
                                                    							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                    							 *(_t94 + 0x3c) = _t60;
                                                    							E00405AB9(0x42f440, _t94 + 4, 0x40);
                                                    							__eflags = 0;
                                                    							return 0;
                                                    						}
                                                    						goto L29;
                                                    					}
                                                    					E004031A9( *0x415420);
                                                    					_t65 = E00403193( &_a4, 4);
                                                    					__eflags = _t65;
                                                    					if(_t65 == 0) {
                                                    						goto L29;
                                                    					}
                                                    					__eflags = _v12 - _a4;
                                                    					if(_v12 != _a4) {
                                                    						goto L29;
                                                    					}
                                                    					goto L28;
                                                    				} else {
                                                    					do {
                                                    						_t90 = _t93;
                                                    						asm("sbb eax, eax");
                                                    						_t70 = ( ~( *0x42f418) & 0x00007e00) + 0x200;
                                                    						__eflags = _t93 - _t70;
                                                    						if(_t93 >= _t70) {
                                                    							_t90 = _t70;
                                                    						}
                                                    						_t71 = E00403193(0x421430, _t90);
                                                    						__eflags = _t71;
                                                    						if(_t71 == 0) {
                                                    							E00402CE4(1);
                                                    							L29:
                                                    							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                    						}
                                                    						__eflags =  *0x42f418;
                                                    						if( *0x42f418 != 0) {
                                                    							__eflags = _a4 & 0x00000002;
                                                    							if((_a4 & 0x00000002) == 0) {
                                                    								E00402CE4(0);
                                                    							}
                                                    							goto L20;
                                                    						}
                                                    						E00405AB9( &_v44, 0x421430, 0x1c);
                                                    						_t77 = _v44;
                                                    						__eflags = _t77 & 0xfffffff0;
                                                    						if((_t77 & 0xfffffff0) != 0) {
                                                    							goto L20;
                                                    						}
                                                    						__eflags = _v40 - 0xdeadbeef;
                                                    						if(_v40 != 0xdeadbeef) {
                                                    							goto L20;
                                                    						}
                                                    						__eflags = _v28 - 0x74736e49;
                                                    						if(_v28 != 0x74736e49) {
                                                    							goto L20;
                                                    						}
                                                    						__eflags = _v32 - 0x74666f73;
                                                    						if(_v32 != 0x74666f73) {
                                                    							goto L20;
                                                    						}
                                                    						__eflags = _v36 - 0x6c6c754e;
                                                    						if(_v36 != 0x6c6c754e) {
                                                    							goto L20;
                                                    						}
                                                    						_a4 = _a4 | _t77;
                                                    						_t87 =  *0x415420; // 0xd02b5
                                                    						 *0x42f4c0 =  *0x42f4c0 | _a4 & 0x00000002;
                                                    						_t80 = _v20;
                                                    						__eflags = _t80 - _t93;
                                                    						 *0x42f418 = _t87;
                                                    						if(_t80 > _t93) {
                                                    							goto L29;
                                                    						}
                                                    						__eflags = _a4 & 0x00000008;
                                                    						if((_a4 & 0x00000008) != 0) {
                                                    							L16:
                                                    							_v8 = _v8 + 1;
                                                    							_t24 = _t80 - 4; // 0x40a194
                                                    							_t93 = _t24;
                                                    							__eflags = _t90 - _t93;
                                                    							if(_t90 > _t93) {
                                                    								_t90 = _t93;
                                                    							}
                                                    							goto L20;
                                                    						}
                                                    						__eflags = _a4 & 0x00000004;
                                                    						if((_a4 & 0x00000004) != 0) {
                                                    							break;
                                                    						}
                                                    						goto L16;
                                                    						L20:
                                                    						__eflags = _t93 -  *0x42142c; // 0xd24e8
                                                    						if(__eflags < 0) {
                                                    							_v12 = E004063B4(_v12, 0x421430, _t90);
                                                    						}
                                                    						 *0x415420 =  *0x415420 + _t90;
                                                    						_t93 = _t93 - _t90;
                                                    						__eflags = _t93;
                                                    					} while (_t93 > 0);
                                                    					_t82 = 0;
                                                    					__eflags = 0;
                                                    					goto L24;
                                                    				}
                                                    			}

                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00402D59
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\invoice.exe,00000400), ref: 00402D75
                                                      • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00405B02
                                                      • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
                                                    • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\invoice.exe,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00402DC1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                    • String ID: "C:\Users\user\Desktop\invoice.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\invoice.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$$
                                                    • API String ID: 4283519449-2590419008
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (function 00405F87; legend: executed / not executed blocks)
                                                    C-Code - Quality: 72%
                                                    			E00405F87(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                    				struct _ITEMIDLIST* _v8;
                                                    				char _v12;
                                                    				signed int _v16;
                                                    				signed char _v20;
                                                    				signed int _v24;
                                                    				signed char _v28;
                                                    				signed int _t38;
                                                    				CHAR* _t39;
                                                    				signed int _t41;
                                                    				char _t52;
                                                    				char _t53;
                                                    				char _t55;
                                                    				char _t57;
                                                    				void* _t65;
                                                    				char* _t66;
                                                    				signed int _t80;
                                                    				intOrPtr _t86;
                                                    				char _t88;
                                                    				void* _t89;
                                                    				CHAR* _t90;
                                                    				void* _t92;
                                                    				signed int _t97;
                                                    				signed int _t99;
                                                    				void* _t100;
                                                    
                                                    				_t92 = __esi;
                                                    				_t89 = __edi;
                                                    				_t65 = __ebx;
                                                    				_t38 = _a8;
                                                    				if(_t38 < 0) {
                                                    					_t86 =  *0x42ebdc; // 0x49bd31
                                                    					_t38 =  *(_t86 - 4 + _t38 * 4);
                                                    				}
                                                    				_push(_t65);
                                                    				_push(_t92);
                                                    				_push(_t89);
                                                    				_t66 = _t38 +  *0x42f458;
                                                    				_t39 = 0x42e3a0;
                                                    				_t90 = 0x42e3a0;
                                                    				if(_a4 >= 0x42e3a0 && _a4 - 0x42e3a0 < 0x800) {
                                                    					_t90 = _a4;
                                                    					_a4 = _a4 & 0x00000000;
                                                    				}
                                                    				while(1) {
                                                    					_t88 =  *_t66;
                                                    					if(_t88 == 0) {
                                                    						break;
                                                    					}
                                                    					__eflags = _t90 - _t39 - 0x400;
                                                    					if(_t90 - _t39 >= 0x400) {
                                                    						break;
                                                    					}
                                                    					_t66 = _t66 + 1;
                                                    					__eflags = _t88 - 4;
                                                    					_a8 = _t66;
                                                    					if(__eflags >= 0) {
                                                    						if(__eflags != 0) {
                                                    							 *_t90 = _t88;
                                                    							_t90 =  &(_t90[1]);
                                                    							__eflags = _t90;
                                                    						} else {
                                                    							 *_t90 =  *_t66;
                                                    							_t90 =  &(_t90[1]);
                                                    							_t66 = _t66 + 1;
                                                    						}
                                                    						continue;
                                                    					}
                                                    					_t41 =  *((char*)(_t66 + 1));
                                                    					_t80 =  *_t66;
                                                    					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                                                    					_v24 = _t80;
                                                    					_v28 = _t80 | 0x00000080;
                                                    					_v16 = _t41;
                                                    					_v20 = _t41 | 0x00000080;
                                                    					_t66 = _a8 + 2;
                                                    					__eflags = _t88 - 2;
                                                    					if(_t88 != 2) {
                                                    						__eflags = _t88 - 3;
                                                    						if(_t88 != 3) {
                                                    							__eflags = _t88 - 1;
                                                    							if(_t88 == 1) {
                                                    								__eflags = (_t41 | 0xffffffff) - _t97;
                                                    								E00405F87(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                                                    							}
                                                    							L42:
                                                    							_t90 =  &(_t90[lstrlenA(_t90)]);
                                                    							_t39 = 0x42e3a0;
                                                    							continue;
                                                    						}
                                                    						__eflags = _t97 - 0x1d;
                                                    						if(_t97 != 0x1d) {
                                                    							__eflags = (_t97 << 0xa) + 0x430000;
                                                    							E00405F65(_t90, (_t97 << 0xa) + 0x430000);
                                                    						} else {
                                                    							E00405EC3(_t90,  *0x42f408);
                                                    						}
                                                    						__eflags = _t97 + 0xffffffeb - 7;
                                                    						if(_t97 + 0xffffffeb < 7) {
                                                    							L33:
                                                    							E004061CF(_t90);
                                                    						}
                                                    						goto L42;
                                                    					}
                                                    					_t52 =  *0x42f40c;
                                                    					__eflags = _t52;
                                                    					_t99 = 2;
                                                    					if(_t52 >= 0) {
                                                    						L13:
                                                    						_a8 = 1;
                                                    						L14:
                                                    						__eflags =  *0x42f4a4;
                                                    						if( *0x42f4a4 != 0) {
                                                    							_t99 = 4;
                                                    						}
                                                    						__eflags = _t80;
                                                    						if(__eflags >= 0) {
                                                    							__eflags = _t80 - 0x25;
                                                    							if(_t80 != 0x25) {
                                                    								__eflags = _t80 - 0x24;
                                                    								if(_t80 == 0x24) {
                                                    									GetWindowsDirectoryA(_t90, 0x400);
                                                    									_t99 = 0;
                                                    								}
                                                    								while(1) {
                                                    									__eflags = _t99;
                                                    									if(_t99 == 0) {
                                                    										goto L30;
                                                    									}
                                                    									_t53 =  *0x42f404;
                                                    									_t99 = _t99 - 1;
                                                    									__eflags = _t53;
                                                    									if(_t53 == 0) {
                                                    										L26:
                                                    										_t55 = SHGetSpecialFolderLocation( *0x42f408,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                                                    										__eflags = _t55;
                                                    										if(_t55 != 0) {
                                                    											L28:
                                                    											 *_t90 =  *_t90 & 0x00000000;
                                                    											__eflags =  *_t90;
                                                    											continue;
                                                    										}
                                                    										__imp__SHGetPathFromIDListA(_v8, _t90);
                                                    										_v12 = _t55;
                                                    										__imp__CoTaskMemFree(_v8);
                                                    										__eflags = _v12;
                                                    										if(_v12 != 0) {
                                                    											goto L30;
                                                    										}
                                                    										goto L28;
                                                    									}
                                                    									__eflags = _a8;
                                                    									if(_a8 == 0) {
                                                    										goto L26;
                                                    									}
                                                    									_t57 =  *_t53( *0x42f408,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
                                                    									__eflags = _t57;
                                                    									if(_t57 == 0) {
                                                    										goto L30;
                                                    									}
                                                    									goto L26;
                                                    								}
                                                    								goto L30;
                                                    							}
                                                    							GetSystemDirectoryA(_t90, 0x400);
                                                    							goto L30;
                                                    						} else {
                                                    							E00405E4C((_t80 & 0x0000003f) +  *0x42f458, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f458, _t90, _t80 & 0x00000040); // executed
                                                    							__eflags =  *_t90;
                                                    							if( *_t90 != 0) {
                                                    								L31:
                                                    								__eflags = _v16 - 0x1a;
                                                    								if(_v16 == 0x1a) {
                                                    									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                    								}
                                                    								goto L33;
                                                    							}
                                                    							E00405F87(_t66, _t90, _t99, _t90, _v16);
                                                    							L30:
                                                    							__eflags =  *_t90;
                                                    							if( *_t90 == 0) {
                                                    								goto L33;
                                                    							}
                                                    							goto L31;
                                                    						}
                                                    					}
                                                    					__eflags = _t52 - 0x5a04;
                                                    					if(_t52 == 0x5a04) {
                                                    						goto L13;
                                                    					}
                                                    					__eflags = _v16 - 0x23;
                                                    					if(_v16 == 0x23) {
                                                    						goto L13;
                                                    					}
                                                    					__eflags = _v16 - 0x2e;
                                                    					if(_v16 == 0x2e) {
                                                    						goto L13;
                                                    					} else {
                                                    						_a8 = _a8 & 0x00000000;
                                                    						goto L14;
                                                    					}
                                                    				}
                                                    				 *_t90 =  *_t90 & 0x00000000;
                                                    				if(_a4 == 0) {
                                                    					return _t39;
                                                    				}
                                                    				return E00405F65(_a4, _t39);
                                                    			}


                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32 ref: 004060B2
                                                    • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000), ref: 004060C5
                                                    • SHGetSpecialFolderLocation.SHELL32(004050C4,7476EA30,?,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000), ref: 00406101
                                                    • SHGetPathFromIDListA.SHELL32(7476EA30,Call), ref: 0040610F
                                                    • CoTaskMemFree.OLE32(7476EA30), ref: 0040611B
                                                    • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040613F
                                                    • lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,00000000,0041C028,7476EA30), ref: 00406191
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                    • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                    • API String ID: 717251189-1725678119
                                                    • Opcode ID: 5106712905544f5ba106292216a6fc296fbdb3386ca655048f42707a8493570e
                                                    • Instruction ID: 1b13e8ff18f2312f61c88a614d7ce51b6c0fc9f7833a06fa9902b6248b39176d
                                                    • Opcode Fuzzy Hash: 5106712905544f5ba106292216a6fc296fbdb3386ca655048f42707a8493570e
                                                    • Instruction Fuzzy Hash: D561F170A00105AEDF20AF24CC90BBB3BA5EB55314F56413FE903BA2D2C67D4962CB5E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 60%
                                                    			E00401759(FILETIME* __ebx, void* __eflags) {
                                                    				void* _t33;
                                                    				void* _t41;
                                                    				void* _t43;
                                                    				FILETIME* _t49;
                                                    				FILETIME* _t62;
                                                    				void* _t64;
                                                    				signed int _t70;
                                                    				FILETIME* _t71;
                                                    				FILETIME* _t75;
                                                    				signed int _t77;
                                                    				void* _t80;
                                                    				CHAR* _t82;
                                                    				void* _t85;
                                                    
                                                    				_t75 = __ebx;
                                                    				_t82 = E00402AC1(0x31);
                                                    				 *(_t85 - 8) = _t82;
                                                    				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                    				_t33 = E0040596A(_t82);
                                                    				_push(_t82);
                                                    				if(_t33 == 0) {
                                                    					lstrcatA(E004058FD(E00405F65(0x40a418, "C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository\\Diskofils\\Justiciaryship")), ??);
                                                    				} else {
                                                    					_push(0x40a418);
                                                    					E00405F65();
                                                    				}
                                                    				E004061CF(0x40a418);
                                                    				while(1) {
                                                    					__eflags =  *(_t85 + 8) - 3;
                                                    					if( *(_t85 + 8) >= 3) {
                                                    						_t64 = E00406268(0x40a418);
                                                    						_t77 = 0;
                                                    						__eflags = _t64 - _t75;
                                                    						if(_t64 != _t75) {
                                                    							_t71 = _t64 + 0x14;
                                                    							__eflags = _t71;
                                                    							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                    						}
                                                    						asm("sbb eax, eax");
                                                    						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                    						__eflags = _t70;
                                                    						 *(_t85 + 8) = _t70;
                                                    					}
                                                    					__eflags =  *(_t85 + 8) - _t75;
                                                    					if( *(_t85 + 8) == _t75) {
                                                    						E00405AD9(0x40a418);
                                                    					}
                                                    					__eflags =  *(_t85 + 8) - 1;
                                                    					_t41 = E00405AFE(0x40a418, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                    					__eflags = _t41 - 0xffffffff;
                                                    					 *(_t85 - 0xc) = _t41;
                                                    					if(_t41 != 0xffffffff) {
                                                    						break;
                                                    					}
                                                    					__eflags =  *(_t85 + 8) - _t75;
                                                    					if( *(_t85 + 8) != _t75) {
                                                    						E0040508C(0xffffffe2,  *(_t85 - 8));
                                                    						__eflags =  *(_t85 + 8) - 2;
                                                    						if(__eflags == 0) {
                                                    							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                    						}
                                                    						L31:
                                                    						 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t85 - 4));
                                                    						__eflags =  *0x42f4a8;
                                                    						goto L32;
                                                    					} else {
                                                    						E00405F65(0x40ac18, 0x430000);
                                                    						E00405F65(0x430000, 0x40a418);
                                                    						E00405F87(_t75, 0x40ac18, 0x40a418, "C:\\Users\\jones\\AppData\\Local\\Temp\\nsfE5AA.tmp\\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                    						E00405F65(0x430000, 0x40ac18);
                                                    						_t62 = E00405681("C:\\Users\\jones\\AppData\\Local\\Temp\\nsfE5AA.tmp\\System.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                    						__eflags = _t62;
                                                    						if(_t62 == 0) {
                                                    							continue;
                                                    						} else {
                                                    							__eflags = _t62 == 1;
                                                    							if(_t62 == 1) {
                                                    								 *0x42f4a8 =  &( *0x42f4a8->dwLowDateTime);
                                                    								L32:
                                                    								_t49 = 0;
                                                    								__eflags = 0;
                                                    							} else {
                                                    								_push(0x40a418);
                                                    								_push(0xfffffffa);
                                                    								E0040508C();
                                                    								L29:
                                                    								_t49 = 0x7fffffff;
                                                    							}
                                                    						}
                                                    					}
                                                    					L33:
                                                    					return _t49;
                                                    				}
                                                    				E0040508C(0xffffffea,  *(_t85 - 8));
                                                    				 *0x42f4d4 =  *0x42f4d4 + 1;
                                                    				_push(_t75);
                                                    				_push(_t75);
                                                    				_push( *(_t85 - 0xc));
                                                    				_push( *((intOrPtr*)(_t85 - 0x20)));
                                                    				_t43 = E00402F81(); // executed
                                                    				 *0x42f4d4 =  *0x42f4d4 - 1;
                                                    				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                    				_t80 = _t43;
                                                    				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                    					L22:
                                                    					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                    				} else {
                                                    					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                    					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                    						goto L22;
                                                    					}
                                                    				}
                                                    				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                                                    				__eflags = _t80 - _t75;
                                                    				if(_t80 >= _t75) {
                                                    					goto L31;
                                                    				} else {
                                                    					__eflags = _t80 - 0xfffffffe;
                                                    					if(_t80 != 0xfffffffe) {
                                                    						E00405F87(_t75, _t80, 0x40a418, 0x40a418, 0xffffffee);
                                                    					} else {
                                                    						E00405F87(_t75, _t80, 0x40a418, 0x40a418, 0xffffffe9);
                                                    						lstrcatA(0x40a418,  *(_t85 - 8));
                                                    					}
                                                    					_push(0x200010);
                                                    					_push(0x40a418);
                                                    					E00405681();
                                                    					goto L29;
                                                    				}
                                                    				goto L33;
                                                    			}

                                                    0x004018da
                                                    0x004018e3
                                                    0x004018e3
                                                    0x004018f2
                                                    0x004018f7
                                                    0x004022dc
                                                    0x00000000
                                                    0x004022dc
                                                    0x00000000

                                                    APIs
                                                    • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship,00000000,00000000,00000031), ref: 00401798
                                                    • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship,00000000,00000000,00000031), ref: 004017C2
                                                      • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,Yllerion Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,0041C028,7476EA30,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,0041C028,7476EA30,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                                      • Part of subcall function 0040508C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,0041C028,7476EA30), ref: 004050E8
                                                      • Part of subcall function 0040508C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll), ref: 004050FA
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                    • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship$C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp$C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll$Call
                                                    • API String ID: 1941528284-3307459039
                                                    • Opcode ID: 98a1d938c2887b8159c1b5f9a529be0333a72b233cb983e9a9a22398b60c3e71
                                                    • Instruction ID: 024705dcfdf044f05b4b82656432081f20986447a00b4521f0a60d415ab43704
                                                    • Opcode Fuzzy Hash: 98a1d938c2887b8159c1b5f9a529be0333a72b233cb983e9a9a22398b60c3e71
                                                    • Instruction Fuzzy Hash: 4841B431A04515BECB107BB58C45EAF3679EF05369F60833BF421F20E1D67C89428A6D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    [Figure: control-flow graph of function 402f81; legend: Executed / Not Executed]
                                                    C-Code - Quality: 95%
                                                    			E00402F81(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                    				signed int _v8;
                                                    				int _v12;
                                                    				intOrPtr _v16;
                                                    				long _v20;
                                                    				intOrPtr _v24;
                                                    				char _v88;
                                                    				void* _t65;
                                                    				long _t70;
                                                    				intOrPtr _t75;
                                                    				long _t76;
                                                    				intOrPtr _t77;
                                                    				void* _t78;
                                                    				int _t88;
                                                    				intOrPtr _t92;
                                                    				intOrPtr _t95;
                                                    				long _t96;
                                                    				signed int _t97;
                                                    				int _t98;
                                                    				int _t99;
                                                    				intOrPtr _t100;
                                                    				void* _t101;
                                                    				void* _t102;
                                                    
                                                    				_t97 = _a16;
                                                    				_t92 = _a12;
                                                    				_v12 = _t97;
                                                    				if(_t92 == 0) {
                                                    					_v12 = 0x8000;
                                                    				}
                                                    				_v8 = _v8 & 0x00000000;
                                                    				_v16 = _t92;
                                                    				if(_t92 == 0) {
                                                    					_v16 = 0x419428;
                                                    				}
                                                    				_t62 = _a4;
                                                    				if(_a4 >= 0) {
                                                    					E004031A9( *0x42f478 + _t62);
                                                    				}
                                                    				if(E00403193( &_a16, 4) == 0) {
                                                    					L41:
                                                    					_push(0xfffffffd);
                                                    					goto L42;
                                                    				} else {
                                                    					if((_a19 & 0x00000080) == 0) {
                                                    						if(_t92 != 0) {
                                                    							if(_a16 < _t97) {
                                                    								_t97 = _a16;
                                                    							}
                                                    							if(E00403193(_t92, _t97) != 0) {
                                                    								_v8 = _t97;
                                                    								L44:
                                                    								return _v8;
                                                    							} else {
                                                    								goto L41;
                                                    							}
                                                    						}
                                                    						if(_a16 <= _t92) {
                                                    							goto L44;
                                                    						}
                                                    						_t88 = _v12;
                                                    						while(1) {
                                                    							_t98 = _a16;
                                                    							if(_a16 >= _t88) {
                                                    								_t98 = _t88;
                                                    							}
                                                    							if(E00403193(0x415428, _t98) == 0) {
                                                    								goto L41;
                                                    							}
                                                    							if(E00405BA5(_a8, 0x415428, _t98) == 0) {
                                                    								L28:
                                                    								_push(0xfffffffe);
                                                    								L42:
                                                    								_pop(_t65);
                                                    								return _t65;
                                                    							}
                                                    							_v8 = _v8 + _t98;
                                                    							_a16 = _a16 - _t98;
                                                    							if(_a16 > 0) {
                                                    								continue;
                                                    							}
                                                    							goto L44;
                                                    						}
                                                    						goto L41;
                                                    					}
                                                    					_t70 = GetTickCount();
                                                    					 *0x40bd8c =  *0x40bd8c & 0x00000000;
                                                    					 *0x40bd88 =  *0x40bd88 & 0x00000000;
                                                    					_t14 =  &_a16;
                                                    					 *_t14 = _a16 & 0x7fffffff;
                                                    					_v20 = _t70;
                                                    					 *0x40b870 = 8;
                                                    					 *0x415418 = 0x40d410;
                                                    					 *0x415414 = 0x40d410;
                                                    					 *0x415410 = 0x415410;
                                                    					_a4 = _a16;
                                                    					if( *_t14 <= 0) {
                                                    						goto L44;
                                                    					} else {
                                                    						goto L9;
                                                    					}
                                                    					while(1) {
                                                    						L9:
                                                    						_t99 = 0x4000;
                                                    						if(_a16 < 0x4000) {
                                                    							_t99 = _a16;
                                                    						}
                                                    						if(E00403193(0x415428, _t99) == 0) {
                                                    							goto L41;
                                                    						}
                                                    						_a16 = _a16 - _t99;
                                                    						 *0x40b860 = 0x415428;
                                                    						 *0x40b864 = _t99;
                                                    						while(1) {
                                                    							_t95 = _v16;
                                                    							 *0x40b868 = _t95;
                                                    							 *0x40b86c = _v12;
                                                    							_t75 = E00406422("?mA");
                                                    							_v24 = _t75;
                                                    							if(_t75 < 0) {
                                                    								break;
                                                    							}
                                                    							_t100 =  *0x40b868; // 0x41c028
                                                    							_t101 = _t100 - _t95;
                                                    							_t76 = GetTickCount();
                                                    							_t96 = _t76;
                                                    							if(( *0x42f4d4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                    								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                    								_t102 = _t102 + 0xc;
                                                    								E0040508C(0,  &_v88);
                                                    								_v20 = _t96;
                                                    							}
                                                    							if(_t101 == 0) {
                                                    								if(_a16 > 0) {
                                                    									goto L9;
                                                    								}
                                                    								goto L44;
                                                    							} else {
                                                    								if(_a12 != 0) {
                                                    									_t77 =  *0x40b868; // 0x41c028
                                                    									_v8 = _v8 + _t101;
                                                    									_v12 = _v12 - _t101;
                                                    									_v16 = _t77;
                                                    									L23:
                                                    									if(_v24 != 1) {
                                                    										continue;
                                                    									}
                                                    									goto L44;
                                                    								}
                                                    								_t78 = E00405BA5(_a8, _v16, _t101); // executed
                                                    								if(_t78 == 0) {
                                                    									goto L28;
                                                    								}
                                                    								_v8 = _v8 + _t101;
                                                    								goto L23;
                                                    							}
                                                    						}
                                                    						_push(0xfffffffc);
                                                    						goto L42;
                                                    					}
                                                    					goto L41;
                                                    				}
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CountTick$wsprintf
                                                    • String ID: (TA$(TA$... %d%%$?mA
                                                    • API String ID: 551687249-1330877741
                                                    • Opcode ID: 3a673b9f7453c760f6c1792c8fc342caba0986dfdf2a426a9d97dd1df172e485
                                                    • Instruction ID: f4b3021151c61e236b0315b1fcc5adb3b60be84788d5942dbd3e7f3cce39453d
                                                    • Opcode Fuzzy Hash: 3a673b9f7453c760f6c1792c8fc342caba0986dfdf2a426a9d97dd1df172e485
                                                    • Instruction Fuzzy Hash: 86517D71900219EBDB10DF65DA4469E7BB8EF48356F14853BE800BB2D0C7789E41CBAD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 893 40508c-4050a1 894 405157-40515b 893->894 895 4050a7-4050b9 893->895 896 4050c4-4050d0 lstrlenA 895->896 897 4050bb-4050bf call 405f87 895->897 898 4050d2-4050e2 lstrlenA 896->898 899 4050ed-4050f1 896->899 897->896 898->894 901 4050e4-4050e8 lstrcatA 898->901 902 405100-405104 899->902 903 4050f3-4050fa SetWindowTextA 899->903 901->899 904 405106-405148 SendMessageA * 3 902->904 905 40514a-40514c 902->905 903->902 904->905 905->894 906 40514e-405151 905->906 906->894
                                                    C-Code - Quality: 100%
                                                    			E0040508C(CHAR* _a4, CHAR* _a8) {
                                                    				struct HWND__* _v8;
                                                    				signed int _v12;
                                                    				CHAR* _v32;
                                                    				long _v44;
                                                    				int _v48;
                                                    				void* _v52;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				CHAR* _t26;
                                                    				signed int _t27;
                                                    				CHAR* _t28;
                                                    				long _t29;
                                                    				signed int _t39;
                                                    
                                                    				_t26 =  *0x42ebe4; // 0x10432
                                                    				_v8 = _t26;
                                                    				if(_t26 != 0) {
                                                    					_t27 =  *0x42f4d4;
                                                    					_v12 = _t27;
                                                    					_t39 = _t27 & 0x00000001;
                                                    					if(_t39 == 0) {
                                                    						E00405F87(0, _t39, 0x42a050, 0x42a050, _a4);
                                                    					}
                                                    					_t26 = lstrlenA(0x42a050);
                                                    					_a4 = _t26;
                                                    					if(_a8 == 0) {
                                                    						L6:
                                                    						if((_v12 & 0x00000004) == 0) {
                                                    							_t26 = SetWindowTextA( *0x42ebc8, 0x42a050); // executed
                                                    						}
                                                    						if((_v12 & 0x00000002) == 0) {
                                                    							_v32 = 0x42a050;
                                                    							_v52 = 1;
                                                    							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
                                                    							_v44 = 0;
                                                    							_v48 = _t29 - _t39;
                                                    							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
                                                    							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
                                                    						}
                                                    						if(_t39 != 0) {
                                                    							_t28 = _a4;
                                                    							 *((char*)(_t28 + 0x42a050)) = 0;
                                                    							return _t28;
                                                    						}
                                                    					} else {
                                                    						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                    						if(_t26 < 0x800) {
                                                    							_t26 = lstrcatA(0x42a050, _a8);
                                                    							goto L6;
                                                    						}
                                                    					}
                                                    				}
                                                    				return _t26;
                                                    			}


















                                                    APIs
                                                    • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,0041C028,7476EA30,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                                    • lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,0041C028,7476EA30,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                                    • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,0041C028,7476EA30), ref: 004050E8
                                                    • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll), ref: 004050FA
                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                                    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                                    • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                    • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll
                                                    • API String ID: 2531174081-2476765945
                                                    • Opcode ID: 6726e748f555af4487e9f26b6748d9644d7c6f8c225b3de0595c0d78e911238a
                                                    • Instruction ID: 508789985144291932d060d6ef0b432b589b283746e8f0e3613f73f9cddaab2c
                                                    • Opcode Fuzzy Hash: 6726e748f555af4487e9f26b6748d9644d7c6f8c225b3de0595c0d78e911238a
                                                    • Instruction Fuzzy Hash: 9E217A71A00518BFDB119FA5CD85EDFBFA9EB05354F14807AF944AA290C6398A418F98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 907 405552-40559d CreateDirectoryA 908 4055a3-4055b0 GetLastError 907->908 909 40559f-4055a1 907->909 910 4055ca-4055cc 908->910 911 4055b2-4055c6 SetFileSecurityA 908->911 909->910 911->909 912 4055c8 GetLastError 911->912 912->910
                                                    C-Code - Quality: 100%
                                                    			E00405552(CHAR* _a4) {
                                                    				struct _SECURITY_ATTRIBUTES _v16;
                                                    				struct _SECURITY_DESCRIPTOR _v36;
                                                    				int _t22;
                                                    				long _t23;
                                                    
                                                    				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                    				_v36.Owner = 0x408374;
                                                    				_v36.Group = 0x408374;
                                                    				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                    				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                    				_v16.lpSecurityDescriptor =  &_v36;
                                                    				_v36.Revision = 1;
                                                    				_v36.Control = 4;
                                                    				_v36.Dacl = 0x408364;
                                                    				_v16.nLength = 0xc;
                                                    				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                                    				if(_t22 != 0) {
                                                    					L1:
                                                    					return 0;
                                                    				}
                                                    				_t23 = GetLastError();
                                                    				if(_t23 == 0xb7) {
                                                    					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                                    						goto L1;
                                                    					}
                                                    					return GetLastError();
                                                    				}
                                                    				return _t23;
                                                    			}








                                                    APIs
                                                    • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405595
                                                    • GetLastError.KERNEL32 ref: 004055A9
                                                    • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055BE
                                                    • GetLastError.KERNEL32 ref: 004055C8
                                                    Strings
                                                    • C:\Users\user\Desktop, xrefs: 00405552
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405578
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                    • API String ID: 3449924974-2028306314
                                                    • Opcode ID: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                                    • Instruction ID: d93b5df8f7ffc7c008eac1e7bdc238e6dcac3e6f5ce479452586b7e310885e58
                                                    • Opcode Fuzzy Hash: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                                    • Instruction Fuzzy Hash: 550108B1C00219EADF11DBA1CD047EFBFB9EF04354F00803AD545B6290D77896088FA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 913 40628f-4062af GetSystemDirectoryA 914 4062b1 913->914 915 4062b3-4062b5 913->915 914->915 916 4062c5-4062c7 915->916 917 4062b7-4062bf 915->917 918 4062c8-4062fa wsprintfA LoadLibraryExA 916->918 917->916 919 4062c1-4062c3 917->919 919->918
                                                    C-Code - Quality: 100%
                                                    			E0040628F(intOrPtr _a4) {
                                                    				char _v292;
                                                    				int _t10;
                                                    				struct HINSTANCE__* _t14;
                                                    				void* _t16;
                                                    				void* _t21;
                                                    
                                                    				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                                    				if(_t10 > 0x104) {
                                                    					_t10 = 0;
                                                    				}
                                                    				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                                    					_t16 = 1;
                                                    				} else {
                                                    					_t16 = 0;
                                                    				}
                                                    				_t5 = _t16 + 0x40a014; // 0x5c
                                                    				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                                    				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                                                    				return _t14;
                                                    			}









                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32 ref: 004062A6
                                                    • wsprintfA.USER32 ref: 004062DF
                                                    • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                    • String ID: %s%s.dll$UXTHEME$\
                                                    • API String ID: 2200240437-4240819195
                                                    • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                    • Instruction ID: 90c405808a5079913e9fc86ee6967ca4c100a0af48b71fe7beb271d56a4ee20c
                                                    • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                    • Instruction Fuzzy Hash: 89F0F630510609AADB15AB64DD0DFEB365CAB08304F1405BEA686F11C1EA78E9398B99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 920 401ffd-402009 921 4020c4-4020c6 920->921 922 40200f-402025 call 402ac1 * 2 920->922 923 402237-40223c call 401423 921->923 933 402034-402042 LoadLibraryExA 922->933 934 402027-402032 GetModuleHandleA 922->934 929 402951-402960 923->929 930 402716-40271d 923->930 930->929 935 402044-402051 GetProcAddress 933->935 936 4020bd-4020bf 933->936 934->933 934->935 938 402090-402095 call 40508c 935->938 939 402053-402059 935->939 936->923 944 40209a-40209d 938->944 940 402072-402089 call 100016bd 939->940 941 40205b-402067 call 401423 939->941 946 40208b-40208e 940->946 941->944 952 402069-402070 941->952 944->929 947 4020a3-4020ab call 403755 944->947 946->944 947->929 951 4020b1-4020b8 FreeLibrary 947->951 951->929 952->944
                                                    C-Code - Quality: 60%
                                                    			E00401FFD(void* __ebx, void* __eflags) {
                                                    				struct HINSTANCE__* _t18;
                                                    				struct HINSTANCE__* _t26;
                                                    				void* _t27;
                                                    				struct HINSTANCE__* _t30;
                                                    				CHAR* _t32;
                                                    				intOrPtr* _t33;
                                                    				void* _t34;
                                                    
                                                    				_t27 = __ebx;
                                                    				asm("sbb eax, 0x42f4d8");
                                                    				 *(_t34 - 4) = 1;
                                                    				if(__eflags < 0) {
                                                    					_push(0xffffffe7);
                                                    					L15:
                                                    					E00401423();
                                                    					L16:
                                                    					 *0x42f4a8 =  *0x42f4a8 +  *(_t34 - 4);
                                                    					return 0;
                                                    				}
                                                    				_t32 = E00402AC1(0xfffffff0);
                                                    				 *(_t34 + 8) = E00402AC1(1);
                                                    				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                    					L3:
                                                    					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                                    					_t30 = _t18;
                                                    					if(_t30 == _t27) {
                                                    						_push(0xfffffff6);
                                                    						goto L15;
                                                    					}
                                                    					L4:
                                                    					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                    					if(_t33 == _t27) {
                                                    						E0040508C(0xfffffff7,  *(_t34 + 8));
                                                    					} else {
                                                    						 *(_t34 - 4) = _t27;
                                                    						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                    							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, "X]K", 0x40a000); // executed
                                                    						} else {
                                                    							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                    							if( *_t33() != 0) {
                                                    								 *(_t34 - 4) = 1;
                                                    							}
                                                    						}
                                                    					}
                                                    					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403755(_t30) != 0) {
                                                    						FreeLibrary(_t30); // executed
                                                    					}
                                                    					goto L16;
                                                    				}
                                                    				_t26 = GetModuleHandleA(_t32); // executed
                                                    				_t30 = _t26;
                                                    				if(_t30 != __ebx) {
                                                    					goto L4;
                                                    				}
                                                    				goto L3;
                                                    			}











                                                    APIs
                                                    • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028
                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,0041C028,7476EA30,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,0041C028,7476EA30,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                                      • Part of subcall function 0040508C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,00000000,0041C028,7476EA30), ref: 004050E8
                                                      • Part of subcall function 0040508C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll), ref: 004050FA
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                                    • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00402048
                                                    • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                    • String ID: X]K
                                                    • API String ID: 2987980305-1945443611
                                                    • Opcode ID: 344385d6562e94f53280d8f746c1f287a273f2558a62102750f58fdb2a953ff5
                                                    • Instruction ID: 3b54ba627a5d3606a08c88bc2c88048367fe0e0edc5ddf34d35ff9eabd327fef
                                                    • Opcode Fuzzy Hash: 344385d6562e94f53280d8f746c1f287a273f2558a62102750f58fdb2a953ff5
                                                    • Instruction Fuzzy Hash: A721DB71A04225ABCF207FA48E49B6E7670AB14358F20413BFB11B62D0CBBD4942966E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 954 405b2d-405b37 955 405b38-405b63 GetTickCount GetTempFileNameA 954->955 956 405b72-405b74 955->956 957 405b65-405b67 955->957 959 405b6c-405b6f 956->959 957->955 958 405b69 957->958 958->959
                                                    C-Code - Quality: 100%
                                                    			E00405B2D(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                    				char _t11;
                                                    				signed int _t12;
                                                    				int _t15;
                                                    				signed int _t17;
                                                    				void* _t20;
                                                    				CHAR* _t21;
                                                    
                                                    				_t21 = _a4;
                                                    				_t20 = 0x64;
                                                    				while(1) {
                                                    					_t11 =  *0x40a3b4; // 0x61736e
                                                    					_t20 = _t20 - 1;
                                                    					_a4 = _t11;
                                                    					_t12 = GetTickCount();
                                                    					_t17 = 0x1a;
                                                    					_a6 = _a6 + _t12 % _t17;
                                                    					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                                                    					if(_t15 != 0) {
                                                    						break;
                                                    					}
                                                    					if(_t20 != 0) {
                                                    						continue;
                                                    					}
                                                    					 *_t21 =  *_t21 & 0x00000000;
                                                    					return _t15;
                                                    				}
                                                    				return _t21;
                                                    			}










                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00405B41
                                                    • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B5B
                                                    Strings
                                                    • "C:\Users\user\Desktop\invoice.exe", xrefs: 00405B2D
                                                    • nsa, xrefs: 00405B38
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CountFileNameTempTick
                                                    • String ID: "C:\Users\user\Desktop\invoice.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                    • API String ID: 1716503409-2730699530
                                                    • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                    • Instruction ID: 439a7608ba980c1fff97265348ba0c774925dff8d33d3cb941cf273fff524f8a
                                                    • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                    • Instruction Fuzzy Hash: B0F082363042086BDB108F66DD04B9B7BA9DF91750F14803BFA48AA280D6B4E9588799
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 960 100016bd-100016f9 call 10001a5d 964 1000180a-1000180c 960->964 965 100016ff-10001703 960->965 966 10001705-1000170b call 100021b0 965->966 967 1000170c-10001719 call 100021fa 965->967 966->967 972 10001749-10001750 967->972 973 1000171b-10001720 967->973 974 10001770-10001774 972->974 975 10001752-1000176e call 100023d8 call 10001559 call 10001266 GlobalFree 972->975 976 10001722-10001723 973->976 977 1000173b-1000173e 973->977 981 100017b2-100017b8 call 100023d8 974->981 982 10001776-100017b0 call 10001559 call 100023d8 974->982 997 100017b9-100017bd 975->997 979 10001725-10001726 976->979 980 1000172b-1000172c call 100027e4 976->980 977->972 983 10001740-10001741 call 10002a9f 977->983 985 10001733-10001739 call 10002587 979->985 986 10001728-10001729 979->986 992 10001731 980->992 981->997 982->997 995 10001746 983->995 1001 10001748 985->1001 986->972 986->980 992->995 995->1001 1002 100017fa-10001801 997->1002 1003 100017bf-100017cd call 1000239e 997->1003 1001->972 1002->964 1008 10001803-10001804 GlobalFree 1002->1008 1010 100017e5-100017ec 1003->1010 1011 100017cf-100017d2 1003->1011 1008->964 1010->1002 1013 100017ee-100017f9 call 100014e2 1010->1013 1011->1010 1012 100017d4-100017dc 1011->1012 1012->1010 1014 100017de-100017df FreeLibrary 1012->1014 1013->1002 1014->1010
                                                    C-Code - Quality: 94%
                                                    			E100016BD(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                    				void _v36;
                                                    				struct HINSTANCE__* _t34;
                                                    				intOrPtr _t38;
                                                    				void* _t44;
                                                    				void* _t45;
                                                    				void* _t46;
                                                    				void* _t50;
                                                    				intOrPtr _t53;
                                                    				signed int _t57;
                                                    				signed int _t61;
                                                    				void* _t65;
                                                    				void* _t66;
                                                    				void* _t70;
                                                    				void* _t74;
                                                    
                                                    				_t74 = __esi;
                                                    				_t66 = __edi;
                                                    				_t65 = __edx;
                                                    				 *0x1000405c = _a8;
                                                    				 *0x10004060 = _a16;
                                                    				 *0x10004064 = _a12;
                                                    				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556);
                                                    				_push(1); // executed
                                                    				_t34 = E10001A5D(); // executed
                                                    				_t50 = _t34;
                                                    				if(_t50 == 0) {
                                                    					L28:
                                                    					return _t34;
                                                    				} else {
                                                    					if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                    						E100021B0(_t50);
                                                    					}
                                                    					E100021FA(_t65, _t50);
                                                    					_t53 =  *((intOrPtr*)(_t50 + 4));
                                                    					if(_t53 == 0xffffffff) {
                                                    						L14:
                                                    						if(( *(_t50 + 0x810) & 0x00000004) == 0) {
                                                    							if( *((intOrPtr*)(_t50 + 4)) == 0) {
                                                    								_t34 = E100023D8(_t50);
                                                    							} else {
                                                    								_push(_t74);
                                                    								_push(_t66);
                                                    								_t12 = _t50 + 0x818; // 0x818
                                                    								_t57 = 8;
                                                    								memcpy( &_v36, _t12, _t57 << 2);
                                                    								_t38 = E10001559(_t50);
                                                    								_t15 = _t50 + 0x818; // 0x818
                                                    								_t70 = _t15;
                                                    								 *((intOrPtr*)(_t50 + 0x820)) = _t38;
                                                    								 *_t70 = 3;
                                                    								E100023D8(_t50);
                                                    								_t61 = 8;
                                                    								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
                                                    							}
                                                    						} else {
                                                    							E100023D8(_t50);
                                                    							_t34 = GlobalFree(E10001266(E10001559(_t50)));
                                                    						}
                                                    						if( *((intOrPtr*)(_t50 + 4)) != 1) {
                                                    							_t34 = E1000239E(_t50);
                                                    							if(( *(_t50 + 0x810) & 0x00000040) != 0 &&  *_t50 == 1) {
                                                    								_t34 =  *(_t50 + 0x808);
                                                    								if(_t34 != 0) {
                                                    									_t34 = FreeLibrary(_t34);
                                                    								}
                                                    							}
                                                    							if(( *(_t50 + 0x810) & 0x00000020) != 0) {
                                                    								_t34 = E100014E2( *0x10004058);
                                                    							}
                                                    						}
                                                    						if(( *(_t50 + 0x810) & 0x00000002) != 0) {
                                                    							goto L28;
                                                    						} else {
                                                    							return GlobalFree(_t50);
                                                    						}
                                                    					}
                                                    					_t44 =  *_t50;
                                                    					if(_t44 == 0) {
                                                    						if(_t53 != 1) {
                                                    							goto L14;
                                                    						}
                                                    						E10002A9F(_t50);
                                                    						L12:
                                                    						_t50 = _t44;
                                                    						L13:
                                                    						goto L14;
                                                    					}
                                                    					_t45 = _t44 - 1;
                                                    					if(_t45 == 0) {
                                                    						L8:
                                                    						_t44 = E100027E4(_t53, _t50); // executed
                                                    						goto L12;
                                                    					}
                                                    					_t46 = _t45 - 1;
                                                    					if(_t46 == 0) {
                                                    						E10002587(_t50);
                                                    						goto L13;
                                                    					}
                                                    					if(_t46 != 1) {
                                                    						goto L14;
                                                    					}
                                                    					goto L8;
                                                    				}
                                                    			}


















                                                    APIs
                                                      • Part of subcall function 10001A5D: GlobalFree.KERNEL32 ref: 10001CC4
                                                      • Part of subcall function 10001A5D: GlobalFree.KERNEL32 ref: 10001CC9
                                                      • Part of subcall function 10001A5D: GlobalFree.KERNEL32 ref: 10001CCE
                                                    • GlobalFree.KERNEL32 ref: 10001768
                                                    • FreeLibrary.KERNEL32(?), ref: 100017DF
                                                    • GlobalFree.KERNEL32 ref: 10001804
                                                      • Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2
                                                      • Part of subcall function 10002587: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025F9
                                                      • Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.856054297.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.856040694.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856067293.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856081841.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$Alloc$Librarylstrcpy
                                                    • String ID:
                                                    • API String ID: 1791698881-3916222277
                                                    • Opcode ID: 87444a894296e8d40cc63a4c2e1c416a7af340e3bff12e61cd27f34ad68e5005
                                                    • Instruction ID: 474564f2ddd1a30fda7ef2e88bb39d7445f8f4f5c00c78564696995dcbc9c57a
                                                    • Opcode Fuzzy Hash: 87444a894296e8d40cc63a4c2e1c416a7af340e3bff12e61cd27f34ad68e5005
                                                    • Instruction Fuzzy Hash: C4319E79408205DAFB41DF649CC5BCA37ECFB042D5F118465FA0A9A09EDF78A8858B60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E004023D0(void* __eax, int __ebx, intOrPtr __edx) {
                                                    				void* _t18;
                                                    				void* _t19;
                                                    				int _t22;
                                                    				long _t23;
                                                    				int _t28;
                                                    				intOrPtr _t31;
                                                    				void* _t32;
                                                    				intOrPtr _t35;
                                                    				void* _t37;
                                                    				void* _t40;
                                                    
                                                    				_t31 = __edx;
                                                    				_t28 = __ebx;
                                                    				_t35 =  *((intOrPtr*)(_t37 - 0x18));
                                                    				_t32 = __eax;
                                                    				 *(_t37 - 0x3c) =  *(_t37 - 0x14);
                                                    				 *(_t37 - 0x34) = E00402AC1(2);
                                                    				_t18 = E00402AC1(0x11);
                                                    				 *(_t37 - 4) = 1;
                                                    				_t19 = E00402B51(_t40, _t32, _t18, 2); // executed
                                                    				 *(_t37 + 8) = _t19;
                                                    				if(_t19 != __ebx) {
                                                    					_t22 = 0;
                                                    					if(_t35 == 1) {
                                                    						E00402AC1(0x23);
                                                    						_t22 = lstrlenA(0x40ac18) + 1;
                                                    					}
                                                    					if(_t35 == 4) {
                                                    						 *0x40ac18 = E00402A9F(3);
                                                    						 *((intOrPtr*)(_t37 - 0x80)) = _t31;
                                                    						_t22 = _t35;
                                                    					}
                                                    					if(_t35 == 3) {
                                                    						_t22 = E00402F81( *((intOrPtr*)(_t37 - 0x1c)), _t28, 0x40ac18, 0xc00);
                                                    					}
                                                    					_t23 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x34), _t28,  *(_t37 - 0x3c), 0x40ac18, _t22); // executed
                                                    					if(_t23 == 0) {
                                                    						 *(_t37 - 4) = _t28;
                                                    					}
                                                    					_push( *(_t37 + 8));
                                                    					RegCloseKey();
                                                    				}
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *(_t37 - 4);
                                                    				return 0;
                                                    			}














                                                    APIs
                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp,00000023,00000011,00000002), ref: 0040241B
                                                    • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp,00000000,00000011,00000002), ref: 00402458
                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp,00000000,00000011,00000002), ref: 0040253C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CloseValuelstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp
                                                    • API String ID: 2655323295-1302241692
                                                    • Opcode ID: 0b155a889f0a1852a4c8b5c80891aed8b0995d715a5fa6eccbfd1d5d818aefb1
                                                    • Instruction ID: f3bc197a49376025d104d1766b7c26e04d62aafcfa214307c08bf0afb556c6f3
                                                    • Opcode Fuzzy Hash: 0b155a889f0a1852a4c8b5c80891aed8b0995d715a5fa6eccbfd1d5d818aefb1
                                                    • Instruction Fuzzy Hash: AD117271F00215BEDF10AFA59E89A9E7A74DB54314F20403AF908B61D1CAB84D419B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateFileA.KERNELBASE(00000000), ref: 100028A3
                                                    • GetLastError.KERNEL32 ref: 100029AA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.856054297.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.856040694.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856067293.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856081841.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CreateErrorFileLast
                                                    • String ID: @Mqt
                                                    • API String ID: 1214770103-2740872224
                                                    • Opcode ID: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
                                                    • Instruction ID: 7088a7f0c219bdfd589eed4d744adbaf06b55c7882bf085a68ef70f7e309f44b
                                                    • Opcode Fuzzy Hash: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
                                                    • Instruction Fuzzy Hash: 385194BA908215DFF711EF60D9C575937A8EB443E0F21842AEA08E721DDF34A9818B55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 87%
                                                    			E004015BB(char __ebx, void* __eflags) {
                                                    				void* _t13;
                                                    				int _t19;
                                                    				char _t21;
                                                    				void* _t22;
                                                    				char _t23;
                                                    				signed char _t24;
                                                    				char _t26;
                                                    				CHAR* _t28;
                                                    				char* _t32;
                                                    				void* _t33;
                                                    
                                                    				_t26 = __ebx;
                                                    				_t28 = E00402AC1(0xfffffff0);
                                                    				_t13 = E00405996(_t28);
                                                    				_t30 = _t13;
                                                    				if(_t13 != __ebx) {
                                                    					do {
                                                    						_t32 = E00405928(_t30, 0x5c);
                                                    						_t21 =  *_t32;
                                                    						 *_t32 = _t26;
                                                    						 *((char*)(_t33 + 0xb)) = _t21;
                                                    						if(_t21 != _t26) {
                                                    							L5:
                                                    							_t22 = E004055CF(_t28);
                                                    						} else {
                                                    							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                    							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004055EC(_t39) == 0) {
                                                    								goto L5;
                                                    							} else {
                                                    								_t22 = E00405552(_t28); // executed
                                                    							}
                                                    						}
                                                    						if(_t22 != _t26) {
                                                    							if(_t22 != 0xb7) {
                                                    								L9:
                                                    								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                    							} else {
                                                    								_t24 = GetFileAttributesA(_t28); // executed
                                                    								if((_t24 & 0x00000010) == 0) {
                                                    									goto L9;
                                                    								}
                                                    							}
                                                    						}
                                                    						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                    						 *_t32 = _t23;
                                                    						_t30 = _t32 + 1;
                                                    					} while (_t23 != _t26);
                                                    				}
                                                    				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                    					_push(0xfffffff5);
                                                    					E00401423();
                                                    				} else {
                                                    					E00401423(0xffffffe6);
                                                    					E00405F65("C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository\\Diskofils\\Justiciaryship", _t28);
                                                    					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                    					if(_t19 == 0) {
                                                    						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                    					}
                                                    				}
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t33 - 4));
                                                    				return 0;
                                                    			}














                                                    APIs
                                                      • Part of subcall function 00405996: CharNextA.USER32(?,?,0042BC78,?,00405A02,0042BC78,0042BC78,7476FA90,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A4
                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
                                                    • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                      • Part of subcall function 00405552: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405595
                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship,00000000,00000000,000000F0), ref: 0040163C
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship, xrefs: 00401631
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                    • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository\Diskofils\Justiciaryship
                                                    • API String ID: 1892508949-2002056710
                                                    • Opcode ID: 6e9d8b0bdd6535f5ad521cfe25d2546e39bd3477eb11d702e3e3618c9b95e55c
                                                    • Instruction ID: 323619fe81b3529d61600e1e0eff0ce417d4ac591c1c2d39a63079fc07480124
                                                    • Opcode Fuzzy Hash: 6e9d8b0bdd6535f5ad521cfe25d2546e39bd3477eb11d702e3e3618c9b95e55c
                                                    • Instruction Fuzzy Hash: 2B11C431608152EBCB217BA54D415BF2AB4DA96324B28093FE9D1B22E2D63D4D425A2E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E00405E4C(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                                                    				int _v8;
                                                    				long _t21;
                                                    				long _t24;
                                                    				char* _t30;
                                                    
                                                    				asm("sbb eax, eax");
                                                    				_v8 = 0x400;
                                                    				_t21 = E00405DEB(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
                                                    				_t30 = _a16;
                                                    				if(_t21 != 0) {
                                                    					L4:
                                                    					 *_t30 =  *_t30 & 0x00000000;
                                                    				} else {
                                                    					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
                                                    					_t21 = RegCloseKey(_a20);
                                                    					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
                                                    					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                    						goto L4;
                                                    					}
                                                    				}
                                                    				return _t21;
                                                    			}








                                                    APIs
                                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406090,80000002), ref: 00405E92
                                                    • RegCloseKey.ADVAPI32(?,?,00406090,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp\System.dll), ref: 00405E9D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue
                                                    • String ID: Call
                                                    • API String ID: 3356406503-1824292864
                                                    • Opcode ID: 792f73651c5f0961c7d778f0fa8b648c5274768340d5a4a072e3937443cccb1f
                                                    • Instruction ID: 9bec2c93df88531f10cf132d6bbbb6393b4a4aad9e102c5e2669e285c315f56d
                                                    • Opcode Fuzzy Hash: 792f73651c5f0961c7d778f0fa8b648c5274768340d5a4a072e3937443cccb1f
                                                    • Instruction Fuzzy Hash: B7015A72500619ABEF228F61CD09FDB3BACEF55365F00802AF955A2191D378DA54CBA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                    
                                                    				 *0x10004038 = _a4;
                                                    				if(_a8 == 1) {
                                                    					VirtualProtect(0x1000404c, 4, 0x40, 0x1000403c); // executed
                                                    					 *0x1000404c = 0xc2;
                                                    					 *0x1000403c = 0;
                                                    					 *0x10004044 = 0;
                                                    					 *0x10004058 = 0;
                                                    					 *0x10004048 = 0;
                                                    					 *0x10004040 = 0;
                                                    					 *0x10004050 = 0;
                                                    					 *0x1000404e = 0;
                                                    				}
                                                    				return 1;
                                                    			}




                                                    APIs
                                                    • VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002727
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.856054297.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.856040694.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856067293.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856081841.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_invoice.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID: `gqt@Mqt
                                                    • API String ID: 544645111-3052285678
                                                    • Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                                    • Instruction ID: e09dfa788fffc30199ef0a9f627684cb70e95bce5f527532b7ad3e980fb418b3
                                                    • Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                                    • Instruction Fuzzy Hash: 67F09BF19092A0DEF360DF688CC47063FE4E3983D5B03852AE358F6269EB7441448B19
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 84%
                                                    			E0040246D(int* __ebx, char* __esi) {
                                                    				void* _t17;
                                                    				char* _t18;
                                                    				long _t21;
                                                    				void* _t33;
                                                    				void* _t37;
                                                    				void* _t40;
                                                    
                                                    				_t35 = __esi;
                                                    				_t27 = __ebx;
                                                    				_t17 = E00402B01(_t40, 0x20019); // executed
                                                    				_t33 = _t17;
                                                    				_t18 = E00402AC1(0x33);
                                                    				 *__esi = __ebx;
                                                    				if(_t33 == __ebx) {
                                                    					 *(_t37 - 4) = 1;
                                                    				} else {
                                                    					 *(_t37 - 0x3c) = 0x400;
                                                    					_t21 = RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x3c); // executed
                                                    					if(_t21 != 0) {
                                                    						L7:
                                                    						 *_t35 = _t27;
                                                    						 *(_t37 - 4) = 1;
                                                    					} else {
                                                    						if( *(_t37 + 8) == 4) {
                                                    							__eflags =  *(_t37 - 0x18) - __ebx;
                                                    							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
                                                    							E00405EC3(__esi,  *__esi);
                                                    						} else {
                                                    							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
                                                    								 *(_t37 - 4) =  *(_t37 - 0x18);
                                                    								_t35[0x3ff] = _t27;
                                                    							} else {
                                                    								goto L7;
                                                    							}
                                                    						}
                                                    					}
                                                    					_push(_t33);
                                                    					RegCloseKey();
                                                    				}
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *(_t37 - 4);
                                                    				return 0;
                                                    			}










                                                    APIs
                                                    • RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040249D
                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsfE5AA.tmp,00000000,00000011,00000002), ref: 0040253C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue
                                                    • String ID:
                                                    • API String ID: 3356406503-0
                                                    • Opcode ID: d5f40faacd95a21481491f01a0c82694c2c8638f2aef99c4c7bd6aebdaa41cb0
                                                    • Instruction ID: 63e30908c11e451fd6d37fbe2862c18829a27713504d584fb03aa75526d5f0f4
                                                    • Opcode Fuzzy Hash: d5f40faacd95a21481491f01a0c82694c2c8638f2aef99c4c7bd6aebdaa41cb0
                                                    • Instruction Fuzzy Hash: 0D110471A00205EECB14CF64DA889AF7AB4DF04304F20403FE446B72C0D6B88A42DB29
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 59%
                                                    			E00401389(signed int _a4) {
                                                    				intOrPtr* _t6;
                                                    				void* _t8;
                                                    				void* _t10;
                                                    				signed int _t11;
                                                    				void* _t12;
                                                    				signed int _t16;
                                                    				signed int _t17;
                                                    				void* _t18;
                                                    
                                                    				_t17 = _a4;
                                                    				while(_t17 >= 0) {
                                                    					_t6 = _t17 * 0x1c +  *0x42f450;
                                                    					if( *_t6 == 1) {
                                                    						break;
                                                    					}
                                                    					_push(_t6); // executed
                                                    					_t8 = E00401434(); // executed
                                                    					if(_t8 == 0x7fffffff) {
                                                    						return 0x7fffffff;
                                                    					}
                                                    					_t10 = E0040136D(_t8);
                                                    					if(_t10 != 0) {
                                                    						_t11 = _t10 - 1;
                                                    						_t16 = _t17;
                                                    						_t17 = _t11;
                                                    						_t12 = _t11 - _t16;
                                                    					} else {
                                                    						_t12 = _t10 + 1;
                                                    						_t17 = _t17 + 1;
                                                    					}
                                                    					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                    						 *0x42ebec =  *0x42ebec + _t12;
                                                    						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ebec, 0x7530,  *0x42ebd4), 0); // executed
                                                    					}
                                                    				}
                                                    				return 0;
                                                    			}












                                                    APIs
                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                    • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                                                    • Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
                                                    • Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                                                    • Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ShowWindow.USER32(00000000,00000000), ref: 00401E43
                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401E4E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Window$EnableShow
                                                    • String ID:
                                                    • API String ID: 1136574915-0
                                                    • Opcode ID: a14bac78f0f093d0819e34cdb63e8fe71bbe50b719fbc7a327d4eb1dfebe48e0
                                                    • Instruction ID: 3dc443410be61cb95396677418e376cd67e931bc8a1c74ede8e95758ff339cf3
                                                    • Opcode Fuzzy Hash: a14bac78f0f093d0819e34cdb63e8fe71bbe50b719fbc7a327d4eb1dfebe48e0
                                                    • Instruction Fuzzy Hash: B3E01272B082129FD714EBB6AA495AE77B4EB40325B10403BE415F11D1DE7888419F5D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004062FD(signed int _a4) {
                                                    				struct HINSTANCE__* _t5;
                                                    				signed int _t10;
                                                    
                                                    				_t10 = _a4 << 3;
                                                    				_t8 =  *(_t10 + 0x40a240);
                                                    				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
                                                    				if(_t5 != 0) {
                                                    					L2:
                                                    					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
                                                    				}
                                                    				_t5 = E0040628F(_t8); // executed
                                                    				if(_t5 == 0) {
                                                    					return 0;
                                                    				}
                                                    				goto L2;
                                                    			}






                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                                                      • Part of subcall function 0040628F: GetSystemDirectoryA.KERNEL32 ref: 004062A6
                                                      • Part of subcall function 0040628F: wsprintfA.USER32 ref: 004062DF
                                                      • Part of subcall function 0040628F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                    • String ID:
                                                    • API String ID: 2547128583-0
                                                    • Opcode ID: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
                                                    • Instruction ID: 0a5867ae11c12db0e7684f2d0d3995392d51af775f5f68958dac655171f1c28e
                                                    • Opcode Fuzzy Hash: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
                                                    • Instruction Fuzzy Hash: 83E08C32604221ABD210AB749E0493B63A8EF98740306483EF94AF2240DB3C9C7296A9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 68%
                                                    			E00405AFE(CHAR* _a4, long _a8, long _a12) {
                                                    				signed int _t5;
                                                    				void* _t6;
                                                    
                                                    				_t5 = GetFileAttributesA(_a4); // executed
                                                    				asm("sbb ecx, ecx");
                                                    				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                    				return _t6;
                                                    			}





                                                    APIs
                                                    • GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00405B02
                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCreate
                                                    • String ID:
                                                    • API String ID: 415043291-0
                                                    • Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                    • Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
                                                    • Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                    • Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405AD9(CHAR* _a4) {
                                                    				signed char _t3;
                                                    				signed char _t7;
                                                    
                                                    				_t3 = GetFileAttributesA(_a4); // executed
                                                    				_t7 = _t3;
                                                    				if(_t7 != 0xffffffff) {
                                                    					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                    				}
                                                    				return _t7;
                                                    			}





                                                    APIs
                                                    • GetFileAttributesA.KERNELBASE(?,?,004056F1,?,?,00000000,004058D4,?,?,?,?), ref: 00405ADE
                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405AF2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                                    • Instruction ID: a8f15113e5c9b75401305b8f42f7b900fd80c9315a1f16fe78aaf2180abbdc87
                                                    • Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                                    • Instruction Fuzzy Hash: B8D0C972504122ABC2102728AE0889BBB55DB54271702CB35F9B9A26B1DB304C56AA98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004055CF(CHAR* _a4) {
                                                    				int _t2;
                                                    
                                                    				_t2 = CreateDirectoryA(_a4, 0); // executed
                                                    				if(_t2 == 0) {
                                                    					return GetLastError();
                                                    				}
                                                    				return 0;
                                                    			}




                                                    APIs
                                                    • CreateDirectoryA.KERNELBASE(?,00000000,004031E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 004055D5
                                                    • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055E3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryErrorLast
                                                    • String ID:
                                                    • API String ID: 1375471231-0
                                                    • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                    • Instruction ID: ff59ce228810ab0b399ea54ffc24e93d20618ce1ebfa51e1db99450e15aaec59
                                                    • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                    • Instruction Fuzzy Hash: FAC08C30200101ABDB010B318F08B073A62AB80380F0288396042E00B4CA308004C92E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004025C4(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                    				intOrPtr _t27;
                                                    				intOrPtr _t33;
                                                    				void* _t38;
                                                    				void* _t41;
                                                    
                                                    				_t33 = __edx;
                                                    				 *((intOrPtr*)(_t38 - 8)) = __ebx;
                                                    				_t27 = E00402A9F(2);
                                                    				_t41 = _t27 - 1;
                                                    				 *((intOrPtr*)(_t38 - 0x3c)) = _t33;
                                                    				 *((intOrPtr*)(_t38 - 0xc)) = _t27;
                                                    				if(_t41 < 0) {
                                                    					L24:
                                                    					 *0x42f4a8 =  *0x42f4a8 +  *(_t38 - 4);
                                                    				} else {
                                                    					__ecx = 0x3ff;
                                                    					if(__eax > 0x3ff) {
                                                    						 *((intOrPtr*)(__ebp - 0xc)) = 0x3ff;
                                                    					}
                                                    					if( *__esi == __bl) {
                                                    						L21:
                                                    						__esi =  *((intOrPtr*)(__ebp - 8));
                                                    						goto L22;
                                                    					} else {
                                                    						 *((char*)(__ebp + 0xb)) = __bl;
                                                    						 *(__ebp - 0x30) = E00405EDC(__ecx, __esi);
                                                    						if( *((intOrPtr*)(__ebp - 0xc)) <= __ebx) {
                                                    							goto L21;
                                                    						} else {
                                                    							__esi =  *((intOrPtr*)(__ebp - 8));
                                                    							while(1) {
                                                    								__eax = __ebp - 0xd;
                                                    								__eax = E00405B76( *(__ebp - 0x30), __ebp - 0xd, 1); // executed
                                                    								if(__eax == 0) {
                                                    									break;
                                                    								}
                                                    								if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
                                                    									 *(__ebp - 0xd) & 0x000000ff = E00405EC3(__edi,  *(__ebp - 0xd) & 0x000000ff);
                                                    								} else {
                                                    									if( *((char*)(__ebp + 0xb)) == 0xd ||  *((char*)(__ebp + 0xb)) == 0xa) {
                                                    										__al =  *(__ebp - 0xd);
                                                    										if( *((intOrPtr*)(__ebp + 0xb)) == __al || __al != 0xd && __al != 0xa) {
                                                    											__eax = SetFilePointer( *(__ebp - 0x30), 0xffffffff, __ebx, 1);
                                                    										} else {
                                                    											 *((char*)(__esi + __edi)) = __al;
                                                    											__esi = __esi + 1;
                                                    										}
                                                    										break;
                                                    									} else {
                                                    										__al =  *(__ebp - 0xd);
                                                    										 *((char*)(__esi + __edi)) = __al;
                                                    										__esi = __esi + 1;
                                                    										 *((char*)(__ebp + 0xb)) = __al;
                                                    										if(__al == __bl) {
                                                    											break;
                                                    										} else {
                                                    											if(__esi <  *((intOrPtr*)(__ebp - 0xc))) {
                                                    												continue;
                                                    											} else {
                                                    												break;
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    								goto L25;
                                                    							}
                                                    							L22:
                                                    							 *((char*)(__esi + __edi)) = __bl;
                                                    							if(_t41 == 0) {
                                                    								 *(_t38 - 4) = 1;
                                                    							}
                                                    							goto L24;
                                                    						}
                                                    					}
                                                    				}
                                                    				L25:
                                                    				return 0;
                                                    			}







                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: wsprintf
                                                    • String ID:
                                                    • API String ID: 2111968516-0
                                                    • Opcode ID: e235dcb744ebcc946608d91797e9ef60a83683288e53699933f586765b830fd2
                                                    • Instruction ID: 7874e25a1fd417281295b021b6ee833f9e9a2ca8db09fa59ccc2d9f5114d9ff1
                                                    • Opcode Fuzzy Hash: e235dcb744ebcc946608d91797e9ef60a83683288e53699933f586765b830fd2
                                                    • Instruction Fuzzy Hash: 33213B70D04299BECF318B689548AAEBF709F11304F14847FE4D0B62D1C5BE8A82CF19
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 40%
                                                    			E00402682(intOrPtr __edx, void* __eflags) {
                                                    				long _t7;
                                                    				long _t9;
                                                    				LONG* _t11;
                                                    				void* _t13;
                                                    				intOrPtr _t14;
                                                    				void* _t17;
                                                    				void* _t19;
                                                    
                                                    				_t14 = __edx;
                                                    				_push(ds);
                                                    				if(__eflags != 0) {
                                                    					_t7 = E00402A9F(2);
                                                    					_pop(_t13);
                                                    					 *((intOrPtr*)(_t19 - 0x3c)) = _t14;
                                                    					_t9 = SetFilePointer(E00405EDC(_t13, _t17), _t7, _t11,  *(_t19 - 0x1c)); // executed
                                                    					if( *((intOrPtr*)(_t19 - 0x24)) >= _t11) {
                                                    						_push(_t9);
                                                    						E00405EC3();
                                                    					}
                                                    				}
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t19 - 4));
                                                    				return 0;
                                                    			}










                                                    APIs
                                                    • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A0
                                                      • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: FilePointerwsprintf
                                                    • String ID:
                                                    • API String ID: 327478801-0
                                                    • Opcode ID: 7662d08dcc9a9cf2f1584379864cce10a11a63027859f8beda7d63d36f93d70d
                                                    • Instruction ID: f1c15ab6bd15a9d9cc501090f462d0785fe3296bea48be5e975bb3477ad6cc2f
                                                    • Opcode Fuzzy Hash: 7662d08dcc9a9cf2f1584379864cce10a11a63027859f8beda7d63d36f93d70d
                                                    • Instruction Fuzzy Hash: 49E06DB2B04216AED700BBA5AA49DBFBB68DB40314F20403BF544F10C1CA788D029B2D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405E19(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
                                                    				void* _t7;
                                                    				long _t8;
                                                    				void* _t9;
                                                    
                                                    				_t7 = E00405D70(_a4,  &_a12);
                                                    				if(_t7 != 0) {
                                                    					_t8 = RegCreateKeyExA(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
                                                    					return _t8;
                                                    				}
                                                    				_t9 = 6;
                                                    				return _t9;
                                                    			}







                                                    APIs
                                                    • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B72,00000000,?,?), ref: 00405E42
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                    • Instruction ID: bcdd098ccac6e5ba1724694a98921d4690075513e21ad273718db18b073b7b07
                                                    • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                    • Instruction Fuzzy Hash: 3FE0E67201050DBEDF095F50DD0EDBB371DEB14304F00492EFA55D4090E6B5AD209E74
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405B76(void* _a4, void* _a8, long _a12) {
                                                    				int _t7;
                                                    				long _t11;
                                                    
                                                    				_t11 = _a12;
                                                    				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                    				if(_t7 == 0 || _t11 != _a12) {
                                                    					return 0;
                                                    				} else {
                                                    					return 1;
                                                    				}
                                                    			}






                                                    APIs
                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031A6,00000000,00000000,00402FD0,000000FF,00000004,00000000,00000000,00000000), ref: 00405B8A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                                    • Instruction ID: d6e1a33fd195441beba49eedd959afadaf6b56434895abd4101947bffd5346ea
                                                    • Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                                    • Instruction Fuzzy Hash: 21E0EC3221065EABDF10AE559C04AEB7B6CEB05360F004437F915E3150D635F9219BA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405BA5(void* _a4, void* _a8, long _a12) {
                                                    				int _t7;
                                                    				long _t11;
                                                    
                                                    				_t11 = _a12;
                                                    				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                    				if(_t7 == 0 || _t11 != _a12) {
                                                    					return 0;
                                                    				} else {
                                                    					return 1;
                                                    				}
                                                    			}






                                                    APIs
                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040315C,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BB9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: FileWrite
                                                    • String ID:
                                                    • API String ID: 3934441357-0
                                                    • Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                                    • Instruction ID: 823d1a00ca840d25d454e1cdeec80758da7ba5e35e2b738bcb0e321267d0793f
                                                    • Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                                    • Instruction Fuzzy Hash: DEE0EC3222075EAFDF50AE559C00AEB7B7CEB05760F004437F925E2190E631F9219BAC
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405DEB(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
                                                    				void* _t7;
                                                    				long _t8;
                                                    				void* _t9;
                                                    
                                                    				_t7 = E00405D70(_a4,  &_a12);
                                                    				if(_t7 != 0) {
                                                    					_t8 = RegOpenKeyExA(_t7, _a8, 0, _a12, _a16); // executed
                                                    					return _t8;
                                                    				}
                                                    				_t9 = 6;
                                                    				return _t9;
                                                    			}







                                                    APIs
                                                    • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405E79,?,?,?,?,00000002,Call), ref: 00405E0F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Open
                                                    • String ID:
                                                    • API String ID: 71445658-0
                                                    • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                    • Instruction ID: dc79c12829c29cd0bf07e2dbeefb197667dc07549b84f10616122407915bdb74
                                                    • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                    • Instruction Fuzzy Hash: E4D0123210060DBBDF115F90ED05FAB371DEB48314F004826FE45A4091E775D670AF98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040159D() {
                                                    				int _t5;
                                                    				void* _t11;
                                                    				int _t14;
                                                    
                                                    				_t5 = SetFileAttributesA(E00402AC1(0xfffffff0),  *(_t11 - 0x24)); // executed
                                                    				_t14 = _t5;
                                                    				if(_t14 == 0) {
                                                    					 *((intOrPtr*)(_t11 - 4)) = 1;
                                                    				}
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t11 - 4));
                                                    				return 0;
                                                    			}







                                                    APIs
                                                    • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 5ad63c811bd6e2538171b99d50506fd6de1cb9b06f815e9fd29dad5dee90db35
                                                    • Instruction ID: 006896c4a7345e69559ade13805c89d17ea4f3f6c129434cfdd3d67a61d48342
                                                    • Opcode Fuzzy Hash: 5ad63c811bd6e2538171b99d50506fd6de1cb9b06f815e9fd29dad5dee90db35
                                                    • Instruction Fuzzy Hash: 10D012727081129BCB10EBA8AB48A9E77A49B50324B308137D515F31D1E6B9C945672D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00404072(int _a4) {
                                                    				struct HWND__* _t2;
                                                    				long _t3;
                                                    
                                                    				_t2 =  *0x42ebd8; // 0x1042c
                                                    				if(_t2 != 0) {
                                                    					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
                                                    					return _t3;
                                                    				}
                                                    				return _t2;
                                                    			}






                                                    APIs
                                                    • SendMessageA.USER32(0001042C,00000000,00000000,00000000), ref: 00404084
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
                                                    • Instruction ID: da44989f2a2ecf2e1eb1395d2787a6f6d01b979c61270caf9d732ef337717c06
                                                    • Opcode Fuzzy Hash: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
                                                    • Instruction Fuzzy Hash: B6C04C717406006AEA208B519E49F0677586750B11F1484397751F50D0C675E410DE1C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405647(struct _SHELLEXECUTEINFOA* _a4) {
                                                    				struct _SHELLEXECUTEINFOA* _t4;
                                                    				int _t5;
                                                    
                                                    				_t4 = _a4;
                                                    				_t4->lpIDList = _t4->lpIDList & 0x00000000;
                                                    				_t4->cbSize = 0x3c; // executed
                                                    				_t5 = ShellExecuteExA(_t4); // executed
                                                    				return _t5;
                                                    			}






                                                    APIs
                                                    • ShellExecuteExA.SHELL32(?,0040444B,?), ref: 00405656
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: ExecuteShell
                                                    • String ID:
                                                    • API String ID: 587946157-0
                                                    • Opcode ID: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
                                                    • Instruction ID: fedc52184ae6edd1acf052e6849869f1d6de8b7351bc39b82099fbd6471e80b9
                                                    • Opcode Fuzzy Hash: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
                                                    • Instruction Fuzzy Hash: ECC092B2000200DFE301CF90CB18F077BE8AF55306F028058E1C49A160C7788810CB69
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040405B(int _a4) {
                                                    				long _t2;
                                                    
                                                    				_t2 = SendMessageA( *0x42f408, 0x28, _a4, 1); // executed
                                                    				return _t2;
                                                    			}





                                                    APIs
                                                    • SendMessageA.USER32(00000028,?,00000001,00403E8B), ref: 00404069
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004031A9(long _a4) {
                                                    				long _t2;
                                                    
                                                    				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                    				return _t2;
                                                    			}





                                                    APIs
                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 004031B7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00404048(int _a4) {
                                                    				int _t2;
                                                    
                                                    				_t2 = EnableWindow( *0x42a86c, _a4); // executed
                                                    				return _t2;
                                                    			}





                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL(?,00403E24), ref: 00404052
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CallbackDispatcherUser
                                                    • String ID:
                                                    • API String ID: 2492992576-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405928(CHAR* _a4, intOrPtr _a8) {
                                                    				CHAR* _t3;
                                                    				char _t4;
                                                    
                                                    				_t3 = _a4;
                                                    				while(1) {
                                                    					_t4 =  *_t3;
                                                    					if(_t4 == 0) {
                                                    						break;
                                                    					}
                                                    					if(_t4 != _a8) {
                                                    						_t3 = CharNextA(_t3); // executed
                                                    						continue;
                                                    					}
                                                    					break;
                                                    				}
                                                    				return _t3;
                                                    			}






                                                    APIs
                                                    • CharNextA.USER32(?,00403300,"C:\Users\user\Desktop\invoice.exe",00000020,?,00000006,00000008,0000000A), ref: 00405935
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CharNext
                                                    • String ID:
                                                    • API String ID: 3213498283-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E10001215() {
                                                    				void* _t1;
                                                    
                                                    				_t1 = GlobalAlloc(0x40,  *0x1000405c); // executed
                                                    				return _t1;
                                                    			}





                                                    APIs
                                                    • GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.856054297.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.856040694.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856067293.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856081841.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_invoice.jbxd
                                                    Similarity
                                                    • API ID: AllocGlobal
                                                    • String ID:
                                                    • API String ID: 3761449716-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 96%
                                                    			E00404A09(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                    				struct HWND__* _v8;
                                                    				struct HWND__* _v12;
                                                    				signed int _v16;
                                                    				signed int _v20;
                                                    				intOrPtr _v24;
                                                    				signed char* _v28;
                                                    				long _v32;
                                                    				signed int _v40;
                                                    				int _v44;
                                                    				signed int* _v56;
                                                    				signed char* _v60;
                                                    				signed int _v64;
                                                    				long _v68;
                                                    				void* _v72;
                                                    				intOrPtr _v76;
                                                    				intOrPtr _v80;
                                                    				void* _v84;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t192;
                                                    				int _t194;
                                                    				intOrPtr _t195;
                                                    				intOrPtr _t197;
                                                    				long _t201;
                                                    				signed int _t205;
                                                    				signed int _t216;
                                                    				void* _t219;
                                                    				void* _t220;
                                                    				int _t226;
                                                    				signed int _t231;
                                                    				signed int _t232;
                                                    				signed int _t233;
                                                    				signed int _t239;
                                                    				signed int _t241;
                                                    				signed char _t242;
                                                    				signed char _t248;
                                                    				void* _t252;
                                                    				void* _t254;
                                                    				signed char* _t270;
                                                    				signed char _t271;
                                                    				long _t273;
                                                    				long _t276;
                                                    				int _t277;
                                                    				int _t282;
                                                    				signed int _t283;
                                                    				long _t284;
                                                    				signed int _t287;
                                                    				signed int _t294;
                                                    				int _t295;
                                                    				int _t296;
                                                    				signed char* _t302;
                                                    				struct HWND__* _t306;
                                                    				int _t307;
                                                    				signed int* _t308;
                                                    				int _t309;
                                                    				long _t310;
                                                    				signed int _t311;
                                                    				void* _t313;
                                                    				long _t314;
                                                    				int _t315;
                                                    				signed int _t316;
                                                    				void* _t318;
                                                    
                                                    				_t306 = _a4;
                                                    				_v12 = GetDlgItem(_t306, 0x3f9);
                                                    				_v8 = GetDlgItem(_t306, 0x408);
                                                    				_t318 = SendMessageA;
                                                    				_v20 =  *0x42f448;
                                                    				_t282 = 0;
                                                    				_v24 =  *0x42f414 + 0x94;
                                                    				if(_a8 != 0x110) {
                                                    					L23:
                                                    					if(_a8 != 0x405) {
                                                    						_t285 = _a16;
                                                    					} else {
                                                    						_a12 = _t282;
                                                    						_t285 = 1;
                                                    						_a8 = 0x40f;
                                                    						_a16 = 1;
                                                    					}
                                                    					if(_a8 == 0x4e || _a8 == 0x413) {
                                                    						_v16 = _t285;
                                                    						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
                                                    							if(( *0x42f41d & 0x00000002) != 0) {
                                                    								L41:
                                                    								if(_v16 != _t282) {
                                                    									_t231 = _v16;
                                                    									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
                                                    										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c));
                                                    									}
                                                    									_t232 = _v16;
                                                    									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
                                                    										_t285 = _v20;
                                                    										_t233 =  *(_t232 + 0x5c);
                                                    										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
                                                    											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
                                                    										} else {
                                                    											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
                                                    										}
                                                    									}
                                                    								}
                                                    								goto L48;
                                                    							}
                                                    							if(_a8 == 0x413) {
                                                    								L33:
                                                    								_t285 = 0 | _a8 != 0x00000413;
                                                    								_t239 = E00404957(_v8, _a8 != 0x413);
                                                    								_t311 = _t239;
                                                    								if(_t311 >= _t282) {
                                                    									_t88 = _v20 + 8; // 0x8
                                                    									_t285 = _t239 * 0x418 + _t88;
                                                    									_t241 =  *_t285;
                                                    									if((_t241 & 0x00000010) == 0) {
                                                    										if((_t241 & 0x00000040) == 0) {
                                                    											_t242 = _t241 ^ 0x00000001;
                                                    										} else {
                                                    											_t248 = _t241 ^ 0x00000080;
                                                    											if(_t248 >= 0) {
                                                    												_t242 = _t248 & 0x000000fe;
                                                    											} else {
                                                    												_t242 = _t248 | 0x00000001;
                                                    											}
                                                    										}
                                                    										 *_t285 = _t242;
                                                    										E0040117D(_t311);
                                                    										_a12 = _t311 + 1;
                                                    										_a16 =  !( *0x42f41c) >> 0x00000008 & 0x00000001;
                                                    										_a8 = 0x40f;
                                                    									}
                                                    								}
                                                    								goto L41;
                                                    							}
                                                    							_t285 = _a16;
                                                    							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                    								goto L41;
                                                    							}
                                                    							goto L33;
                                                    						} else {
                                                    							goto L48;
                                                    						}
                                                    					} else {
                                                    						L48:
                                                    						if(_a8 != 0x111) {
                                                    							L56:
                                                    							if(_a8 == 0x200) {
                                                    								SendMessageA(_v8, 0x200, _t282, _t282);
                                                    							}
                                                    							if(_a8 == 0x40b) {
                                                    								_t219 =  *0x42a854; // 0x0
                                                    								if(_t219 != _t282) {
                                                    									ImageList_Destroy(_t219);
                                                    								}
                                                    								_t220 =  *0x42a868; // 0x0
                                                    								if(_t220 != _t282) {
                                                    									GlobalFree(_t220);
                                                    								}
                                                    								 *0x42a854 = _t282;
                                                    								 *0x42a868 = _t282;
                                                    								 *0x42f480 = _t282;
                                                    							}
                                                    							if(_a8 != 0x40f) {
                                                    								L88:
                                                    								if(_a8 == 0x420 && ( *0x42f41d & 0x00000001) != 0) {
                                                    									_t307 = (0 | _a16 == 0x00000020) << 3;
                                                    									ShowWindow(_v8, _t307);
                                                    									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
                                                    								}
                                                    								goto L91;
                                                    							} else {
                                                    								E004011EF(_t285, _t282, _t282);
                                                    								_t192 = _a12;
                                                    								if(_t192 != _t282) {
                                                    									if(_t192 != 0xffffffff) {
                                                    										_t192 = _t192 - 1;
                                                    									}
                                                    									_push(_t192);
                                                    									_push(8);
                                                    									E004049D7();
                                                    								}
                                                    								if(_a16 == _t282) {
                                                    									L75:
                                                    									E004011EF(_t285, _t282, _t282);
                                                    									_t194 =  *0x42a868; // 0x0
                                                    									_v32 = _t194;
                                                    									_t195 =  *0x42f448;
                                                    									_v60 = 0xf030;
                                                    									_v20 = _t282;
                                                    									if( *0x42f44c <= _t282) {
                                                    										L86:
                                                    										InvalidateRect(_v8, _t282, 1);
                                                    										_t197 =  *0x42ebdc; // 0x49bd31
                                                    										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
                                                    											E00404912(0x3ff, 0xfffffffb, E0040492A(5));
                                                    										}
                                                    										goto L88;
                                                    									}
                                                    									_t308 = _t195 + 8;
                                                    									do {
                                                    										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
                                                    										if(_t201 != _t282) {
                                                    											_t287 =  *_t308;
                                                    											_v68 = _t201;
                                                    											_v72 = 8;
                                                    											if((_t287 & 0x00000001) != 0) {
                                                    												_v72 = 9;
                                                    												_v56 =  &(_t308[4]);
                                                    												_t308[0] = _t308[0] & 0x000000fe;
                                                    											}
                                                    											if((_t287 & 0x00000040) == 0) {
                                                    												_t205 = (_t287 & 0x00000001) + 1;
                                                    												if((_t287 & 0x00000010) != 0) {
                                                    													_t205 = _t205 + 3;
                                                    												}
                                                    											} else {
                                                    												_t205 = 3;
                                                    											}
                                                    											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
                                                    											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                    											SendMessageA(_v8, 0x110d, _t282,  &_v72);
                                                    										}
                                                    										_v20 = _v20 + 1;
                                                    										_t308 =  &(_t308[0x106]);
                                                    									} while (_v20 <  *0x42f44c);
                                                    									goto L86;
                                                    								} else {
                                                    									_t309 = E004012E2( *0x42a868);
                                                    									E00401299(_t309);
                                                    									_t216 = 0;
                                                    									_t285 = 0;
                                                    									if(_t309 <= _t282) {
                                                    										L74:
                                                    										SendMessageA(_v12, 0x14e, _t285, _t282);
                                                    										_a16 = _t309;
                                                    										_a8 = 0x420;
                                                    										goto L75;
                                                    									} else {
                                                    										goto L71;
                                                    									}
                                                    									do {
                                                    										L71:
                                                    										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
                                                    											_t285 = _t285 + 1;
                                                    										}
                                                    										_t216 = _t216 + 1;
                                                    									} while (_t216 < _t309);
                                                    									goto L74;
                                                    								}
                                                    							}
                                                    						}
                                                    						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                    							goto L91;
                                                    						} else {
                                                    							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
                                                    							if(_t226 == 0xffffffff) {
                                                    								goto L91;
                                                    							}
                                                    							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
                                                    							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
                                                    								_t310 = 0x20;
                                                    							}
                                                    							E00401299(_t310);
                                                    							SendMessageA(_a4, 0x420, _t282, _t310);
                                                    							_a12 = _a12 | 0xffffffff;
                                                    							_a16 = _t282;
                                                    							_a8 = 0x40f;
                                                    							goto L56;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					_v32 = 0;
                                                    					_v16 = 2;
                                                    					 *0x42f480 = _t306;
                                                    					 *0x42a868 = GlobalAlloc(0x40,  *0x42f44c << 2);
                                                    					_t252 = LoadBitmapA( *0x42f400, 0x6e);
                                                    					 *0x42a85c =  *0x42a85c | 0xffffffff;
                                                    					_t313 = _t252;
                                                    					 *0x42a864 = SetWindowLongA(_v8, 0xfffffffc, E00405000);
                                                    					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                    					 *0x42a854 = _t254;
                                                    					ImageList_AddMasked(_t254, _t313, 0xff00ff);
                                                    					SendMessageA(_v8, 0x1109, 2,  *0x42a854);
                                                    					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                                    						SendMessageA(_v8, 0x111b, 0x10, 0);
                                                    					}
                                                    					DeleteObject(_t313);
                                                    					_t314 = 0;
                                                    					do {
                                                    						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
                                                    						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
                                                    							if(_t314 != 0x20) {
                                                    								_v16 = _t282;
                                                    							}
                                                    							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t282, E00405F87(_t282, _t314, _t318, _t282, _t260)), _t314);
                                                    						}
                                                    						_t314 = _t314 + 1;
                                                    					} while (_t314 < 0x21);
                                                    					_t315 = _a16;
                                                    					_t283 = _v16;
                                                    					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
                                                    					_push(0x15);
                                                    					E00404026(_a4);
                                                    					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
                                                    					_push(0x16);
                                                    					E00404026(_a4);
                                                    					_t316 = 0;
                                                    					_t284 = 0;
                                                    					if( *0x42f44c <= 0) {
                                                    						L19:
                                                    						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                    						goto L20;
                                                    					} else {
                                                    						_t302 = _v20 + 8;
                                                    						_v28 = _t302;
                                                    						do {
                                                    							_t270 =  &(_t302[0x10]);
                                                    							if( *_t270 != 0) {
                                                    								_v60 = _t270;
                                                    								_t271 =  *_t302;
                                                    								_t294 = 0x20;
                                                    								_v84 = _t284;
                                                    								_v80 = 0xffff0002;
                                                    								_v76 = 0xd;
                                                    								_v64 = _t294;
                                                    								_v40 = _t316;
                                                    								_v68 = _t271 & _t294;
                                                    								if((_t271 & 0x00000002) == 0) {
                                                    									if((_t271 & 0x00000004) == 0) {
                                                    										_t273 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                    										_t295 =  *0x42a868; // 0x0
                                                    										 *(_t295 + _t316 * 4) = _t273;
                                                    									} else {
                                                    										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
                                                    									}
                                                    								} else {
                                                    									_v76 = 0x4d;
                                                    									_v44 = 1;
                                                    									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                    									_t296 =  *0x42a868; // 0x0
                                                    									_v32 = 1;
                                                    									 *(_t296 + _t316 * 4) = _t276;
                                                    									_t277 =  *0x42a868; // 0x0
                                                    									_t284 =  *(_t277 + _t316 * 4);
                                                    								}
                                                    							}
                                                    							_t316 = _t316 + 1;
                                                    							_t302 =  &(_v28[0x418]);
                                                    							_v28 = _t302;
                                                    						} while (_t316 <  *0x42f44c);
                                                    						if(_v32 != 0) {
                                                    							L20:
                                                    							if(_v16 != 0) {
                                                    								E0040405B(_v8);
                                                    								_t282 = 0;
                                                    								goto L23;
                                                    							} else {
                                                    								ShowWindow(_v12, 5);
                                                    								E0040405B(_v12);
                                                    								L91:
                                                    								return E0040408D(_a8, _a12, _a16);
                                                    							}
                                                    						}
                                                    						goto L19;
                                                    					}
                                                    				}
                                                    			}


































































                                                    0x00404c6e
                                                    0x00404c73
                                                    0x00000000
                                                    0x00404c53
                                                    0x00404c58
                                                    0x00404c61
                                                    0x00404feb
                                                    0x00404ffd
                                                    0x00404ffd
                                                    0x00404c51
                                                    0x00000000
                                                    0x00404c32
                                                    0x00404b6a

                                                    APIs
                                                    • GetDlgItem.USER32 ref: 00404A21
                                                    • GetDlgItem.USER32 ref: 00404A2C
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A76
                                                    • LoadBitmapA.USER32 ref: 00404A89
                                                    • SetWindowLongA.USER32 ref: 00404AA2
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AB6
                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AC8
                                                    • SendMessageA.USER32(?,00001109,00000002), ref: 00404ADE
                                                    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AEA
                                                    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AFC
                                                    • DeleteObject.GDI32(00000000), ref: 00404AFF
                                                    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B2A
                                                    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B36
                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BCB
                                                    • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BF6
                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C0A
                                                    • GetWindowLongA.USER32 ref: 00404C39
                                                    • SetWindowLongA.USER32 ref: 00404C47
                                                    • ShowWindow.USER32(?,00000005), ref: 00404C58
                                                    • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D55
                                                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DBA
                                                    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DCF
                                                    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DF3
                                                    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E13
                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 00404E28
                                                    • GlobalFree.KERNEL32 ref: 00404E38
                                                    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EB1
                                                    • SendMessageA.USER32(?,00001102,?,?), ref: 00404F5A
                                                    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F69
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F89
                                                    • ShowWindow.USER32(?,00000000), ref: 00404FD7
                                                    • GetDlgItem.USER32 ref: 00404FE2
                                                    • ShowWindow.USER32(00000000), ref: 00404FE9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                    • String ID: $M$N
                                                    • API String ID: 1638840714-813528018
                                                    • Opcode ID: 7e23995b76108e92cb9e54bee6c6a3cf5fdfe82eb0d160314d46ac34ca410947
                                                    • Instruction ID: 5e7fd9033250abe3372a8cc080de2667683fe8f184775387c018329cb0bba4e6
                                                    • Opcode Fuzzy Hash: 7e23995b76108e92cb9e54bee6c6a3cf5fdfe82eb0d160314d46ac34ca410947
                                                    • Instruction Fuzzy Hash: 9502A1B0A00209AFEB20DF55DD85AAE7BB5FB84315F14413AFA10B62E1C7789D42CF58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 78%
                                                    			E00404496(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                    				signed int _v8;
                                                    				signed int _v12;
                                                    				long _v16;
                                                    				long _v20;
                                                    				long _v24;
                                                    				char _v28;
                                                    				intOrPtr _v32;
                                                    				long _v36;
                                                    				char _v40;
                                                    				unsigned int _v44;
                                                    				signed int _v48;
                                                    				CHAR* _v56;
                                                    				intOrPtr _v60;
                                                    				intOrPtr _v64;
                                                    				intOrPtr _v68;
                                                    				CHAR* _v72;
                                                    				void _v76;
                                                    				struct HWND__* _v80;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				intOrPtr _t82;
                                                    				long _t87;
                                                    				signed char* _t89;
                                                    				void* _t95;
                                                    				signed int _t96;
                                                    				int _t109;
                                                    				signed char _t114;
                                                    				signed int _t118;
                                                    				struct HWND__** _t122;
                                                    				intOrPtr* _t138;
                                                    				CHAR* _t146;
                                                    				intOrPtr _t147;
                                                    				unsigned int _t150;
                                                    				signed int _t152;
                                                    				unsigned int _t156;
                                                    				signed int _t158;
                                                    				signed int* _t159;
                                                    				signed char* _t160;
                                                    				struct HWND__* _t165;
                                                    				struct HWND__* _t166;
                                                    				int _t168;
                                                    				unsigned int _t197;
                                                    				void* _t205;
                                                    
                                                    				_t156 = __edx;
                                                    				_t82 =  *0x42a048; // 0x49a02c
                                                    				_v32 = _t82;
                                                    				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
                                                    				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                    				if(_a8 == 0x40b) {
                                                    					E00405665(0x3fb, _t146);
                                                    					E004061CF(_t146);
                                                    				}
                                                    				_t166 = _a4;
                                                    				if(_a8 != 0x110) {
                                                    					L8:
                                                    					if(_a8 != 0x111) {
                                                    						L20:
                                                    						if(_a8 == 0x40f) {
                                                    							L22:
                                                    							_v8 = _v8 & 0x00000000;
                                                    							_v12 = _v12 & 0x00000000;
                                                    							E00405665(0x3fb, _t146);
                                                    							if(E004059EB(_t185, _t146) == 0) {
                                                    								_v8 = 1;
                                                    							}
                                                    							E00405F65(0x429840, _t146);
                                                    							_t87 = E004062FD(1);
                                                    							_v16 = _t87;
                                                    							if(_t87 == 0) {
                                                    								L30:
                                                    								E00405F65(0x429840, _t146);
                                                    								_t89 = E00405996(0x429840);
                                                    								_t158 = 0;
                                                    								if(_t89 != 0) {
                                                    									 *_t89 =  *_t89 & 0x00000000;
                                                    								}
                                                    								if(GetDiskFreeSpaceA(0x429840,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                    									goto L35;
                                                    								} else {
                                                    									_t168 = 0x400;
                                                    									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                    									asm("cdq");
                                                    									_v48 = _t109;
                                                    									_v44 = _t156;
                                                    									_v12 = 1;
                                                    									goto L36;
                                                    								}
                                                    							} else {
                                                    								_t159 = 0;
                                                    								if(0 == 0x429840) {
                                                    									goto L30;
                                                    								} else {
                                                    									goto L26;
                                                    								}
                                                    								while(1) {
                                                    									L26:
                                                    									_t114 = _v16(0x429840,  &_v48,  &_v28,  &_v40);
                                                    									if(_t114 != 0) {
                                                    										break;
                                                    									}
                                                    									if(_t159 != 0) {
                                                    										 *_t159 =  *_t159 & _t114;
                                                    									}
                                                    									_t160 = E00405944(0x429840);
                                                    									 *_t160 =  *_t160 & 0x00000000;
                                                    									_t159 = _t160 - 1;
                                                    									 *_t159 = 0x5c;
                                                    									if(_t159 != 0x429840) {
                                                    										continue;
                                                    									} else {
                                                    										goto L30;
                                                    									}
                                                    								}
                                                    								_t150 = _v44;
                                                    								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                    								_v44 = _t150 >> 0xa;
                                                    								_v12 = 1;
                                                    								_t158 = 0;
                                                    								__eflags = 0;
                                                    								L35:
                                                    								_t168 = 0x400;
                                                    								L36:
                                                    								_t95 = E0040492A(5);
                                                    								if(_v12 != _t158) {
                                                    									_t197 = _v44;
                                                    									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                    										_v8 = 2;
                                                    									}
                                                    								}
                                                    								_t147 =  *0x42ebdc; // 0x49bd31
                                                    								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                    									E00404912(0x3ff, 0xfffffffb, _t95);
                                                    									if(_v12 == _t158) {
                                                    										SetDlgItemTextA(_a4, _t168, 0x429830);
                                                    									} else {
                                                    										E0040484D(_t168, 0xfffffffc, _v48, _v44);
                                                    									}
                                                    								}
                                                    								_t96 = _v8;
                                                    								 *0x42f4c4 = _t96;
                                                    								if(_t96 == _t158) {
                                                    									_v8 = E0040140B(7);
                                                    								}
                                                    								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                    									_v8 = _t158;
                                                    								}
                                                    								E00404048(0 | _v8 == _t158);
                                                    								if(_v8 == _t158) {
                                                    									_t205 =  *0x42a860 - _t158; // 0x0
                                                    									if(_t205 == 0) {
                                                    										E004043EF();
                                                    									}
                                                    								}
                                                    								 *0x42a860 = _t158;
                                                    								goto L53;
                                                    							}
                                                    						}
                                                    						_t185 = _a8 - 0x405;
                                                    						if(_a8 != 0x405) {
                                                    							goto L53;
                                                    						}
                                                    						goto L22;
                                                    					}
                                                    					_t118 = _a12 & 0x0000ffff;
                                                    					if(_t118 != 0x3fb) {
                                                    						L12:
                                                    						if(_t118 == 0x3e9) {
                                                    							_t152 = 7;
                                                    							memset( &_v76, 0, _t152 << 2);
                                                    							_v80 = _t166;
                                                    							_v72 = 0x42a870;
                                                    							_v60 = E004047E7;
                                                    							_v56 = _t146;
                                                    							_v68 = E00405F87(_t146, 0x42a870, _t166, 0x429c48, _v12);
                                                    							_t122 =  &_v80;
                                                    							_v64 = 0x41;
                                                    							__imp__SHBrowseForFolderA(_t122);
                                                    							if(_t122 == 0) {
                                                    								_a8 = 0x40f;
                                                    							} else {
                                                    								__imp__CoTaskMemFree(_t122);
                                                    								E004058FD(_t146);
                                                    								_t125 =  *((intOrPtr*)( *0x42f414 + 0x11c));
                                                    								if( *((intOrPtr*)( *0x42f414 + 0x11c)) != 0 && _t146 == "C:\\Users\\jones\\AppData\\Local\\Microsoft\\Windows\\INetCache\\predepository") {
                                                    									E00405F87(_t146, 0x42a870, _t166, 0, _t125);
                                                    									if(lstrcmpiA(0x42e3a0, 0x42a870) != 0) {
                                                    										lstrcatA(_t146, 0x42e3a0);
                                                    									}
                                                    								}
                                                    								 *0x42a860 =  *0x42a860 + 1;
                                                    								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                    							}
                                                    						}
                                                    						goto L20;
                                                    					}
                                                    					if(_a12 >> 0x10 != 0x300) {
                                                    						goto L53;
                                                    					} else {
                                                    						_a8 = 0x40f;
                                                    						goto L12;
                                                    					}
                                                    				} else {
                                                    					_t165 = GetDlgItem(_t166, 0x3fb);
                                                    					if(E0040596A(_t146) != 0 && E00405996(_t146) == 0) {
                                                    						E004058FD(_t146);
                                                    					}
                                                    					 *0x42ebd8 = _t166;
                                                    					SetWindowTextA(_t165, _t146);
                                                    					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                    					_push(1);
                                                    					E00404026(_t166);
                                                    					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                    					_push(0x14);
                                                    					E00404026(_t166);
                                                    					E0040405B(_t165);
                                                    					_t138 = E004062FD(7);
                                                    					if(_t138 == 0) {
                                                    						L53:
                                                    						return E0040408D(_a8, _a12, _a16);
                                                    					} else {
                                                    						 *_t138(_t165, 1);
                                                    						goto L8;
                                                    					}
                                                    				}
                                                    			}

                                                    0x00000000
                                                    0x004047cc
                                                    0x0040467b
                                                    0x00404632
                                                    0x00404639
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00404639
                                                    0x00404558
                                                    0x00404561
                                                    0x0040457b
                                                    0x00404580
                                                    0x0040458a
                                                    0x00404591
                                                    0x0040459d
                                                    0x004045a0
                                                    0x004045a3
                                                    0x004045aa
                                                    0x004045b2
                                                    0x004045b5
                                                    0x004045b9
                                                    0x004045c0
                                                    0x004045c8
                                                    0x00404622
                                                    0x004045ca
                                                    0x004045cb
                                                    0x004045d2
                                                    0x004045dc
                                                    0x004045e4
                                                    0x004045f1
                                                    0x00404605
                                                    0x00404609
                                                    0x00404609
                                                    0x00404605
                                                    0x0040460e
                                                    0x0040461b
                                                    0x0040461b
                                                    0x004045c8
                                                    0x00000000
                                                    0x00404580
                                                    0x0040456e
                                                    0x00000000
                                                    0x00404574
                                                    0x00404574
                                                    0x00000000
                                                    0x00404574
                                                    0x004044df
                                                    0x004044ec
                                                    0x004044f5
                                                    0x00404502
                                                    0x00404502
                                                    0x00404509
                                                    0x0040450f
                                                    0x00404518
                                                    0x0040451b
                                                    0x0040451e
                                                    0x00404526
                                                    0x00404529
                                                    0x0040452c
                                                    0x00404532
                                                    0x00404539
                                                    0x00404540
                                                    0x004047d2
                                                    0x004047e4
                                                    0x00404546
                                                    0x00404549
                                                    0x00000000
                                                    0x00404549
                                                    0x00404540

                                                    APIs
                                                    • GetDlgItem.USER32 ref: 004044E5
                                                    • SetWindowTextA.USER32(00000000,?), ref: 0040450F
                                                    • SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045C0
                                                    • CoTaskMemFree.OLE32(00000000), ref: 004045CB
                                                    • lstrcmpiA.KERNEL32(Call,Yllerion Setup: Installing,00000000,?,?), ref: 004045FD
                                                    • lstrcatA.KERNEL32(?,Call), ref: 00404609
                                                    • SetDlgItemTextA.USER32 ref: 0040461B
                                                      • Part of subcall function 00405665: GetDlgItemTextA.USER32 ref: 00405678
                                                      • Part of subcall function 004061CF: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\invoice.exe",7476FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
                                                      • Part of subcall function 004061CF: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
                                                      • Part of subcall function 004061CF: CharNextA.USER32(?,"C:\Users\user\Desktop\invoice.exe",7476FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
                                                      • Part of subcall function 004061CF: CharPrevA.USER32(?,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
                                                    • GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 004046D9
                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046F4
                                                      • Part of subcall function 0040484D: lstrlenA.KERNEL32(Yllerion Setup: Installing,Yllerion Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
                                                      • Part of subcall function 0040484D: wsprintfA.USER32 ref: 004048F3
                                                      • Part of subcall function 0040484D: SetDlgItemTextA.USER32 ref: 00404906
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\predepository$Call$Yllerion Setup: Installing
                                                    • API String ID: 2624150263-977495788
                                                    • Opcode ID: 032b3df766434426d98d5d6b576ada36a61d7b9502b5faa4e1f3676bff7237ef
                                                    • Instruction ID: e7c3eafb31c7d15e6a6da749512948d226074c80576101813d8e7fa34d4e7a23
                                                    • Opcode Fuzzy Hash: 032b3df766434426d98d5d6b576ada36a61d7b9502b5faa4e1f3676bff7237ef
                                                    • Instruction Fuzzy Hash: 44A190B1900209ABDB11AFA6CD45AAFB7B8EF85314F14843BF605B72D1D77C89418B2D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 39%
                                                    			E004026F8(char __ebx, char* __edi, char* __esi) {
                                                    				void* _t19;
                                                    
                                                    				if(FindFirstFileA(E00402AC1(2), _t19 - 0x1c8) != 0xffffffff) {
                                                    					E00405EC3(__edi, _t6);
                                                    					_push(_t19 - 0x19c);
                                                    					_push(__esi);
                                                    					E00405F65();
                                                    				} else {
                                                    					 *__edi = __ebx;
                                                    					 *__esi = __ebx;
                                                    					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                    				}
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t19 - 4));
                                                    				return 0;
                                                    			}





                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: FileFindFirst
                                                    • String ID:
                                                    • API String ID: 1974802433-0
                                                    • Opcode ID: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                                                    • Instruction ID: 5589ad20af1132df25b1d4da55578e461c11660e8300270abb34f4e41d1b37c2
                                                    • Opcode Fuzzy Hash: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                                                    • Instruction Fuzzy Hash: 8BF0A0726041119AD710E7B49999EEEB778DB21324F60057BE685F20C1C6B88A469B2A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 79%
                                                    			E00406742(signed int __ebx, signed int* __esi) {
                                                    				signed int _t396;
                                                    				signed int _t425;
                                                    				signed int _t442;
                                                    				signed int _t443;
                                                    				signed int* _t446;
                                                    				void* _t448;
                                                    
                                                    				L0:
                                                    				while(1) {
                                                    					L0:
                                                    					_t446 = __esi;
                                                    					_t425 = __ebx;
                                                    					if( *(_t448 - 0x34) == 0) {
                                                    						break;
                                                    					}
                                                    					L55:
                                                    					__eax =  *(__ebp - 0x38);
                                                    					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                    					__ecx = __ebx;
                                                    					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                    					__ebx = __ebx + 8;
                                                    					while(1) {
                                                    						L56:
                                                    						if(__ebx < 0xe) {
                                                    							goto L0;
                                                    						}
                                                    						L57:
                                                    						__eax =  *(__ebp - 0x40);
                                                    						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                    						__ecx = __eax;
                                                    						__esi[1] = __eax;
                                                    						__ecx = __eax & 0x0000001f;
                                                    						if(__cl > 0x1d) {
                                                    							L9:
                                                    							_t443 = _t442 | 0xffffffff;
                                                    							 *_t446 = 0x11;
                                                    							L10:
                                                    							_t446[0x147] =  *(_t448 - 0x40);
                                                    							_t446[0x146] = _t425;
                                                    							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                    							L11:
                                                    							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                    							_t446[0x26ea] =  *(_t448 - 0x30);
                                                    							E00406EB1( *(_t448 + 8));
                                                    							return _t443;
                                                    						}
                                                    						L58:
                                                    						__eax = __eax & 0x000003e0;
                                                    						if(__eax > 0x3a0) {
                                                    							goto L9;
                                                    						}
                                                    						L59:
                                                    						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                    						__ebx = __ebx - 0xe;
                                                    						_t94 =  &(__esi[2]);
                                                    						 *_t94 = __esi[2] & 0x00000000;
                                                    						 *__esi = 0xc;
                                                    						while(1) {
                                                    							L60:
                                                    							__esi[1] = __esi[1] >> 0xa;
                                                    							__eax = (__esi[1] >> 0xa) + 4;
                                                    							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                    								goto L68;
                                                    							}
                                                    							L61:
                                                    							while(1) {
                                                    								L64:
                                                    								if(__ebx >= 3) {
                                                    									break;
                                                    								}
                                                    								L62:
                                                    								if( *(__ebp - 0x34) == 0) {
                                                    									goto L182;
                                                    								}
                                                    								L63:
                                                    								__eax =  *(__ebp - 0x38);
                                                    								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                    								__ecx = __ebx;
                                                    								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                    								__ebx = __ebx + 8;
                                                    							}
                                                    							L65:
                                                    							__ecx = __esi[2];
                                                    							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                    							__ebx = __ebx - 3;
                                                    							_t108 = __ecx + 0x4083f8; // 0x121110
                                                    							__ecx =  *_t108;
                                                    							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                    							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                    							__ecx = __esi[1];
                                                    							__esi[2] = __esi[2] + 1;
                                                    							__eax = __esi[2];
                                                    							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                    							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                    								goto L64;
                                                    							}
                                                    							L66:
                                                    							while(1) {
                                                    								L68:
                                                    								if(__esi[2] >= 0x13) {
                                                    									break;
                                                    								}
                                                    								L67:
                                                    								_t119 = __esi[2] + 0x4083f8; // 0x4000300
                                                    								__eax =  *_t119;
                                                    								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                    								_t126 =  &(__esi[2]);
                                                    								 *_t126 = __esi[2] + 1;
                                                    							}
                                                    							L69:
                                                    							__ecx = __ebp - 8;
                                                    							__edi =  &(__esi[0x143]);
                                                    							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                    							__eax = 0;
                                                    							 *(__ebp - 8) = 0;
                                                    							__eax =  &(__esi[3]);
                                                    							 *__edi = 7;
                                                    							__eax = E00406F19( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                    							if(__eax != 0) {
                                                    								L72:
                                                    								 *__esi = 0x11;
                                                    								while(1) {
                                                    									L180:
                                                    									_t396 =  *_t446;
                                                    									if(_t396 > 0xf) {
                                                    										break;
                                                    									}
                                                    									L1:
                                                    									switch( *((intOrPtr*)(_t396 * 4 +  &M00406E71))) {
                                                    										case 0:
                                                    											L101:
                                                    											__eax = __esi[4] & 0x000000ff;
                                                    											__esi[3] = __esi[4] & 0x000000ff;
                                                    											__eax = __esi[5];
                                                    											__esi[2] = __esi[5];
                                                    											 *__esi = 1;
                                                    											goto L102;
                                                    										case 1:
                                                    											L102:
                                                    											__eax = __esi[3];
                                                    											while(1) {
                                                    												L105:
                                                    												__eflags = __ebx - __eax;
                                                    												if(__ebx >= __eax) {
                                                    													break;
                                                    												}
                                                    												L103:
                                                    												__eflags =  *(__ebp - 0x34);
                                                    												if( *(__ebp - 0x34) == 0) {
                                                    													goto L182;
                                                    												}
                                                    												L104:
                                                    												__ecx =  *(__ebp - 0x38);
                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                    												__ecx = __ebx;
                                                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                    												__ebx = __ebx + 8;
                                                    												__eflags = __ebx;
                                                    											}
                                                    											L106:
                                                    											__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
                                                    											__eax = __eax &  *(__ebp - 0x40);
                                                    											__ecx = __esi[2];
                                                    											__eax = __esi[2] + __eax * 4;
                                                    											__ecx =  *(__eax + 1) & 0x000000ff;
                                                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                    											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                    											__ecx =  *__eax & 0x000000ff;
                                                    											__eflags = __ecx;
                                                    											if(__ecx != 0) {
                                                    												L108:
                                                    												__eflags = __cl & 0x00000010;
                                                    												if((__cl & 0x00000010) == 0) {
                                                    													L110:
                                                    													__eflags = __cl & 0x00000040;
                                                    													if((__cl & 0x00000040) == 0) {
                                                    														goto L125;
                                                    													}
                                                    													L111:
                                                    													__eflags = __cl & 0x00000020;
                                                    													if((__cl & 0x00000020) == 0) {
                                                    														goto L9;
                                                    													}
                                                    													L112:
                                                    													 *__esi = 7;
                                                    													goto L180;
                                                    												}
                                                    												L109:
                                                    												__esi[2] = __ecx;
                                                    												__esi[1] = __eax;
                                                    												 *__esi = 2;
                                                    												goto L180;
                                                    											}
                                                    											L107:
                                                    											__esi[2] = __eax;
                                                    											 *__esi = 6;
                                                    											goto L180;
                                                    										case 2:
                                                    											L113:
                                                    											__eax = __esi[2];
                                                    											while(1) {
                                                    												L116:
                                                    												__eflags = __ebx - __eax;
                                                    												if(__ebx >= __eax) {
                                                    													break;
                                                    												}
                                                    												L114:
                                                    												__eflags =  *(__ebp - 0x34);
                                                    												if( *(__ebp - 0x34) == 0) {
                                                    													goto L182;
                                                    												}
                                                    												L115:
                                                    												__ecx =  *(__ebp - 0x38);
                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                    												__ecx = __ebx;
                                                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                    												__ebx = __ebx + 8;
                                                    												__eflags = __ebx;
                                                    											}
                                                    											L117:
                                                    											 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                    											__esi[1] = __esi[1] + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                    											__ecx = __eax;
                                                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                    											__ebx = __ebx - __eax;
                                                    											__eflags = __ebx;
                                                    											__eax = __esi[4] & 0x000000ff;
                                                    											__esi[3] = __esi[4] & 0x000000ff;
                                                    											__eax = __esi[6];
                                                    											__esi[2] = __esi[6];
                                                    											 *__esi = 3;
                                                    											goto L118;
                                                    										case 3:
                                                    											L118:
                                                    											__eax = __esi[3];
                                                    											while(1) {
                                                    												L121:
                                                    												__eflags = __ebx - __eax;
                                                    												if(__ebx >= __eax) {
                                                    													break;
                                                    												}
                                                    												L119:
                                                    												__eflags =  *(__ebp - 0x34);
                                                    												if( *(__ebp - 0x34) == 0) {
                                                    													goto L182;
                                                    												}
                                                    												L120:
                                                    												__ecx =  *(__ebp - 0x38);
                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                    												__ecx = __ebx;
                                                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                    												__ebx = __ebx + 8;
                                                    												__eflags = __ebx;
                                                    											}
                                                    											L122:
                                                    											__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
                                                    											__eax = __eax &  *(__ebp - 0x40);
                                                    											__ecx = __esi[2];
                                                    											__eax = __esi[2] + __eax * 4;
                                                    											__ecx =  *(__eax + 1) & 0x000000ff;
                                                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                    											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                    											__ecx =  *__eax & 0x000000ff;
                                                    											__eflags = __cl & 0x00000010;
                                                    											if((__cl & 0x00000010) == 0) {
                                                    												L124:
                                                    												__eflags = __cl & 0x00000040;
                                                    												if((__cl & 0x00000040) != 0) {
                                                    													goto L9;
                                                    												}
                                                    												L125:
                                                    												__esi[3] = __ecx;
                                                    												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                    												__esi[2] = __eax;
                                                    												goto L180;
                                                    											}
                                                    											L123:
                                                    											__esi[2] = __ecx;
                                                    											__esi[3] = __eax;
                                                    											 *__esi = 4;
                                                    											goto L180;
                                                    										case 4:
                                                    											L126:
                                                    											__eax = __esi[2];
                                                    											while(1) {
                                                    												L129:
                                                    												__eflags = __ebx - __eax;
                                                    												if(__ebx >= __eax) {
                                                    													break;
                                                    												}
                                                    												L127:
                                                    												__eflags =  *(__ebp - 0x34);
                                                    												if( *(__ebp - 0x34) == 0) {
                                                    													goto L182;
                                                    												}
                                                    												L128:
                                                    												__ecx =  *(__ebp - 0x38);
                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                    												__ecx = __ebx;
                                                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                    												__ebx = __ebx + 8;
                                                    												__eflags = __ebx;
                                                    											}
                                                    											L130:
                                                    											 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                    											__esi[3] = __esi[3] + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                    											__ecx = __eax;
                                                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                    											__ebx = __ebx - __eax;
                                                    											__eflags = __ebx;
                                                    											 *__esi = 5;
                                                    											goto L131;
                                                    										case 5:
                                                    											L131:
                                                    											__eax =  *(__ebp - 0x30);
                                                    											__edx = __esi[3];
                                                    											__eax = __eax - __esi;
                                                    											__ecx = __eax - __esi - 0x1ba0;
                                                    											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                    											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                    												__ecx = __eax;
                                                    												__ecx = __eax - __edx;
                                                    												__eflags = __ecx;
                                                    											} else {
                                                    												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                    												__ecx = __esi[0x26e8] - __edx - __esi;
                                                    												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                    											}
                                                    											__eflags = __esi[1];
                                                    											 *(__ebp - 0x20) = __ecx;
                                                    											if(__esi[1] != 0) {
                                                    												L135:
                                                    												__edi =  *(__ebp - 0x2c);
                                                    												do {
                                                    													L136:
                                                    													__eflags = __edi;
                                                    													if(__edi != 0) {
                                                    														goto L152;
                                                    													}
                                                    													L137:
                                                    													__edi = __esi[0x26e8];
                                                    													__eflags = __eax - __edi;
                                                    													if(__eax != __edi) {
                                                    														L143:
                                                    														__esi[0x26ea] = __eax;
                                                    														__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                                                    														__eax = __esi[0x26ea];
                                                    														__ecx = __esi[0x26e9];
                                                    														__eflags = __eax - __ecx;
                                                    														 *(__ebp - 0x30) = __eax;
                                                    														if(__eax >= __ecx) {
                                                    															__edi = __esi[0x26e8];
                                                    															__edi = __esi[0x26e8] - __eax;
                                                    															__eflags = __edi;
                                                    														} else {
                                                    															__ecx = __ecx - __eax;
                                                    															__edi = __ecx - __eax - 1;
                                                    														}
                                                    														__edx = __esi[0x26e8];
                                                    														__eflags = __eax - __edx;
                                                    														 *(__ebp - 8) = __edx;
                                                    														if(__eax == __edx) {
                                                    															__edx =  &(__esi[0x6e8]);
                                                    															__eflags = __ecx - __edx;
                                                    															if(__ecx != __edx) {
                                                    																__eax = __edx;
                                                    																__eflags = __eax - __ecx;
                                                    																 *(__ebp - 0x30) = __eax;
                                                    																if(__eax >= __ecx) {
                                                    																	__edi =  *(__ebp - 8);
                                                    																	__edi =  *(__ebp - 8) - __eax;
                                                    																	__eflags = __edi;
                                                    																} else {
                                                    																	__ecx = __ecx - __eax;
                                                    																	__edi = __ecx;
                                                    																}
                                                    															}
                                                    														}
                                                    														__eflags = __edi;
                                                    														if(__edi == 0) {
                                                    															goto L183;
                                                    														} else {
                                                    															goto L152;
                                                    														}
                                                    													}
                                                    													L138:
                                                    													__ecx = __esi[0x26e9];
                                                    													__edx =  &(__esi[0x6e8]);
                                                    													__eflags = __ecx - __edx;
                                                    													if(__ecx == __edx) {
                                                    														goto L143;
                                                    													}
                                                    													L139:
                                                    													__eax = __edx;
                                                    													__eflags = __eax - __ecx;
                                                    													if(__eax >= __ecx) {
                                                    														__edi = __edi - __eax;
                                                    														__eflags = __edi;
                                                    													} else {
                                                    														__ecx = __ecx - __eax;
                                                    														__edi = __ecx;
                                                    													}
                                                    													__eflags = __edi;
                                                    													if(__edi == 0) {
                                                    														goto L143;
                                                    													}
                                                    													L152:
                                                    													__ecx =  *(__ebp - 0x20);
                                                    													 *__eax =  *__ecx;
                                                    													__eax = __eax + 1;
                                                    													__ecx = __ecx + 1;
                                                    													__edi = __edi - 1;
                                                    													__eflags = __ecx - __esi[0x26e8];
                                                    													 *(__ebp - 0x30) = __eax;
                                                    													 *(__ebp - 0x20) = __ecx;
                                                    													 *(__ebp - 0x2c) = __edi;
                                                    													if(__ecx == __esi[0x26e8]) {
                                                    														__ecx =  &(__esi[0x6e8]);
                                                    														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                    													}
                                                    													_t357 =  &(__esi[1]);
                                                    													 *_t357 = __esi[1] - 1;
                                                    													__eflags =  *_t357;
                                                    												} while ( *_t357 != 0);
                                                    											}
                                                    											goto L23;
                                                    										case 6:
                                                    											L156:
                                                    											__eax =  *(__ebp - 0x2c);
                                                    											__edi =  *(__ebp - 0x30);
                                                    											__eflags = __eax;
                                                    											if(__eax != 0) {
                                                    												L172:
                                                    												__cl = __esi[2];
                                                    												 *__edi = __cl;
                                                    												__edi = __edi + 1;
                                                    												__eax = __eax - 1;
                                                    												 *(__ebp - 0x30) = __edi;
                                                    												 *(__ebp - 0x2c) = __eax;
                                                    												goto L23;
                                                    											}
                                                    											L157:
                                                    											__ecx = __esi[0x26e8];
                                                    											__eflags = __edi - __ecx;
                                                    											if(__edi != __ecx) {
                                                    												L163:
                                                    												__esi[0x26ea] = __edi;
                                                    												__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                                                    												__edi = __esi[0x26ea];
                                                    												__ecx = __esi[0x26e9];
                                                    												__eflags = __edi - __ecx;
                                                    												 *(__ebp - 0x30) = __edi;
                                                    												if(__edi >= __ecx) {
                                                    													__eax = __esi[0x26e8];
                                                    													__eax = __esi[0x26e8] - __edi;
                                                    													__eflags = __eax;
                                                    												} else {
                                                    													__ecx = __ecx - __edi;
                                                    													__eax = __ecx - __edi - 1;
                                                    												}
                                                    												__edx = __esi[0x26e8];
                                                    												__eflags = __edi - __edx;
                                                    												 *(__ebp - 8) = __edx;
                                                    												if(__edi == __edx) {
                                                    													__edx =  &(__esi[0x6e8]);
                                                    													__eflags = __ecx - __edx;
                                                    													if(__ecx != __edx) {
                                                    														__edi = __edx;
                                                    														__eflags = __edi - __ecx;
                                                    														 *(__ebp - 0x30) = __edi;
                                                    														if(__edi >= __ecx) {
                                                    															__eax =  *(__ebp - 8);
                                                    															__eax =  *(__ebp - 8) - __edi;
                                                    															__eflags = __eax;
                                                    														} else {
                                                    															__ecx = __ecx - __edi;
                                                    															__eax = __ecx;
                                                    														}
                                                    													}
                                                    												}
                                                    												__eflags = __eax;
                                                    												if(__eax == 0) {
                                                    													goto L183;
                                                    												} else {
                                                    													goto L172;
                                                    												}
                                                    											}
                                                    											L158:
                                                    											__eax = __esi[0x26e9];
                                                    											__edx =  &(__esi[0x6e8]);
                                                    											__eflags = __eax - __edx;
                                                    											if(__eax == __edx) {
                                                    												goto L163;
                                                    											}
                                                    											L159:
                                                    											__edi = __edx;
                                                    											__eflags = __edi - __eax;
                                                    											if(__edi >= __eax) {
                                                    												__ecx = __ecx - __edi;
                                                    												__eflags = __ecx;
                                                    												__eax = __ecx;
                                                    											} else {
                                                    												__eax = __eax - __edi;
                                                    												__eax = __eax - 1;
                                                    											}
                                                    											__eflags = __eax;
                                                    											if(__eax != 0) {
                                                    												goto L172;
                                                    											} else {
                                                    												goto L163;
                                                    											}
                                                    										case 7:
                                                    											L173:
                                                    											__eflags = __ebx - 7;
                                                    											if(__ebx > 7) {
                                                    												__ebx = __ebx - 8;
                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                    												_t380 = __ebp - 0x38;
                                                    												 *_t380 =  *(__ebp - 0x38) - 1;
                                                    												__eflags =  *_t380;
                                                    											}
                                                    											goto L175;
                                                    										case 8:
                                                    											L4:
                                                    											while(_t425 < 3) {
                                                    												if( *(_t448 - 0x34) == 0) {
                                                    													goto L182;
                                                    												} else {
                                                    													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                    													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                    													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                    													_t425 = _t425 + 8;
                                                    													continue;
                                                    												}
                                                    											}
                                                    											_t425 = _t425 - 3;
                                                    											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                    											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                    											asm("sbb ecx, ecx");
                                                    											_t408 = _t406 >> 1;
                                                    											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                    											if(_t408 == 0) {
                                                    												L24:
                                                    												 *_t446 = 9;
                                                    												_t436 = _t425 & 0x00000007;
                                                    												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                    												_t425 = _t425 - _t436;
                                                    												goto L180;
                                                    											}
                                                    											L6:
                                                    											_t411 = _t408 - 1;
                                                    											if(_t411 == 0) {
                                                    												L13:
                                                    												__eflags =  *0x42e388;
                                                    												if( *0x42e388 != 0) {
                                                    													L22:
                                                    													_t412 =  *0x40a40c; // 0x9
                                                    													_t446[4] = _t412;
                                                    													_t413 =  *0x40a410; // 0x5
                                                    													_t446[4] = _t413;
                                                    													_t414 =  *0x42d204; // 0x0
                                                    													_t446[5] = _t414;
                                                    													_t415 =  *0x42d200; // 0x0
                                                    													_t446[6] = _t415;
                                                    													L23:
                                                    													 *_t446 =  *_t446 & 0x00000000;
                                                    													goto L180;
                                                    												} else {
                                                    													_t26 = _t448 - 8;
                                                    													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                    													__eflags =  *_t26;
                                                    													_t416 = 0x42d208;
                                                    													goto L15;
                                                    													L20:
                                                    													 *_t416 = _t438;
                                                    													_t416 = _t416 + 4;
                                                    													__eflags = _t416 - 0x42d688;
                                                    													if(_t416 < 0x42d688) {
                                                    														L15:
                                                    														__eflags = _t416 - 0x42d444;
                                                    														_t438 = 8;
                                                    														if(_t416 > 0x42d444) {
                                                    															__eflags = _t416 - 0x42d608;
                                                    															if(_t416 >= 0x42d608) {
                                                    																__eflags = _t416 - 0x42d668;
                                                    																if(_t416 < 0x42d668) {
                                                    																	_t438 = 7;
                                                    																}
                                                    															} else {
                                                    																_t438 = 9;
                                                    															}
                                                    														}
                                                    														goto L20;
                                                    													} else {
                                                    														E00406F19(0x42d208, 0x120, 0x101, 0x40840c, 0x40844c, 0x42d204, 0x40a40c, 0x42db08, _t448 - 8);
                                                    														_push(0x1e);
                                                    														_pop(_t440);
                                                    														_push(5);
                                                    														_pop(_t419);
                                                    														memset(0x42d208, _t419, _t440 << 2);
                                                    														_t450 = _t450 + 0xc;
                                                    														_t442 = 0x42d208 + _t440;
                                                    														E00406F19(0x42d208, 0x1e, 0, 0x40848c, 0x4084c8, 0x42d200, 0x40a410, 0x42db08, _t448 - 8);
                                                    														 *0x42e388 =  *0x42e388 + 1;
                                                    														__eflags =  *0x42e388;
                                                    														goto L22;
                                                    													}
                                                    												}
                                                    											}
                                                    											L7:
                                                    											_t423 = _t411 - 1;
                                                    											if(_t423 == 0) {
                                                    												 *_t446 = 0xb;
                                                    												goto L180;
                                                    											}
                                                    											L8:
                                                    											if(_t423 != 1) {
                                                    												goto L180;
                                                    											}
                                                    											goto L9;
                                                    										case 9:
                                                    											while(1) {
                                                    												L27:
                                                    												__eflags = __ebx - 0x20;
                                                    												if(__ebx >= 0x20) {
                                                    													break;
                                                    												}
                                                    												L25:
                                                    												__eflags =  *(__ebp - 0x34);
                                                    												if( *(__ebp - 0x34) == 0) {
                                                    													goto L182;
                                                    												}
                                                    												L26:
                                                    												__eax =  *(__ebp - 0x38);
                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                    												__ecx = __ebx;
                                                    												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                    												__ebx = __ebx + 8;
                                                    												__eflags = __ebx;
                                                    											}
                                                    											L28:
                                                    											__eax =  *(__ebp - 0x40);
                                                    											__ebx = 0;
                                                    											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                    											 *(__ebp - 0x40) = 0;
                                                    											__eflags = __eax;
                                                    											__esi[1] = __eax;
                                                    											if(__eax == 0) {
                                                    												goto L53;
                                                    											}
                                                    											L29:
                                                    											_push(0xa);
                                                    											_pop(__eax);
                                                    											goto L54;
                                                    										case 0xa:
                                                    											L30:
                                                    											__eflags =  *(__ebp - 0x34);
                                                    											if( *(__ebp - 0x34) == 0) {
                                                    												goto L182;
                                                    											}
                                                    											L31:
                                                    											__eax =  *(__ebp - 0x2c);
                                                    											__eflags = __eax;
                                                    											if(__eax != 0) {
                                                    												L48:
                                                    												__eflags = __eax -  *(__ebp - 0x34);
                                                    												if(__eax >=  *(__ebp - 0x34)) {
                                                    													__eax =  *(__ebp - 0x34);
                                                    												}
                                                    												__ecx = __esi[1];
                                                    												__eflags = __ecx - __eax;
                                                    												__edi = __ecx;
                                                    												if(__ecx >= __eax) {
                                                    													__edi = __eax;
                                                    												}
                                                    												__eax = E00405AB9( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                    												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                    												_t80 =  &(__esi[1]);
                                                    												 *_t80 = __esi[1] - __edi;
                                                    												__eflags =  *_t80;
                                                    												if( *_t80 == 0) {
                                                    													L53:
                                                    													__eax = __esi[0x145];
                                                    													L54:
                                                    													 *__esi = __eax;
                                                    												}
                                                    												goto L180;
                                                    											}
                                                    											L32:
                                                    											__ecx = __esi[0x26e8];
                                                    											__edx =  *(__ebp - 0x30);
                                                    											__eflags = __edx - __ecx;
                                                    											if(__edx != __ecx) {
                                                    												L38:
                                                    												__esi[0x26ea] = __edx;
                                                    												__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                                                    												__edx = __esi[0x26ea];
                                                    												__ecx = __esi[0x26e9];
                                                    												__eflags = __edx - __ecx;
                                                    												 *(__ebp - 0x30) = __edx;
                                                    												if(__edx >= __ecx) {
                                                    													__eax = __esi[0x26e8];
                                                    													__eax = __esi[0x26e8] - __edx;
                                                    													__eflags = __eax;
                                                    												} else {
                                                    													__ecx = __ecx - __edx;
                                                    													__eax = __ecx - __edx - 1;
                                                    												}
                                                    												__edi = __esi[0x26e8];
                                                    												 *(__ebp - 0x2c) = __eax;
                                                    												__eflags = __edx - __edi;
                                                    												if(__edx == __edi) {
                                                    													__edx =  &(__esi[0x6e8]);
                                                    													__eflags = __edx - __ecx;
                                                    													if(__eflags != 0) {
                                                    														 *(__ebp - 0x30) = __edx;
                                                    														if(__eflags >= 0) {
                                                    															__edi = __edi - __edx;
                                                    															__eflags = __edi;
                                                    															__eax = __edi;
                                                    														} else {
                                                    															__ecx = __ecx - __edx;
                                                    															__eax = __ecx;
                                                    														}
                                                    														 *(__ebp - 0x2c) = __eax;
                                                    													}
                                                    												}
                                                    												__eflags = __eax;
                                                    												if(__eax == 0) {
                                                    													goto L183;
                                                    												} else {
                                                    													goto L48;
                                                    												}
                                                    											}
                                                    											L33:
                                                    											__eax = __esi[0x26e9];
                                                    											__edi =  &(__esi[0x6e8]);
                                                    											__eflags = __eax - __edi;
                                                    											if(__eax == __edi) {
                                                    												goto L38;
                                                    											}
                                                    											L34:
                                                    											__edx = __edi;
                                                    											__eflags = __edx - __eax;
                                                    											 *(__ebp - 0x30) = __edx;
                                                    											if(__edx >= __eax) {
                                                    												__ecx = __ecx - __edx;
                                                    												__eflags = __ecx;
                                                    												__eax = __ecx;
                                                    											} else {
                                                    												__eax = __eax - __edx;
                                                    												__eax = __eax - 1;
                                                    											}
                                                    											__eflags = __eax;
                                                    											 *(__ebp - 0x2c) = __eax;
                                                    											if(__eax != 0) {
                                                    												goto L48;
                                                    											} else {
                                                    												goto L38;
                                                    											}
                                                    										case 0xb:
                                                    											goto L56;
                                                    										case 0xc:
                                                    											L60:
                                                    											__esi[1] = __esi[1] >> 0xa;
                                                    											__eax = (__esi[1] >> 0xa) + 4;
                                                    											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                    												goto L68;
                                                    											}
                                                    											goto L61;
                                                    										case 0xd:
                                                    											while(1) {
                                                    												L93:
                                                    												__eax = __esi[1];
                                                    												__ecx = __esi[2];
                                                    												__edx = __eax;
                                                    												__eax = __eax & 0x0000001f;
                                                    												__edx = __edx >> 5;
                                                    												__eax = __edx + __eax + 0x102;
                                                    												__eflags = __esi[2] - __eax;
                                                    												if(__esi[2] >= __eax) {
                                                    													break;
                                                    												}
                                                    												L73:
                                                    												__eax = __esi[0x143];
                                                    												while(1) {
                                                    													L76:
                                                    													__eflags = __ebx - __eax;
                                                    													if(__ebx >= __eax) {
                                                    														break;
                                                    													}
                                                    													L74:
                                                    													__eflags =  *(__ebp - 0x34);
                                                    													if( *(__ebp - 0x34) == 0) {
                                                    														goto L182;
                                                    													}
                                                    													L75:
                                                    													__ecx =  *(__ebp - 0x38);
                                                    													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                    													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                    													__ecx = __ebx;
                                                    													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                    													__ebx = __ebx + 8;
                                                    													__eflags = __ebx;
                                                    												}
                                                    												L77:
                                                    												__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
                                                    												__eax = __eax &  *(__ebp - 0x40);
                                                    												__ecx = __esi[0x144];
                                                    												__eax = __esi[0x144] + __eax * 4;
                                                    												__edx =  *(__eax + 1) & 0x000000ff;
                                                    												__eax =  *(__eax + 2) & 0x0000ffff;
                                                    												__eflags = __eax - 0x10;
                                                    												 *(__ebp - 0x14) = __eax;
                                                    												if(__eax >= 0x10) {
                                                    													L79:
                                                    													__eflags = __eax - 0x12;
                                                    													if(__eax != 0x12) {
                                                    														__eax = __eax + 0xfffffff2;
                                                    														 *(__ebp - 8) = 3;
                                                    													} else {
                                                    														_push(7);
                                                    														 *(__ebp - 8) = 0xb;
                                                    														_pop(__eax);
                                                    													}
                                                    													while(1) {
                                                    														L84:
                                                    														__ecx = __eax + __edx;
                                                    														__eflags = __ebx - __eax + __edx;
                                                    														if(__ebx >= __eax + __edx) {
                                                    															break;
                                                    														}
                                                    														L82:
                                                    														__eflags =  *(__ebp - 0x34);
                                                    														if( *(__ebp - 0x34) == 0) {
                                                    															goto L182;
                                                    														}
                                                    														L83:
                                                    														__ecx =  *(__ebp - 0x38);
                                                    														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                    														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                    														__ecx = __ebx;
                                                    														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                    														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                    														__ebx = __ebx + 8;
                                                    														__eflags = __ebx;
                                                    													}
                                                    													L85:
                                                    													__ecx = __edx;
                                                    													__ebx = __ebx - __edx;
                                                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                    													 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                    													__edx =  *(__ebp - 8);
                                                    													__ebx = __ebx - __eax;
                                                    													__edx =  *(__ebp - 8) + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                    													__ecx = __eax;
                                                    													__eax = __esi[1];
                                                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                    													__ecx = __esi[2];
                                                    													__eax = __eax >> 5;
                                                    													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                    													__eax = __eax & 0x0000001f;
                                                    													__eax = __edi + __eax + 0x102;
                                                    													__edi = __edx + __ecx;
                                                    													__eflags = __edx + __ecx - __eax;
                                                    													if(__edx + __ecx > __eax) {
                                                    														goto L9;
                                                    													}
                                                    													L86:
                                                    													__eflags =  *(__ebp - 0x14) - 0x10;
                                                    													if( *(__ebp - 0x14) != 0x10) {
                                                    														L89:
                                                    														__edi = 0;
                                                    														__eflags = 0;
                                                    														L90:
                                                    														__eax = __esi + 0xc + __ecx * 4;
                                                    														do {
                                                    															L91:
                                                    															 *__eax = __edi;
                                                    															__ecx = __ecx + 1;
                                                    															__eax = __eax + 4;
                                                    															__edx = __edx - 1;
                                                    															__eflags = __edx;
                                                    														} while (__edx != 0);
                                                    														__esi[2] = __ecx;
                                                    														continue;
                                                    													}
                                                    													L87:
                                                    													__eflags = __ecx - 1;
                                                    													if(__ecx < 1) {
                                                    														goto L9;
                                                    													}
                                                    													L88:
                                                    													__edi =  *(__esi + 8 + __ecx * 4);
                                                    													goto L90;
                                                    												}
                                                    												L78:
                                                    												__ecx = __edx;
                                                    												__ebx = __ebx - __edx;
                                                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                    												__ecx = __esi[2];
                                                    												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                    												__esi[2] = __esi[2] + 1;
                                                    											}
                                                    											L94:
                                                    											__eax = __esi[1];
                                                    											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                    											__edi = __eax;
                                                    											__eax = __eax >> 5;
                                                    											__edi = __edi & 0x0000001f;
                                                    											__ecx = 0x101;
                                                    											__eax = __eax & 0x0000001f;
                                                    											__edi = __edi + 0x101;
                                                    											__eax = __eax + 1;
                                                    											__edx = __ebp - 0xc;
                                                    											 *(__ebp - 0x14) = __eax;
                                                    											 &(__esi[0x148]) = __ebp - 4;
                                                    											 *(__ebp - 4) = 9;
                                                    											__ebp - 0x18 =  &(__esi[3]);
                                                    											 *(__ebp - 0x10) = 6;
                                                    											__eax = E00406F19( &(__esi[3]), __edi, 0x101, 0x40840c, 0x40844c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                    											__eflags =  *(__ebp - 4);
                                                    											if( *(__ebp - 4) == 0) {
                                                    												__eax = __eax | 0xffffffff;
                                                    												__eflags = __eax;
                                                    											}
                                                    											__eflags = __eax;
                                                    											if(__eax != 0) {
                                                    												goto L9;
                                                    											} else {
                                                    												L97:
                                                    												__ebp - 0xc =  &(__esi[0x148]);
                                                    												__ebp - 0x10 = __ebp - 0x1c;
                                                    												__eax = __esi + 0xc + __edi * 4;
                                                    												__eax = E00406F19(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40848c, 0x4084c8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                    												__eflags = __eax;
                                                    												if(__eax != 0) {
                                                    													goto L9;
                                                    												}
                                                    												L98:
                                                    												__eax =  *(__ebp - 0x10);
                                                    												__eflags =  *(__ebp - 0x10);
                                                    												if( *(__ebp - 0x10) != 0) {
                                                    													L100:
                                                    													__cl =  *(__ebp - 4);
                                                    													 *__esi =  *__esi & 0x00000000;
                                                    													__eflags =  *__esi;
                                                    													__esi[4] = __al;
                                                    													__eax =  *(__ebp - 0x18);
                                                    													__esi[5] =  *(__ebp - 0x18);
                                                    													__eax =  *(__ebp - 0x1c);
                                                    													__esi[4] = __cl;
                                                    													__esi[6] =  *(__ebp - 0x1c);
                                                    													goto L101;
                                                    												}
                                                    												L99:
                                                    												__eflags = __edi - 0x101;
                                                    												if(__edi > 0x101) {
                                                    													goto L9;
                                                    												}
                                                    												goto L100;
                                                    											}
                                                    										case 0xe:
                                                    											goto L9;
                                                    										case 0xf:
                                                    											L175:
                                                    											__eax =  *(__ebp - 0x30);
                                                    											__esi[0x26ea] =  *(__ebp - 0x30);
                                                    											__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                                                    											__ecx = __esi[0x26ea];
                                                    											__edx = __esi[0x26e9];
                                                    											__eflags = __ecx - __edx;
                                                    											 *(__ebp - 0x30) = __ecx;
                                                    											if(__ecx >= __edx) {
                                                    												__eax = __esi[0x26e8];
                                                    												__eax = __esi[0x26e8] - __ecx;
                                                    												__eflags = __eax;
                                                    											} else {
                                                    												__edx = __edx - __ecx;
                                                    												__eax = __edx - __ecx - 1;
                                                    											}
                                                    											__eflags = __ecx - __edx;
                                                    											 *(__ebp - 0x2c) = __eax;
                                                    											if(__ecx != __edx) {
                                                    												L183:
                                                    												__edi = 0;
                                                    												goto L10;
                                                    											} else {
                                                    												L179:
                                                    												__eax = __esi[0x145];
                                                    												__eflags = __eax - 8;
                                                    												 *__esi = __eax;
                                                    												if(__eax != 8) {
                                                    													L184:
                                                    													0 = 1;
                                                    													goto L10;
                                                    												}
                                                    												goto L180;
                                                    											}
                                                    									}
                                                    								}
                                                    								L181:
                                                    								goto L9;
                                                    							}
                                                    							L70:
                                                    							if( *__edi == __eax) {
                                                    								goto L72;
                                                    							}
                                                    							L71:
                                                    							__esi[2] = __esi[2] & __eax;
                                                    							 *__esi = 0xd;
                                                    							goto L93;
                                                    						}
                                                    					}
                                                    				}
                                                    				L182:
                                                    				_t443 = 0;
                                                    				_t446[0x147] =  *(_t448 - 0x40);
                                                    				_t446[0x146] = _t425;
                                                    				( *(_t448 + 8))[1] = 0;
                                                    				goto L11;
                                                    			}









                                                    0x00406c87
                                                    0x00406c89
                                                    0x00406c8b
                                                    0x00406c94
                                                    0x00406c94
                                                    0x00406c8d
                                                    0x00406c8d
                                                    0x00406c90
                                                    0x00406c90
                                                    0x00406c96
                                                    0x00406c98
                                                    0x00000000
                                                    0x00000000
                                                    0x00406cfe
                                                    0x00406cfe
                                                    0x00406d03
                                                    0x00406d05
                                                    0x00406d06
                                                    0x00406d07
                                                    0x00406d08
                                                    0x00406d0e
                                                    0x00406d11
                                                    0x00406d14
                                                    0x00406d17
                                                    0x00406d19
                                                    0x00406d1f
                                                    0x00406d1f
                                                    0x00406d22
                                                    0x00406d22
                                                    0x00406d22
                                                    0x00406d22
                                                    0x00406d2b
                                                    0x00000000
                                                    0x00000000
                                                    0x00406d30
                                                    0x00406d30
                                                    0x00406d33
                                                    0x00406d36
                                                    0x00406d38
                                                    0x00406dcf
                                                    0x00406dcf
                                                    0x00406dd2
                                                    0x00406dd4
                                                    0x00406dd5
                                                    0x00406dd6
                                                    0x00406dd9
                                                    0x00000000
                                                    0x00406dd9
                                                    0x00406d3e
                                                    0x00406d3e
                                                    0x00406d44
                                                    0x00406d46
                                                    0x00406d6b
                                                    0x00406d6e
                                                    0x00406d74
                                                    0x00406d79
                                                    0x00406d7f
                                                    0x00406d85
                                                    0x00406d87
                                                    0x00406d8a
                                                    0x00406d93
                                                    0x00406d99
                                                    0x00406d99
                                                    0x00406d8c
                                                    0x00406d8e
                                                    0x00406d90
                                                    0x00406d90
                                                    0x00406d9b
                                                    0x00406da1
                                                    0x00406da3
                                                    0x00406da6
                                                    0x00406da8
                                                    0x00406dae
                                                    0x00406db0
                                                    0x00406db2
                                                    0x00406db4
                                                    0x00406db6
                                                    0x00406db9
                                                    0x00406dc2
                                                    0x00406dc5
                                                    0x00406dc5
                                                    0x00406dbb
                                                    0x00406dbb
                                                    0x00406dbe
                                                    0x00406dbe
                                                    0x00406db9
                                                    0x00406db0
                                                    0x00406dc7
                                                    0x00406dc9
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00406dc9
                                                    0x00406d48
                                                    0x00406d48
                                                    0x00406d4e
                                                    0x00406d54
                                                    0x00406d56
                                                    0x00000000
                                                    0x00000000
                                                    0x00406d58
                                                    0x00406d58
                                                    0x00406d5a
                                                    0x00406d5c
                                                    0x00406d63
                                                    0x00406d63
                                                    0x00406d65
                                                    0x00406d5e
                                                    0x00406d5e
                                                    0x00406d60
                                                    0x00406d60
                                                    0x00406d67
                                                    0x00406d69
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00406de1
                                                    0x00406de1
                                                    0x00406de4
                                                    0x00406de6
                                                    0x00406de9
                                                    0x00406dec
                                                    0x00406dec
                                                    0x00406dec
                                                    0x00406dec
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0040649a
                                                    0x0040647e
                                                    0x00000000
                                                    0x00406484
                                                    0x00406487
                                                    0x00406491
                                                    0x00406494
                                                    0x00406497
                                                    0x00000000
                                                    0x00406497
                                                    0x0040647e
                                                    0x004064a2
                                                    0x004064a5
                                                    0x004064a9
                                                    0x004064b3
                                                    0x004064bd
                                                    0x004064c0
                                                    0x004064c6
                                                    0x004065fa
                                                    0x004065fc
                                                    0x00406602
                                                    0x00406605
                                                    0x00406608
                                                    0x00000000
                                                    0x00406608
                                                    0x004064cc
                                                    0x004064cc
                                                    0x004064cd
                                                    0x00406525
                                                    0x00406525
                                                    0x0040652c
                                                    0x004065d2
                                                    0x004065d2
                                                    0x004065d7
                                                    0x004065da
                                                    0x004065df
                                                    0x004065e2
                                                    0x004065e7
                                                    0x004065ea
                                                    0x004065ef
                                                    0x004065f2
                                                    0x004065f2
                                                    0x00000000
                                                    0x00406532
                                                    0x00406532
                                                    0x00406532
                                                    0x00406532
                                                    0x00406536
                                                    0x00406536
                                                    0x00406558
                                                    0x0040655b
                                                    0x0040655d
                                                    0x00406560
                                                    0x00406565
                                                    0x0040653b
                                                    0x0040653b
                                                    0x00406540
                                                    0x00406542
                                                    0x00406544
                                                    0x00406549
                                                    0x0040654f
                                                    0x00406554
                                                    0x00406556
                                                    0x00406556
                                                    0x0040654b
                                                    0x0040654b
                                                    0x0040654b
                                                    0x00406549
                                                    0x00000000
                                                    0x00406567
                                                    0x00406594
                                                    0x00406599
                                                    0x0040659b
                                                    0x0040659c
                                                    0x0040659e
                                                    0x0040659f
                                                    0x0040659f
                                                    0x0040659f
                                                    0x004065c7
                                                    0x004065cc
                                                    0x004065cc
                                                    0x00000000
                                                    0x004065cc
                                                    0x00406565
                                                    0x0040652c
                                                    0x004064cf
                                                    0x004064cf
                                                    0x004064d0
                                                    0x0040651a
                                                    0x00000000
                                                    0x0040651a
                                                    0x004064d2
                                                    0x004064d3
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0040662f
                                                    0x0040662f
                                                    0x0040662f
                                                    0x00406632
                                                    0x00000000
                                                    0x00000000
                                                    0x0040660f
                                                    0x0040660f
                                                    0x00406613
                                                    0x00000000
                                                    0x00000000
                                                    0x00406619
                                                    0x00406619
                                                    0x0040661c
                                                    0x0040661f
                                                    0x00406624
                                                    0x00406626
                                                    0x00406629
                                                    0x0040662c
                                                    0x0040662c
                                                    0x0040662c
                                                    0x00406634
                                                    0x00406634
                                                    0x00406637
                                                    0x00406639
                                                    0x0040663e
                                                    0x00406641
                                                    0x00406643
                                                    0x00406646
                                                    0x00000000
                                                    0x00000000
                                                    0x0040664c
                                                    0x0040664c
                                                    0x0040664e
                                                    0x00000000
                                                    0x00000000
                                                    0x00406654
                                                    0x00406654
                                                    0x00406658
                                                    0x00000000
                                                    0x00000000
                                                    0x0040665e
                                                    0x0040665e
                                                    0x00406661
                                                    0x00406663
                                                    0x00406701
                                                    0x00406701
                                                    0x00406704
                                                    0x00406706
                                                    0x00406706
                                                    0x00406709
                                                    0x0040670c
                                                    0x0040670e
                                                    0x00406710
                                                    0x00406712
                                                    0x00406712
                                                    0x0040671b
                                                    0x00406720
                                                    0x00406723
                                                    0x00406726
                                                    0x00406729
                                                    0x0040672c
                                                    0x0040672c
                                                    0x0040672c
                                                    0x0040672f
                                                    0x00406735
                                                    0x00406735
                                                    0x0040673b
                                                    0x0040673b
                                                    0x0040673b
                                                    0x00000000
                                                    0x0040672f
                                                    0x00406669
                                                    0x00406669
                                                    0x0040666f
                                                    0x00406672
                                                    0x00406674
                                                    0x0040669f
                                                    0x004066a2
                                                    0x004066a8
                                                    0x004066ad
                                                    0x004066b3
                                                    0x004066b9
                                                    0x004066bb
                                                    0x004066be
                                                    0x004066c7
                                                    0x004066cd
                                                    0x004066cd
                                                    0x004066c0
                                                    0x004066c2
                                                    0x004066c4
                                                    0x004066c4
                                                    0x004066cf
                                                    0x004066d5
                                                    0x004066d8
                                                    0x004066da
                                                    0x004066dc
                                                    0x004066e2
                                                    0x004066e4
                                                    0x004066e6
                                                    0x004066e9
                                                    0x004066f2
                                                    0x004066f2
                                                    0x004066f4
                                                    0x004066eb
                                                    0x004066eb
                                                    0x004066ee
                                                    0x004066ee
                                                    0x004066f6
                                                    0x004066f6
                                                    0x004066e4
                                                    0x004066f9
                                                    0x004066fb
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x004066fb
                                                    0x00406676
                                                    0x00406676
                                                    0x0040667c
                                                    0x00406682
                                                    0x00406684
                                                    0x00000000
                                                    0x00000000
                                                    0x00406686
                                                    0x00406686
                                                    0x00406688
                                                    0x0040668a
                                                    0x0040668d
                                                    0x00406694
                                                    0x00406694
                                                    0x00406696
                                                    0x0040668f
                                                    0x0040668f
                                                    0x00406691
                                                    0x00406691
                                                    0x00406698
                                                    0x0040669a
                                                    0x0040669d
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x004067a1
                                                    0x004067a4
                                                    0x004067a7
                                                    0x004067ad
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00406984
                                                    0x00406984
                                                    0x00406984
                                                    0x00406987
                                                    0x0040698a
                                                    0x0040698c
                                                    0x0040698f
                                                    0x00406995
                                                    0x0040699c
                                                    0x0040699e
                                                    0x00000000
                                                    0x00000000
                                                    0x00406872
                                                    0x00406872
                                                    0x0040689a
                                                    0x0040689a
                                                    0x0040689a
                                                    0x0040689c
                                                    0x00000000
                                                    0x00000000
                                                    0x0040687a
                                                    0x0040687a
                                                    0x0040687e
                                                    0x00000000
                                                    0x00000000
                                                    0x00406884
                                                    0x00406884
                                                    0x00406887
                                                    0x0040688a
                                                    0x0040688d
                                                    0x0040688f
                                                    0x00406891
                                                    0x00406894
                                                    0x00406897
                                                    0x00406897
                                                    0x00406897
                                                    0x0040689e
                                                    0x0040689e
                                                    0x004068a6
                                                    0x004068a9
                                                    0x004068af
                                                    0x004068b2
                                                    0x004068b6
                                                    0x004068ba
                                                    0x004068bd
                                                    0x004068c0
                                                    0x004068d8
                                                    0x004068d8
                                                    0x004068db
                                                    0x004068e9
                                                    0x004068ec
                                                    0x004068dd
                                                    0x004068dd
                                                    0x004068df
                                                    0x004068e6
                                                    0x004068e6
                                                    0x00406915
                                                    0x00406915
                                                    0x00406915
                                                    0x00406918
                                                    0x0040691a

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • Opcode ID: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                                                    • Instruction ID: 12ef56279526f9f53f22afc89151adbe845766d01d6fb7ada6890335ffbed449
                                                    • Opcode Fuzzy Hash: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                                                    • Instruction Fuzzy Hash: 5EE19A7190070ADFCB24CF58C980BAABBF1EB45305F15852EE497A72D1E338AA91CF44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00406F19(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                    				signed int _v8;
                                                    				unsigned int _v12;
                                                    				signed int _v16;
                                                    				intOrPtr _v20;
                                                    				signed int _v24;
                                                    				signed int _v28;
                                                    				intOrPtr* _v32;
                                                    				signed int* _v36;
                                                    				signed int _v40;
                                                    				signed int _v44;
                                                    				intOrPtr _v48;
                                                    				intOrPtr _v52;
                                                    				void _v116;
                                                    				signed int _v176;
                                                    				signed int _v180;
                                                    				signed int _v240;
                                                    				signed int _t166;
                                                    				signed int _t168;
                                                    				intOrPtr _t175;
                                                    				signed int _t181;
                                                    				void* _t182;
                                                    				intOrPtr _t183;
                                                    				signed int* _t184;
                                                    				signed int _t186;
                                                    				signed int _t187;
                                                    				signed int* _t189;
                                                    				signed int _t190;
                                                    				intOrPtr* _t191;
                                                    				intOrPtr _t192;
                                                    				signed int _t193;
                                                    				signed int _t195;
                                                    				signed int _t200;
                                                    				signed int _t205;
                                                    				void* _t207;
                                                    				short _t208;
                                                    				signed char _t222;
                                                    				signed int _t224;
                                                    				signed int _t225;
                                                    				signed int* _t232;
                                                    				signed int _t233;
                                                    				signed int _t234;
                                                    				void* _t235;
                                                    				signed int _t236;
                                                    				signed int _t244;
                                                    				signed int _t246;
                                                    				signed int _t251;
                                                    				signed int _t254;
                                                    				signed int _t256;
                                                    				signed int _t259;
                                                    				signed int _t262;
                                                    				void* _t263;
                                                    				void* _t264;
                                                    				signed int _t267;
                                                    				intOrPtr _t269;
                                                    				intOrPtr _t271;
                                                    				signed int _t274;
                                                    				intOrPtr* _t275;
                                                    				unsigned int _t276;
                                                    				void* _t277;
                                                    				signed int _t278;
                                                    				intOrPtr* _t279;
                                                    				signed int _t281;
                                                    				intOrPtr _t282;
                                                    				intOrPtr _t283;
                                                    				signed int* _t284;
                                                    				signed int _t286;
                                                    				signed int _t287;
                                                    				signed int _t288;
                                                    				signed int _t296;
                                                    				signed int* _t297;
                                                    				intOrPtr _t298;
                                                    				void* _t299;
                                                    
                                                    				_t278 = _a8;
                                                    				_t187 = 0x10;
                                                    				memset( &_v116, 0, _t187 << 2);
                                                    				_t189 = _a4;
                                                    				_t233 = _t278;
                                                    				do {
                                                    					_t166 =  *_t189;
                                                    					_t189 =  &(_t189[1]);
                                                    					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                    					_t233 = _t233 - 1;
                                                    				} while (_t233 != 0);
                                                    				if(_v116 != _t278) {
                                                    					_t279 = _a28;
                                                    					_t267 =  *_t279;
                                                    					_t190 = 1;
                                                    					_a28 = _t267;
                                                    					_t234 = 0xf;
                                                    					while(1) {
                                                    						_t168 = 0;
                                                    						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                    							break;
                                                    						}
                                                    						_t190 = _t190 + 1;
                                                    						if(_t190 <= _t234) {
                                                    							continue;
                                                    						}
                                                    						break;
                                                    					}
                                                    					_v8 = _t190;
                                                    					if(_t267 < _t190) {
                                                    						_a28 = _t190;
                                                    					}
                                                    					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                    						_t234 = _t234 - 1;
                                                    						if(_t234 != 0) {
                                                    							continue;
                                                    						}
                                                    						break;
                                                    					}
                                                    					_v28 = _t234;
                                                    					if(_a28 > _t234) {
                                                    						_a28 = _t234;
                                                    					}
                                                    					 *_t279 = _a28;
                                                    					_t181 = 1 << _t190;
                                                    					while(_t190 < _t234) {
                                                    						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                    						if(_t182 < 0) {
                                                    							L64:
                                                    							return _t168 | 0xffffffff;
                                                    						}
                                                    						_t190 = _t190 + 1;
                                                    						_t181 = _t182 + _t182;
                                                    					}
                                                    					_t281 = _t234 << 2;
                                                    					_t191 = _t299 + _t281 - 0x70;
                                                    					_t269 =  *_t191;
                                                    					_t183 = _t181 - _t269;
                                                    					_v52 = _t183;
                                                    					if(_t183 < 0) {
                                                    						goto L64;
                                                    					}
                                                    					_v176 = _t168;
                                                    					 *_t191 = _t269 + _t183;
                                                    					_t192 = 0;
                                                    					_t235 = _t234 - 1;
                                                    					if(_t235 == 0) {
                                                    						L21:
                                                    						_t184 = _a4;
                                                    						_t271 = 0;
                                                    						do {
                                                    							_t193 =  *_t184;
                                                    							_t184 =  &(_t184[1]);
                                                    							if(_t193 != _t168) {
                                                    								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                    								_t236 =  *_t232;
                                                    								 *((intOrPtr*)(0x42d688 + _t236 * 4)) = _t271;
                                                    								 *_t232 = _t236 + 1;
                                                    							}
                                                    							_t271 = _t271 + 1;
                                                    						} while (_t271 < _a8);
                                                    						_v16 = _v16 | 0xffffffff;
                                                    						_v40 = _v40 & 0x00000000;
                                                    						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                    						_t195 = _v8;
                                                    						_t186 =  ~_a28;
                                                    						_v12 = _t168;
                                                    						_v180 = _t168;
                                                    						_v36 = 0x42d688;
                                                    						_v240 = _t168;
                                                    						if(_t195 > _v28) {
                                                    							L62:
                                                    							_t168 = 0;
                                                    							if(_v52 == 0 || _v28 == 1) {
                                                    								return _t168;
                                                    							} else {
                                                    								goto L64;
                                                    							}
                                                    						}
                                                    						_v44 = _t195 - 1;
                                                    						_v32 = _t299 + _t195 * 4 - 0x70;
                                                    						do {
                                                    							_t282 =  *_v32;
                                                    							if(_t282 == 0) {
                                                    								goto L61;
                                                    							}
                                                    							while(1) {
                                                    								_t283 = _t282 - 1;
                                                    								_t200 = _a28 + _t186;
                                                    								_v48 = _t283;
                                                    								_v24 = _t200;
                                                    								if(_v8 <= _t200) {
                                                    									goto L45;
                                                    								}
                                                    								L31:
                                                    								_v20 = _t283 + 1;
                                                    								do {
                                                    									_v16 = _v16 + 1;
                                                    									_t296 = _v28 - _v24;
                                                    									if(_t296 > _a28) {
                                                    										_t296 = _a28;
                                                    									}
                                                    									_t222 = _v8 - _v24;
                                                    									_t254 = 1 << _t222;
                                                    									if(1 <= _v20) {
                                                    										L40:
                                                    										_t256 =  *_a36;
                                                    										_t168 = 1 << _t222;
                                                    										_v40 = 1;
                                                    										_t274 = _t256 + 1;
                                                    										if(_t274 > 0x5a0) {
                                                    											goto L64;
                                                    										}
                                                    									} else {
                                                    										_t275 = _v32;
                                                    										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                    										if(_t222 >= _t296) {
                                                    											goto L40;
                                                    										}
                                                    										while(1) {
                                                    											_t222 = _t222 + 1;
                                                    											if(_t222 >= _t296) {
                                                    												goto L40;
                                                    											}
                                                    											_t275 = _t275 + 4;
                                                    											_t264 = _t263 + _t263;
                                                    											_t175 =  *_t275;
                                                    											if(_t264 <= _t175) {
                                                    												goto L40;
                                                    											}
                                                    											_t263 = _t264 - _t175;
                                                    										}
                                                    										goto L40;
                                                    									}
                                                    									_t168 = _a32 + _t256 * 4;
                                                    									_t297 = _t299 + _v16 * 4 - 0xec;
                                                    									 *_a36 = _t274;
                                                    									_t259 = _v16;
                                                    									 *_t297 = _t168;
                                                    									if(_t259 == 0) {
                                                    										 *_a24 = _t168;
                                                    									} else {
                                                    										_t276 = _v12;
                                                    										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                    										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                    										_a5 = _a28;
                                                    										_a4 = _t222;
                                                    										_t262 = _t276 >> _t186;
                                                    										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                    										 *(_t298 + _t262 * 4) = _a4;
                                                    									}
                                                    									_t224 = _v24;
                                                    									_t186 = _t224;
                                                    									_t225 = _t224 + _a28;
                                                    									_v24 = _t225;
                                                    								} while (_v8 > _t225);
                                                    								L45:
                                                    								_t284 = _v36;
                                                    								_a5 = _v8 - _t186;
                                                    								if(_t284 < 0x42d688 + _a8 * 4) {
                                                    									_t205 =  *_t284;
                                                    									if(_t205 >= _a12) {
                                                    										_t207 = _t205 - _a12 + _t205 - _a12;
                                                    										_v36 =  &(_v36[1]);
                                                    										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                    										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                    									} else {
                                                    										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                    										_t208 =  *_t284;
                                                    										_v36 =  &(_t284[1]);
                                                    									}
                                                    									_a6 = _t208;
                                                    								} else {
                                                    									_a4 = 0xc0;
                                                    								}
                                                    								_t286 = 1 << _v8 - _t186;
                                                    								_t244 = _v12 >> _t186;
                                                    								while(_t244 < _v40) {
                                                    									 *(_t168 + _t244 * 4) = _a4;
                                                    									_t244 = _t244 + _t286;
                                                    								}
                                                    								_t287 = _v12;
                                                    								_t246 = 1 << _v44;
                                                    								while((_t287 & _t246) != 0) {
                                                    									_t287 = _t287 ^ _t246;
                                                    									_t246 = _t246 >> 1;
                                                    								}
                                                    								_t288 = _t287 ^ _t246;
                                                    								_v20 = 1;
                                                    								_v12 = _t288;
                                                    								_t251 = _v16;
                                                    								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                    									L60:
                                                    									if(_v48 != 0) {
                                                    										_t282 = _v48;
                                                    										_t283 = _t282 - 1;
                                                    										_t200 = _a28 + _t186;
                                                    										_v48 = _t283;
                                                    										_v24 = _t200;
                                                    										if(_v8 <= _t200) {
                                                    											goto L45;
                                                    										}
                                                    										goto L31;
                                                    									}
                                                    									break;
                                                    								} else {
                                                    									goto L58;
                                                    								}
                                                    								do {
                                                    									L58:
                                                    									_t186 = _t186 - _a28;
                                                    									_t251 = _t251 - 1;
                                                    								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                    								_v16 = _t251;
                                                    								goto L60;
                                                    							}
                                                    							L61:
                                                    							_v8 = _v8 + 1;
                                                    							_v32 = _v32 + 4;
                                                    							_v44 = _v44 + 1;
                                                    						} while (_v8 <= _v28);
                                                    						goto L62;
                                                    					}
                                                    					_t277 = 0;
                                                    					do {
                                                    						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                    						_t277 = _t277 + 4;
                                                    						_t235 = _t235 - 1;
                                                    						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                    					} while (_t235 != 0);
                                                    					goto L21;
                                                    				}
                                                    				 *_a24 =  *_a24 & 0x00000000;
                                                    				 *_a28 =  *_a28 & 0x00000000;
                                                    				return 0;
                                                    			}

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                                                    • Instruction ID: 968ea090ea57439d934916100a42e081e4144f1e312078ddc892fc3721ce49e9
                                                    • Opcode Fuzzy Hash: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                                                    • Instruction Fuzzy Hash: 18C14A31E0421ACBCF14CF68D4905EEBBB2BF99314F25866AD8567B380D734A942CF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 93%
                                                    			E0040416F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                    				intOrPtr _v8;
                                                    				signed int _v12;
                                                    				void* _v16;
                                                    				struct HWND__* _t52;
                                                    				long _t86;
                                                    				int _t98;
                                                    				struct HWND__* _t99;
                                                    				signed int _t100;
                                                    				intOrPtr _t103;
                                                    				signed int _t106;
                                                    				intOrPtr _t107;
                                                    				intOrPtr _t109;
                                                    				int _t110;
                                                    				signed int* _t112;
                                                    				signed int _t113;
                                                    				char* _t114;
                                                    				CHAR* _t115;
                                                    
                                                    				if(_a8 != 0x110) {
                                                    					__eflags = _a8 - 0x111;
                                                    					if(_a8 != 0x111) {
                                                    						L11:
                                                    						__eflags = _a8 - 0x4e;
                                                    						if(_a8 != 0x4e) {
                                                    							__eflags = _a8 - 0x40b;
                                                    							if(_a8 == 0x40b) {
                                                    								 *0x42983c =  *0x42983c + 1;
                                                    								__eflags =  *0x42983c;
                                                    							}
                                                    							L25:
                                                    							_t110 = _a16;
                                                    							L26:
                                                    							return E0040408D(_a8, _a12, _t110);
                                                    						}
                                                    						_t52 = GetDlgItem(_a4, 0x3e8);
                                                    						_t110 = _a16;
                                                    						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
                                                    						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
                                                    							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
                                                    							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                    								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                    								_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                    								_v12 = _t100;
                                                    								__eflags = _t100 - _t109 - 0x800;
                                                    								_v16 = _t109;
                                                    								_v8 = 0x42e3a0;
                                                    								if(_t100 - _t109 < 0x800) {
                                                    									SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                    									SetCursor(LoadCursorA(0, 0x7f02));
                                                    									_push(1);
                                                    									E00404413(_a4, _v8);
                                                    									SetCursor(LoadCursorA(0, 0x7f00));
                                                    									_t110 = _a16;
                                                    								}
                                                    							}
                                                    						}
                                                    						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
                                                    						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
                                                    							goto L26;
                                                    						} else {
                                                    							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
                                                    							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                    								goto L26;
                                                    							}
                                                    							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
                                                    							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                    								SendMessageA( *0x42f408, 0x111, 1, 0);
                                                    							}
                                                    							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
                                                    							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                    								SendMessageA( *0x42f408, 0x10, 0, 0);
                                                    							}
                                                    							return 1;
                                                    						}
                                                    					}
                                                    					__eflags = _a12 >> 0x10;
                                                    					if(_a12 >> 0x10 != 0) {
                                                    						goto L25;
                                                    					}
                                                    					__eflags =  *0x42983c; // 0x0
                                                    					if(__eflags != 0) {
                                                    						goto L25;
                                                    					}
                                                    					_t103 =  *0x42a048; // 0x49a02c
                                                    					_t25 = _t103 + 0x14; // 0x49a040
                                                    					_t112 = _t25;
                                                    					__eflags =  *_t112 & 0x00000020;
                                                    					if(( *_t112 & 0x00000020) == 0) {
                                                    						goto L25;
                                                    					}
                                                    					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                    					__eflags = _t106;
                                                    					 *_t112 = _t106;
                                                    					E00404048(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                    					E004043EF();
                                                    					goto L11;
                                                    				} else {
                                                    					_t98 = _a16;
                                                    					_t113 =  *(_t98 + 0x30);
                                                    					if(_t113 < 0) {
                                                    						_t107 =  *0x42ebdc; // 0x49bd31
                                                    						_t113 =  *(_t107 - 4 + _t113 * 4);
                                                    					}
                                                    					_push( *((intOrPtr*)(_t98 + 0x34)));
                                                    					_t114 = _t113 +  *0x42f458;
                                                    					_push(0x22);
                                                    					_a16 =  *_t114;
                                                    					_v12 = _v12 & 0x00000000;
                                                    					_t115 = _t114 + 1;
                                                    					_v16 = _t115;
                                                    					_v8 = E0040413A;
                                                    					E00404026(_a4);
                                                    					_push( *((intOrPtr*)(_t98 + 0x38)));
                                                    					_push(0x23);
                                                    					E00404026(_a4);
                                                    					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                    					E00404048( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                    					_t99 = GetDlgItem(_a4, 0x3e8);
                                                    					E0040405B(_t99);
                                                    					SendMessageA(_t99, 0x45b, 1, 0);
                                                    					_t86 =  *( *0x42f414 + 0x68);
                                                    					if(_t86 < 0) {
                                                    						_t86 = GetSysColor( ~_t86);
                                                    					}
                                                    					SendMessageA(_t99, 0x443, 0, _t86);
                                                    					SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                    					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                    					 *0x42983c = 0;
                                                    					SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                    					 *0x42983c = 0;
                                                    					return 0;
                                                    				}
                                                    			}

                                                    APIs
                                                    • CheckDlgButton.USER32 ref: 004041FA
                                                    • GetDlgItem.USER32 ref: 0040420E
                                                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040422C
                                                    • GetSysColor.USER32(?), ref: 0040423D
                                                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040424C
                                                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040425B
                                                    • lstrlenA.KERNEL32(?), ref: 0040425E
                                                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040426D
                                                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404282
                                                    • GetDlgItem.USER32 ref: 004042E4
                                                    • SendMessageA.USER32(00000000), ref: 004042E7
                                                    • GetDlgItem.USER32 ref: 00404312
                                                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404352
                                                    • LoadCursorA.USER32 ref: 00404361
                                                    • SetCursor.USER32(00000000), ref: 0040436A
                                                    • LoadCursorA.USER32 ref: 00404380
                                                    • SetCursor.USER32(00000000), ref: 00404383
                                                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 004043AF
                                                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                    • String ID: :A@$Call$N
                                                    • API String ID: 3103080414-988963664
                                                    • Opcode ID: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                                                    • Instruction ID: 4cc5751811e84191dd39768f0d3a0055f5535ab869bb222e46a2b56927204bf5
                                                    • Opcode Fuzzy Hash: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                                                    • Instruction Fuzzy Hash: DA6183B1A00205BFEB10AF61DD45F6A7B69EB84715F00413AFB05BA1D1C7B8A951CF98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 90%
                                                    			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                    				struct tagLOGBRUSH _v16;
                                                    				struct tagRECT _v32;
                                                    				struct tagPAINTSTRUCT _v96;
                                                    				struct HDC__* _t70;
                                                    				struct HBRUSH__* _t87;
                                                    				struct HFONT__* _t94;
                                                    				long _t102;
                                                    				signed int _t126;
                                                    				struct HDC__* _t128;
                                                    				intOrPtr _t130;
                                                    
                                                    				if(_a8 == 0xf) {
                                                    					_t130 =  *0x42f414;
                                                    					_t70 = BeginPaint(_a4,  &_v96);
                                                    					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                    					_a8 = _t70;
                                                    					GetClientRect(_a4,  &_v32);
                                                    					_t126 = _v32.bottom;
                                                    					_v32.bottom = _v32.bottom & 0x00000000;
                                                    					while(_v32.top < _t126) {
                                                    						_a12 = _t126 - _v32.top;
                                                    						asm("cdq");
                                                    						asm("cdq");
                                                    						asm("cdq");
                                                    						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                    						_t87 = CreateBrushIndirect( &_v16);
                                                    						_v32.bottom = _v32.bottom + 4;
                                                    						_a16 = _t87;
                                                    						FillRect(_a8,  &_v32, _t87);
                                                    						DeleteObject(_a16);
                                                    						_v32.top = _v32.top + 4;
                                                    					}
                                                    					if( *(_t130 + 0x58) != 0xffffffff) {
                                                    						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                    						_a16 = _t94;
                                                    						if(_t94 != 0) {
                                                    							_t128 = _a8;
                                                    							_v32.left = 0x10;
                                                    							_v32.top = 8;
                                                    							SetBkMode(_t128, 1);
                                                    							SetTextColor(_t128,  *(_t130 + 0x58));
                                                    							_a8 = SelectObject(_t128, _a16);
                                                    							DrawTextA(_t128, "Yllerion Setup", 0xffffffff,  &_v32, 0x820);
                                                    							SelectObject(_t128, _a8);
                                                    							DeleteObject(_a16);
                                                    						}
                                                    					}
                                                    					EndPaint(_a4,  &_v96);
                                                    					return 0;
                                                    				}
                                                    				_t102 = _a16;
                                                    				if(_a8 == 0x46) {
                                                    					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                    					 *((intOrPtr*)(_t102 + 4)) =  *0x42f408;
                                                    				}
                                                    				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                    			}

                                                    APIs
                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                    • GetClientRect.USER32 ref: 0040105B
                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                    • FillRect.USER32 ref: 004010E4
                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                    • DrawTextA.USER32(00000000,Yllerion Setup,000000FF,00000010,00000820), ref: 00401156
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                    • String ID: F$Yllerion Setup
                                                    • API String ID: 941294808-2001645527
                                                    • Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
                                                    • Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
                                                    • Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
                                                    • Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405BD4(void* __ecx) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				long _t12;
                                                    				long _t24;
                                                    				char* _t31;
                                                    				int _t37;
                                                    				void* _t38;
                                                    				intOrPtr* _t39;
                                                    				long _t42;
                                                    				CHAR* _t44;
                                                    				void* _t46;
                                                    				void* _t48;
                                                    				void* _t49;
                                                    				void* _t52;
                                                    				void* _t53;
                                                    
                                                    				_t38 = __ecx;
                                                    				_t44 =  *(_t52 + 0x14);
                                                    				 *0x42c600 = 0x4c554e;
                                                    				if(_t44 == 0) {
                                                    					L3:
                                                    					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca00, 0x400);
                                                    					if(_t12 != 0 && _t12 <= 0x400) {
                                                    						_t37 = wsprintfA(0x42c200, "%s=%s\r\n", 0x42c600, 0x42ca00);
                                                    						_t53 = _t52 + 0x10;
                                                    						E00405F87(_t37, 0x400, 0x42ca00, 0x42ca00,  *((intOrPtr*)( *0x42f414 + 0x128)));
                                                    						_t12 = E00405AFE(0x42ca00, 0xc0000000, 4);
                                                    						_t48 = _t12;
                                                    						 *(_t53 + 0x18) = _t48;
                                                    						if(_t48 != 0xffffffff) {
                                                    							_t42 = GetFileSize(_t48, 0);
                                                    							_t6 = _t37 + 0xa; // 0xa
                                                    							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                    							if(_t46 == 0 || E00405B76(_t48, _t46, _t42) == 0) {
                                                    								L18:
                                                    								return CloseHandle(_t48);
                                                    							} else {
                                                    								if(E00405A63(_t38, _t46, "[Rename]\r\n") != 0) {
                                                    									_t49 = E00405A63(_t38, _t21 + 0xa, 0x40a3b8);
                                                    									if(_t49 == 0) {
                                                    										_t48 =  *(_t53 + 0x18);
                                                    										L16:
                                                    										_t24 = _t42;
                                                    										L17:
                                                    										E00405AB9(_t24 + _t46, 0x42c200, _t37);
                                                    										SetFilePointer(_t48, 0, 0, 0);
                                                    										E00405BA5(_t48, _t46, _t42 + _t37);
                                                    										GlobalFree(_t46);
                                                    										goto L18;
                                                    									}
                                                    									_t39 = _t46 + _t42;
                                                    									_t31 = _t39 + _t37;
                                                    									while(_t39 > _t49) {
                                                    										 *_t31 =  *_t39;
                                                    										_t31 = _t31 - 1;
                                                    										_t39 = _t39 - 1;
                                                    									}
                                                    									_t24 = _t49 - _t46 + 1;
                                                    									_t48 =  *(_t53 + 0x18);
                                                    									goto L17;
                                                    								}
                                                    								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                    								_t42 = _t42 + 0xa;
                                                    								goto L16;
                                                    							}
                                                    						}
                                                    					}
                                                    				} else {
                                                    					CloseHandle(E00405AFE(_t44, 0, 1));
                                                    					_t12 = GetShortPathNameA(_t44, 0x42c600, 0x400);
                                                    					if(_t12 != 0 && _t12 <= 0x400) {
                                                    						goto L3;
                                                    					}
                                                    				}
                                                    				return _t12;
                                                    			}




















                                                    APIs
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D65,?,?), ref: 00405C05
                                                    • GetShortPathNameA.KERNEL32 ref: 00405C0E
                                                      • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
                                                      • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
                                                    • GetShortPathNameA.KERNEL32 ref: 00405C2B
                                                    • wsprintfA.USER32 ref: 00405C49
                                                    • GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405C84
                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C93
                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
                                                    • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D21
                                                    • GlobalFree.KERNEL32 ref: 00405D32
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D39
                                                      • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00405B02
                                                      • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                    • String ID: %s=%s$[Rename]
                                                    • API String ID: 2171350718-1727408572
                                                    • Opcode ID: 363ee5158e29d41a6ab622f5bcc6767fef57e6b00bf8f5aa156339dff7e04b73
                                                    • Instruction ID: 17f8f1309641d4637e2ed4fc5cbc189083b9795c86085c8cd532ee5919f79a85
                                                    • Opcode Fuzzy Hash: 363ee5158e29d41a6ab622f5bcc6767fef57e6b00bf8f5aa156339dff7e04b73
                                                    • Instruction Fuzzy Hash: 61310131601B19ABD2206B65AD8DF6B3A5CDF45714F14053BBA01F62D2EA7CA8018EBD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004061CF(CHAR* _a4) {
                                                    				char _t5;
                                                    				char _t7;
                                                    				char* _t15;
                                                    				char* _t16;
                                                    				CHAR* _t17;
                                                    
                                                    				_t17 = _a4;
                                                    				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                    					_t17 =  &(_t17[4]);
                                                    				}
                                                    				if( *_t17 != 0 && E0040596A(_t17) != 0) {
                                                    					_t17 =  &(_t17[2]);
                                                    				}
                                                    				_t5 =  *_t17;
                                                    				_t15 = _t17;
                                                    				_t16 = _t17;
                                                    				if(_t5 != 0) {
                                                    					do {
                                                    						if(_t5 > 0x1f &&  *((char*)(E00405928("*?|<>/\":", _t5))) == 0) {
                                                    							E00405AB9(_t16, _t17, CharNextA(_t17) - _t17);
                                                    							_t16 = CharNextA(_t16);
                                                    						}
                                                    						_t17 = CharNextA(_t17);
                                                    						_t5 =  *_t17;
                                                    					} while (_t5 != 0);
                                                    				}
                                                    				 *_t16 =  *_t16 & 0x00000000;
                                                    				while(1) {
                                                    					_t16 = CharPrevA(_t15, _t16);
                                                    					_t7 =  *_t16;
                                                    					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                    						break;
                                                    					}
                                                    					 *_t16 =  *_t16 & 0x00000000;
                                                    					if(_t15 < _t16) {
                                                    						continue;
                                                    					}
                                                    					break;
                                                    				}
                                                    				return _t7;
                                                    			}









                                                    APIs
                                                    • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\invoice.exe",7476FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
                                                    • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
                                                    • CharNextA.USER32(?,"C:\Users\user\Desktop\invoice.exe",7476FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
                                                    • CharPrevA.USER32(?,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
                                                    Strings
                                                    • "C:\Users\user\Desktop\invoice.exe", xrefs: 0040620B
                                                    • *?|<>/":, xrefs: 00406217
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004061D0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Char$Next$Prev
                                                    • String ID: "C:\Users\user\Desktop\invoice.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 589700163-89088941
                                                    • Opcode ID: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                                                    • Instruction ID: ed3a47555f86895cac8e455d85beb05a749fa7fcd8deb799c497f9efd275ca90
                                                    • Opcode Fuzzy Hash: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                                                    • Instruction Fuzzy Hash: D111E26180579029FB3226380C44B776F884F6A760F1900BFE8D2722C3CA7C5C62966E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00402C61(struct HWND__* _a4, intOrPtr _a8) {
                                                    				char _v68;
                                                    				int _t11;
                                                    				int _t20;
                                                    
                                                    				if(_a8 == 0x110) {
                                                    					SetTimer(_a4, 1, 0xfa, 0);
                                                    					_a8 = 0x113;
                                                    				}
                                                    				if(_a8 == 0x113) {
                                                    					_t20 =  *0x415420; // 0xd02b5
                                                    					_t11 =  *0x42142c; // 0xd24e8
                                                    					if(_t20 >= _t11) {
                                                    						_t20 = _t11;
                                                    					}
                                                    					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                    					SetWindowTextA(_a4,  &_v68);
                                                    					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                    				}
                                                    				return 0;
                                                    			}







                                                    APIs
                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
                                                    • MulDiv.KERNEL32(000D02B5,00000064,000D24E8), ref: 00402CA7
                                                    • wsprintfA.USER32 ref: 00402CB7
                                                    • SetWindowTextA.USER32(?,?), ref: 00402CC7
                                                    • SetDlgItemTextA.USER32 ref: 00402CD9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                    • String ID: verifying installer: %d%%$$
                                                    • API String ID: 1451636040-2655702876
                                                    • Opcode ID: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                                    • Instruction ID: 537944924eabc97b3cccf86cf440a0916c3cc685b10ad000e4021125f5d30dc2
                                                    • Opcode Fuzzy Hash: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                                    • Instruction Fuzzy Hash: 3401FF7164020DFBEF209F61DD09EEE37A9AB04305F008039FA06A92D0DBB999558F59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E0040408D(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                    				struct tagLOGBRUSH _v16;
                                                    				long _t35;
                                                    				long _t37;
                                                    				void* _t40;
                                                    				long* _t49;
                                                    
                                                    				if(_a4 + 0xfffffecd > 5) {
                                                    					L15:
                                                    					return 0;
                                                    				}
                                                    				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                                    				if(_t49 == 0) {
                                                    					goto L15;
                                                    				}
                                                    				_t35 =  *_t49;
                                                    				if((_t49[5] & 0x00000002) != 0) {
                                                    					_t35 = GetSysColor(_t35);
                                                    				}
                                                    				if((_t49[5] & 0x00000001) != 0) {
                                                    					SetTextColor(_a8, _t35);
                                                    				}
                                                    				SetBkMode(_a8, _t49[4]);
                                                    				_t37 = _t49[1];
                                                    				_v16.lbColor = _t37;
                                                    				if((_t49[5] & 0x00000008) != 0) {
                                                    					_t37 = GetSysColor(_t37);
                                                    					_v16.lbColor = _t37;
                                                    				}
                                                    				if((_t49[5] & 0x00000004) != 0) {
                                                    					SetBkColor(_a8, _t37);
                                                    				}
                                                    				if((_t49[5] & 0x00000010) != 0) {
                                                    					_v16.lbStyle = _t49[2];
                                                    					_t40 = _t49[3];
                                                    					if(_t40 != 0) {
                                                    						DeleteObject(_t40);
                                                    					}
                                                    					_t49[3] = CreateBrushIndirect( &_v16);
                                                    				}
                                                    				return _t49[3];
                                                    			}









                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                    • String ID:
                                                    • API String ID: 2320649405-0
                                                    • Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                                    • Instruction ID: 2d9fb341b818c34885f35f6e6d755d1b55c6e7706bb7847a6dc6733995099f15
                                                    • Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                                    • Instruction Fuzzy Hash: 1A216F71500704ABCB219F68DE08A4BBBF8AF41714F048939EAD5F66A0C734E948CB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 78%
                                                    			E100023D8(intOrPtr* _a4) {
                                                    				char _v80;
                                                    				intOrPtr _v84;
                                                    				short _v92;
                                                    				intOrPtr* _t22;
                                                    				void* _t24;
                                                    				intOrPtr _t25;
                                                    				signed int _t33;
                                                    				void* _t37;
                                                    				intOrPtr _t38;
                                                    				void* _t41;
                                                    
                                                    				_t37 = E10001215();
                                                    				_t22 = _a4;
                                                    				_t38 =  *((intOrPtr*)(_t22 + 0x814));
                                                    				_v84 = _t38;
                                                    				_t41 = (_t38 + 0x41 << 5) + _t22;
                                                    				do {
                                                    					if( *((intOrPtr*)(_t41 - 4)) != 0xffffffff) {
                                                    					}
                                                    					_t33 =  *(_t41 - 8);
                                                    					if(_t33 <= 7) {
                                                    						switch( *((intOrPtr*)(_t33 * 4 +  &M100024FB))) {
                                                    							case 0:
                                                    								 *_t37 = 0;
                                                    								goto L15;
                                                    							case 1:
                                                    								_push( *__eax);
                                                    								goto L13;
                                                    							case 2:
                                                    								__eax = E10001429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                    								goto L14;
                                                    							case 3:
                                                    								__eax = lstrcpynA(__edi,  *__eax,  *0x1000405c);
                                                    								goto L15;
                                                    							case 4:
                                                    								__ecx =  *0x1000405c;
                                                    								__edx = __ecx - 1;
                                                    								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
                                                    								__eax =  *0x1000405c;
                                                    								 *((char*)(__eax + __edi - 1)) = __bl;
                                                    								goto L15;
                                                    							case 5:
                                                    								__ecx =  &_v80;
                                                    								_push(0x27);
                                                    								_push( &_v80);
                                                    								_push( *__eax);
                                                    								__imp__StringFromGUID2();
                                                    								__eax =  &_v92;
                                                    								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x1000405c, __ebx, __ebx);
                                                    								goto L15;
                                                    							case 6:
                                                    								_push( *__esi);
                                                    								L13:
                                                    								__eax = wsprintfA(__edi, 0x10004000);
                                                    								L14:
                                                    								__esp = __esp + 0xc;
                                                    								goto L15;
                                                    						}
                                                    					}
                                                    					L15:
                                                    					_t24 =  *(_t41 + 0x14);
                                                    					if(_t24 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t41 - 4)) > 0)) {
                                                    						GlobalFree(_t24);
                                                    					}
                                                    					_t25 =  *((intOrPtr*)(_t41 + 0xc));
                                                    					if(_t25 != 0) {
                                                    						if(_t25 != 0xffffffff) {
                                                    							if(_t25 > 0) {
                                                    								E100012D1(_t25 - 1, _t37);
                                                    								goto L24;
                                                    							}
                                                    						} else {
                                                    							E10001266(_t37);
                                                    							L24:
                                                    						}
                                                    					}
                                                    					_v84 = _v84 - 1;
                                                    					_t41 = _t41 - 0x20;
                                                    				} while (_v84 >= 0);
                                                    				return GlobalFree(_t37);
                                                    			}














                                                    APIs
                                                      • Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                    • GlobalFree.KERNEL32 ref: 100024B3
                                                    • GlobalFree.KERNEL32 ref: 100024ED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.856054297.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.856040694.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856067293.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856081841.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$Alloc
                                                    • String ID:
                                                    • API String ID: 1780285237-0
                                                    • Opcode ID: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
                                                    • Instruction ID: c0db1d51d0d8beb2da32add46ec64f24e8f484468aa98c5ce89375ba0c102a5a
                                                    • Opcode Fuzzy Hash: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
                                                    • Instruction Fuzzy Hash: 0831A9B1504211EFF322DB94CCC4C2B7BBDEB853D4B118929FA4193228CB31AC94DB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00404957(struct HWND__* _a4, intOrPtr _a8) {
                                                    				long _v8;
                                                    				signed char _v12;
                                                    				unsigned int _v16;
                                                    				void* _v20;
                                                    				intOrPtr _v24;
                                                    				long _v56;
                                                    				void* _v60;
                                                    				long _t15;
                                                    				unsigned int _t19;
                                                    				signed int _t25;
                                                    				struct HWND__* _t28;
                                                    
                                                    				_t28 = _a4;
                                                    				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                    				if(_a8 == 0) {
                                                    					L4:
                                                    					_v56 = _t15;
                                                    					_v60 = 4;
                                                    					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                    					return _v24;
                                                    				}
                                                    				_t19 = GetMessagePos();
                                                    				_v16 = _t19 >> 0x10;
                                                    				_v20 = _t19;
                                                    				ScreenToClient(_t28,  &_v20);
                                                    				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                    				if((_v12 & 0x00000066) != 0) {
                                                    					_t15 = _v8;
                                                    					goto L4;
                                                    				}
                                                    				return _t25 | 0xffffffff;
                                                    			}















                                                    APIs
                                                    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404972
                                                    • GetMessagePos.USER32 ref: 0040497A
                                                    • ScreenToClient.USER32 ref: 00404994
                                                    • SendMessageA.USER32(?,00001111,00000000,?), ref: 004049A6
                                                    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049CC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Message$Send$ClientScreen
                                                    • String ID: f
                                                    • API String ID: 41195575-1993550816
                                                    • Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                    • Instruction ID: 403e93763916a0c69708d0661a5269b1e580af1e573dd698745729a1614bb606
                                                    • Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                    • Instruction Fuzzy Hash: 02015EB190021DBAEB01DBA4DD85BFFBBFCAF55711F10412BBA50B61C0C7B499018BA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 73%
                                                    			E00401D95(intOrPtr __edx) {
                                                    				void* __esi;
                                                    				int _t9;
                                                    				signed char _t15;
                                                    				struct HFONT__* _t18;
                                                    				intOrPtr _t30;
                                                    				struct HDC__* _t31;
                                                    				void* _t33;
                                                    				void* _t35;
                                                    
                                                    				_t30 = __edx;
                                                    				_t31 = GetDC( *(_t35 - 8));
                                                    				_t9 = E00402A9F(2);
                                                    				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
                                                    				0x40b820->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                    				ReleaseDC( *(_t35 - 8), _t31);
                                                    				 *0x40b830 = E00402A9F(3);
                                                    				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                    				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
                                                    				 *0x40b837 = 1;
                                                    				 *0x40b834 = _t15 & 0x00000001;
                                                    				 *0x40b835 = _t15 & 0x00000002;
                                                    				 *0x40b836 = _t15 & 0x00000004;
                                                    				E00405F87(_t9, _t31, _t33, "Times New Roman",  *((intOrPtr*)(_t35 - 0x24)));
                                                    				_t18 = CreateFontIndirectA(0x40b820);
                                                    				_push(_t18);
                                                    				_push(_t33);
                                                    				E00405EC3();
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t35 - 4));
                                                    				return 0;
                                                    			}












                                                    APIs
                                                    • GetDC.USER32(?), ref: 00401D98
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                                                    • ReleaseDC.USER32 ref: 00401DCB
                                                    • CreateFontIndirectA.GDI32(0040B820), ref: 00401E1A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                    • String ID: Times New Roman
                                                    • API String ID: 3808545654-927190056
                                                    • Opcode ID: 8d956707ffe88138eff2d14c933710156e05edfb94d5aae4ab48e4845a293012
                                                    • Instruction ID: e9269c0f41cd5a79e17a17131fa0488204b4df503fc5c3e11bd14e9e74a55962
                                                    • Opcode Fuzzy Hash: 8d956707ffe88138eff2d14c933710156e05edfb94d5aae4ab48e4845a293012
                                                    • Instruction Fuzzy Hash: 24014072944344AEE7006BB4AE49BA97FE8EB15705F109439F141B61F2CB790405CF6D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			E100021FA(void* __edx, intOrPtr _a4) {
                                                    				signed int _v4;
                                                    				void* _t36;
                                                    				signed int _t37;
                                                    				void* _t38;
                                                    				void* _t41;
                                                    				void* _t46;
                                                    				signed int* _t48;
                                                    				signed int* _t49;
                                                    
                                                    				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
                                                    				while(1) {
                                                    					_t9 = _a4 + 0x818; // 0x818
                                                    					_t49 = (_v4 << 5) + _t9;
                                                    					_t36 = _t49[6];
                                                    					if(_t36 == 0) {
                                                    						goto L9;
                                                    					}
                                                    					_t46 = 0x1a;
                                                    					if(_t36 == _t46) {
                                                    						goto L9;
                                                    					}
                                                    					if(_t36 != 0xffffffff) {
                                                    						if(_t36 <= 0 || _t36 > 0x19) {
                                                    							_t49[6] = _t46;
                                                    						} else {
                                                    							_t36 = E100012AD(_t36 - 1);
                                                    							L10:
                                                    						}
                                                    						goto L11;
                                                    					} else {
                                                    						_t36 = E1000123B();
                                                    						L11:
                                                    						_t41 = _t36;
                                                    						_t13 =  &(_t49[2]); // 0x820
                                                    						_t48 = _t13;
                                                    						if(_t49[1] != 0xffffffff) {
                                                    						}
                                                    						_t37 =  *_t49;
                                                    						_t49[7] = _t49[7] & 0x00000000;
                                                    						if(_t37 > 7) {
                                                    							L27:
                                                    							_t38 = GlobalFree(_t41);
                                                    							if(_v4 == 0) {
                                                    								return _t38;
                                                    							}
                                                    							if(_v4 !=  *((intOrPtr*)(_a4 + 0x814))) {
                                                    								_v4 = _v4 + 1;
                                                    							} else {
                                                    								_v4 = _v4 & 0x00000000;
                                                    							}
                                                    							continue;
                                                    						} else {
                                                    							switch( *((intOrPtr*)(_t37 * 4 +  &M1000237E))) {
                                                    								case 0:
                                                    									 *_t48 =  *_t48 & 0x00000000;
                                                    									goto L27;
                                                    								case 1:
                                                    									__eax = E100012FE(__ebx);
                                                    									goto L20;
                                                    								case 2:
                                                    									 *__ebp = E100012FE(__ebx);
                                                    									_a4 = __edx;
                                                    									goto L27;
                                                    								case 3:
                                                    									__eax = E10001224(__ebx);
                                                    									 *(__esi + 0x1c) = __eax;
                                                    									L20:
                                                    									 *__ebp = __eax;
                                                    									goto L27;
                                                    								case 4:
                                                    									 *0x1000405c =  *0x1000405c +  *0x1000405c;
                                                    									__edi = GlobalAlloc(0x40,  *0x1000405c +  *0x1000405c);
                                                    									 *0x1000405c = MultiByteToWideChar(0, 0, __ebx,  *0x1000405c, __edi,  *0x1000405c);
                                                    									if( *__esi != 5) {
                                                    										 *(__esi + 0x1c) = __edi;
                                                    										 *__ebp = __edi;
                                                    									} else {
                                                    										__eax = GlobalAlloc(0x40, 0x10);
                                                    										_push(__eax);
                                                    										 *(__esi + 0x1c) = __eax;
                                                    										_push(__edi);
                                                    										 *__ebp = __eax;
                                                    										__imp__CLSIDFromString();
                                                    										__eax = GlobalFree(__edi);
                                                    									}
                                                    									goto L27;
                                                    								case 5:
                                                    									if( *__ebx != 0) {
                                                    										__eax = E100012FE(__ebx);
                                                    										 *__edi = __eax;
                                                    									}
                                                    									goto L27;
                                                    								case 6:
                                                    									__esi =  *(__esi + 0x18);
                                                    									__esi = __esi - 1;
                                                    									__esi = __esi *  *0x1000405c;
                                                    									__esi = __esi +  *0x10004064;
                                                    									__eax = __esi + 0xc;
                                                    									 *__edi = __esi + 0xc;
                                                    									asm("cdq");
                                                    									__eax = E10001429(__edx, __esi + 0xc, __edx, __esi);
                                                    									goto L27;
                                                    							}
                                                    						}
                                                    					}
                                                    					L9:
                                                    					_t36 = E10001224(0x10004034);
                                                    					goto L10;
                                                    				}
                                                    			}

                                                    APIs
                                                    • GlobalFree.KERNEL32 ref: 10002348
                                                      • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 100022C5
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022DA
                                                    • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E9
                                                    • CLSIDFromString.OLE32(00000000,00000000), ref: 100022F7
                                                    • GlobalFree.KERNEL32 ref: 100022FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.856054297.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.856040694.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856067293.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856081841.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                    • String ID:
                                                    • API String ID: 3730416702-0
                                                    • Opcode ID: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
                                                    • Instruction ID: a642113aa4013a2ca06c871554e8d399cf46bf4099943ddf9e0960cc50565d32
                                                    • Opcode Fuzzy Hash: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
                                                    • Instruction Fuzzy Hash: A941BCB1508311EFF320DF648C84B6AB7E8FF443D0F11892AF946D61A9DB34AA40CB61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 86%
                                                    			E00402736(int __ebx) {
                                                    				void* _t26;
                                                    				long _t31;
                                                    				int _t45;
                                                    				void* _t49;
                                                    				void* _t51;
                                                    				void* _t54;
                                                    				void* _t55;
                                                    				void* _t56;
                                                    
                                                    				_t45 = __ebx;
                                                    				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                                                    				_t50 = E00402AC1(0xfffffff0);
                                                    				 *(_t56 - 0x34) = _t23;
                                                    				if(E0040596A(_t50) == 0) {
                                                    					E00402AC1(0xffffffed);
                                                    				}
                                                    				E00405AD9(_t50);
                                                    				_t26 = E00405AFE(_t50, 0x40000000, 2);
                                                    				 *(_t56 + 8) = _t26;
                                                    				if(_t26 != 0xffffffff) {
                                                    					_t31 =  *0x42f418;
                                                    					 *(_t56 - 0x30) = _t31;
                                                    					_t49 = GlobalAlloc(0x40, _t31);
                                                    					if(_t49 != _t45) {
                                                    						E004031A9(_t45);
                                                    						E00403193(_t49,  *(_t56 - 0x30));
                                                    						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                                                    						 *(_t56 - 0x3c) = _t54;
                                                    						if(_t54 != _t45) {
                                                    							E00402F81( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                                                    							while( *_t54 != _t45) {
                                                    								_t47 =  *_t54;
                                                    								_t55 = _t54 + 8;
                                                    								 *(_t56 - 0x84) =  *_t54;
                                                    								E00405AB9( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                    								_t54 = _t55 +  *(_t56 - 0x84);
                                                    							}
                                                    							GlobalFree( *(_t56 - 0x3c));
                                                    						}
                                                    						E00405BA5( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                                                    						GlobalFree(_t49);
                                                    						 *((intOrPtr*)(_t56 - 0xc)) = E00402F81(0xffffffff,  *(_t56 + 8), _t45, _t45);
                                                    					}
                                                    					CloseHandle( *(_t56 + 8));
                                                    				}
                                                    				_t51 = 0xfffffff3;
                                                    				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                                                    					_t51 = 0xffffffef;
                                                    					DeleteFileA( *(_t56 - 0x34));
                                                    					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                    				}
                                                    				_push(_t51);
                                                    				E00401423();
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t56 - 4));
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
                                                    • GlobalFree.KERNEL32 ref: 004027E5
                                                    • GlobalFree.KERNEL32 ref: 004027F8
                                                    • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                    • String ID:
                                                    • API String ID: 2667972263-0
                                                    • Opcode ID: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                                                    • Instruction ID: 6644526d81fa5c7ff175c86addd85cc92bc24fd3ec06af29a2511a4f4fc8a5d3
                                                    • Opcode Fuzzy Hash: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                                                    • Instruction Fuzzy Hash: 3B21BC71800124BBDF216FA5DE89D9E7B79EF04324F10423AF924762E0CA784D418FA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 77%
                                                    			E0040484D(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                    				char _v36;
                                                    				char _v68;
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				signed int _t21;
                                                    				signed int _t22;
                                                    				void* _t29;
                                                    				void* _t31;
                                                    				void* _t32;
                                                    				void* _t41;
                                                    				signed int _t43;
                                                    				signed int _t47;
                                                    				signed int _t50;
                                                    				signed int _t51;
                                                    				signed int _t53;
                                                    
                                                    				_t21 = _a16;
                                                    				_t51 = _a12;
                                                    				_t41 = 0xffffffdc;
                                                    				if(_t21 == 0) {
                                                    					_push(0x14);
                                                    					_pop(0);
                                                    					_t22 = _t51;
                                                    					if(_t51 < 0x100000) {
                                                    						_push(0xa);
                                                    						_pop(0);
                                                    						_t41 = 0xffffffdd;
                                                    					}
                                                    					if(_t51 < 0x400) {
                                                    						_t41 = 0xffffffde;
                                                    					}
                                                    					if(_t51 < 0xffff3333) {
                                                    						_t50 = 0x14;
                                                    						asm("cdq");
                                                    						_t22 = 1 / _t50 + _t51;
                                                    					}
                                                    					_t23 = _t22 & 0x00ffffff;
                                                    					_t53 = _t22 >> 0;
                                                    					_t43 = 0xa;
                                                    					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                    				} else {
                                                    					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                    					_t47 = 0;
                                                    				}
                                                    				_t29 = E00405F87(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                    				_t31 = E00405F87(_t41, _t47, _t53,  &_v68, _t41);
                                                    				_t32 = E00405F87(_t41, _t47, 0x42a870, 0x42a870, _a8);
                                                    				wsprintfA(_t32 + lstrlenA(0x42a870), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                    				return SetDlgItemTextA( *0x42ebd8, _a4, 0x42a870);
                                                    			}




















                                                    APIs
                                                    • lstrlenA.KERNEL32(Yllerion Setup: Installing,Yllerion Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
                                                    • wsprintfA.USER32 ref: 004048F3
                                                    • SetDlgItemTextA.USER32 ref: 00404906
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.837694337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837708195.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837716661.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.837788784.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: ItemTextlstrlenwsprintf
                                                    • String ID: %u.%u%s%s$Yllerion Setup: Installing
                                                    • API String ID: 3540041739-850023234
                                                    • Opcode ID: 54db272fd9225231769cced90d3b9a540a189ef805a7877c8ea43c669973e61d
                                                    • Instruction ID: 46e1028d5dd9cf3fa3a12b124fa319e283dc00677a7b855ac62dacd231200cde
                                                    • Opcode Fuzzy Hash: 54db272fd9225231769cced90d3b9a540a189ef805a7877c8ea43c669973e61d
                                                    • Instruction Fuzzy Hash: 8D11E477A041282BEB0075699C41EBF3298DB82374F24463BFE65F21D1E979CC1246E9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 97%
                                                    			E1000180D(signed int __edx, void* __eflags, void* _a8, void* _a16) {
                                                    				void* _v8;
                                                    				signed int _v12;
                                                    				signed int _v20;
                                                    				signed int _v24;
                                                    				char _v52;
                                                    				void* _t43;
                                                    				signed int _t44;
                                                    				signed int _t59;
                                                    				void _t63;
                                                    				void _t64;
                                                    				signed int _t65;
                                                    				signed int _t67;
                                                    				signed int _t68;
                                                    				signed int _t70;
                                                    				signed int _t71;
                                                    				void* _t76;
                                                    				void* _t77;
                                                    				void* _t78;
                                                    				void* _t79;
                                                    				void* _t80;
                                                    				signed int _t84;
                                                    				signed int _t86;
                                                    				signed int _t89;
                                                    				void* _t100;
                                                    
                                                    				_t84 = __edx;
                                                    				 *0x1000405c = _a8;
                                                    				_t59 = 0;
                                                    				 *0x10004060 = _a16;
                                                    				_v12 = 0;
                                                    				_v8 = E1000123B();
                                                    				_t89 = E100012FE(_t41);
                                                    				_t86 = _t84;
                                                    				_t43 = E1000123B();
                                                    				_t63 =  *_t43;
                                                    				_a8 = _t43;
                                                    				if(_t63 != 0x7e && _t63 != 0x21) {
                                                    					_a16 = E1000123B();
                                                    					_t59 = E100012FE(_t56);
                                                    					_v12 = _t84;
                                                    					GlobalFree(_a16);
                                                    					_t43 = _a8;
                                                    				}
                                                    				_t64 =  *_t43;
                                                    				_t100 = _t64 - 0x2f;
                                                    				if(_t100 > 0) {
                                                    					_t65 = _t64 - 0x3c;
                                                    					__eflags = _t65;
                                                    					if(_t65 == 0) {
                                                    						__eflags =  *((char*)(_t43 + 1)) - 0x3c;
                                                    						if( *((char*)(_t43 + 1)) != 0x3c) {
                                                    							__eflags = _t86 - _v12;
                                                    							if(__eflags > 0) {
                                                    								L54:
                                                    								_t44 = 0;
                                                    								__eflags = 0;
                                                    								L55:
                                                    								asm("cdq");
                                                    								L56:
                                                    								_t89 = _t44;
                                                    								L57:
                                                    								_t86 = _t84;
                                                    								L58:
                                                    								E10001429(_t84, _t89, _t86,  &_v52);
                                                    								E10001266( &_v52);
                                                    								GlobalFree(_v8);
                                                    								return GlobalFree(_a8);
                                                    							}
                                                    							if(__eflags < 0) {
                                                    								L47:
                                                    								__eflags = 0;
                                                    								L48:
                                                    								_t44 = 1;
                                                    								goto L55;
                                                    							}
                                                    							__eflags = _t89 - _t59;
                                                    							if(_t89 < _t59) {
                                                    								goto L47;
                                                    							}
                                                    							goto L54;
                                                    						}
                                                    						_t84 = _t86;
                                                    						_t44 = E10002CD0(_t89, _t59, _t84);
                                                    						goto L56;
                                                    					}
                                                    					_t67 = _t65 - 1;
                                                    					__eflags = _t67;
                                                    					if(_t67 == 0) {
                                                    						__eflags = _t89 - _t59;
                                                    						if(_t89 != _t59) {
                                                    							goto L54;
                                                    						}
                                                    						__eflags = _t86 - _v12;
                                                    						if(_t86 != _v12) {
                                                    							goto L54;
                                                    						}
                                                    						goto L47;
                                                    					}
                                                    					_t68 = _t67 - 1;
                                                    					__eflags = _t68;
                                                    					if(_t68 == 0) {
                                                    						__eflags =  *((char*)(_t43 + 1)) - 0x3e;
                                                    						if( *((char*)(_t43 + 1)) != 0x3e) {
                                                    							__eflags = _t86 - _v12;
                                                    							if(__eflags < 0) {
                                                    								goto L54;
                                                    							}
                                                    							if(__eflags > 0) {
                                                    								goto L47;
                                                    							}
                                                    							__eflags = _t89 - _t59;
                                                    							if(_t89 <= _t59) {
                                                    								goto L54;
                                                    							}
                                                    							goto L47;
                                                    						}
                                                    						_t84 = _t86;
                                                    						_t44 = E10002CF0(_t89, _t59, _t84);
                                                    						goto L56;
                                                    					}
                                                    					_t70 = _t68 - 0x20;
                                                    					__eflags = _t70;
                                                    					if(_t70 == 0) {
                                                    						_t89 = _t89 ^ _t59;
                                                    						_t86 = _t86 ^ _v12;
                                                    						goto L58;
                                                    					}
                                                    					_t71 = _t70 - 0x1e;
                                                    					__eflags = _t71;
                                                    					if(_t71 == 0) {
                                                    						__eflags =  *((char*)(_t43 + 1)) - 0x7c;
                                                    						if( *((char*)(_t43 + 1)) != 0x7c) {
                                                    							_t89 = _t89 | _t59;
                                                    							_t86 = _t86 | _v12;
                                                    							goto L58;
                                                    						}
                                                    						__eflags = _t89 | _t86;
                                                    						if((_t89 | _t86) != 0) {
                                                    							goto L47;
                                                    						}
                                                    						__eflags = _t59 | _v12;
                                                    						if((_t59 | _v12) != 0) {
                                                    							goto L47;
                                                    						}
                                                    						goto L54;
                                                    					}
                                                    					__eflags = _t71 == 0;
                                                    					if(_t71 == 0) {
                                                    						_t89 =  !_t89;
                                                    						_t86 =  !_t86;
                                                    					}
                                                    					goto L58;
                                                    				}
                                                    				if(_t100 == 0) {
                                                    					L21:
                                                    					__eflags = _t59 | _v12;
                                                    					if((_t59 | _v12) != 0) {
                                                    						_v24 = E10002B60(_t89, _t86, _t59, _v12);
                                                    						_v20 = _t84;
                                                    						_t89 = E10002C10(_t89, _t86, _t59, _v12);
                                                    						_t43 = _a8;
                                                    					} else {
                                                    						_v24 = _v24 & 0x00000000;
                                                    						_v20 = _v20 & 0x00000000;
                                                    						_t84 = _t86;
                                                    					}
                                                    					__eflags =  *_t43 - 0x2f;
                                                    					if( *_t43 != 0x2f) {
                                                    						goto L57;
                                                    					} else {
                                                    						_t89 = _v24;
                                                    						_t86 = _v20;
                                                    						goto L58;
                                                    					}
                                                    				}
                                                    				_t76 = _t64 - 0x21;
                                                    				if(_t76 == 0) {
                                                    					_t44 = 0;
                                                    					__eflags = _t89 | _t86;
                                                    					if((_t89 | _t86) != 0) {
                                                    						goto L55;
                                                    					}
                                                    					goto L48;
                                                    				}
                                                    				_t77 = _t76 - 4;
                                                    				if(_t77 == 0) {
                                                    					goto L21;
                                                    				}
                                                    				_t78 = _t77 - 1;
                                                    				if(_t78 == 0) {
                                                    					__eflags =  *((char*)(_t43 + 1)) - 0x26;
                                                    					if( *((char*)(_t43 + 1)) != 0x26) {
                                                    						_t89 = _t89 & _t59;
                                                    						_t86 = _t86 & _v12;
                                                    						goto L58;
                                                    					}
                                                    					__eflags = _t89 | _t86;
                                                    					if((_t89 | _t86) == 0) {
                                                    						goto L54;
                                                    					}
                                                    					__eflags = _t59 | _v12;
                                                    					if((_t59 | _v12) == 0) {
                                                    						goto L54;
                                                    					}
                                                    					goto L47;
                                                    				}
                                                    				_t79 = _t78 - 4;
                                                    				if(_t79 == 0) {
                                                    					_t44 = E10002B20(_t89, _t86, _t59, _v12);
                                                    					goto L56;
                                                    				} else {
                                                    					_t80 = _t79 - 1;
                                                    					if(_t80 == 0) {
                                                    						_t89 = _t89 + _t59;
                                                    						asm("adc edi, [ebp-0x8]");
                                                    					} else {
                                                    						if(_t80 == 0) {
                                                    							_t89 = _t89 - _t59;
                                                    							asm("sbb edi, [ebp-0x8]");
                                                    						}
                                                    					}
                                                    					goto L58;
                                                    				}
                                                    			}



























                                                    0x100018d8
                                                    0x1000188d
                                                    0x10001890
                                                    0x100018b7
                                                    0x00000000
                                                    0x10001892
                                                    0x10001892
                                                    0x10001893
                                                    0x100018a7
                                                    0x100018a9
                                                    0x10001895
                                                    0x10001897
                                                    0x1000189d
                                                    0x1000189f
                                                    0x1000189f
                                                    0x10001897
                                                    0x00000000
                                                    0x10001893

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.856054297.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_invoice.jbxd
                                                    Similarity
                                                    • API ID: FreeGlobal
                                                    • String ID:
                                                    • API String ID: 2979337801-0
                                                    • Opcode ID: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
                                                    • Instruction ID: adaf369aa6dab84e94bee76403d526b7d43184adb12fe210256c1aedb67fe499
                                                    • Opcode Fuzzy Hash: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
                                                    • Instruction Fuzzy Hash: 43512536D04159AEFB55DFB488A4AEEBBF6EF453C0F124169E841B315DCA306E4087D2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00401D3B(int __edx) {
                                                    				void* _t17;
                                                    				struct HINSTANCE__* _t21;
                                                    				struct HWND__* _t25;
                                                    				void* _t27;
                                                    
                                                    				_t25 = GetDlgItem( *(_t27 - 8), __edx);
                                                    				GetClientRect(_t25, _t27 - 0x48);
                                                    				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402AC1(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x20),  *(_t27 - 0x3c) *  *(_t27 - 0x20), 0x10));
                                                    				if(_t17 != _t21) {
                                                    					DeleteObject(_t17);
                                                    				}
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t27 - 4));
                                                    				return 0;
                                                    			}







                                                    APIs
                                                    • GetDlgItem.USER32 ref: 00401D3F
                                                    • GetClientRect.USER32 ref: 00401D4C
                                                    • LoadImageA.USER32 ref: 00401D6D
                                                    • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
                                                    • DeleteObject.GDI32(00000000), ref: 00401D8A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                    • String ID:
                                                    • API String ID: 1849352358-0
                                                    • Opcode ID: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                                                    • Instruction ID: b94dd0b2fc2efe961c915ac3dbaedcbaa59703da1128c811c259d0727350af9e
                                                    • Opcode Fuzzy Hash: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                                                    • Instruction Fuzzy Hash: 6EF0FFB2600515BFDB00EBA4DE88DAFB7BCEB44301B04447AF645F2191CA748D018B38
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 59%
                                                    			E00401C04(intOrPtr __edx) {
                                                    				int _t29;
                                                    				long _t30;
                                                    				signed int _t32;
                                                    				CHAR* _t35;
                                                    				long _t36;
                                                    				int _t41;
                                                    				signed int _t42;
                                                    				int _t46;
                                                    				int _t56;
                                                    				intOrPtr _t57;
                                                    				struct HWND__* _t61;
                                                    				void* _t64;
                                                    
                                                    				_t57 = __edx;
                                                    				_t29 = E00402A9F(3);
                                                    				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                                                    				 *(_t64 - 8) = _t29;
                                                    				_t30 = E00402A9F(4);
                                                    				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                                                    				 *(_t64 + 8) = _t30;
                                                    				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                    					 *((intOrPtr*)(__ebp - 8)) = E00402AC1(0x33);
                                                    				}
                                                    				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                    				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                    					 *(_t64 + 8) = E00402AC1(0x44);
                                                    				}
                                                    				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                    				_push(1);
                                                    				if(__eflags != 0) {
                                                    					_t59 = E00402AC1();
                                                    					_t32 = E00402AC1();
                                                    					asm("sbb ecx, ecx");
                                                    					asm("sbb eax, eax");
                                                    					_t35 =  ~( *_t31) & _t59;
                                                    					__eflags = _t35;
                                                    					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                    					goto L10;
                                                    				} else {
                                                    					_t61 = E00402A9F();
                                                    					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                                                    					_t41 = E00402A9F(2);
                                                    					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                                                    					_t56 =  *(_t64 - 0x14) >> 2;
                                                    					if(__eflags == 0) {
                                                    						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                                                    						L10:
                                                    						 *(_t64 - 0xc) = _t36;
                                                    					} else {
                                                    						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                                                    						asm("sbb eax, eax");
                                                    						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                    					}
                                                    				}
                                                    				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                    				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                    					_push( *(_t64 - 0xc));
                                                    					E00405EC3();
                                                    				}
                                                    				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t64 - 4));
                                                    				return 0;
                                                    			}















                                                    APIs
                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
                                                    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Timeout
                                                    • String ID: !
                                                    • API String ID: 1777923405-2657877971
                                                    • Opcode ID: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
                                                    • Instruction ID: bdc01a124477b6dd133b62af0939e03034df0dda3ad70936a50ebcebbcd9d6cc
                                                    • Opcode Fuzzy Hash: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
                                                    • Instruction Fuzzy Hash: 9F218F71A44209BEEB15DFA5D946AED7BB0EB84304F14803EF505F61D1DA7889408F28
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004058FD(CHAR* _a4) {
                                                    				CHAR* _t7;
                                                    
                                                    				_t7 = _a4;
                                                    				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                    					lstrcatA(_t7, 0x40a014);
                                                    				}
                                                    				return _t7;
                                                    			}




                                                    APIs
                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00405903
                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 0040590C
                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 0040591D
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004058FD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrcatlstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 2659869361-3081826266
                                                    • Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                                    • Instruction ID: 647ad7e742d71b16062aa4f61d1124f0b3f0fcedfae467302285f0529c6cb9e2
                                                    • Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                                    • Instruction Fuzzy Hash: 46D0C9A2606A317AD21227159C09EDB6A4CCF57755B054076F640B61A1CA7C4D428BFE
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 84%
                                                    			E00402BB4(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                                                    				void* _v8;
                                                    				char _v272;
                                                    				void* _t19;
                                                    				signed int _t26;
                                                    				intOrPtr* _t28;
                                                    				signed int _t33;
                                                    				signed int _t34;
                                                    				signed int _t35;
                                                    
                                                    				_t34 = _a12;
                                                    				_t35 = _t34 & 0x00000300;
                                                    				_t33 = _t34 & 0x00000001;
                                                    				_t19 = E00405DEB(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8);
                                                    				if(_t19 == 0) {
                                                    					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                                    						__eflags = _t33;
                                                    						if(__eflags != 0) {
                                                    							RegCloseKey(_v8);
                                                    							return 1;
                                                    						}
                                                    						_t26 = E00402BB4(__eflags, _v8,  &_v272, _a12);
                                                    						__eflags = _t26;
                                                    						if(_t26 != 0) {
                                                    							break;
                                                    						}
                                                    					}
                                                    					RegCloseKey(_v8);
                                                    					_t28 = E004062FD(3);
                                                    					if(_t28 == 0) {
                                                    						return RegDeleteKeyA(_a4, _a8);
                                                    					}
                                                    					return  *_t28(_a4, _a8, _t35, 0);
                                                    				}
                                                    				return _t19;
                                                    			}











                                                    APIs
                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
                                                    • RegCloseKey.ADVAPI32(?), ref: 00402C22
                                                    • RegCloseKey.ADVAPI32(?), ref: 00402C43
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Close$Enum
                                                    • String ID:
                                                    • API String ID: 464197530-0
                                                    • Opcode ID: 11be2661f8599cd0237f1c1554e4f8b4188825d64962de0b1740bf644c97f38e
                                                    • Instruction ID: b62f4967d327be975f6bbb281b4945b449d6b6e398a7fc8ef6fb9c274ae0afe8
                                                    • Opcode Fuzzy Hash: 11be2661f8599cd0237f1c1554e4f8b4188825d64962de0b1740bf644c97f38e
                                                    • Instruction Fuzzy Hash: 9A118832500109BBEF01AF91CF09B9E3B79EF08341F104036BA05B50E0E7B4EE52AB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00402CE4(intOrPtr _a4) {
                                                    				long _t2;
                                                    				struct HWND__* _t3;
                                                    				struct HWND__* _t6;
                                                    
                                                    				if(_a4 == 0) {
                                                    					__eflags =  *0x421428; // 0x0
                                                    					if(__eflags == 0) {
                                                    						_t2 = GetTickCount();
                                                    						__eflags = _t2 -  *0x42f410;
                                                    						if(_t2 >  *0x42f410) {
                                                    							_t3 = CreateDialogParamA( *0x42f400, 0x6f, 0, E00402C61, 0);
                                                    							 *0x421428 = _t3;
                                                    							return ShowWindow(_t3, 5);
                                                    						}
                                                    						return _t2;
                                                    					} else {
                                                    						return E00406339(0);
                                                    					}
                                                    				} else {
                                                    					_t6 =  *0x421428; // 0x0
                                                    					if(_t6 != 0) {
                                                    						_t6 = DestroyWindow(_t6);
                                                    					}
                                                    					 *0x421428 = 0;
                                                    					return _t6;
                                                    				}
                                                    			}







                                                    APIs
                                                    • DestroyWindow.USER32(00000000,00000000,00402EC4,00000001), ref: 00402CF7
                                                    • GetTickCount.KERNEL32 ref: 00402D15
                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402D40
                                                    Similarity
                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                    • String ID:
                                                    • API String ID: 2102729457-0
                                                    • Opcode ID: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                                                    • Instruction ID: 5343e4f3fd542578671bd54a8d6f819db7b5394acccd132b40ed42660498aa91
                                                    • Opcode Fuzzy Hash: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                                                    • Instruction Fuzzy Hash: 01F05430601521EBC7207F24FE8CA8F7A64BB08B11791047AF445B21F4DBB448C28B9C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 91%
                                                    			E00405000(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                    				int _t11;
                                                    				int _t15;
                                                    				long _t16;
                                                    
                                                    				_t15 = _a8;
                                                    				if(_t15 != 0x102) {
                                                    					__eflags = _t15 - 0x200;
                                                    					if(_t15 != 0x200) {
                                                    						_t16 = _a16;
                                                    						L7:
                                                    						__eflags = _t15 - 0x419;
                                                    						if(_t15 == 0x419) {
                                                    							__eflags =  *0x42a85c - _t16; // 0x0
                                                    							if(__eflags != 0) {
                                                    								_push(_t16);
                                                    								_push(6);
                                                    								 *0x42a85c = _t16;
                                                    								E004049D7();
                                                    							}
                                                    						}
                                                    						L11:
                                                    						return CallWindowProcA( *0x42a864, _a4, _t15, _a12, _t16);
                                                    					}
                                                    					_t11 = IsWindowVisible(_a4);
                                                    					__eflags = _t11;
                                                    					if(_t11 == 0) {
                                                    						L10:
                                                    						_t16 = _a16;
                                                    						goto L11;
                                                    					}
                                                    					_t16 = E00404957(_a4, 1);
                                                    					_t15 = 0x419;
                                                    					goto L7;
                                                    				}
                                                    				if(_a12 == 0x20) {
                                                    					E00404072(0x413);
                                                    					return 0;
                                                    				}
                                                    				goto L10;
                                                    			}







                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 0040502F
                                                    • CallWindowProcA.USER32 ref: 00405080
                                                      • Part of subcall function 00404072: SendMessageA.USER32(0001042C,00000000,00000000,00000000), ref: 00404084
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$CallMessageProcSendVisible
                                                    • String ID:
                                                    • API String ID: 3748168415-3916222277
                                                    • Opcode ID: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                                                    • Instruction ID: 2f0027df7ddfe28b71d6e39f600ecebaf2ba5c74aec8f2e947ae9809186c917a
                                                    • Opcode Fuzzy Hash: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                                                    • Instruction Fuzzy Hash: 48017171500609ABDF205F51DD80E6F3B65EB84754F14403BFA01751D2C77A8CA29F9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 53%
                                                    			E004059EB(void* __eflags, intOrPtr _a4) {
                                                    				int _t11;
                                                    				signed char* _t12;
                                                    				intOrPtr _t18;
                                                    				intOrPtr* _t21;
                                                    				void* _t22;
                                                    
                                                    				E00405F65(0x42bc78, _a4);
                                                    				_t21 = E00405996(0x42bc78);
                                                    				if(_t21 != 0) {
                                                    					E004061CF(_t21);
                                                    					if(( *0x42f41c & 0x00000080) == 0) {
                                                    						L5:
                                                    						_t22 = _t21 - 0x42bc78;
                                                    						while(1) {
                                                    							_t11 = lstrlenA(0x42bc78);
                                                    							_push(0x42bc78);
                                                    							if(_t11 <= _t22) {
                                                    								break;
                                                    							}
                                                    							_t12 = E00406268();
                                                    							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                    								E00405944(0x42bc78);
                                                    								continue;
                                                    							} else {
                                                    								goto L1;
                                                    							}
                                                    						}
                                                    						E004058FD();
                                                    						return 0 | GetFileAttributesA(??) != 0xffffffff;
                                                    					}
                                                    					_t18 =  *_t21;
                                                    					if(_t18 == 0 || _t18 == 0x5c) {
                                                    						goto L1;
                                                    					} else {
                                                    						goto L5;
                                                    					}
                                                    				}
                                                    				L1:
                                                    				return 0;
                                                    			}









                                                    APIs
                                                      • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,Yllerion Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                                                      • Part of subcall function 00405996: CharNextA.USER32(?,?,0042BC78,?,00405A02,0042BC78,0042BC78,7476FA90,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A4
                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
                                                    • lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,7476FA90,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,7476FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A3E
                                                    • GetFileAttributesA.KERNEL32(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,7476FA90,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,7476FA90,C:\Users\user\AppData\Local\Temp\), ref: 00405A4E
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004059EB
                                                    Similarity
                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 3248276644-3081826266
                                                    • Opcode ID: abce9bb9807016b4c276db8bae45b4b3eed95d690bc7d0fbdb1e72e6f8ad0fcb
                                                    • Instruction ID: 1f06baf1138d21f74630751e728cacf5283a8138a78bcc2982ba797f27b9272c
                                                    • Opcode Fuzzy Hash: abce9bb9807016b4c276db8bae45b4b3eed95d690bc7d0fbdb1e72e6f8ad0fcb
                                                    • Instruction Fuzzy Hash: 53F0C831315DA256C622323A1D45AAF1B45CE87338709477FF891B12D2EB3C89439EBD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405604(CHAR* _a4) {
                                                    				struct _PROCESS_INFORMATION _v20;
                                                    				int _t7;
                                                    
                                                    				0x42c078->cb = 0x44;
                                                    				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c078,  &_v20);
                                                    				if(_t7 != 0) {
                                                    					CloseHandle(_v20.hThread);
                                                    					return _v20.hProcess;
                                                    				}
                                                    				return _t7;
                                                    			}






                                                    APIs
                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 0040562D
                                                    • CloseHandle.KERNEL32(?), ref: 0040563A
                                                    Strings
                                                    • Error launching installer, xrefs: 00405617
                                                    Similarity
                                                    • API ID: CloseCreateHandleProcess
                                                    • String ID: Error launching installer
                                                    • API String ID: 3712363035-66219284
                                                    • Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                                    • Instruction ID: a14d50d96640d218925096829ca07d1800dc2b789f456133151d87fd2ad2a836
                                                    • Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                                    • Instruction Fuzzy Hash: 9EE046F0640209BFEB109FA0ED49F7F7AACEB00704F404921BD00F2290E67499088A7C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00403720() {
                                                    				void* _t2;
                                                    				void* _t3;
                                                    				void* _t6;
                                                    				void* _t8;
                                                    
                                                    				_t8 =  *0x429834; // 0x4ce6d8
                                                    				_t3 = E00403705(_t2, 0);
                                                    				if(_t8 != 0) {
                                                    					do {
                                                    						_t6 = _t8;
                                                    						_t8 =  *_t8;
                                                    						FreeLibrary( *(_t6 + 8));
                                                    						_t3 = GlobalFree(_t6);
                                                    					} while (_t8 != 0);
                                                    				}
                                                    				 *0x429834 =  *0x429834 & 0x00000000;
                                                    				return _t3;
                                                    			}







                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,7476FA90,00000000,C:\Users\user\AppData\Local\Temp\,004036F8,00403512,?,?,00000006,00000008,0000000A), ref: 0040373A
                                                    • GlobalFree.KERNEL32 ref: 00403741
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403720
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Free$GlobalLibrary
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 1100898210-3081826266
                                                    • Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
                                                    • Instruction ID: 7d8ce370987dd57b7bf148727d206b09ac62311aee63c146eb442539f55f5a8e
                                                    • Opcode Fuzzy Hash: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
                                                    • Instruction Fuzzy Hash: 39E0C27391212097C7313F54EE0871ABBA86F46B22F0A403AE8407B26487745C428BCC
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405944(char* _a4) {
                                                    				char* _t3;
                                                    				char* _t5;
                                                    
                                                    				_t5 = _a4;
                                                    				_t3 =  &(_t5[lstrlenA(_t5)]);
                                                    				while( *_t3 != 0x5c) {
                                                    					_t3 = CharPrevA(_t5, _t3);
                                                    					if(_t3 > _t5) {
                                                    						continue;
                                                    					}
                                                    					break;
                                                    				}
                                                    				 *_t3 =  *_t3 & 0x00000000;
                                                    				return  &(_t3[1]);
                                                    			}





                                                    APIs
                                                    • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\invoice.exe,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 0040594A
                                                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\invoice.exe,C:\Users\user\Desktop\invoice.exe,80000000,00000003), ref: 00405958
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrlen
                                                    • String ID: C:\Users\user\Desktop
                                                    • API String ID: 2709904686-224404859
                                                    • Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                                    • Instruction ID: 9e2646df26482555437471894173605ef17f2c9d125cfcd2b42401f98a5df656
                                                    • Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                                    • Instruction Fuzzy Hash: D6D0C9A240DDB1AEE70363249C04B9F6A88DF17710F0944A6E180B61A5C77C4D828BAD
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E100010E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                    				char* _t17;
                                                    				char _t19;
                                                    				void* _t20;
                                                    				void* _t24;
                                                    				void* _t27;
                                                    				void* _t31;
                                                    				void* _t37;
                                                    				void* _t39;
                                                    				void* _t40;
                                                    				signed int _t43;
                                                    				void* _t52;
                                                    				char* _t53;
                                                    				char* _t55;
                                                    				void* _t56;
                                                    				void* _t58;
                                                    
                                                    				 *0x1000405c = _a8;
                                                    				 *0x10004060 = _a16;
                                                    				 *0x10004064 = _a12;
                                                    				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556, _t52);
                                                    				_t43 =  *0x1000405c +  *0x1000405c * 4 << 2;
                                                    				_t17 = E1000123B();
                                                    				_a8 = _t17;
                                                    				_t53 = _t17;
                                                    				if( *_t17 == 0) {
                                                    					L16:
                                                    					return GlobalFree(_a8);
                                                    				} else {
                                                    					do {
                                                    						_t19 =  *_t53;
                                                    						_t55 = _t53 + 1;
                                                    						_t58 = _t19 - 0x6c;
                                                    						if(_t58 > 0) {
                                                    							_t20 = _t19 - 0x70;
                                                    							if(_t20 == 0) {
                                                    								L12:
                                                    								_t53 = _t55 + 1;
                                                    								_t24 = E10001266(E100012AD( *_t55 - 0x30));
                                                    								L13:
                                                    								GlobalFree(_t24);
                                                    								goto L14;
                                                    							}
                                                    							_t27 = _t20;
                                                    							if(_t27 == 0) {
                                                    								L10:
                                                    								_t53 = _t55 + 1;
                                                    								_t24 = E100012D1( *_t55 - 0x30, E1000123B());
                                                    								goto L13;
                                                    							}
                                                    							L7:
                                                    							if(_t27 == 1) {
                                                    								_t31 = GlobalAlloc(0x40, _t43 + 4);
                                                    								 *_t31 =  *0x10004030;
                                                    								 *0x10004030 = _t31;
                                                    								E10001508(_t31 + 4,  *0x10004064, _t43);
                                                    								_t56 = _t56 + 0xc;
                                                    							}
                                                    							goto L14;
                                                    						}
                                                    						if(_t58 == 0) {
                                                    							L17:
                                                    							_t34 =  *0x10004030;
                                                    							if( *0x10004030 != 0) {
                                                    								E10001508( *0x10004064, _t34 + 4, _t43);
                                                    								_t37 =  *0x10004030;
                                                    								_t56 = _t56 + 0xc;
                                                    								GlobalFree(_t37);
                                                    								 *0x10004030 =  *_t37;
                                                    							}
                                                    							goto L14;
                                                    						}
                                                    						_t39 = _t19 - 0x4c;
                                                    						if(_t39 == 0) {
                                                    							goto L17;
                                                    						}
                                                    						_t40 = _t39 - 4;
                                                    						if(_t40 == 0) {
                                                    							 *_t55 =  *_t55 + 0xa;
                                                    							goto L12;
                                                    						}
                                                    						_t27 = _t40;
                                                    						if(_t27 == 0) {
                                                    							 *_t55 =  *_t55 + 0xa;
                                                    							goto L10;
                                                    						}
                                                    						goto L7;
                                                    						L14:
                                                    					} while ( *_t53 != 0);
                                                    					goto L16;
                                                    				}
                                                    			}


















                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.856054297.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.856040694.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856067293.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000000.00000002.856081841.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_invoice.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$Alloc
                                                    • String ID:
                                                    • API String ID: 1780285237-0
                                                    • Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                                    • Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
                                                    • Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                                    • Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00405A63(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                    				int _v8;
                                                    				int _t12;
                                                    				int _t14;
                                                    				int _t15;
                                                    				CHAR* _t17;
                                                    				CHAR* _t27;
                                                    
                                                    				_t12 = lstrlenA(_a8);
                                                    				_t27 = _a4;
                                                    				_v8 = _t12;
                                                    				while(lstrlenA(_t27) >= _v8) {
                                                    					_t14 = _v8;
                                                    					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                    					_t15 = lstrcmpiA(_t27, _a8);
                                                    					_t27[_v8] =  *(_t14 + _t27);
                                                    					if(_t15 == 0) {
                                                    						_t17 = _t27;
                                                    					} else {
                                                    						_t27 = CharNextA(_t27);
                                                    						continue;
                                                    					}
                                                    					L5:
                                                    					return _t17;
                                                    				}
                                                    				_t17 = 0;
                                                    				goto L5;
                                                    			}









                                                    APIs
                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
                                                    • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A8B
                                                    • CharNextA.USER32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A9C
                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.837700061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_invoice.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                    • String ID:
                                                    • API String ID: 190613189-0
                                                    • Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                                    • Instruction ID: de8867e187cffd76a1833f018909c3af52f45fcf8c0597c8515af2ce59788131
                                                    • Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                                    • Instruction Fuzzy Hash: F5F0C231201818AFCB02DBA4CD80D9EBBA8EF46350B2540B9E840F7211D774DE019FA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%