Edit tour

Windows Analysis Report
download.exe

Overview

General Information

Sample Name:	download.exe
Analysis ID:	830512
MD5:	064fa36da0c2ca360b0906cc5bfe67c6
SHA1:	a6623c33cbd86bdaee063f897bea1692621494e5
SHA256:	6974c5051372213d0e90147660c4b21bfff238e20c6449acb19f1901bf4729c8
Infos:

Detection

GuLoader

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

PE file does not import any functions

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

PE / OLE file has an invalid certificate

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

download.exe (PID: 5412 cmdline: C:\Users\user\Desktop\download.exe MD5: 064FA36DA0C2CA360B0906CC5BFE67C6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-usering/ https://blog.morphisec.com/guloader-the-rat-downloader https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.779236025.000000000693F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: download.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: download.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405745
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00406280 FindFirstFileA,FindClose,	0_2_00406280

Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: lang-1032.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: lang-1032.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: lang-1032.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: lang-1032.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: lang-1032.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: lang-1032.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: lang-1032.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: lang-1032.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: lang-1032.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: lang-1032.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: download.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: download.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: lang-1032.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: lang-1032.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: lang-1032.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: download.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: download.exe	String found in binary or memory: http://s.symcd.com06
Source: download.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: download.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: download.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: lang-1032.dll.0.dr	String found in binary or memory: http://www.avast.com0/
Source: lang-1032.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: download.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: download.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: download.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: lang-1032.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_004051E2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051E2

Source: download.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: lang-1032.dll.0.dr

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004031E9

Source: C:\Users\user\Desktop\download.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00404A21		0_2_00404A21
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_73B61A98		0_2_73B61A98

Source: download.exe

Static PE information: invalid certificate

Source: lang-1032.dll.0.dr

Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: C:\Users\user\Desktop\download.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\download.exe

File read: C:\Users\user\Desktop\download.exe

Jump to behavior

Source: download.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\download.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\download.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\download.exe

0_2_004031E9

Source: C:\Users\user\Desktop\download.exe

File created: C:\Users\user\AppData\Local\Temp\nsz8D99.tmp

Jump to behavior

Source: classification engine

Classification label: mal52.troj.evad.winEXE@1/5@0/0

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,

0_2_004020D1

Source: C:\Users\user\Desktop\download.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_004044AE GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004044AE

Source: download.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.779236025.000000000693F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\download.exe

Code function: 0_2_73B62F20 push eax; ret

0_2_73B62F4E

Source: C:\Users\user\Desktop\download.exe	File created: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\download.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll			Jump to dropped file

Source: C:\Users\user\Desktop\download.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\download.exe

RDTSC instruction interceptor: First address: 0000000006DC4A92 second address: 0000000006DC4A92 instructions: 0x00000000 rdtsc 0x00000002 test edx, ecx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4174E1A261h 0x0000000c pushad 0x0000000d mov si, C771h 0x00000011 cmp si, C771h 0x00000016 jne 00007F4174E1D60Dh 0x0000001c popad 0x0000001d inc ebp 0x0000001e inc ebx 0x0000001f jmp 00007F4174E1A465h 0x00000024 nop 0x00000025 rdtsc

Source: C:\Users\user\Desktop\download.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll

Jump to dropped file

Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405745
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE
Source: C:\Users\user\Desktop\download.exe	Code function: 0_2_00406280 FindFirstFileA,FindClose,	0_2_00406280

Source: C:\Users\user\Desktop\download.exe	API call chain: ExitProcess graph end node			graph_0-4683
Source: C:\Users\user\Desktop\download.exe	API call chain: ExitProcess graph end node			graph_0-4678

Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\download.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Users\user\Desktop\download.exe

0_2_004031E9

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll	0%	Virustotal	Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.download.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File
0.0.download.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.avast.com0/	0%	URL Reputation	safe
http://www.avast.com0/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.avast.com0/	lang-1032.dll.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_Error	download.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	download.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	830512
Start date and time:	2023-03-20 13:00:18 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	download.exe
Detection:	MAL
Classification:	mal52.troj.evad.winEXE@1/5@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 63.8% (good quality ratio 62.4%) Quality average: 88.8% Quality standard deviation: 21.4%
HCA Information:	Successful, ratio: 98% Number of executed functions: 60 Number of non-executed functions: 24
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll	5Ieb5xJWO6.exe	Get hash	malicious	Nanocore, GuLoader	Browse
	xfsmHEylH8.exe	Get hash	malicious	GuLoader	Browse
	5Ieb5xJWO6.exe	Get hash	malicious	Unknown	Browse
	xfsmHEylH8.exe	Get hash	malicious	GuLoader	Browse
	RACE userING SDN BHD 0203_Pdf.exe	Get hash	malicious	GuLoader, Remcos	Browse
	RACE userING SDN BHD 0203_Pdf.exe	Get hash	malicious	GuLoader	Browse
	FV-083471-23-02-22-269407#U00b7pdf.exe	Get hash	malicious	AveMaria, GuLoader, UACMe	Browse
	FV-083471-23-02-22-269407#U00b7pdf.exe	Get hash	malicious	GuLoader	Browse
	IT01879020517_uGIim-xml-p7m#U00b7pdf.exe	Get hash	malicious	NanoCore, GuLoader	Browse
	IT01879020517_uGIim-xml-p7m#U00b7pdf.exe	Get hash	malicious	GuLoader	Browse
	request for quote (Iberia Express Aircraft) 15-02-2023#U00b7pdf.exe	Get hash	malicious	AveMaria, GuLoader, UACMe	Browse
	request for quote (Iberia Express Aircraft) 15-02-2023#U00b7pdf.exe	Get hash	malicious	GuLoader	Browse
	file.exe	Get hash	malicious	GuLoader, Remcos	Browse
	file.exe	Get hash	malicious	GuLoader	Browse
	Invitation to Bid Quotation 15-02-2023#U00b7pdf.ex.exe	Get hash	malicious	AveMaria, GuLoader, UACMe	Browse
	Invitation to Bid Quotation 15-02-2023#U00b7pdf.ex.exe	Get hash	malicious	GuLoader	Browse
	TNOR_CYCLE_C2_220006954787_32106010359796_E_BDA_0_E_20221211_112633#U00b7pdf.exe	Get hash	malicious	NanoCore, GuLoader	Browse
	TNOR_CYCLE_C2_220006954787_32106010359796_E_BDA_0_E_20221211_112633#U00b7pdf.exe	Get hash	malicious	Unknown	Browse
	black.scr.exe	Get hash	malicious	GuLoader	Browse
	black.scr.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\download.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.825582780706362
Encrypted:	false
SSDEEP:	192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
MD5:	FBE295E5A1ACFBD0A6271898F885FE6A
SHA1:	D6D205922E61635472EFB13C2BB92C9AC6CB96DA
SHA-256:	A1390A78533C47E55CC364E97AF431117126D04A7FAED49390210EA3E89DD0E1
SHA-512:	2CB596971E504EAF1CE8E3F09719EBFB3F6234CEA5CA7B0D33EC7500832FF4B97EC2BBE15A1FBF7E6A5B02C59DB824092B9562CD8991F4D027FEAB6FD3177B06
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 5Ieb5xJWO6.exe, Detection: malicious, Browse Filename: xfsmHEylH8.exe, Detection: malicious, Browse Filename: 5Ieb5xJWO6.exe, Detection: malicious, Browse Filename: xfsmHEylH8.exe, Detection: malicious, Browse Filename: RACE userING SDN BHD 0203_Pdf.exe, Detection: malicious, Browse Filename: RACE userING SDN BHD 0203_Pdf.exe, Detection: malicious, Browse Filename: FV-083471-23-02-22-269407#U00b7pdf.exe, Detection: malicious, Browse Filename: FV-083471-23-02-22-269407#U00b7pdf.exe, Detection: malicious, Browse Filename: IT01879020517_uGIim-xml-p7m#U00b7pdf.exe, Detection: malicious, Browse Filename: IT01879020517_uGIim-xml-p7m#U00b7pdf.exe, Detection: malicious, Browse Filename: request for quote (Iberia Express Aircraft) 15-02-2023#U00b7pdf.exe, Detection: malicious, Browse Filename: request for quote (Iberia Express Aircraft) 15-02-2023#U00b7pdf.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Invitation to Bid Quotation 15-02-2023#U00b7pdf.ex.exe, Detection: malicious, Browse Filename: Invitation to Bid Quotation 15-02-2023#U00b7pdf.ex.exe, Detection: malicious, Browse Filename: TNOR_CYCLE_C2_220006954787_32106010359796_E_BDA_0_E_20221211_112633#U00b7pdf.exe, Detection: malicious, Browse Filename: TNOR_CYCLE_C2_220006954787_32106010359796_E_BDA_0_E_20221211_112633#U00b7pdf.exe, Detection: malicious, Browse Filename: black.scr.exe, Detection: malicious, Browse Filename: black.scr.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L....~.\...........!..... ...........(.......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text...O........ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\Afreager.For

Download File

Process:	C:\Users\user\Desktop\download.exe
File Type:	data
Category:	dropped
Size (bytes):	310762
Entropy (8bit):	7.153872132508062
Encrypted:	false
SSDEEP:	6144:gjumg/DuSWsGx6RZLOMqkcjpwn2+3VJInGwhTFLI:gjumgbhWsGWZ+kcj2n2OJInJhTS
MD5:	A1C8FEE704DB305175D7A96481B66C73
SHA1:	F26BE75182187BB5AA73C170605CF171D62DC023
SHA-256:	004CC2CA7789AB32D71678F5174DFC0F8EF1BA70A457929037E8CE0E4FD625C2
SHA-512:	4F5865B975DDD54A7770D89A28ADD620C5A675225F8F7974E68A6173B33C6FCA853D98AD1E2B054147B2ACD6C810BF90A252C30034973AB08B9CBACD69E6B965
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\Poserne\Bedugget39.Rus

Download File

Process:	C:\Users\user\Desktop\download.exe
File Type:	data
Category:	dropped
Size (bytes):	142071
Entropy (8bit):	7.998708530523099
Encrypted:	true
SSDEEP:	3072:NZcIfJJvbMxWCmEblH1ZC0+UM53+9I1dPg4kh89+08iFRbleoK:5DMxW4fz1e3+9Sg9Z1iFRleoK
MD5:	2CB77C7D9E16C0EF410FA8BC1CC1185A
SHA1:	0FCBA04A0B4B4563D62A073080E173590BEEBEDD
SHA-256:	A0BFB53FAD74C41F699F171902C1D6A0AC33A81963697A3F674234B2FF36203A
SHA-512:	33FDB3488F9BF085D7CDA649984BAE271194ECB64B569B5BDB1D09DE48C5D5407D75CDC2EA1A59E8E199F821CE4DA5F101D0A7CAA44E544E78C8D8507B6BC751
Malicious:	false
Reputation:	low
Preview:	>2'...JuK.(p@wC..D.5i....C....M%...O.0D.]...N.........%...xu...k).~.Pz..1/......}a.........._........`.a.k.N%Ze..a..o~..=..\...^'...v/.\K...\.....5.......B..{.A..t..vh.....sl}...Fft>..`....`.>.27(...J..........u{..csucM...a.V.'..a<.N3f.$......%@h8G..).G.>..M{....o...3..~X...w.AS.X...7.Y...v2..+....!u.... n&..vt..FR#s..w.j...........}...J...sA..w.......L@....+X3dq(.; ...k\|....i...G.....z~sF`Q}a....[..Q...I.........A..[.?...i.D..e..$d..e..KC....4+J....c...'.">6R.2.0....<R+.}.H0)u49..oK.v._...F).8.e..J..;.!....[.&E...V.....[.%.H....p3.......M.!.`,WX..J....an.e..h.u%P...{.....s...Q.._/.e?..R,..$)..N.^.P..Z\...mj8D.<3...ke...j...W...9..7D.I?...Zp\|.3.......M.s.S.4....!l.].aW.=v..Q...9..?...u...0.N....Sg....~..8....,.[./......8P\....S..k.....\.._...[=.P.....d./gKdP-_.5BU..u2u6x...)..E..`.{..@.....!.......g.j.r.\.6.\.+...vr.b..oE..h.;..I.,...(......=.d..p./lr)*...bH....gjJ..........:.x...K)xh.C...../....L..~B..Vh..l.zb.V.6qm...p..ER

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll

Download File

Process:	C:\Users\user\Desktop\download.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	178696
Entropy (8bit):	4.4006904456537335
Encrypted:	false
SSDEEP:	3072:A8kCKqgt37ZJvMQSOnMIomX6YZVG5dWCR7+nyadqLEzBUyQj2UGBOyj:CvM7yj
MD5:	8AD3A9D8C3DDA9854C13D213D00A8DB8
SHA1:	74283E98F0426DFA7854CEEF9BA43217F39DAB36
SHA-256:	DA07C1D13136E3BAABB9D0598AF99BCB48898BF5DBCA0F0477602BEA957198E9
SHA-512:	C30CA6FA4A62A6383C15AB8B95CD88714AF5C3A63F7FC9C8F767FED18E295B885B765B630831F456D16DB5DA7AA037CA931FCB3F412AB95A8D5E46B1B44497CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.@...R.@.P...R.Rich..R.................PE..L....\)b...........!......................................................................@.......................................... ..`................ ...........................................................................................rdata..p...........................@..@.rsrc...`.... ......................@..@.....\)b........T........................rdata......T....rdata$zzzdbg.... ... ...rsrc$01.....@...s...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\microphone-sensitivity-low-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\download.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	291
Entropy (8bit):	6.913400639640828
Encrypted:	false
SSDEEP:	6:6v/lhPysSFX/Fd8cy2TY3594VW6yTpm/v4pRw+jGbcnFbp:6v/7yFvn8cGJkv3twD
MD5:	303E1921A67BAE379BC4B36352F391AA
SHA1:	AB361F32C8F1811EC7DB6EB96DAD417753323DB4
SHA-256:	1FC1141E644151384931853426BD36B5293BCAFE380189515850B9CC8FF158D7
SHA-512:	0A355819B8EB530A30710D536CCF6F5AACA7E9050C7CA9F591E31DC8BCBCEFC83EC9EA5B1E3B9356D64A66B42D04A0DD504A97B7AFC6CA35E7CED23A82A74C93
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...1N.Q........V6R.H....w...A.`.5v..`mK.ZH.Z8.l`.l._2y......k..8....a.il...8.~.I@.Y.Le.'<G.....a....h...W@.q.3..n..(jb.P.`......X....1..1...!f./..h.~..!..q....3...x.g.7u.{St3......w./Q..g.....*a.]..T..T.~.?.+2.pM......IEND.B`.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.546765550553085
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	download.exe
File size:	680560
MD5:	064fa36da0c2ca360b0906cc5bfe67c6
SHA1:	a6623c33cbd86bdaee063f897bea1692621494e5
SHA256:	6974c5051372213d0e90147660c4b21bfff238e20c6449acb19f1901bf4729c8
SHA512:	39845a084b66442a1eb114621df67fe6db88e758b4564b79c01eff6a1935dcaba4149f0d3c68e243258b7da5f3ce197a904e226f561a0dfc1377ff22419a6026
SSDEEP:	12288:Z4oLK6+zAX00AF1pOSJe3xbIvli343lKZwIcBRPgYxFz18+t9Z1kU:6PQ00AF1pOSJeBUyqKKrf318U9Z1z
TLSH:	F2E4F15A2B7AC815D065E9F85AE3C50D5C749E14183CABD25BB1283EEBFC2527B0F047
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........s.../...............+.......Rich............................PE..L......\.................b....9....

File Icon


Icon Hash:	c4ccc6e6e4f6f640

Static PE Info

General

Entrypoint:	0x4031e9
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F01 [Sat Dec 15 22:24:01 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=barket, OU="Biselg Halo Uvitinic ", E=Strammende@Kummerfuld.Kur, O=barket, L=Middleton, S=Tennessee, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	1/24/2023 3:36:10 PM 1/23/2026 3:36:10 PM
Subject Chain	CN=barket, OU="Biselg Halo Uvitinic ", E=Strammende@Kummerfuld.Kur, O=barket, L=Middleton, S=Tennessee, C=US
Version:	3
Thumbprint MD5:	F856691DCF4BB6A788E55B70FE388011
Thumbprint SHA-1:	0C5E3286DBBB50FA720930F437DDBC472FF1EFDF
Thumbprint SHA-256:	7BCC618A115B3494BA1A7F1A5EDFACF31559C85478D2F90A7916E2A476BCF411
Serial:	807C3D2B116DDE7C

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A2F4Ch], eax
je 00007F4174AB06C3h
push ebx
call 00007F4174AB379Ah
cmp eax, ebx
je 00007F4174AB06B9h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F4174AB3716h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F4174AB069Dh
push 0000000Ah
call 00007F4174AB376Eh
push 00000008h
call 00007F4174AB3767h
push 00000006h
mov dword ptr [007A2F44h], eax
call 00007F4174AB375Bh
cmp eax, ebx
je 00007F4174AB06C1h
push 0000001Eh
call eax
test eax, eax
je 00007F4174AB06B9h
or byte ptr [007A2F4Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [007A3018h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E500h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8430	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c7000	0x37c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa4d40	0x1530	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6068	0x6200	False	0.671875	data	6.450713900012796	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1250	0x1400	False	0.430078125	data	5.041636133183931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x399058	0x400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a4000	0x23000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c7000	0x37c28	0x37e00	False	0.4934109340044743	data	6.083319493650987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3c7460	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States
RT_ICON	0x3d7c88	0xd177	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x3e4e00	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States
RT_ICON	0x3ee2a8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States
RT_ICON	0x3f3730	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States
RT_ICON	0x3f7958	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x3f9f00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x3fafa8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States
RT_ICON	0x3fbe50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x3fc7d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x3fd080	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States
RT_ICON	0x3fd6e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States
RT_ICON	0x3fdc50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_ICON	0x3fe0b8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States
RT_ICON	0x3fe3a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States
RT_DIALOG	0x3fe4c8	0x100	data	English	United States
RT_DIALOG	0x3fe5c8	0x11c	data	English	United States
RT_DIALOG	0x3fe6e8	0xc4	data	English	United States
RT_DIALOG	0x3fe7b0	0x60	data	English	United States
RT_GROUP_ICON	0x3fe810	0xd8	data	English	United States
RT_MANIFEST	0x3fe8e8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: download.exePID: 5412, Parent PID: 3452

General

Target ID:	0
Start time:	13:01:17
Start date:	20/03/2023
Path:	C:\Users\user\Desktop\download.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\download.exe
Imagebase:	0x400000
File size:	680560 bytes
MD5 hash:	064FA36DA0C2CA360B0906CC5BFE67C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.779236025.000000000693F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: download.exePID: 5412, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	26.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.1%
Total number of Nodes:	1505
Total number of Limit Nodes:	51

Executed Functions

Function 004031E9 Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t63;
				int _t66;
				signed int _t67;
				int _t68;
				signed int _t70;
				intOrPtr _t86;
				intOrPtr _t92;
				void* _t94;
				signed int _t110;
				void* _t113;
				void* _t118;
				intOrPtr* _t119;
				char _t122;
				signed int _t141;
				signed int _t142;
				int _t150;
				void* _t151;
				intOrPtr* _t153;
				CHAR* _t156;
				CHAR* _t157;
				void* _t159;
				char* _t160;
				void* _t163;
				void* _t164;
				intOrPtr _t177;
				char _t189;

				 *(_t164 + 0x18) = 0;
				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t164 + 0x20) = 0;
				 *(_t164 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x7a2f4c = _t42;
				if(_t42 != 6) {
					_t119 = E00406315(0);
					if(_t119 != 0) {
						 *_t119(0xc00);
					}
				}
				_t156 = "UXTHEME";
				do {
					E004062A7(_t156); // executed
					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
				} while ( *_t156 != 0);
				E00406315(0xa);
				 *0x7a2f44 = E00406315(8);
				_t47 = E00406315(6);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x7a2f4f =  *0x7a2f4f | 0x00000040;
					}
				}
				__imp__#17(_t159);
				__imp__OleInitialize(0); // executed
				 *0x7a3018 = _t47;
				SHGetFileInfoA(0x79e500, 0, _t164 + 0x38, 0x160, 0); // executed
				E00405F7D("Doktorgraden Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t160 = "\"C:\\Users\\engineer\\Desktop\\download.exe\"";
				E00405F7D(_t160, _t51);
				 *0x7a2f40 = 0x400000;
				_t53 = _t160;
				if("\"C:\\Users\\engineer\\Desktop\\download.exe\"" == 0x22) {
					 *(_t164 + 0x14) = 0x22;
					_t53 =  &M007A9001;
				}
				_t55 = CharNextA(E00405940(_t53,  *(_t164 + 0x14)));
				 *(_t164 + 0x1c) = _t55;
				while(1) {
					_t122 =  *_t55;
					_t172 = _t122;
					if(_t122 == 0) {
						break;
					}
					__eflags = _t122 - 0x20;
					if(_t122 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t164 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t164 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405940(_t55,  *(_t164 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E00405F7D("C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize",  &(_t55[2]));
										L30:
										_t157 = "C:\\Users\\engineer\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t157);
										_t59 = E004031B8(_t172);
										_t173 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402D63(_t175,  *(_t164 + 0x20)); // executed
											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												E004036D1();
												__imp__OleUninitialize();
												_t185 =  *((intOrPtr*)(_t164 + 0x10));
												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
													__eflags =  *0x7a2ff4; // 0x0
													if(__eflags == 0) {
														L67:
														_t63 =  *0x7a300c;
														__eflags = _t63 - 0xffffffff;
														if(_t63 != 0xffffffff) {
															 *(_t164 + 0x14) = _t63;
														}
														ExitProcess( *(_t164 + 0x14));
													}
													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
													__eflags = _t66;
													_t150 = 2;
													if(_t66 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
														 *(_t164 + 0x38) = 1;
														 *(_t164 + 0x44) = _t150;
														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
													}
													_t67 = E00406315(4);
													__eflags = _t67;
													if(_t67 == 0) {
														L65:
														_t68 = ExitWindowsEx(_t150, 0x80040002);
														__eflags = _t68;
														if(_t68 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t70;
														if(_t70 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405699( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											_t177 =  *0x7a2f60; // 0x0
											if(_t177 == 0) {
												L42:
												 *0x7a300c =  *0x7a300c | 0xffffffff;
												 *(_t164 + 0x18) = E004037AB( *0x7a300c);
												goto L43;
											}
											_t153 = E00405940(_t160, 0);
											if(_t153 < _t160) {
												L39:
												_t182 = _t153 - _t160;
												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
												if(_t153 < _t160) {
													_t151 = E00405604(_t185);
													lstrcatA(_t157, "~nsu");
													if(_t151 != 0) {
														lstrcatA(_t157, "A");
													}
													lstrcatA(_t157, ".tmp");
													_t162 = "C:\\Users\\engineer\\Desktop";
													if(lstrcmpiA(_t157, "C:\\Users\\engineer\\Desktop") != 0) {
														_push(_t157);
														if(_t151 == 0) {
															E004055E7();
														} else {
															E0040556A();
														}
														SetCurrentDirectoryA(_t157);
														_t189 = "C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize"; // 0x43
														if(_t189 == 0) {
															E00405F7D("C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize", _t162);
														}
														E00405F7D("kernel32::EnumResourceTypesW(i 0,i r1,i 0)",  *(_t164 + 0x1c));
														_t137 = "A";
														_t163 = 0x1a;
														do {
															_t86 =  *0x7a2f54; // 0xb3aa10
															E00405F9F(0, 0x79e100, _t157, 0x79e100,  *((intOrPtr*)(_t86 + 0x120)));
															DeleteFileA(0x79e100);
															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\engineer\\Desktop\\download.exe", 0x79e100, 1) != 0) {
																E00405D5C(_t137, 0x79e100, 0);
																_t92 =  *0x7a2f54; // 0xb3aa10
																E00405F9F(0, 0x79e100, _t157, 0x79e100,  *((intOrPtr*)(_t92 + 0x124)));
																_t94 = E0040561C(0x79e100);
																if(_t94 != 0) {
																	CloseHandle(_t94);
																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
																}
															}
															"77070336" =  &("77070336"[1]);
															_t163 = _t163 - 1;
														} while (_t163 != 0);
														E00405D5C(_t137, _t157, 0);
													}
													goto L43;
												}
												 *_t153 = 0;
												_t154 = _t153 + 4;
												if(E00405A03(_t182, _t153 + 4) == 0) {
													goto L43;
												}
												E00405F7D("C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize", _t154);
												E00405F7D("C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize", _t154);
												 *((intOrPtr*)(_t164 + 0x10)) = 0;
												goto L42;
											}
											_t110 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
											while( *_t153 != _t110) {
												_t153 = _t153 - 1;
												if(_t153 >= _t160) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t157, 0x3fb);
										lstrcatA(_t157, "\\Temp");
										_t113 = E004031B8(_t173);
										_t174 = _t113;
										if(_t113 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t157);
										lstrcatA(_t157, "Low");
										SetEnvironmentVariableA("TEMP", _t157);
										SetEnvironmentVariableA("TMP", _t157);
										_t118 = E004031B8(_t174);
										_t175 = _t118;
										if(_t118 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t141 = _t55[4];
								__eflags = _t141 - 0x20;
								if(_t141 == 0x20) {
									L23:
									_t15 = _t164 + 0x20;
									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t141;
								if(_t141 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t142 = _t55[1];
							__eflags = _t142 - 0x20;
							if(_t142 == 0x20) {
								L19:
								 *0x7a3000 = 1;
								goto L20;
							}
							__eflags = _t142;
							if(_t142 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x004031f9
0x004031fd
0x00403205
0x00403209
0x0040320e
0x0040321a
0x00403223
0x00403228
0x0040322b
0x00403232
0x00403239
0x00403239
0x00403232
0x0040323b
0x00403240
0x00403241
0x0040324d
0x00403251
0x00403257
0x00403265
0x0040326a
0x00403271
0x00403275
0x00403279
0x0040327b
0x0040327b
0x00403279
0x00403283
0x0040328a
0x00403290
0x004032a6
0x004032b6
0x004032bb
0x004032c1
0x004032c8
0x004032d4
0x004032de
0x004032e0
0x004032e2
0x004032e7
0x004032e7
0x004032f7
0x004032fd
0x004033c6
0x004033c6
0x004033c8
0x004033ca
0x00000000
0x00000000
0x00403306
0x00403309
0x00403311
0x00403311
0x00403314
0x00403319
0x0040331b
0x0040331b
0x0040331c
0x0040331c
0x00403321
0x00403324
0x004033b6
0x004033bb
0x004033c0
0x004033c3
0x004033c5
0x004033c5
0x004033c5
0x00000000
0x0040332a
0x0040332a
0x0040332b
0x0040332e
0x00403346
0x00403371
0x00403373
0x00403386
0x004033b1
0x004033b4
0x004033d2
0x004033d5
0x004033de
0x004033e3
0x004033e9
0x004033f4
0x004033f6
0x004033fb
0x004033fd
0x00403455
0x0040345a
0x00403464
0x0040346b
0x0040346f
0x00403503
0x00403503
0x00403508
0x0040350e
0x00403513
0x00403637
0x0040363d
0x004036b9
0x004036b9
0x004036be
0x004036c1
0x004036c3
0x004036c3
0x004036cb
0x004036cb
0x0040364d
0x00403655
0x00403657
0x00403658
0x00403665
0x00403678
0x00403680
0x00403684
0x00403684
0x0040368c
0x00403691
0x00403698
0x004036a6
0x004036a8
0x004036ae
0x004036b0
0x00000000
0x00000000
0x00000000
0x0040369a
0x004036a0
0x004036a2
0x004036a4
0x004036b2
0x004036b4
0x00000000
0x004036b4
0x00000000
0x004036a4
0x00403698
0x00403522
0x00403529
0x00403529
0x00403475
0x0040347b
0x004034f3
0x004034f3
0x004034ff
0x00000000
0x004034ff
0x00403484
0x00403488
0x004034be
0x004034be
0x004034c0
0x004034c8
0x0040353a
0x0040353c
0x00403543
0x0040354b
0x0040354b
0x00403556
0x0040355b
0x0040356a
0x0040356e
0x0040356f
0x00403578
0x00403571
0x00403571
0x00403571
0x0040357e
0x00403584
0x0040358a
0x00403592
0x00403592
0x004035a0
0x004035a5
0x004035b7
0x004035c5
0x004035c5
0x004035d1
0x004035d7
0x004035e1
0x004035f7
0x004035fc
0x00403608
0x0040360e
0x00403615
0x00403618
0x0040361e
0x0040361e
0x00403615
0x00403622
0x00403628
0x00403628
0x0040362d
0x0040362d
0x00000000
0x0040356a
0x004034ca
0x004034cc
0x004034d7
0x00000000
0x00000000
0x004034df
0x004034ea
0x004034ef
0x00000000
0x004034ef
0x004034b3
0x004034b5
0x004034b9
0x004034bc
0x00000000
0x00000000
0x00000000
0x004034bc
0x00000000
0x004034b5
0x00403405
0x00403411
0x00403416
0x0040341b
0x0040341d
0x00000000
0x00000000
0x00403425
0x0040342d
0x0040343e
0x00403446
0x00403448
0x0040344d
0x0040344f
0x00000000
0x00000000
0x00000000
0x0040344f
0x00000000
0x004033b4
0x00403375
0x00403378
0x0040337b
0x00403381
0x00403381
0x00403381
0x00403381
0x00000000
0x00403381
0x0040337d
0x0040337f
0x00000000
0x00000000
0x00000000
0x0040337f
0x00403330
0x00403333
0x00403336
0x0040333c
0x0040333c
0x00000000
0x0040333c
0x00403338
0x0040333a
0x00000000
0x00000000
0x00000000
0x0040333a
0x00000000
0x00000000
0x00000000
0x0040330b
0x0040330b
0x0040330b
0x0040330c
0x0040330c
0x00000000
0x0040330b
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 0040320E
GetVersion.KERNEL32 ref: 00403214
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403247
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403283
OleInitialize.OLE32(00000000), ref: 0040328A
SHGetFileInfoA.SHELL32(0079E500,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032A6
GetCommandLineA.KERNEL32(Doktorgraden Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032BB
CharNextA.USER32(00000000,"C:\Users\user\Desktop\download.exe",00000020,"C:\Users\user\Desktop\download.exe",00000000,?,00000006,00000008,0000000A), ref: 004032F7
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033F4
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403405
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403411
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403425
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040342D
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040343E
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403446
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040345A

Part of subcall function 00406315: GetModuleHandleA.KERNEL32(?,?,?,0040325C,0000000A), ref: 00406327
Part of subcall function 00406315: GetProcAddress.KERNEL32(00000000,?), ref: 00406342

Part of subcall function 004037AB: GetUserDefaultUILanguage.KERNELBASE(00000002,746AFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\download.exe",00000000), ref: 004037C5
Part of subcall function 004037AB: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,746AFA90), ref: 0040389B
Part of subcall function 004037AB: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000), ref: 004038AE
Part of subcall function 004037AB: GetFileAttributesA.KERNEL32(Call), ref: 004038B9
Part of subcall function 004037AB: LoadImageA.USER32 ref: 00403902
Part of subcall function 004037AB: RegisterClassA.USER32 ref: 0040393F

Part of subcall function 004036D1: CloseHandle.KERNEL32(000002AC,00403508,?,?,00000006,00000008,0000000A), ref: 004036DC

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403508
ExitProcess.KERNEL32 ref: 00403529
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403646
OpenProcessToken.ADVAPI32(00000000), ref: 0040364D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403665
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403684
ExitWindowsEx.USER32(00000002,80040002), ref: 004036A8
ExitProcess.KERNEL32 ref: 004036CB

Part of subcall function 00405699: MessageBoxIndirectA.USER32 ref: 004056F4

Strings

"C:\Users\user\Desktop\download.exe", xrefs: 004032C1, 004032C7, 0040347E
TMP, xrefs: 00403441
\Temp, xrefs: 0040340B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize, xrefs: 004033D9, 004034DA, 00403584, 0040358D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize, xrefs: 004034E5
Low, xrefs: 00403427
NSIS Error, xrefs: 004032AC
~nsu, xrefs: 00403534
", xrefs: 0040331C
Doktorgraden Setup, xrefs: 004032B1
SeShutdownPrivilege, xrefs: 0040365F
C:\Users\user\Desktop\download.exe, xrefs: 004035E6
TEMP, xrefs: 00403439
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 0040359B
77070336, xrefs: 004035BF, 00403622
1033, xrefs: 00403455
C:\Users\user\AppData\Local\Temp\, xrefs: 004033E9, 004033EE, 00403404, 00403410, 0040341F, 0040342C, 00403438, 00403440, 00403539, 0040354A, 00403555, 00403561, 0040356E, 0040357D, 0040362C
C:\Users\user\Desktop, xrefs: 0040355B, 00403560, 0040358C
.tmp, xrefs: 00403550
Error launching installer, xrefs: 004034C0
UXTHEME, xrefs: 0040323B, 00403240, 00403246

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\download.exe"$.tmp$1033$77070336$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize$C:\Users\user\Desktop$C:\Users\user\Desktop\download.exe$Doktorgraden Setup$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$kernel32::EnumResourceTypesW(i 0,i r1,i 0)$~nsu
API String ID: 1314998376-628541056
Opcode ID: e0b5db9666b9a3f6237ddd60c5d2e51e03b24921c130a1ce91c854595f011bcd
Instruction ID: 7bf8744e0b649f959f8498b36092dc0538a6711c388ee02d62fe24b7258f1436
Opcode Fuzzy Hash: e0b5db9666b9a3f6237ddd60c5d2e51e03b24921c130a1ce91c854595f011bcd
Instruction Fuzzy Hash: 42C1E670104741AAD7216F759D89A2F3EACAF86706F04447FF582B51E2DB7C8A058B2F

Uniqueness

Uniqueness Score: -1.00%

Function 004051E2 Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004051E2(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t113;
				void* _t121;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x7a2724; // 0x10396
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						_t121 = CreateThread(0, 0, E00405176, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
						FindCloseChangeNotification(_t121);
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E00405F9F(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x79f540;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x7a270c - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x7a2f48, 8);
							__eflags =  *0x7a2fec - _t150; // 0x0
							if(__eflags == 0) {
								_t113 =  *0x79ed18; // 0xb3ab3c
								E004050A4( *((intOrPtr*)(_t113 + 0x34)), _t150);
							}
							E00403FF5(1);
							goto L25;
						}
						 *0x79e910 = 2;
						E00403FF5(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00404083(_t157, _a12, _a16);
						}
						ShowWindow( *0x7a2710, _t150);
						ShowWindow(_v8, 8);
						E00404051(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x7a2f54; // 0xb3aa10
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x7a2710 = GetDlgItem(_a4, 0x403);
				 *0x7a2708 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x7a2724 = _t128;
				_v8 = _t128;
				E00404051( *0x7a2710);
				 *0x7a2714 = E00404942(4);
				 *0x7a272c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E0040401C(_a4);
				if(( *0x7a2f5c & 0x00000003) != 0) {
					ShowWindow( *0x7a2710, _t150);
					if(( *0x7a2f5c & 0x00000002) != 0) {
						 *0x7a2710 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404051( *0x7a2708);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x7a2f5c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x004051e8
0x004051f0
0x004051f3
0x004051fb
0x004051fe
0x0040538d
0x00405393
0x004053b0
0x004053b7
0x004053b7
0x004053c3
0x004053c9
0x004053eb
0x004053eb
0x004053f1
0x00405446
0x00405446
0x00405449
0x00000000
0x00000000
0x0040544b
0x0040544e
0x00405451
0x00000000
0x00000000
0x0040545b
0x00405461
0x00405463
0x00405466
0x00405563
0x00000000
0x00405563
0x00405475
0x00405481
0x0040548a
0x00405491
0x00405495
0x00405498
0x004054a1
0x004054a7
0x004054aa
0x004054aa
0x004054ba
0x004054c0
0x004054c3
0x004054ce
0x004054ce
0x004054cf
0x004054d2
0x004054d9
0x004054e0
0x004054e8
0x004054e8
0x004054f6
0x004054fc
0x004054ff
0x004054ff
0x00405506
0x0040550c
0x00405515
0x0040551c
0x00405525
0x00405527
0x0040552a
0x00405539
0x0040553b
0x0040553e
0x0040553f
0x00405542
0x00405543
0x00405544
0x00405544
0x0040554c
0x00405557
0x0040555d
0x0040555d
0x00000000
0x004054c3
0x004053f3
0x004053f9
0x00405427
0x00405429
0x0040542f
0x00405431
0x0040543a
0x0040543a
0x00405441
0x00000000
0x00405441
0x004053fd
0x00405407
0x00000000
0x004053cb
0x004053cb
0x004053d1
0x0040540c
0x00000000
0x00405413
0x004053da
0x004053e1
0x004053e6
0x00000000
0x004053e6
0x004053c9
0x00405204
0x00405208
0x00405210
0x00405214
0x00405217
0x0040521a
0x0040521d
0x00405220
0x00405221
0x00405222
0x0040523b
0x0040523e
0x00405248
0x00405257
0x0040525f
0x00405267
0x0040526c
0x0040526f
0x0040527b
0x00405284
0x0040528d
0x004052af
0x004052b5
0x004052c6
0x004052cb
0x004052d9
0x004052e7
0x004052e7
0x004052ec
0x004052fa
0x004052fa
0x004052ff
0x00405302
0x00405307
0x00405313
0x0040531c
0x00405329
0x00405338
0x0040532b
0x00405330
0x00405330
0x00405344
0x00405344
0x00405358
0x00405361
0x0040536a
0x0040537a
0x00405386
0x00405386
0x00000000

APIs

GetDlgItem.USER32 ref: 00405241
GetDlgItem.USER32 ref: 00405250
GetClientRect.USER32 ref: 0040528D
GetSystemMetrics.USER32 ref: 00405294
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052B5
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052C6
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052D9
SendMessageA.USER32(?,00001026,00000000,?), ref: 004052E7
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052FA
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040531C
ShowWindow.USER32(?,00000008), ref: 00405330
GetDlgItem.USER32 ref: 00405351
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405361
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040537A
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405386
GetDlgItem.USER32 ref: 0040525F

Part of subcall function 00404051: SendMessageA.USER32(00000028,?,00000001,00403E81), ref: 0040405F

GetDlgItem.USER32 ref: 004053A2
CreateThread.KERNELBASE ref: 004053B0
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004053B7
ShowWindow.USER32(00000000), ref: 004053DA
ShowWindow.USER32(?,00000008), ref: 004053E1
ShowWindow.USER32(00000008), ref: 00405427
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040545B
CreatePopupMenu.USER32 ref: 0040546C
AppendMenuA.USER32 ref: 00405481
GetWindowRect.USER32 ref: 004054A1
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054BA
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054F6
OpenClipboard.USER32(00000000), ref: 00405506
EmptyClipboard.USER32 ref: 0040550C
GlobalAlloc.KERNEL32(00000042,?), ref: 00405515
GlobalLock.KERNEL32 ref: 0040551F
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405533
GlobalUnlock.KERNEL32(00000000), ref: 0040554C
SetClipboardData.USER32 ref: 00405557
CloseClipboard.USER32 ref: 0040555D

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID:
API String ID: 4154960007-0
Opcode ID: dadd1f5a3a53f6153d4068de795145be5a4dbd7634b151cd1cb0500ee1942e15
Instruction ID: cba8cb344929e6fa6818a5c25344ad4bfa6cf128d012b59fb2cbbdf576d19343
Opcode Fuzzy Hash: dadd1f5a3a53f6153d4068de795145be5a4dbd7634b151cd1cb0500ee1942e15
Instruction Fuzzy Hash: C2A16B70900608BFDF119F64DE89EAE7B79FF48354F00402AFA45B61A1C7794E529F68

Uniqueness

Uniqueness Score: -1.00%

Function 00405745 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405745(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405A03(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x7a2fe8 =  *0x7a2fe8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00405F7D(0x7a0548, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E0040595C(_t73);
					} else {
						lstrcatA(0x7a0548, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]); // executed
						_t40 = FindFirstFileA(0x7a0548,  &_v336); // executed
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405940( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00405F7D(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004056FD(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E004050A4(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x7a2fe8 =  *0x7a2fe8 + 1;
										} else {
											E004050A4(0xfffffff1, _t73);
											E00405D5C(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405745(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x7a0548 - 0x5c;
					if( *0x7a0548 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E00406280(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405915(_t73);
							_t40 = E004056FD(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E004050A4(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E004050A4(0xfffffff1, _t73);
							return E00405D5C(_t72, _t73, 0);
						}
						L33:
						 *0x7a2fe8 =  *0x7a2fe8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x0040574f
0x00405754
0x0040575d
0x00405760
0x00405768
0x0040576b
0x0040576e
0x00405776
0x00405778
0x00405779
0x00000000
0x00405779
0x00405784
0x00405787
0x00405787
0x00405787
0x0040578b
0x0040579e
0x004057a5
0x004057aa
0x004057ae
0x004057be
0x004057b0
0x004057b6
0x004057b6
0x004057c3
0x004057c6
0x004057d1
0x004057d7
0x004057dc
0x004057ec
0x004057ee
0x004057f4
0x004057f7
0x004057fa
0x004058b2
0x004058b2
0x004058b6
0x004058b8
0x004058b8
0x004058b8
0x004058b8
0x00000000
0x00000000
0x00000000
0x00000000
0x00405800
0x00405800
0x00405809
0x0040580f
0x00405814
0x00405817
0x00405819
0x0040581d
0x0040581f
0x0040581f
0x0040581d
0x00405822
0x00405825
0x00405838
0x0040583a
0x0040583f
0x00405846
0x00405861
0x00405866
0x00405868
0x0040588c
0x0040586a
0x0040586a
0x0040586d
0x00405881
0x0040586f
0x00405872
0x0040587a
0x0040587a
0x0040586d
0x00405848
0x0040584e
0x00405850
0x00405856
0x00405856
0x00405850
0x00000000
0x00405846
0x00405827
0x0040582a
0x0040582c
0x00000000
0x00000000
0x0040582e
0x00405830
0x00000000
0x00000000
0x00405832
0x00405836
0x00000000
0x00000000
0x00000000
0x00405891
0x0040589b
0x004058a1
0x004058a1
0x004058ac
0x00000000
0x004058ac
0x004057c8
0x004057cf
0x00000000
0x00000000
0x00000000
0x0040578d
0x0040578d
0x0040578f
0x004058bc
0x004058be
0x004058c1
0x00405912
0x00405912
0x00405912
0x004058c3
0x004058c6
0x004058d1
0x004058d6
0x004058d8
0x00000000
0x00000000
0x004058db
0x004058e7
0x004058ec
0x004058ee
0x00000000
0x00405909
0x004058f0
0x004058f3
0x00000000
0x00000000
0x004058f8
0x00000000
0x004058ff
0x004058c8
0x004058c8
0x00000000
0x004058c8
0x00405795
0x00405798
0x00000000
0x00000000
0x00000000
0x00405798

APIs

DeleteFileA.KERNELBASE(?,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040576E
lstrcatA.KERNEL32(Forgngeliges.rea,\*.*,Forgngeliges.rea,?,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057B6
lstrcatA.KERNEL32(?,0040A014,?,Forgngeliges.rea,?,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D7
lstrlenA.KERNEL32(?,?,0040A014,?,Forgngeliges.rea,?,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057DD
FindFirstFileA.KERNELBASE(Forgngeliges.rea,?,?,?,0040A014,?,Forgngeliges.rea,?,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057EE
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040589B
FindClose.KERNEL32(00000000), ref: 004058AC

Strings

"C:\Users\user\Desktop\download.exe", xrefs: 00405745
Forgngeliges.rea, xrefs: 0040579E, 004057A4, 004057B5, 004057EB
C:\Users\user\AppData\Local\Temp\, xrefs: 00405752
\*.*, xrefs: 004057B0

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\download.exe"$C:\Users\user\AppData\Local\Temp\$Forgngeliges.rea$\*.*
API String ID: 2035342205-2705473732
Opcode ID: 7ffff7cd34069f0b96449660ed6e7fefb86e4840da2f9e0b27970072ed7274d0
Instruction ID: 8fe5727fece67214ca9e537269006626f4bb6c92c430407bbf8d6e8d58a7b1f2
Opcode Fuzzy Hash: 7ffff7cd34069f0b96449660ed6e7fefb86e4840da2f9e0b27970072ed7274d0
Instruction Fuzzy Hash: 6A51C131800A09AADF217B218C85BBF7A78DF42714F14817FF855B51D2D73C8952DE69

Uniqueness

Uniqueness Score: -1.00%

Function 73B61A98 Relevance: 18.6, APIs: 12, Instructions: 565
stringmemorylibraryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E73B61A98() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				CHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				CHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				CHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				signed int _t218;
				signed int _t220;
				signed int _t222;
				struct HINSTANCE__* _t225;
				signed int _t227;
				void* _t228;
				char* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				void* _t246;
				signed int _t248;
				void* _t249;
				signed int _t251;
				signed int _t253;
				signed int _t259;
				signed int _t262;
				signed int _t264;
				void* _t267;
				void* _t271;
				signed int _t273;
				signed char _t276;
				void _t277;
				signed int _t278;
				signed int _t290;
				signed int _t291;
				void* _t293;
				signed int _t297;
				signed int _t300;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed char _t308;
				signed int _t309;
				CHAR* _t310;
				CHAR* _t312;
				CHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t317;
				void* _t318;

				_t273 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t318 = 0;
				_v48 = 0;
				_t199 = E73B61215();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E73B61215();
				_t309 = E73B6123B();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t273 && _t318 == _t273) {
						break;
					}
					_t308 =  *_t309;
					_t276 = _t308;
					_t204 = _t276 - _t273;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t273;
						if(_t206 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t318 - _t273;
							if(_t318 == _t273) {
								_t246 = GlobalAlloc(0x40, 0x14a4); // executed
								_t318 = _t246;
								 *(_t318 + 0x810) = _t273;
								 *(_t318 + 0x814) = _t273;
							}
							_t277 = _v36;
							_t43 = _t318 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t318 + 0x408; // 0x408
							_t310 = _t44;
							 *_t318 = _t277;
							 *_t208 =  *_t208 & 0x00000000;
							 *(_t318 + 0x808) = _t273;
							 *_t310 =  *_t310 & 0x00000000;
							_t278 = _t277 - _t273;
							__eflags = _t278;
							 *(_t318 + 0x80c) = _t273;
							 *(_t318 + 4) = _t273;
							if(_t278 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t318);
								_t318 = E73B612FE(_v24);
								__eflags = _t318 - _t273;
								if(_t318 == _t273) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t318 + 0x14a0);
									__eflags = _t240 - _t273;
									if(_t240 == _t273) {
										break;
									}
									_t316 = _t318;
									_t318 = _t240;
									__eflags = _t318 - _t273;
									if(_t318 != _t273) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t273;
								if(_t316 != _t273) {
									 *(_t316 + 0x14a0) = _t273;
								}
								_t241 =  *(_t318 + 0x810);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t318 + 0x810) = _t242;
								} else {
									_t318 = E73B61534(_t318);
									 *(_t318 + 0x810) =  *(_t318 + 0x810) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t290 = _t278 - 1;
								__eflags = _t290;
								if(_t290 == 0) {
									L28:
									lstrcpyA(_t208, _v44);
									L29:
									lstrcpyA(_t310, _v24);
									L39:
									_v12 = _v12 + 1;
									_v28 = _v24;
									L56:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t291 = _t290 - 1;
								__eflags = _t291;
								if(_t291 == 0) {
									goto L29;
								}
								__eflags = _t291 != 1;
								if(_t291 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 == 1) {
							_t248 = _v16;
							if(_v40 == _t273) {
								_t248 = _t248 - 1;
							}
							 *(_t318 + 0x814) = _t248;
						}
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t273;
							_v36 = _t273;
							goto L17;
						}
						__eflags =  *((char*)(_t309 - 1)) - 0x3a;
						if( *((char*)(_t309 - 1)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t273;
						if(_v32 == _t273) {
							L40:
							_t251 = _v32 - _t273;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t308 - 0x2a;
								if(_t308 == 0x2a) {
									_v36 = 2;
									L54:
									_t309 = _v12;
									_v28 = _v24;
									_t273 = 0;
									__eflags = 0;
									L55:
									_t317 = _t309 + 1;
									__eflags = _t317;
									_v12 = _t317;
									goto L56;
								}
								__eflags = _t308 - 0x2d;
								if(_t308 == 0x2d) {
									L145:
									_t253 = _t309 + 1;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										L147:
										_t253 = _t309 + 1;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L154:
											_v28 =  &(_v28[1]);
											 *_v28 = _t308;
											goto L55;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L154;
										}
										_v36 = 1;
										L150:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 =  *_v44 & 0x00000000;
										} else {
											 *_v28 =  *_v28 & 0x00000000;
											lstrcpyA(_v44, _v24);
										}
										goto L54;
									}
									_v36 = 3;
									goto L150;
								}
								__eflags = _t308 - 0x3a;
								if(_t308 != 0x3a) {
									goto L154;
								}
								__eflags = _t308 - 0x2d;
								if(_t308 != 0x2d) {
									goto L147;
								}
								goto L145;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L77:
								_t293 = _t276 + 0xffffffde;
								__eflags = _t293 - 0x55;
								if(_t293 > 0x55) {
									goto L54;
								}
								switch( *((intOrPtr*)(( *(_t293 + 0x73b62219) & 0x000000ff) * 4 +  &M73B6218D))) {
									case 0:
										__eax = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L129;
											}
											L128:
											__eflags =  *(__edi + 1) - __dl;
											if( *(__edi + 1) != __dl) {
												L133:
												 *__eax =  *__eax & 0x00000000;
												__eax = E73B61224(_v24);
												__ebx = __eax;
												goto L94;
											}
											L129:
											__eflags = __cl;
											if(__cl == 0) {
												goto L133;
											}
											__eflags = __cl - __dl;
											if(__cl == __dl) {
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__cl =  *__edi;
											 *__eax =  *__edi;
											__eax = __eax + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L129;
											}
											goto L128;
										}
									case 1:
										_v8 = 1;
										goto L54;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L54;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L82;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L54;
										}
										_v12 = _v12 - 1;
										__ebx = E73B61215();
										 &_v12 = E73B61A36( &_v12);
										__eax = E73B61429(__edx, __eax, __edx, __ebx);
										goto L94;
									case 5:
										L102:
										_v20 = _v20 + 1;
										goto L54;
									case 6:
										_push(7);
										goto L120;
									case 7:
										_push(0x19);
										goto L140;
									case 8:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L104;
									case 9:
										_push(0x15);
										goto L140;
									case 0xa:
										_push(0x16);
										goto L140;
									case 0xb:
										_push(0x18);
										goto L140;
									case 0xc:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L115;
									case 0xd:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L106;
									case 0xe:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L108;
									case 0xf:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L119;
									case 0x10:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L110;
									case 0x11:
										_push(3);
										goto L120;
									case 0x12:
										_push(0x17);
										L140:
										_pop(__ebx);
										goto L95;
									case 0x13:
										__eax =  &_v12;
										__eax = E73B61A36( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L94;
									case 0x14:
										__ebx = 0xffffffff;
										goto L95;
									case 0x15:
										__eax = 0;
										__eflags = 0;
										goto L113;
									case 0x16:
										__ecx = 0;
										__eflags = 0;
										goto L88;
									case 0x17:
										__eax = 0;
										__eax = 1;
										__eflags = 1;
										goto L117;
									case 0x18:
										_t261 =  *(_t318 + 0x814);
										__eflags = _t261 - _v16;
										if(_t261 > _v16) {
											_v16 = _t261;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t261 - (_v36 == 3);
										if(_t261 != _v36 == 3) {
											L82:
											_v40 = 1;
										}
										goto L54;
									case 0x19:
										L104:
										__ecx = 0;
										_v8 = 2;
										__ecx = 1;
										goto L88;
									case 0x1a:
										L115:
										_push(5);
										goto L120;
									case 0x1b:
										L106:
										__ecx = 0;
										_v8 = 3;
										__ecx = 1;
										goto L88;
									case 0x1c:
										L108:
										__ecx = 0;
										__ecx = 1;
										goto L88;
									case 0x1d:
										L119:
										_push(6);
										goto L120;
									case 0x1e:
										L110:
										_push(2);
										goto L120;
									case 0x1f:
										__eax =  &_v12;
										__eax = E73B61A36( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										goto L94;
									case 0x20:
										L113:
										_v48 = _v48 + 1;
										_push(3);
										_pop(__ecx);
										goto L88;
									case 0x21:
										L117:
										_push(4);
										L120:
										_pop(__ecx);
										L88:
										__edi = _v16;
										__edx =  *(0x73b6305c + __ecx * 4);
										__eax =  ~__eax;
										asm("sbb eax, eax");
										_v40 = 1;
										__edi = _v16 << 5;
										__eax = __eax & 0x00008000;
										__edi = (_v16 << 5) + __esi;
										__eax = __eax | __ecx;
										__eflags = _v8;
										 *(__edi + 0x818) = __eax;
										if(_v8 < 0) {
											L90:
											__edx = 0;
											__edx = 1;
											__eflags = 1;
											L91:
											__eflags = _v8 - 1;
											 *(__edi + 0x828) = __edx;
											if(_v8 == 1) {
												__eax =  &_v12;
												__eax = E73B61A36( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x81c)) = _v8;
											_t132 = _v16 + 0x41; // 0x41
											_t132 = _t132 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t132 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x830)) = 0;
											 *((intOrPtr*)(__edi + 0x82c)) = 0;
											L94:
											__eflags = __ebx;
											if(__ebx == 0) {
												goto L54;
											}
											L95:
											__eflags = _v20;
											_v40 = 1;
											if(_v20 != 0) {
												L100:
												__eflags = _v20 - 1;
												if(_v20 == 1) {
													__eax = _v16;
													__eax = _v16 << 5;
													__eflags = __eax;
													 *(__eax + __esi + 0x82c) = __ebx;
												}
												goto L102;
											}
											_v16 = _v16 << 5;
											_t140 = __esi + 0x830; // 0x830
											__edi = (_v16 << 5) + _t140;
											__eax =  *__edi;
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L98:
												__eax = GlobalFree(__eax);
												L99:
												 *__edi = __ebx;
												goto L100;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L99;
											}
											goto L98;
										}
										__eflags = __edx;
										if(__edx > 0) {
											goto L91;
										}
										goto L90;
									case 0x22:
										goto L54;
								}
							}
							_t262 = _t259 - 1;
							__eflags = _t262;
							if(_t262 == 0) {
								_v16 = _t273;
								goto L77;
							}
							__eflags = _t262 != 1;
							if(_t262 != 1) {
								goto L154;
							}
							__eflags = _t276 - 0x6e;
							if(__eflags > 0) {
								_t297 = _t276 - 0x72;
								__eflags = _t297;
								if(_t297 == 0) {
									_push(4);
									L71:
									_pop(_t264);
									L72:
									__eflags = _v8 - 1;
									if(_v8 != 1) {
										_t92 = _t318 + 0x810;
										 *_t92 =  *(_t318 + 0x810) &  !_t264;
										__eflags =  *_t92;
									} else {
										 *(_t318 + 0x810) =  *(_t318 + 0x810) | _t264;
									}
									_v8 = 1;
									goto L54;
								}
								_t300 = _t297 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									_push(0x10);
									goto L71;
								}
								__eflags = _t300 != 0;
								if(_t300 != 0) {
									goto L54;
								}
								_push(0x40);
								goto L71;
							}
							if(__eflags == 0) {
								_push(8);
								goto L71;
							}
							_t303 = _t276 - 0x21;
							__eflags = _t303;
							if(_t303 == 0) {
								_v8 =  ~_v8;
								goto L54;
							}
							_t304 = _t303 - 0x11;
							__eflags = _t304;
							if(_t304 == 0) {
								_t264 = 0x100;
								goto L72;
							}
							_t305 = _t304 - 0x31;
							__eflags = _t305;
							if(_t305 == 0) {
								_t264 = 1;
								goto L72;
							}
							__eflags = _t305 != 0;
							if(_t305 != 0) {
								goto L54;
							}
							_push(0x20);
							goto L71;
						}
						goto L15;
					}
					_t267 = _t249 - 5;
					if(_t267 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t273;
						_v20 = _t273;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t273;
						goto L17;
					}
					_t271 = _t267 - 1;
					if(_t271 == 0) {
						_v32 = 2;
						_v8 = _t273;
						_v20 = _t273;
						goto L17;
					}
					if(_t271 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t318 == _t273 ||  *(_t318 + 0x80c) != _t273) {
					L175:
					return _t318;
				} else {
					_t216 =  *_t318 - 1;
					if(_t216 == 0) {
						_t179 = _t318 + 8; // 0x8
						_t312 = _t179;
						__eflags =  *_t312;
						if( *_t312 != 0) {
							_t217 = GetModuleHandleA(_t312);
							__eflags = _t217 - _t273;
							 *(_t318 + 0x808) = _t217;
							if(_t217 != _t273) {
								L163:
								_t184 = _t318 + 0x408; // 0x408
								_t313 = _t184;
								_t218 = E73B615C2( *(_t318 + 0x808), _t313);
								__eflags = _t218 - _t273;
								 *(_t318 + 0x80c) = _t218;
								if(_t218 != _t273) {
									L169:
									__eflags = _v48 - _t273;
									if(_v48 != _t273) {
										L171:
										_t313[lstrlenA(_t313)] = 0x41;
										_t220 = E73B615C2( *(_t318 + 0x808), _t313);
										__eflags = _t220 - _t273;
										if(_t220 != _t273) {
											L158:
											 *(_t318 + 0x80c) = _t220;
											goto L175;
										}
										__eflags =  *(_t318 + 0x80c) - _t273;
										L173:
										if(__eflags != 0) {
											goto L175;
										}
										L174:
										_t197 = _t318 + 4;
										 *_t197 =  *(_t318 + 4) | 0xffffffff;
										__eflags =  *_t197;
										goto L175;
									}
									__eflags =  *(_t318 + 0x80c) - _t273;
									if( *(_t318 + 0x80c) != _t273) {
										goto L175;
									}
									goto L171;
								}
								__eflags =  *_t313 - 0x23;
								if( *_t313 != 0x23) {
									goto L169;
								}
								_t187 = _t318 + 0x409; // 0x409
								_t222 = E73B612FE(_t187);
								__eflags = _t222 - _t273;
								if(_t222 == _t273) {
									goto L169;
								}
								__eflags = _t222 & 0xffff0000;
								if ((_t222 & 0xffff0000) != 0) goto L169;
								_push(ss);
							}
							_t225 = LoadLibraryA(_t312);
							__eflags = _t225 - _t273;
							 *(_t318 + 0x808) = _t225;
							if(_t225 == _t273) {
								goto L174;
							}
							goto L163;
						}
						_t180 = _t318 + 0x408; // 0x408
						_t227 = E73B612FE(_t180);
						 *(_t318 + 0x80c) = _t227;
						__eflags = _t227 - _t273;
						goto L173;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t177 = _t318 + 0x408; // 0x408
						_t229 = _t177;
						__eflags =  *_t229;
						if( *_t229 == 0) {
							goto L175;
						}
						_t220 = E73B612FE(_t229);
						L157:
						goto L158;
					}
					if(_t228 != 1) {
						goto L175;
					}
					_t77 = _t318 + 8; // 0x8
					_t274 = _t77;
					_t314 = E73B612FE(_t77);
					 *(_t318 + 0x808) = _t314;
					if(_t314 == 0) {
						goto L174;
					}
					 *(_t318 + 0x84c) =  *(_t318 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t318 + 0x850)) = E73B61224(_t274);
					 *(_t318 + 0x83c) =  *(_t318 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t318 + 0x848)) = 1;
					 *((intOrPtr*)(_t318 + 0x838)) = 1;
					_t86 = _t318 + 0x408; // 0x408
					_t220 =  *(_t314->i + E73B612FE(_t86) * 4);
					goto L157;
				}
			}

0x73b61aa0
0x73b61aa3
0x73b61aa6
0x73b61aa9
0x73b61aac
0x73b61aaf
0x73b61ab2
0x73b61ab4
0x73b61ab7
0x73b61abc
0x73b61abf
0x73b61ac7
0x73b61acf
0x73b61ad1
0x73b61ad4
0x73b61adc
0x73b61adc
0x73b61ae1
0x73b61ae4
0x00000000
0x00000000
0x73b61aee
0x73b61af0
0x73b61af5
0x73b61af7
0x73b61b69
0x73b61b69
0x73b61b69
0x73b61b6d
0x73b61b70
0x73b61b72
0x73b61b94
0x73b61b97
0x73b61b99
0x73b61ba2
0x73b61ba8
0x73b61baa
0x73b61bb0
0x73b61bb0
0x73b61bb6
0x73b61bb9
0x73b61bb9
0x73b61bbc
0x73b61bbc
0x73b61bc2
0x73b61bc4
0x73b61bc7
0x73b61bcd
0x73b61bd0
0x73b61bd0
0x73b61bd2
0x73b61bd8
0x73b61bdb
0x73b61bff
0x73b61c02
0x00000000
0x00000000
0x73b61c05
0x73b61c07
0x73b61c15
0x73b61c18
0x73b61c1a
0x00000000
0x00000000
0x00000000
0x00000000
0x73b61c1c
0x73b61c1c
0x73b61c1c
0x73b61c22
0x73b61c24
0x00000000
0x00000000
0x73b61c26
0x73b61c28
0x73b61c2a
0x73b61c2c
0x00000000
0x00000000
0x00000000
0x73b61c2c
0x73b61c2e
0x73b61c30
0x73b61c32
0x73b61c32
0x73b61c38
0x73b61c3e
0x73b61c40
0x73b61c54
0x73b61c54
0x73b61c56
0x73b61c42
0x73b61c48
0x73b61c4b
0x73b61c4b
0x00000000
0x73b61bdd
0x73b61bdd
0x73b61bdd
0x73b61bde
0x73b61be6
0x73b61bea
0x73b61bf0
0x73b61bf4
0x73b61c5c
0x73b61c5f
0x73b61c62
0x73b61cd4
0x73b61cd8
0x73b61ad9
0x00000000
0x73b61ad9
0x00000000
0x73b61cd8
0x73b61be0
0x73b61be0
0x73b61be1
0x00000000
0x00000000
0x73b61be3
0x73b61be4
0x00000000
0x00000000
0x00000000
0x73b61be4
0x73b61bdb
0x73b61b75
0x73b61b7e
0x73b61b81
0x73b61b8e
0x73b61b8e
0x73b61b83
0x73b61b83
0x00000000
0x73b61b75
0x73b61af9
0x73b61afc
0x73b61b4d
0x73b61b50
0x73b61b61
0x73b61b61
0x73b61b64
0x00000000
0x73b61b64
0x73b61b52
0x73b61b56
0x00000000
0x00000000
0x73b61b58
0x73b61b5b
0x73b61c67
0x73b61c6a
0x73b61c6a
0x73b61c6c
0x73b62011
0x73b62014
0x73b62077
0x73b61cc5
0x73b61cc8
0x73b61ccb
0x73b61cce
0x73b61cce
0x73b61cd0
0x73b61cd0
0x73b61cd0
0x73b61cd1
0x00000000
0x73b61cd1
0x73b62016
0x73b62019
0x73b62025
0x73b62025
0x73b62028
0x73b6202b
0x73b62036
0x73b62036
0x73b62039
0x73b6203c
0x73b62083
0x73b62086
0x73b62089
0x00000000
0x73b62089
0x73b6203e
0x73b62041
0x00000000
0x00000000
0x73b62043
0x73b6204a
0x73b6204a
0x73b62050
0x73b62053
0x73b6206f
0x73b62055
0x73b6205e
0x73b62061
0x73b62061
0x00000000
0x73b62053
0x73b6202d
0x00000000
0x73b6202d
0x73b6201b
0x73b6201e
0x00000000
0x00000000
0x73b62020
0x73b62023
0x00000000
0x00000000
0x00000000
0x73b62023
0x73b61c72
0x73b61c72
0x73b61c73
0x73b61dbc
0x73b61dbc
0x73b61dc3
0x73b61dc6
0x00000000
0x00000000
0x73b61dd3
0x00000000
0x73b61fb9
0x73b61fbc
0x73b61fbf
0x73b61fbf
0x73b61fc0
0x73b61fc3
0x73b61fc5
0x73b61fc7
0x00000000
0x00000000
0x73b61fc9
0x73b61fc9
0x73b61fcc
0x73b61fde
0x73b61fe1
0x73b61fe4
0x73b61fea
0x00000000
0x73b61fea
0x73b61fce
0x73b61fce
0x73b61fd0
0x00000000
0x00000000
0x73b61fd2
0x73b61fd4
0x73b61fd6
0x73b61fd6
0x73b61fd6
0x73b61fd7
0x73b61fd9
0x73b61fdb
0x73b61fbf
0x73b61fc0
0x73b61fc3
0x73b61fc5
0x73b61fc7
0x00000000
0x00000000
0x00000000
0x73b61fc7
0x00000000
0x73b61e1a
0x00000000
0x00000000
0x73b61e26
0x00000000
0x00000000
0x73b61e0d
0x73b61e11
0x73b61e15
0x00000000
0x00000000
0x73b61f8b
0x73b61f8f
0x00000000
0x00000000
0x73b61f95
0x73b61f9d
0x73b61fa4
0x73b61fac
0x00000000
0x00000000
0x73b61ef3
0x73b61ef3
0x00000000
0x00000000
0x73b61e2f
0x00000000
0x00000000
0x73b62009
0x00000000
0x00000000
0x73b61efb
0x73b61efd
0x73b61efd
0x00000000
0x00000000
0x73b61ff9
0x00000000
0x00000000
0x73b61ffd
0x00000000
0x00000000
0x73b62005
0x00000000
0x00000000
0x73b61f42
0x73b61f44
0x73b61f44
0x00000000
0x00000000
0x73b61f0d
0x73b61f0f
0x73b61f0f
0x00000000
0x00000000
0x73b61f1f
0x73b61f21
0x73b61f21
0x00000000
0x00000000
0x73b61f50
0x73b61f52
0x73b61f52
0x00000000
0x00000000
0x73b61f2a
0x73b61f2c
0x73b61f2c
0x00000000
0x00000000
0x73b61f31
0x00000000
0x00000000
0x73b62001
0x73b6200b
0x73b6200b
0x00000000
0x00000000
0x73b61f5b
0x73b61f5f
0x73b61f64
0x73b61f67
0x73b61f68
0x73b61f6b
0x73b61f71
0x73b61f71
0x00000000
0x00000000
0x73b61ff1
0x00000000
0x00000000
0x73b61f35
0x73b61f35
0x00000000
0x00000000
0x73b61e36
0x73b61e36
0x00000000
0x00000000
0x73b61f49
0x73b61f4b
0x73b61f4b
0x00000000
0x00000000
0x73b61dda
0x73b61de0
0x73b61de3
0x73b61de5
0x73b61de5
0x73b61de8
0x73b61dec
0x73b61df9
0x73b61dfb
0x73b61e01
0x73b61e01
0x73b61e01
0x00000000
0x00000000
0x73b61efe
0x73b61efe
0x73b61f00
0x73b61f07
0x00000000
0x00000000
0x73b61f45
0x73b61f45
0x00000000
0x00000000
0x73b61f10
0x73b61f10
0x73b61f12
0x73b61f19
0x00000000
0x00000000
0x73b61f22
0x73b61f22
0x73b61f24
0x00000000
0x00000000
0x73b61f53
0x73b61f53
0x00000000
0x00000000
0x73b61f2d
0x73b61f2d
0x00000000
0x00000000
0x73b61f79
0x73b61f7d
0x73b61f82
0x73b61f85
0x00000000
0x00000000
0x73b61f37
0x73b61f37
0x73b61f3a
0x73b61f3c
0x00000000
0x00000000
0x73b61f4c
0x73b61f4c
0x73b61f55
0x73b61f55
0x73b61e38
0x73b61e38
0x73b61e3b
0x73b61e42
0x73b61e44
0x73b61e46
0x73b61e4d
0x73b61e50
0x73b61e55
0x73b61e57
0x73b61e59
0x73b61e5d
0x73b61e63
0x73b61e69
0x73b61e69
0x73b61e6b
0x73b61e6b
0x73b61e6c
0x73b61e6c
0x73b61e70
0x73b61e76
0x73b61e78
0x73b61e7c
0x73b61e81
0x73b61e81
0x73b61e83
0x73b61e83
0x73b61e86
0x73b61e89
0x73b61e92
0x73b61e95
0x73b61e98
0x73b61e98
0x73b61e9a
0x73b61e9d
0x73b61ea3
0x73b61ea9
0x73b61ea9
0x73b61eab
0x00000000
0x00000000
0x73b61eb1
0x73b61eb1
0x73b61eb5
0x73b61ebc
0x73b61ee0
0x73b61ee0
0x73b61ee4
0x73b61ee6
0x73b61ee9
0x73b61ee9
0x73b61eec
0x73b61eec
0x00000000
0x73b61ee4
0x73b61ec1
0x73b61ec4
0x73b61ec4
0x73b61ecb
0x73b61ecd
0x73b61ed0
0x73b61ed7
0x73b61ed8
0x73b61ede
0x73b61ede
0x00000000
0x73b61ede
0x73b61ed2
0x73b61ed5
0x00000000
0x00000000
0x00000000
0x73b61ed5
0x73b61e65
0x73b61e67
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73b61dd3
0x73b61c79
0x73b61c79
0x73b61c7a
0x73b61db9
0x00000000
0x73b61db9
0x73b61c80
0x73b61c81
0x00000000
0x00000000
0x73b61c87
0x73b61c8a
0x73b61d7e
0x73b61d7e
0x73b61d81
0x73b61d96
0x73b61d98
0x73b61d98
0x73b61d99
0x73b61d9c
0x73b61d9f
0x73b61dab
0x73b61dab
0x73b61dab
0x73b61da1
0x73b61da1
0x73b61da1
0x73b61db1
0x00000000
0x73b61db1
0x73b61d83
0x73b61d83
0x73b61d84
0x73b61d92
0x00000000
0x73b61d92
0x73b61d87
0x73b61d88
0x00000000
0x00000000
0x73b61d8e
0x00000000
0x73b61d8e
0x73b61c90
0x73b61d7a
0x00000000
0x73b61d7a
0x73b61c96
0x73b61c96
0x73b61c99
0x73b61cc2
0x00000000
0x73b61cc2
0x73b61c9b
0x73b61c9b
0x73b61c9e
0x73b61cb8
0x00000000
0x73b61cb8
0x73b61ca0
0x73b61ca0
0x73b61ca3
0x73b61cb2
0x00000000
0x73b61cb2
0x73b61ca6
0x73b61ca7
0x00000000
0x00000000
0x73b61ca9
0x00000000
0x73b61ca9
0x00000000
0x73b61b5b
0x73b61afe
0x73b61b01
0x73b61b30
0x73b61b34
0x73b61b3b
0x73b61b42
0x73b61b45
0x73b61b48
0x00000000
0x73b61b48
0x73b61b03
0x73b61b04
0x73b61b1f
0x73b61b26
0x73b61b29
0x00000000
0x73b61b29
0x73b61b09
0x00000000
0x73b61b0f
0x73b61b0f
0x73b61b16
0x00000000
0x73b61b16
0x73b61b09
0x73b61ce7
0x73b61cec
0x73b61cf1
0x73b61cf5
0x73b62186
0x73b6218c
0x73b61d07
0x73b61d09
0x73b61d0a
0x73b620b1
0x73b620b1
0x73b620b4
0x73b620b7
0x73b620d4
0x73b620da
0x73b620dc
0x73b620e2
0x73b620f9
0x73b620f9
0x73b620f9
0x73b62106
0x73b6210c
0x73b6210f
0x73b62115
0x73b6214a
0x73b6214a
0x73b6214d
0x73b62157
0x73b6215f
0x73b6216b
0x73b62171
0x73b62174
0x73b620a6
0x73b620a6
0x00000000
0x73b620a6
0x73b6217a
0x73b62180
0x73b62180
0x00000000
0x00000000
0x73b62182
0x73b62182
0x73b62182
0x73b62182
0x00000000
0x73b62182
0x73b6214f
0x73b62155
0x00000000
0x00000000
0x00000000
0x73b62155
0x73b62117
0x73b6211a
0x00000000
0x00000000
0x73b6211c
0x73b62123
0x73b62128
0x73b6212b
0x00000000
0x00000000
0x73b6212d
0x73b62132
0x73b62133
0x73b62133
0x73b620e5
0x73b620eb
0x73b620ed
0x73b620f3
0x00000000
0x00000000
0x00000000
0x73b620f3
0x73b620b9
0x73b620c0
0x73b620c6
0x73b620cc
0x00000000
0x73b620cc
0x73b61d10
0x73b61d11
0x73b62090
0x73b62090
0x73b62096
0x73b62099
0x00000000
0x00000000
0x73b620a0
0x73b620a5
0x00000000
0x73b620a5
0x73b61d18
0x00000000
0x00000000
0x73b61d1e
0x73b61d1e
0x73b61d27
0x73b61d2c
0x73b61d32
0x00000000
0x00000000
0x73b61d38
0x73b61d45
0x73b61d4b
0x73b61d55
0x73b61d5b
0x73b61d63
0x73b61d73
0x00000000
0x73b61d73

APIs

Part of subcall function 73B61215: GlobalAlloc.KERNELBASE(00000040,73B61233,?,73B612CF,-73B6404B,73B611AB,-000000A0), ref: 73B6121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 73B61BA2
lstrcpyA.KERNEL32(00000008,?), ref: 73B61BEA
lstrcpyA.KERNEL32(00000408,?), ref: 73B61BF4
GlobalFree.KERNEL32 ref: 73B61C07
GlobalFree.KERNEL32 ref: 73B61CE7
GlobalFree.KERNEL32 ref: 73B61CEC
GlobalFree.KERNEL32 ref: 73B61CF1
GlobalFree.KERNEL32 ref: 73B61ED8
lstrcpyA.KERNEL32(?,?), ref: 73B62061
GetModuleHandleA.KERNEL32(00000008), ref: 73B620D4
LoadLibraryA.KERNEL32(00000008), ref: 73B620E5

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$HandleLibraryLoadModule
String ID:
API String ID: 1962388997-0
Opcode ID: b4d8cbb0dbd7180bd4577ee912ae84f66dc0984c8514b82a6e1d5eb0f934f89f
Instruction ID: 96b52486f29facb11fa9835857363b6fe3a0718ff54874a5cbad8d71d2f6f426
Opcode Fuzzy Hash: b4d8cbb0dbd7180bd4577ee912ae84f66dc0984c8514b82a6e1d5eb0f934f89f
Instruction Fuzzy Hash: C8229B71D0460ADFEB12CFA4C9807AEBBF9FB84304F14453ED196EA282E7749A45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 004020D1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004020D1() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x3c) = E00402ACB(0xfffffff0);
				 *(_t111 - 0xc) = E00402ACB(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x80)) = E00402ACB(2);
				 *((intOrPtr*)(_t111 - 0x7c)) = E00402ACB(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402ACB(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x88) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x78) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405982( *(_t111 - 0xc)) == 0) {
					E00402ACB(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408410, _t87, 1, 0x408400, _t59); // executed
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408420, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x78));
						_t95 =  *((intOrPtr*)(_t111 - 0x7c));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x88));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x80)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x34)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x3c), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x004020da
0x004020e4
0x004020ee
0x004020f8
0x00402103
0x00402106
0x00402120
0x00402126
0x0040212c
0x0040212f
0x00402139
0x0040213d
0x0040213d
0x00402142
0x00402153
0x0040215b
0x00402234
0x00402234
0x0040223b
0x00402161
0x00402161
0x00402170
0x00402174
0x00402177
0x0040217d
0x0040218b
0x0040218e
0x00402190
0x0040219b
0x0040219b
0x004021a0
0x004021a2
0x004021a9
0x004021a9
0x004021ac
0x004021b5
0x004021b8
0x004021bd
0x004021bf
0x004021cc
0x004021cc
0x004021cf
0x004021d8
0x004021db
0x004021e4
0x004021ea
0x004021f1
0x0040220a
0x0040220c
0x0040221a
0x0040221a
0x0040220a
0x0040221d
0x00402223
0x00402223
0x00402226
0x0040222c
0x00402232
0x00402247
0x00000000
0x00000000
0x00000000
0x00402232
0x0040223d
0x0040295a
0x00402966

APIs

CoCreateInstance.OLE32(00408410,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize
API String ID: 123533781-2525576826
Opcode ID: ef1db2cd258f2806f86d9ee1c0931d75bca39e6baeeefc11e908261b269a4f67
Instruction ID: 9e9d5d88055110978c4ae6826d2e5e59fb59f3b6f63c31ddbaa09ad4cf03e3db
Opcode Fuzzy Hash: ef1db2cd258f2806f86d9ee1c0931d75bca39e6baeeefc11e908261b269a4f67
Instruction Fuzzy Hash: F4511871A00208BFCF10DFE4C989A9D7BB5BF48318F2085AAF515EB2D1DA799941CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00406280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406280(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x7a0d90); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7a0d90;
			}

0x0040628b
0x00406294
0x00000000
0x004062a1
0x00406297
0x00000000

APIs

FindFirstFileA.KERNELBASE(746AFA90,007A0D90,Forgngeliges.rea,00405A46,Forgngeliges.rea,Forgngeliges.rea,00000000,Forgngeliges.rea,Forgngeliges.rea,746AFA90,?,C:\Users\user\AppData\Local\Temp\,00405765,?,746AFA90,C:\Users\user\AppData\Local\Temp\), ref: 0040628B
FindClose.KERNEL32(00000000), ref: 00406297

Strings

Forgngeliges.rea, xrefs: 00406280

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: Forgngeliges.rea
API String ID: 2295610775-2553225184
Opcode ID: c24f07e19fd736ab640c4fa4be5052e5aaef0f0ac654c0d60e62e1f7b242b1f9
Instruction ID: 649fadc54739959b3e8e38c8a8f4dd54304d89d7bf2914afa8982a1acff588dd
Opcode Fuzzy Hash: c24f07e19fd736ab640c4fa4be5052e5aaef0f0ac654c0d60e62e1f7b242b1f9
Instruction Fuzzy Hash: E0D012729051205FCA006778AE0C84B7A589F46370B114B7AB4AAF15E0CA788C7286D8

Uniqueness

Uniqueness Score: -1.00%

Function 004026FE Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E004026FE(char __ebx, char* __edi, char* __esi) {
				void* _t6;
				void* _t19;

				_t6 = FindFirstFileA(E00402ACB(2), _t19 - 0x1c8); // executed
				if(_t6 != 0xffffffff) {
					E00405EDB(__edi, _t6);
					_push(_t19 - 0x19c);
					_push(__esi);
					E00405F7D();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x0040270d
0x00402716
0x0040272a
0x00402735
0x00402736
0x00402875
0x00402718
0x00402718
0x0040271a
0x0040271c
0x0040271c
0x0040295a
0x00402966

APIs

FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 0040270D

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 07c9c5e6fa8ca5f70392b9ad02f2e3e7aaa5e6d26e7ff85ab513adcc9cd2cd8c
Instruction ID: d02168588d0434b50479f8c5d7bfa648a046adbf5aa12c789179644532e0cc19
Opcode Fuzzy Hash: 07c9c5e6fa8ca5f70392b9ad02f2e3e7aaa5e6d26e7ff85ab513adcc9cd2cd8c
Instruction Fuzzy Hash: 19F0A072604111EBD701E7A49949DEEB7688F15328FA0457BE281F20C1D6B88A459B3A

Uniqueness

Uniqueness Score: -1.00%

Function 004037AB Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004037AB(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				signed int _t21;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				intOrPtr _t55;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				signed short _t67;
				struct HINSTANCE__* _t71;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x7a2f54; // 0xb3aa10
				_t17 = E00406315(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x79f540;
					"1033" = 0x30;
					 *0x7aa001 = 0x78;
					 *0x7aa002 = 0;
					E00405E64(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f540, 0);
					__eflags =  *0x79f540;
					if(__eflags == 0) {
						E00405E64(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M00408362, 0x79f540, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					_t67 =  *_t17(); // executed
					E00405EDB("1033", _t67 & 0x0000ffff);
				}
				E00403A70(_t71, _t84);
				_t21 =  *0x7a2f5c; // 0x80
				_t80 = "C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize";
				 *0x7a2fe0 = _t21 & 0x00000020;
				 *0x7a2ffc = 0x10000;
				if(E00405A03(_t84, "C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize") != 0) {
					L16:
					if(E00405A03(_t92, _t80) == 0) {
						E00405F9F(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x7a2f40, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7a2728 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403A70(_t71, __eflags);
							__eflags =  *0x7a3000;
							if( *0x7a3000 != 0) {
								_t28 = E00405176(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7a270c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x79f520, 5); // executed
							_t34 = E004062A7("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004062A7("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x7a26e0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x7a26e0);
								 *0x7a2704 = _t81;
								RegisterClassA(0x7a26e0);
							}
							_t36 =  *0x7a2720; // 0x0
							_t39 = DialogBoxParamA( *0x7a2f40, _t36 + 0x00000069 & 0x0000ffff, 0, E00403B48, 0); // executed
							E004036FB(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x7a2f40; // 0x400000
						 *0x7a26e4 = 0x401000;
						 *0x7a26f0 = _t71;
						 *0x7a26f4 = _t25;
						 *0x7a2704 = 0x40a1f4;
						if(RegisterClassA(0x7a26e0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x79f520 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f40, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t55 =  *0x7a2f98; // 0xb3e8b8
					_t74 = 0x7a1ee0;
					E00405E64(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) + _t55, 0x7a1ee0, 0);
					_t57 =  *0x7a1ee0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x7a1ee1;
						 *((char*)(E00405940(0x7a1ee1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00405F7D(_t80, E00405915(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E0040595C(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004037b1
0x004037ba
0x004037c1
0x004037c3
0x004037d7
0x004037e9
0x004037f0
0x004037f7
0x004037fd
0x00403802
0x00403808
0x0040381b
0x0040381b
0x00403826
0x004037c5
0x004037c5
0x004037d0
0x004037d0
0x0040382b
0x00403830
0x00403835
0x0040383e
0x00403843
0x00403854
0x004038db
0x004038e3
0x004038ec
0x004038ec
0x00403902
0x00403908
0x00403916
0x00403997
0x0040399f
0x004039a9
0x004039ae
0x004039b4
0x00403a3e
0x00403a43
0x00403a45
0x00403a61
0x00000000
0x00403a61
0x00403a47
0x00403a4d
0x00403a55
0x00403a55
0x00000000
0x00403a4d
0x004039c2
0x004039cd
0x004039d2
0x004039d4
0x004039db
0x004039db
0x004039e6
0x004039ee
0x004039f0
0x004039f2
0x004039fb
0x004039fe
0x00403a04
0x00403a04
0x00403a0a
0x00403a23
0x00403a34
0x00000000
0x00403a39
0x004039a1
0x004039a3
0x00000000
0x00403918
0x00403918
0x00403924
0x0040392e
0x00403934
0x00403939
0x00403948
0x00403a66
0x00403a66
0x00000000
0x00403a66
0x00403957
0x00403992
0x00000000
0x00403992
0x0040385a
0x0040385a
0x0040385d
0x0040385f
0x00000000
0x00000000
0x00403864
0x00403869
0x00403879
0x0040387e
0x00403885
0x00000000
0x00000000
0x00403889
0x0040388b
0x00403898
0x00403898
0x004038a0
0x004038a6
0x004038ce
0x004038d6
0x00000000
0x004038b8
0x004038b9
0x004038c2
0x004038c8
0x004038c9
0x00000000
0x004038c9
0x004038c4
0x004038c6
0x00000000
0x00000000
0x00000000
0x004038c6
0x004038a6

APIs

Part of subcall function 00406315: GetModuleHandleA.KERNEL32(?,?,?,0040325C,0000000A), ref: 00406327
Part of subcall function 00406315: GetProcAddress.KERNEL32(00000000,?), ref: 00406342

GetUserDefaultUILanguage.KERNELBASE(00000002,746AFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\download.exe",00000000), ref: 004037C5

Part of subcall function 00405EDB: wsprintfA.USER32 ref: 00405EE8

lstrcatA.KERNEL32(1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,746AFA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\download.exe",00000000), ref: 00403826
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,746AFA90), ref: 0040389B
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000), ref: 004038AE
GetFileAttributesA.KERNEL32(Call), ref: 004038B9
LoadImageA.USER32 ref: 00403902
RegisterClassA.USER32 ref: 0040393F
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403957
CreateWindowExA.USER32 ref: 0040398C
ShowWindow.USER32(00000005,00000000), ref: 004039C2
GetClassInfoA.USER32 ref: 004039EE
GetClassInfoA.USER32 ref: 004039FB
RegisterClassA.USER32 ref: 00403A04
DialogBoxParamA.USER32 ref: 00403A23

Strings

.exe, xrefs: 004038A8
"C:\Users\user\Desktop\download.exe", xrefs: 004037AF
Call, xrefs: 00403869, 00403871, 0040387E, 004038C8, 004038CE
RichEd20, xrefs: 004039C8
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize, xrefs: 00403835, 0040383D, 004038D5, 004038DB, 004038EB
RichEdit20A, xrefs: 004039E6, 004039EC
_Nb, xrefs: 0040391E, 00403986
Control Panel\Desktop\ResourceLocale, xrefs: 004037DF
RichEd32, xrefs: 004039D6
&z, xrefs: 00403911
RichEdit, xrefs: 004039F5
.DEFAULT\Control Panel\International, xrefs: 00403811
1033, xrefs: 004037CB, 00403821
C:\Users\user\AppData\Local\Temp\, xrefs: 004037B0

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\download.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$&z
API String ID: 606308-2613217240
Opcode ID: 7c17711a53f5d675b216d633321a2e6c9060460c0893605bcdabe41a28e1cda8
Instruction ID: dff23d5ef8b44838d5d7b4120faab130ca8a02140368ea181f7986d44215ec0e
Opcode Fuzzy Hash: 7c17711a53f5d675b216d633321a2e6c9060460c0893605bcdabe41a28e1cda8
Instruction Fuzzy Hash: 4661B571240600BED610AF659D45F3B3AACDB85749F00857FF981B62E2DB7D9D028B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403B48 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403B48(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t142;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x79f528 = _t35;
					if(_t116 == 0x110) {
						 *0x7a2f48 = _t126;
						 *0x79f53c = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79e508 = _t92;
						E0040401C(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x7a2728); // executed
						 *0x7a270c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x79f528 = 1;
					}
					_t123 =  *0x40a1dc; // 0x0
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x7a2f80;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E00404068(0x40b);
						while(1) {
							_t37 =  *0x79f528;
							 *0x40a1dc =  *0x40a1dc + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1dc; // 0x0
							__eflags = _t39 -  *0x7a2f84; // 0x2
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x7a270c - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x7a2f84; // 0x2
							__eflags =  *0x40a1dc - _t44; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E00405F9F(_t117, _t126, _t131, 0x7ab800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E0040401C(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E0040401C(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E0040401C(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x7a2fec - _t134; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
							E0040403E(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x79e508, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x7a2fec - _t134; // 0x0
							if(__eflags == 0) {
								_push( *0x79f53c);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x79e508);
							}
							E00404051();
							E00405F7D(0x79f540, E00403B29());
							E00405F9F(0x79f540, _t126, _t131,  &(0x79f540[lstrlenA(0x79f540)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x79f540); // executed
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x7a2718); // executed
									 *0x79ed18 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x7a2f40,  *_t131 +  *0x7a2720 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131); // executed
									__eflags = _t74 - _t134;
									 *0x7a2718 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E0040401C(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x7a2718, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x7a270c - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x7a2718, 8); // executed
									E00404068(0x405);
									goto L58;
								}
								__eflags =  *0x7a2fec - _t134; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x7a2fe0 - _t134; // 0x1
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7a2718);
						 *0x7a2f48 = _t134;
						EndDialog(_t126,  *0x79e910);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x7a2718, 0x40f, 0, 1);
						__eflags =  *0x7a270c - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x79f520, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x79f520,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E00404083(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x7a2718, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7a2fec - _t134; // 0x0
										if(__eflags == 0) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x79e910 = 1;
											L21:
											_push(0x78);
											L22:
											E00403FF5();
											goto L26;
										}
										E0040140B(_t128);
										 *0x79e910 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1dc - _t134; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x7a2718);
						 *0x7a2718 = _a12;
						L58:
						_t142 =  *0x7a0540 - _t134; // 0x1
						if(_t142 == 0) {
							_t143 =  *0x7a2718 - _t134; // 0x10390
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa); // executed
								 *0x7a0540 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403b51
0x00403b5a
0x00403c9b
0x00403c9f
0x00403ca3
0x00403ca5
0x00403caa
0x00403cb5
0x00403cc0
0x00403cc5
0x00403cc7
0x00403cc9
0x00403ccc
0x00403cd1
0x00403cdf
0x00403cec
0x00403cf3
0x00403cf3
0x00403cf4
0x00403cf4
0x00403cf9
0x00403cff
0x00403d06
0x00403d0c
0x00403d0e
0x00403d4e
0x00403d53
0x00403d58
0x00403d58
0x00403d5d
0x00403d66
0x00403d68
0x00403d6d
0x00403d73
0x00403d77
0x00403d77
0x00403d7c
0x00403d82
0x00000000
0x00000000
0x00403d88
0x00403d8d
0x00403d93
0x00000000
0x00000000
0x00403d9c
0x00403da4
0x00403da9
0x00403dac
0x00403db2
0x00403db7
0x00403dba
0x00403dc0
0x00403dc5
0x00403dc8
0x00403dce
0x00403dd6
0x00403ddc
0x00403de2
0x00403de6
0x00403ded
0x00403ded
0x00403ded
0x00403df7
0x00403e09
0x00403e15
0x00403e1a
0x00403e24
0x00403e2a
0x00403e2c
0x00403e31
0x00403e2e
0x00403e2e
0x00403e2e
0x00403e41
0x00403e59
0x00403e5b
0x00403e61
0x00403e76
0x00403e63
0x00403e6c
0x00403e6e
0x00403e6e
0x00403e7c
0x00403e8d
0x00403e9e
0x00403ea5
0x00403eab
0x00403eaf
0x00403eb4
0x00403eb6
0x00000000
0x00403ebc
0x00403ebc
0x00403ebe
0x00000000
0x00000000
0x00403ec4
0x00403ec8
0x00403eed
0x00403ef3
0x00403ef9
0x00403efb
0x00000000
0x00000000
0x00403f21
0x00403f27
0x00403f29
0x00403f2e
0x00000000
0x00000000
0x00403f34
0x00403f37
0x00403f3a
0x00403f51
0x00403f5d
0x00403f76
0x00403f7c
0x00403f80
0x00403f85
0x00403f8b
0x00000000
0x00000000
0x00403f95
0x00403fa0
0x00000000
0x00403fa0
0x00403eca
0x00403ed0
0x00000000
0x00000000
0x00403ed6
0x00403edc
0x00000000
0x00000000
0x00000000
0x00403ee2
0x00403eb6
0x00403fad
0x00403fb9
0x00403fc0
0x00000000
0x00403d10
0x00403d10
0x00403d13
0x00403d46
0x00403d46
0x00403d48
0x00000000
0x00000000
0x00000000
0x00403d48
0x00403d15
0x00403d19
0x00403d1e
0x00403d20
0x00000000
0x00000000
0x00403d30
0x00403d38
0x00000000
0x00403d3e
0x00403b6c
0x00403b6c
0x00403b70
0x00403b75
0x00403b84
0x00403b84
0x00403b8d
0x00403b96
0x00403ba1
0x00403ba1
0x00403bad
0x00403bc9
0x00403bcc
0x00403bdf
0x00403be5
0x00403c88
0x00000000
0x00403c91
0x00403beb
0x00403bf8
0x00403bfa
0x00403bfc
0x00403c1b
0x00403c1b
0x00403c1e
0x00403c23
0x00403c26
0x00403c36
0x00403c37
0x00403c39
0x00403c6f
0x00403c82
0x00000000
0x00403c82
0x00403c3b
0x00403c41
0x00403c5a
0x00403c5f
0x00403c61
0x00000000
0x00000000
0x00403c63
0x00403c4f
0x00403c4f
0x00403c51
0x00403c51
0x00000000
0x00403c51
0x00403c44
0x00403c49
0x00000000
0x00403c49
0x00403c28
0x00403c2e
0x00000000
0x00000000
0x00403c30
0x00000000
0x00403c30
0x00403c20
0x00000000
0x00403c20
0x00403c06
0x00403c0d
0x00403c13
0x00403c15
0x00000000
0x00000000
0x00000000
0x00403c15
0x00403bd1
0x00000000
0x00403baf
0x00403bb5
0x00403bbf
0x00403fc6
0x00403fc6
0x00403fcc
0x00403fce
0x00403fd4
0x00403fd9
0x00403fdf
0x00403fdf
0x00403fd4
0x00403fe9
0x00000000
0x00403fe9
0x00403bad

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B84
ShowWindow.USER32(?), ref: 00403BA1
DestroyWindow.USER32 ref: 00403BB5
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BD1
GetDlgItem.USER32 ref: 00403BF2
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C06
IsWindowEnabled.USER32(00000000), ref: 00403C0D
GetDlgItem.USER32 ref: 00403CBB
GetDlgItem.USER32 ref: 00403CC5
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403CDF
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D30
GetDlgItem.USER32 ref: 00403DD6
ShowWindow.USER32(00000000,?), ref: 00403DF7
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E09
EnableWindow.USER32(?,?), ref: 00403E24
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E3A
EnableMenuItem.USER32 ref: 00403E41
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E59
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E6C
lstrlenA.KERNEL32(0079F540,?,0079F540,00000000), ref: 00403E96
SetWindowTextA.USER32(?,0079F540), ref: 00403EA5
ShowWindow.USER32(?,0000000A), ref: 00403FD9

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID:
API String ID: 3906175533-0
Opcode ID: 15b6375a1e693d3e2cd3c5fe237b60442a4c361cd33fb8cff5c4eaa7748e9161
Instruction ID: be3397b8ddd8732ae82b8f0fff634cab03aa6bc43632f84706db7e79d14484ee
Opcode Fuzzy Hash: 15b6375a1e693d3e2cd3c5fe237b60442a4c361cd33fb8cff5c4eaa7748e9161
Instruction Fuzzy Hash: CEC1C271504600AFEB216F65ED85E2B3ABCEB85706F00453EF641B11F2CB3D9A429B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D63 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402D63(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				signed int _t54;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\engineer\\Desktop\\download.exe";
				 *0x7a2f50 = _t43 + 0x3e8; // executed
				GetModuleFileNameA(0, "C:\\Users\\engineer\\Desktop\\download.exe", 0x400); // executed
				_t89 = E00405B16(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\engineer\\Desktop";
				E00405F7D("C:\\Users\\engineer\\Desktop", _t91);
				E00405F7D(0x7ab000, E0040595C(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x7960fc = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402CFF(1);
					__eflags =  *0x7a2f58 - _t82; // 0x3fc00
					if(__eflags == 0) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						_t54 =  *0x7a2f58; // 0x3fc00
						E004031A1(_t54 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402F9C(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7a2f54 = _t94;
							 *0x7a2f5c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7a2f60 =  *0x7a2f60 + 1;
								__eflags =  *0x7a2f60;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405AD1(0x7a2f80, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004031A1( *0x78a0f4);
					_t65 = E0040318B( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t67 =  *0x7a2f58; // 0x3fc00
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E0040318B(0x796100, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402CFF(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7a2f58;
						if( *0x7a2f58 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402CFF(0);
							}
							goto L20;
						}
						E00405AD1( &_v44, 0x796100, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x78a0f4; // 0xa4d3a
						 *0x7a3000 =  *0x7a3000 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7a2f58 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a194
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x7960fc; // 0xa6270
						if(__eflags < 0) {
							_v12 = E004063CC(_v12, 0x796100, _t90);
						}
						 *0x78a0f4 =  *0x78a0f4 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402d6b
0x00402d6e
0x00402d71
0x00402d74
0x00402d7a
0x00402d8b
0x00402d90
0x00402da3
0x00402da8
0x00402dab
0x00402db1
0x00000000
0x00402db3
0x00402dbe
0x00402dc4
0x00402dd5
0x00402ddc
0x00402de2
0x00402de4
0x00402de9
0x00402deb
0x00402ed8
0x00402eda
0x00402edf
0x00402ee6
0x00000000
0x00000000
0x00402ee8
0x00402eeb
0x00402f0f
0x00402f14
0x00402f1a
0x00402f1c
0x00402f25
0x00402f2a
0x00402f2d
0x00402f2e
0x00402f2f
0x00402f31
0x00402f36
0x00402f39
0x00402f4c
0x00402f50
0x00402f58
0x00402f5d
0x00402f5f
0x00402f5f
0x00402f5f
0x00402f67
0x00402f67
0x00402f6a
0x00402f6b
0x00402f6b
0x00402f6e
0x00402f70
0x00402f70
0x00402f70
0x00402f7a
0x00402f80
0x00402f8e
0x00402f93
0x00000000
0x00402f93
0x00000000
0x00402f39
0x00402ef3
0x00402efe
0x00402f03
0x00402f05
0x00000000
0x00000000
0x00402f0a
0x00402f0d
0x00000000
0x00000000
0x00000000
0x00402df1
0x00402df6
0x00402df6
0x00402dfb
0x00402dff
0x00402e06
0x00402e0b
0x00402e0d
0x00402e0f
0x00402e0f
0x00402e13
0x00402e18
0x00402e1a
0x00402f44
0x00402f3b
0x00000000
0x00402f3b
0x00402e20
0x00402e27
0x00402ea3
0x00402ea7
0x00402eab
0x00402eb0
0x00000000
0x00402ea7
0x00402e30
0x00402e35
0x00402e38
0x00402e3d
0x00000000
0x00000000
0x00402e3f
0x00402e46
0x00000000
0x00000000
0x00402e48
0x00402e4f
0x00000000
0x00000000
0x00402e51
0x00402e58
0x00000000
0x00000000
0x00402e5a
0x00402e61
0x00000000
0x00000000
0x00402e63
0x00402e69
0x00402e72
0x00402e78
0x00402e7b
0x00402e7d
0x00402e83
0x00000000
0x00000000
0x00402e89
0x00402e8d
0x00402e95
0x00402e95
0x00402e98
0x00402e98
0x00402e9b
0x00402e9d
0x00402e9f
0x00402e9f
0x00000000
0x00402e9d
0x00402e8f
0x00402e93
0x00000000
0x00000000
0x00000000
0x00402eb1
0x00402eb1
0x00402eb7
0x00402ec3
0x00402ec3
0x00402ec6
0x00402ecc
0x00402ece
0x00402ece
0x00402ed6
0x00402ed6
0x00000000
0x00402ed6

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\download.exe,00000400), ref: 00402D90

Part of subcall function 00405B16: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\download.exe,80000000,00000003), ref: 00405B1A
Part of subcall function 00405B16: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B3C

GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\download.exe,C:\Users\user\Desktop\download.exe,80000000,00000003), ref: 00402DDC

Strings

"C:\Users\user\Desktop\download.exe", xrefs: 00402D63
pb, xrefs: 00402DE4
C:\Users\user\Desktop\download.exe, xrefs: 00402D7A, 00402D89, 00402D9D, 00402DBD
Inst, xrefs: 00402E48
:M, xrefs: 00402E69, 00402EC6
Null, xrefs: 00402E5A
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D6A
C:\Users\user\Desktop, xrefs: 00402DBE, 00402DC3, 00402DC9
Error launching installer, xrefs: 00402DB3
soft, xrefs: 00402E51
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\download.exe"$:M$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\download.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$pb$soft
API String ID: 4283519449-4108120628
Opcode ID: c070d1a6a1e642fc9781c75ed052fb1a39172e96787f639e7ba8b58f5885ef14
Instruction ID: e7e10bf14dd6c84c423c7e0fea7576ec82b222124ef8da9379000f3ec2b80706
Opcode Fuzzy Hash: c070d1a6a1e642fc9781c75ed052fb1a39172e96787f639e7ba8b58f5885ef14
Instruction Fuzzy Hash: 7151D371940215AFDB119F64DE89A5F7BB8EB04368F10413BF904B62D1D7BC8E818B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F9F Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00405F9F(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				intOrPtr _t76;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x7a271c; // 0xb3fc7d
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_t76 =  *0x7a2f98; // 0xb3e8b8
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 + _t76;
				_t39 = 0x7a1ee0;
				_t90 = 0x7a1ee0;
				if(_a4 >= 0x7a1ee0 && _a4 - 0x7a1ee0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E00405F9F(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x7a1ee0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = "kernel32::EnumResourceTypesW(i 0,i r1,i 0)" + (_t97 << 0xa);
							E00405F7D(_t90, "kernel32::EnumResourceTypesW(i 0,i r1,i 0)" + (_t97 << 0xa));
						} else {
							E00405EDB(_t90,  *0x7a2f48);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E004061E7(_t90);
						}
						goto L42;
					}
					_t52 =  *0x7a2f4c; // 0x42ee000a
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x7a2fe4;
						if( *0x7a2fe4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x7a2f44; // 0x73b71340
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x7a2f48,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x7a2f48,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405E64((_t80 & 0x0000003f) +  *0x7a2f98, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x7a2f98, _t90, _t80 & 0x00000040); // executed
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00405F9F(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E00405F7D(_a4, _t39);
			}

0x00405f9f
0x00405f9f
0x00405f9f
0x00405fa5
0x00405faa
0x00405fac
0x00405fbb
0x00405fbb
0x00405fbd
0x00405fc3
0x00405fc4
0x00405fc5
0x00405fc6
0x00405fc9
0x00405fd1
0x00405fd3
0x00405fea
0x00405fed
0x00405fed
0x004061c4
0x004061c4
0x004061c8
0x00000000
0x00000000
0x00405ffa
0x00406000
0x00000000
0x00000000
0x00406006
0x00406007
0x0040600a
0x0040600d
0x004061b7
0x004061c1
0x004061c3
0x004061c3
0x004061b9
0x004061bb
0x004061bd
0x004061be
0x004061be
0x00000000
0x004061b7
0x00406013
0x00406017
0x00406027
0x0040602e
0x00406031
0x00406039
0x0040603c
0x00406043
0x00406044
0x00406047
0x00406164
0x00406167
0x00406197
0x0040619a
0x0040619f
0x004061a3
0x004061a3
0x004061a8
0x004061ae
0x004061b0
0x00000000
0x004061b0
0x00406169
0x0040616c
0x00406181
0x00406188
0x0040616e
0x00406175
0x00406175
0x00406190
0x00406193
0x0040615c
0x0040615d
0x0040615d
0x00000000
0x00406193
0x0040604d
0x00406054
0x00406056
0x00406057
0x00406071
0x00406071
0x00406078
0x00406078
0x0040607f
0x00406083
0x00406083
0x00406084
0x00406086
0x004060bf
0x004060c2
0x004060d2
0x004060d5
0x004060dd
0x004060e3
0x004060e3
0x00406142
0x00406142
0x00406144
0x00000000
0x00000000
0x004060e7
0x004060ee
0x004060ef
0x004060f1
0x0040610b
0x00406119
0x0040611f
0x00406121
0x0040613f
0x0040613f
0x0040613f
0x00000000
0x0040613f
0x00406127
0x00406130
0x00406133
0x00406139
0x0040613d
0x00000000
0x00000000
0x00000000
0x0040613d
0x004060f3
0x004060f6
0x00000000
0x00000000
0x00406105
0x00406107
0x00406109
0x00000000
0x00000000
0x00000000
0x00406109
0x00000000
0x00406142
0x004060ca
0x00000000
0x00406088
0x004060a3
0x004060a8
0x004060ab
0x0040614b
0x0040614b
0x0040614f
0x00406157
0x00406157
0x00000000
0x0040614f
0x004060b5
0x00406146
0x00406146
0x00406149
0x00000000
0x00000000
0x00000000
0x00406149
0x00406086
0x00406059
0x0040605d
0x00000000
0x00000000
0x0040605f
0x00406063
0x00000000
0x00000000
0x00406065
0x00406069
0x00000000
0x0040606b
0x0040606b
0x00000000
0x0040606b
0x00406069
0x004061ce
0x004061d8
0x004061e4
0x004061e4
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 004060CA
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,004050DC,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000), ref: 004060DD
SHGetSpecialFolderLocation.SHELL32(004050DC,746AEA30,?,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,004050DC,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000), ref: 00406119
SHGetPathFromIDListA.SHELL32(746AEA30,Call), ref: 00406127
CoTaskMemFree.OLE32(746AEA30), ref: 00406133
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406157
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,004050DC,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00000000,00790EF8,746AEA30), ref: 004061A9

Strings

Call, xrefs: 00405FC9, 00406096, 00406097, 00406098, 004060B4, 004060C9, 004060DC, 004060F8, 00406123, 00406156, 0040615C, 00406174, 00406187, 004061A2, 004061A8, 004061B0, 004061DA
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 00406181
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406151
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406099
Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll, xrefs: 00405FC4

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 717251189-3002163377
Opcode ID: bb64b4f7ee53809b8b713d72881a51aa8b5a5b4d150e8921106cb3b28257d830
Instruction ID: af1646b593eff3a51ac73f0ed8843f2caf1d37b4bb9fd39580f45c5e5a4eb59e
Opcode Fuzzy Hash: bb64b4f7ee53809b8b713d72881a51aa8b5a5b4d150e8921106cb3b28257d830
Instruction Fuzzy Hash: 8B61E471904205AEDF119F24CC84BBE7BB59B46314F16813FE903BA2D2D67D4992CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402ACB(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405982(_t82);
				_push(_t82);
				_t83 = "Call";
				if(_t33 == 0) {
					lstrcatA(E00405915(E00405F7D(_t83, "C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize")), ??);
				} else {
					E00405F7D();
				}
				E004061E7(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00406280(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405AF1(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405B16(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E004050A4(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x7a2fe8;
						goto L32;
					} else {
						E00405F7D(0x40abe8, "kernel32::EnumResourceTypesW(i 0,i r1,i 0)");
						E00405F7D("kernel32::EnumResourceTypesW(i 0,i r1,i 0)", _t83);
						E00405F9F(_t75, 0x40abe8, _t83, "C:\Users\engineer\AppData\Local\Temp\nsp8E94.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00405F7D("kernel32::EnumResourceTypesW(i 0,i r1,i 0)", 0x40abe8);
						_t62 = E00405699("C:\Users\engineer\AppData\Local\Temp\nsp8E94.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x7a2fe8 =  &( *0x7a2fe8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E004050A4();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E004050A4(0xffffffea,  *(_t85 - 8));
				 *0x7a3014 =  *0x7a3014 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0xc));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E00402F9C(); // executed
				 *0x7a3014 =  *0x7a3014 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405F9F(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E00405F9F(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405699();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x0040271c
0x0040271c
0x00402957
0x0040295a
0x0040295a
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402960
0x00402960
0x00402960
0x00401858
0x00401858
0x00401859
0x00401492
0x004022e7
0x004022e7
0x004022e7
0x00401856
0x0040184f
0x00402962
0x00402966
0x00402966
0x00401883
0x00401888
0x0040188e
0x0040188f
0x00401890
0x00401893
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x004022e2
0x00000000
0x004022e2
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405F7D: lstrcpynA.KERNEL32(?,?,00000400,004032BB,Doktorgraden Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F8A

Part of subcall function 004050A4: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00790EF8,746AEA30,?,?,?,?,?,?,?,?,?,004030D4,00000000,?), ref: 004050DD
Part of subcall function 004050A4: lstrlenA.KERNEL32(004030D4,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00790EF8,746AEA30,?,?,?,?,?,?,?,?,?,004030D4,00000000), ref: 004050ED
Part of subcall function 004050A4: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,004030D4,004030D4,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00790EF8,746AEA30), ref: 00405100
Part of subcall function 004050A4: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll), ref: 00405112
Part of subcall function 004050A4: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405138
Part of subcall function 004050A4: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405152
Part of subcall function 004050A4: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405160

Strings

C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize, xrefs: 00401786
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 0040180D, 00401819, 00401831
Call, xrefs: 00401775, 0040177E, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsp8E94.tmp, xrefs: 004017A3, 00401812, 00401830

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp$C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize$Call$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 1941528284-2755452303
Opcode ID: 9a5605cb4b42d854ed3e71e11744a9bbd68fac51504bf36e7d4b4d6d5f5762d9
Instruction ID: 3f5d23f0505a0c405a30723695d383d48bc8799a0a07943a114376d49cde1fe8
Opcode Fuzzy Hash: 9a5605cb4b42d854ed3e71e11744a9bbd68fac51504bf36e7d4b4d6d5f5762d9
Instruction Fuzzy Hash: B841B471900519BACF10BBB5CC46DAF76B9DF41368B20823BF522F11E1D67C8A419A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004050A4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004050A4(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7a2724; // 0x10396
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x7a3014;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405F9F(0, _t39, 0x79ed20, 0x79ed20, _a4);
					}
					_t26 = lstrlenA(0x79ed20);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x7a2708, 0x79ed20); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x79ed20;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x79ed20)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x79ed20, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x004050aa
0x004050b6
0x004050b9
0x004050bf
0x004050cb
0x004050ce
0x004050d1
0x004050d7
0x004050d7
0x004050dd
0x004050e5
0x004050e8
0x00405105
0x00405109
0x00405112
0x00405112
0x0040511c
0x00405125
0x00405131
0x00405138
0x0040513c
0x0040513f
0x00405152
0x00405160
0x00405160
0x00405164
0x00405166
0x00405169
0x00000000
0x00405169
0x004050ea
0x004050f2
0x004050fa
0x00405100
0x00000000
0x00405100
0x004050fa
0x004050e8
0x00405173

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00790EF8,746AEA30,?,?,?,?,?,?,?,?,?,004030D4,00000000,?), ref: 004050DD
lstrlenA.KERNEL32(004030D4,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00790EF8,746AEA30,?,?,?,?,?,?,?,?,?,004030D4,00000000), ref: 004050ED
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,004030D4,004030D4,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00790EF8,746AEA30), ref: 00405100
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll), ref: 00405112
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405138
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405152
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405160

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll, xrefs: 004050C4, 004050D6, 004050DC, 004050FF, 0040510B

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll
API String ID: 2531174081-2827759233
Opcode ID: 0e5bc111e7764b859d703c7cd38c1a52b54818a96c636b509d6d72182c6d6877
Instruction ID: 0aa0aab3041eb49126eaccb75638caacaba84434fae24d46564a95eb40ba5f91
Opcode Fuzzy Hash: 0e5bc111e7764b859d703c7cd38c1a52b54818a96c636b509d6d72182c6d6877
Instruction Fuzzy Hash: 85219D71D00518BEDF119FA5DD81ADFBFA9EB45354F14807AF504BA291C7388E418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402003 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00402003(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x7a3018");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x7a2fe8 =  *0x7a2fe8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402ACB(0xfffffff0);
				 *(_t34 + 8) = E00402ACB(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E004050A4(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, "kernel32::EnumResourceTypesW(i 0,i r1,i 0)", 0x40b828, "\xef\xbf\xbd/z"); // 						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E0040374B(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00402003
0x00402003
0x00402008
0x0040200f
0x004020ca
0x0040223d
0x0040223d
0x00402957
0x0040295a
0x00402966
0x00402966
0x0040201e
0x00402028
0x0040202b
0x0040203a
0x0040203e
0x00402044
0x00402048
0x004020c3
0x00000000
0x004020c3
0x0040204a
0x00402053
0x00402057
0x0040209b
0x00402059
0x0040205c
0x0040205f
0x0040208f
0x00402061
0x00402064
0x0040206d
0x0040206f
0x0040206f
0x0040206d
0x0040205f
0x004020a3
0x004020b8
0x004020b8
0x00000000
0x004020a3
0x0040202e
0x00402034
0x00402038
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 0040202E

Part of subcall function 004050A4: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00790EF8,746AEA30,?,?,?,?,?,?,?,?,?,004030D4,00000000,?), ref: 004050DD
Part of subcall function 004050A4: lstrlenA.KERNEL32(004030D4,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00790EF8,746AEA30,?,?,?,?,?,?,?,?,?,004030D4,00000000), ref: 004050ED
Part of subcall function 004050A4: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,004030D4,004030D4,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,00000000,00790EF8,746AEA30), ref: 00405100
Part of subcall function 004050A4: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll), ref: 00405112
Part of subcall function 004050A4: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405138
Part of subcall function 004050A4: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405152
Part of subcall function 004050A4: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405160

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8

Strings

/z, xrefs: 00402078
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 00402082

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: kernel32::EnumResourceTypesW(i 0,i r1,i 0)$/z
API String ID: 2987980305-3189396245
Opcode ID: 9aeb0591653983f514cebad0a088f2aa39606e66c6905f689282f6ccaa1c1da9
Instruction ID: d65959635370e5528591cca9a5c3cbe7578547ab5d5b00e4bd8bf8e39d7723e8
Opcode Fuzzy Hash: 9aeb0591653983f514cebad0a088f2aa39606e66c6905f689282f6ccaa1c1da9
Instruction Fuzzy Hash: 8121D871A00215BBCF207FA48E4DBAE76A0AF55318F20413BF611B21D0CBBD4A42D66E

Uniqueness

Uniqueness Score: -1.00%

Function 00401D9B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00401D9B(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402AA9(2);
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				0x40b7e8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b7f8 = E00402AA9(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				 *0x40b7ff = 1;
				 *0x40b7fc = _t15 & 0x00000001;
				 *0x40b7fd = _t15 & 0x00000002;
				 *0x40b7fe = _t15 & 0x00000004;
				E00405F9F(_t9, _t31, _t33, "Times New Roman",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b7e8); // executed
				_push(_t18);
				_push(_t33);
				E00405EDB();
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401d9b
0x00401da6
0x00401da8
0x00401db5
0x00401dcc
0x00401dd1
0x00401dde
0x00401de3
0x00401de7
0x00401df2
0x00401df9
0x00401e0b
0x00401e11
0x00401e16
0x00401e20
0x0040257d
0x00401569
0x004028ff
0x0040295a
0x00402966

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32 ref: 00401DD1
CreateFontIndirectA.GDI32(0040B7E8), ref: 00401E20

Strings

Times New Roman, xrefs: 00401E06

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 59217911188accf6f2e31d03a92226d57be6280b8a76530822411e1e331ee477
Instruction ID: 2ad56a654efc6cf1735b667c3c7d9d5e2d080a44a70240ddf1560951203afcdd
Opcode Fuzzy Hash: 59217911188accf6f2e31d03a92226d57be6280b8a76530822411e1e331ee477
Instruction Fuzzy Hash: BE01B171944242AFE7015BB1AE4AB9A7FB4DB95305F10443AF251BB2E2CB7800459F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040556A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040556A(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x40837c;
				_v36.Group = 0x40837c;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x40836c;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405575
0x00405579
0x0040557c
0x00405582
0x00405586
0x0040558a
0x00405592
0x00405599
0x0040559f
0x004055a6
0x004055ad
0x004055b5
0x004055b7
0x00000000
0x004055b7
0x004055c1
0x004055c8
0x004055de
0x00000000
0x00000000
0x00000000
0x004055e0
0x004055e4

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055AD
GetLastError.KERNEL32 ref: 004055C1
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055D6
GetLastError.KERNEL32 ref: 004055E0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405590
C:\Users\user\Desktop, xrefs: 0040556A

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1229045261
Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction ID: 8e14915602655dbf828c4b629b8158281e3d0c3d6c971d66ca898635d28fe6e6
Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
Instruction Fuzzy Hash: D2010871C00219EAEF019BA1CD087EFBBB9EF14354F10803AD545B6290D77896498FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004062A7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004062A7(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004062be
0x004062c7
0x004062c9
0x004062c9
0x004062cd
0x004062df
0x004062d9
0x004062d9
0x004062d9
0x004062e3
0x004062f7
0x0040630b
0x00406312

APIs

GetSystemDirectoryA.KERNEL32 ref: 004062BE
wsprintfA.USER32 ref: 004062F7
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040630B

Strings

%s%s.dll, xrefs: 004062F1
\, xrefs: 004062CF
UXTHEME, xrefs: 004062B0

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 791f79d561c984125f31c7fb7d360261de965b4457e35f8f8c4567f5ddaa11b7
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: F0F0F630500619ABEB14AB64DD0EFEB375CAB08305F1405BEA686E10C1EAB8D8358B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00402F9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00402F9C(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t74;
				long _t75;
				intOrPtr _t76;
				void* _t77;
				int _t87;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr _t94;
				long _t95;
				signed int _t96;
				int _t97;
				int _t98;
				intOrPtr _t99;
				void* _t100;
				void* _t101;

				_t96 = _a16;
				_t91 = _a12;
				_v12 = _t96;
				if(_t91 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t91;
				if(_t91 == 0) {
					_v16 = 0x78e0f8;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					_t89 =  *0x7a2fb8; // 0x410de
					E004031A1(_t89 + _t62);
				}
				if(E0040318B( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t91 != 0) {
							if(_a16 < _t96) {
								_t96 = _a16;
							}
							if(E0040318B(_t91, _t96) != 0) {
								_v8 = _t96;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t91) {
							goto L44;
						}
						_t87 = _v12;
						while(1) {
							_t97 = _a16;
							if(_a16 >= _t87) {
								_t97 = _t87;
							}
							if(E0040318B(0x78a0f8, _t97) == 0) {
								goto L41;
							}
							_t69 = E00405BBD(_a8, 0x78a0f8, _t97); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t97;
							_a16 = _a16 - _t97;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40b858 =  *0x40b858 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40b840 = 0xb;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t98 = 0x4000;
						if(_a16 < 0x4000) {
							_t98 = _a16;
						}
						if(E0040318B(0x78a0f8, _t98) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t98;
						 *0x40b830 = 0x78a0f8;
						 *0x40b834 = _t98;
						while(1) {
							_t94 = _v16;
							 *0x40b838 = _t94;
							 *0x40b83c = _v12;
							_t74 = E0040643A(0x40b830);
							_v24 = _t74;
							if(_t74 < 0) {
								break;
							}
							_t99 =  *0x40b838; // 0x790ef8
							_t100 = _t99 - _t94;
							_t75 = GetTickCount();
							_t95 = _t75;
							if(( *0x7a3014 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t101 = _t101 + 0xc;
								E004050A4(0,  &_v88);
								_v20 = _t95;
							}
							if(_t100 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t76 =  *0x40b838; // 0x790ef8
									_v8 = _v8 + _t100;
									_v12 = _v12 - _t100;
									_v16 = _t76;
									L23:
									if(_v24 != 4) {
										continue;
									}
									goto L44;
								}
								_t77 = E00405BBD(_a8, _v16, _t100); // executed
								if(_t77 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t100;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x00402fa4
0x00402fa8
0x00402fab
0x00402fb0
0x00402fb2
0x00402fb2
0x00402fb9
0x00402fbd
0x00402fc2
0x00402fc4
0x00402fc4
0x00402fcb
0x00402fd0
0x00402fd2
0x00402fdb
0x00402fdb
0x00402fed
0x00403179
0x00403179
0x00000000
0x00402ff3
0x00402ff7
0x00403126
0x00403169
0x0040316b
0x0040316b
0x00403177
0x0040317e
0x00403181
0x00000000
0x00000000
0x00000000
0x00000000
0x00403177
0x0040312b
0x00000000
0x00000000
0x0040312d
0x00403130
0x00403133
0x00403136
0x00403138
0x00403138
0x00403148
0x00000000
0x00000000
0x0040314f
0x00403156
0x00403120
0x00403120
0x0040317b
0x0040317b
0x00000000
0x0040317b
0x00403158
0x0040315b
0x00403162
0x00000000
0x00000000
0x00000000
0x00403164
0x00000000
0x00403130
0x00403003
0x00403005
0x0040300c
0x0040300c
0x00403013
0x00403019
0x00403020
0x00403023
0x00000000
0x00000000
0x00000000
0x00000000
0x00403029
0x00403029
0x00403029
0x00403031
0x00403033
0x00403033
0x00403044
0x00000000
0x00000000
0x0040304a
0x0040304d
0x00403053
0x00403059
0x00403059
0x00403064
0x0040306a
0x0040306f
0x00403076
0x00403079
0x00000000
0x00000000
0x0040307f
0x00403085
0x00403087
0x00403090
0x00403092
0x004030c0
0x004030c6
0x004030cf
0x004030d4
0x004030d4
0x004030d9
0x00403114
0x00000000
0x00000000
0x00000000
0x004030db
0x004030df
0x004030f6
0x004030fb
0x004030fe
0x00403101
0x00403104
0x00403108
0x00000000
0x00000000
0x00000000
0x0040310e
0x004030e8
0x004030ef
0x00000000
0x00000000
0x004030f1
0x00000000
0x004030f1
0x004030d9
0x0040311c
0x00000000
0x0040311c
0x00000000
0x00403029

APIs

GetTickCount.KERNEL32 ref: 00403003
GetTickCount.KERNEL32 ref: 00403087
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030B0
wsprintfA.USER32 ref: 004030C0

Strings

... %d%%, xrefs: 004030BA

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: b11fd70d94a81fe884c456641f4daf6d98b7f28d8fc69cfe95d6e3ccae84ae35
Instruction ID: a5b3666d5e6f2648317cea794876ab8fd5a8a7e10cba6e045702c7ef747b340d
Opcode Fuzzy Hash: b11fd70d94a81fe884c456641f4daf6d98b7f28d8fc69cfe95d6e3ccae84ae35
Instruction Fuzzy Hash: A6518E72901219ABCF10DF65DA44A9F7BB8EF08756F14413BE900BB2D0C7789E51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405B45 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405B45(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3b4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405b49
0x00405b4f
0x00405b50
0x00405b50
0x00405b55
0x00405b56
0x00405b59
0x00405b63
0x00405b70
0x00405b73
0x00405b7b
0x00000000
0x00000000
0x00405b7f
0x00000000
0x00000000
0x00405b81
0x00000000
0x00405b81
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405B59
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B73

Strings

"C:\Users\user\Desktop\download.exe", xrefs: 00405B45
nsa, xrefs: 00405B50
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B48

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\download.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1052832176
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: e9fbc8f02783c34a78cbc278a62deb557e4d22a3c76f63b2365399c79cbf5e20
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: A0F082363042086BDB109F56ED04BAB7BA9DFA1760F14803BFA489B280D6B4A9548B58

Uniqueness

Uniqueness Score: -1.00%

Function 73B616DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E73B616DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v88;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x73b6405c = _a8;
				 *0x73b64060 = _a16;
				 *0x73b64064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73b64038, E73B61556);
				_push(1); // executed
				_t37 = E73B61A98(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E73B6226F(_t54);
					}
					E73B622B1(_t67, _t54);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_t37 = E73B62498(_t54);
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x818; // 0x818
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E73B6156B(_t54,  &_v88);
								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
								_t18 = _t54 + 0x818; // 0x818
								_t72 = _t18;
								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
								 *_t72 = 3;
								E73B62498(_t54);
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							E73B62498(_t54);
							_t37 = GlobalFree(E73B61266(E73B61559(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E73B6245E(_t54);
							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x808);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
								_t37 = E73B614E2( *0x73b64058);
							}
						}
						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73B62C83(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73B629F8(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E73B62672(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x73b616db
0x73b616db
0x73b616db
0x73b616e5
0x73b616ed
0x73b616fa
0x73b61708
0x73b6170b
0x73b6170d
0x73b61712
0x73b61717
0x73b61836
0x73b61836
0x73b6171d
0x73b61721
0x73b61724
0x73b61729
0x73b6172b
0x73b61731
0x73b61737
0x73b61767
0x73b6176e
0x73b61792
0x73b617dd
0x73b61794
0x73b61794
0x73b61795
0x73b6179b
0x73b6179c
0x73b617a6
0x73b617a9
0x73b617ae
0x73b617b5
0x73b617b5
0x73b617bc
0x73b617c2
0x73b617c8
0x73b617d5
0x73b617d6
0x73b617d9
0x73b61770
0x73b61771
0x73b61786
0x73b61786
0x73b617e7
0x73b617ea
0x73b617f7
0x73b617fe
0x73b61806
0x73b61809
0x73b61809
0x73b61806
0x73b61816
0x73b6181e
0x73b61823
0x73b61816
0x73b6182b
0x00000000
0x73b6182d
0x00000000
0x73b6182e
0x73b6182b
0x73b6173b
0x73b6173e
0x73b6175c
0x00000000
0x00000000
0x73b6175f
0x73b61764
0x73b61764
0x73b61766
0x00000000
0x73b61766
0x73b61740
0x73b61741
0x73b61749
0x73b6174a
0x00000000
0x73b6174a
0x73b61743
0x73b61744
0x73b61752
0x00000000
0x73b61752
0x73b61747
0x00000000
0x00000000
0x00000000
0x73b61747

APIs

Part of subcall function 73B61A98: GlobalFree.KERNEL32 ref: 73B61CE7
Part of subcall function 73B61A98: GlobalFree.KERNEL32 ref: 73B61CEC
Part of subcall function 73B61A98: GlobalFree.KERNEL32 ref: 73B61CF1

GlobalFree.KERNEL32 ref: 73B61786
FreeLibrary.KERNEL32(?), ref: 73B61809
GlobalFree.KERNEL32 ref: 73B6182E

Part of subcall function 73B6226F: GlobalAlloc.KERNEL32(00000040,?), ref: 73B622A0

Part of subcall function 73B62672: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73B61757,00000000), ref: 73B62742

Part of subcall function 73B6156B: wsprintfA.USER32 ref: 73B61599

Strings

, xrefs: 73B6180F

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: b01d048a15e28cc56d6d75ef1a384880cbe0d433aa03e6da70c77e21f831eef2
Instruction ID: 8bf72219c3cd95befcb36f8118a6df9152800d8398e27919de451cdd62da133a
Opcode Fuzzy Hash: b01d048a15e28cc56d6d75ef1a384880cbe0d433aa03e6da70c77e21f831eef2
Instruction Fuzzy Hash: 6C419CF2500709DBEB01AF648AC4BAA37ACFF84315F188435E94B9E1D7EB748045CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C0A(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402AA9(3);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402AA9(4);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402ACB(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402ACB(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402ACB();
					_t32 = E00402ACB();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t61 = E00402AA9();
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t41 = E00402AA9(2);
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00405EDB();
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c0a
0x00401c0c
0x00401c13
0x00401c16
0x00401c19
0x00401c23
0x00401c27
0x00401c2a
0x00401c33
0x00401c33
0x00401c36
0x00401c3a
0x00401c43
0x00401c43
0x00401c46
0x00401c4a
0x00401c4c
0x00401ca1
0x00401ca3
0x00401cac
0x00401cb4
0x00401cb7
0x00401cb7
0x00401cc0
0x00000000
0x00401c4e
0x00401c55
0x00401c57
0x00401c5a
0x00401c60
0x00401c67
0x00401c6a
0x00401c92
0x00401cc6
0x00401cc6
0x00401c6c
0x00401c7a
0x00401c82
0x00401c85
0x00401c85
0x00401c6a
0x00401cc9
0x00401ccc
0x00401cd2
0x004028ff
0x004028ff
0x0040295a
0x00402966

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: c43426be20c63e6b74a186654e094edc4777d1d7f6ffbf13cc6d026f443e6381
Instruction ID: 435bc4df3b74c2d8df546d11ce2c7183e26475550abba04b2436001ae32cf151
Opcode Fuzzy Hash: c43426be20c63e6b74a186654e094edc4777d1d7f6ffbf13cc6d026f443e6381
Instruction Fuzzy Hash: 4B21A271E44209BEEF15DFA5D986AAD7BB4EF84304F24843EF501B61E0CB7885418F28

Uniqueness

Uniqueness Score: -1.00%

Function 004023D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004023D6(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t18;
				void* _t19;
				int _t22;
				long _t23;
				int _t28;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t35;
				void* _t37;
				void* _t40;

				_t31 = __edx;
				_t28 = __ebx;
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				_t32 = __eax;
				 *(_t37 - 0x3c) =  *(_t37 - 0x14);
				 *(_t37 - 0x34) = E00402ACB(2);
				_t18 = E00402ACB(0x11);
				 *(_t37 - 4) = 1;
				_t19 = E00402B5B(_t40, _t32, _t18, 2); // executed
				 *(_t37 + 8) = _t19;
				if(_t19 != __ebx) {
					_t22 = 0;
					if(_t35 == 1) {
						E00402ACB(0x23);
						_t22 = lstrlenA(0x40abe8) + 1;
					}
					if(_t35 == 4) {
						 *0x40abe8 = E00402AA9(3);
						 *((intOrPtr*)(_t37 - 0x80)) = _t31;
						_t22 = _t35;
					}
					if(_t35 == 3) {
						_t22 = E00402F9C( *((intOrPtr*)(_t37 - 0x1c)), _t28, 0x40abe8, 0xc00); // executed
					}
					_t23 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x34), _t28,  *(_t37 - 0x3c), 0x40abe8, _t22); // executed
					if(_t23 == 0) {
						 *(_t37 - 4) = _t28;
					}
					_push( *(_t37 + 8));
					RegCloseKey(); // executed
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *(_t37 - 4);
				return 0;
			}

0x004023d6
0x004023d6
0x004023d6
0x004023d9
0x004023e0
0x004023ea
0x004023ed
0x004023f6
0x004023fd
0x00402404
0x00402407
0x0040240d
0x00402417
0x0040241b
0x00402426
0x00402426
0x0040242a
0x00402434
0x0040243a
0x0040243d
0x0040243d
0x00402441
0x0040244d
0x0040244d
0x0040245e
0x00402466
0x00402468
0x00402468
0x0040246b
0x00402542
0x00402542
0x0040295a
0x00402966

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp8E94.tmp,00000023,00000011,00000002), ref: 00402421
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsp8E94.tmp,00000000,00000011,00000002), ref: 0040245E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsp8E94.tmp,00000000,00000011,00000002), ref: 00402542

Strings

C:\Users\user\AppData\Local\Temp\nsp8E94.tmp, xrefs: 00402412, 00402434, 00402448, 00402453

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp
API String ID: 2655323295-2586765908
Opcode ID: 7807c853d1e5bc1e90de5f21f6a92c2b707fb2dd02873cc10ecb13d547e726d3
Instruction ID: b9f9fe5e010ce9562f7769f0650a0fc1c691aa098229d6fee64222e6c9067592
Opcode Fuzzy Hash: 7807c853d1e5bc1e90de5f21f6a92c2b707fb2dd02873cc10ecb13d547e726d3
Instruction Fuzzy Hash: 29119371E00215BEDB10EFA5DE49EAEBA74EB54318F20843BF504F71D1C6B94D419B28

Uniqueness

Uniqueness Score: -1.00%

Function 00405A03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405A03(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405F7D(0x7a0948, _a4);
				_t21 = E004059AE(0x7a0948);
				if(_t21 != 0) {
					E004061E7(_t21);
					if(( *0x7a2f5c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x7a0948;
						while(1) {
							_t11 = lstrlenA(0x7a0948);
							_push(0x7a0948);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E00406280();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E0040595C(0x7a0948);
								continue;
							} else {
								goto L1;
							}
						}
						E00405915();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405a0f
0x00405a1a
0x00405a1e
0x00405a25
0x00405a31
0x00405a3d
0x00405a3d
0x00405a55
0x00405a56
0x00405a5d
0x00405a5e
0x00000000
0x00000000
0x00405a41
0x00405a48
0x00405a50
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a48
0x00405a60
0x00405a66
0x00000000
0x00405a74
0x00405a33
0x00405a37
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a37
0x00405a20
0x00000000

APIs

Part of subcall function 00405F7D: lstrcpynA.KERNEL32(?,?,00000400,004032BB,Doktorgraden Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F8A

Part of subcall function 004059AE: CharNextA.USER32(?,?,Forgngeliges.rea,?,00405A1A,Forgngeliges.rea,Forgngeliges.rea,746AFA90,?,C:\Users\user\AppData\Local\Temp\,00405765,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059BC
Part of subcall function 004059AE: CharNextA.USER32(00000000), ref: 004059C1
Part of subcall function 004059AE: CharNextA.USER32(00000000), ref: 004059D5

lstrlenA.KERNEL32(Forgngeliges.rea,00000000,Forgngeliges.rea,Forgngeliges.rea,746AFA90,?,C:\Users\user\AppData\Local\Temp\,00405765,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A56
GetFileAttributesA.KERNELBASE(Forgngeliges.rea,Forgngeliges.rea,Forgngeliges.rea,Forgngeliges.rea,Forgngeliges.rea,Forgngeliges.rea,00000000,Forgngeliges.rea,Forgngeliges.rea,746AFA90,?,C:\Users\user\AppData\Local\Temp\,00405765,?,746AFA90,C:\Users\user\AppData\Local\Temp\), ref: 00405A66

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A03
Forgngeliges.rea, xrefs: 00405A09, 00405A0E, 00405A14, 00405A4F, 00405A55, 00405A5D, 00405A65

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$Forgngeliges.rea
API String ID: 3248276644-1839164034
Opcode ID: 59c4d439f8e780665a95aab8c0f078ab1494ed1c34d0f7562e7ab92a144acefd
Instruction ID: 99d34a1d2256cfbc911754f26576654ac704e19cee30922b90174233901e1ae6
Opcode Fuzzy Hash: 59c4d439f8e780665a95aab8c0f078ab1494ed1c34d0f7562e7ab92a144acefd
Instruction Fuzzy Hash: 48F0A431315D5156C622323A1C4AAAF0A48CEC7364749463BF861B12D3DA3C89439D6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402BCD(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				char _v272;
				void* _t19;
				signed int _t25;
				intOrPtr* _t27;
				signed int _t32;
				signed int _t33;
				signed int _t34;

				_t33 = _a12;
				_t34 = _t33 & 0x00000300;
				_t32 = _t33 & 0x00000001;
				_t19 = E00405E03(__eflags, _a4, _a8, _t34 | 0x00000008,  &_v8); // executed
				if(_t19 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _t32;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 0x3eb;
						}
						_t25 = E00402BCD(__eflags, _v8,  &_v272, _a12);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406315(3);
					if(_t27 == 0) {
						return RegDeleteKeyA(_a4, _a8);
					}
					return  *_t27(_a4, _a8, _t34, 0);
				}
				return _t19;
			}

0x00402bd8
0x00402be1
0x00402bea
0x00402bf6
0x00402bfd
0x00402c21
0x00402c07
0x00402c09
0x00402c5c
0x00000000
0x00402c62
0x00402c18
0x00402c1d
0x00402c1f
0x00000000
0x00000000
0x00402c1f
0x00402c3b
0x00402c43
0x00402c4a
0x00000000
0x00402c6f
0x00000000
0x00402c55
0x00402c79

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: e80e024fca40de8deb0b9c297206eede72932d1e756bb36d88eb62ad8731df9a
Instruction ID: c4db57b0a2e4c89af525aedefa8ad358439d5fabd543c2a0248dd752bef9be78
Opcode Fuzzy Hash: e80e024fca40de8deb0b9c297206eede72932d1e756bb36d88eb62ad8731df9a
Instruction Fuzzy Hash: 16115832504109FBEF129F90CF09F9E7B69AB48390F104032BD45B51E0EBB59E11AAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402ACB(0xfffffff0);
				_t13 = E004059AE(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405940(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004055E7(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E00405604(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E0040556A(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405F7D("C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x0040223d
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x0040295a
0x00402966

APIs

Part of subcall function 004059AE: CharNextA.USER32(?,?,Forgngeliges.rea,?,00405A1A,Forgngeliges.rea,Forgngeliges.rea,746AFA90,?,C:\Users\user\AppData\Local\Temp\,00405765,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059BC
Part of subcall function 004059AE: CharNextA.USER32(00000000), ref: 004059C1
Part of subcall function 004059AE: CharNextA.USER32(00000000), ref: 004059D5

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040556A: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055AD

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize
API String ID: 1892508949-2525576826
Opcode ID: 706787508d35a8d8ecc409debaf704ccf98c79ae3ecce5f039e50421844b329f
Instruction ID: e2f0057a106d67730eaa6cdd0667b4b20a1f2aaf6f6dd3ced09863daba4193e1
Opcode Fuzzy Hash: 706787508d35a8d8ecc409debaf704ccf98c79ae3ecce5f039e50421844b329f
Instruction Fuzzy Hash: 5C112B31104151EBCF217BB54D418BF66B09E92324B28053FE5D1B22E3D63D4D42963F

Uniqueness

Uniqueness Score: -1.00%

Function 00405E64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405E64(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405E03(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20); // executed
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405e72
0x00405e74
0x00405e8c
0x00405e91
0x00405e96
0x00405ed3
0x00405ed3
0x00405e98
0x00405eaa
0x00405eb5
0x00405ebb
0x00405ec5
0x00000000
0x00000000
0x00405ec5
0x00405ed8

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,004060A8,80000002), ref: 00405EAA
RegCloseKey.KERNELBASE(?,?,004060A8,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll), ref: 00405EB5

Strings

Call, xrefs: 00405E67, 00405E9B

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 2ae01f244120d487d9f351ea12627f7621f1ac4d10347c017b688b21594c6fc7
Instruction ID: be592471178a3b34147732ee01c8456e78db25e2de640fde20402d2d05791b9a
Opcode Fuzzy Hash: 2ae01f244120d487d9f351ea12627f7621f1ac4d10347c017b688b21594c6fc7
Instruction Fuzzy Hash: 88015A76500609AADF228F61CD09FDB3BA8EF59364F10442AF955A2190D378DA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040561C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040561C(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7a0d48->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a0d48,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405625
0x00405645
0x0040564d
0x00405652
0x00000000
0x00405658
0x0040565c

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D48,Error launching installer), ref: 00405645
CloseHandle.KERNEL32(?), ref: 00405652

Strings

Error launching installer, xrefs: 0040562F

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 70af5941f3bc690bdcd9881a93690d3303993229d12fc254cd5844f1ea8daab6
Instruction ID: bdfa79d73584ee4add39219e15a001359f74b35d93969b7cce68af7ca5274bde
Opcode Fuzzy Hash: 70af5941f3bc690bdcd9881a93690d3303993229d12fc254cd5844f1ea8daab6
Instruction Fuzzy Hash: 7AE04FF1600209BFEB009FA0DD05F7F77ACEB50744F004821BD14F6150D675A8008A78

Uniqueness

Uniqueness Score: -1.00%

Function 00401B63 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B63(void* __ebx, void* __edx) {
				intOrPtr _t7;
				void* _t8;
				void _t11;
				void* _t13;
				void* _t21;
				void* _t24;
				void* _t30;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t37;

				_t27 = __ebx;
				_t7 =  *((intOrPtr*)(_t37 - 0x20));
				_t30 =  *0x40b828; // 0x0
				if(_t7 == __ebx) {
					if(__edx == __ebx) {
						_t8 = GlobalAlloc(0x40, 0x404); // executed
						_t34 = _t8;
						_t4 = _t34 + 4; // 0x4
						E00405F9F(__ebx, _t30, _t34, _t4,  *((intOrPtr*)(_t37 - 0x28)));
						_t11 =  *0x40b828; // 0x0
						 *_t34 = _t11;
						 *0x40b828 = _t34;
					} else {
						if(_t30 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t2 = _t30 + 4; // 0x4
							E00405F7D(_t33, _t2);
							_push(_t30);
							 *0x40b828 =  *_t30;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t7 = _t7 - 1;
						if(_t30 == _t27) {
							break;
						}
						_t30 =  *_t30;
						if(_t7 != _t27) {
							continue;
						} else {
							if(_t30 == _t27) {
								break;
							} else {
								_t32 = _t30 + 4;
								_t36 = "Call";
								E00405F7D(_t36, _t30 + 4);
								_t21 =  *0x40b828; // 0x0
								E00405F7D(_t32, _t21 + 4);
								_t24 =  *0x40b828; // 0x0
								_push(_t36);
								_push(_t24 + 4);
								E00405F7D();
								L15:
								 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t37 - 4));
								_t13 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E00405F9F(_t27, _t30, _t33, _t27, 0xffffffe8));
					E00405699();
					_t13 = 0x7fffffff;
				}
				L17:
				return _t13;
			}

0x00401b63
0x00401b63
0x00401b66
0x00401b6e
0x00401bb6
0x00401be4
0x00401bed
0x00401bef
0x00401bf3
0x00401bf8
0x00401bfd
0x00401bff
0x00401bb8
0x00401bba
0x0040271c
0x00401bc0
0x00401bc0
0x00401bc5
0x00401bcc
0x00401bcd
0x00401bd2
0x00401bd2
0x00401bba
0x00000000
0x00401b70
0x00401b70
0x00401b70
0x00401b73
0x00000000
0x00000000
0x00401b79
0x00401b7d
0x00000000
0x00401b7f
0x00401b81
0x00000000
0x00401b87
0x00401b87
0x00401b8a
0x00401b91
0x00401b96
0x00401ba0
0x00401ba5
0x00401baa
0x00401bae
0x00402875
0x00402957
0x0040295a
0x00402960
0x00402960
0x00401b81
0x00000000
0x00401b7d
0x004022d4
0x004022e1
0x004022e2
0x004022e7
0x004022e7
0x00402962
0x00402966

APIs

GlobalFree.KERNEL32 ref: 00401BD2
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401BE4

Strings

Call, xrefs: 00401B8A, 00401B90, 00401BAA

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 8eb6dae97830193f231230356c069ea56aa4cbbf7ca1eb96ec13b83194e7dfea
Instruction ID: 8b9b56f0063ecb260e9570f253baa71b042281610a2597273f6a2f26b4be7353
Opcode Fuzzy Hash: 8eb6dae97830193f231230356c069ea56aa4cbbf7ca1eb96ec13b83194e7dfea
Instruction Fuzzy Hash: 932184726001069BCB10FB949D84DAA73A8DF44324B10453BF101F32E1D77C99418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004024E5 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004024E5(int* __ebx, intOrPtr __edx, char* __esi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				char* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402B0B(_t29, 0x20019); // executed
				_t22 = _t9;
				_t10 = E00402AA9(3);
				 *((intOrPtr*)(_t26 - 0x3c)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueA(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyA(_t22, _t10, __esi, 0x3ff); // executed
					}
					_t24[0x3ff] = _t16;
					_push(_t22); // executed
					RegCloseKey(); // executed
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x004024e5
0x004024e5
0x004024e5
0x004024ea
0x004024f1
0x004024f3
0x004024fb
0x004024fe
0x00402500
0x0040271c
0x00402506
0x0040250e
0x00402511
0x0040252a
0x00402530
0x00402532
0x00402534
0x00402534
0x00402513
0x00402517
0x00402517
0x0040253b
0x00402541
0x00402542
0x00402542
0x0040295a
0x00402966

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402517
RegEnumValueA.KERNELBASE(00000000,00000000,?,?), ref: 0040252A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsp8E94.tmp,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 0f199fac73fa034a888c8f233137f05f5704bcb160ec432268ac7fbc93c17938
Instruction ID: 518d0c9c0f1d18e9ba130a50ca70a4c0b748d884a109ef79be1f353746569a5a
Opcode Fuzzy Hash: 0f199fac73fa034a888c8f233137f05f5704bcb160ec432268ac7fbc93c17938
Instruction Fuzzy Hash: 000171B1A04205FFEB159FA99E9CEBF7A7CDF40348F10443EF145A61C0DAB84A459729

Uniqueness

Uniqueness Score: -1.00%

Function 73B628E1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73b64038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x73b6404c, 4, 0x40, 0x73b6403c); // executed
					 *0x73b6404c = 0xc2;
					 *0x73b6403c = 0;
					 *0x73b64044 = 0;
					 *0x73b64058 = 0;
					 *0x73b64048 = 0;
					 *0x73b64040 = 0;
					 *0x73b64050 = 0;
					 *0x73b6404e = 0;
				}
				return 1;
			}

0x73b628ea
0x73b628ef
0x73b628ff
0x73b62907
0x73b6290e
0x73b62913
0x73b62918
0x73b6291d
0x73b62922
0x73b62927
0x73b6292c
0x73b6292c
0x73b62934

APIs

VirtualProtect.KERNELBASE(73B6404C,00000004,00000040,73B6403C), ref: 73B628FF

Strings

`get@Met, xrefs: 73B628FF

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: ProtectVirtual
String ID: `get@Met
API String ID: 544645111-50837814
Opcode ID: cfeef85dbcbfad19a93e42c67b72601869adf58fb530b90ac7bb90cf6927bb4a
Instruction ID: a94ad2d27a688eb61b9a186f0f3aa1d804bb846f59c4dfc0b29c915d2b7f8c33
Opcode Fuzzy Hash: cfeef85dbcbfad19a93e42c67b72601869adf58fb530b90ac7bb90cf6927bb4a
Instruction Fuzzy Hash: 23F092B3508EB1EEC371EF6A86447053EE0A359254B21492AE59CDFAC3E33440488B15

Uniqueness

Uniqueness Score: -1.00%

Function 00402473 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402473(int* __ebx, char* __esi) {
				void* _t17;
				char* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402B0B(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402ACB(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x3c) = 0x400;
					if(RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x3c) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E00405EDB(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x3ff] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *(_t37 - 4);
				return 0;
			}

0x00402473
0x00402473
0x00402478
0x0040247f
0x00402481
0x00402488
0x0040248a
0x0040271c
0x00402490
0x00402493
0x004024ae
0x004024de
0x004024de
0x004024e0
0x004024b0
0x004024b4
0x004024cd
0x004024d4
0x004024d7
0x004024b6
0x004024b9
0x004024c4
0x0040253b
0x00000000
0x00000000
0x00000000
0x004024b9
0x004024b4
0x00402541
0x00402542
0x00402542
0x0040295a
0x00402966

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024A3
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsp8E94.tmp,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 5e96c94577c72a8421cf27317bc81f7e5bff8a2ed958b696fc1b0b32e65e245e
Instruction ID: 16843ebe9de4b10a0f02fc33a3446f9eb73abb2b3234f807e7777e2680f676dd
Opcode Fuzzy Hash: 5e96c94577c72a8421cf27317bc81f7e5bff8a2ed958b696fc1b0b32e65e245e
Instruction Fuzzy Hash: BF11E371A01205FEDF15CF64DA989AEBBB49F00348F20843FE445B72C0D6B84A81DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x7a2f90; // 0xb3c44c
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7a272c =  *0x7a272c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x7a272c, 0x7530,  *0x7a2714), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x00401392
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f1e14ae547b8f36b78d572cd64f3e527c113299c5085ae7931b2eb67e5d22d6e
Instruction ID: b093ac6dabfd3bf5cd98619b9c3e878c543c382afaa1261ab96434968757bf0e
Opcode Fuzzy Hash: f1e14ae547b8f36b78d572cd64f3e527c113299c5085ae7931b2eb67e5d22d6e
Instruction Fuzzy Hash: C601F4316202209FE7094B389D04B6A36A8E751354F10813FF955F65F2D678CC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00402381 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402381(void* __ebx, void* __edx) {
				long _t6;
				void* _t9;
				void* _t13;
				long _t18;
				void* _t20;
				void* _t22;
				void* _t23;

				_t13 = __ebx;
				_t26 =  *(_t23 - 0x18) - __ebx;
				_t20 = __edx;
				if( *(_t23 - 0x18) != __ebx) {
					_t6 = E00402B89(_t20, E00402ACB(0x22),  *(_t23 - 0x18) >> 1); // executed
					_t18 = _t6;
					goto L4;
				} else {
					_t9 = E00402B0B(_t26, 2); // executed
					_t22 = _t9;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueA(_t22, E00402ACB(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t13) {
							goto L6;
						}
					}
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402381
0x00402381
0x00402384
0x00402386
0x004023c2
0x004023c7
0x00000000
0x00402388
0x0040238a
0x0040238f
0x00402393
0x0040271c
0x0040271c
0x00402399
0x004023a9
0x004023ab
0x004023c9
0x004023cb
0x00000000
0x004023d1
0x004023cb
0x00402393
0x0040295a
0x00402966

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004023A2
RegCloseKey.ADVAPI32(00000000), ref: 004023AB

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 5445e67bd19a0de7c3166edb4b33ed723ca6d0d068d08aad39274ce5b4577d87
Instruction ID: 8aec8fe7cd38f654026d76d8600474ef4a57e980fe65a380d0022aaa37355860
Opcode Fuzzy Hash: 5445e67bd19a0de7c3166edb4b33ed723ca6d0d068d08aad39274ce5b4577d87
Instruction Fuzzy Hash: 27F09C32A00511ABD711BBE89B8EABE76A49B40314F25443FE602B71C1DAFC4D02876D

Uniqueness

Uniqueness Score: -1.00%

Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401A1E(char __ebx) {
				CHAR* _t7;
				long _t8;
				char _t12;
				CHAR* _t17;
				void* _t19;

				_t12 = __ebx;
				_t7 = E00402ACB(1);
				 *(_t19 + 8) = _t7;
				_t8 = ExpandEnvironmentStringsA(_t7, _t17, 0x400); // executed
				if(_t8 == 0 ||  *((intOrPtr*)(_t19 - 0x20)) != __ebx && lstrcmpA( *(_t19 + 8), _t17) == 0) {
					 *((intOrPtr*)(_t19 - 4)) = 1;
					 *_t17 = _t12;
				}
				_t17[0x3ff] = _t12;
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00401a1e
0x00401a22
0x00401a2e
0x00401a31
0x00401a39
0x00401a4e
0x00401a51
0x00401a51
0x00401a53
0x0040295a
0x00402966

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 1137a8a5cbc908740eefc184875257b747a3bb4458315c5ba0e43d2a11d1a4e9
Instruction ID: ebe663b7bc3ba7a189a06dab4aa1d5f3cbe4965007ea0afe01e1c09fb46068e6
Opcode Fuzzy Hash: 1137a8a5cbc908740eefc184875257b747a3bb4458315c5ba0e43d2a11d1a4e9
Instruction Fuzzy Hash: 4EF08231705241EBCB21DF659D08A9BBEE8EF91354B10843BE185F61A0D6388512CA2C

Uniqueness

Uniqueness Score: -1.00%

Function 00401E2B Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E49
EnableWindow.USER32(00000000,00000000), ref: 00401E54

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: c2e0d07cf7c5bdb33dd7620c9ab430a01052b6745be682b123c0b856876fc3b2
Instruction ID: d2bea1c1c0aacda3dd255fed30ad1f680590af6f3d359f9745203f9ff1fc1010
Opcode Fuzzy Hash: c2e0d07cf7c5bdb33dd7620c9ab430a01052b6745be682b123c0b856876fc3b2
Instruction Fuzzy Hash: 02E01272B04212AFDB14EBE5EA499EEB7B4DF40319B10443FE411F11D1DA7849419F5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040156F(void* __ebx, int __edx) {
				int _t3;
				void* _t8;
				struct HWND__* _t10;
				struct HWND__* _t11;
				void* _t16;

				_t8 = __ebx;
				_t10 =  *0x7a2710; // 0x1039c
				if(_t10 != __ebx) {
					ShowWindow(_t10, __edx); // executed
					_t3 =  *(_t16 - 0x28);
				}
				_t11 =  *0x7a2724; // 0x10396
				if(_t11 != _t8) {
					ShowWindow(_t11, _t3); // executed
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x0040156f
0x0040156f
0x0040157d
0x00401581
0x00401583
0x00401583
0x00401586
0x0040158e
0x00401596
0x00401596
0x0040295a
0x00402966

APIs

ShowWindow.USER32(0001039C), ref: 00401581
ShowWindow.USER32(00010396), ref: 00401596

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6bfd83b54cd70e945bcd9228706dc900d8a338461371b154b40d29b430c88c03
Instruction ID: 1e8a20e7e34c326eaa8816cefaf5ed79bffbb2cf12c8d4da7cecda694498405c
Opcode Fuzzy Hash: 6bfd83b54cd70e945bcd9228706dc900d8a338461371b154b40d29b430c88c03
Instruction Fuzzy Hash: 4CE086B27001119BCF14DBA8EDD0C7E77B5DBC4310710443FD602B36A0C6789D418B28

Uniqueness

Uniqueness Score: -1.00%

Function 00406315 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406315(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a240);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
				}
				_t5 = E004062A7(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040631d
0x00406320
0x00406327
0x0040632f
0x0040633b
0x00000000
0x00406342
0x00406332
0x00406339
0x00000000
0x0040634a
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040325C,0000000A), ref: 00406327
GetProcAddress.KERNEL32(00000000,?), ref: 00406342

Part of subcall function 004062A7: GetSystemDirectoryA.KERNEL32 ref: 004062BE
Part of subcall function 004062A7: wsprintfA.USER32 ref: 004062F7
Part of subcall function 004062A7: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040630B

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction ID: cd2a927f582b596fa2e162cbd064daf7ca6e898847132114174d0915a8f4e586
Opcode Fuzzy Hash: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction Fuzzy Hash: BCE0863260421057D61066745E0493BA3A89F94700302083EFD47F2140D73C9C3196AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405B16 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405B16(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405b1a
0x00405b27
0x00405b3c
0x00405b42

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\download.exe,80000000,00000003), ref: 00405B1A
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B3C

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405AF1 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AF1(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405af6
0x00405afc
0x00405b01
0x00405b0a
0x00405b0a
0x00405b13

APIs

GetFileAttributesA.KERNELBASE(?,?,00405709,?,?,00000000,004058EC,?,?,?,?), ref: 00405AF6
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B0A

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction ID: 414a467aaabbe507cf471caeb43fbb4459db83339ab651609fa67d9973c7acb5
Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction Fuzzy Hash: 60D0C972504125AFC2103728AE0C89BBB65DB54271702CE35F8A9A26B2DB304C969A98

Uniqueness

Uniqueness Score: -1.00%

Function 004055E7 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055E7(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004055ed
0x004055f5
0x00000000
0x004055fb
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031DC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 004055ED
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055FB

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction ID: 4c9d675ee46a87f1ce13dde1798736571a6da7ffae6fc201d3902fb2775d8c1a
Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction Fuzzy Hash: 2AC04C30204501EBD7515B31DE08B177A56AB91781F11883D618AE41B4DA358455DE2E

Uniqueness

Uniqueness Score: -1.00%

Function 73B629F8 Relevance: 1.6, APIs: 1, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E73B629F8(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x73b64040 != 0 && E73B6293D(_a4) == 0) {
					 *0x73b64044 = _t93;
					if( *0x73b6403c != 0) {
						_t93 =  *0x73b6403c;
					} else {
						E73B62F20(E73B62937(), __ecx);
						 *0x73b6403c = _t93;
					}
				}
				_t28 = E73B6296B(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E73B6295F();
					_t72 = _a4;
					_t79 =  *0x73b64048;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x73b64048 = _t72;
					E73B62959();
					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
					 *0x73b6401c = _t33;
					 *0x73b64020 = _t79;
					if( *0x73b64040 != 0 && E73B6293D( *0x73b64048) == 0) {
						 *0x73b6403c = _t94;
						_t94 =  *0x73b64044;
					}
					_t80 =  *0x73b64048;
					_a4 = _t80;
					 *0x73b64048 =  *((intOrPtr*)(E73B6295F() + _t80));
					_t37 = E73B6294B(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E73B6296B(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E73B62976() + _a4 + _v8);
							_push(E73B62980());
							if( *0x73b64040 <= 0 || E73B6293D(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x73b6403c =  *0x73b6403c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x73b64048;
					if( *0x73b64048 == 0) {
						 *0x73b6403c = 0;
					}
					E73B629A4(_t107, _a4,  *0x73b6401c,  *0x73b64020);
					return _a4;
				}
				_push(E73B62976() + _a4);
				_t56 = E73B6297C();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E73B62988();
				_t87 = E73B62984();
				_t90 = E73B62980();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x73b62a08
0x73b62a19
0x73b62a26
0x73b62a3a
0x73b62a28
0x73b62a2d
0x73b62a32
0x73b62a32
0x73b62a26
0x73b62a43
0x73b62a48
0x73b62a4e
0x73b62a92
0x73b62a92
0x73b62a97
0x73b62a9c
0x73b62aa2
0x73b62aa4
0x73b62aaa
0x73b62ab7
0x73b62ab9
0x73b62abe
0x73b62acb
0x73b62ade
0x73b62ae4
0x73b62aea
0x73b62aeb
0x73b62af1
0x73b62afd
0x73b62b03
0x73b62b0b
0x73b62b0c
0x73b62b0f
0x73b62b1a
0x73b62b1c
0x73b62b28
0x73b62b2e
0x73b62b36
0x73b62b62
0x73b62b63
0x73b62b65
0x73b62b69
0x73b62b69
0x73b62b70
0x73b62b46
0x73b62b46
0x73b62b47
0x73b62b55
0x73b62b5e
0x73b62b5e
0x73b62b36
0x73b62b1a
0x73b62b72
0x73b62b79
0x73b62b7b
0x73b62b7b
0x73b62b94
0x73b62ba2
0x73b62ba2
0x73b62a59
0x73b62a5a
0x73b62a5f
0x73b62a63
0x73b62a68
0x73b62a7c
0x73b62a7d
0x73b62a7e
0x73b62a80
0x73b62a85
0x73b62a87
0x73b62a87
0x73b62a8a
0x73b62a90
0x00000000

APIs

ReadFile.KERNELBASE(00000000), ref: 73B62AB7

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 34841c49e088d568937ee63c9170e74906304a21f28b94e34f8a10c681297eac
Instruction ID: ded643b7f0210dfbb15a9a7cbbedf54efef0165ae98ea48db302cff619b72eb0
Opcode Fuzzy Hash: 34841c49e088d568937ee63c9170e74906304a21f28b94e34f8a10c681297eac
Instruction Fuzzy Hash: C74181B3904B29DFFB21AFA5DA80B593779EB84314F248839E409CF5D3D63894418B96

Uniqueness

Uniqueness Score: -1.00%

Function 004025CA Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025CA(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _t27;
				intOrPtr _t33;
				void* _t38;
				void* _t41;

				_t33 = __edx;
				 *((intOrPtr*)(_t38 - 8)) = __ebx;
				_t27 = E00402AA9(2);
				_t41 = _t27 - 1;
				 *((intOrPtr*)(_t38 - 0x3c)) = _t33;
				 *((intOrPtr*)(_t38 - 0xc)) = _t27;
				if(_t41 < 0) {
					L24:
					 *0x7a2fe8 =  *0x7a2fe8 +  *(_t38 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *((intOrPtr*)(__ebp - 0xc)) = 0x3ff;
					}
					if( *__esi == __bl) {
						L21:
						__esi =  *((intOrPtr*)(__ebp - 8));
						goto L22;
					} else {
						 *((char*)(__ebp + 0xb)) = __bl;
						 *(__ebp - 0x30) = E00405EF4(__ecx, __esi);
						if( *((intOrPtr*)(__ebp - 0xc)) <= __ebx) {
							goto L21;
						} else {
							__esi =  *((intOrPtr*)(__ebp - 8));
							while(1) {
								__eax = __ebp - 0xd;
								__eax = E00405B8E( *(__ebp - 0x30), __ebp - 0xd, 1); // executed
								if(__eax == 0) {
									break;
								}
								if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
									 *(__ebp - 0xd) & 0x000000ff = E00405EDB(__edi,  *(__ebp - 0xd) & 0x000000ff);
								} else {
									if( *((char*)(__ebp + 0xb)) == 0xd ||  *((char*)(__ebp + 0xb)) == 0xa) {
										__al =  *(__ebp - 0xd);
										if( *((intOrPtr*)(__ebp + 0xb)) == __al || __al != 0xd && __al != 0xa) {
											__eax = SetFilePointer( *(__ebp - 0x30), 0xffffffff, __ebx, 1);
										} else {
											 *((char*)(__esi + __edi)) = __al;
											__esi = __esi + 1;
										}
										break;
									} else {
										__al =  *(__ebp - 0xd);
										 *((char*)(__esi + __edi)) = __al;
										__esi = __esi + 1;
										 *((char*)(__ebp + 0xb)) = __al;
										if(__al == __bl) {
											break;
										} else {
											if(__esi <  *((intOrPtr*)(__ebp - 0xc))) {
												continue;
											} else {
												break;
											}
										}
									}
								}
								goto L25;
							}
							L22:
							 *((char*)(__esi + __edi)) = __bl;
							if(_t41 == 0) {
								 *(_t38 - 4) = 1;
							}
							goto L24;
						}
					}
				}
				L25:
				return 0;
			}

0x004025ca
0x004025cc
0x004025cf
0x004025d4
0x004025d8
0x004025db
0x004025de
0x00402957
0x0040295a
0x004025e4
0x004025e4
0x004025eb
0x004025ed
0x004025ed
0x004025f2
0x0040267a
0x0040267a
0x00000000
0x004025f8
0x004025f9
0x00402604
0x00402607
0x00000000
0x00402609
0x00402609
0x0040260c
0x0040260c
0x00402615
0x0040261c
0x00000000
0x00000000
0x00402621
0x0040264a
0x00402623
0x00402627
0x00402654
0x0040265a
0x00402672
0x00402664
0x00402664
0x00402667
0x00402667
0x00000000
0x0040262f
0x0040262f
0x00402632
0x00402635
0x00402638
0x0040263b
0x00000000
0x0040263d
0x00402640
0x00000000
0x00402642
0x00000000
0x00402642
0x00402640
0x0040263b
0x00402627
0x00000000
0x00402621
0x0040267d
0x0040267d
0x004015b0
0x0040271c
0x0040271c
0x00000000
0x004015b0
0x00402607
0x004025f2
0x00402960
0x00402966

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 255e133b5fdcbc2f7a9ca64d0d55690020652cb371cb3a25a4775619f9253d8f
Instruction ID: c2a1b850aa9b93e4cbc4820df7219add1c6eba77a771e25ce3fc61ee94bd300f
Opcode Fuzzy Hash: 255e133b5fdcbc2f7a9ca64d0d55690020652cb371cb3a25a4775619f9253d8f
Instruction Fuzzy Hash: C121E770C04299BADF218BA99548AAEBF749F11314F1448BFE490B62D1C6BD8A81CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040166A() {
				int _t7;
				void* _t13;
				void* _t15;
				void* _t20;

				_t18 = E00402ACB(0xffffffd0);
				_t16 = E00402ACB(0xffffffdf);
				E00402ACB(0x13);
				_t7 = MoveFileA(_t4, _t5); // executed
				if(_t7 == 0) {
					if( *((intOrPtr*)(_t20 - 0x20)) == _t13 || E00406280(_t18) == 0) {
						 *((intOrPtr*)(_t20 - 4)) = 1;
					} else {
						E00405D5C(_t15, _t18, _t16);
						_push(0xffffffe4);
						goto L5;
					}
				} else {
					_push(0xffffffe3);
					L5:
					E00401423();
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t20 - 4));
				return 0;
			}

0x00401673
0x0040167c
0x0040167e
0x00401685
0x0040168d
0x00401699
0x0040271c
0x004016ad
0x004016af
0x004016b4
0x00000000
0x004016b4
0x0040168f
0x0040168f
0x0040223d
0x0040223d
0x0040223d
0x0040295a
0x00402966

APIs

MoveFileA.KERNEL32 ref: 00401685

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 944bb400cff2b095e6de598e4842fa66ab82baf3c7dc668ccd4c64bafde35679
Instruction ID: 2d7bf1c298bed6491edf678891ac3a09e03c979460778333709229851ac33c08
Opcode Fuzzy Hash: 944bb400cff2b095e6de598e4842fa66ab82baf3c7dc668ccd4c64bafde35679
Instruction Fuzzy Hash: 77F09031704221A7CB20B6A94F5DD9F56648F8236CB244A3FF111B21E2DABD8902867F

Uniqueness

Uniqueness Score: -1.00%

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00402688(intOrPtr __edx, void* __eflags) {
				long _t7;
				long _t9;
				LONG* _t11;
				void* _t13;
				intOrPtr _t14;
				void* _t17;
				void* _t19;

				_t14 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t7 = E00402AA9(2);
					_pop(_t13);
					 *((intOrPtr*)(_t19 - 0x3c)) = _t14;
					_t9 = SetFilePointer(E00405EF4(_t13, _t17), _t7, _t11,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t11) {
						_push(_t9);
						E00405EDB();
					}
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402688
0x00402688
0x00402689
0x00402691
0x00402696
0x00402697
0x004026a6
0x004026af
0x004028fd
0x004028ff
0x004028ff
0x004026af
0x0040295a
0x00402966

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A6

Part of subcall function 00405EDB: wsprintfA.USER32 ref: 00405EE8

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 8303a16c8324cd1585bb4d8f8fd59fc2d4d610d9dc2ffc373cffb4fce9594ffb
Instruction ID: 110f2c4880f6573f93162833435315c6132d41cf51db6092c043686707d14882
Opcode Fuzzy Hash: 8303a16c8324cd1585bb4d8f8fd59fc2d4d610d9dc2ffc373cffb4fce9594ffb
Instruction Fuzzy Hash: 39E0EDB2B00116AADB01EBD5AA49CBFB768DF40318B10403BF141B50D1CA7D4A029B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004022FC Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004022FC(int __eax, CHAR* __ebx) {
				CHAR* _t11;
				void* _t13;
				CHAR* _t14;
				void* _t18;
				int _t22;

				_t11 = __ebx;
				_t5 = __eax;
				_t14 = 0;
				if(__eax != __ebx) {
					__eax = E00402ACB(__ebx);
				}
				if(_t13 != _t11) {
					_t14 = E00402ACB(0x11);
				}
				if( *((intOrPtr*)(_t18 - 0x18)) != _t11) {
					_t11 = E00402ACB(0x22);
				}
				_t5 = WritePrivateProfileStringA(0, _t14, _t11, E00402ACB(0xffffffcd)); // executed
				_t22 = _t5;
				if(_t22 == 0) {
					 *((intOrPtr*)(_t18 - 4)) = 1;
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t18 - 4));
				return 0;
			}

0x004022fc
0x004022fc
0x004022fe
0x00402302
0x00402305
0x0040230d
0x00402311
0x0040231a
0x0040231a
0x0040231f
0x00402328
0x00402328
0x00402335
0x004015ae
0x004015b0
0x0040271c
0x0040271c
0x0040295a
0x00402966

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402335

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9fcb8b4b564c740448a4b0e2fc3fd6f1d230d5e928dfd18d81c924f1707ae997
Instruction ID: fc3d639ee2ba9d49225374e904560d05d066977e3d8f4235cfc91afb5433c7ac
Opcode Fuzzy Hash: 9fcb8b4b564c740448a4b0e2fc3fd6f1d230d5e928dfd18d81c924f1707ae997
Instruction Fuzzy Hash: 2FE012317005146BD72076B10FCE96F10989BC4308B284D3AF502761C6DDBD4D4245B9

Uniqueness

Uniqueness Score: -1.00%

Function 0040171F Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040171F() {
				long _t5;
				CHAR* _t8;
				CHAR* _t12;
				void* _t14;
				long _t17;

				_t5 = SearchPathA(_t8, E00402ACB(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t12 = _t8;
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401733
0x00401739
0x0040173b
0x004026f0
0x004026f7
0x004026f7
0x0040295a
0x00402966

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 2a13b4b93a0e1c03d473111e2c7d121948ca15ad83d34c6e7037289292d1ee4d
Instruction ID: a921dc9e30d1d81fe6b9094ed5ee79d2c80462cb6aa05ca6df5bdeca8f1c6b24
Opcode Fuzzy Hash: 2a13b4b93a0e1c03d473111e2c7d121948ca15ad83d34c6e7037289292d1ee4d
Instruction Fuzzy Hash: 68E0D8B1300141ABDB00DBA89D49EAA7B58DB40368F20853AE111A60C2D2B949419728

Uniqueness

Uniqueness Score: -1.00%

Function 00405E31 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E31(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405D88(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExA(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405e3b
0x00405e44
0x00405e5a
0x00000000
0x00405e5a
0x00405e48
0x00000000

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B7C,00000000,?,?), ref: 00405E5A

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 33ca04e46434342caff68362b3d2cda83283301915701ba1f7808c3e8cd8b3f6
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: F9E0ECB211050DBEEF195F90DD0ADBB3B1DEB04344F50492EFA46E4090E6B5EA20AE78

Uniqueness

Uniqueness Score: -1.00%

Function 00405B8E Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B8E(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405b92
0x00405ba2
0x00405baa
0x00000000
0x00405bb1
0x00000000
0x00405bb3

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040319E,00000000,00000000,00402FEB,000000FF,00000004,00000000,00000000,00000000), ref: 00405BA2

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction ID: a6de1eac7d35dbb408d2fa80093daaad73b751b804ef2b379125a3e319db5d80
Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction Fuzzy Hash: 46E0EC3221565AABEF119E559C00AEB7B6CEB05360F004476FD15E3190D6B1FA219BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405BBD Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BBD(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405bc1
0x00405bd1
0x00405bd9
0x00000000
0x00405be0
0x00000000
0x00405be2

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403154,00000000,0078A0F8,000000FF,0078A0F8,000000FF,000000FF,00000004,00000000), ref: 00405BD1

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: b26364db078b9021274dcd752d930f9f8b31cc58193ee345d62fa94dbd0509c3
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: 2EE0EC3221865AABDF609E559C00AEB7B7CEB05364F044437F925EA190D631F821DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402340 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402340(char __ebx) {
				char _t7;
				CHAR* _t8;
				CHAR* _t19;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 0xa) = _t7;
				_t8 = E00402ACB(1);
				 *(_t21 - 0x3c) = E00402ACB(0x12);
				GetPrivateProfileStringA(_t8,  *(_t21 - 0x3c), _t21 + 0xa, _t19, 0x3ff, E00402ACB(0xffffffdd)); // executed
				_t24 =  *_t19 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t19 = __ebx;
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402340
0x00402348
0x0040234c
0x0040235c
0x00402373
0x00402379
0x0040173b
0x004026f0
0x004026f7
0x004026f7
0x0040295a
0x00402966

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402373

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: de46147d6d5d82b5e111b4c29e7f346d5c0562a281aa24714321742148aa4174
Instruction ID: 8e029bd2b2674609338b614665d9252e3eb93026fbeeab8b0acd3e0b98e79a96
Opcode Fuzzy Hash: de46147d6d5d82b5e111b4c29e7f346d5c0562a281aa24714321742148aa4174
Instruction Fuzzy Hash: 2EE0803090430479DB10AFA18E0AEAD35649F41714F144839F5507B0D1EEB544419B3D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E03 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E03(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405D88(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExA(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405e0d
0x00405e14
0x00405e27
0x00000000
0x00405e27
0x00405e18
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405E91,?,?,?,?,00000002,Call), ref: 00405E27

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 2a8135548ed97db7cee66e6f72713ae5fed4585321cbc755a00175e49ece29d7
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: B7D0EC32000209BADF115F90ED05FAB371DEB08350F004C26BE45A4091D6759530AA58

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040159D() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesA(E00402ACB(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a8
0x004015ae
0x004015b0
0x0040271c
0x0040271c
0x0040295a
0x00402966

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c31499beedfeda25af1f90d3bd790105c80114bb09e997b040da30281fcaddbd
Instruction ID: 6c3c7c81edca22ef1082c61e7c8c2dbb2dad1037c78d96895750c72c7df92d73
Opcode Fuzzy Hash: c31499beedfeda25af1f90d3bd790105c80114bb09e997b040da30281fcaddbd
Instruction Fuzzy Hash: 81D01272704111DBCB01EBE89B489DDB7A49B40328B308537D111F21D1D6B98A45A72D

Uniqueness

Uniqueness Score: -1.00%

Function 00401563 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00010396), ref: 00401596

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a7e7ca525386e16ee7e89cfb1fc4c75f42d594badfd29f8b07d6e0c03fd97da5
Instruction ID: a21bfe6b1d13300a8ee4ecaf898b43311dd8cfbd3fc211a1c449442b6368b73e
Opcode Fuzzy Hash: a7e7ca525386e16ee7e89cfb1fc4c75f42d594badfd29f8b07d6e0c03fd97da5
Instruction Fuzzy Hash: 81D0A97A304122EBCA01F3E8A90889EE7A08B913183304033E202B50E1D0BC4603BBEF

Uniqueness

Uniqueness Score: -1.00%

Function 00404068 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404068(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x7a2718; // 0x10390
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00404068
0x0040406f
0x0040407a
0x00000000
0x0040407a
0x00404080

APIs

SendMessageA.USER32(00010390,00000000,00000000,00000000), ref: 0040407A

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a3efc5eb78e3e56d017e2e6455c4acb5d850ed487973469c59e03f22f97d3db8
Instruction ID: 451079f561cf800dc5e0e3c220f6615dfdf47e2dc175ffa0b928ab0310d81608
Opcode Fuzzy Hash: a3efc5eb78e3e56d017e2e6455c4acb5d850ed487973469c59e03f22f97d3db8
Instruction Fuzzy Hash: E0C09B717407007BFA20CB649E49F077798AB90710F15842DB790F50E1C674E410DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00404051 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404051(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x7a2f48, 0x28, _a4, 1); // executed
				return _t2;
			}

0x0040405f
0x00404065

APIs

SendMessageA.USER32(00000028,?,00000001,00403E81), ref: 0040405F

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 346968a0720bb3734bf3dae4b81c014f7857494700bdb546aecc84c256ab8e1e
Instruction ID: f42b45c65ed6a3ee6e87ec929b41dfaaf359f69b17cd9f6c2b1881eba3545dd7
Opcode Fuzzy Hash: 346968a0720bb3734bf3dae4b81c014f7857494700bdb546aecc84c256ab8e1e
Instruction Fuzzy Hash: 64B09235180A00AAEA114B00DE09F457A62A7A4701F008068B250240F1CAB200A1DB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040565F Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040565F(struct _SHELLEXECUTEINFOA* _a4) {
				struct _SHELLEXECUTEINFOA* _t4;
				int _t5;

				_t4 = _a4;
				_t4->lpIDList = _t4->lpIDList & 0x00000000;
				_t4->cbSize = 0x3c; // executed
				_t5 = ShellExecuteExA(_t4); // executed
				return _t5;
			}

0x0040565f
0x00405664
0x00405668
0x0040566e
0x00405674

APIs

ShellExecuteExA.SHELL32(?,00404463,?), ref: 0040566E

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
Instruction ID: fedc52184ae6edd1acf052e6849869f1d6de8b7351bc39b82099fbd6471e80b9
Opcode Fuzzy Hash: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
Instruction Fuzzy Hash: ECC092B2000200DFE301CF90CB18F077BE8AF55306F028058E1C49A160C7788810CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004031A1 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031A1(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004031af
0x004031b5

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,0003FBE4), ref: 004031AF

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040403E Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040403E(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x79f53c, _a4); // executed
				return _t2;
			}

0x00404048
0x0040404e

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E1A), ref: 00404048

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 16589da7e4045b76edf9d30eb88c390adf98e68054f17749ecabb79a433e11f9
Instruction ID: 19a36987b167f9348e871b3ba6280065f8d182bcd10231b416c22424f7deb768
Opcode Fuzzy Hash: 16589da7e4045b76edf9d30eb88c390adf98e68054f17749ecabb79a433e11f9
Instruction Fuzzy Hash: 0DA00176404101EBCB029F54FF08D4ABFA2AFA4705B12C43AE295D4036CA764872FF1D

Uniqueness

Uniqueness Score: -1.00%

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D6(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402AA9(_t7);
				 *((intOrPtr*)(_t13 - 0x3c)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d6
0x004014d7
0x004014e0
0x004014e3
0x004014e7
0x004014e7
0x004014e9
0x0040295a
0x00402966

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: e73a92aa41515daeb585d050e8429cc66fc7923e91e6afc56cf09d11a5d12b2a
Instruction ID: a830f3fcad8b1b5918cbc0f4af807c6c9b556cc747c31dbb8bc258613536cb5a
Opcode Fuzzy Hash: e73a92aa41515daeb585d050e8429cc66fc7923e91e6afc56cf09d11a5d12b2a
Instruction Fuzzy Hash: C8D05B73B10141DBD714E7F8BD8485E73B4DB503153204837D441E1091D578C5424A28

Uniqueness

Uniqueness Score: -1.00%

Function 73B61215 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73B61215() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x73b6405c); // executed
				return _t1;
			}

0x73b6121d
0x73b61223

APIs

GlobalAlloc.KERNELBASE(00000040,73B61233,?,73B612CF,-73B6404B,73B611AB,-000000A0), ref: 73B6121D

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 8af0b0961bea912e6ce8fd6880ef1e49acd54e2419cabca3d6ac877935811c0f
Instruction ID: 2da407537de8bd27928ee87b5f6082d27c18af4c6a8921b750badeec8675b5d9
Opcode Fuzzy Hash: 8af0b0961bea912e6ce8fd6880ef1e49acd54e2419cabca3d6ac877935811c0f
Instruction Fuzzy Hash: 90A00273D44D20DBDE66BBE28B4AF143B21F748701F208040E35D5E9E6C6768018DB35

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404A21 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404A21(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t179;
				intOrPtr _t180;
				int _t187;
				signed int _t192;
				intOrPtr _t195;
				intOrPtr _t197;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				intOrPtr _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int* _t235;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed int _t244;
				signed int _t247;
				signed char _t248;
				signed int _t249;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				int _t290;
				signed int _t294;
				intOrPtr _t301;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;
				void* _t326;
				void* _t329;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t179 =  *0x7a2f88; // 0xb3abbc
				_t318 = SendMessageA;
				_v20 = _t179;
				_t180 =  *0x7a2f54; // 0xb3aa10
				_t282 = 0;
				_v24 = _t180 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t285;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x7a2f5d & 0x00000002;
							if(( *0x7a2f5d & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t282;
								if(_v16 != _t282) {
									_t231 = _v16;
									__eflags =  *((intOrPtr*)(_t231 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t232 + 0xc)) - 2;
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											_t235 = _t233 * 0x418 + _t285 + 8;
											 *_t235 =  *_t235 & 0xffffffdf;
											__eflags =  *_t235;
										} else {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E0040496F(_v8, _a8 != 0x413);
								_t311 = _t239;
								__eflags = _t311 - _t282;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x418 + _t88;
									_t241 =  *_t285;
									__eflags = _t241 & 0x00000010;
									if((_t241 & 0x00000010) == 0) {
										__eflags = _t241 & 0x00000040;
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
											__eflags = _t242;
										} else {
											_t248 = _t241 ^ 0x00000080;
											__eflags = _t248;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_t244 =  *0x7a2f5c; // 0x80
										_t247 =  !_t244 >> 0x00000008 & 0x00000001;
										__eflags = _t247;
										_a12 = _t311 + 1;
										_a16 = _t247;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							__eflags =  *((intOrPtr*)(_t285 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t285 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t285 + 4)) - 0x408;
						if( *((intOrPtr*)(_t285 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t282, _t282);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t219 =  *0x79f524;
									__eflags = _t219 - _t282;
									if(_t219 != _t282) {
										ImageList_Destroy(_t219);
									}
									_t220 =  *0x79f538;
									__eflags = _t220 - _t282;
									if(_t220 != _t282) {
										GlobalFree(_t220);
									}
									 *0x79f524 = _t282;
									 *0x79f538 = _t282;
									 *0x7a2fc0 = _t282;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L88:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x7a2f5d & 0x00000001;
										if(( *0x7a2f5d & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t187 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t187;
											_t307 = _t187;
											ShowWindow(_v8, _t307);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
										}
									}
									goto L91;
								} else {
									E004011EF(_t285, _t282, _t282);
									_t192 = _a12;
									__eflags = _t192 - _t282;
									if(_t192 != _t282) {
										__eflags = _t192 - 0xffffffff;
										if(_t192 != 0xffffffff) {
											_t192 = _t192 - 1;
											__eflags = _t192;
										}
										_push(_t192);
										_push(8);
										E004049EF();
									}
									__eflags = _a16 - _t282;
									if(_a16 == _t282) {
										L75:
										E004011EF(_t285, _t282, _t282);
										__eflags =  *0x7a2f8c - _t282; // 0x6
										_v32 =  *0x79f538;
										_t195 =  *0x7a2f88; // 0xb3abbc
										_v60 = 0xf030;
										_v20 = _t282;
										if(__eflags <= 0) {
											L86:
											InvalidateRect(_v8, _t282, 1);
											_t197 =  *0x7a271c; // 0xb3fc7d
											__eflags =  *((intOrPtr*)(_t197 + 0x10)) - _t282;
											if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
												E0040492A(0x3ff, 0xfffffffb, E00404942(5));
											}
											goto L88;
										} else {
											_t138 = _t195 + 8; // 0xb3abc4
											_t308 = _t138;
											do {
												_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
												__eflags = _t201 - _t282;
												if(_t201 != _t282) {
													_t287 =  *_t308;
													_v68 = _t201;
													__eflags = _t287 & 0x00000001;
													_v72 = 8;
													if((_t287 & 0x00000001) != 0) {
														_t147 =  &(_t308[4]); // 0xb3abd4
														_v72 = 9;
														_v56 = _t147;
														_t150 =  &(_t308[0]);
														 *_t150 = _t308[0] & 0x000000fe;
														__eflags =  *_t150;
													}
													__eflags = _t287 & 0x00000040;
													if((_t287 & 0x00000040) == 0) {
														_t205 = (_t287 & 0x00000001) + 1;
														__eflags = _t287 & 0x00000010;
														if((_t287 & 0x00000010) != 0) {
															_t205 = _t205 + 3;
															__eflags = _t205;
														}
													} else {
														_t205 = 3;
													}
													_t290 = (_t287 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t290;
													_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t290, _v68);
													SendMessageA(_v8, 0x110d, _t282,  &_v72);
												}
												_v20 = _v20 + 1;
												_t308 =  &(_t308[0x106]);
												__eflags = _v20 -  *0x7a2f8c; // 0x6
											} while (__eflags < 0);
											goto L86;
										}
									} else {
										_t309 = E004012E2( *0x79f538);
										E00401299(_t309);
										_t216 = 0;
										_t285 = 0;
										__eflags = _t309 - _t282;
										if(_t309 <= _t282) {
											L74:
											SendMessageA(_v12, 0x14e, _t285, _t282);
											_a16 = _t309;
											_a8 = 0x420;
											goto L75;
										} else {
											goto L71;
										}
										do {
											L71:
											_t301 = _v24;
											__eflags =  *((intOrPtr*)(_t301 + _t216 * 4)) - _t282;
											if( *((intOrPtr*)(_t301 + _t216 * 4)) != _t282) {
												_t285 = _t285 + 1;
												__eflags = _t285;
											}
											_t216 = _t216 + 1;
											__eflags = _t216 - _t309;
										} while (_t216 < _t309);
										goto L74;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L91;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L91;
							}
							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
							__eflags = _t226 - 0xffffffff;
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
							__eflags = _t310 - 0xffffffff;
							if(_t310 == 0xffffffff) {
								L54:
								_t310 = 0x20;
								L55:
								E00401299(_t310);
								SendMessageA(_a4, 0x420, _t282, _t310);
								_t119 =  &_a12;
								 *_t119 = _a12 | 0xffffffff;
								__eflags =  *_t119;
								_a16 = _t282;
								_a8 = 0x40f;
								goto L56;
							}
							_t230 = _v24;
							__eflags =  *((intOrPtr*)(_t230 + _t310 * 4)) - _t282;
							if( *((intOrPtr*)(_t230 + _t310 * 4)) != _t282) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					_t249 =  *0x7a2f8c; // 0x6
					_v32 = 0;
					_v16 = 2;
					 *0x7a2fc0 = _t306;
					 *0x79f538 = GlobalAlloc(0x40, _t249 << 2);
					_t252 = LoadBitmapA( *0x7a2f40, 0x6e);
					 *0x79f52c =  *0x79f52c | 0xffffffff;
					_t313 = _t252;
					 *0x79f534 = SetWindowLongA(_v8, 0xfffffffc, E00405018);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x79f524 = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x79f524);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t282, E00405F9F(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E0040401C(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E0040401C(_a4);
					_t316 = 0;
					_t284 = 0;
					_t326 =  *0x7a2f8c - _t316; // 0x6
					if(_t326 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									__eflags = _t271 & 0x00000004;
									if((_t271 & 0x00000004) == 0) {
										 *( *0x79f538 + _t316 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v32 = 1;
									 *( *0x79f538 + _t316 * 4) = _t276;
									_t284 =  *( *0x79f538 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x418]);
							_t329 = _t316 -  *0x7a2f8c; // 0x6
							_v28 = _t302;
						} while (_t329 < 0);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00404051(_v8);
								_t282 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404051(_v12);
								L91:
								return E00404083(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404a30
0x00404a41
0x00404a46
0x00404a49
0x00404a4e
0x00404a54
0x00404a57
0x00404a5c
0x00404a6a
0x00404a6d
0x00404c8d
0x00404c8d
0x00404c94
0x00404ca8
0x00404c96
0x00404c98
0x00404c9b
0x00404c9c
0x00404ca3
0x00404ca3
0x00404cab
0x00404cb4
0x00404cbf
0x00404cbf
0x00404cc2
0x00404cc5
0x00404cd4
0x00404cd4
0x00404cdb
0x00404d50
0x00404d50
0x00404d53
0x00404d55
0x00404d58
0x00404d5f
0x00404d6d
0x00404d6d
0x00404d6f
0x00404d72
0x00404d79
0x00404d7b
0x00404d7f
0x00404d82
0x00404d85
0x00404d9c
0x00404da0
0x00404da0
0x00404d87
0x00404d91
0x00404d91
0x00404d85
0x00404d79
0x00000000
0x00404d53
0x00404cdd
0x00404ce0
0x00404ceb
0x00404ced
0x00404cf0
0x00404cf7
0x00404cfc
0x00404cfe
0x00404d00
0x00404d0b
0x00404d0b
0x00404d0f
0x00404d11
0x00404d13
0x00404d15
0x00404d17
0x00404d2a
0x00404d2a
0x00404d19
0x00404d19
0x00404d1e
0x00404d20
0x00404d26
0x00404d22
0x00404d22
0x00404d22
0x00404d20
0x00404d2e
0x00404d30
0x00404d35
0x00404d40
0x00404d40
0x00404d43
0x00404d46
0x00404d49
0x00404d49
0x00404d13
0x00000000
0x00404d00
0x00404ce2
0x00404ce5
0x00404ce9
0x00000000
0x00000000
0x00000000
0x00404ce9
0x00404cc7
0x00404cce
0x00000000
0x00000000
0x00000000
0x00404cb6
0x00404cb6
0x00404cb9
0x00404da3
0x00404da3
0x00404daa
0x00404e1b
0x00404e20
0x00404e23
0x00404e2b
0x00404e2b
0x00404e2d
0x00404e34
0x00404e36
0x00404e3b
0x00404e3d
0x00404e40
0x00404e40
0x00404e46
0x00404e4b
0x00404e4d
0x00404e50
0x00404e50
0x00404e56
0x00404e5c
0x00404e62
0x00404e62
0x00404e68
0x00404e6f
0x00404fc5
0x00404fc5
0x00404fcc
0x00404fce
0x00404fd5
0x00404fd9
0x00404fe6
0x00404fe6
0x00404fe9
0x00404fef
0x00405001
0x00405001
0x00404fd5
0x00000000
0x00404e75
0x00404e77
0x00404e7c
0x00404e7f
0x00404e81
0x00404e83
0x00404e86
0x00404e88
0x00404e88
0x00404e88
0x00404e89
0x00404e8a
0x00404e8c
0x00404e8c
0x00404e91
0x00404e94
0x00404ed5
0x00404ed7
0x00404ee1
0x00404ee7
0x00404eea
0x00404eef
0x00404ef6
0x00404ef9
0x00404f9b
0x00404fa1
0x00404fa7
0x00404fac
0x00404faf
0x00404fc0
0x00404fc0
0x00000000
0x00404eff
0x00404eff
0x00404eff
0x00404f02
0x00404f08
0x00404f0b
0x00404f0d
0x00404f0f
0x00404f11
0x00404f14
0x00404f17
0x00404f1e
0x00404f20
0x00404f23
0x00404f2a
0x00404f2d
0x00404f2d
0x00404f2d
0x00404f2d
0x00404f31
0x00404f34
0x00404f40
0x00404f41
0x00404f44
0x00404f46
0x00404f46
0x00404f46
0x00404f36
0x00404f38
0x00404f38
0x00404f65
0x00404f65
0x00404f66
0x00404f72
0x00404f81
0x00404f81
0x00404f83
0x00404f86
0x00404f8f
0x00404f8f
0x00000000
0x00404f02
0x00404e96
0x00404ea1
0x00404ea4
0x00404ea9
0x00404eab
0x00404ead
0x00404eaf
0x00404ebf
0x00404ec9
0x00404ecb
0x00404ece
0x00000000
0x00000000
0x00000000
0x00000000
0x00404eb1
0x00404eb1
0x00404eb1
0x00404eb4
0x00404eb7
0x00404eb9
0x00404eb9
0x00404eb9
0x00404eba
0x00404ebb
0x00404ebb
0x00000000
0x00404eb1
0x00404e94
0x00404e6f
0x00404dac
0x00404db2
0x00000000
0x00000000
0x00404dbe
0x00404dc2
0x00000000
0x00000000
0x00404dd2
0x00404dd4
0x00404dd7
0x00000000
0x00000000
0x00404de9
0x00404deb
0x00404dee
0x00404df8
0x00404dfa
0x00404dfb
0x00404dfc
0x00404e0b
0x00404e0d
0x00404e0d
0x00404e0d
0x00404e11
0x00404e14
0x00000000
0x00404e14
0x00404df0
0x00404df3
0x00404df6
0x00000000
0x00000000
0x00000000
0x00404df6
0x00000000
0x00404cb9
0x00404a73
0x00404a73
0x00404a78
0x00404a81
0x00404a88
0x00404a96
0x00404aa1
0x00404aa7
0x00404ab5
0x00404ac9
0x00404ace
0x00404adb
0x00404ae0
0x00404af6
0x00404b07
0x00404b14
0x00404b14
0x00404b17
0x00404b1d
0x00404b1f
0x00404b22
0x00404b27
0x00404b2c
0x00404b2e
0x00404b2e
0x00404b4e
0x00404b4e
0x00404b50
0x00404b51
0x00404b56
0x00404b59
0x00404b5c
0x00404b60
0x00404b65
0x00404b6a
0x00404b6e
0x00404b73
0x00404b78
0x00404b7a
0x00404b7c
0x00404b82
0x00404c4c
0x00404c5f
0x00000000
0x00404b88
0x00404b8b
0x00404b8e
0x00404b91
0x00404b91
0x00404b97
0x00404b9d
0x00404ba0
0x00404ba6
0x00404ba7
0x00404bac
0x00404bb5
0x00404bbc
0x00404bbf
0x00404bc2
0x00404bc5
0x00404bff
0x00404c01
0x00404c2a
0x00404c03
0x00404c10
0x00404c10
0x00404bc7
0x00404bca
0x00404bd9
0x00404be3
0x00404beb
0x00404bf2
0x00404bfa
0x00404bfa
0x00404bc5
0x00404c30
0x00404c31
0x00404c37
0x00404c3d
0x00404c3d
0x00404c4a
0x00404c65
0x00404c69
0x00404c86
0x00404c8b
0x00404c8b
0x00000000
0x00404c6b
0x00404c70
0x00404c79
0x00405003
0x00405015
0x00405015
0x00404c69
0x00000000
0x00404c4a
0x00404b82

APIs

GetDlgItem.USER32 ref: 00404A39
GetDlgItem.USER32 ref: 00404A44
GlobalAlloc.KERNEL32(00000040,00000006), ref: 00404A8E
LoadBitmapA.USER32 ref: 00404AA1
SetWindowLongA.USER32(?,000000FC,00405018), ref: 00404ABA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404ACE
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AE0
SendMessageA.USER32(?,00001109,00000002), ref: 00404AF6
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B02
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B14
DeleteObject.GDI32(00000000), ref: 00404B17
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B42
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B4E
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BE3
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C0E
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C22
GetWindowLongA.USER32 ref: 00404C51
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C5F
ShowWindow.USER32(?,00000005), ref: 00404C70
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D6D
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DD2
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DE7
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E0B
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E2B
ImageList_Destroy.COMCTL32(?), ref: 00404E40
GlobalFree.KERNEL32 ref: 00404E50
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EC9
SendMessageA.USER32(?,00001102,?,?), ref: 00404F72
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F81
InvalidateRect.USER32(?,00000000,00000001), ref: 00404FA1
ShowWindow.USER32(?,00000000), ref: 00404FEF
GetDlgItem.USER32 ref: 00404FFA
ShowWindow.USER32(00000000), ref: 00405001

Strings

M, xrefs: 00404BCA
, xrefs: 00404FD9
N, xrefs: 00404CAB

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: a516a2d2a8aff3ef83b708eb5bd9a118a42f20c5a060fe46d5b01f8ac1bf1487
Instruction ID: 95fc731ee8c2f60e707b2e347886eca1b13b95ad12058a055eb87ebce7bf2e6a
Opcode Fuzzy Hash: a516a2d2a8aff3ef83b708eb5bd9a118a42f20c5a060fe46d5b01f8ac1bf1487
Instruction Fuzzy Hash: 720270B0900209EFEB149F58DD85AAE7BB5FB84315F10813AF610BA2E1D7789D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004044AE Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004044AE(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x79ed18; // 0xb3ab3c
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + "kernel32::EnumResourceTypesW(i 0,i r1,i 0)";
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040567D(0x3fb, _t146);
					E004061E7(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040567D(0x3fb, _t146);
							if(E00405A03(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405F7D(0x79e510, _t146);
							_t87 = E00406315(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405F7D(0x79e510, _t146);
								_t89 = E004059AE(0x79e510);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x79e510,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x79e510) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x79e510,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E0040595C(0x79e510);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x79e510) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404942(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x7a271c; // 0xb3fc7d
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E0040492A(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x79e500);
									} else {
										E00404865(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x7a3004 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E0040403E(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x79f530 == _t158) {
									E00404407();
								}
								 *0x79f530 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x79f540;
							_v60 = E004047FF;
							_v56 = _t146;
							_v68 = E00405F9F(_t146, 0x79f540, _t166, 0x79e918, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405915(_t146);
								_t124 =  *0x7a2f54; // 0xb3aa10
								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t146 == "C:\\Users\\engineer\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Heize") {
									E00405F9F(_t146, 0x79f540, _t166, 0, _t125);
									if(lstrcmpiA(0x7a1ee0, 0x79f540) != 0) {
										lstrcatA(_t146, 0x7a1ee0);
									}
								}
								 *0x79f530 =  *0x79f530 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405982(_t146) != 0 && E004059AE(_t146) == 0) {
						E00405915(_t146);
					}
					 *0x7a2718 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E0040401C(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E0040401C(_t166);
					E00404051(_t165);
					_t138 = E00406315(7);
					if(_t138 == 0) {
						L53:
						return E00404083(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x004044ae
0x004044b4
0x004044ba
0x004044c7
0x004044d5
0x004044d8
0x004044e0
0x004044e6
0x004044e6
0x004044f2
0x004044f5
0x00404563
0x0040456a
0x00404641
0x00404648
0x00404657
0x00404657
0x0040465b
0x00404665
0x00404672
0x00404674
0x00404674
0x00404682
0x00404689
0x00404690
0x00404693
0x004046ca
0x004046cc
0x004046d2
0x004046d7
0x004046db
0x004046dd
0x004046dd
0x004046f9
0x00000000
0x004046fb
0x004046fe
0x0040470c
0x00404712
0x00404713
0x00404716
0x00404719
0x00000000
0x00404719
0x00404695
0x00404697
0x0040469b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040469d
0x0040469d
0x004046aa
0x004046af
0x00000000
0x00000000
0x004046b3
0x004046b5
0x004046b5
0x004046bd
0x004046bf
0x004046c2
0x004046c5
0x004046c8
0x00000000
0x00000000
0x00000000
0x00000000
0x004046c8
0x00404725
0x0040472f
0x00404732
0x00404735
0x0040473c
0x0040473c
0x0040473e
0x0040473e
0x00404743
0x00404745
0x0040474d
0x00404754
0x00404756
0x00404761
0x00404761
0x00404756
0x00404768
0x00404771
0x0040477b
0x00404783
0x0040479e
0x00404785
0x0040478e
0x0040478e
0x00404783
0x004047a3
0x004047a8
0x004047ad
0x004047b6
0x004047b6
0x004047bf
0x004047c1
0x004047c1
0x004047cd
0x004047d5
0x004047df
0x004047df
0x004047e4
0x00000000
0x004047e4
0x00404693
0x0040464a
0x00404651
0x00000000
0x00000000
0x00000000
0x00404651
0x00404570
0x00404579
0x00404593
0x00404598
0x004045a2
0x004045a9
0x004045b5
0x004045b8
0x004045bb
0x004045c2
0x004045ca
0x004045cd
0x004045d1
0x004045d8
0x004045e0
0x0040463a
0x004045e2
0x004045e3
0x004045ea
0x004045ef
0x004045f4
0x004045fc
0x00404609
0x0040461d
0x00404621
0x00404621
0x0040461d
0x00404626
0x00404633
0x00404633
0x004045e0
0x00000000
0x00404598
0x00404586
0x00000000
0x00000000
0x0040458c
0x00000000
0x004044f7
0x00404504
0x0040450d
0x0040451a
0x0040451a
0x00404521
0x00404527
0x00404530
0x00404533
0x00404536
0x0040453e
0x00404541
0x00404544
0x0040454a
0x00404551
0x00404558
0x004047ea
0x004047fc
0x0040455e
0x00404561
0x00000000
0x00404561
0x00404558

APIs

GetDlgItem.USER32 ref: 004044FD
SetWindowTextA.USER32(00000000,?), ref: 00404527
SHBrowseForFolderA.SHELL32(?,0079E918,?), ref: 004045D8
CoTaskMemFree.OLE32(00000000), ref: 004045E3
lstrcmpiA.KERNEL32(Call,0079F540,00000000,?,?), ref: 00404615
lstrcatA.KERNEL32(?,Call), ref: 00404621
SetDlgItemTextA.USER32 ref: 00404633

Part of subcall function 0040567D: GetDlgItemTextA.USER32 ref: 00405690

Part of subcall function 004061E7: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\download.exe",746AFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 0040623F
Part of subcall function 004061E7: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040624C
Part of subcall function 004061E7: CharNextA.USER32(?,"C:\Users\user\Desktop\download.exe",746AFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00406251
Part of subcall function 004061E7: CharPrevA.USER32(?,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00406261

GetDiskFreeSpaceA.KERNEL32(0079E510,?,?,0000040F,?,0079E510,0079E510,?,00000001,0079E510,?,?,000003FB,?), ref: 004046F1
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040470C

Part of subcall function 00404865: lstrlenA.KERNEL32(0079F540,0079F540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404780,000000DF,00000000,00000400,?), ref: 00404903
Part of subcall function 00404865: wsprintfA.USER32 ref: 0040490B
Part of subcall function 00404865: SetDlgItemTextA.USER32 ref: 0040491E

Strings

A, xrefs: 004045D1
Call, xrefs: 0040460F, 00404614, 0040461F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize, xrefs: 004045FE
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 004044C7

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize$Call$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 2624150263-241513387
Opcode ID: 835ebef96d9a185249aca47752db4aea3ea54f97fa15e05f5d6c04df71dbffb3
Instruction ID: c3220bc8085252b6637529823acfaab3e79984cbb1e105c0cbc22f2c5a0eab13
Opcode Fuzzy Hash: 835ebef96d9a185249aca47752db4aea3ea54f97fa15e05f5d6c04df71dbffb3
Instruction Fuzzy Hash: 61A171B1900209ABDB11EFA6CD45AAFB7B8EF85314F10443BF601B72D1D77C8A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 00404187 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404187(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x79e50c =  *0x79e50c + 1;
								__eflags =  *0x79e50c;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00404083(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x7a1ee0;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									_push(1);
									E0040442B(_a4, _v8);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x7a2f48, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x7a2f48, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x79e50c; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t103 =  *0x79ed18; // 0xb3ab3c
					_t25 = _t103 + 0x14; // 0xb3ab50
					_t112 = _t25;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E0040403E(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E00404407();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x7a271c; // 0xb3fc7d
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_t71 =  *0x7a2f98; // 0xb3e8b8
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 + _t71;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E00404152;
					E0040401C(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E0040401C(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E0040403E( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E00404051(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t85 =  *0x7a2f54; // 0xb3aa10
					_t86 =  *(_t85 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x79e50c = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x79e50c = 0;
					return 0;
				}
			}

0x00404197
0x004042a9
0x004042bc
0x00404318
0x00404318
0x0040431c
0x004043e2
0x004043e9
0x004043eb
0x004043eb
0x004043eb
0x004043f1
0x004043f1
0x004043f4
0x00000000
0x004043fb
0x0040432a
0x0040432c
0x0040432f
0x00404336
0x00404338
0x0040433f
0x00404341
0x00404344
0x00404347
0x0040434c
0x00404352
0x00404355
0x0040435c
0x0040436a
0x00404382
0x00404384
0x0040438c
0x0040439b
0x0040439d
0x0040439d
0x0040435c
0x0040433f
0x004043a0
0x004043a7
0x00000000
0x004043a9
0x004043a9
0x004043b0
0x00000000
0x00000000
0x004043b2
0x004043b6
0x004043c7
0x004043c7
0x004043c9
0x004043cd
0x004043db
0x004043db
0x00000000
0x004043df
0x004043a7
0x004042c4
0x004042c7
0x00000000
0x00000000
0x004042cf
0x004042d5
0x00000000
0x00000000
0x004042db
0x004042e1
0x004042e1
0x004042e4
0x004042e7
0x00000000
0x00000000
0x0040430a
0x0040430a
0x0040430c
0x0040430e
0x00404313
0x00000000
0x0040419d
0x0040419d
0x004041a0
0x004041a5
0x004041a7
0x004041b6
0x004041b6
0x004041b8
0x004041bd
0x004041c0
0x004041c2
0x004041c7
0x004041d0
0x004041d6
0x004041e2
0x004041e5
0x004041ee
0x004041f3
0x004041f6
0x004041fb
0x00404212
0x00404219
0x0040422c
0x0040422f
0x00404244
0x00404246
0x0040424b
0x00404250
0x00404255
0x00404255
0x00404264
0x00404273
0x00404285
0x0040428a
0x0040429a
0x0040429c
0x00000000
0x004042a2

APIs

CheckDlgButton.USER32 ref: 00404212
GetDlgItem.USER32 ref: 00404226
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404244
GetSysColor.USER32(?), ref: 00404255
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404264
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404273
lstrlenA.KERNEL32(?), ref: 00404276
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404285
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040429A
GetDlgItem.USER32 ref: 004042FC
SendMessageA.USER32(00000000), ref: 004042FF
GetDlgItem.USER32 ref: 0040432A
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040436A
LoadCursorA.USER32 ref: 00404379
SetCursor.USER32(00000000), ref: 00404382
LoadCursorA.USER32 ref: 00404398
SetCursor.USER32(00000000), ref: 0040439B
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043C7
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043DB

Strings

Call, xrefs: 00404355
N, xrefs: 00404318
RA@, xrefs: 00404386

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$RA@
API String ID: 3103080414-2992999996
Opcode ID: 937b42b3135c4e1aa36ae5a1725e39aac0471f252f69529ff53d1d3c1c1a1b80
Instruction ID: 9d4f5b614004455fa0fc48963a53335b2d61895e96ab3f79d0888a2017683c32
Opcode Fuzzy Hash: 937b42b3135c4e1aa36ae5a1725e39aac0471f252f69529ff53d1d3c1c1a1b80
Instruction Fuzzy Hash: E761C5B1A40205BFEB109F61DD45F6A3B69FB84704F10802AFB05BA2D1C7BCA951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00405BEC Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BEC(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				intOrPtr _t14;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x7a12d0 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x7a16d0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x7a0ed0, "%s=%s\r\n", 0x7a12d0, 0x7a16d0);
						_t14 =  *0x7a2f54; // 0xb3aa10
						_t53 = _t52 + 0x10;
						E00405F9F(_t37, 0x400, 0x7a16d0, 0x7a16d0,  *((intOrPtr*)(_t14 + 0x128)));
						_t12 = E00405B16(0x7a16d0, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405B8E(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405A7B(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405A7B(_t38, _t21 + 0xa, 0x40a3b8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405AD1(_t24 + _t46, 0x7a0ed0, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405BBD(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405B16(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x7a12d0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405bec
0x00405bf5
0x00405bfc
0x00405c10
0x00405c38
0x00405c43
0x00405c47
0x00405c67
0x00405c69
0x00405c6e
0x00405c78
0x00405c85
0x00405c8a
0x00405c8f
0x00405c93
0x00405ca2
0x00405ca4
0x00405cb1
0x00405cb5
0x00405d50
0x00000000
0x00405ccb
0x00405cd8
0x00405cfc
0x00405d00
0x00405d1f
0x00405d23
0x00405d23
0x00405d25
0x00405d2e
0x00405d39
0x00405d44
0x00405d4a
0x00000000
0x00405d4a
0x00405d02
0x00405d05
0x00405d10
0x00405d0c
0x00405d0e
0x00405d0f
0x00405d0f
0x00405d17
0x00405d19
0x00000000
0x00405d19
0x00405ce3
0x00405ce9
0x00000000
0x00405ce9
0x00405cb5
0x00405c93
0x00405c12
0x00405c1d
0x00405c26
0x00405c2a
0x00000000
0x00000000
0x00405c2a
0x00405d5b

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D7D,?,?), ref: 00405C1D
GetShortPathNameA.KERNEL32 ref: 00405C26

Part of subcall function 00405A7B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A8B
Part of subcall function 00405A7B: lstrlenA.KERNEL32(00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ABD

GetShortPathNameA.KERNEL32 ref: 00405C43
wsprintfA.USER32 ref: 00405C61
GetFileSize.KERNEL32(00000000,00000000,007A16D0,C0000000,00000004,007A16D0,?,?,?,?,?), ref: 00405C9C
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405CAB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE3
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,007A0ED0,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D39
GlobalFree.KERNEL32 ref: 00405D4A
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D51

Part of subcall function 00405B16: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\download.exe,80000000,00000003), ref: 00405B1A
Part of subcall function 00405B16: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B3C

Strings

%s=%s, xrefs: 00405C57
[Rename], xrefs: 00405CCB, 00405CDD

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 45160d7d980c9177ced87b727a44c84efcd25dff5150337c1955e55c924b3a17
Instruction ID: 022478914a54526cde4d083c9269fc90008e130feab77c5089d91aa4570e4fa5
Opcode Fuzzy Hash: 45160d7d980c9177ced87b727a44c84efcd25dff5150337c1955e55c924b3a17
Instruction Fuzzy Hash: 6131DF31201B196BD2207B659D4CF6B3A5CDF85794F24053BBA01F62D2EA7CA8058EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401073 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00401073(intOrPtr* __ebx, signed int __edi, void* __esi) {
				struct HBRUSH__* _t64;
				void* _t71;
				struct HDC__* _t100;
				void* _t104;

				L0:
				 *(_t104 + 0x10) = __edi -  *(_t104 - 0x18);
				asm("cdq");
				asm("cdq");
				asm("cdq");
				 *(_t104 - 8) = 0 << 0x00000008 | (( *(__esi + 0x50) & 0x000000ff) *  *(_t104 + 0x10) + ( *(__esi + 0x54) & 0x000000ff) *  *(_t104 - 0x18)) / __edi & 0x000000ff;
				_t64 = CreateBrushIndirect(_t104 - 0xc);
				 *((intOrPtr*)(_t104 - 0x10)) =  *((intOrPtr*)(_t104 - 0x10)) + 4;
				 *(_t104 + 0x14) = _t64;
				FillRect( *(_t104 + 0xc), _t104 - 0x1c, _t64);
				_push( *(_t104 + 0x14));
				 *__ebx();
				 *(_t104 - 0x18) =  *(_t104 - 0x18) + 4;
				if( *(_t104 - 0x18) < __edi) {
					goto L0;
				}
				if( *(__esi + 0x58) != 0xffffffff) {
					_t71 = CreateFontIndirectA( *(__esi + 0x34));
					 *(_t104 + 0x14) = _t71;
					if(_t71 != 0) {
						_t100 =  *(_t104 + 0xc);
						 *(_t104 - 0x1c) = 0x10;
						 *(_t104 - 0x18) = 8;
						SetBkMode(_t100, 1);
						SetTextColor(_t100,  *(__esi + 0x58));
						 *(_t104 + 0xc) = SelectObject(_t100,  *(_t104 + 0x14));
						DrawTextA(_t100, "Doktorgraden Setup", 0xffffffff, _t104 - 0x1c, 0x820);
						SelectObject(_t100,  *(_t104 + 0xc));
						_push( *(_t104 + 0x14));
						 *__ebx();
					}
				}
				EndPaint( *(_t104 + 8), _t104 - 0x5c);
				return 0;
			}

0x00401073
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ea
0x004010ed
0x004010ef
0x004010f6
0x00000000
0x00000000
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401162
0x00401165
0x00401165
0x00401110
0x0040116e
0x0040117a

APIs

CreateBrushIndirect.GDI32(?), ref: 004010CF
FillRect.USER32 ref: 004010E4
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(?,00000001), ref: 00401126
SetTextColor.GDI32(?,000000FF), ref: 00401130
SelectObject.GDI32(?,?), ref: 00401140
DrawTextA.USER32(?,Doktorgraden Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(?,?), ref: 00401160
EndPaint.USER32(?,?), ref: 0040116E

Strings

Doktorgraden Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CreateIndirectObjectSelectText$BrushColorDrawFillFontModePaintRect
String ID: Doktorgraden Setup
API String ID: 2017289033-805053502
Opcode ID: 4eb47d40530ef7159d923fd92e4a22f94aaad7a90eae2348a825257ff51c9a33
Instruction ID: 1b5142ae175cc15f7c2fcace1666f8ab95c7f94b1e4467e05bbd5237ea87d222
Opcode Fuzzy Hash: 4eb47d40530ef7159d923fd92e4a22f94aaad7a90eae2348a825257ff51c9a33
Instruction Fuzzy Hash: BF31A9728002499FCB098FA5CE459BFBFB5EF85314F04842EF5A2A51A0CB38E614DB64

Uniqueness

Uniqueness Score: -1.00%

Function 73B62498 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E73B62498(intOrPtr* _a4) {
				char _v80;
				int _v84;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t43;
				void* _t44;
				intOrPtr _t45;
				void* _t48;

				_t44 = E73B61215();
				_t28 = _a4;
				_t45 =  *((intOrPtr*)(_t28 + 0x814));
				_v88 = _t45;
				_t48 = (_t45 + 0x41 << 5) + _t28;
				do {
					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
					}
					_t43 =  *(_t48 - 8) & 0x000000ff;
					if(_t43 <= 7) {
						switch( *((intOrPtr*)(_t43 * 4 +  &M73B625E6))) {
							case 0:
								 *_t44 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									_v84 = __ecx;
									__ecx =  *(0x73b6307c + __edx * 4);
									__edx = _v84;
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x73b6309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73B61429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x73b6405c);
								goto L17;
							case 4:
								__ecx =  *0x73b6405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x73b6405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L17;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push(__ecx);
								_push( *__eax);
								" {3v@u3v"();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x73b6405c, __ebx, __ebx);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x73b64000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t30 =  *(_t48 + 0x14);
					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
						GlobalFree(_t30);
					}
					_t31 =  *((intOrPtr*)(_t48 + 0xc));
					if(_t31 != 0) {
						if(_t31 != 0xffffffff) {
							if(_t31 > 0) {
								E73B612D1(_t31 - 1, _t44);
								goto L26;
							}
						} else {
							E73B61266(_t44);
							L26:
						}
					}
					_v88 = _v88 - 1;
					_t48 = _t48 - 0x20;
				} while (_v88 >= 0);
				return GlobalFree(_t44);
			}

0x73b624a4
0x73b624a6
0x73b624b0
0x73b624b6
0x73b624c0
0x73b624c4
0x73b624c9
0x73b624c9
0x73b624d1
0x73b624d8
0x73b624de
0x00000000
0x73b624e5
0x00000000
0x00000000
0x73b624ec
0x73b624f0
0x73b624f3
0x73b624f7
0x73b624fe
0x73b62502
0x73b62508
0x73b6250a
0x73b6250c
0x73b6250c
0x73b62513
0x00000000
0x00000000
0x73b6251c
0x00000000
0x00000000
0x73b6252c
0x00000000
0x00000000
0x73b62558
0x73b62560
0x73b6256a
0x73b6256c
0x73b62571
0x00000000
0x00000000
0x73b62534
0x73b62538
0x73b6253a
0x73b6253b
0x73b6253d
0x73b6254d
0x73b62554
0x00000000
0x00000000
0x73b62577
0x73b62579
0x73b6257f
0x73b62585
0x73b62585
0x00000000
0x00000000
0x73b624de
0x73b62588
0x73b62588
0x73b6258d
0x73b6259e
0x73b6259e
0x73b625a4
0x73b625a9
0x73b625ae
0x73b625ba
0x73b625bf
0x00000000
0x73b625c4
0x73b625b0
0x73b625b1
0x73b625c5
0x73b625c5
0x73b625ae
0x73b625c6
0x73b625ca
0x73b625cd
0x73b625e5

APIs

Part of subcall function 73B61215: GlobalAlloc.KERNELBASE(00000040,73B61233,?,73B612CF,-73B6404B,73B611AB,-000000A0), ref: 73B6121D

GlobalFree.KERNEL32 ref: 73B6259E
GlobalFree.KERNEL32 ref: 73B625D8

Strings

{3v@u3v, xrefs: 73B6253D

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: Global$Free$Alloc
String ID: {3v@u3v
API String ID: 1780285237-40114749
Opcode ID: 6ecaf1a2a80d497ff8cd6ee8efeecae0d44b2cc6311e3816ff85fd11e41bb951
Instruction ID: 6720f2d473e52f9db2da0e733f7b162cc5232f72a2ec49d55e6df7f5fcd345ef
Opcode Fuzzy Hash: 6ecaf1a2a80d497ff8cd6ee8efeecae0d44b2cc6311e3816ff85fd11e41bb951
Instruction Fuzzy Hash: 64411272504619EFF3269F54CEA4F2A77BAEB85300B14453DF6498F292D7359808CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00402C7C Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C7C(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x78a0f4; // 0xa4d3a
					_t11 =  *0x7960fc; // 0xa6270
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402c89
0x00402c97
0x00402c9d
0x00402c9d
0x00402cab
0x00402cad
0x00402cb3
0x00402cba
0x00402cbc
0x00402cbc
0x00402cd2
0x00402ce2
0x00402cf4
0x00402cf4
0x00402cfc

APIs

SetTimer.USER32 ref: 00402C97
MulDiv.KERNEL32(000A4D3A,00000064,000A6270), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32 ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC
pb, xrefs: 00402CB3
:M, xrefs: 00402CAD

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: :M$pb$verifying installer: %d%%
API String ID: 1451636040-2400729567
Opcode ID: 5bc376e969e12caa47fa3f233e97b7e9205a4f9680dc87fa7bda5c810414eec7
Instruction ID: de2615d2472e4fc16c898f89e06f4c65c316d83b10e4b0077f24645c8aa4783b
Opcode Fuzzy Hash: 5bc376e969e12caa47fa3f233e97b7e9205a4f9680dc87fa7bda5c810414eec7
Instruction Fuzzy Hash: E8014F70540209FBEF249F61DE4AEEE3769EB04304F00803AFA16B92D0DBB989518F59

Uniqueness

Uniqueness Score: -1.00%

Function 73B622B1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E73B622B1(void* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				signed int* _t50;
				signed char* _t51;

				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t51 = (_v8 << 5) + _t9;
					_t38 = _t51[0x18];
					if(_t38 == 0) {
						goto L9;
					}
					_t48 = 0x1a;
					if(_t38 == _t48) {
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						if(_t38 <= 0 || _t38 > 0x19) {
							_t51[0x18] = _t48;
						} else {
							_t38 = E73B612AD(_t38 - 1);
							L10:
						}
						goto L11;
					} else {
						_t38 = E73B6123B();
						L11:
						_t43 = _t38;
						_t13 =  &(_t51[8]); // 0x820
						_t50 = _t13;
						if(_t51[4] >= 0) {
						}
						_t39 =  *_t51 & 0x000000ff;
						_t51[0x1c] = _t51[0x1c] & 0x00000000;
						_v4 = _t39;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t43);
							if(_v8 == 0) {
								return _t40;
							}
							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v8 = _v8 + 1;
							} else {
								_v8 = _v8 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M73B6243E))) {
								case 0:
									 *_t50 =  *_t50 & 0x00000000;
									goto L27;
								case 1:
									__eax = E73B612FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E73B612FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E73B61224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x73b6405c =  *0x73b6405c +  *0x73b6405c;
									__edi = GlobalAlloc(0x40,  *0x73b6405c +  *0x73b6405c);
									 *0x73b6405c = MultiByteToWideChar(0, 0, __ebx,  *0x73b6405c, __edi,  *0x73b6405c);
									if(_v4 != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E73B612FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x73b6405c;
									__esi = __esi +  *0x73b64064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E73B61429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E73B61224(0x73b64034);
					goto L10;
				}
			}

0x73b622c6
0x73b622ca
0x73b622d5
0x73b622d5
0x73b622dc
0x73b622e1
0x00000000
0x00000000
0x73b622e5
0x73b622e8
0x00000000
0x00000000
0x73b622ed
0x73b622f8
0x73b62308
0x73b622ff
0x73b62301
0x73b62317
0x73b62317
0x00000000
0x73b622ef
0x73b622ef
0x73b62318
0x73b6231c
0x73b6231e
0x73b6231e
0x73b62321
0x73b62321
0x73b62329
0x73b6232c
0x73b62333
0x73b62337
0x73b62406
0x73b62407
0x73b62412
0x73b6243d
0x73b6243d
0x73b62422
0x73b6242e
0x73b62424
0x73b62424
0x73b62424
0x00000000
0x73b6233d
0x73b6233d
0x00000000
0x73b62344
0x00000000
0x00000000
0x73b6234d
0x00000000
0x00000000
0x73b6235b
0x73b6235e
0x00000000
0x00000000
0x73b62367
0x73b6236c
0x73b6236f
0x73b62370
0x00000000
0x00000000
0x73b6237d
0x73b62388
0x73b62397
0x73b623a2
0x73b623c5
0x73b623c8
0x73b623a4
0x73b623a8
0x73b623ae
0x73b623af
0x73b623b2
0x73b623b3
0x73b623b6
0x73b623bd
0x73b623bd
0x00000000
0x00000000
0x73b623d0
0x73b623d3
0x73b623df
0x73b623e1
0x00000000
0x00000000
0x73b623e4
0x73b623e7
0x73b623e8
0x73b623ef
0x73b623f6
0x73b623f9
0x73b623fb
0x73b623fe
0x00000000
0x00000000
0x73b6233d
0x73b62337
0x73b6230d
0x73b62312
0x00000000
0x73b62312

APIs

GlobalFree.KERNEL32 ref: 73B62407

Part of subcall function 73B61224: lstrcpynA.KERNEL32(00000000,?,73B612CF,-73B6404B,73B611AB,-000000A0), ref: 73B61234

GlobalAlloc.KERNEL32(00000040,?), ref: 73B62382
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 73B62397
GlobalAlloc.KERNEL32(00000040,00000010), ref: 73B623A8
CLSIDFromString.OLE32(00000000,00000000), ref: 73B623B6
GlobalFree.KERNEL32 ref: 73B623BD

Strings

@u3v, xrefs: 73B623B6

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @u3v
API String ID: 3730416702-2775030947
Opcode ID: bd99fd724e29899d8558d01c04efcf33a911383b341f5b5005946b0dcb1e8fc0
Instruction ID: 8f532eb9f1c8ac7a3d5c164e9f92caf84b440b0e2c4e4f7e8c87565797e8fcd1
Opcode Fuzzy Hash: bd99fd724e29899d8558d01c04efcf33a911383b341f5b5005946b0dcb1e8fc0
Instruction Fuzzy Hash: 6A416CB1908709EFF3259F259944B2AB7E8FB84311F10493AE54BDF582E7309585CB62

Uniqueness

Uniqueness Score: -1.00%

Function 004061E7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061E7(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405982(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405940("*?|<>/\":", _t5))) == 0) {
							E00405AD1(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004061e9
0x004061f1
0x00406205
0x00406205
0x0040620b
0x00406218
0x00406218
0x00406219
0x0040621b
0x0040621f
0x00406221
0x0040622a
0x0040622c
0x00406246
0x0040624e
0x0040624e
0x00406253
0x00406255
0x00406257
0x0040625b
0x0040625c
0x0040625f
0x00406267
0x00406269
0x0040626d
0x00000000
0x00000000
0x00406273
0x00406278
0x00000000
0x00000000
0x00000000
0x00406278
0x0040627d

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\download.exe",746AFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 0040623F
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040624C
CharNextA.USER32(?,"C:\Users\user\Desktop\download.exe",746AFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00406251
CharPrevA.USER32(?,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00406261

Strings

"C:\Users\user\Desktop\download.exe", xrefs: 00406223
C:\Users\user\AppData\Local\Temp\, xrefs: 004061E8
*?|<>/":, xrefs: 0040622F

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\download.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2234470313
Opcode ID: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction ID: 21773b32b681db819c24220f05ced2ff1897e85ed8b94fc5b560f7e9dc9cebfa
Opcode Fuzzy Hash: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction Fuzzy Hash: D511BF6180479129FB3236240C44BB7AF998F977A0F1A00BFE5D6722C2D67C5CA2966D

Uniqueness

Uniqueness Score: -1.00%

Function 00404083 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404083(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404095
0x0040414b
0x00000000
0x0040414b
0x004040a6
0x004040aa
0x00000000
0x004040c4
0x004040c4
0x004040cd
0x00000000
0x00000000
0x004040cf
0x004040db
0x004040de
0x004040de
0x004040e4
0x004040ea
0x004040ea
0x004040f6
0x004040fc
0x00404103
0x00404106
0x00404109
0x0040410b
0x0040410b
0x00404113
0x00404119
0x00404119
0x00404123
0x00404128
0x0040412b
0x00404130
0x00404133
0x00404133
0x00404143
0x00404143
0x00000000
0x00404146

APIs

GetWindowLongA.USER32 ref: 004040A0
GetSysColor.USER32(00000000), ref: 004040DE
SetTextColor.GDI32(?,00000000), ref: 004040EA
SetBkMode.GDI32(?,?), ref: 004040F6
GetSysColor.USER32(?), ref: 00404109
SetBkColor.GDI32(?,?), ref: 00404119
DeleteObject.GDI32(?), ref: 00404133
CreateBrushIndirect.GDI32(?), ref: 0040413D

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction ID: 14bb72118498863180d434f19a0418890adeb1616dfc149a02695bee4dee3a88
Opcode Fuzzy Hash: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction Fuzzy Hash: 422162715007049BCB309F68DD4CB5BBBF8AF91714B04893EEA96A62E0D734E984CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040496F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040496F(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x0040497d
0x0040498a
0x00404990
0x004049ce
0x004049ce
0x004049dd
0x004049e4
0x00000000
0x004049e6
0x00404992
0x004049a1
0x004049a9
0x004049ac
0x004049be
0x004049c4
0x004049cb
0x00000000
0x004049cb
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040498A
GetMessagePos.USER32 ref: 00404992
ScreenToClient.USER32 ref: 004049AC
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049BE
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049E4

Strings

f, xrefs: 004049C0

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: a28b31c987ffe71ebed06cd45d35d2090213a5ff436324a44693cf4fbc71b07e
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: F7015EB5900219BAEB00DBA5DD85BFFBBBCAF55711F10412BBB51B61C0C7B49901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040273C Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040273C(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402ACB(0xfffffff0);
				 *(_t56 - 0x34) = _t23;
				if(E00405982(_t50) == 0) {
					E00402ACB(0xffffffed);
				}
				E00405AF1(_t50);
				_t26 = E00405B16(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x7a2f58; // 0x3fc00
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E004031A1(_t45);
						E0040318B(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x3c) = _t54;
						if(_t54 != _t45) {
							_push( *(_t56 - 0x20));
							_push(_t54);
							_push(_t45);
							_push( *((intOrPtr*)(_t56 - 0x24)));
							E00402F9C();
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x84) =  *_t54;
								E00405AD1( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x84);
							}
							GlobalFree( *(_t56 - 0x3c));
						}
						E00405BBD( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						_push(_t45);
						_push(_t45);
						_push( *(_t56 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t56 - 0xc)) = E00402F9C();
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x34));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x0040273c
0x0040273e
0x0040274a
0x0040274d
0x00402757
0x0040275b
0x0040275b
0x00402761
0x0040276e
0x00402776
0x00402779
0x0040277f
0x0040278d
0x00402792
0x00402796
0x00402799
0x004027a2
0x004027ae
0x004027b2
0x004027b5
0x004027b7
0x004027ba
0x004027bb
0x004027bc
0x004027bf
0x004027e4
0x004027c6
0x004027cb
0x004027d3
0x004027d9
0x004027de
0x004027de
0x004027eb
0x004027eb
0x004027f8
0x004027fe
0x00402804
0x00402805
0x00402806
0x00402809
0x00402810
0x00402810
0x00402816
0x00402816
0x00402821
0x00402822
0x00402826
0x0040282a
0x00402830
0x00402830
0x00402837
0x0040223d
0x0040295a
0x00402966

APIs

GlobalAlloc.KERNEL32(00000040,0003FC00,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32 ref: 004027EB
GlobalFree.KERNEL32 ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 239df5607afa4b69fac1f624e6af6ab52b19528534294da437cf780cbc7d734c
Instruction ID: a3aa65fdc26674a25697bbf1b98d1dc7df5c11bc78c453e7b8258ed70cc26f26
Opcode Fuzzy Hash: 239df5607afa4b69fac1f624e6af6ab52b19528534294da437cf780cbc7d734c
Instruction Fuzzy Hash: 41219F71800124BBDF207FA5CE89DAE7B79AF49364F14823AF510762E0CB794D419F68

Uniqueness

Uniqueness Score: -1.00%

Function 73B61837 Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E73B61837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void _t45;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x73b6405c = _a8;
				_t77 = 0;
				 *0x73b64060 = _a16;
				_v12 = 0;
				_v8 = E73B6123B();
				_t90 = E73B612FE(_t42);
				_t87 = _t85;
				_t81 = E73B6123B();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E73B6123B();
					_t77 = E73B612FE(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
						if( *((char*)(_t81 + 1)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E73B61429(_t85, _t90, _t87,  &_v52);
								E73B61266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E73B62EB0(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
						if( *((char*)(_t81 + 1)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((char*)(_t81 + 2)) != 0x3e) {
							_t48 = E73B62ED0(_t59, _t83, _t85);
						} else {
							_t48 = E73B62F00(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
						if( *((char*)(_t81 + 1)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E73B62D40(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E73B62DF0(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((char*)(_t81 + 1)) - 0x26;
					if( *((char*)(_t81 + 1)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E73B62D00(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x73b61837
0x73b61841
0x73b6184a
0x73b6184d
0x73b61852
0x73b6185b
0x73b61864
0x73b61866
0x73b6186d
0x73b6186f
0x73b61872
0x73b61876
0x73b61882
0x73b6188b
0x73b61890
0x73b61893
0x73b61899
0x73b61899
0x73b6189c
0x73b6189f
0x73b618a2
0x73b61968
0x73b61968
0x73b6196b
0x73b619e5
0x73b619e9
0x73b619f8
0x73b619fb
0x73b61a03
0x73b61a03
0x73b61a03
0x73b61a05
0x73b61a05
0x73b61a06
0x73b61a06
0x73b61a08
0x73b61a0a
0x73b61a10
0x73b61a19
0x73b61a2a
0x73b61a35
0x73b61a35
0x73b619fd
0x73b619e0
0x73b619e0
0x73b619e2
0x73b619e2
0x00000000
0x73b619e2
0x73b619ff
0x73b61a01
0x00000000
0x00000000
0x00000000
0x73b61a01
0x73b619ed
0x73b619f1
0x00000000
0x73b619f1
0x73b6196d
0x73b6196d
0x73b6196e
0x73b619d7
0x73b619d9
0x00000000
0x00000000
0x73b619db
0x73b619de
0x00000000
0x00000000
0x00000000
0x73b619de
0x73b61970
0x73b61970
0x73b61971
0x73b619aa
0x73b619ae
0x73b619ca
0x73b619cd
0x00000000
0x00000000
0x73b619cf
0x00000000
0x00000000
0x73b619d1
0x73b619d3
0x00000000
0x00000000
0x00000000
0x73b619d5
0x73b619b0
0x73b619b4
0x73b619b6
0x73b619b8
0x73b619ba
0x73b619c3
0x73b619bc
0x73b619bc
0x73b619bc
0x00000000
0x73b619ba
0x73b61973
0x73b61973
0x73b61976
0x73b619a3
0x73b619a5
0x00000000
0x73b619a5
0x73b61978
0x73b61978
0x73b6197b
0x73b6198b
0x73b6198f
0x73b6199c
0x73b6199e
0x00000000
0x73b6199e
0x73b61991
0x73b61993
0x00000000
0x00000000
0x73b61995
0x73b61998
0x00000000
0x00000000
0x00000000
0x73b6199a
0x73b6197e
0x73b6197f
0x73b61985
0x73b61987
0x73b61987
0x00000000
0x73b6197f
0x73b618a8
0x73b61920
0x73b61922
0x73b61925
0x73b61943
0x73b61946
0x73b6194c
0x73b61951
0x73b61927
0x73b61927
0x73b6192b
0x73b6192f
0x73b61931
0x73b61931
0x73b61954
0x73b61957
0x00000000
0x73b6195d
0x73b6195d
0x73b61960
0x00000000
0x73b61960
0x73b61957
0x73b618aa
0x73b618ad
0x73b61911
0x73b61913
0x73b61915
0x00000000
0x00000000
0x00000000
0x73b6191b
0x73b618af
0x73b618b2
0x00000000
0x00000000
0x73b618b4
0x73b618b5
0x73b618eb
0x73b618ef
0x73b61907
0x73b61909
0x00000000
0x73b61909
0x73b618f1
0x73b618f3
0x00000000
0x00000000
0x73b618f9
0x73b618fc
0x00000000
0x00000000
0x00000000
0x73b61902
0x73b618b7
0x73b618ba
0x73b618e1
0x00000000
0x73b618bc
0x73b618bc
0x73b618bd
0x73b618d1
0x73b618d3
0x73b618bf
0x73b618c1
0x73b618c7
0x73b618c9
0x73b618c9
0x73b618c1
0x00000000
0x73b618bd

APIs

GlobalFree.KERNEL32 ref: 73B61893
GlobalFree.KERNEL32 ref: 73B61A2A
GlobalFree.KERNEL32 ref: 73B61A2F

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: c78577fcc97eac5b4be9cae87b6ad20eb2fe530e936f5855e13908dc63834c06
Instruction ID: 51b2387fd3138f5922011704e5ba59f72c49f7fc5d54108278fb33bb2a69fd7a
Opcode Fuzzy Hash: c78577fcc97eac5b4be9cae87b6ad20eb2fe530e936f5855e13908dc63834c06
Instruction Fuzzy Hash: 8251D472D04198EFEB12CFA4C9447AEBBBEEBC424AF18407AD417E31D7E63199428751

Uniqueness

Uniqueness Score: -1.00%

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D41(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x48);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402ACB(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x20),  *(_t27 - 0x3c) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x7a2fe8 =  *0x7a2fe8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d4b
0x00401d52
0x00401d81
0x00401d89
0x00401d90
0x00401d90
0x0040295a
0x00402966

APIs

GetDlgItem.USER32 ref: 00401D45
GetClientRect.USER32 ref: 00401D52
LoadImageA.USER32 ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 0777a0bc9aae8d48d60abd948d5b693148789b0eae7bd979b17299fbd41c00fb
Instruction ID: 86ae4d2b40e720423d53cfa3fe8a52c583987269cec1c9f3ad3a23d9d9d7ea30
Opcode Fuzzy Hash: 0777a0bc9aae8d48d60abd948d5b693148789b0eae7bd979b17299fbd41c00fb
Instruction Fuzzy Hash: F6F0AFB2600515BFDB01EBE4DE89DEFB7BCEB44345B14446AF641F6191CA749D018B38

Uniqueness

Uniqueness Score: -1.00%

Function 00404865 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404865(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405F9F(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405F9F(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405F9F(_t41, _t47, 0x79f540, 0x79f540, _a8);
				wsprintfA(_t32 + lstrlenA(0x79f540), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x7a2718, _a4, 0x79f540);
			}

0x0040486b
0x00404870
0x00404878
0x00404879
0x00404886
0x0040488e
0x0040488f
0x00404891
0x00404893
0x00404895
0x00404898
0x00404898
0x0040489f
0x004048a5
0x004048a5
0x004048ac
0x004048b3
0x004048b6
0x004048b9
0x004048b9
0x004048bd
0x004048cd
0x004048cf
0x004048d2
0x0040487b
0x0040487b
0x00404882
0x00404882
0x004048da
0x004048e5
0x004048fb
0x0040490b
0x00404927

APIs

lstrlenA.KERNEL32(0079F540,0079F540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404780,000000DF,00000000,00000400,?), ref: 00404903
wsprintfA.USER32 ref: 0040490B
SetDlgItemTextA.USER32 ref: 0040491E

Strings

%u.%u%s%s, xrefs: 004048ED

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5f074f6faf701013ce45bc378f4b03b5d4ee46098f1275575472d42f1ef86f4b
Instruction ID: 24807b9fc88fe5fbc2e72c1c6e729af153b5b07cedbd852725a961613b6e70ef
Opcode Fuzzy Hash: 5f074f6faf701013ce45bc378f4b03b5d4ee46098f1275575472d42f1ef86f4b
Instruction Fuzzy Hash: 99110A776045282BEB01657D9C41EAF3288DB81378F254637FA26F72D1E978CC1246E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405915 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405915(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405916
0x0040592d
0x00405935
0x00405935
0x0040593d

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031D6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 0040591B
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031D6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00405924
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405935

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405915

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: da490e60620d11e3c07f2fcccd6c796fdaa9f48d202f5171465a07f32f6e55b9
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: B5D0A9A2201E30BED20227169C09ECB2A08CF2231AB05043BF240B61A1CA7C4D428BFE

Uniqueness

Uniqueness Score: -1.00%

Function 004059AE Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004059AE(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E00405940(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x004059b7
0x004059be
0x004059c1
0x004059c3
0x004059c7
0x004059dc
0x004059fb
0x00000000
0x004059e3
0x004059e5
0x004059e6
0x004059e9
0x004059ea
0x004059f2
0x00000000
0x00000000
0x004059f4
0x004059f7
0x00000000
0x00000000
0x00000000
0x004059f7
0x00000000
0x004059e6
0x004059d4
0x00000000
0x004059d5

APIs

CharNextA.USER32(?,?,Forgngeliges.rea,?,00405A1A,Forgngeliges.rea,Forgngeliges.rea,746AFA90,?,C:\Users\user\AppData\Local\Temp\,00405765,?,746AFA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059BC
CharNextA.USER32(00000000), ref: 004059C1
CharNextA.USER32(00000000), ref: 004059D5

Strings

Forgngeliges.rea, xrefs: 004059AF

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CharNext
String ID: Forgngeliges.rea
API String ID: 3213498283-2553225184
Opcode ID: 6ae5a98c75981dc822015e60cfe3a73e92d8e62117e7577616a1c134a98ac786
Instruction ID: 53b5fd27e09cdb27f7d5e0d280f650891fab3cf45ffc187ddecf7516587659fd
Opcode Fuzzy Hash: 6ae5a98c75981dc822015e60cfe3a73e92d8e62117e7577616a1c134a98ac786
Instruction Fuzzy Hash: D4F0F6D1908F50EAFB32A6244C54B776B89CB55370F14457BD680772C1C27C4C409FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402CFF(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x7960f8; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7a2f50;
						if(_t2 >  *0x7a2f50) {
							_t3 = CreateDialogParamA( *0x7a2f40, 0x6f, 0, E00402C7C, 0);
							 *0x7960f8 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406351(0);
					}
				} else {
					_t6 =  *0x7960f8; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x7960f8 = 0;
					return _t6;
				}
			}

0x00402d06
0x00402d20
0x00402d26
0x00402d30
0x00402d36
0x00402d3c
0x00402d4d
0x00402d56
0x00000000
0x00402d5b
0x00402d62
0x00402d28
0x00402d2f
0x00402d2f
0x00402d08
0x00402d08
0x00402d0f
0x00402d12
0x00402d12
0x00402d18
0x00402d1f
0x00402d1f

APIs

DestroyWindow.USER32(00000000,00000000,00402EDF,00000001), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 87f9a02f322897d0e4f948bf7da259dfca77796329a29cb391b18909f99ca198
Instruction ID: b66414e99a5f690dcfe7c27c209bc19b2a06c79591cef1c7d36985daa8eb92e7
Opcode Fuzzy Hash: 87f9a02f322897d0e4f948bf7da259dfca77796329a29cb391b18909f99ca198
Instruction Fuzzy Hash: D6F05E30401621EBC6116B68FFCEE8F7B74AB45B02712457BF158B11E4DA7C48868B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00405018 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405018(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x79f52c != _t16) {
							_push(_t16);
							_push(6);
							 *0x79f52c = _t16;
							E004049EF();
						}
						L11:
						return CallWindowProcA( *0x79f534, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E0040496F(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404068(0x413);
				return 0;
			}

0x0040501c
0x00405026
0x00405042
0x00405064
0x00405067
0x0040506d
0x00405077
0x00405078
0x0040507a
0x00405080
0x00405080
0x0040508a
0x00000000
0x00405098
0x0040504f
0x00405087
0x00405087
0x00000000
0x00405087
0x0040505b
0x0040505d
0x00000000
0x0040505d
0x0040502c
0x00000000
0x00000000
0x00405033
0x00000000

APIs

IsWindowVisible.USER32 ref: 00405047
CallWindowProcA.USER32 ref: 00405098

Part of subcall function 00404068: SendMessageA.USER32(00010390,00000000,00000000,00000000), ref: 0040407A

Strings

, xrefs: 00405028

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: d6227ddab35ba9883f4bf3de8d352398880cea24f9ab2b0966d31f7a69b3ea3c
Instruction ID: fa8f59a087aa50fe202e55d5174182462002e51d1c5a0d53021f2a5da998cc86
Opcode Fuzzy Hash: d6227ddab35ba9883f4bf3de8d352398880cea24f9ab2b0966d31f7a69b3ea3c
Instruction Fuzzy Hash: 99012171100608AFDF215F21DD85EAF3625EB84764F244137FA41B61D1C77A8C52DEAD

Uniqueness

Uniqueness Score: -1.00%

Function 73B62133 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E73B62133(void* __eax, void* __ebx, void* __esi) {
				void* _t11;
				void* _t16;

				_t16 = __esi;
				_t11 = __eax;
				_push(ss);
			}

0x73b62133
0x73b62133
0x73b62133

APIs

GetProcAddress.KERNEL32(?), ref: 73B6213E
lstrlenA.KERNEL32(00000408), ref: 73B62158

Strings

Net, xrefs: 73B6213E

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: AddressProclstrlen
String ID: Net
API String ID: 2233632393-515476347
Opcode ID: 7fb5a2b560c9471bc7dcb7b284f12c20d0afe45de997b871dfec7fd794fc534e
Instruction ID: 4390a2a9a7549284211e88094f88066b3109ac62040adf3422911739aa7e686d
Opcode Fuzzy Hash: 7fb5a2b560c9471bc7dcb7b284f12c20d0afe45de997b871dfec7fd794fc534e
Instruction Fuzzy Hash: C5F08271600706DAD7712F25D880795B7F5FB40215B10C63FE2EB850A1EB3480898F51

Uniqueness

Uniqueness Score: -1.00%

Function 00403716 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403716() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x79e504; // 0xb50670
				_t3 = E004036FB(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x79e504 =  *0x79e504 & 0x00000000;
				return _t3;
			}

0x00403717
0x0040371f
0x00403726
0x00403729
0x00403729
0x0040372b
0x00403730
0x00403737
0x0040373d
0x00403741
0x00403742
0x0040374a

APIs

FreeLibrary.KERNEL32(?,746AFA90,00000000,C:\Users\user\AppData\Local\Temp\,004036EE,00403508,?,?,00000006,00000008,0000000A), ref: 00403730
GlobalFree.KERNEL32 ref: 00403737

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403716

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 4d9750b91f9c818690002108793fa6d5ed1a6d42b958517d28de6e516f48fa46
Instruction ID: e3cd8cf2938ee13ec1fefa9c4a9681649e8a36576cb89bbd23f75385d37883fe
Opcode Fuzzy Hash: 4d9750b91f9c818690002108793fa6d5ed1a6d42b958517d28de6e516f48fa46
Instruction Fuzzy Hash: AEE0C2334011209FC6219F04FE0872A7778AF49B23F06842BF8807B36087781C534BC8

Uniqueness

Uniqueness Score: -1.00%

Function 0040595C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040595C(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x0040595d
0x00405967
0x00405969
0x00405970
0x00405978
0x00000000
0x00000000
0x00000000
0x00405978
0x0040597a
0x0040597f

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\download.exe,C:\Users\user\Desktop\download.exe,80000000,00000003), ref: 00405962
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\download.exe,C:\Users\user\Desktop\download.exe,80000000,00000003), ref: 00405970

Strings

C:\Users\user\Desktop, xrefs: 0040595C

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: 1bd18926039b2b13e1a5e2b6749e0a20dca9854900914240940d95a6582504e3
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: BAD0C9A2409DB0AEE71363249C04B9F6A88DF26715F0904B7E181F61A1C6BC4D828BAD

Uniqueness

Uniqueness Score: -1.00%

Function 73B610E0 Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73B610E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x73b6405c = _a8;
				 *0x73b64060 = _a16;
				 *0x73b64064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73b64038, E73B61556, _t52);
				_t43 =  *0x73b6405c +  *0x73b6405c * 4 << 2;
				_t17 = E73B6123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E73B61266(E73B612AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E73B612D1( *_t55 - 0x30, E73B6123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x73b64030;
								 *0x73b64030 = _t31;
								E73B61508(_t31 + 4,  *0x73b64064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x73b64030;
							if( *0x73b64030 != 0) {
								E73B61508( *0x73b64064, _t34 + 4, _t43);
								_t37 =  *0x73b64030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x73b64030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x73b610e7
0x73b610ef
0x73b61103
0x73b6110b
0x73b61116
0x73b61119
0x73b61121
0x73b61124
0x73b61126
0x73b611c4
0x73b611d0
0x73b6112c
0x73b6112d
0x73b6112d
0x73b61130
0x73b61131
0x73b61134
0x73b61203
0x73b61206
0x73b6119e
0x73b611a4
0x73b611ac
0x73b611b1
0x73b611b4
0x00000000
0x73b611b4
0x73b61209
0x73b6120a
0x73b61186
0x73b6118c
0x73b61194
0x00000000
0x73b61194
0x73b61152
0x73b61153
0x73b6115b
0x73b61168
0x73b61170
0x73b61179
0x73b6117e
0x73b6117e
0x00000000
0x73b61153
0x73b6113a
0x73b611d1
0x73b611d1
0x73b611d8
0x73b611e5
0x73b611ea
0x73b611ef
0x73b611f5
0x73b611fb
0x73b611fb
0x00000000
0x73b611d8
0x73b61140
0x73b61143
0x00000000
0x00000000
0x73b61149
0x73b6114c
0x73b6119b
0x00000000
0x73b6119b
0x73b6114f
0x73b61150
0x73b61183
0x00000000
0x73b61183
0x00000000
0x73b611ba
0x73b611ba
0x00000000
0x73b611c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 73B6115B
GlobalFree.KERNEL32 ref: 73B611B4
GlobalFree.KERNEL32 ref: 73B611C7
GlobalFree.KERNEL32 ref: 73B611F5

Memory Dump Source

Source File: 00000000.00000002.795929704.0000000073B61000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B60000, based on PE: true

Associated: 00000000.00000002.795920126.0000000073B60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795937300.0000000073B63000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.795946501.0000000073B65000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b60000_download.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: eca2554628df7494d77306a422b62954f2b2bd5db4cb53b10b3496f4e77a9beb
Instruction ID: fffb6193aa6d1c1f5f4f83c7c379bde9d9398d39243d992b493a7c52910d1e75
Opcode Fuzzy Hash: eca2554628df7494d77306a422b62954f2b2bd5db4cb53b10b3496f4e77a9beb
Instruction Fuzzy Hash: A531C9B2A04A65EFE7219F66DA44B257FF8FB85240B284535E84ACB6D3E734D400CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00405A7B Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A7B(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405a8b
0x00405a8d
0x00405a90
0x00405abc
0x00405a95
0x00405a9e
0x00405aa3
0x00405aae
0x00405ab1
0x00405acd
0x00405ab3
0x00405aba
0x00000000
0x00405aba
0x00405ac6
0x00405aca
0x00405aca
0x00405ac4
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A8B
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA3
CharNextA.USER32(00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AB4
lstrlenA.KERNEL32(00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ABD

Memory Dump Source

Source File: 00000000.00000002.776859141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.776843531.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776890664.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.776911397.00000000007C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.777759720.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_download.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction ID: bbf0fe82adfec40a5435aad4fbaff8462ffeb4f6e62521b4b159965ff53dba99
Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction Fuzzy Hash: 9BF0C232215914BFC702DBA8CD40D9EBBA8EF46350B2540B9E840F7211D634DE019FA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report download.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsp8E94.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\Afreager.For

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\Poserne\Bedugget39.Rus

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\microphone-sensitivity-low-symbolic.symbolic.png

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
download.exe

Function 004031E9 Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 366
stringcomfileCOMMON

Function 004051E2 Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405745 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159
filestringCOMMON

Function 73B61A98 Relevance: 18.6, APIs: 12, Instructions: 565
stringmemorylibraryCOMMONCrypto

Function 004020D1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Function 00406280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 004026FE Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Function 004037AB Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00403B48 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00402D63 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 182
COMMON

Function 00405F9F Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 004050A4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00402003 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
libraryloaderCOMMON

Function 00401D9B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Function 0040556A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004062A7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402F9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 00405B45 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 73B616DB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Function 004023D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00405A03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00405E64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 0040561C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00401B63 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Function 004024E5 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Function 73B628E1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
memoryCOMMON

Function 00402473 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00402381 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30
stringCOMMON

Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Function 00406315 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405B16 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405AF1 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 004055E7 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 73B629F8 Relevance: 1.6, APIs: 1, Instructions: 143
fileCOMMON

Function 004025CA Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Function 0040166A Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Function 004022FC Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 0040171F Relevance: 1.5, APIs: 1, Instructions: 24
COMMON